From 41479d7fe68fbb0c77495bb454b3294edff8e121 Mon Sep 17 00:00:00 2001
From: Edut LLC
Date: Fri, 20 Feb 2026 15:48:22 -0800
Subject: [PATCH] ci: enforce identity hygiene gate
---
 .gitea/workflows/check.yml | 2 ++
 scripts/check_identity_hygiene.sh | 41 +++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100755 scripts/check_identity_hygiene.sh
diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
index bc8dda6..d82d05f 100644
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -10,6 +10,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ - name: Identity hygiene gate
+ run: ./scripts/check_identity_hygiene.sh
 - uses: actions/setup-go@v5
 with:
 go-version-file: backend/secretapi/go.mod
diff --git a/scripts/check_identity_hygiene.sh b/scripts/check_identity_hygiene.sh
new file mode 100755
index 0000000..6be57c9
--- /dev/null
+++ b/scripts/check_identity_hygiene.sh
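Review bot: The history scan performed by `scripts/check_identity_hygiene.sh` (`git log` over every commit) only sees what the runner cloned, and `actions/checkout@v4` defaults to a shallow clone of depth 1, so in CI the "history contains non-publisher identity" branch can only ever examine HEAD and the gate gives more assurance than it delivers; assuming that default is in effect on this runner, give the checkout step `with:` / `fetch-depth: 0` so the walk covers the full history. Placing the step before setup-go is fine, since the script needs only git and bash, but it does mean every push pays for a full-history fetch once the depth is raised.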
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+EXPECTED='Edut LLC '
+
+fail() {
+ echo "IDENTITY HYGIENE CHECK FAILED: $*" >&2
+ exit 1
+}
+
+check_head_identity() {
+ local label="$1"
+ local value="$2"
+ if [[ "$value" != "$EXPECTED" ]]; then
+ fail "$label is '$value' (expected '$EXPECTED')"
+ fi
+}
+
+head_author="$(git show -s --format='%an <%ae>' HEAD)"
+head_committer="$(git show -s --format='%cn <%ce>' HEAD)"
+check_head_identity "HEAD author" "$head_author"
+check_head_identity "HEAD committer" "$head_committer"
+
+if bad_identity="$(git log --format='%an <%ae>%n%cn <%ce>' | grep -Ev "^${EXPECTED//\/\\}$" | head -n 1 || true)"; [[ -n "${bad_identity}" ]]; then
+ fail "history contains non-publisher identity: ${bad_identity}"
+fi
+
+# Trackers for personal attribution and legacy infra markers that must never reappear.
+if git grep -nE 'Joshua Armstrong|\bjoshua\b|workvsg\.com|vsg@|vsgstrategies|VSG Strategies|/Users/vsg|VSG Codex' \
+ -- . \
+ ':(exclude)scripts/check_identity_hygiene.sh' \
+ ':(exclude)operations/audit_reports/**' \
+ >/tmp/identity_hygiene_hits.txt 2>/dev/null; then
+ echo "Disallowed content patterns found:" >&2
+ cat /tmp/identity_hygiene_hits.txt >&2
+ rm -f /tmp/identity_hygiene_hits.txt
+ fail "content pattern violations detected"
+fi
+rm -f /tmp/identity_hygiene_hits.txt
+
+echo "PASS: identity hygiene checks passed"
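Review bot: The content scan treats every non-zero `git grep` status as "clean" — `git grep` returns 1 for no matches but 2 or higher on errors such as a bad pathspec or a damaged index, and with `2>/dev/null` the diagnostic is discarded too, so a scan that failed to run passes the gate silently; capture the status instead and fail on anything other than 0 or 1, as in the fence below. The hits file is a fixed, predictable path under `/tmp` with no `trap`, so a parallel job or an early exit can clobber or leave it; `hits=$(mktemp) || fail "mktemp failed"` plus `trap 'rm -f -- "$hits"' EXIT` is the usual shape. The history filter builds an ERE from `$EXPECTED`, and the visible substitution `${EXPECTED//\/\\}` only rewrites `/`, so a `.` in the address would stay a metacharacter (this may be an extraction artifact — the printed `EXPECTED='Edut LLC '` carries a trailing space and no address, which could never equal `%an <%ae>`, so confirm against the real file); `grep -Fvx -- "$EXPECTED"` matches the whole line literally and needs no escaping. Since the history walk can only see what was cloned, the script could also refuse to run on a shallow checkout before the `git log`: `[[ "$(git rev-parse --is-shallow-repository)" == false ]] || fail "shallow clone: history check needs full history"`.
```shell
hits=$(mktemp) || fail "mktemp failed"
trap 'rm -f -- "$hits"' EXIT
rv=0
# … unchanged: git grep -nE '<tracker pattern>' -- . and the two ':(exclude)' pathspec lines …
  >"$hits" || rv=$?
if (( rv == 0 )); then
  echo "Disallowed content patterns found:" >&2
  cat -- "$hits" >&2
  fail "content pattern violations detected"
elif (( rv != 1 )); then
  fail "git grep exited with status $rv"
fi
```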