This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new fde4cc3b docs(spec): add repo-health-family spec and design docs (#558)
fde4cc3b is described below
commit fde4cc3ba3a7a6a6107c4574e8ab2173e1a2bb09
Author: Justin Mclean <[email protected]>
AuthorDate: Sat Jun 27 06:18:02 2026 +1000
docs(spec): add repo-health-family spec and design docs (#558)
Formalises the repo-health audit family, closing the gap identified in
triage-mode.md Known Gaps ('Repo-health audits are a one-off with no
family around them').
- tools/spec-loop/specs/repo-health-family.md: new functional spec
(status: experimental, mode: Triage). Defines the read-only or
propose-then-confirm contract all family members must follow, lists
ci-runner-audit as the sole shipped member, and names four candidates:
workflow-security-audit (zizmor-backed), dependency-audit,
license-compliance-audit, and flaky-test-triage.
- docs/repo-health/README.md: design doc and family overview. Describes
each candidate skill scope, rule classes, and adopter-config keys;
sketches the planned projects/_template/repo-health-config.md contract
so future build iterations have a clear shape to implement against.
Validation: spec-validate reports no violations; skill-and-tool-validate
passes (soft asf-coupling warnings are pre-existing, not introduced here).
Generated-by: Claude (Opus 4.7)
---
docs/repo-health/README.md | 176 ++++++++++++++++++++++++++++
tools/spec-loop/specs/repo-health-family.md | 116 ++++++++++++++++++
2 files changed, 292 insertions(+)
diff --git a/docs/repo-health/README.md b/docs/repo-health/README.md
new file mode 100644
index 00000000..3c98a82c
--- /dev/null
+++ b/docs/repo-health/README.md
@@ -0,0 +1,176 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update
-->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents** *generated with
[DocToc](https://github.com/thlorenz/doctoc)*
+
+- [Repo-health audits — family overview](#repo-health-audits--family-overview)
+ - [Current skills](#current-skills)
+ - [`ci-runner-audit` (experimental)](#ci-runner-audit-experimental)
+ - [Candidate skills (not yet built)](#candidate-skills-not-yet-built)
+ - [`workflow-security-audit` (proposed)](#workflow-security-audit-proposed)
+ - [`dependency-audit` (proposed)](#dependency-audit-proposed)
+ - [`license-compliance-audit`
(proposed)](#license-compliance-audit-proposed)
+ - [`flaky-test-triage` (proposed)](#flaky-test-triage-proposed)
+ - [Adopter contract (planned)](#adopter-contract-planned)
+ - [Cross-references](#cross-references)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+<!-- SPDX-License-Identifier: Apache-2.0
+ https://www.apache.org/licenses/LICENSE-2.0 -->
+
+# Repo-health audits — family overview
+
+Read-only agent-assisted audits that surface repository maintenance signals
+a human would otherwise have to detect by hand: runner label obsolescence,
+Actions workflow security issues, stale or vulnerable dependencies,
+license/NOTICE drift, and flaky-test patterns. Every skill in this family
+produces a human-readable report and proposes remedies; applying any change
+is the maintainer's action.
+
+The family lives under `mode: Triage` in the framework taxonomy — the same
+classify-and-propose discipline the security and PR-management triage skills
+follow. See [`docs/modes.md` § Triage](../modes.md#triage).
+
+---
+
+## Current skills
+
+### `ci-runner-audit` (experimental)
+
+Reads every GitHub Actions workflow file across one repo, a named set, one
+Apache project's repos, or the full Apache GitHub org and surfaces two
+classes of issue:
+
+1. **Obsolete runner labels** — `ubuntu-18.04`, `ubuntu-20.04`, `windows-2019`,
+ and other GitHub-deprecated hosted-runner label strings that silently fall
+ back to a later image or will soon break.
+2. **macOS architecture mismatches** — a workflow step targeting an `arm64`
+ macOS runner that invokes an `x86_64`-only tool or vice versa.
+
+Output is a markdown audit report grouped by repo and by issue class.
+Read-only; no workflow files are modified.
+
+---
+
+## Candidate skills (not yet built)
+
+These are enumerated from the triage-mode.md Known Gaps. Each will become
+its own build item once the family shape is confirmed through
+`ci-runner-audit` pilot evaluations.
+
+### `workflow-security-audit` (proposed)
+
+Run [`zizmor`](https://woodruffw.github.io/zizmor/) — the GitHub Actions
+security scanner already wired into the framework's own pre-commit suite —
+across one repo or a named set and surface findings for human review.
+
+Proposed finding classes:
+
+- Injection vulnerabilities (`run:` steps using `${{ github.event.* }}` or
+ `${{ github.head_ref }}` in untrusted contexts)
+- Excessive permissions (`permissions: write-all` or unnecessary `write`
+ scopes on workflow-level or job-level grants)
+- Unpinned external actions (floating `@main`, `@master`, or tag-only
+ references instead of a commit SHA)
+- Self-hosted runner scope leakage (secrets available to PRs from forks)
+
+Each finding class maps to a concise prose description and a suggested
+remediation (scope reduction, SHA pinning, `${{ env.SAFE_VAR }}` pattern).
+
+**Adopter contract**: reads `<project-config>/repo-health-config.md`
+(planned) for which rule classes to enable and which repos to audit.
+
+### `dependency-audit` (proposed)
+
+Check direct and transitive dependencies for known vulnerabilities (via
+`pip-audit` / `npm audit` / `trivy` depending on the project's language
+stack) and surface those that have available patches. One finding per
+dependency, formatted for maintainer triage. Does not open update PRs
+autonomously — proposes one per affected dependency.
+
+**Adopter contract**: reads `<project-config>/repo-health-config.md` for
+the dependency manager and audit tool to use.
+
+### `license-compliance-audit` (proposed)
+
+Verify that:
+
+1. Every source file under a configured path carries the project's required
+ SPDX-License-Identifier header line.
+2. The `LICENSE` file matches the declared SPDX expression.
+3. The `NOTICE` file lists every bundled dependency that its license
+ requires to appear in attribution notices.
+
+Surfaces discrepancies as a structured report (file path, issue class,
+suggested correction) without modifying any file.
+
+**Adopter contract**: reads `<project-config>/repo-health-config.md` for
+the required SPDX expression and which source paths to audit.
+
+### `flaky-test-triage` (proposed)
+
+Parse GitHub Actions run history for a named repo over a configurable window,
+compute per-test failure rates (differentiating consistent failures from
+intermittent ones), and produce a prioritised triage list: tests failing
+above a configurable threshold that are likely flaky rather than
+deterministically broken.
+
+Signals used: run outcome (`success` / `failure`), re-run count on the same
+SHA, test-name patterns across runs. No test code is modified.
+
+**Adopter contract**: reads `<project-config>/repo-health-config.md` for
+the audit window, the failure-rate threshold, and which test-name patterns
+to include or exclude.
+
+---
+
+## Adopter contract (planned)
+
+A future `projects/_template/repo-health-config.md` will declare per-skill
+switches:
+
+```yaml
+repo_health:
+ ci_runner_audit:
+ # Runner label families to flag. Defaults to the GitHub-deprecated list.
+ deprecated_runner_labels: [ubuntu-18.04, ubuntu-20.04, windows-2019]
+ # Repos to audit; leave empty to audit only the project's own repos.
+ extra_repos: []
+
+ workflow_security_audit:
+ # zizmor rule classes to enable (all enabled by default).
+ enabled_rules: [injection, excessive-permissions, unpinned-actions,
fork-secrets]
+
+ dependency_audit:
+ # Dependency manager(s) in use. Selects the audit tool adapter.
+ # Allowed values: pip, npm, cargo, maven, gradle
+ managers: [pip]
+
+ license_compliance_audit:
+ # Required SPDX expression for all source files.
+ required_spdx_expression: "Apache-2.0"
+ # Source paths to audit (relative to upstream repo root).
+ source_paths: [src/, lib/]
+ # Paths to skip (test fixtures, vendored code, etc.).
+ skip_paths: [tests/fixtures/, vendor/]
+
+ flaky_test_triage:
+ # Audit window in days.
+ window_days: 30
+ # Minimum failure rate (fraction) to flag a test as candidate flaky.
+ failure_rate_threshold: 0.1
+```
+
+The config file will land in a separate build item once at least one
+candidate skill reaches the planning stage.
+
+---
+
+## Cross-references
+
+- [`docs/modes.md` § Triage](../modes.md#triage) — mode taxonomy; repo-health
+ skills are listed in the Triage table.
+-
[`tools/spec-loop/specs/repo-health-family.md`](../../tools/spec-loop/specs/repo-health-family.md)
+ — functional spec: acceptance criteria, validation commands, and known gaps.
+-
[`tools/spec-loop/specs/triage-mode.md`](../../tools/spec-loop/specs/triage-mode.md)
+ — parent spec that identified the family gap.
diff --git a/tools/spec-loop/specs/repo-health-family.md
b/tools/spec-loop/specs/repo-health-family.md
new file mode 100644
index 00000000..da8c9046
--- /dev/null
+++ b/tools/spec-loop/specs/repo-health-family.md
@@ -0,0 +1,116 @@
+<!-- SPDX-License-Identifier: Apache-2.0
+ https://www.apache.org/licenses/LICENSE-2.0 -->
+
+---
+title: Repo-health audits
+status: experimental
+kind: feature
+mode: Triage
+source: >
+ MISSION.md § Technical scope (Triage). triage-mode.md Known Gaps
+ ("Repo-health audits are a one-off with no family around them;
+ ci-runner-audit is a standalone read-only audit"). Family design in
+ docs/repo-health/README.md. ci-runner-audit is the first shipped member.
+acceptance:
+ - Every repo-health skill is read-only or proposes-then-confirms; none
+ modifies workflow files, runner configs, or dependency files without
+ human confirmation.
+ - ci-runner-audit validates under skill-and-tool-validate and ships an
+ eval suite.
+ - docs/modes.md Triage table lists each shipped repo-health skill.
+---
+
+# Repo-health audits
+
+## What it does
+
+Surface repository-level health signals a maintainer would otherwise detect
+by hand: obsolete runner labels, Actions workflow security vulnerabilities,
+stale or vulnerable dependencies, license/NOTICE compliance drift, and
+flaky-test patterns. Every skill in the family produces a structured report
+and proposes remedies for human review; no skill applies a change without
+explicit maintainer confirmation.
+
+The family extends the Triage mode's classify-and-propose discipline to
+repository maintenance. The canonical sequence is: fetch a bounded snapshot
+of the target artefacts → classify each against a rule set → present a
+grouped, prioritised report → wait for confirmation before any write.
+
+## Where it lives
+
+- Skill: `ci-runner-audit` — first shipped member. Reads GitHub Actions
+ workflow files across one repo, an explicit set, one Apache project's
+ repos, or the full Apache GitHub org and surfaces obsolete
+ GitHub-hosted runner labels and macOS architecture mismatches. Read-only;
+ no workflow files are modified. Ships `mode: Triage` + `experimental`.
+- Design docs: `docs/repo-health/README.md` — family overview, candidate
+ skills (workflow-security-audit, dependency-audit, license-compliance-audit,
+ flaky-test-triage), and the planned adopter-config scaffold.
+- Planned adopter config: `projects/_template/repo-health-config.md` —
+ per-skill switches (deprecated-runner families, zizmor rule classes,
+ dependency-manager selection, SPDX expression, flaky-test window).
+ Lands in a separate build item once at least one candidate skill reaches
+ the planning stage.
+
+## Behaviour & contract
+
+- **Read-only by default.** The core loop of every repo-health skill is
+ read → classify → present. State changes (filing a tracking issue,
+ opening an update PR) are explicit proposals the maintainer confirms;
+ no skill performs an unconfirmed write to the upstream repo, the
+ tracker, or any config file.
+- **Point-in-time snapshot.** Each run produces a bounded audit report —
+ not a continuous monitor. Re-runs extend or replace the snapshot;
+ no incremental state is persisted between runs.
+- **Authenticated read only.** Skills use `gh api` (read-scoped) for
+ private repos; no write OAuth scopes are requested or used.
+- **One skill, one rule family.** Each candidate skill targets a distinct
+ maintenance concern (runner labels, workflow security, dependency
+ freshness, license compliance, test stability). Skills do not share
+ intermediate state, so each runs independently.
+
+## Out of scope
+
+- **Applying changes.** Updating a workflow file, opening a dependency-bump
+ PR, or correcting a license header are maintainer actions. Skills propose;
+ humans act.
+- **Continuous monitoring.** That is a CI / GitHub Actions job responsibility.
+ Each skill run is a triggered, bounded audit.
+- **Auto-merge of housekeeping changes.** Runner-label fixes and NOTICE
+ updates are eligible for Auto-merge only once that mode is on; the
+ repo-health skills never trigger a merge autonomously.
+- **Security-class vulnerabilities.** CVE-rated dependency issues flow
+ through the security-issue lifecycle
+ ([security-issue-lifecycle.md](security-issue-lifecycle.md)); the
+ `dependency-audit` candidate handles non-CVE dependency hygiene.
+
+## Acceptance criteria
+
+1. Every repo-health skill is read-only or proposes-then-confirms; no skill
+ modifies workflow files, dependency manifests, or source files without
+ human confirmation.
+2. `ci-runner-audit` validates under `skill-and-tool-validate` and ships an
+ eval suite under `tools/skill-evals/evals/ci-runner-audit/`.
+3. `docs/modes.md` Triage table carries each shipped repo-health skill.
+
+## Validation
+
+```bash
+test -f .claude/skills/magpie-ci-runner-audit/SKILL.md
+uv run --project tools/skill-and-tool-validator --group dev
skill-and-tool-validate
+```
+
+## Known gaps
+
+- **Family is one skill deep.** `ci-runner-audit` is the sole shipped
+ member. Four candidates are designed in `docs/repo-health/README.md`:
+ `workflow-security-audit` (zizmor-backed, highest priority — the tool
+ is already in pre-commit), `dependency-audit`, `license-compliance-audit`,
+ and `flaky-test-triage`. Each is a separate build item, sequenced after
+ `ci-runner-audit`'s pilot evaluation confirms the family shape.
+- **No adopter-config scaffold yet.**
`projects/_template/repo-health-config.md`
+ is planned alongside the first candidate skill; the keys are sketched in
+ `docs/repo-health/README.md § Adopter contract`.
+- **`ci-runner-audit` eval suite exists but no adopter pilot has run.**
+ The skill is `experimental`; behaviour may change as cross-org run
+ volumes expose edge cases in runner-label classification.