Summary
The embedded ci.cue schema is a union of GitHub Actions and GitLab CI fields. Line 16 ([string]: #Job | [...string] | _) accepts any top-level key to support GitLab's arbitrary job name convention, which makes contract validation a no-op for CI policies — every path passes.
Current Behavior
// GitLab allows arbitrary job names as top-level keys
[string]: #Job | [...string] | _
pathExistsInSchema("input.completely_bogus", ciSchema) returns true.
Desired Behavior
Split into separate schemas per CI platform:
ci-github-actions — strict, or replaced entirely by cue://cue.dev/x/githubactions@v0#Workflowci-gitlab — strict GitLab CI schema with known top-level fields plus [string]: #Job for job names (without the | _ catch-all)
Users specify the platform they're targeting:
--schema ci-github-actions=cue://cue.dev/x/githubactions@v0#Workflow
--schema ci-gitlab
Context
Discovered during PR #23 review. The contract validator rewrite correctly handles pattern constraints ([string]: T) and top type (_), but the CI schema's top-level catch-all means the validator provides zero value for CI policies. The fix is in the schema definition, not the validator.
Related: #30 (schema index) — the per-platform split aligns with replacing embedded schemas with a source-agnostic index.
Summary
The embedded
ci.cueschema is a union of GitHub Actions and GitLab CI fields. Line 16 ([string]: #Job | [...string] | _) accepts any top-level key to support GitLab's arbitrary job name convention, which makes contract validation a no-op for CI policies — every path passes.Current Behavior
pathExistsInSchema("input.completely_bogus", ciSchema)returnstrue.Desired Behavior
Split into separate schemas per CI platform:
ci-github-actions— strict, or replaced entirely bycue://cue.dev/x/githubactions@v0#Workflowci-gitlab— strict GitLab CI schema with known top-level fields plus[string]: #Jobfor job names (without the| _catch-all)Users specify the platform they're targeting:
Context
Discovered during PR #23 review. The contract validator rewrite correctly handles pattern constraints (
[string]: T) and top type (_), but the CI schema's top-level catch-all means the validator provides zero value for CI policies. The fix is in the schema definition, not the validator.Related: #30 (schema index) — the per-platform split aligns with replacing embedded schemas with a source-agnostic index.