Merge pull request #4 from techofourown/codex/catalog-refresh-apps-demo-20260315

Trigger catalog refresh after apps-demo image publish

Author: johnbenac

.github/workflows/ci.yml

@@ -11,8 +11,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - uses: rhysd/actionlint@v1.7.11
       - name: Validate script syntax
-        run: bash -n scripts/check-apps-manifest.sh scripts/check-app-builds.sh
+        run: bash -n scripts/check-apps-manifest.sh scripts/check-app-builds.sh scripts/check-workflow-guards.sh
+      - name: Validate workflow guards
+        run: bash scripts/check-workflow-guards.sh
       - name: Validate manifest and source layout
         run: bash scripts/check-apps-manifest.sh
       - name: Build application images

.github/workflows/publish-images.yml

@@ -97,3 +97,22 @@ jobs:
         with:
           name: ${{ matrix.app_id }}-publish-record
           path: dist/${{ matrix.app_id }}.publish-record.json
+
+  refresh-catalogs:
+    needs: publish
+    runs-on: ubuntu-latest
+    env:
+      CATALOG_REFRESH_TOKEN: ${{ secrets.CATALOG_REFRESH_TOKEN }}
+    steps:
+      - name: Trigger downstream catalog refresh
+        if: ${{ env.CATALOG_REFRESH_TOKEN != '' }}
+        run: |
+          set -euo pipefail
+          for repo in sw-ourbox-catalog-demo; do
+            curl -fsSL \
+              -X POST \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${CATALOG_REFRESH_TOKEN}" \
+              "https://api.github.com/repos/techofourown/${repo}/dispatches" \
+              -d "{\"event_type\":\"refresh-from-upstream-image-publish\",\"client_payload\":{\"source_repo\":\"${GITHUB_REPOSITORY}\",\"source_sha\":\"${GITHUB_SHA}\"}}"
+          done

scripts/check-workflow-guards.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+matches="$(grep -RInE '^[[:space:]]*if:.*\bsecrets\.' "${ROOT}/.github/workflows" || true)"
+if [[ -n "${matches}" ]]; then
+  echo "workflow if conditions must not reference secrets.* directly" >&2
+  echo "${matches}" >&2
+  exit 1
+fi
+
+echo "Workflow guard checks passed."