Mathieu Virbel
da3a2ac3a4
Rebrand the project from Fence to Greywall, the sandboxing layer of the GreyHaven platform. This updates: - Go module path to gitea.app.monadical.io/monadical/greywall - Binary name, CLI help text, and all usage examples - Config paths (~/.config/greywall/greywall.json), env vars (GREYWALL_*) - Log prefixes ([greywall:*]), temp file prefixes (greywall-*) - All documentation, scripts, CI workflows, and example files - README rewritten with GreyHaven branding and Fence attribution Directory/file renames: cmd/fence → cmd/greywall, pkg/fence → pkg/greywall, docs/why-fence.md → docs/why-greywall.md, example JSON files, and banner.
37 lines
596 B
Markdown
37 lines
596 B
Markdown
# Recipe: CI jobs
|
|
|
|
Goal: make CI steps safer by default: minimal egress and controlled writes.
|
|
|
|
## Suggested baseline
|
|
|
|
```json
|
|
{
|
|
"network": {
|
|
"allowedDomains": []
|
|
},
|
|
"filesystem": {
|
|
"allowWrite": [".", "/tmp"]
|
|
}
|
|
}
|
|
```
|
|
|
|
Run:
|
|
|
|
```bash
|
|
greywall --settings ./greywall.json -c "make test"
|
|
```
|
|
|
|
## Add only what you need
|
|
|
|
Use monitor mode to discover what a job tries to reach:
|
|
|
|
```bash
|
|
greywall -m --settings ./greywall.json -c "make test"
|
|
```
|
|
|
|
Then allowlist only:
|
|
|
|
- your artifact/cache endpoints
|
|
- the minimum package registries required
|
|
- any internal services the job must access
|