Adds .github/workflows/cluster-template-drift.yaml — a warn-only workflow
that reports drift between each clusters/<sovereign>/bootstrap-kit/ tree
and the canonical clusters/_template/bootstrap-kit/.
Why warn-only, not enforce:
- Every existing Sovereign carries some legitimate drift (per-Sovereign
image SHAs, region-specific values overlay) — blocking PRs on diff
count would prevent ALL cluster work.
- The right place to enforce the boundary is Catalyst's organization-
controller (slice C1 of #1095), not CI. Once C1 ships, every new
Sovereign bootstrap-kit is generated from _template and the
attestation lives at apply-time, not at CI-time.
- Retroactively reconciling the existing omantel.omani.works/ and
otech.omani.works/ trees (which have 20+ differing files plus
structural changes — extra files on each side) is a high-blast-radius
maintenance-window operation, NOT a CI-scoped slice.
What this workflow does:
- Triggers on push to main + PR + workflow_dispatch when clusters/**
changes.
- For each clusters/<sovereign>/ directory, runs `diff -rq` against
clusters/_template/bootstrap-kit/ and writes a Markdown report to
the run summary AND a sticky PR comment.
- Counts differing files + only-in-template + only-in-Sovereign per
Sovereign so reviewers can quickly see whether new drift was
introduced.
Per docs/EPICS-1-6-unified-design.md §3.9 row 2 + §11 row 6 (decision
amended from "reconcile + CI gate" to "warn-only CI gate"; structural
reconcile deferred to slice C1 organization-controller).
Per docs/INVIOLABLE-PRINCIPLES.md #4a — workflow only inspects YAML;
no images built, no cloud calls.
Refs: #1094, #1095, slice C1 (organization-controller).
Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
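The report step described above (diff -rq per Sovereign, then counting differing / only-in-template / only-in-Sovereign files into a Markdown table), as an added stand-alone example. This is not the workflow file from the commit: it builds a constructed clusters/ layout under a temp directory (Sovereign names sov-a and sov-b, file contents and the drift in them are all made up for the demo), and the function names drift_counts, drift_report and make_fixture are assumptions, not names from the repository. Only GITHUB_STEP_SUMMARY is a real Actions variable.

```shell
#!/usr/bin/env sh
# Added example, not the workflow from this commit. Reproduces the drift report:
# `diff -rq` of a template tree against each Sovereign bootstrap-kit, with the
# output classified into differing / only-in-template / only-in-Sovereign counts.
# Every path and file below is constructed for the demo.

# drift_counts TEMPLATE_DIR SOVEREIGN_DIR
# Prints "<differing> <only_in_template> <only_in_sovereign>".
drift_counts() {
  tmpl=$1; sov=$2
  differ=0; only_t=0; only_s=0
  out=$(mktemp)
  # diff -rq exits 1 when the trees differ (the expected case) and 2 on a real
  # error such as a missing directory; only the latter is treated as a failure.
  rc=0
  diff -rq "$tmpl" "$sov" >"$out" 2>/dev/null || rc=$?
  if [ "$rc" -gt 1 ]; then
    rm -f "$out"
    echo "drift_counts: diff failed on $tmpl vs $sov" >&2
    return 2
  fi
  while IFS= read -r line; do
    case $line in
      "Files "*" differ"|"Binary files "*" differ")
        differ=$((differ + 1)) ;;
      "Only in "*)
        # Line shape: "Only in <dir>: <name>", where <dir> is either the
        # top-level path passed to diff or a subdirectory below it.
        dir=${line#Only in }
        dir=${dir%%: *}
        case $dir in
          "$tmpl"|"$tmpl"/*) only_t=$((only_t + 1)) ;;
          "$sov"|"$sov"/*)   only_s=$((only_s + 1)) ;;
        esac ;;
    esac
  done <"$out"
  rm -f "$out"
  printf '%d %d %d\n' "$differ" "$only_t" "$only_s"
}

# drift_report TEMPLATE_DIR CLUSTERS_DIR
# One Markdown table row per CLUSTERS_DIR/<sovereign>/bootstrap-kit, skipping
# _template itself and any directory without a bootstrap-kit/ tree.
drift_report() {
  rtmpl=$1; clusters=$2
  printf '| Sovereign | differing | only in template | only in Sovereign |\n'
  printf '|---|---|---|---|\n'
  for d in "$clusters"/*/; do
    d=${d%/}
    name=${d##*/}
    [ "$name" = _template ] && continue
    [ -d "$d/bootstrap-kit" ] || continue
    set -- $(drift_counts "$rtmpl" "$d/bootstrap-kit")
    printf '| %s | %s | %s | %s |\n' "$name" "$1" "$2" "$3"
  done
}

# make_fixture ROOT: constructed clusters/ layout for the demo (not a real repo).
make_fixture() {
  root=$1
  mkdir -p "$root/_template/bootstrap-kit/base" \
           "$root/sov-a/bootstrap-kit/base" \
           "$root/sov-b/bootstrap-kit"
  printf 'image: app@sha256:TEMPLATE\n' >"$root/_template/bootstrap-kit/base/deploy.yaml"
  printf 'region: placeholder\n'        >"$root/_template/bootstrap-kit/values.yaml"
  printf 'kind: Kustomization\n'        >"$root/_template/bootstrap-kit/kustomization.yaml"
  # sov-a: per-Sovereign image SHA and region overlay (legitimate drift) and one
  # template file missing -> 2 differing, 1 only-in-template, 0 only-in-Sovereign.
  printf 'image: app@sha256:SOVEREIGN-A\n' >"$root/sov-a/bootstrap-kit/base/deploy.yaml"
  printf 'region: region-a\n'              >"$root/sov-a/bootstrap-kit/values.yaml"
  # sov-b: template copied verbatim plus an extra file -> 0, 0, 1.
  cp -R "$root/_template/bootstrap-kit/." "$root/sov-b/bootstrap-kit/"
  printf 'extra: true\n' >"$root/sov-b/bootstrap-kit/extra-overlay.yaml"
}

# Stand-alone run. In Actions, appending to $GITHUB_STEP_SUMMARY puts the table in
# the run summary; the step stays warn-only because nothing exits non-zero on drift.
demo() {
  root=$(mktemp -d)
  make_fixture "$root"
  if [ -n "${GITHUB_STEP_SUMMARY:-}" ]; then
    drift_report "$root/_template/bootstrap-kit" "$root" >>"$GITHUB_STEP_SUMMARY"
  else
    drift_report "$root/_template/bootstrap-kit" "$root"
  fi
  rm -rf "$root"
}
demo
```

The counts come straight from the three line shapes `diff -rq` emits ("Files A and B differ", "Binary files A and B differ", "Only in DIR: NAME"), so the script needs no YAML parsing and, like the workflow it illustrates, reads files only and never builds images or talks to a cloud. Matching "Only in" against the top-level path or a subdirectory of it is what keeps files missing from nested directories (e.g. base/) in the right column.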