ci: weekly desktop matrix audit driven by Claude

Adds a scheduled GitHub Actions workflow that audits the desktop
YAML matrix for two kinds of staleness and proposes fixes via the
Anthropic API.

Pieces
------

  tools/desktops/audit.py
    Deterministic auditor. Checks out armbian/build alongside
    configng (from CI; from local CLI when run by hand) and
    cross-references three things:
      - releases declared in armbian/build's config/distributions/
        (with their support status — 'supported', 'csc', 'eos', ...)
      - the 'releases:' blocks declared in every DE YAML
      - the per-(release, arch, tier) resolved DESKTOP_PACKAGES set
        from parse_desktop_yaml.py
    For each DESKTOP_PACKAGES entry, fetches packages.debian.org or
    packages.ubuntu.com and decides whether the package actually
    exists in that (release, arch). Outputs a JSON report listing
    'missing_releases' (build supports it, no DE YAML covers it,
    not EOS) and 'package_holes' (DESKTOP_PACKAGES names a package
    that the upstream archive doesn't ship for that combination).
    Pure logic, no LLM.

  tools/desktops/audit_apply.py
    Reads the JSON report and hands it to Claude via the Anthropic
    Python SDK. Claude is given file Read/Write tool access scoped
    strictly to tools/modules/desktops/yaml/ and is told to propose
    minimal edits to common.yaml's tier_overrides for package
    holes and to add release blocks to per-DE YAMLs for missing
    releases. After Claude finishes, post-edit validation re-parses
    every YAML and spot-checks the parser to ensure nothing was
    broken. Short-circuits on no findings (so 'no work' runs cost
    nothing in API tokens). Also has --dry-run mode that prints the
    prompt without calling the API, useful for local testing.

  .github/workflows/maintenance-desktop-audit.yml
    Schedule: Mondays 06:00 UTC. Also workflow_dispatch with
    optional tier / release filter inputs and a dry_run toggle.
    Job: checkout both repos, run audit.py, surface findings as
    a job summary (markdown tables), upload the report as an
    artifact, run audit_apply.py if there's anything actionable,
    open or update a draft PR via peter-evans/create-pull-request
    on a fixed branch (bot/desktop-matrix-audit) so weekly runs
    update the existing PR rather than spamming new ones.

Operational notes
-----------------

  - The Claude apply step is gated on actionable findings AND on
    ANTHROPIC_API_KEY being present. Without the secret it logs a
    warning and exits cleanly, so the workflow can run as a smoke
    test without any API access.
  - Sandboxed file access: Claude can only read files inside the
    configng checkout (path traversal blocked) and can only write
    files inside tools/modules/desktops/yaml/. No bash, no network.
  - Token cap: --max-tokens 50000 by default, configurable.
  - PR is opened as a draft so a human can review before merging.
    Labels applied: bot, desktops, documentation.

Local validation
----------------

Tested locally against the live build + configng checkouts:

  python3 tools/desktops/audit.py \\
      --build-repo /home/igorp/Development/build \\
      --configng-repo . \\
      --skip-network --output /tmp/r.json

Found 5 missing CSC releases (forky, jammy, questing, resolute,
sid) and 0 package holes — exactly what's expected given the
current YAML matrix.

Author: igorpecovnik

.github/workflows/maintenance-desktop-audit.yml

@@ -0,0 +1,187 @@
+name: "Maintenance: Desktop matrix audit"
+
+# Periodic audit of the desktop YAML matrix against:
+#   1. armbian/build's config/distributions/ — flag releases the build
+#      supports but no DE YAML covers
+#   2. packages.debian.org / packages.ubuntu.com — flag DESKTOP_PACKAGES
+#      entries that don't exist in the upstream archive for the
+#      requested (release, arch)
+#
+# When the audit finds work to do, hand the report to Claude (via the
+# Anthropic API) and let it propose YAML edits. Then open a PR with
+# whatever Claude wrote, using peter-evans/create-pull-request.
+#
+# The audit_apply.py script short-circuits when there's nothing to do,
+# so a "no changes" run never burns API tokens or opens an empty PR.
+
+on:
+  schedule:
+    # Mondays at 06:00 UTC. Weekly is enough — release / package
+    # availability changes slowly.
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+    inputs:
+      tier:
+        description: "Tier to audit (minimal, mid, full, or empty for all)"
+        required: false
+        default: ""
+      release:
+        description: "Release codename to audit (empty for all)"
+        required: false
+        default: ""
+      dry_run:
+        description: "Dry run — do not call Claude or open a PR"
+        required: false
+        default: "false"
+        type: choice
+        options:
+          - "false"
+          - "true"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: desktop-audit
+  cancel-in-progress: false
+
+jobs:
+  audit:
+    name: "Desktop matrix audit"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout configng"
+        uses: actions/checkout@v4
+        with:
+          path: configng
+
+      - name: "Checkout armbian/build"
+        uses: actions/checkout@v4
+        with:
+          repository: armbian/build
+          path: build
+          # Only the config/distributions/ directory matters for the
+          # audit, but a sparse checkout would complicate things —
+          # the build repo is small enough to clone shallowly.
+          fetch-depth: 1
+
+      - name: "Set up Python"
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: "Install Python dependencies"
+        run: |
+          pip install --quiet pyyaml anthropic
+
+      - name: "Run deterministic audit"
+        id: audit
+        working-directory: configng
+        run: |
+          set -euo pipefail
+          args=(
+            --build-repo "${{ github.workspace }}/build"
+            --configng-repo "${{ github.workspace }}/configng"
+            --output "${{ github.workspace }}/audit-report.json"
+          )
+          if [[ -n "${{ github.event.inputs.tier }}" ]]; then
+            args+=(--tier "${{ github.event.inputs.tier }}")
+          fi
+          if [[ -n "${{ github.event.inputs.release }}" ]]; then
+            args+=(--release "${{ github.event.inputs.release }}")
+          fi
+          python3 tools/desktops/audit.py "${args[@]}"
+
+          # Surface a summary in the workflow's job summary so reviewers
+          # can read it without downloading artifacts.
+          {
+            echo "## Desktop matrix audit"
+            echo
+            python3 - <<'PY'
+          import json
+          r = json.load(open("${{ github.workspace }}/audit-report.json"))
+          print(f"- **Desktops scanned:** {r['stats']['desktops']}")
+          print(f"- **(release, arch) combinations in scope:** {r['stats']['scope']}")
+          print(f"- **Package availability checks:** {r['stats']['package_lookups']}")
+          print(f"- **Holes found:** {r['stats']['holes']}")
+          print(f"- **Releases not covered:** {len(r['missing_releases'])}")
+          print()
+          if r['missing_releases']:
+              print("### Missing releases")
+              print()
+              print("| release | status | name | architectures |")
+              print("|---|---|---|---|")
+              for m in r['missing_releases']:
+                  print(f"| `{m['release']}` | {m['support_status']} | {m['name']} | `{','.join(m['architectures'])}` |")
+              print()
+          if r['package_holes']:
+              print("### Package holes")
+              print()
+              print("| de | release | arch | tier | missing |")
+              print("|---|---|---|---|---|")
+              for h in r['package_holes']:
+                  pkgs = ", ".join(f"`{p}`" for p in h['missing'])
+                  print(f"| `{h['de']}` | `{h['release']}` | `{h['arch']}` | `{h['tier']}` | {pkgs} |")
+          PY
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          # Set step output: did we find anything actionable?
+          python3 - <<'PY' >> "$GITHUB_OUTPUT"
+          import json
+          r = json.load(open("${{ github.workspace }}/audit-report.json"))
+          actionable = bool(r['package_holes'] or r['missing_releases'])
+          print(f"actionable={'true' if actionable else 'false'}")
+          PY
+
+      - name: "Upload audit report"
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: audit-report
+          path: ${{ github.workspace }}/audit-report.json
+          retention-days: 30
+
+      - name: "Run Claude apply step"
+        id: apply
+        if: steps.audit.outputs.actionable == 'true' && github.event.inputs.dry_run != 'true'
+        working-directory: configng
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+        run: |
+          set -euo pipefail
+          if [[ -z "${ANTHROPIC_API_KEY:-}" ]]; then
+            echo "::warning::ANTHROPIC_API_KEY secret not set; skipping Claude apply step"
+            echo "skipped=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          python3 tools/desktops/audit_apply.py \
+            --report "${{ github.workspace }}/audit-report.json" \
+            --configng-repo "${{ github.workspace }}/configng" \
+            --summary-output "${{ github.workspace }}/audit-summary.md"
+          echo "skipped=false" >> "$GITHUB_OUTPUT"
+
+      - name: "Open / update pull request"
+        if: |
+          steps.audit.outputs.actionable == 'true' &&
+          github.event.inputs.dry_run != 'true' &&
+          steps.apply.outputs.skipped != 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          path: configng
+          branch: bot/desktop-matrix-audit
+          delete-branch: true
+          base: main
+          commit-message: |
+            desktops: weekly matrix audit fixes (bot)
+
+            Generated by .github/workflows/maintenance-desktop-audit.yml
+            via Claude API based on the deterministic findings of
+            tools/desktops/audit.py.
+          title: "desktops: weekly matrix audit fixes (bot)"
+          body-path: ${{ github.workspace }}/audit-summary.md
+          labels: |
+            bot
+            desktops
+            documentation
+          draft: true