initial commit

Author: groda

.github/workflows/metricx.yml

@@ -0,0 +1,129 @@
+name: Record clone metrics
+
+on:
+  workflow_call:
+    inputs:
+      observed-repo:
+        description: "Repository to fetch clone metrics from (OWNER/REPO)"
+        required: false
+        default: ${{ github.repository }}
+        type: string
+      metrics-repo:
+        description: "Target repo for storing metrics (OWNER/REPO)"
+        required: true
+        type: string
+    secrets:
+      METRICS_PAT:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  record:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+
+      - name: Fetch clone stats
+        env:
+          GH_TOKEN: ${{ secrets.METRICS_PAT }}
+          OBSERVED_REPO: ${{ inputs.observed-repo }}
+        run: |
+          curl -L \
+            -D headers.txt \
+            -o clones.json \
+            -H "Authorization: Bearer $GH_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/$OBSERVED_REPO/traffic/clones
+
+          CLONES=$(jq -r '.count // 0' clones.json)
+          UNIQUES=$(jq -r '.uniques // 0' clones.json)
+
+          echo "CLONES=$CLONES" >> $GITHUB_ENV
+          echo "UNIQUES=$UNIQUES" >> $GITHUB_ENV
+
+      - name: Debug auth identity
+        env:
+          GH_TOKEN: ${{ secrets.METRICS_PAT }}
+        run: |
+          curl -s \
+            -H "Authorization: Bearer $GH_TOKEN" \
+            https://api.github.com/user | jq '{login, id}'
+
+      - name: Debug repo access
+        env:
+          GH_TOKEN: ${{ secrets.METRICS_PAT }}
+          OBSERVED_REPO: ${{ inputs.observed-repo }}
+        run: |
+          curl -s \
+            -H "Authorization: Bearer $GH_TOKEN" \
+            https://api.github.com/repos/$OBSERVED_REPO | jq '{full_name, private}'
+
+      - name: Debug clone API
+        run: |
+          echo "===== clones.json ====="
+          cat clones.json
+          echo "======================"
+
+      
+      - name: Append and Deduplicate metrics CSV
+        run: |
+          set -e
+
+          # 1. Setup Repo
+          git clone https://x-access-token:${{ secrets.METRICS_PAT }}@github.com/${{ inputs.metrics-repo }}.git metrics-temp
+          cd metrics-temp
+          git config user.name "metrics-bot"
+          git config user.email "[email protected]"
+
+          # 2. Setup File
+          FILE="data/$(echo '${{ github.repository }}' | tr '/' '__').csv"
+          mkdir -p data
+          if [ ! -f "$FILE" ]; then
+            echo "date,repository,clones,uniques" > "$FILE"
+          fi
+
+          REPO="${{ github.repository }}"
+
+          # 3. GET THE LATEST DATE FROM JSON
+          # This looks at the last entry in the clones array and grabs the first 10 chars (YYYY-MM-DD)
+          # Note: the last recorded date is not necessarily today's date
+          LATEST_JSON_DATE=$(jq -r '.clones[-1].timestamp[0:10]' ../clones.json)
+
+          # If for some reason the JSON is empty, fallback to system date to avoid errors
+          if [ "$LATEST_JSON_DATE" == "null" ] || [ -z "$LATEST_JSON_DATE" ]; then
+            LATEST_JSON_DATE=$(date +%F)
+          fi
+
+          # 4. APPEND ALL DATA (Raw)
+          # Get daily stats from clones.json and append to $FILE
+          jq -r --arg REPO "$REPO" '.clones[] | [.timestamp[0:10], $REPO, .count, .uniques] | @csv' ../clones.json >> "$FILE"   
+          # Append the summary using the LATEST_JSON_DATE and the Tilde (~) for sorting
+          jq -r --arg REPO "$REPO" --arg DATE "$LATEST_JSON_DATE" \
+            '[ "\($DATE)~ 14-day total", $REPO, .count, .uniques ] | @csv' ../clones.json >> "$FILE"
+          
+          # 5. DEDUPLICATE AND SORT DESCENDING (The "Magic" Step) 
+          # Check if the first line is actually the header. If not, we add it.
+          if ! head -n 1 "$FILE" | grep -q "^date,"; then
+              # No header found? Prepend it to the file.
+              SED_HEADER="date,repository,clones,uniques"
+              sed -i "1i $SED_HEADER" "$FILE"
+          fi
+          
+          # Save the header to the tmp file first
+          head -n 1 "$FILE" > "$FILE.tmp"
+          # take everything EXCEPT the header (tail -n +2), deduplicate with awk, and sort desc
+          # -F, : Use comma as separator
+          tail -n +2 "$FILE" | awk -F, '{a[$1,$2]=$0} END {for (i in a) print a[i]}' | sort -t, -k1,1r >> "$FILE.tmp"
+          
+          mv "$FILE.tmp" "$FILE"
+
+          # 6. Commit and Push
+          git add "$FILE"
+          git commit -m "metrics: record and deduplicate stats for $REPO" || true
+          git push
+    
+ 

README.md

@@ -1,2 +1,185 @@
-# github-clone-archiver
+# Metrics Workflow 📊
+
 This is a reusable GitHub Actions workflow designed to automate the collection and archival of repository clone statistics. It solves the "14-day limit" problem of GitHub's native traffic insights by persisting data into a central repository.
+
+## 🏗 Architecture
+
+The system uses a **three-repo architecture** to maintain security and organization:
+
+1. **Workflows Repo (`metrics-workflows`)**: Central hub containing the reusable logic (`metrics.yml`).
+2. **Observed Repo(s)**: The repositories being tracked. Each triggers the workflow on a schedule.
+3. **Observer Repo (`metrics-database`)**: The central storage where `.csv` files are maintained and updated.
+
+---
+
+### 🔍 How it Works
+
+GitHub only keeps traffic data (clones and visitors) for **14 days**. This workflow acts as a "Data Logger":
+
+1. It wakes up every day and asks the GitHub API for the clone history of the **Observed Repo**.
+2. It compares this data with the existing logs in your **Observer Repo**.
+3. It appends only the most recent data and updates the "14-day total" summary.
+4. It deduplicates the file and sorts it so the most recent stats are always at the top.
+
+> [!IMPORTANT]
+> **Access Requirement:** You must be the owner or a collaborator with appropriate permissions on the **Observed Repos**. This workflow requires an authorized Personal Access Token (PAT) to read traffic data that is otherwise hidden from the public.
+
+
+---
+
+## 🔐 Security & Permissions
+
+To allow a workflow running in an **Observed Repo** to write data to the **Observer Repo**, specific permissions must be configured via a Fine-Grained Personal Access Token (PAT).
+
+### 1. The Personal Access Token (PAT)
+
+Create a token named **"Metrics Workflow"** in your [Developer Settings](https://github.com/settings/tokens?type=beta) under Personal Access Tokens/Fine-grained tokens:
+
+* **Repository access**:
+ * Select **Only select repositories**.
+ * Include all **Observed Repositories** AND the **Observer Repository**.
+
+
+* **Permissions**:
+ * `Administration`: Read-only (required for some traffic API metadata).
+ * `Metadata`: Read-only.
+ * `Contents`: **Read & Write** (Required to push `.csv` updates).
+
+
+
+### 2. Repository Secrets
+
+In **each** Observed Repo (Settings > Secrets and variables > Actions), add the following secret:
+
+* **Name**: `METRICS_PAT`
+* **Value**: Paste the token generated above.
+
+> [!NOTE]
+> While it may seem like the Observer repo doesn't need a "separate" PAT, it is actually covered by the **"Metrics Workflow" PAT** you created. Because that single token has "Write" access to the Observer repo, it can push the data once the workflow finishes gathering it.
+
+---
+
+## 🚀 Usage
+
+To implement this in an **Observed Repo**, create a file at `.github/workflows/metrics.yml`:
+
+```yaml
+name: Collect Metrics
+
+on:
+  schedule:
+    - cron: '0 0 * * *' # Runs daily at midnight
+  workflow_dispatch:    # Allows manual triggering
+
+jobs:
+    update-metrics:
+    # This is required for the runner to operate within the Observed repo
+    permissions:
+      contents: read
+    uses: myspace/workflows-repo/.github/workflows/metrics.yml@main
+    with:
+      metrics-repo: myspace/observer-repo
+    secrets:
+      METRICS_PAT: ${{ secrets.METRICS_PAT }}
+
+```
+
+This is your caller workflow for the observed repository.
+
+---
+
+## 📈 Data Structure
+
+The workflow generates/updates a CSV file named after the repository (e.g., `myspace_observed-repo.csv`).
+
+### Sorting Logic:
+
+The CSV is automatically deduplicated and sorted in **reverse chronological order** (newest first).
+
+* **Daily Stats**: Recorded as `YYYY-MM-DD`.
+* **14-day Totals**: Recorded as `YYYY-MM-DD~ 14-day total`.
+
+The use of the tilde (`~`) ensures that in a descending sort, the **Total** summary for a specific day appears immediately **above** the individual daily stats for that same day.
+
+---
+
+## 🛠 Maintenance
+
+* **Adding Repos**: To track a new repository, simply add the `METRICS_PAT` secret to the new repo and create the caller workflow.
+* **Data Integrity**: The workflow uses `awk` to ensure that if it runs multiple times in one day, only the most recent (most complete) data point is saved, preventing duplicates.
+
+---
+
+## 🛡️🔐 Single Token vs. High Security
+
+This workflow requires cross-repository permissions. You can choose between a **Standard** setup (the current setup, easier to maintain) or a **High Security** setup (follows the Principle of Least Privilege).
+
+### Option 1: Standard Setup (Single Token)
+
+Recommended for solo developers or small setups.
+
+* **Token Name**: `Metrics-Unified-Token`
+* **Scope**: All Observed Repos **AND** the Observer Repo.
+* **Permissions**:
+* `Metadata`: Read-only
+* `Administration`: Read-only
+* `Contents`: **Read & Write**
+
+
+* **Workflow Secret**: Store as `METRICS_PAT` in all Observed repos.
+
+### Option 2: High Security Setup (Dual Token)
+
+Recommended for teams or sensitive source code. This ensures the "Writer" token cannot be used to modify source code in your Observed repositories.
+
+#### A. The "Traffic Reader" Token
+
+* **Scope**: All **Observed Repos** only.
+* **Permissions**: `Metadata` (Read), `Administration` (Read).
+* **Usage**: Used by the workflow to fetch clone data from the GitHub API.
+* **Secret Name**: `READER_PAT`
+
+#### B. The "Database Writer" Token
+
+* **Scope**: The **Observer Repo** only.
+* **Permissions**: `Contents` (Read & Write).
+* **Usage**: Used by the workflow to `git push` the CSV file.
+* **Secret Name**: `WRITER_PAT`
+
+---
+
+## 🛡️🚀 Usage (High Security Example)
+
+If you choose the **High Security** route, update your caller workflow in the Observed Repo as follows:
+
+```yaml
+jobs:
+  update-metrics:
+    uses: myspace/workflows-repo/.github/workflows/metrics.yml@main
+    with:
+      metrics-repo: myspace/observer-repo
+    secrets:
+      # We pass the Writer token to the reusable workflow
+      # so it can push to the central database repo
+      METRICS_PAT: ${{ secrets.WRITER_PAT }}
+
+```
+
+> [!TIP]
+> **Why do we pass the Writer token?** > The GitHub Actions default `GITHUB_TOKEN` can read the current repo's traffic. By passing the `WRITER_PAT` as the `METRICS_PAT` secret, the workflow gains the specific authority needed to write to the **Observer Repo** without needing permission to write to your source code.
+
+---
+
+## 🛡️🗂️ Permission Table Reference
+
+| Permission | Requirement | Reason |
+| --- | --- | --- |
+| `Metadata` | Read | Basic repository access |
+| `Administration` | Read | Required to access `/traffic/clones` API |
+| `Contents` | Read/Write | Required to push `.csv` changes to Observer Repo |
+
+---
+
+### How to verify your permissions
+
+If the workflow fails with a `403 Forbidden` error during the **push** phase, check that your PAT (the one passed to `METRICS_PAT`) has `Contents: Write` access specifically for the **Observer Repo**.