feat(catalog): validation cleanup + pipeline-self-validates roll-up
Summary
The catalog's self-validation was scattered across job names that didn't read as validation. Two moves:
- Rename validation jobs into a `validate:` namespace so the validation surface is legible from the pipeline view alone:
  - `syntax` → `validate:templates:syntax`
  - `lint-templates` → `validate:templates:shape`
  - sim-* names stay (component `job_name` input regex disallows colons)
- Add `pipeline-self-validates` at the end of the sim stage. Reads every `validate:`, `sim-`, `build:*`, `secret_detection`, `container_scanning` job in the pipeline via the Jobs API (JOB-TOKEN auth), detects diff class from the MR's changed files, emits `pipeline-self-validation.md` with per-job status table + single-line verdict.
Verdict logic
SAFE iff every non-allow_failure validation job is success/skipped/created. NOT SAFE otherwise.
Why
Renovate is actuating weekly. Each bump's "is this safe?" question deserves a structured answer in one artifact, not lore-based pipeline reading. This is the renovate-confidence concept generalized to all changes, not just Renovate-bot MRs.
Test plan
- MR pipeline green; new `pipeline-self-validates` job appears at end of sim stage
- Artifact (`pipeline-self-validation.md`) renders with the validation table + correct diff class + SAFE verdict
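
The verdict rule described under "Verdict logic", as an added example that is not code from this commit: it filters Jobs API style records by the job-name patterns listed in the summary and fails closed on any status outside success/skipped/created. The sample jobs, the prefix-matching regex, the function names and the report layout are assumptions made for illustration.

```python
import re

# Name patterns from the commit message; matching them as prefixes is an assumption.
VALIDATION_NAME = re.compile(
    r"^(validate:|sim-|build:)|^(secret_detection|container_scanning)$"
)
# Statuses the commit message treats as passing.
PASSING = {"success", "skipped", "created"}

# Constructed sample shaped like GitLab Jobs API objects (name, status, allow_failure).
SAMPLE_JOBS = [
    {"name": "validate:templates:syntax", "status": "success", "allow_failure": False},
    {"name": "validate:templates:shape", "status": "success", "allow_failure": False},
    {"name": "sim-docker-build", "status": "skipped", "allow_failure": False},
    {"name": "container_scanning", "status": "failed", "allow_failure": True},
    {"name": "secret_detection", "status": "success", "allow_failure": False},
    {"name": "deploy-docs", "status": "failed", "allow_failure": False},
    # The roll-up job is still running when it reads the API; its name matches
    # none of the patterns, so it never judges itself.
    {"name": "pipeline-self-validates", "status": "running", "allow_failure": False},
]

def validation_jobs(jobs):
    """Keep only jobs whose names fall in the validation surface."""
    return [j for j in jobs if VALIDATION_NAME.search(j["name"])]

def verdict(jobs):
    """Return ("SAFE" | "NOT SAFE", list of blocking jobs)."""
    blocking = [
        j for j in validation_jobs(jobs)
        # A missing allow_failure field is treated as False (fail closed).
        if not j.get("allow_failure", False) and j["status"] not in PASSING
    ]
    return ("SAFE" if not blocking else "NOT SAFE"), blocking

def render_report(jobs):
    """Markdown table of validation jobs followed by a single-line verdict."""
    result, _ = verdict(jobs)
    lines = ["| job | status | allow_failure |", "| --- | --- | --- |"]
    for j in sorted(validation_jobs(jobs), key=lambda j: j["name"]):
        lines.append(f"| `{j['name']}` | {j['status']} | {j.get('allow_failure', False)} |")
    lines += ["", f"Verdict: {result}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(SAMPLE_JOBS))
```

A validation job that is still `running`, `pending`, `manual` or `canceled` yields NOT SAFE under this rule, so the roll-up only gives a meaningful answer once the jobs it reads have finished.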