Skip to content

ci(actions): route CI by evidence-bearing change surface#32

Merged
hefxpzwk merged 2 commits into
developfrom
feature/action-lane-ci-release
Jul 2, 2026
Merged

ci(actions): route CI by evidence-bearing change surface#32
hefxpzwk merged 2 commits into
developfrom
feature/action-lane-ci-release

Conversation

@hefxpzwk

@hefxpzwk hefxpzwk commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Scope

  • Add a path-aware claim-docs-check lane for public claim docs and command-support/benchmark matrices.
  • Keep ci-required as the single stable branch-protection check while optional lane jobs intentionally skip when not required.
  • Refine CI route taxonomy so inert docs/assets stay lightweight, claim docs validate claims, release/npm helpers use npm lanes, package/dry-run helpers use Rust+npm, and unknown paths fail closed.
  • Harden release workflow provenance by pinning trusted default-branch release-tools once in preflight and reusing that SHA downstream.
  • Remove duplicate npm helper tests after ./scripts/verify.sh in the release verify job.
  • Align release/branch-protection docs with the workflow behavior.
  • Keep release workflow scripts shellcheck-clean now that workflow-check lints release.yml too.

Validation

  • ruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].each { |path| YAML.load_file(path); puts "parsed #{path}" }'
  • bash /tmp/ci-route-assertions.sh
  • /tmp/actionlint-1.7.12/actionlint .github/workflows/ci.yml .github/workflows/release.yml
  • node scripts/validate-command-support-matrix.js
  • npm test --prefix npm/tfy-cli
  • node scripts/check-release-version.js --version 0.1.0-preview.1 --channel preview --source-ref develop --json
  • node scripts/npm-publish-plan.js --version 0.1.0-preview.1 --channel preview --source-ref develop --json
  • node scripts/npm-dist-tag-check.js --version 0.1.0-preview.1 --channel preview --dist-tags-json '{"preview":"0.1.0-preview.1","latest":"0.1.0"}' --json
  • git diff --check
  • ./scripts/verify.sh

Supported claims

  • Branch protection should require ci-required, not optional lane jobs.
  • Claim-bearing docs/matrices are no longer treated as inert docs; they run the lightweight claim validator.
  • Release policy/npm publish-plan scripts execute from a trusted default-branch tooling checkout pinned once per run.

Unsupported / not exercised

  • No GitHub branch-protection settings were changed.
  • No npm Trusted Publishing settings were changed or live-published.
  • Live npm registry dist-tag state was not treated as a passing release check; current live lookup fails the guard because latest points at an existing preview tag.

Risk notes

  • CI route taxonomy is intentionally duplicated in the workflow self-test; future taxonomy edits must update both the classifier and route assertions.
  • release-tools trust still begins at the repository default branch, but the selected commit is now captured once and reused throughout the release run.

hefxpzwk added 2 commits July 2, 2026 12:50
Constraint: TFY must keep one stable branch-protection status while avoiding always-heavy CI and preserving truthful release/npm claims.

Rejected: Keep scripts/* and all docs as coarse buckets | it over-triggers heavy lanes and misses claim-doc validation precision.

Confidence: high

Scope-risk: moderate

Directive: Keep ci-required as the required check; optional lane jobs intentionally skip and release-tools must stay pinned per release run.

Tested: ruby YAML parse; bash /tmp/ci-route-assertions.sh; /tmp/actionlint-1.7.12/actionlint .github/workflows/ci.yml .github/workflows/release.yml; node scripts/validate-command-support-matrix.js; npm test --prefix npm/tfy-cli; node scripts/check-release-version.js --version 0.1.0-preview.1 --channel preview --source-ref develop --json; node scripts/npm-publish-plan.js --version 0.1.0-preview.1 --channel preview --source-ref develop --json; node scripts/npm-dist-tag-check.js --version 0.1.0-preview.1 --channel preview --dist-tags-json '{"preview":"0.1.0-preview.1","latest":"0.1.0"}' --json; git diff --check; ./scripts/verify.sh.

Not-tested: Live GitHub branch-protection and npm Trusted Publishing settings were not changed or exercised; live npm dist-tag registry currently fails the guard because latest points at an existing preview tag.
Constraint: workflow-check now actionlints release.yml, so pre-existing shellcheck warnings must be explicitly documented or fixed.

Rejected: Disable actionlint shellcheck globally | it would weaken workflow semantic coverage.

Confidence: high

Scope-risk: narrow

Directive: Keep local JavaScript template literals single-quoted for node while documenting shellcheck suppressions inline.

Tested: /tmp/actionlint-1.7.12/actionlint .github/workflows/ci.yml .github/workflows/release.yml; ruby YAML parse for all workflows; git diff --check; ./scripts/verify.sh.

Not-tested: GitHub Actions rerun is pending after this follow-up commit.
@hefxpzwk hefxpzwk marked this pull request as ready for review July 2, 2026 06:34
@hefxpzwk hefxpzwk merged commit 967847d into develop Jul 2, 2026
14 checks passed
@hefxpzwk hefxpzwk deleted the feature/action-lane-ci-release branch July 2, 2026 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant