ci(actions): route CI by evidence-bearing change surface#32
Merged
Conversation
Constraint: TFY must keep one stable branch-protection status while avoiding always-heavy CI and preserving truthful release/npm claims.
Rejected: Keep scripts/* and all docs as coarse buckets | it over-triggers heavy lanes and misses claim-doc validation precision.
Confidence: high
Scope-risk: moderate
Directive: Keep ci-required as the required check; optional lane jobs intentionally skip and release-tools must stay pinned per release run.
Tested: ruby YAML parse; bash /tmp/ci-route-assertions.sh; /tmp/actionlint-1.7.12/actionlint .github/workflows/ci.yml .github/workflows/release.yml; node scripts/validate-command-support-matrix.js; npm test --prefix npm/tfy-cli; node scripts/check-release-version.js --version 0.1.0-preview.1 --channel preview --source-ref develop --json; node scripts/npm-publish-plan.js --version 0.1.0-preview.1 --channel preview --source-ref develop --json; node scripts/npm-dist-tag-check.js --version 0.1.0-preview.1 --channel preview --dist-tags-json '{"preview":"0.1.0-preview.1","latest":"0.1.0"}' --json; git diff --check; ./scripts/verify.sh.
Not-tested: Live GitHub branch-protection and npm Trusted Publishing settings were not changed or exercised; live npm dist-tag registry currently fails the guard because latest points at an existing preview tag.
Constraint: workflow-check now actionlints release.yml, so pre-existing shellcheck warnings must be explicitly documented or fixed. Rejected: Disable actionlint shellcheck globally | it would weaken workflow semantic coverage. Confidence: high Scope-risk: narrow Directive: Keep local JavaScript template literals single-quoted for node while documenting shellcheck suppressions inline. Tested: /tmp/actionlint-1.7.12/actionlint .github/workflows/ci.yml .github/workflows/release.yml; ruby YAML parse for all workflows; git diff --check; ./scripts/verify.sh. Not-tested: GitHub Actions rerun is pending after this follow-up commit.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Scope
claim-docs-checklane for public claim docs and command-support/benchmark matrices.ci-requiredas the single stable branch-protection check while optional lane jobs intentionally skip when not required.release-toolsonce in preflight and reusing that SHA downstream../scripts/verify.shin the release verify job.workflow-checklints release.yml too.Validation
ruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].each { |path| YAML.load_file(path); puts "parsed #{path}" }'bash /tmp/ci-route-assertions.sh/tmp/actionlint-1.7.12/actionlint .github/workflows/ci.yml .github/workflows/release.ymlnode scripts/validate-command-support-matrix.jsnpm test --prefix npm/tfy-clinode scripts/check-release-version.js --version 0.1.0-preview.1 --channel preview --source-ref develop --jsonnode scripts/npm-publish-plan.js --version 0.1.0-preview.1 --channel preview --source-ref develop --jsonnode scripts/npm-dist-tag-check.js --version 0.1.0-preview.1 --channel preview --dist-tags-json '{"preview":"0.1.0-preview.1","latest":"0.1.0"}' --jsongit diff --check./scripts/verify.shSupported claims
ci-required, not optional lane jobs.Unsupported / not exercised
latestpoints at an existing preview tag.Risk notes
release-toolstrust still begins at the repository default branch, but the selected commit is now captured once and reused throughout the release run.