CI Job Audit — Pre-Phase 2 Verification
Date: 2026-06-10 (updated 2026-07-01)
Purpose: Document what each CI job validates, false-positive risks, and mitigation status.
Required checks (branch protection)
| Context | Workflow job | Validates | False-positive risk | Mitigation |
|---|---|---|---|---|
| repo-guards | repo-guards | Layout, secrets, large files | Low | — |
| markdownlint | markdown | Markdown style | Low | — |
| gitleaks | secrets | Secret scan | Low | — |
| CodeQL | codeql.yml | Static security analysis | Low | — |
| trivy | trivy | FS vulnerability scan | Low | — |
| osv-scan / osv-scan | osv-scan | Dependency CVEs | Low | — |
| semgrep | semgrep.yml | SAST rules | Low | — |
| golangci-lint | golangci-lint | Go lint (packages + auth + proxy) | Medium: weaker than cursor rules | Incremental linter enablement deferred |
| security-integration | security-integration | M1.5.1 TestSecurity_* matrix | Was critical: -run with 0 matches exits 0 | Pre-flight -list count ≥ 28 |
| go-race | go-race | Unit tests under -race | Medium: no integration + race | Nightly dispatch via nightly.yml |
| go-services (auth) | go-services matrix | Unit tests + gofmt + build | Was informational | Promoted; -count=1 |
| go-services (proxy) | go-services matrix | Unit tests + gofmt + build | Was informational | Promoted; -count=1 |
| proxy-auth-smoke | proxy-auth-smoke | Full proxy unit + integration | Was informational | Promoted; -count=1 |
| bandit | bandit | Python SAST | High until memory service exists: exits 0 if the service is missing | Not required until services/memory exists |
| hadolint | hadolint | Dockerfile lint | Low (exits 0 if no Dockerfiles) | — |
| coverage | coverage | Merged unit+integration Go coverage ≥80% on hand-written scope; Codecov upload | Medium: Postgres service required | infra/scripts/coverage-gate.sh filters packages/proto/gen/go |
| go-mod-tidy | go-mod-tidy | go.mod / go.sum tidy | Low | go mod tidy + git diff --exit-code |
| shellcheck | shellcheck | Shell scripts in .github/scripts + infra/scripts | Low | Mirrors pre-commit hook |
| dependency-review | dependency-review.yml | PR dependency policy | Low | Separate workflow |
| buf-lint | buf-lint | buf lint on protos | Low | buf breaking moved to informational buf-breaking job |
| proto-contract | proto-contract | Buf contract tests | Low | — |
| db-migrate-smoke | db-migrate-smoke | Migration idempotency | Medium: Postgres required | — |
| auth-validate-smoke | auth-validate-smoke | Auth integration | Medium | -count=1 |
| proxy-agent-verify-smoke | proxy-agent-verify-smoke | SEC-2/SEC-3 subset | Medium | Explicit -run + count guard |
| compose-validate | compose-validate | Compose config syntax | Low | — |
| govulncheck | govulncheck | Reachable Go vulnerabilities | Low | Complements OSV/Trivy FS |
| semantic-pr-title | semantic-pr-title | Conventional PR titles | Low | semantic-pr.yml |
| license-check | license-check | Dependency license allowlist | Medium | MIT, Apache-2.0, BSD, ISC, Unicode-DFS-2016, MPL-2.0 allowed; AGPL/GPL denied |
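Two of the mitigations in this table are easy to get subtly wrong, so here they are spelled out as an added shell example (this is not the repository's own infra/scripts code): the pre-flight `-list` count that closes the "-run with 0 matches exits 0" gap used by security-integration and proxy-agent-verify-smoke, and a coverage gate that drops generated packages/proto/gen/go before comparing against the 80% threshold. Function names (count_listed_tests, guard_min_tests, run_guarded_tests, coverage_percent, coverage_gate) and the coverprofile lines used to exercise them are assumptions of the example; the minimum of 28 matches and the 80% gate are the values in the table. Only run_guarded_tests needs a Go toolchain; the guards themselves work on plain text so they can be checked offline.

```shell
#!/usr/bin/env bash
# Added example, not the project's own infra/scripts: the "-list count" pre-flight
# and a generated-code-aware coverage gate, written to be testable without Go.
set -eu

# Count test names in `go test -list` output. Test names are one per line; the
# trailing "ok <pkg> <time>" summary lines do not start with "Test" and are skipped.
count_listed_tests() {
  grep -c '^Test' || true   # grep -c still prints 0 when nothing matches, but exits 1
}

# guard_min_tests LISTING MIN: fail unless LISTING names at least MIN tests.
# `go test -run` with a pattern that matches nothing exits 0, so a typo in the
# pattern would otherwise pass the job vacuously; this makes it fail loudly.
guard_min_tests() {
  local listing="$1" min="$2" n
  n=$(printf '%s\n' "$listing" | count_listed_tests)
  if [ "$n" -lt "$min" ]; then
    echo "pre-flight: $n tests matched, expected >= $min" >&2
    return 1
  fi
  echo "pre-flight: $n tests matched (>= $min)"
}

# run_guarded_tests PATTERN MIN [go test args...]: the shape of a CI step that
# first lists, then runs. Example: run_guarded_tests 'TestSecurity_' 28 ./...
run_guarded_tests() {
  local pattern="$1" min="$2" listing
  shift 2
  listing=$(go test -list "$pattern" "$@")
  guard_min_tests "$listing" "$min"
  go test -count=1 -run "$pattern" "$@"
}

# coverage_percent EXCLUDE_PREFIX < coverprofile: statement coverage after
# dropping blocks whose file path starts with EXCLUDE_PREFIX (generated code).
# Coverprofile lines look like "path/file.go:10.2,12.3 <numstmts> <hitcount>".
coverage_percent() {
  awk -v excl="$1" '
    /^mode:/ { next }
    index($1, excl) == 1 { next }
    { total += $2; if ($3 > 0) covered += $2 }
    END { if (total == 0) print "0.0"; else printf "%.1f\n", 100 * covered / total }'
}

# coverage_gate PROFILE THRESHOLD EXCLUDE_PREFIX: exit 1 when coverage of the
# hand-written scope is below THRESHOLD percent.
coverage_gate() {
  local profile="$1" threshold="$2" excl="$3" pct
  pct=$(coverage_percent "$excl" < "$profile")
  echo "coverage: ${pct}% (gate ${threshold}%, excluding ${excl})"
  awk -v p="$pct" -v t="$threshold" 'BEGIN { exit !(p + 0 >= t + 0) }'
}
```

The point of counting rather than merely checking for non-empty output is that a refactor which renames half of the TestSecurity_* cases would still leave the pattern matching something; a fixed minimum (28 in the table) catches that too. Excluding generated code by path prefix rather than by file name keeps the gate honest whenever a new `.pb.go` is added under the generated tree.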
Informational checks (not merge-blocking)
| Job | Notes |
|---|---|
| buf-breaking | buf breaking against main; continue-on-error: true |
| sbom | SBOM generation (sbom.yml) |
| benchmark | Go benchmarks on main schedule (benchmark.yml) |
| stale | Stale issue/PR hygiene (stale.yml) |
| CodeScene | Advisory code health |
Docs deploy policy
| Path | Trigger | Required upstream jobs |
|---|---|---|
| Docs-only push to main | changes.docs=true, changes.go=false | repo-guards, docs-build |
| Docs + Go push to main | changes.docs=true, changes.go=true | repo-guards, docs-build, docs-go-quality-gate (full Go gate) |
A single docs-deploy job runs only on push to main after merge (never on pull requests).
Docker image publish
docker-publish.yml uses a scan-before-push pipeline: build amd64 OCI artifact → Trivy scan → multi-arch push → provenance attestation.
| Trigger | Tag | :latest pushed |
|---|---|---|
| workflow_run after CI success on main push | latest | Yes |
| release.yml on v*.*.* tag (workflow_call) | tag name (e.g. v1.2.3) | Yes for stable tags; skipped for prereleases (v1.0.0-alpha.1) |
| workflow_dispatch | user-supplied | Yes when tag is latest or stable v*.*.* |
Nightly integration
The weekly schedule on ci.yml was removed (its jobs were skipped on schedule runs anyway). nightly.yml dispatches ci.yml via workflow_dispatch every Sunday at 03:00 UTC.
Known deferrals
- golangci-lint does not yet enable gocyclo/funlen/gosec from cursor rules
- infra/ Go packages not in golangci scope
- Merged integration coverage in Codecov via CI Postgres service; gen/go excluded from gate
- Python (bandit) and TypeScript coverage flags when services land
- Docker image publish runs on CI success (workflow_run), v*.*.* tags via release.yml, or manual workflow_dispatch
Trunk Flaky Tests (JUnit uploads)
All CI jobs that run go test emit JUnit XML via gotestsum (pinned v1.13.0) and upload results to Trunk Flaky Tests (org: ibexharness). Uploads are informational (continue-on-error: true); they do not block merges.
| Convention | Value |
|---|---|
| JUnit output dir | test-results/junit/ (gitignored; created by scripts at runtime) |
| Test runner wrapper | infra/scripts/go-test-gotestsum.sh <out.xml> -- [go test args...] |
| Upload script | infra/scripts/trunk-upload-junit.sh |
| Composite actions | .github/actions/setup-gotestsum, .github/actions/trunk-upload-junit |
| Secrets | TRUNK_API_TOKEN, TRUNK_ORG_URL_SLUG |
| Retries | None — callers must pass -count=1 |
Variants (Trunk --variant): proto-contract-unit, proto-contract-integration, db-migrate-unit, db-migrate-integration, auth-smoke-unit, auth-smoke-integration, proxy-auth-unit, proxy-auth-integration, proxy-agent-verify-unit, proxy-agent-verify-integration, security-integration, go-race, go-services-auth, go-services-proxy, coverage-unit, coverage-integration.
Local validation (Linux/macOS or WSL):

```bash
go install gotest.tools/gotestsum@v1.13.0
bash infra/scripts/go-test-gotestsum.sh test-results/junit/local-validate.xml -- \
  -count=1 ./packages/reqid/...
bash infra/scripts/trunk-validate-junit.sh test-results/junit/local-validate.xml
```

Manual ops
After promoting checks, apply .github/branch-protection-main.json on GitHub repository settings.