CI Job Audit — Pre-Phase 2 Verification

Date: 2026-06-10 (updated 2026-07-01)
Purpose: Document what each CI job validates, false-positive risks, and mitigation status.

Required checks (branch protection)

| Context | Workflow job | Validates | False-positive risk | Mitigation |
| --- | --- | --- | --- | --- |
| repo-guards | repo-guards | Layout, secrets, large files | Low | |
| markdownlint | markdown | Markdown style | Low | |
| gitleaks | secrets | Secret scan | Low | |
| CodeQL | codeql.yml | Static security analysis | Low | |
| trivy | trivy | FS vulnerability scan | Low | |
| osv-scan / osv-scan | osv-scan | Dependency CVEs | Low | |
| semgrep | semgrep.yml | SAST rules | Low | |
| golangci-lint | golangci-lint | Go lint (packages + auth + proxy) | Medium: weaker than cursor rules | Incremental linter enablement deferred |
| security-integration | security-integration | M1.5.1 `TestSecurity_*` matrix | Was critical: `-run` with 0 matches exits 0 | Pre-flight `-list` count ≥ 28 |
| go-race | go-race | Unit tests under `-race` | Medium: no integration + race | Nightly dispatch via nightly.yml |
| go-services (auth) | go-services matrix | Unit tests + gofmt + build | Was informational | Promoted; `-count=1` |
| go-services (proxy) | go-services matrix | Unit tests + gofmt + build | Was informational | Promoted; `-count=1` |
| proxy-auth-smoke | proxy-auth-smoke | Full proxy unit + integration | Was informational | Promoted; `-count=1` |
| bandit | bandit | Python SAST | High until memory service: exits 0 if missing | Not required until services/memory exists |
| hadolint | hadolint | Dockerfile lint | Low (exits 0 if no Dockerfiles) | |
| coverage | coverage | Merged unit+integration Go coverage ≥80% on hand-written scope; Codecov upload | Medium: Postgres service required | infra/scripts/coverage-gate.sh filters packages/proto/gen/go |
| go-mod-tidy | go-mod-tidy | go.mod / go.sum tidy | Low | `go mod tidy` + `git diff --exit-code` |
| shellcheck | shellcheck | Shell scripts in .github/scripts + infra/scripts | Low | Mirrors pre-commit hook |
| dependency-review | dependency-review.yml | PR dependency policy | Low | Separate workflow |
| buf-lint | buf-lint | `buf lint` on protos | Low | `buf breaking` moved to informational buf-breaking job |
| proto-contract | proto-contract | Buf contract tests | Low | |
| db-migrate-smoke | db-migrate-smoke | Migration idempotency | Medium: Postgres required | |
| auth-validate-smoke | auth-validate-smoke | Auth integration | Medium | `-count=1` |
| proxy-agent-verify-smoke | proxy-agent-verify-smoke | SEC-2/SEC-3 subset | Medium | Explicit `-run` + count guard |
| compose-validate | compose-validate | Compose config syntax | Low | |
| govulncheck | govulncheck | Reachable Go vulnerabilities | Low | Complements OSV/Trivy FS |
| semantic-pr-title | semantic-pr-title | Conventional PR titles | Low | semantic-pr.yml |
| license-check | license-check | Dependency license allowlist | Medium | MIT, Apache-2.0, BSD, ISC, Unicode-DFS-2016, MPL-2.0 allowed; AGPL/GPL denied |
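
The `-run` zero-match false positive called out for security-integration, together with the pre-flight `-list` count guard the table names as its mitigation, as an added shell example (not the project's own script; the package path and the `TestSecurity_` pattern are assumptions, the threshold of 28 is the page's):

```bash
#!/usr/bin/env bash
# Added example (not the project's own script). Guards the false positive noted
# for security-integration: `go test -run PATTERN` with zero matching tests
# still exits 0, so a renamed or deleted test silently turns the job green.
# Mitigation: run `go test -list PATTERN` first and require a minimum count.
set -euo pipefail

# count_listed_tests PATTERN
# Reads `go test -list` output on stdin and prints how many lines name a test
# matching PATTERN. Per-package summary lines ("ok <pkg> <time>", "? <pkg>")
# never start with the pattern, so they are not counted.
count_listed_tests() {
  local pattern="$1"
  grep -c -E "^${pattern}" || true   # grep -c prints 0 (and exits 1) on no match
}

# require_min_tests MIN PATTERN
# Fails (exit 1) when fewer than MIN tests are listed; otherwise reports the
# count and exits 0 so the real `go test -run PATTERN` may follow.
require_min_tests() {
  local min="$1" pattern="$2" n
  n="$(count_listed_tests "$pattern")"
  if [ "$n" -lt "$min" ]; then
    echo "pre-flight: expected >= $min tests matching '$pattern', -list found $n" >&2
    return 1
  fi
  echo "pre-flight: $n tests match '$pattern' (>= $min), proceeding" >&2
}

# CI usage (assumed package path; 28 is the threshold from the audit table; needs Go):
#   go test -list 'TestSecurity_' ./packages/... | require_min_tests 28 'TestSecurity_' \
#     && go test -run 'TestSecurity_' -count=1 ./packages/...
# Stand-alone demo on a constructed listing (not real `go test` output):
if [ "${1:-}" = "--demo" ]; then
  printf 'TestSecurity_TokenExpiry\nTestSecurity_ReplayRejected\nok\texample.com/m\t0.010s\n' \
    | require_min_tests 2 'TestSecurity_'
fi
```

Run with `--demo` to see the guard accept a two-test listing; feeding it an empty listing (the failure mode the table describes) makes it exit 1 instead of letting the job pass.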

Informational checks (not merge-blocking)

| Job | Notes |
| --- | --- |
| buf-breaking | `buf breaking` against main; `continue-on-error: true` |
| sbom | SBOM generation (sbom.yml) |
| benchmark | Go benchmarks on main schedule (benchmark.yml) |
| stale | Stale issue/PR hygiene (stale.yml) |
| CodeScene | Advisory code health |

Docs deploy policy

| Path | Trigger | Required upstream jobs |
| --- | --- | --- |
| Docs-only push to main | `changes.docs=true`, `changes.go=false` | repo-guards, docs-build |
| Docs + Go push to main | `changes.docs=true`, `changes.go=true` | repo-guards, docs-build, docs-go-quality-gate (full Go gate) |

A single docs-deploy job runs only on push to main after merge (never on pull requests).

Docker image publish

docker-publish.yml uses a scan-before-push pipeline: build amd64 OCI artifact → Trivy scan → multi-arch push → provenance attestation.

| Trigger | Tag | `:latest` pushed |
| --- | --- | --- |
| `workflow_run` after CI success on main push | latest | Yes |
| release.yml on `v*.*.*` tag (`workflow_call`) | tag name (e.g. v1.2.3) | Yes for stable tags; skipped for prereleases (v1.0.0-alpha.1) |
| `workflow_dispatch` | user-supplied | Yes when tag is latest or stable `v*.*.*` |

Nightly integration

The weekly schedule on ci.yml was removed (jobs skipped on schedule). nightly.yml dispatches ci.yml via workflow_dispatch every Sunday 03:00 UTC.

Known deferrals

  • golangci-lint does not yet enable gocyclo/funlen/gosec from cursor rules
  • infra/ Go packages not in golangci scope
  • Merged integration coverage in Codecov via CI Postgres service; gen/go excluded from gate
  • Python (bandit) and TypeScript coverage flags when services land
  • Docker image publish runs on CI success (workflow_run), v*.*.* tags via release.yml, or manual workflow_dispatch

Trunk Flaky Tests (JUnit uploads)

All CI jobs that run go test emit JUnit XML via gotestsum (pinned v1.13.0) and upload results to Trunk Flaky Tests (org: ibexharness). Uploads are informational (continue-on-error: true); they do not block merges.

| Convention | Value |
| --- | --- |
| JUnit output dir | test-results/junit/ (gitignored; created by scripts at runtime) |
| Test runner wrapper | `infra/scripts/go-test-gotestsum.sh <out.xml> -- [go test args...]` |
| Upload script | infra/scripts/trunk-upload-junit.sh |
| Composite actions | .github/actions/setup-gotestsum, .github/actions/trunk-upload-junit |
| Secrets | TRUNK_API_TOKEN, TRUNK_ORG_URL_SLUG |
| Retries | None — callers must pass `-count=1` |

Variants (Trunk --variant): proto-contract-unit, proto-contract-integration, db-migrate-unit, db-migrate-integration, auth-smoke-unit, auth-smoke-integration, proxy-auth-unit, proxy-auth-integration, proxy-agent-verify-unit, proxy-agent-verify-integration, security-integration, go-race, go-services-auth, go-services-proxy, coverage-unit, coverage-integration.

Local validation (Linux/macOS or WSL):

```bash
go install gotest.tools/gotestsum@v1.13.0
bash infra/scripts/go-test-gotestsum.sh test-results/junit/local-validate.xml -- \
  -count=1 ./packages/reqid/...
bash infra/scripts/trunk-validate-junit.sh test-results/junit/local-validate.xml
```

Manual ops

After promoting checks, apply .github/branch-protection-main.json on GitHub repository settings.
