CI: Establish source-first quality gate and simplify pipeline flow #71

Merged
darkhelm merged 16 commits from feature/issue-60-source-fast-check-lane into main 2026-07-02 07:21:23 -04:00
Owner

This PR establishes a deterministic source-level quality gate before any build promotion and removes redundant post-build quality checks.

The new flow makes local developer workflow and CI behavior align:

  • Developers run pre-commit locally (with auto-fix where appropriate)
  • CI runs a check-only smoke gate to validate pre-commit cleanliness
  • Build/test promotion only proceeds after source checks pass

What Changed

1. Added a source-first quality gate

  • Added a dedicated source gate workflow:
    • .gitea/workflows/cicd-source-checks.yaml
  • Gate now:
    • Checks out target SHA
    • Bootstraps backend/frontend toolchains
    • Installs dependencies (backend via uv, frontend via yarn)
    • Runs pre-commit --all-files as the quality smoke test
  • Downstream build dispatch only occurs if this gate passes.

2. Updated pipeline routing

  • cicd-start.yaml now dispatches the source gate first.
  • cicd-start.yaml push trigger now includes all branches so feature branches run the same gate.
  • Added explicit routing logs in dispatch steps (route decision, SHA, trace id) for easier debugging.

3. Removed redundant checks workflow

  • Removed:
    • .gitea/workflows/cicd-checks.yaml
  • Updated:
    • .gitea/workflows/docker-build-main.yaml now dispatches cicd-tests.yaml directly after successful main build.

4. CI check-only behavior vs local auto-fix behavior

Updated .pre-commit-config.yaml so hooks that can auto-fix behave as:

  • Local developer pre-commit: auto-fix enabled
  • CI source gate: check-only (no auto-fix)

Applied to:

  • ruff / ruff-format
  • eslint
  • prettier
  • tsdoc-lint
  • markdownlint
  • pretty-format-toml

This keeps CI as a true smoke validation of local pre-commit compliance.

5. Renovate workflow hardening

  • Improved auth/token handling and diagnostics in:
    • .gitea/workflows/renovate.yml
  • Added support for internal/self-signed TLS endpoints used by this environment.

Why

  • Faster, earlier feedback on source quality failures
  • Avoid expensive build/test progression when source hygiene fails
  • Align CI with developer habits for predictable outcomes
  • Remove duplicated quality checks and reduce pipeline complexity

New Effective CI Flow

  1. cicd-start.yaml
  2. cicd-source-checks.yaml (pre-commit smoke gate)
  3. docker-build-base.yaml / docker-build-main.yaml
  4. cicd-tests.yaml

Acceptance Criteria Mapping (Issue #60)

  • Source-level lane runs independently and consistently: Implemented
  • Source-lane failure blocks promotion: Implemented
  • Outputs/logging are clear and actionable: Implemented

Notes

  • Source gate is intentionally check-only in CI.
  • Developers should continue running local pre-commit before pushing.
  • Any remaining failures in source gate indicate local pre-commit was not fully clean.
This PR establishes a deterministic source-level quality gate before any build promotion and removes redundant post-build quality checks. The new flow makes local developer workflow and CI behavior align: - Developers run pre-commit locally (with auto-fix where appropriate) - CI runs a check-only smoke gate to validate pre-commit cleanliness - Build/test promotion only proceeds after source checks pass ## What Changed ### 1. Added a source-first quality gate - Added a dedicated source gate workflow: - `.gitea/workflows/cicd-source-checks.yaml` - Gate now: - Checks out target SHA - Bootstraps backend/frontend toolchains - Installs dependencies (`backend` via `uv`, `frontend` via `yarn`) - Runs `pre-commit --all-files` as the quality smoke test - Downstream build dispatch only occurs if this gate passes. ### 2. Updated pipeline routing - `cicd-start.yaml` now dispatches the source gate first. - `cicd-start.yaml` push trigger now includes all branches so feature branches run the same gate. - Added explicit routing logs in dispatch steps (route decision, SHA, trace id) for easier debugging. ### 3. Removed redundant checks workflow - Removed: - `.gitea/workflows/cicd-checks.yaml` - Updated: - `.gitea/workflows/docker-build-main.yaml` now dispatches `cicd-tests.yaml` directly after successful main build. ### 4. CI check-only behavior vs local auto-fix behavior Updated `.pre-commit-config.yaml` so hooks that can auto-fix behave as: - **Local developer pre-commit**: auto-fix enabled - **CI source gate**: check-only (no auto-fix) Applied to: - `ruff` / `ruff-format` - `eslint` - `prettier` - `tsdoc-lint` - `markdownlint` - `pretty-format-toml` This keeps CI as a true smoke validation of local pre-commit compliance. ### 5. Renovate workflow hardening - Improved auth/token handling and diagnostics in: - `.gitea/workflows/renovate.yml` - Added support for internal/self-signed TLS endpoints used by this environment. ## Why - Faster, earlier feedback on source quality failures - Avoid expensive build/test progression when source hygiene fails - Align CI with developer habits for predictable outcomes - Remove duplicated quality checks and reduce pipeline complexity ## New Effective CI Flow 1. `cicd-start.yaml` 2. `cicd-source-checks.yaml` (pre-commit smoke gate) 3. `docker-build-base.yaml` / `docker-build-main.yaml` 4. `cicd-tests.yaml` ## Acceptance Criteria Mapping (Issue #60) - Source-level lane runs independently and consistently: **Implemented** - Source-lane failure blocks promotion: **Implemented** - Outputs/logging are clear and actionable: **Implemented** ## Notes - Source gate is intentionally check-only in CI. - Developers should continue running local pre-commit before pushing. - Any remaining failures in source gate indicate local pre-commit was not fully clean.
darkhelm added 16 commits 2026-07-02 07:20:44 -04:00
ci: trigger cicd start on all branch pushes
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 21s
2e238033fb
ci: log explicit downstream workflow routing
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 37s
b80a228425
ci: fix source-check checkout and manifest guards
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 29s
7e16206435
ci: make source-check containers shell-portable
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 20s
0f86faeed7
ci: fix source-check workspace permissions for containers
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 33s
2b89bcf82b
ci: stream source into containers for source checks
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 15s
286e7fa9dd
ci: include repo readme in backend source-check archive
Some checks are pending
CICD Start / Sanity and Base Decision (push) Waiting to run
476350ad12
ci: install libatomic1 for backend pyright runtime
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 20s
9a7cd54db5
ci: allow renovate auth over self-signed tls
Some checks are pending
CICD Start / Sanity and Base Decision (push) Waiting to run
4c90d1fc9b
ci: run unified source gate via pre-commit
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 14s
26ca111153
ci: make source pre-commit gate check-only
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 32s
2240552c83
ci: make markdown and toml hooks fix locally only
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 38s
e224bf57c6
ci: fix toml pre-commit check mode
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 13s
e78da48dbb
ci: remove cicd-checks workflow and dispatch tests directly
All checks were successful
CICD Start / Sanity and Base Decision (push) Successful in 24s
CICD Start / Sanity and Base Decision (pull_request) Successful in 24s
730318ef38
darkhelm merged commit 549469f105 into main 2026-07-02 07:21:23 -04:00
darkhelm deleted branch feature/issue-60-source-fast-check-lane 2026-07-02 07:21:29 -04:00
Sign in to join this conversation.