Skip to content

ci: path-safe required CI gate (always-run aggregate check)#37

Merged
thebenignhacker merged 1 commit into
mainfrom
ci/path-safe-required-gate
Jun 22, 2026
Merged

ci: path-safe required CI gate (always-run aggregate check)#37
thebenignhacker merged 1 commit into
mainfrom
ci/path-safe-required-gate

Conversation

@thebenignhacker

Copy link
Copy Markdown
Contributor

Why

Branch protection should be able to require CI before merge, but the CI workflow was path-filtered (packages/**, integrations/**, ...). A path-filtered workflow never reports a status on PRs that don't match, so requiring Build & Test would wedge those PRs forever on "Expected — waiting for status".

What

CI now runs on every PR to main and aggregates into a single always-run CI Gate check that is safe to require:

  • No workflow-level paths: filter — the workflow always runs, so CI Gate always reports.
  • A changes job (dorny/paths-filter) detects relevant paths; Build & Test and Pack smoke run only when code changed, and are skipped otherwise.
  • CI Gate (needs: [changes, build-and-test, pack-smoke], if: always()) is the required check:
    • passes when the jobs succeed or are skipped (docs-only PR),
    • fails when a job that ran failed/cancelled,
    • fails closed if change-detection itself didn't succeed (so a code change can't slip through untested).
  • Added pull-requests: read so paths-filter can list PR files via the API.

Effect

After merge, CI Gate can be set as a required status check, making the test suite merge-blocking for code PRs without wedging docs-only / config PRs. No source/runtime change.

#36)

/v1/infer now emits a `classification` field ("classified" | "abstain")
alongside attackClass, so a consumer can distinguish a confident benign
from "the model could not produce a usable verdict". Until now both
carried attackClass:"" and were indistinguishable, so FGA Step 5 failed
silently open.

- Abstain when inference throws or the predicted-class confidence is below
  ABSTAIN_CONFIDENCE_FLOOR (0.5, a conservative heuristic pending
  selective-risk calibration). On abstain, attackClass is forced to "" so a
  low-confidence guess is never actionable; the raw guess is kept in evidence.
- The HTTP 500 error body also carries classification:"abstain".
- Additive and backward/forward compatible: older consumers ignore the
  field; an older daemon lets the consumer fall back to its legacy
  attackClass==""?abstain:classified heuristic. No lockstep deploy required.
- 20/20 daemon tests pass (+2). Bump @nanomind/daemon 0.3.0 -> 0.4.0.
@thebenignhacker thebenignhacker enabled auto-merge (squash) June 22, 2026 23:07

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

VERDICT: APPROVE

SUMMARY: This PR introduces a CI workflow restructure using path-filtered change detection with an always-run aggregate gate check, making the CI status safe to require in branch protection without wedging docs/config-only PRs. The change is purely CI infrastructure — no source code, runtime behavior, or security surface is modified. The workflow logic correctly implements fail-closed semantics (the changes job must succeed for the gate to pass), and the shell script in ci-gate uses proper quoting and safe variable expansion patterns.


Reviewed 8 files changed (32350 bytes)

@thebenignhacker thebenignhacker merged commit c7f284d into main Jun 22, 2026
4 checks passed
@thebenignhacker thebenignhacker deleted the ci/path-safe-required-gate branch June 22, 2026 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant