diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c5b46b981..40f2dc678 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,8 @@ env: jobs: # Fast deterministic merge gate: static checks, unit tests, and build. - # Intended as a required status check on main together with ui-smoke. + # Intended as a required status check on main together with ui-smoke, + # Gitleaks, and one migration replay gate. verify: runs-on: ubuntu-latest timeout-minutes: 25 @@ -137,9 +138,10 @@ jobs: playwright-report/ if-no-files-found: ignore - # Database migration replay in parallel with verify and ui-smoke, so we verify - # that our schema and migration chain can rebuild cleanly from scratch on - # every PR. + # Database migration replay in parallel with verify and ui-smoke. This is the + # repo-owned replay gate; if the external Supabase Preview check is already + # required and reliable, keep this advisory or path-filtered rather than + # requiring both replay gates on every PR. db-reset-verify: runs-on: ubuntu-latest timeout-minutes: 15 diff --git a/README.md b/README.md index a1da1c115..924157799 100644 --- a/README.md +++ b/README.md @@ -183,8 +183,13 @@ npm run verify:release # check:runtime + lint + typecheck + test + build + test: ``` CI runs `format:check` in the `verify` job alongside lint, typecheck, -test:coverage, build, and edge-function typecheck. PRs also run the Chromium -`ui-smoke` job in parallel. +test:coverage, build, dependency audit, production-readiness CI mode, and +edge-function typecheck. PRs also run Chromium `ui-smoke` and the repo-owned +Supabase `db-reset-verify` job in parallel. The external `Supabase Preview` +check, when enabled, is the branch-database migration replay gate. Docker image +builds, full browser matrix, live drift, and live eval canary checks are +path-filtered, scheduled, or manual rather than normal required checks for every +source-only PR. ```bash npm run dev # Next.js UI/API on this project's stable localhost port diff --git a/docs/process-hardening.md b/docs/process-hardening.md index 67c8b5f9d..1043f28e3 100644 --- a/docs/process-hardening.md +++ b/docs/process-hardening.md @@ -7,7 +7,7 @@ This document turns the current process review into phased, durable repo practic - `npm run verify:cheap` is the default broad local gate for source/config/test changes: `check:runtime`, `sitemap:check`, lint, typecheck, and unit tests. - `npm run verify:ui` is the default UI gate: `check:runtime` plus Chromium Playwright smoke, stress, and accessibility media checks (`test:e2e:chromium`). - `npm run verify:release` is the release-confidence gate: `check:runtime`, lint, typecheck, unit tests, build, full Playwright browser matrix, `check:production-readiness`, `governance:release`, and `eval:quality:release` (the last step needs live Supabase and OpenAI keys). -- CI runs two parallel PR jobs: `verify` (runtime alignment, edge-function typecheck, CI-safe production readiness, `format:check`, lint, typecheck, unit tests with coverage, build) and `ui-smoke` (Chromium Playwright against its own dev server). A gated `release-browser-matrix` job runs the full Playwright browser set on `main`, `release/*`, manual dispatch, and the weekly schedule. +- CI runs three parallel PR jobs in the `CI` workflow: `verify` (runtime alignment, dependency vulnerability audit, edge-function typecheck, CI-safe production readiness, `format:check`, lint, typecheck, unit tests with coverage, build), `ui-smoke` (Chromium Playwright against its own dev server), and `db-reset-verify` (Supabase local start plus `supabase db reset` migration replay). The external `Supabase Preview` check also replays the migration chain on branch databases when enabled. A gated `release-browser-matrix` job runs the full Playwright browser set on `main`, `release/*`, manual dispatch, and the weekly schedule. - `tests/ui-accessibility.spec.ts` covers reduced-motion and forced-colors dashboard usability so those modes are no longer only reviewed by inspection. - `tests/ui-tools.spec.ts` covers the Applications dashboard mode at mobile and desktop sizes, including the `/applications` compatibility redirect. - `AGENTS.md` now points future agents to these gates and to this document. @@ -130,10 +130,10 @@ passes `p_worker_id`. Ordered apply steps, R17 manual `CONCURRENTLY` index, and ## PR merge gate: tiered CI + required checks (2026-07-02) -- CI is now two parallel PR jobs instead of one serial 6-7 minute job: `verify` (runtime alignment, edge typecheck, CI-safe production readiness, lint, typecheck, unit tests with coverage gate, build — ~3 min) and `ui-smoke` (Chromium Playwright smoke against its own dev server — ~4.5 min). Wall-clock PR feedback drops to the slower of the two, and a flaky smoke rerun no longer repeats lint/typecheck/tests/build. -- The deployment boot smoke and full browser matrix remain gated to `main`, `release/*`, manual dispatch, and the weekly schedule — they are deliberately not PR gates. -- **Required-check debt: RESOLVED 2026-07-02.** Branch protection is now applied on `main` requiring `verify`, `ui-smoke`, and `Gitleaks`, with "require branches up to date" left OFF (strict up-to-dateness would force constant rebases across the many concurrent agent branches), `enforce_admins` OFF (admin bypass retained as an emergency hatch), and no required PR-review count (a solo+agents flow has no second human approver). This closes the gap that let #131/#133 merge red. Consequence now in effect: **direct pushes to `main` are blocked for non-bypass users; normal work must land via PR.** Repository admins can still use the retained bypass only as an emergency hatch. To adjust, edit the rule under repo Settings → Branches or via `gh api -X PUT repos/BigSimmo/Database/branches/main/protection`. -- If `ui-smoke` proves flaky as a required check, demote it to advisory (remove from required contexts) rather than tolerating red merges — the deterministic `verify` gate stays required regardless. +- CI is now three parallel PR jobs instead of one serial 6-7 minute job: `verify` (runtime alignment, production dependency audit, edge typecheck, CI-safe production readiness, format, lint, typecheck, unit tests with coverage gate, build), `ui-smoke` (Chromium Playwright smoke against its own dev server), and `db-reset-verify` (local Supabase migration replay). Wall-clock PR feedback drops to the slowest independent gate, and a flaky smoke rerun no longer repeats lint/typecheck/tests/build. +- The deployment boot smoke, full browser matrix, live drift check, live eval canary, and Docker image builds remain gated, scheduled, manual, or path-filtered — they are deliberately not normal required checks for every source-only PR. +- **Required-check debt: RESOLVED 2026-07-02; updated 2026-07-09.** Branch protection for `main` should require the exact active check contexts for `CI / verify`, `CI / ui-smoke`, `Secret Scan / Gitleaks`, and one migration replay gate. Prefer the external `Supabase Preview` check when it is enabled and reliable; otherwise require `CI / db-reset-verify`. Requiring both replay gates is conservative but usually redundant. Keep `SAST / Semgrep` required only if the repository owner accepts its external-rule/network dependency as part of the normal merge gate. Do not require path-filtered or scheduled/manual contexts such as `Docker image build / app-image`, `Docker image build / worker-image`, `CI / release-browser-matrix`, `Eval Canary`, or `Live drift check`; they can be absent on ordinary PRs and would leave branches stuck at "Expected - Waiting for status to be reported." Keep "require branches up to date" OFF unless the branch flow changes, keep `enforce_admins` OFF only as an emergency bypass decision, and avoid requiring duplicate legacy contexts named only `verify` or `ui-smoke` when GitHub already reports the active `CI / ...` contexts. +- If `ui-smoke` proves flaky as a required check, demote it to advisory (remove from required contexts) rather than tolerating red merges — the deterministic `verify` gate stays required regardless. If `db-reset-verify` becomes the bottleneck, path-filter it to Supabase migrations/schema/config and database-access code before demoting it entirely. ## CSS cascade layering (2026-07-02)