docs(audit): correct A4 — primary merge now category-gated, dreamer k… #407
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [master, main] | |
| pull_request: | |
| env: | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | |
| # Pipeline shape on every push to master and on every PR: | |
| # | |
| # check-plugin, check-pi-plugin (unit tests + lint + typecheck, parallel) | |
| # ↓ | |
| # e2e-opencode, e2e-pi (Docker install + smoke, parallel — gated by unit) | |
| # ↓ | |
| # e2e-host-opencode, e2e-host-pi (host behavior suite from packages/e2e-tests, parallel — gated by Docker) | |
| # | |
| # Two e2e layers cover different concerns: | |
| # - Docker e2e: fresh-install smoke (plugin loads, doctor clean, one mock turn writes DB rows | |
| # under cortexkit path with right harness). Catches packaging / install-flow regressions. | |
| # - Host e2e: behavior suite with byte-level wire assertions, multi-turn cache stability, | |
| # historian publish behavior, tag-owner collision, synthetic todowrite, cross-harness memory, | |
| # etc. Spawns real `opencode serve` / Pi subprocesses against an embedded mock provider. | |
| # Catches cache-stability + correctness regressions that the smoke layer cannot see. | |
| # | |
| # Docker e2e was previously in a separate workflow (e2e-docker.yml). Folding it here means | |
| # every PR and master push exercises the full unit → Docker → host gauntlet. | |
| jobs: | |
| check-plugin: | |
| name: Check (plugin) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install dependencies | |
| run: bun install | |
| - name: TypeScript typecheck | |
| run: bun run typecheck | |
| - name: Lint | |
| run: bun run lint | |
| - name: Build | |
| run: bun run build | |
| - name: Test | |
| run: bun run test | |
| check-pi-plugin: | |
| name: Check (pi-plugin) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install dependencies | |
| run: bun install | |
| - name: TypeScript typecheck | |
| run: bun run --cwd packages/pi-plugin typecheck | |
| - name: Lint | |
| run: bun run --cwd packages/pi-plugin lint | |
| - name: Build | |
| run: bun run --cwd packages/pi-plugin build | |
| - name: Test | |
| run: bun run --cwd packages/pi-plugin test | |
| check-dashboard: | |
| name: Check (dashboard) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install dependencies | |
| run: bun install | |
| # Frontend-only checks (no Rust/Tauri needed). The key gate is the test | |
| # step, which runs config-parity.test.ts — it fails the build if the | |
| # plugin config schema gains/renames/removes a field the dashboard's | |
| # ConfigEditor coverage manifest doesn't account for, so the form can't | |
| # silently drift out of sync with the schema again. | |
| - name: TypeScript typecheck | |
| run: bun run --cwd packages/dashboard typecheck | |
| - name: Lint | |
| run: bun run --cwd packages/dashboard lint | |
| - name: Test | |
| run: bun run --cwd packages/dashboard test | |
| - name: Build (frontend) | |
| run: bun run --cwd packages/dashboard build | |
| e2e-opencode: | |
| name: E2E (OpenCode, Docker) | |
| runs-on: ubuntu-latest | |
| needs: [check-plugin] | |
| timeout-minutes: 25 | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install workspace deps | |
| run: bun install --frozen-lockfile | |
| - name: Build OpenCode plugin | |
| run: bun run --cwd packages/plugin build | |
| - name: Build CLI | |
| # The CLI is its own package (@cortexkit/magic-context) since | |
| # v0.16.1; Dockerfile.opencode COPYs packages/cli/dist/ in. | |
| run: bun run --cwd packages/cli build | |
| - name: Build E2E image | |
| run: | | |
| docker build \ | |
| --platform linux/amd64 \ | |
| -f tests/docker/Dockerfile.opencode \ | |
| -t mc-e2e-opencode \ | |
| . | |
| - name: Run E2E | |
| run: docker run --rm --platform linux/amd64 mc-e2e-opencode | |
| e2e-pi: | |
| name: E2E (Pi, Docker) | |
| runs-on: ubuntu-latest | |
| needs: [check-pi-plugin] | |
| timeout-minutes: 25 | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install workspace deps | |
| run: bun install --frozen-lockfile | |
| - name: Build Pi plugin | |
| run: bun run --cwd packages/pi-plugin build | |
| - name: Build CLI | |
| # The CLI moved to its own package (@cortexkit/magic-context) in | |
| # v0.16.1. Dockerfile.pi COPYs packages/cli/dist/ in for the | |
| # `magic-context doctor --harness pi` test invocation. | |
| run: bun run --cwd packages/cli build | |
| - name: Build E2E image | |
| # The Pi Dockerfile installs runtime deps fresh inside the image | |
| # (better-sqlite3 builds against linux/amd64), so no host-side | |
| # `npm install` is needed. | |
| run: | | |
| docker build \ | |
| --platform linux/amd64 \ | |
| -f tests/docker/Dockerfile.pi \ | |
| -t mc-e2e-pi \ | |
| . | |
| - name: Run E2E | |
| run: docker run --rm --platform linux/amd64 mc-e2e-pi | |
| e2e-host-opencode: | |
| name: E2E (OpenCode, host behavior) | |
| runs-on: ubuntu-latest | |
| # Gated on Docker e2e: no point exercising the deep behavior suite if | |
| # the simpler install+smoke path is broken. | |
| needs: [e2e-opencode] | |
| timeout-minutes: 40 | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install workspace deps | |
| run: bun install --frozen-lockfile | |
| # Install opencode the same way the Docker image does — the host | |
| # suite spawns `opencode serve` from PATH. | |
| - name: Install opencode | |
| # Float to LATEST (no --version) so CI exercises the opencode version | |
| # users actually run and catches upstream breakage as it ships — not at | |
| # our release time. (A fixed pin previously hid opencode 1.16's | |
| # post-overflow change, commit 7e09660c3, until release; the | |
| # overflow-recovery host test is now version-agnostic.) Trade-off: a | |
| # known-bad upstream release can turn CI red for unrelated PRs — if that | |
| # happens, temporarily re-pin with `--version X.Y.Z` here until it's | |
| # resolved upstream. | |
| run: | | |
| curl -fsSL https://opencode.ai/install | bash | |
| echo "$HOME/.opencode/bin" >> "$GITHUB_PATH" | |
| - name: Verify opencode on PATH | |
| run: opencode --version | |
| - name: Build OpenCode plugin | |
| # Host tests spawn `opencode serve` with a file:// plugin | |
| # specifier pointing at packages/plugin/, so dist must exist. | |
| run: bun run --cwd packages/plugin build | |
| # Strip inherited NODE_ENV=test so the spawned opencode subprocess | |
| # gets the same logging + runtime behavior as a normal local run | |
| # (documented in CONTRIBUTING / project memory). | |
| # | |
| # Per-test (and per-hook) timeout bumped to 300s: the first test file | |
| # Bun loads on a cold GitHub-hosted runner pays the dependency-resolution | |
| # + opencode-binary cold-start cost in its `beforeAll(TestHarness.create)`, | |
| # which can exceed Bun's 120s default. Subsequent files run in 5-10s. | |
| - name: Run host e2e suite (OpenCode tests only) | |
| env: | |
| NODE_ENV: "" | |
| run: | | |
| # Match every test file except pi-*.test.ts. The shell glob is | |
| # not great at "all .test.ts except pi-*", so list them explicitly. | |
| cd packages/e2e-tests | |
| # OpenCode host behavior tests, plus the cache-bust oracle unit test | |
| # (src/cache-analysis.test.ts) — the oracle backs the cache-invariant | |
| # suite, so a regression in it would silently neuter those guards. | |
| files=$(ls tests/*.test.ts | grep -v "/pi-" | tr '\n' ' ') | |
| files="$files src/cache-analysis.test.ts" | |
| echo "Running OpenCode host tests: $files" | |
| bun test --timeout 600000 $files | |
| e2e-host-pi: | |
| name: E2E (Pi, host behavior) | |
| runs-on: ubuntu-latest | |
| needs: [e2e-pi] | |
| timeout-minutes: 40 | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| # Pi tests resolve the Pi binary via createRequire against | |
| # @earendil-works/pi-coding-agent, which is a workspace dep of | |
| # packages/pi-plugin. `bun install` brings it in. | |
| - name: Install workspace deps | |
| run: bun install --frozen-lockfile | |
| # pi-cross-harness.test.ts spawns BOTH a Pi runner and an OpenCode | |
| # serve to verify cross-harness memory sharing, so this job needs | |
| # opencode on PATH too. Float to LATEST like the OpenCode host job | |
| # (see that step for the rationale + re-pin escape hatch). | |
| - name: Install opencode | |
| run: | | |
| curl -fsSL https://opencode.ai/install | bash | |
| echo "$HOME/.opencode/bin" >> "$GITHUB_PATH" | |
| - name: Verify opencode on PATH | |
| run: opencode --version | |
| - name: Build Pi plugin | |
| run: bun run --cwd packages/pi-plugin build | |
| # pi-cross-harness also instantiates the OpenCode harness, which | |
| # spawns `opencode serve` with a file:// plugin specifier pointing | |
| # at packages/plugin/. That dist must exist. | |
| - name: Build OpenCode plugin | |
| run: bun run --cwd packages/plugin build | |
| # Per-test timeout bumped to 300s for the same cold-start reason as | |
| # the OpenCode host job. Pi historian publish path also crosses an | |
| # HTTP boundary into the mock provider, which is slower on shared | |
| # runners than on local hardware. | |
| - name: Run host e2e suite (Pi tests only) | |
| env: | |
| NODE_ENV: "" | |
| run: | | |
| cd packages/e2e-tests | |
| bun test --timeout 600000 tests/pi-*.test.ts |