Skip to content

CI gates

CI gates are the blocking checks applied to every PR and every push to main. Any PR must pass them to be merged.

Workflows: .github/workflows/ci.yml, .github/workflows/release.yml, .github/workflows/scorecard.yml.


GateSourceBlocking
Public files guardgit ls-files filteryes
Public docs guardscripts/check-public-docs.mjsyes
Docs link checkscripts/check-doc-links.mjsyes
DCO sign-offtim-actions/dcoyes
Secret scangitleaksyes
ShellCheckshellcheck on scripts/*.shyes
Linteslint --max-warnings=0yes
Architecture boundariesscripts/check-architecture-boundaries.mjsyes
Guardian runtime hardcodescripts/check-guardian-runtime-hardcode.mjsyes
Line-countscripts/check-line-counts.mjsyes
Typechecktsc --noEmityes
Unit testsvitest runyes
UI testsUI Vitest/jsdomyes
Buildnpm run buildyes
License checkscripts/check-licenses.mjsyes
SBOMcyclonedx-npmyes
OSSF Scorecardscorecard-action (weekly)non-blocking, posture metric

Refuses internal files in the Git index:

  • .input (private workshop, gitignored)
  • .claude (Claude Code config, gitignored except exceptions)
  • AGENTS.md, CLAUDE.md (internal guides — excluded from the public repo by scripts/init-public-repo.sh)
  • .agents, .codex, .gitnexus (local state)

If one of these files appears in git ls-files, the job fails.


scripts/check-public-docs.mjs analyzes all .md under docs/ (+ root README*, ROADMAP, SECURITY, CONTRIBUTING):

  • Forbidden file names: AGENT-* patterns (except AGENT-INSTALL), AUDITOR-*, DISPATCH-*.
  • Forbidden content: references to internal dispatch briefs, retired WIP folders, and other internal orchestration artifacts.

To pass: remove/rename offending files, or remove the textual mention.


scripts/check-doc-links.mjs validates markdown links:

  • Each inline markdown link must point to an existing file.
  • Each anchored link must point to an existing section in the target file.
  • External URLs (http://, https://, mailto:) are ignored.

To pass: fix or remove broken links. Mentions of upcoming files should be in code simple, not active links.


Each commit must have a Signed-off-by: Name <email> line (equivalent to git commit -s). The DCO attests you have the right to submit the contribution under the project’s license.

To pass:

  • Always use git commit -s (create an alias if needed).
  • If commit forgotten: git commit --amend -s for the last, or git rebase -i HEAD~N --signoff for several.

gitleaks/gitleaks-action scans PR commits to detect API keys, tokens, passwords. Repository-level false positives are kept narrow in .gitleaks.toml; do not whitelist real secrets.


scripts/check-architecture-boundaries.mjs validates that imports respect the boundaries defined in ADR 0001. Any violation (core/ importing adapters/, etc.) blocks the CI.


scripts/check-guardian-runtime-hardcode.mjs reads the first-party guardian pack JSON files and verifies that their long texts are not copied into runtime source code. Rules, mini rules, prompts and policies stay in packs, are materialized in Cortex Lite, then compiled by guardian-runtime-compiler.


scripts/check-line-counts.mjs refuses monolithic files above 800 lines unless they are explicitly allowlisted with a reason. Generated artifacts such as dist/, coverage/ and sbom/ are excluded.


scripts/check-licenses.mjs checks that all dependencies use licenses compatible with the Arka Deck Open Source License baseline. Unauthorized copyleft (GPL, AGPL) are refused.


cyclonedx-npm generates a Software Bill of Materials for the root, the UI and cortex-lite. npm run sbom:check validates temporary SBOMs in CI; npm run sbom:release writes the release SBOMs under sbom/, and the release tarball guard requires all three .cdx.json files.


Weekly measurement (Monday) of supply-chain posture (signing, dependencies, hygiene). Non-blocking — score displayed publicly on the GitHub Security tab.