ci(main): align Vitest gates with PR workflow

[cv]

Summary

Bring main-branch CI closer to the PR Vitest gate by reusing shared local CI actions for static checks, build/typecheck, sharded CLI coverage, merged CLI coverage, and plugin coverage. The main workflow now runs the same parallel Vitest shape as PRs before handing off to sandbox image and E2E checks.

Related Issue

Refs #4892 and follows #4977.

Changes

• Add shared CI composite actions for static checks, build/typecheck, CLI coverage shards, CLI coverage merge/ratchet, and plugin coverage.
• Update the PR workflow to call the shared actions while preserving the existing PR job names and aggregate checks behavior.
• Expand main.yaml from the legacy monolithic checks job into the same static/build/CLI-shard/CLI-merge/plugin/Ollama proxy gate shape used by PRs.
• Update the workflow contract test to assert PR/main reuse and the shared action coverage, ratchet, artifact, and fail-closed blob behavior.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

[coderabbitai]

Warning

Review limit reached

@cv, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 5 minutes and 26 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d2ff82b8-8775-45fa-87a6-bbcd5d346550

📥 Commits

Reviewing files that changed from the base of the PR and between 16470fa and 08b9563.

📒 Files selected for processing (8)

• .github/actions/ci-build-typecheck/action.yaml
• .github/actions/ci-cli-coverage-merge/action.yaml
• .github/actions/ci-cli-coverage-shard/action.yaml
• .github/actions/ci-plugin-coverage/action.yaml
• .github/actions/ci-static-checks/action.yaml
• .github/workflows/main.yaml
• .github/workflows/pr.yaml
• test/pr-workflow-contract.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/main-ci-vitest-parity

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No additional E2E is recommended. The changes are CI workflow/composite-action refactoring plus workflow contract test updates, with no runtime/user-flow code touched. Existing CI and the updated workflow contract tests should validate the refactor; running sandbox or scenario E2E would not add meaningful signal for this PR.

Optional E2E

• None.

New E2E recommendations

• None.

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. No scenario E2E jobs are recommended because this PR changes general CI composite actions, main/PR CI workflows, and their workflow contract test only. It does not change test/e2e-scenario runtime, scenario metadata, expected-state contracts, suite definitions/scripts, onboarding helpers, or the e2e-scenarios workflows.

Optional scenario E2E

• None.

Relevant changed files

• None.

[github-actions]

PR Review Advisor

Findings: 1 needs attention, 4 worth checking, 0 nice ideas
Top item: PR-required gates moved into PR-modifiable local actions

Review findings

🛠️ Needs attention

• PR-required gates moved into PR-modifiable local actions (.github/workflows/pr.yaml:84): The pull_request workflow now delegates required static/build/coverage gates to repository-local composite actions after checkout. In pull_request runs, those local action definitions are resolved from the checked-out PR/merge workspace, so a future PR can modify .github/actions/ci-* to skip checks or run different commands while the base workflow still invokes the same job names. This weakens the trusted-code boundary compared with the previous inline gate commands in the workflow.
  • Recommendation: Keep PR-required gate commands inline in .github/workflows/pr.yaml, execute the composite actions from a trusted base-ref checkout, or add a trusted fail-closed guard that blocks changes to those local actions while independently running equivalent enforcement.
  • Evidence: The PR changes PR jobs such as static-checks to `uses: ./.github/actions/ci-static-checks`; the diff shows the previous inline commands were removed from .github/workflows/pr.yaml and moved into .github/actions/ci-*/action.yaml.

🔎 Worth checking

• Source-of-truth review needed: PR CI gate implementation source of truth: The advisor marked localized patch analysis as needs_followup.
  • Recommendation: Identify the invalid state, source boundary, source-fix constraint, regression test, and removal condition before merging the localized behavior.
  • Evidence: .github/workflows/pr.yaml now calls `uses: ./.github/actions/ci-*` for required gates after checkout.
• Composite action inputs are interpolated into shell commands without validation (.github/actions/ci-cli-coverage-shard/action.yaml:41): The CLI coverage shard and merge actions interpolate `inputs.shard` and `inputs.shard-count` directly into bash command arguments and file paths. Current callers provide controlled matrix/default numeric values, but if these actions are reused with untrusted `with:` values, malformed inputs could affect shell command behavior or paths.
  • Recommendation: Validate shard inputs as positive integers at the start of each composite action, pass them through environment variables, and quote all uses. Add a contract test that non-numeric shard inputs are rejected before running vitest or find.
  • Evidence: `--shard=${{ inputs.shard }}/${{ inputs.shard-count }}` and `.vitest-reports/blob-${{ inputs.shard }}-${{ inputs.shard-count }}.json` are constructed directly from composite action inputs.
• Hadolint installer verifies with a checksum fetched from the same origin (.github/actions/ci-static-checks/action.yaml:18): The hadolint installer downloads the binary and the .sha256 file from the same GitHub release origin. This is fixed-version and pre-existing from the renamed action, but the checksum is not independently pinned in the repository, so a compromised release origin could provide a matching malicious binary and checksum.
  • Recommendation: Prefer pinning the expected SHA-256 value in the workflow/action or using a trusted package/action with pinned digest. If keeping the current pattern, document the accepted trust model.
  • Evidence: `curl -fsSL -o /usr/local/bin/hadolint "$HADOLINT_URL"` is followed by `EXPECTED=$(curl -fsSL "${HADOLINT_URL}.sha256" | awk '{print $1}')`.
• Workflow contract tests do not cover the trusted-code boundary (test/pr-workflow-contract.test.ts:80): The updated contract tests assert that PR and main workflows reuse the new local actions and that the actions contain expected commands. They do not assert that PR-required enforcement remains outside PR-modifiable files, so the tests can pass while the required gate implementation is mutable by the PR under test.
  • Recommendation: Add a policy/contract test or trusted workflow guard that fails when pull_request-required gates depend on local composite actions from the PR checkout, or that blocks PR changes to those action definitions unless equivalent inline trusted checks remain.
  • Evidence: The test explicitly expects PR jobs to contain `./.github/actions/ci-*` action paths, but no negative assertion prevents PR-required gates from depending on PR-modifiable local action YAML.

🌱 Nice ideas

• None.

Consider writing more tests for

• **Runtime validation** — PR code-path gates fail or stay trusted when `.github/actions/ci-*` is modified by a pull request. The deterministic YAML contract tests are broadly appropriate for this CI refactor, but security-sensitive workflow enforcement needs negative coverage for trusted-code boundaries and the reusable composite actions should validate shell-interpolated inputs.
• **Runtime validation** — CLI coverage composite actions reject non-numeric shard and shard-count inputs before shell interpolation. The deterministic YAML contract tests are broadly appropriate for this CI refactor, but security-sensitive workflow enforcement needs negative coverage for trusted-code boundaries and the reusable composite actions should validate shell-interpolated inputs.
• **Runtime validation** — PR aggregate checks still fail when a required shared action job is skipped or cancelled. The deterministic YAML contract tests are broadly appropriate for this CI refactor, but security-sensitive workflow enforcement needs negative coverage for trusted-code boundaries and the reusable composite actions should validate shell-interpolated inputs.
• **Workflow contract tests do not cover the trusted-code boundary** — Add a policy/contract test or trusted workflow guard that fails when pull_request-required gates depend on local composite actions from the PR checkout, or that blocks PR changes to those action definitions unless equivalent inline trusted checks remain.
• **Acceptance clause:** Refs ci: safely split slow CLI coverage suites #4892 and follows ci(pr): shard CLI coverage gate #4977. — add test evidence or identify existing coverage. The deterministic context did not include linked issue bodies or comments, so no literal issue clauses from ci: safely split slow CLI coverage suites #4892 or ci(pr): shard CLI coverage gate #4977 were available to verify.
• **Acceptance clause:** Update the PR workflow to call the shared actions while preserving the existing PR job names and aggregate `checks` behavior. — add test evidence or identify existing coverage. The PR workflow keeps the existing job names and aggregate checks job, and the contract test asserts those relationships. However, moving PR gate logic into local composite actions does not preserve the prior trusted-code boundary for PR enforcement.
• **PR CI gate implementation source of truth** — No regression test proves that PR-required gates remain non-bypassable when .github/actions/ci-* is modified by a PR.. .github/workflows/pr.yaml now calls `uses: ./.github/actions/ci-*` for required gates after checkout.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.