YAML workflows for CI, documentation audit, workflow lint, dependency review, CodeQL, and scheduled supply-chain checks. Parent hub (Dependabot + full index): ../README.md. Agent guide: AGENTS.md.
| File | Triggers | Jobs / behavior |
|---|---|---|
| ci.yml | push / pull_request → main; ignores **/*.md, doc/**; workflow_dispatch |
test: matrix 3.11–3.13; Python 3.12 also runs Ruff format/check over src scripts, terminology audits, docs audit, GNN doc patterns, mypy, collect-only, focused PyMDP/POMDP tests, and MCP ≥ 130 (see src/tests/mcp_audit_report.json). All matrix entries run JUnit + artifact + summary. security: Bandit SARIF → code scanning + artifact. |
| docs-audit.yml | push / pull_request when *.md, doc/**, root AGENTS.md/CLAUDE.md/README.md/SKILL.md, or doc/development/docs_audit.py change; workflow_dispatch |
Strict docs audit with anchors plus repository/doc terminology and GNN doc-pattern audits. |
| actionlint.yml | Changes under .github/workflows/**; workflow_dispatch |
rhysd/actionlint@v1.7.11 |
| dependency-review.yml | pull_request → main; workflow_dispatch |
High severity + AGPL deny; PR comment summary on failure. Fork PRs may get limited review. |
| codeql.yml | push / pull_request (skips doc-only paths), weekly cron, workflow_dispatch |
Init → uv sync --frozen --extra dev → analyze (Python). |
| supply-chain-audit.yml | Weekly cron Monday 06:00 UTC, workflow_dispatch |
Two pip-audit jobs (OSV); strict shell; job summary. |
actionlint .github/workflows/*.ymlRun from repo root (paths relative to root).