ci: add make gate (local==CI gate) + stale-green PR guard

The local gate must run EXACTLY what CI runs. This session: fix agents
verified work with a partial local gate, and stale-but-green PRs nearly
shipped a broken base.

- Makefile: new `gate` target = `go build ./... && go vet ./... &&
  go test ./... -short -count=1` — the exact sequence deploy.yml's test
  step runs (build+vet are a fast-fail superset). One command whose
  green result == a green CI test step.
- ci.yml: trigger fixed `main` -> `master` (this repo's default branch;
  the PR/push triggers never fired before). New `up-to-date-with-base`
  job fails a PR whose branch does not contain `origin/<base>` as an
  ancestor (git merge-base --is-ancestor), so a stale-green PR goes red
  and must update-branch before merge.

Verified: `make gate` runs clean locally (build + vet + all tests pass).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

.github/workflows/ci.yml

@@ -2,11 +2,33 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [master]
   pull_request:
-    branches: [main]
+    branches: [master]
 
 jobs:
+  # Stale-green guard. A PR can show a green CI run that was executed BEFORE a
+  # breaking commit landed on the base branch — merging it would ship a broken
+  # master. This job FAILS if the PR branch does not contain origin/<base> as
+  # an ancestor, forcing an "Update branch" before the PR can merge.
+  up-to-date-with-base:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Fail if PR branch is behind its base branch
+        run: |
+          BASE="${{ github.event.pull_request.base.ref }}"
+          git fetch origin "${BASE}" --depth=1
+          if git merge-base --is-ancestor "origin/${BASE}" HEAD; then
+            echo "PR branch contains origin/${BASE} — up to date."
+          else
+            echo "::error::PR branch is behind origin/${BASE}. Update the branch (merge/rebase ${BASE}) and re-run CI so it validates against current base."
+            exit 1
+          fi
+
   build-and-test:
     runs-on: ubuntu-latest
     steps:

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build test docker-build run smoke-buildinfo
+.PHONY: build test gate docker-build run smoke-buildinfo
 
 # Build-time metadata injected into instant.dev/common/buildinfo via -ldflags.
 # Override on the make line if needed. GIT_SHA falls back to "dev" when not
@@ -13,6 +13,16 @@ build:
 test:
 	go test ./... -race -count=1
 
+# PR/deploy gate: runs EXACTLY what .github/workflows/deploy.yml runs as its
+# test gate (`go test ./... -short -count=1`, see the deploy.yml "Run unit
+# tests" step), preceded by build + vet as a fast-fail. A green `make gate`
+# locally == a green CI test step — the local gate cannot pass while CI fails.
+gate:
+	go build ./...
+	go vet ./...
+	go test ./... -short -count=1
+	@echo "gate: green — matches deploy.yml test step"
+
 docker-build:
 	docker build -f Dockerfile -t instant-worker:local \
 	  --build-arg GIT_SHA=$(GIT_SHA) \