ci: run the test suites (pytest + frontend) on every PR (#452) (#506)

* ci: run the lint + test gate on every PR (#452)

CodeQL was the only server-side check, so test regressions merged onto
`main` green — e.g. #401 broke tests/test_logentry.py, caught only on a
later local run (#451). With many agents merging in parallel under
CodeQL-only gating this keeps happening.

Add `.github/workflows/ci.yml`: a backend job that runs scripts/lint.sh
itself (LINT_PY_ONLY=1 — so local ≡ CI, including the pre-commit security
hooks + pytest) and a frontend job (pnpm -r typecheck / pnpm lint /
pnpm test / pnpm -r build). Actions SHA-pinned; least-privilege
`contents: read`; no secrets, no id-token.

This reverses the documented "no CI in pre-alpha (per repo-owner
direction)" posture (the revisit named in OQ-A-001 / ACCEPTANCE Q-4).
Reconcile every reference in the same change: SECURITY.md §8, the
codeql.yml / lint.sh / pre-commit / workflows-README comments, the PM /
security / architect decision logs, REVIEW_CHECKLIST, ACCEPTANCE Q-4, and
a new ADR in docs/agents/decisions.md; OQ-A-001 is resolved + removed.

Tier 5 (.github/workflows + SECURITY.md) — human review required; do not
auto-merge. Marking the checks *required* in branch protection is a
separate owner action (#452 / #331).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: refresh poetry.lock content-hash + pin Poetry so install works

The first CI run surfaced a pre-existing problem on `main`: a fresh
`poetry install` fails with "pyproject.toml changed significantly since
poetry.lock was last generated" — pyproject was edited after the lock was
last written, so its content-hash no longer matches. Local dev never hit
this (an existing venv + `poetry run`), but a clean checkout (CI, new
contributors) can't install.

Regenerating the lock changes ONLY the content-hash line — zero package
versions move — so this is a no-op for resolved dependencies. Pin CI to
Poetry 2.1.4 (the lock's generator) so the hash check is deterministic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: scope CI to the test suites (pytest + frontend); lint gate is a follow-up

Per owner direction (#452): ship the test gate now, fix the linters next.

The backend job runs `poetry run pytest` rather than `scripts/lint.sh`.
Reason: the local lint gate isn't satisfiable on a clean tree — it runs
two formatters (`ruff format` + `black`) whose output mutually conflicts,
plus a little flake8/pylint debt. The #401/#451 incident that motivated
#452 was a *test* regression, and the test suites pass green, so CI
enforces those today; wiring the (de-conflicted) Python lint gate into CI
is a tracked follow-up.

Drops the pre-commit install (only the lint gate needed it). Reconciles
SECURITY.md §8, the codeql/lint.sh/pre-commit/workflows-README comments,
and the decision logs (PM/security/architect, ACCEPTANCE Q-4) to "tests
in CI; lint gate local + CI follow-up".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Martin Castro Laminrs <mcastro@laminr.ai>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

.github/workflows/README.md

@@ -4,6 +4,13 @@ GitHub Actions workflows for django-admin-react.
 
 ## What lives here
 
+- **`ci.yml`** — the test gate on every PR and push to `main`: backend
+  `pytest` (with coverage) and the frontend `pnpm` gate (`-r typecheck`,
+  `lint`, `test`, `-r build`). A red suite blocks merge. Added in #452
+  (reversing the prior local-only posture). The Python *lint* gate
+  (`scripts/lint.sh`) is not in CI yet — it runs two formatters that
+  conflict, so it's de-conflicted first (follow-up off #452). Marking the
+  checks **required** is an owner branch-protection action (#452 / #331).
 - **`codeql.yml`** — CodeQL static analysis (Python + JS/TS) on push/PR and a
   weekly schedule. This is the project's security dataflow scanner.
 - **`release.yml`** — automated PyPI publishing. Triggered when a GitHub
@@ -16,10 +23,12 @@ GitHub Actions workflows for django-admin-react.
 
 ## What does not belong here
 
-- The local quality gate (`ruff`/`black`/`bandit`/`pytest`/`pnpm lint`) lives
-  in `scripts/lint.sh` and `.pre-commit-config.yaml`, not in CI — see
-  `SECURITY.md` §8 for the (deliberately) local-only posture and issue #331
-  for the forward CI-hardening plan.
+- The Python *lint* gate (`scripts/lint.sh` + `.pre-commit-config.yaml`).
+  CI runs `pytest` and the frontend `pnpm` gate; the Python lint gate
+  isn't wired into CI yet (it must be de-conflicted first — two formatters
+  disagree). See `SECURITY.md` §8 and #331 for the forward hardening plan
+  (SHA-pinning is already done; lint-in-CI / required-checks /
+  version-matrix remain).
 - Secrets. Workflows authenticate via OIDC (release) or the default
   `GITHUB_TOKEN` (CodeQL). No long-lived tokens are stored as secrets.
 

.github/workflows/ci.yml

@@ -0,0 +1,116 @@
+# CI test gate — run the test suites on every pull request and on push to
+# `main`, so a red suite can't merge.
+#
+# WHY: until now the lint/test pipeline was local-only — `scripts/lint.sh`
+# + the pre-commit hooks, run on a contributor's laptop before the Merger
+# pulled a PR (the deliberate "no CI in pre-alpha" posture). With many
+# agents merging in parallel and only CodeQL gating server-side, test
+# regressions slipped onto `main` green (e.g. #401 broke
+# `tests/test_logentry.py`, undetected until a later full local run —
+# #451). This enforces the suites server-side. Resolves the core of #452
+# (run the test suites in CI); the no-CI revisit is recorded in
+# `SECURITY.md` §8 / `docs/agents/decisions.md` / OQ-A-001.
+#
+# SCOPE: the backend job runs `pytest` (the regression that motivated
+# #452 was a broken test). The frontend job runs the full `pnpm` gate —
+# typecheck + lint + test + build — which is already self-consistent and
+# green. Enforcing the *Python lint* gate in CI is a deliberate near-term
+# follow-up: `scripts/lint.sh` currently runs two formatters (`ruff
+# format` + `black`) whose output conflicts, so it is not yet satisfiable
+# on a clean tree. That gets de-conflicted and the small existing lint
+# debt cleared first (follow-up off #452), then the lint step is added
+# here.
+#
+# SECURITY POSTURE:
+#   - Least-privilege: top-level `contents: read`; no job needs write.
+#   - All third-party actions are pinned to a full commit SHA (a tag can
+#     be moved, a SHA cannot) — consistent with codeql.yml / release.yml
+#     and the supply-chain hardening in #331.
+#   - This is a *gate*, not a publisher: it has no access to PyPI, no
+#     `id-token`, and no stored secrets.
+#
+# NOTE: making these checks *required* (branch protection) is a separate
+# owner action in repo Settings → Branches — see #452 / #331.
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+# A newer push to the same ref supersedes an in-flight run — don't burn
+# minutes finishing a run whose commit is already stale.
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  backend:
+    name: Backend (pytest)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Python
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          python-version: "3.12"
+
+      - name: Install Poetry
+        # Poetry is pinned to the version that generated poetry.lock (see
+        # its header). `poetry install` compares the lock's content-hash
+        # against the one it computes from pyproject; a different Poetry
+        # can compute it differently and reject an otherwise-valid lock.
+        # Bump this in lockstep whenever the lock is regenerated.
+        run: pipx install poetry==2.1.4
+
+      - name: Install dependencies (locked)
+        run: poetry install --no-interaction
+
+      # pytest with coverage (per pyproject `addopts`), including
+      # tests/test_security.py. `filterwarnings = ["error"]` means a new
+      # warning fails the run.
+      - name: Tests (pytest)
+        run: poetry run pytest
+
+  frontend:
+    name: Frontend (typecheck + lint + test + build)
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+        with:
+          version: 9
+
+      - name: Set up Node
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 22
+          cache: pnpm
+          cache-dependency-path: frontend/pnpm-lock.yaml
+
+      - name: Install dependencies (frozen lockfile)
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck (tsc --noEmit, every package)
+        run: pnpm -r typecheck
+
+      - name: Lint (eslint --max-warnings 0 + stylelint + dark-mode coverage)
+        run: pnpm lint
+
+      - name: Unit tests (vitest)
+        run: pnpm test
+
+      - name: Build (Vite bundle, every package)
+        run: pnpm -r build

.github/workflows/codeql.yml

@@ -1,16 +1,13 @@
 # CodeQL static analysis.
 #
-# This is the ONE CI workflow the package ships (SECURITY.md §8 keeps
-# the lint/test pipeline local-only for v0.x; CodeQL is the documented
-# exception — issue #144, post-public-flip hardening). It runs GitHub's
-# semantic code analysis over the Python package and the TypeScript
-# frontend, surfacing findings in the repository's Security tab where
-# external reporters and maintainers both look. Free for public repos.
-#
-# It complements, not replaces, the local gates: `bandit` / `ruff -S`
-# (Python) and `eslint` (frontend) still run via `scripts/lint.sh`;
-# CodeQL adds dataflow-based detection (injection, path traversal,
-# unsafe deserialization) those rule-based linters can miss.
+# Dataflow-based security analysis (Python + TypeScript), surfacing
+# findings in the repository's Security tab where external reporters and
+# maintainers both look. Free for public repos. It complements the test
+# gate in `ci.yml` and the local lint gate (`scripts/lint.sh`): `bandit` /
+# `ruff -S` (Python) and `eslint` (frontend) are rule-based; CodeQL adds
+# dataflow detection (injection, path traversal, unsafe deserialization)
+# those linters can miss. Added in #144 (post-public-flip hardening);
+# the test CI gate followed in #452.
 name: CodeQL
 
 on:

.pre-commit-config.yaml

@@ -8,10 +8,10 @@
 # Anything below the [BLOCK] threshold in
 # `docs/agents/security-expert/REVIEW_CHECKLIST.md` §1 aborts the commit.
 #
-# This file is part of the local-only quality gate. There is no CI
-# in this repo by design (repo-owner direction); a developer who
-# disables this hook still has to clear `scripts/lint.sh` before the
-# Merger will pull their PR.
+# This file is the commit-time half of the quality gate, run together
+# with `scripts/lint.sh` before a PR. CI (`.github/workflows/ci.yml`)
+# currently runs the test suites, not these hooks; wiring the lint/security
+# hooks into CI is a follow-up (#452).
 
 repos:
   # -------------------------------------------------------------------

ACCEPTANCE.md

@@ -436,7 +436,7 @@ Merger runs the pipeline locally before squash-merge.
 | Q-1 | `./scripts/lint.sh` is the merge gate. A merge that bypassed it is a policy violation and a revert candidate. | Forum status / PR body. |
 | Q-2 | `./scripts/build.sh` is the release gate. Both the SPA build and `poetry build` must succeed. | Run output before tagging. |
 | Q-3 | A PR that touches `pyproject.toml` runtime deps, frontend root `package.json` deps, or `LICENSE` includes a locally-recorded `pip-audit` (Python) and `pnpm audit` (npm) clean run in the PR body. | PR-body inspection. |
-| Q-4 | The "no CI" decision is revisited before leaving pre-alpha and recorded in [`docs/agents/decisions.md`](docs/agents/decisions.md). | Decision-log entry. |
+| Q-4 | The "no CI" decision was revisited and reversed before leaving pre-alpha: the test suites now run in CI (`.github/workflows/ci.yml` — backend `pytest` + frontend gate), recorded in [`docs/agents/decisions.md`](docs/agents/decisions.md). Wiring the Python lint gate into CI and marking checks required in branch protection are the remaining follow-ups (#452). | Decision-log entry + `ci.yml`. |
 
 ### 3.8 Packaging
 

SECURITY.md

@@ -174,7 +174,21 @@ Every endpoint added must include all of these tests before merging:
 - TestPyPI may be used for verification by the maintainer with a
   separate token; same hygiene rules apply.
 
-## 8. Static analysis (local-only — no CI in v0.x)
+## 8. Static analysis (local + CI)
+
+The earlier "local-only, no CI in v0.x" posture was revisited and
+reversed (issue #452 — regressions were slipping onto `main` under
+CodeQL-only gating; see `docs/agents/decisions.md`). **The test suites
+now run server-side in CI** (`.github/workflows/ci.yml`): backend
+`pytest` and the frontend `pnpm` gate (typecheck + lint + test + build),
+so a red suite cannot merge.
+
+Enforcing the **Python lint gate** in CI is a near-term follow-up:
+`scripts/lint.sh` currently runs two formatters (`ruff format` + `black`)
+whose output conflicts, so it isn't satisfiable on a clean tree yet. The
+local script below is still the authoritative lint gate; it gets
+de-conflicted and the small existing debt cleared first, then the lint
+step is added to CI.
 
 Run via `./scripts/lint.sh`:
 
@@ -187,8 +201,11 @@ Run via `./scripts/lint.sh`:
 - `mypy` (best-effort; tightening planned for v1.x)
 - `bandit -r django_admin_react`
 - `pytest -q` (including `tests/test_security.py`)
-- Frontend: `prettier --check`, `pnpm -r typecheck`, `pnpm -r lint`
-  (`eslint` wires up in PR #6).
+- Frontend: `pnpm -r typecheck`, `pnpm lint` (eslint `--max-warnings 0`
+  + stylelint + dark-mode coverage), `pnpm test` (vitest), `pnpm -r build`.
+
+Making the CI checks **required** in branch protection is a separate
+owner action (#452 / #331).
 
 Dependency audit runs separately via `./scripts/audit-deps.sh`
 (see §6).

docs/agents/decisions.md

@@ -7,6 +7,28 @@ Newest decisions on top.
 
 ---
 
+## 2026-05-28 — Reverse "no CI": the test suites now run server-side
+
+The prior "no CI in pre-alpha (per repo-owner direction)" posture was
+revisited (the trigger named in OQ-A-001 / ACCEPTANCE Q-4) and reversed.
+Under CodeQL-only gating, test regressions were merging onto `main` green
+with many agents working in parallel (e.g. #401 broke
+`tests/test_logentry.py`, caught only on a later local run — #451).
+
+- **CI now runs the test suites on every PR + push to `main`**
+  (`.github/workflows/ci.yml`): backend `pytest` (with coverage) and the
+  frontend gate (`pnpm -r typecheck` / `pnpm lint` / `pnpm test` /
+  `pnpm -r build`). Actions SHA-pinned; least-privilege `contents: read`.
+  — issue #452, ci.yml. Owner-directed merge despite Tier 5 (workflows +
+  SECURITY.md §8).
+- **Follow-ups** (off #452 / #331): wire the Python *lint* gate into CI —
+  blocked first on de-conflicting `scripts/lint.sh`, which runs two
+  formatters (`ruff format` + `black`) whose output conflicts, plus a
+  little pylint/flake8 debt to clear; mark the CI checks **required** in
+  branch protection; optional Python/Django version matrix.
+
+---
+
 ## 2026-05-27 — Ship a concrete recommended CSP (QSEC-03 resolved)
 
 Security lane (`claude-security-opus47-2026-05-27`). The SPA shell loads

docs/agents/product-manager/DECISIONS.md

@@ -60,8 +60,10 @@ Authoring session: `claude-pm-ux-opus47`.
 11. **Lighthouse-equivalent budget:** FCP < 1.5 s cached, LCP < 2.5 s
     cold on the reference profile (M-class laptop, 10 Mbps).
     — [`PRODUCT_VISION.md`](../../PRODUCT_VISION.md) §7
-12. **No `--force` push to `main`. No CI/CD (per repo-owner direction).**
-    Local linters via `scripts/lint.sh` are the gate.
+12. **No `--force` push to `main`.** The test suites run in CI
+    (`.github/workflows/ci.yml`, added in #452 — the prior "no CI" stance
+    was reversed); the lint gate (`scripts/lint.sh`) runs locally, with
+    lint-in-CI a follow-up.
     — [`docs/agents/decisions.md`](../../docs/agents/decisions.md) (engineering)
 13. **`docs/agents/` handoff convention adopted** — durable role state
     survives session loss. — [`docs/agents/decisions.md`](../DECISIONS.md)

docs/agents/security-expert/DECISIONS.md

@@ -31,10 +31,13 @@ agents see it without reading this folder.
 - **CSRF is mandatory.** No view in the package is `@csrf_exempt`.
   Tests must assert that a missing or invalid `X-CSRFToken` header
   on `POST` / `PATCH` / `DELETE` returns `403`. — invariant
-- **No CI in v1.** The Merger runs `scripts/lint.sh` locally; security
-  scans (`ruff S`, `bandit`, `pip-audit`, secret grep) are part of
-  that script. Acceptance criteria below treat the local pipeline as
-  authoritative until CI is reintroduced. — repo-owner directive
+- **Tests run in CI; the lint gate stays local (for now).**
+  `.github/workflows/ci.yml` runs `pytest` + the frontend gate
+  server-side on every PR so a red suite can't merge (#452 — the earlier
+  "no CI" stance was reversed). The Python lint/security gate
+  (`scripts/lint.sh`: `ruff S`, `bandit`, the pre-commit secret/pygrep
+  hooks) plus `pip-audit` stay local pre-merge steps until the gate is
+  de-conflicted and wired into CI (follow-up off #452). — #452
 - **Frontend never holds permission state alone.** `@dar/data` may
   cache `permissions: {view, add, change, delete}` from the API for
   UI courtesy (hide buttons), but **every** write call re-verifies

docs/agents/security-expert/REVIEW_CHECKLIST.md

@@ -204,7 +204,8 @@ human takes it from there.
 
 - "We'll add tests in a follow-up PR."
 - "It's only a refactor, no review needed."
-- "CI will catch it." (We have no CI.)
+- "CI will catch it." (CI runs the gate (#452), but a green pipeline is
+  the floor, not the review — dataflow/logic bugs still need human eyes.)
 - "The frontend handles it." (Defense in depth; backend must enforce.)
 - "It's behind staff auth." (Necessary, not sufficient — the
   backend still must obey `ModelAdmin`.)