Move CI to in-pipeline Woodpecker

- Add .woodpecker.yml so the new pipeline's Woodpecker stack runs validation on every push.
- Disable push/PR triggers on the GitHub-hosted validation workflows; the new pipeline does deterministic host-side validation before pushing to origin. Tag-triggered release/publish/deploy workflows are unchanged.
- Re-enable Public Boundary on push and pull_request as a defense-in-depth scan in addition to the in-pipeline pre-push leak guard.

Author: durable-workflow-ops

.github/workflows/ci.yml

@@ -1,10 +1,7 @@
 name: CI
 
 on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
+  workflow_dispatch:
 
 permissions:
   contents: read

.github/workflows/public-boundary.yml

@@ -3,6 +3,7 @@ name: Public Boundary
 on:
   pull_request:
   push:
+  workflow_dispatch:
 
 permissions:
   contents: read

.woodpecker.yml

@@ -0,0 +1,93 @@
+when:
+  - event: [push, pull_request]
+
+steps:
+  lint:
+    image: python:3.12
+    commands:
+      - pip install -e '.[dev]'
+      - ruff check src/ tests/
+      - mypy src/durable_workflow/
+
+  test-python-310:
+    image: python:3.10
+    commands:
+      - pip install -e '.[dev]'
+      - pytest tests/ -m "not integration" -q
+
+  test-python-311:
+    image: python:3.11
+    commands:
+      - pip install -e '.[dev]'
+      - pytest tests/ -m "not integration" -q
+
+  test-python-312:
+    image: python:3.12
+    commands:
+      - pip install -e '.[dev]'
+      - pytest tests/ -m "not integration" -q
+
+  package:
+    image: python:3.12
+    commands:
+      - pip install build twine
+      - python -m build
+      - twine check dist/*
+      - python scripts/smoke-built-package.py
+
+  docs-build:
+    image: python:3.12
+    commands:
+      - pip install -e '.[docs]'
+      - mkdocs build --strict
+
+  cli-parity:
+    image: python:3.12
+    commands:
+      - apt-get update
+      - apt-get install -y git
+      - |
+        if [ -n "$${CI_NETRC_MACHINE:-}" ] && [ -n "$${CI_NETRC_USERNAME:-}" ] && [ -n "$${CI_NETRC_PASSWORD:-}" ]; then
+          cat > "$HOME/.netrc" <<EOF
+        machine $${CI_NETRC_MACHINE}
+          login $${CI_NETRC_USERNAME}
+          password $${CI_NETRC_PASSWORD}
+        EOF
+          chmod 600 "$HOME/.netrc"
+        fi
+      - export FORGE_BASE="$${CI_FORGE_URL%/}"
+      - rm -rf /tmp/cli
+      - git clone --depth 1 "$${FORGE_BASE}/$${CI_REPO_OWNER}/cli.git" /tmp/cli
+      - python scripts/check-cli-parity.py --cli /tmp/cli
+
+  integration:
+    image: docker:27-cli
+    privileged: true
+    commands:
+      - apk add --no-cache bash git python3 py3-pip docker-cli-compose
+      - |
+        if [ -n "$${CI_NETRC_MACHINE:-}" ] && [ -n "$${CI_NETRC_USERNAME:-}" ] && [ -n "$${CI_NETRC_PASSWORD:-}" ]; then
+          cat > "$HOME/.netrc" <<EOF
+        machine $${CI_NETRC_MACHINE}
+          login $${CI_NETRC_USERNAME}
+          password $${CI_NETRC_PASSWORD}
+        EOF
+          chmod 600 "$HOME/.netrc"
+        fi
+      - export FORGE_BASE="$${CI_FORGE_URL%/}"
+      - repo_parent="$(dirname "$PWD")"
+      - rm -rf "$repo_parent/server"
+      - git clone --depth 1 "$${FORGE_BASE}/$${CI_REPO_OWNER}/server.git" "$repo_parent/server"
+      - export WORKFLOW_PACKAGE_SOURCE="$${FORGE_BASE}/$${CI_REPO_OWNER}/workflow.git"
+      - export WORKFLOW_PACKAGE_REF=v2
+      - python3 -m pip install -e '.[dev]'
+      - trap 'docker compose -f docker-compose.test.yml down -v' EXIT
+      - docker compose -f docker-compose.test.yml up -d --wait --timeout 120
+      - DURABLE_WORKFLOW_SERVER_URL=http://localhost:8080 DURABLE_WORKFLOW_AUTH_TOKEN=test-token pytest tests/integration/ -v
+
+  public-boundary:
+    image: python:3.12
+    commands:
+      - export PUBLIC_BOUNDARY_GIT_RANGE="$${CI_COMMIT_SHA}^..$${CI_COMMIT_SHA}"
+      - if [ -n "$${CI_PREV_COMMIT_SHA:-}" ]; then export PUBLIC_BOUNDARY_GIT_RANGE="$${CI_PREV_COMMIT_SHA}..$${CI_COMMIT_SHA}"; fi
+      - scripts/check-public-boundary.sh