Enforce warnaserror in CI build

KSemenenko · KSemenenko · commit 01f537cd3868 · 2026-03-13T10:44:52.000+01:00
diff --git a/.github/workflows/build-validation.yml b/.github/workflows/build-validation.yml
@@ -39,10 +39,6 @@ jobs:
         run: dotnet format DotPilot.slnx --verify-no-changes
 
       - name: Build
-        shell: pwsh
-        run: dotnet build DotPilot.slnx
-
-      - name: Analyze
         shell: pwsh
         run: dotnet build DotPilot.slnx -warnaserror
 
diff --git a/AGENTS.md b/AGENTS.md
@@ -120,7 +120,7 @@ Skill-management rules for this `.NET` solution:
 
 ### Commands
 
-- `build`: `dotnet build DotPilot.slnx`
+- `build`: `dotnet build DotPilot.slnx -warnaserror`
 - `test`: `dotnet test DotPilot.slnx`
 - `format`: `dotnet format DotPilot.slnx --verify-no-changes`
 - `analyze`: `dotnet build DotPilot.slnx -warnaserror`
@@ -137,13 +137,15 @@ For this app:
 - desktop release publishing uses `dotnet publish DotPilot/DotPilot.csproj -c Release -f net10.0-desktop`; the validation workflow stays focused on build and automated tests, while the release workflow owns desktop publish outputs for macOS, Windows, and Linux
 - `LangVersion` is pinned to `latest` at the root
 - the repo-root lowercase `.editorconfig` is the source of truth for formatting, naming, style, and analyzer severity
+- local and CI build commands must pass `-warnaserror`; warnings are not an acceptable "green" build state in this repository
 - `Directory.Build.props` owns the shared analyzer and warning policy for future projects
 - `Directory.Packages.props` owns centrally managed package versions
 - `global.json` pins the .NET SDK and Uno SDK version used by the app and tests
 - `DotPilot/DotPilot.csproj` keeps `GenerateDocumentationFile=true` with `CS1591` suppressed so `IDE0005` stays enforceable in CI across all target frameworks without inventing command-line-only build flags
 - GitHub Actions workflows must use descriptive names and filenames that reflect their purpose; do not use a generic `ci.yml` catch-all because build validation and release automation are separate operator flows
 - GitHub Actions must be split into at least one validation workflow for normal builds/tests and one release workflow for CI-driven version resolution, release-note generation, desktop publishing, and GitHub Release publication
 - the release workflow must run automatically on pushes to `main`, build desktop apps, and publish the GitHub Release without requiring a manual dispatch
+- desktop app build or publish jobs must use native runners for their target OS: macOS artifacts on macOS runners, Windows artifacts on Windows runners, and Linux artifacts on Linux runners
 - desktop release versions must use the `ApplicationDisplayVersion` value in `DotPilot/DotPilot.csproj` as a manually maintained two-segment prefix, with CI appending the final segment from the build number (for example `0.0.<build-number>`)
 - the release workflow must not take ownership of the first two version segments; those remain manually edited in source, while CI supplies only the last numeric segment and matching release tag/application version values
 - for CI and release automation in this solution, prefer existing `dotnet` and `MSBuild` capabilities plus small workflow-native steps over Python or adding a separate helper project for simple versioning and release-note tasks
diff --git a/github-actions-yaml-review.plan.md b/github-actions-yaml-review.plan.md
@@ -0,0 +1,87 @@
+# GitHub Actions YAML Review Plan
+
+## Goal
+
+Review the current GitHub Actions validation and release workflows, record concrete risks with line-level evidence, and capture any durable CI policy that emerged from the user conversation, including mandatory `-warnaserror` enforcement for local and CI builds.
+
+## Scope
+
+### In Scope
+
+- `.github/workflows/build-validation.yml`
+- `.github/workflows/release-publish.yml`
+- shared workflow assumptions from `.github/steps/install_dependencies/action.yml`
+- root governance updates needed to capture durable CI runner policy and mandatory `-warnaserror` build usage
+
+### Out Of Scope
+
+- application code changes unrelated to CI/CD
+- release-note content changes
+- speculative platform changes without a concrete workflow finding
+
+## Constraints And Risks
+
+- The review must focus on real failure or operability risks, not styling-only nits.
+- Findings must use exact file references and line numbers.
+- Desktop builds must stay on native OS runners for the target artifact.
+
+## Testing Methodology
+
+- Static review of workflow logic, trigger model, runner selection, packaging steps, and rerun behavior
+- Validation commands for any touched YAML or policy file:
+  - `dotnet build DotPilot.slnx -warnaserror`
+  - `actionlint .github/workflows/build-validation.yml`
+  - `actionlint .github/workflows/release-publish.yml`
+- Quality bar:
+  - every reported finding must describe a user-visible or operator-visible failure mode
+  - no finding should rely on vague “could be cleaner” arguments
+
+## Ordered Plan
+
+- [x] Step 1: Read the current workflows, shared composite action, and relevant governance/docs.
+  Verification:
+  - inspect the workflow YAML and shared action with line numbers
+  - inspect the nearest architecture/ADR references for the intended CI split
+  Done when: the current workflow intent and boundaries are clear.
+
+- [x] Step 2: Record durable policy from the latest user instruction.
+  Verification:
+  - update `AGENTS.md` with the native-runner rule for desktop build/publish jobs
+  - update `AGENTS.md` with mandatory `-warnaserror` usage for local and CI builds
+  Done when: the rules are present in root governance.
+
+- [x] Step 3: Apply the explicitly requested CI warning-policy fix.
+  Verification:
+  - `build-validation.yml` runs the build step with `-warnaserror`
+  - no duplicate non-value build step remains after the change
+  Done when: CI and local build policy both require `-warnaserror`.
+
+- [x] Step 4: Produce the workflow review findings.
+  Verification:
+  - findings reference exact files and lines
+  - findings are ordered by severity
+  Done when: the user can act on the review without needing another pass to discover the real problems.
+
+- [x] Step 5: Validate touched YAML/policy files.
+  Verification:
+  - `dotnet build DotPilot.slnx -warnaserror`
+  - `actionlint .github/workflows/build-validation.yml`
+  - `actionlint .github/workflows/release-publish.yml`
+  Done when: touched workflow files still parse cleanly.
+
+## Full-Test Baseline Step
+
+- [x] Capture the current workflow state before proposing changes.
+  Done when: the review is grounded in the current checked-in YAML, not stale assumptions.
+
+## Failing Tests And Checks Tracker
+
+- [x] None currently tracked for this review-only pass.
+
+## Final Validation Skills
+
+1. `mcaf-ci-cd`
+Reason: review CI/release workflow structure and operator risks.
+
+2. `mcaf-testing`
+Reason: ensure the review respects the repo verification model and required test gates.
