
feat(policy): Phase 1 — org-level policy engine for apm audit --ci #673

Workflow file for this run

---
# Pull-request CI: unit tests plus a Linux binary build.
name: CI

# Interpreter version, read by the jobs through the env context.
env:
  PYTHON_VERSION: '3.12'

# Runs for pull requests that target main. A pull request whose changes are
# confined to the ignored paths does not trigger a run.
on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - 'docs/**'
      - '.gitignore'
      - 'LICENSE'

# Workflow-wide GITHUB_TOKEN scope: read-only repository contents. Once a
# permissions block is present, every scope not listed here is set to none.
permissions:
  contents: read
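jobs:
  # Linux-only for PR feedback. Full platform matrix (incl. macOS + Windows) runs post-merge in build-release.yml.
  # Combines unit tests + binary build into a single job to eliminate runner re-provisioning overhead.
  build-and-test:
    name: Build & Test (Linux)
    runs-on: ubuntu-24.04
    # Repeats the workflow-level scope so the job stays read-only even if the
    # top-level default is widened later.
    permissions:
      contents: read
    steps:
      # NOTE(review): every `uses:` in this job references a mutable version tag.
      # Pinning each action to a full commit SHA (keeping the tag as a trailing
      # comment) stops a re-pointed tag from changing what runs here.
      - uses: actions/checkout@v4
        with:
          # The following steps execute code from the pull request (dependency
          # install, tests, build script), so the token is not left in
          # .git/config for them to read. None of the visible steps performs an
          # authenticated git operation; scripts/build-binary.sh is not shown
          # here -- confirm it needs none.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true

      - name: Install dependencies
        run: uv sync --extra dev --extra build

      - name: Run tests
        run: uv run pytest tests/unit tests/test_console.py -n auto --dist worksteal

      # UPX comes from the runner's apt sources.
      - name: Install UPX
        run: |
          sudo apt-get update
          sudo apt-get install -y upx-ucl

      - name: Build binary
        run: |
          chmod +x scripts/build-binary.sh
          uv run ./scripts/build-binary.sh

      - name: Upload binary as workflow artifact
        uses: actions/upload-artifact@v4
        with:
          name: apm-linux-x86_64
          # Scripts are included to preserve the artifact root at ./ (not ./dist/).
          # Without a sibling directory, upload-artifact strips the dist/ prefix,
          # breaking download paths in ci-integration.yml which expects dist/$BINARY_NAME/apm.
          #
          # NOTE(review): the binary and both scripts are produced from the pull
          # request's checkout. If ci-integration.yml runs with secrets or a
          # write-scoped token, it should treat this artifact as untrusted input
          # and take helper scripts from its own trusted checkout -- confirm
          # against that workflow.
          path: |
            ./dist/apm-linux-x86_64
            ./dist/apm-linux-x86_64.sha256
            ./scripts/test-release-validation.sh
            ./scripts/github-token-helper.sh
          # Dot-files under the listed paths are uploaded too; make sure the
          # build writes nothing sensitive there.
          include-hidden-files: true
          retention-days: 30
          # Fail the job instead of publishing an empty artifact.
          if-no-files-found: error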