feat: add pre-commit hooks and CI workflow for plugin repo

JoeOakhartNava · claude · JoeOakhartNava · commit 67b0a41f21e2 · 2026-03-16T21:52:00.000-07:00
Pre-commit hooks:
- executable-guard: protect +x on .sh files
- format-and-lint (ruff): lint Python scripts and tests
- isolation-check: test isolation rules on staged Python
- block-sentinel-push: prevent pushing unreviewed checkpoint commits
- pre-push-lint: full-tree ruff check before push

CI workflow (GitHub Actions):
- shellcheck: lint all shell scripts
- lint-python: ruff check + format on Python files
- test-plugin: run full test suite (1527 tests) with shfmt
- create-failure-bug: auto-create tickets on CI failure

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,119 @@
+# Digital Service Orchestra (DSO) — Continuous Integration
+# Runs shellcheck, Python linting, plugin tests, and auto-creates failure tickets.
+
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+      - 'feature/**'
+      - 'bugfix/**'
+      - 'epic/**'
+      - 'exp/**'
+    paths-ignore:
+      - '.tickets/**'
+      - '**/*.md'
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - '.tickets/**'
+      - '**/*.md'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # ── Fast gates ──────────────────────────────────────────────
+
+  shellcheck:
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install shellcheck
+        run: sudo apt-get update && sudo apt-get install -y shellcheck
+
+      - name: Run shellcheck
+        run: shellcheck scripts/*.sh hooks/*.sh hooks/**/*.sh
+
+      - name: Job timing report
+        if: always()
+        run: echo "shellcheck completed at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+  lint-python:
+    name: Lint Python (ruff)
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install ruff
+        run: pip install ruff
+
+      - name: Ruff check
+        run: ruff check scripts/*.py tests/**/*.py
+
+      - name: Ruff format check
+        run: ruff format --check scripts/*.py tests/**/*.py
+
+      - name: Job timing report
+        if: always()
+        run: echo "lint-python completed at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+  # ── Full test suite ─────────────────────────────────────────
+
+  test-plugin:
+    name: Plugin Test Suite
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: [shellcheck, lint-python]
+    env:
+      SERIAL_SUITES: 1
+      MAX_PARALLEL: 4
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install shfmt
+        run: |
+          curl -sS https://webinstall.dev/shfmt | bash
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Configure git identity
+        run: |
+          git config --global user.name "CI Bot"
+          git config --global user.email "ci@example.com"
+
+      - name: Run plugin tests
+        env:
+          CLAUDE_PLUGIN_ROOT: ${{ github.workspace }}
+        run: bash tests/run-all.sh
+
+      - name: Job timing report
+        if: always()
+        run: echo "test-plugin completed at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+  # ── Failure ticket ──────────────────────────────────────────
+
+  create-failure-bug:
+    name: Create Failure Bug Ticket
+    runs-on: ubuntu-latest
+    needs: [shellcheck, lint-python, test-plugin]
+    if: failure() && github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install tk CLI
+        run: pip install tk
+
+      - name: Create failure bug
+        run: bash scripts/ci-create-failure-bug.sh "${{ github.run_id }}"
+
+      - name: Job timing report
+        if: always()
+        run: echo "create-failure-bug completed at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,50 @@
+# Digital Service Orchestra (DSO) plugin pre-commit configuration
+# These hooks enforce code quality and safety checks for the DSO plugin repository.
+fail_fast: true
+
+repos:
+  - repo: local
+    hooks:
+      # --- commit-stage hooks ---
+
+      - id: executable-guard
+        name: Executable Bit Guard (5s timeout)
+        entry: ./scripts/pre-commit-executable-guard.sh
+        language: system
+        pass_filenames: false
+        stages: [commit]
+        files: \.sh$
+
+      - id: format-and-lint
+        name: Format + Lint - Ruff (15s timeout)
+        entry: ./scripts/pre-commit-wrapper.sh format-and-lint 15 "ruff check scripts/*.py tests/**/*.py && ruff format --check scripts/*.py tests/**/*.py"
+        language: system
+        pass_filenames: false
+        types: [python]
+        stages: [commit]
+
+      - id: isolation-check
+        name: Test Isolation Check (60s timeout)
+        entry: ./scripts/pre-commit-wrapper.sh isolation-check 60 "STAGED_ONLY=true scripts/check-test-isolation.sh"
+        language: system
+        pass_filenames: false
+        types: [python]
+        stages: [commit]
+
+      # --- push-stage hooks ---
+
+      - id: block-sentinel-push
+        name: Block checkpoint sentinel push
+        language: system
+        entry: "bash -c 'git cat-file -t HEAD:.checkpoint-needs-review >/dev/null 2>&1 && exit 1; exit 0'"
+        pass_filenames: false
+        always_run: true
+        stages: [push]
+
+      - id: pre-push-lint
+        name: Pre-push format + lint check
+        language: system
+        entry: ./scripts/pre-commit-wrapper.sh pre-push-lint 60 "ruff check scripts/*.py tests/**/*.py && ruff format --check scripts/*.py tests/**/*.py"
+        pass_filenames: false
+        always_run: true
+        stages: [push]
