Enforce mandatory PR security checklist, CI scans, contract tests, and backward-compat policy

[Moeabdelaziz007]

Motivation

• Ensure every PR explicitly acknowledges and passes dependency, secret, and static scans before merge by adding a mandatory security checklist.
• Automate enforcement of dependency, secret, static and filesystem vulnerability scans on every PR to reduce regressions and supply-chain risk.
• Run contract tests whenever API/proto surfaces change to prevent breaking consumer contracts.
• Define a clear backward-compatibility policy and SLA for triaging critical/high findings so security work is tracked and remediated promptly.

Description

• Updated the PR template .github/pull_request_template.md to include a 🔒 Mandatory Security Checklist and API / Proto Contract Safety checks that require scan confirmations and contract-test confirmation.
• Extended the CI workflow .github/workflows/ci.yml to add a changes job using dorny/paths-filter to detect api/**, *.proto, and generated protobuf changes and a conditional contract-tests job that runs when those paths change.
• Added automated scans to CI: dependency checks (npm audit, govulncheck), secret scanning (secretlint), static analysis (semgrep), and filesystem vulnerability scanning (trivy), and added semgrep to the build job.
• Added docs/operations/security-governance-policy.md that defines scope, required PR gates, semantic versioning rules, a 90-day deprecation window, breaking-change controls, and SLAs (CRITICAL = 24h, HIGH = 7 days).
• Linked the new governance policy from .github/CONTRIBUTING.md to ensure contributors follow the policy.

Testing

• Ran npm run -s contracts:check locally and the contract sync validation passed.
• Pre-commit automated checks (formatting/linting and secretlint via lint-staged) executed successfully during the change process.
• The new conditional contract-tests job and full CI security scans will run in GitHub Actions for PRs and will enforce the gates on merge.

---

Codex Task

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

Summary by CodeRabbit

• Documentation

  • Enhanced contributing guidelines with security governance protocols
  • Added security governance policy documentation

• Chores

  • Improved CI/CD pipeline with enhanced security scanning
  • Updated PR template with mandatory security checks

**Disclaimer This is AxiomID Review Agent.

Greptile Summary

This PR introduces a mandatory security checklist in the PR template, adds automated dependency/secret/static/filesystem vulnerability scans to CI, creates a conditional contract-tests job for API/proto changes, and documents the security governance policy with SLAs and backward-compatibility rules.

• CI workflow: Adds changes (path-filter) and contract-tests jobs, injects Semgrep into the build job, and corrects action versions from the non-existent @v6 tags to @v4/@v5. However, contract-tests does not declare needs: build, so it can complete successfully while the build's security scans are still running or failing — and the entire e2e-real staging job is silently removed with no replacement.
• PR template / policy: Clean additions; the new security checklist, API contract safety section, and governance policy document are well-structured and actionable.

Confidence Score: 3/5

The CI changes introduce two structural problems that should be resolved before merging: the contract-tests job bypasses the security gates it is meant to enforce, and the existing staging E2E tests are silently dropped.

The contract-tests job runs independently of build, so it can report green while Semgrep, Trivy, govulncheck, and npm audit are still in flight or have already failed on the same PR. Combined with the unexplained removal of the e2e-real job, the net effect is that this PR — despite adding security tooling — actually weakens the enforcement posture on the contract-test path and eliminates staging validation entirely. The documentation and PR-template changes are solid and ready to merge; only the workflow file needs attention.

.github/workflows/ci.yml requires the most attention: fix the contract-tests dependency chain and clarify the removal of e2e-real.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Adds changes and contract-tests jobs, Semgrep scan, and removes the e2e-real staging job; contract-tests lacks needs: build, creating a bypass around security gates, and the e2e removal is an unaddressed regression.
.github/pull_request_template.md	Adds mandatory security checklist and API/proto contract safety section; also removes a duplicated 'no hardcoded secrets' checkbox now covered by the new checklist.
.github/CONTRIBUTING.md	Minor formatting improvements and a new Security Governance section linking contributors to the new policy document.
docs/operations/security-governance-policy.md	New policy document defining scan gates, contract-test requirements, semantic versioning/deprecation rules, and SLAs (CRITICAL=24h, HIGH=7 days); content is clear and complete.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    PR[Pull Request] --> changes[changes job\ndorny/paths-filter]
    PR --> build[build job\nno dependency]

    changes -->|api_or_proto_changed == true| contract[contract-tests job\nneeds: changes only]
    changes -->|api_or_proto_changed == false| skip[contract-tests skipped]

    build --> audit[npm audit]
    build --> govulncheck[govulncheck]
    build --> secretlint[Secretlint]
    build --> semgrep[Semgrep]
    build --> trivy[Trivy]

    contract --> contractsCheck[npm run contracts:check]
    contract --> goTest[go test ./api/...]

    style contract fill:#f96,color:#000
    style build fill:#6af,color:#000

    note1["⚠️ contract-tests does NOT\nwait for build to finish"]:::note
    contract -.->|missing dependency| note1

Loading

_{Reviews (1): Last reviewed commit: "ci: enforce PR security gates and API co..." | Re-trigger Greptile}

Greptile also left 4 inline comments on this PR.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
piworker-os	Error		May 13, 2026 4:04pm

[vercel]

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/axiom-id?upgradeToPro=build-rate-limit

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR establishes a comprehensive security governance framework by introducing a formal security policy, updating contributor guidance and PR templates with mandatory security checklists, and automating enforcement through CI/CD workflows with path-based contract testing and static analysis scanning.

Changes

Security Governance Implementation

Layer / File(s)	Summary
Security Governance Policy Document docs/operations/security-governance-policy.md	Introduces the complete security governance policy defining PR scope, mandatory security gates (dependency, secret, static, filesystem scanning with explicit commands), required contract tests for API/proto changes, backward-compatibility rules including semantic versioning and a 90-day deprecation window, critical/high finding SLAs with monitoring and merge prohibition, and policy exception process.
Contributor Guidance & PR Enforcement .github/CONTRIBUTING.md, .github/pull_request_template.md	Updates the contributing guide with a "Sovereign Contribution Protocol" section and cross-reference to the security governance policy. Reorganizes the PR template by adding a "Mandatory Security Checklist" section (CI scan completion, hardcoded secret prevention, dependency risk review, critical finding resolution) and an "API / Proto Contract Safety" section (contract test updates, backward-compatibility policy checks).
API/Proto Change Detection and Contract Testing .github/workflows/ci.yml	Adds a new changes job using path filtering to detect API/proto modifications and expose api_or_proto_changed output. Adds a conditional contract-tests job that runs only when APIs change, performing contract validation and executing Go API package tests (go test ./api/...) with Node and Go setup.
Security Scanning and CI Maintenance .github/workflows/ci.yml	Integrates Semgrep static analysis with OWASP Top Ten configuration into the CI security scanning pipeline before Trivy. Updates actions/setup-go version from v6 to v5. Updates the generated release checklist to include Semgrep in the "Security scans" list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A fortress of rules the rabbit designed,
With gates and with scans of the strictest kind,
Contract tests guard the API door,
While Semgrep seeks secrets and flaws galore—
Security flows through the workflow with grace! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides clear motivation, detailed description of changes, and testing performed, but does not follow the repository's required template structure with sections like 'Type of Change' checkboxes.	Restructure the description to match the template: add '📝 Description', '🔗 Related Issue', '🧩 Type of Change' checkboxes, and '✅ Strict Checklist' sections with required verification items.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: enforcing mandatory PR security checklist, CI scans, contract tests, and backward-compatibility policy.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/add-security-checklist-to-pr-template

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[blacksmith-sh]

Blacksmith Account Suspended

This Blacksmith account requires additional verification. Jobs targeting Blacksmith runners will not be picked up and will remain queued until they timeout.

Please contact Blacksmith Support for assistance.

[greptile-apps]

contract-tests runs independently of build, bypassing all security gates

The contract-tests job declares needs: changes but not needs: build. This means it can succeed (and satisfy its branch-protection check) even when the build job — which runs npm audit, govulncheck, Secretlint, Semgrep, and Trivy — is still running or has already failed. A PR that introduces a vulnerable dependency or a secret could pass the contract-tests gate before the build's security scans report failure, giving reviewers a false sense of passing CI for the security-sensitive contract path. Adding needs: [changes, build] would ensure contract tests only run against a clean, fully-audited build.

[greptile-apps]

e2e-real staging job removed with no replacement

The entire e2e-real job — which ran npm run test:tier4 against a live staging environment, validated required env vars (SOVEREIGN_STAGING_URL, SOVEREIGN_AUTH_TOKEN, AGENT_SYSTEM_SECRET), and uploaded E2E artifacts — has been silently dropped. The new contract-tests job only performs a contract-sync check and go test ./api/..., and only triggers when api/** or *.proto files change. Any regression in non-API runtime behavior against staging will go undetected. If the removal is intentional, the PR description should justify it; otherwise this is a testing coverage gap.

[greptile-apps]

Semgrep version unpinned — undermines supply-chain security

pip install semgrep without a version specifier fetches whatever the latest PyPI release is at run time. This contradicts the supply-chain hardening intent of this PR: a new Semgrep release could silently change rule results, break the --config p/owasp-top-ten fetch, or introduce a dependency with a vulnerability. Pin a specific version to make the scan reproducible and auditable.

Suggested change

	- name: Static scan (Semgrep)
	run: |
	python -m pip install --upgrade pip
	pip install semgrep
	semgrep --config p/owasp-top-ten --error
	- name: Static scan (Semgrep)
	run: |
	python -m pip install --upgrade pip
	pip install semgrep==1.100.0
	semgrep --config p/owasp-top-ten --error

[greptile-apps]

--no-audit skips dependency auditing in the contract-tests job

The contract-tests job installs dependencies with --no-audit, which suppresses npm audit output. This is inconsistent with the security intent of this PR — a PR touching API/proto surfaces is exactly the kind of change where dependency integrity should be verified. Consider dropping the flag or running a separate npm audit step after install.

Suggested change

	- name: Install dependencies
	run: npm install --ignore-scripts --no-audit --no-fund --legacy-peer-deps
	- name: Validate required staging env
	run: |
	missing=0
	[ -n "$SOVEREIGN_STAGING_URL" ] || { echo "Missing required var: SOVEREIGN_STAGING_URL"; missing=1; }
	[ -n "$SOVEREIGN_AUTH_TOKEN" ] || { echo "Missing required var: SOVEREIGN_AUTH_TOKEN"; missing=1; }
	[ -n "$AGENT_SYSTEM_SECRET" ] || { echo "Missing required var: AGENT_SYSTEM_SECRET"; missing=1; }
	[ "$missing" -eq 0 ] || exit 1
	- name: Run real E2E
	run: npm run test:tier4
	- name: Upload E2E artifacts
	if: always()
	uses: actions/upload-artifact@v4
	- name: Contract sync check
	- name: Install dependencies
	run: npm install --ignore-scripts --no-fund --legacy-peer-deps
	- name: Contract sync check