From 62e0a8c2c259497339c1567b34de52ae10795352 Mon Sep 17 00:00:00 2001
From: "marcin p. joachimiak" <4625870+realmarcin@users.noreply.github.com>
Date: Mon, 25 May 2026 19:36:05 -0700
Subject: [PATCH 1/2] Add validate-strict CI workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Locks in the 0-error closed-schema baseline established across PRs #84-#88 so it can't silently regress on future merges. Mirrors the qc.yaml workflow shipped to TraitMech in PR #77 and adapted for the CommunityMech runner conventions. Runs `just validate-strict` + `just audit-writers` + `pytest tests/` on PRs touching kb/communities/, schema, source, scripts, justfile, or this workflow. Uploads the categorized TSV reports as workflow artifacts so reviewers can inspect failures without re-running locally. Deliberately scoped narrower than `just qc` — the existing network-quality.yml handles the network-integrity audit; this new workflow specifically gates closed-schema validation + writer audit + unit tests, which are fast and run on every PR.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.github/workflows/validate-strict.yaml | 59 ++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 .github/workflows/validate-strict.yaml
diff --git a/.github/workflows/validate-strict.yaml b/.github/workflows/validate-strict.yaml
new file mode 100644
index 00000000..9b5ac73f
--- /dev/null
+++ b/.github/workflows/validate-strict.yaml
@@ -0,0 +1,59 @@
+name: validate-strict
+
+on:
+ pull_request:
+ paths:
+ - "kb/communities/**"
+ - "src/communitymech/schema/**"
+ - "src/communitymech/**.py"
+ - "scripts/**.py"
+ - "justfile"
+ - "pyproject.toml"
+ - ".github/workflows/validate-strict.yaml"
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ validate-strict:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: extractions/setup-just@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@v5
+ with:
+ version: "latest"
+ enable-cache: true
+
+ - name: Install dependencies
+ run: uv sync --all-extras
+
+ - name: Run validate-strict (closed-schema LinkML validation)
+ run: just validate-strict
+
+ - name: Run audit-writers
+ run: just audit-writers
+
+ - name: Run tests
+ run: uv run pytest tests/ -q --no-cov
+
+ - name: Upload reports
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: validate-strict-reports-${{ github.run_id }}
+ path: |
+ reports/instance_validation_failures.tsv
+ reports/pipeline_writers_audit.tsv
+ if-no-files-found: warn
From d68df812e001b92b4833bfdd97ab7ef19d7835df Mon Sep 17 00:00:00 2001
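Review bot: Every `uses:` step references a mutable tag (`actions/checkout@v4`, `extractions/setup-just@v3`, `actions/setup-python@v5`, `astral-sh/setup-uv@v5`, `actions/upload-artifact@v4`) and the uv installer is set to `version: "latest"`, so the code executed by this gate can change without any commit to this repository. Pin each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: extractions/setup-just@<FULL_COMMIT_SHA>  # v3`, and set `version:` to a specific uv release so runs are reproducible. Because the later steps execute PR-controlled code (`just` recipes and `pytest`), adding `with: persist-credentials: false` to the checkout step would also keep the job token out of `.git/config`; the top-level `permissions: contents: read` already limits what that token can do.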
From: "marcin p. joachimiak" <4625870+realmarcin@users.noreply.github.com> Date: Mon, 25 May 2026 19:40:26 -0700 Subject: [PATCH 2/2] Address Copilot review on PR #89 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three findings, all addressed: - Path globs: \`**.py\` doesn't actually match nested subdirs in GitHub Actions glob semantics — it behaves like \`*.py\`. Switch to \`**/*.py\` so changes under src/communitymech// (like network/, validators/, embedding/) trigger the workflow. - Push trigger had no \`paths:\` filter, so the workflow ran on every commit to main. Mirror the pull_request path list via a YAML anchor (&trigger_paths + *trigger_paths) so the two stay in sync. - uv sync: switch to \`--frozen --all-extras\` so the workflow fails if uv.lock is stale (instead of silently re-resolving) while keeping the dev/test extras the existing network-quality.yml uses. Also added uv.lock + tests/**/*.py to the trigger paths so dependency and test changes re-run the workflow. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/validate-strict.yaml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate-strict.yaml b/.github/workflows/validate-strict.yaml index 9b5ac73f..8cd053ff 100644 --- a/.github/workflows/validate-strict.yaml +++ b/.github/workflows/validate-strict.yaml @@ -2,16 +2,19 @@ name: validate-strict on: pull_request: - paths: + paths: &trigger_paths - "kb/communities/**" - "src/communitymech/schema/**" - - "src/communitymech/**.py" - - "scripts/**.py" + - "src/communitymech/**/*.py" + - "scripts/**/*.py" + - "tests/**/*.py" - "justfile" - "pyproject.toml" + - "uv.lock" - ".github/workflows/validate-strict.yaml" push: branches: [main] + paths: *trigger_paths workflow_dispatch: permissions: 
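Review bot: With `paths:` now applied to both `pull_request` and `push`, the workflow is skipped for any change outside the list, and GitHub leaves the check of a path-filtered workflow that was skipped in a pending state. If `validate-strict` is meant to be a required status check (branch-protection settings are not visible here), PRs that touch none of these paths would be blocked from merging; if it is not required, the gate is advisory only. The list also admits only `*.py` under `src/communitymech/` outside `schema/`, so a non-Python input there would not trigger a run. It is worth recording the choice next to the anchor, e.g. `# path-filtered: do not mark as a required check; skipped runs stay pending`.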
@@ -37,7 +40,11 @@ jobs: enable-cache: true - name: Install dependencies - run: uv sync --all-extras + # --frozen fails the workflow if uv.lock is stale (don't silently + # re-resolve in CI). --all-extras keeps parity with the existing + # network-quality.yml workflow and ensures pytest + optional deps + # are available for the test step below. + run: uv sync --frozen --all-extras - name: Run validate-strict (closed-schema LinkML validation) run: just validate-strict
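Review bot: The added comment says `--frozen` fails the workflow when `uv.lock` is stale, but `uv sync --frozen` installs from the lockfile as-is without checking it against `pyproject.toml`; the flag that errors on an out-of-date lockfile is `--locked`. As written, a PR that edits `pyproject.toml` without re-locking still passes this step and the tests run against the old resolution. Change the step to `run: uv sync --locked --all-extras` and reword the comment to match. The `steps:` list this entry belongs to starts and continues outside the hunk.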