Identity-Boundary CI Gate
The drift-detector required check runs
tests/sync/test_diagnose.py::TestCanonicalRegistryRecognition on every PR
against main. It catches drift between the canonical registries in this
repo and the consumer-recognition contract that
spec-kitty-end-to-end-testing#41 closed over an 8-RC peeling cycle
(rc14 -> rc22). Workflow file:
.github/workflows/drift-detector.yml.
This is one of three coordinated CI gates tracked under
#1247:
drift-detectorhere (this repo).cross-repo-harness-testsinspec-kitty-events- workflow.github/workflows/cross-repo-harness-tests.yml.identity-boundary-canaryinspec-kitty-saas- workflow.github/workflows/canary-gate.yml.
This repo's drift-detector pins no external SHA. It only runs an in-repo
test. The sibling repos' workflows pin a specific commit of
Priivacy-ai/spec-kitty-end-to-end-testing; see each sibling's README
Identity-Boundary CI Gate section for the SHA-bump procedure.
Admin Action
After this gate merges, a repo admin must register the check as required on
main:
- Open https://github.com/Priivacy-ai/spec-kitty/settings/branches.
- Edit the rule for
main. - Under "Require status checks to pass before merging", add the exact name
drift-detector. - Save.
Until that step is done, the workflow still runs on every PR but its red status does not block merge.