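# CI — foundation self-checks (T14). Runs on the foundation's own runner, in the
# baked foundation-ci image (VERSIONS IMAGE_CI; force_pull:false → local image).
# These two jobs are self-contained (checkout + toolchain only) — no stack state or
# secrets needed, so they gate every push. The stack-state-dependent pipelines
# (pulumi preview, backup-verify) live in their own files and need CI secrets +
# a state fetch (see those workflows' headers).
#
# NOTE(review): both jobs execute repository-controlled code (preflight.sh, the
# workspace install, tsc) on the foundation's own runner, and `pull_request` is a
# trigger. Confirm that pull requests from outside contributors cannot start
# these jobs without approval, or that the runner is isolated from the stack.
name: CI

on:
  push:
  pull_request:

jobs:
  # Checks that the required tools exist in the image and meet the VERSIONS pins.
  preflight:
    runs-on: docker
    container:
      # NOTE(review): `latest` is a mutable tag. Per the header it resolves to the
      # locally baked image; tagging the image with its VERSIONS IMAGE_CI value
      # would make the image a run used traceable. Confirm against the bake step.
      image: foundation-ci:latest
    steps:
      # NOTE(review): `v4` is a movable tag. Pinning to the full commit SHA of the
      # reviewed release would stop a retagged action from running here unnoticed.
      - uses: actions/checkout@v4
      - name: Toolchain preflight (tools present + >= VERSIONS pins)
        run: ./preflight/preflight.sh tools versions

  # Type-checks the bootstrap workspace without emitting build output.
  typecheck:
    runs-on: docker
    container:
      # Same image and the same mutable-tag caveat as the preflight job.
      image: foundation-ci:latest
    steps:
      # Same movable-tag caveat as the checkout step in the preflight job.
      - uses: actions/checkout@v4
      - name: Install workspace deps
        # The lockfile is what pins dependency versions for this job. The earlier
        # `|| bun install` fallback re-resolved dependencies whenever the lockfile
        # was missing or out of sync, and the job still passed. Fail instead, so
        # drift is fixed by committing an updated lockfile.
        run: bun install --frozen-lockfile
      - name: Typecheck bootstrap (tsc --noEmit)
        working-directory: bootstrap
        run: bunx tsc --noEmit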