Skip to content

CI and automation

This page is the single map of every automated pipeline in the shieldkit repository. Human contributors and Cursor agents should start here when asking “what runs when?” or “why did this workflow fail?”.

Related deep-dives:

Overview

mermaid
flowchart TB
  subgraph merge_gate["Merge gate (every push / PR)"]
    CI["CI — lint, test, build, docs, audit, pack"]
    DOCS["Docs — VitePress deploy check"]
    CODEQL["CodeQL — security analysis"]
    LABEL["Labeler — PR labels"]
    AICOMPAT_PR["AI SDK Compatibility — when src/deps change"]
  end

  subgraph weekly["Weekly (Monday UTC)"]
    DEP["Dependabot 06:00 — opens PRs"]
    AICOMPAT["AI SDK Compatibility 08:00 — drift + matrix"]
  end

  subgraph nightly["Nightly"]
    RED["Red Team 04:00 — Ollama adversarial"]
  end

  DEP --> AICOMPAT
  AICOMPAT -->|drift + latest passes| ISSUE_D["Issue: ai-sdk-drift"]
  AICOMPAT -->|latest fails| ISSUE_F["Issue: ai-sdk-compat-failure"]

Workflow reference

WorkflowFileTriggerBlocks merge?Purpose
CIci.ymlPush / PR to mainYesFull quality gate + build + docs + npm pack --dry-run
AI SDK Compatibilityai-sdk-compat.ymlWeekly Mon 08:00 UTC, PR (deps/src/tests), manualYes on PR when triggeredLockfile vs ai@latest; typecheck + test + build matrix
Docsdocs.ymlPush / PR (docs paths)Yes when triggeredVitePress build / GitHub Pages
CodeQLcodeql.ymlPush / PR / scheduleAdvisoryStatic security analysis
Red Teamredteam.ymlDaily 04:00 UTC, manualNo (continue-on-error)Live Ollama injection prompts
Labelerlabeler.ymlPR opened / syncNoAuto-labels (ci, tests, documentation, …)
Publishpublish.ymlPush tag v*, manualN/A (release)npm OIDC publish + GitHub Release from CHANGELOG

Dependabot (dependabot.yml) is not a workflow but opens PRs weekly (Monday 06:00 UTC). The ai-sdk group bundles ai and @ai-sdk/*; those PRs should pass CI and AI SDK Compatibility.

CI (merge gate)

File: .github/workflows/ci.yml
Node: 22
Concurrency: one run per ref; PRs cancel in-progress runs.

StepCommandWhat it proves
Installnpm ciReproducible lockfile
Quality gatenpm run ciLint (0 warnings), Prettier, tsc, Vitest (163 tests), full-tree npm audit
Librarynpm run builddist/ compiles via tsup
Documentationnpm run docs:buildVitePress links and MD valid
Package tarballnpm pack --dry-runnpm publish surface = dist + README + LICENSE

npm run ci includes tests/adversarial/ but not tests/redteam/ (see Running tests).

AI SDK Compatibility

File: .github/workflows/ai-sdk-compat.yml
Why: shieldkit is tightly coupled to Vercel AI SDK v6 (LanguageModelV3 middleware). New ai releases can break types or middleware contracts before consumers upgrade.

Jobs

JobWhat it does
Version drift reportRuns scripts/check-ai-sdk-version.mjs; writes a summary table (lockfile, npm latest, peer range, drift yes/no)
Compatibility matrixTwo parallel legs: pinned lockfile (npm ci) and latest on npm (npm install ai@latest); each runs typecheck, test:run, build
Weekly notifyScheduled only: opens a GitHub issue when drift is detected (latest passes) or when the matrix fails (latest breaks)

Outcomes (scheduled run)

SituationWorkflow resultMaintainer action
Lockfile = latest, all greenPassNone
Lockfile < latest, matrix greenPass + optional ai-sdk-drift issueMerge Dependabot PR or npm install ai@latest --save-dev
ai@latest matrix redFail + ai-sdk-compat-failure issueFix forward compatibility in src/ / tests; read AI SDK releases
Pinned matrix redFailFix regression on current pin (same as broken main)

PR triggers

Runs when a PR touches:

  • package.json, package-lock.json
  • src/**, tests/**
  • scripts/check-ai-sdk-version.mjs, workflow or Dependabot config

Local equivalents

bash
npm run check:ai-sdk                    # drift report (human-readable)
npm run check:ai-sdk -- --strict        # exit 1 if lockfile < latest
npm run check:ai-sdk -- --json          # machine-readable
npm run verify:ai-sdk-latest            # full typecheck + test + build on latest

After verify:ai-sdk-latest, run npm ci to restore the lockfile pin.

Full policy: Dependency policy.

Red Team (advisory)

File: .github/workflows/redteam.yml
Schedule: daily 04:00 UTC
Merge impact: none (continue-on-error: true, REDTEAM_STRICT=0)

Installs Ollama on the runner, pulls llama3.2, runs npm run test:redteam. Uploads test-results/ artifacts when present.

Locally, default REDTEAM_STRICT=1 hard-fails on unblockable injection prompts. See Security assurance report.

Docs deployment

File: .github/workflows/docs.yml
Builds VitePress with VITEPRESS_BASE set for GitHub Pages project sites. Details: DEPLOYMENT.md.

CodeQL

File: .github/workflows/codeql.yml
JavaScript/TypeScript analysis on src/. Results appear in the GitHub Security tab.

Publish (npm)

File: .github/workflows/publish.yml
Trigger: push tag v* (or manual workflow_dispatch)
Auth: npm trusted publishing (OIDC) — requires one-time setup on npmjs.com

Runs the same quality gate as CI, builds dist/, verifies npm pack --dry-run, then npm publish. On tag push, also extracts the matching CHANGELOG section and creates a GitHub Release automatically.

Full setup (trusted publisher form fields, release checklist): npm publishing.

Dependabot groups

GroupPackagesSchedule
ai-sdkai, @ai-sdk/*Weekly Mon 06:00 UTC
testingvitestWeekly
typescript-and-buildtypescript, tsup, esbuildWeekly
linting-and-formattingeslint, prettierWeekly
docsvitepressWeekly
security-updatesany (security advisories)As needed

Labels (automation)

LabelSourceMeaning
dependenciesDependabot / drift issuesDependency change
ai-sdk-driftAI SDK Compatibility (scheduled)Latest passes; lockfile can be bumped
ai-sdk-compat-failureAI SDK Compatibility (scheduled)Latest ai breaks the test matrix
automatedDrift / compat issuesBot-opened reminder

PR labels from labeler.yml: ci, dependencies, documentation, code, tests, examples, security.

Maintainer checklist

Every PR

  • [ ] CI green
  • [ ] AI SDK Compatibility green (if workflow ran on the PR)

After merging an ai bump

  • [ ] npm run ci locally
  • [ ] Scan AI SDK changelog
  • [ ] Update CHANGELOG.md if peer or middleware behavior changed

Weekly (optional)

  • Review Actions → AI SDK Compatibility summary
  • Triage open ai-sdk-drift / ai-sdk-compat-failure issues
  • Merge grouped Dependabot PRs when green