
ci: harden the structured ci-gate workflow stack #4083

Merged
PerishCode merged 7 commits into main from codex/ci-gate-hardening
Jun 11, 2026

@PerishCode

Contributor

Why

I needed to turn the new ci-gate stack into something the repository can actually trust as the future PR check entrypoint, instead of leaving it at design-only status. The immediate pain here was that the new ci-* workflows still needed real proof that they could absorb the old gate semantics, survive self-hosted runner transport issues, and support the intended hosted fallback path before we can switch repository rules over.

This PR hardens that new stack so the CI gate itself is no longer the risky part of the migration. It gives us a structured result contract, a thin aggregator, verified fallback behavior, and enough runtime timing detail to understand hotspots later without coupling gate correctness to workflow logs.

What users will see

There is no end-user product surface change. For maintainers and contributors, the repository gains a new ci-gate workflow stack that can serve as the future PR check entrypoint, with a self-hosted default path, a hosted nix|full path, structured aggregation, and a verified hosted fallback flow.

Surface area

  • UI — new page / dialog / panel / menu item / setting / empty state in apps/web or apps/desktop (including Electron menu bar)
  • Keyboard shortcut — new or changed
  • CLI / env var — new od subcommand or flag, new tools-dev / tools-pack / tools-pr flag, or new OD_* env var
  • API / contract — new /api/* endpoint, new SSE event, or changed shape in packages/contracts
  • Extension point — new entry under skills/, design-systems/, design-templates/, or craft/, or change to the skills protocol
  • i18n keys — added new translation keys (see TRANSLATIONS.md for the locale workflow)
  • New top-level dependency — adding any new entry to the root package.json (dependencies or devDependencies); workspace-package package.json files are out of scope. Include a paragraph on what we get vs. what bytes we ship (see CONTRIBUTING.md → Code style)
  • Default behavior change — changes what existing users experience without opting in (default model, default setting, file/SQLite schema, auto-network on startup, auto-install)
  • None — internal refactor, docs, tests, or translation update only

Screenshots

N/A

Bug fix verification

Validation

  • bash -n .github/workflows/scripts/ci-gate.sh .github/workflows/scripts/ci/lib.sh .github/workflows/scripts/ci/actions/*.sh
  • git diff --check
  • Manual GitHub Actions validation on codex/ci-gate-hardening:
    • ci-runner 27261360550 verified structured-log fallback behavior when self-hosted artifact upload hit ECONNRESET
    • ci-hosted mode=nix 27261360728 verified the default hosted nix lane and structured result artifact
    • ci-gate 27261371310 verified action-level aggregation and runner log fallback
    • ci-hosted mode=full 27262247348 verified hosted full fallback on the current head
    • ci-gate 27263628637 verified explicit fallback aggregation with failed runner + successful hosted full
    • ci-gate 27263701318 verified workflow_dispatch run-id inference without explicit target_sha / target_event
    • ci-hosted mode=nix 27266573824 verified timing-enabled structured results with per-step steps[]
    • ci-runner 27267280361 and ci-hosted mode=full 27267280362 verified comparative timing output across runner and hosted

PerishCode requested a review from a team as a code owner June 10, 2026 10:34
lefarcen added the size/XL (PR changes 700-1500 lines) label Jun 10, 2026
lefarcen requested a review from Siri-Ray June 10, 2026 10:38
lefarcen added the risk/high (High risk: apps/desktop, daemon, auth, migration, workflows, package deps) and type/chore (CI / build / config / tooling) labels Jun 10, 2026

@Siri-Ray Siri-Ray left a comment

Contributor

Thanks for pushing this CI gate hardening through, @PerishCode. I reviewed the changed workflow stack, the shell action wrappers, and the TypeScript aggregator, and also smoke-tested the aggregator locally against the successful runner/hosted validation pair. I found one merge-safe robustness regression around preserving structured results when a command hangs.

🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.

Comment thread .github/workflows/scripts/ci/lib.sh Outdated
Generated-By: looper 0.9.5 (runner=fixer, agent=codex)
@PerishCode

Contributor Author

Looper fixer round complete 2be21d7

  • ✅ Review comment on .github/workflows/scripts/ci/lib.sh (@Siri-Ray) — thread
    • Updated .github/workflows/scripts/ci/lib.sh so ci_gate_timed_step wraps each command with timeout using CI_GATE_STEP_TIMEOUT_SECONDS defaulting to 600. Timed-out commands now return non-zero after writing the step timing entry as a failure.

🔁 Powered by Looper · runner=fixer · agent=codex · An autonomous AI dev team for your GitHub repos.
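
The timeout behaviour described in the fixer comment above, as an added sketch that is not the repository's `lib.sh`: only the names `ci_gate_timed_step` and `CI_GATE_STEP_TIMEOUT_SECONDS` (default 600) come from the thread. The steps file `CI_GATE_STEPS_FILE`, its JSON fields and the 5-second kill grace period are assumptions, and GNU `timeout` is assumed.

```shell
#!/usr/bin/env bash
# Added illustration, not the repository's lib.sh. Only ci_gate_timed_step and
# CI_GATE_STEP_TIMEOUT_SECONDS (default 600) come from the PR thread; the steps
# file, its JSON fields and the kill grace period are assumptions.

CI_GATE_STEPS_FILE="${CI_GATE_STEPS_FILE:-./ci-gate-steps.jsonl}"  # assumed path

ci_gate_timed_step() {
  local name="$1"; shift
  local limit="${CI_GATE_STEP_TIMEOUT_SECONDS:-600}"
  local start end rc=0 status=success timed_out=false

  start=$(date +%s)
  # "|| rc=$?" keeps a failing step from aborting the script under `set -e`
  # before its entry is written. -k 5 sends SIGKILL if SIGTERM is ignored.
  timeout -k 5 "$limit" "$@" || rc=$?
  end=$(date +%s)

  if [ "$rc" -ne 0 ]; then status=failure; fi
  # GNU timeout exits 124 when the limit is hit and 137 when it had to follow
  # up with SIGKILL (a command SIGKILLed for another reason also yields 137).
  case "$rc" in 124|137) timed_out=true ;; esac

  # Step names are fixed literals chosen by the caller, so no JSON escaping here.
  printf '{"name":"%s","status":"%s","timed_out":%s,"exit_code":%d,"seconds":%d}\n' \
    "$name" "$status" "$timed_out" "$rc" "$((end - start))" >> "$CI_GATE_STEPS_FILE"
  return "$rc"
}
```

Because the entry is appended before the function returns, a hung command still leaves a failure record for the aggregator instead of an absent step.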

@Siri-Ray Siri-Ray left a comment

Contributor

@PerishCode I reviewed the updated ci-gate workflow stack on the current head, including the new runner/hosted workflow wiring, the shell action wrappers, the step timeout restoration in ci/lib.sh, and the TypeScript result aggregator. I also checked the prior timeout feedback against this head, ran shell syntax validation, git diff --check, inspected the live workflow check failure log, and did a local stubbed smoke test that confirmed ci-gate.sh emits the structured result file plus OD_CI_RESULTS_JSON marker. I did not find any actionable correctness issues in the changed ranges; thanks for tightening up the CI gate transport and fallback path.

🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.

Generated-By: looper 0.9.5 (runner=fixer, agent=codex)

@Siri-Ray Siri-Ray left a comment

Contributor

@PerishCode I reviewed the current ci-gate hardening head, including the new actionlint install path, the runner/hosted workflow wiring, the structured result script, per-action shell wrappers, timeout handling, artifact/log fallback parsing, and aggregation behavior. I also checked the prior timeout feedback against this head and ran local shell syntax plus diff whitespace validation. I did not find any actionable correctness issues in the changed ranges; thanks for continuing to tighten this CI gate path.

🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.

Generated-By: looper 0.9.5 (runner=fixer, agent=codex)

@Siri-Ray Siri-Ray left a comment

Contributor

@PerishCode I reviewed the current ci-gate hardening head, including the pull request target SHA alignment, runner/hosted workflow wiring, structured result generation, per-action shell wrappers, timeout handling, artifact/log fallback parsing, and the TypeScript aggregation path. I also checked the prior timeout feedback against this head, ran local shell syntax validation, node --check for the aggregator, git diff --check, and inspected the live check state; I did not find any actionable correctness issues in the changed ranges. Thanks for continuing to harden this CI gate path and for keeping the fallback behavior verifiable.

🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.

PerishCode added this pull request to the merge queue Jun 11, 2026
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jun 11, 2026
PerishCode added this pull request to the merge queue Jun 11, 2026
Merged via the queue into main with commit c4a030f Jun 11, 2026
18 checks passed