CI path filtering for artifact-only commits

Pipeline artifact saves (scope, plan, spec, contract, build-report, verify-report) and work completions push to main but only touch `.ana/` files. Every push triggers the full GitHub Actions test matrix — 6 test runners + 1 website check — against completely unchanged source code. 36% of the last 50 CI runs (18 of 50) were triggered by artifact-only commits. The pre-commit hook already skips these correctly; GitHub Actions does not.

verdict PASSscore 8 / 8findings 3 (0 risk · 1 debt · 2 obs)duration 46mrejection cycles 0shipped May 8, 2026

Pipeline timeline

Intent to proven code in 46m across Think, Plan, Build, and Verify.

Think
25m
Plan
8m
Build
1m
Verify
3m

Assertion ledger

8 claims, each independently verified.

IDSaysMatcher
A001Artifact-only pushes to main skip the CI test suiteverifiedok
A002Agent metadata pushes to main skip the CI test suiteverifiedok
A003Artifact-only pull requests skip the CI test suiteverifiedok
A004Agent metadata pull requests skip the CI test suiteverifiedok
A005The push trigger still targets main and staging branchesverifiedok
A006The pull request trigger still targets main and staging branchesverifiedok
A007Website changes are not ignored by CIverifiedok
A008The release workflow is untouchedverifiedok

Findings 3 total

obs.github/workflows/test.ymlclosed
paths-ignore is workflow-level — website job also skips on .ana/.claude-only commits
obsclosed
Branch protection required checks may block .ana/.claude-only PRs — accepted risk per spec
debt.github/workflows/test.ymlclosed
staging branch in trigger list is a no-op — branch does not exist on remote

Integrity seal

scopesha256:9318dde0c2925...
contractsha256:f5e79bcdd55d9...
plansha256:a9b6fc90b2266...
specsha256:829772be2dac8...
build-reportsha256:f57a7e73e0adf...
build-datasha256:7b7fe5f4f09e1...
verify-reportsha256:ecb69882ddc5e...
verify-datasha256:4cc25d194d651...
audit cmd$ ana proof audit ci-artifact-path-ignore   → all hashes match