LabVIEW-Community-CI-CD · svelderrainruiz · Mar 22, 2026 · Mar 22, 2026 · Mar 22, 2026 · Mar 22, 2026
@@ -6,30 +6,44 @@ on:
     paths:
       - '.github/workflows/cookiecutter-bootstrap.yml'
       - 'docs/knowledgebase/Cookiecutter-Certification-Scaffolds.md'
+      - 'docs/documentation-manifest.json'
       - 'docs/schemas/comparevi-cookiecutter-*.json'
+      - 'docs/schemas/template-*.json'
       - 'package.json'
       - 'tests/Test-CompareVICookiecutterBootstrap.Tests.ps1'
       - 'tests/New-CompareVICookiecutterScaffold.Tests.ps1'
       - 'tests/fixtures/cookiecutter/*.json'
+      - 'tools/docker/Dockerfile.tools'
       - 'tools/Test-CompareVICookiecutterBootstrap.ps1'
       - 'tools/New-CompareVICookiecutterScaffold.ps1'
       - 'tools/cookiecutter/**'
       - 'tools/policy/comparevi-cookiecutter-templates.json'
+      - 'tools/policy/template-*.json'
+      - 'tools/priority/template-*.mjs'
+      - 'tools/priority/__tests__/template-*.test.mjs'
+      - 'tools/priority/__tests__/template-*-schema.test.mjs'
       - 'tools/priority/__tests__/cookiecutter-bootstrap-workflow.test.mjs'
   push:
     branches: [main]
     paths:
       - '.github/workflows/cookiecutter-bootstrap.yml'
       - 'docs/knowledgebase/Cookiecutter-Certification-Scaffolds.md'
+      - 'docs/documentation-manifest.json'
       - 'docs/schemas/comparevi-cookiecutter-*.json'
+      - 'docs/schemas/template-*.json'
       - 'package.json'
       - 'tests/Test-CompareVICookiecutterBootstrap.Tests.ps1'
       - 'tests/New-CompareVICookiecutterScaffold.Tests.ps1'
       - 'tests/fixtures/cookiecutter/*.json'
+      - 'tools/docker/Dockerfile.tools'
       - 'tools/Test-CompareVICookiecutterBootstrap.ps1'
       - 'tools/New-CompareVICookiecutterScaffold.ps1'
       - 'tools/cookiecutter/**'
       - 'tools/policy/comparevi-cookiecutter-templates.json'
+      - 'tools/policy/template-*.json'
+      - 'tools/priority/template-*.mjs'
+      - 'tools/priority/__tests__/template-*.test.mjs'
+      - 'tools/priority/__tests__/template-*-schema.test.mjs'
       - 'tools/priority/__tests__/cookiecutter-bootstrap-workflow.test.mjs'
   workflow_dispatch:
 
@@ -64,11 +78,124 @@ jobs:
         shell: bash
         run: npm ci
 
+      - name: Resolve pinned template dependency policy
+        id: template-policy
+        shell: bash
+        run: |
+          set -euo pipefail
+          node <<'NODE' >> "$GITHUB_OUTPUT"
+          const fs = require('fs');
+          const policy = JSON.parse(fs.readFileSync('tools/policy/template-dependency.json', 'utf8'));
+          console.log(`repository=${policy.templateRepositorySlug}`);
+          console.log(`ref=${policy.templateReleaseRef}`);
+          console.log(`cookiecutter_version=${policy.cookiecutterVersion}`);
+          console.log(`container_image=${policy.container.image}`);
+          console.log(`execution_plane=${policy.container.executionPlane}`);
+          console.log(`default_context_path=${policy.rendering.defaultContextPath}`);
+          NODE
+
       - name: Setup Python
         uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 
+      - name: Build local tools image for cookiecutter conveyor
+        if: ${{ matrix.runner == 'ubuntu-latest' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          docker build -f tools/docker/Dockerfile.tools -t comparevi-tools:cookiecutter .
+
+      - name: Render pinned template dependency in the tools container
+        if: ${{ matrix.runner == 'ubuntu-latest' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          proof_root="tests/results/_agent/cookiecutter-bootstrap/${{ matrix.proof_id }}"
+          mkdir -p "$proof_root"
+          node tools/npm/run-script.mjs priority:template:render:container -- \
+            --workspace-root "$GITHUB_WORKSPACE/$proof_root/container-workspaces" \
+            --lane-id "cookiecutter-bootstrap-${{ matrix.proof_id }}" \
+            --run-id "${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.proof_id }}" \
+            --container-image comparevi-tools:cookiecutter \
+            --output "$proof_root/template-cookiecutter-container.json"
+          generated_root="$(node -e "const fs=require('fs'); const receipt=JSON.parse(fs.readFileSync('$proof_root/template-cookiecutter-container.json','utf8')); const generatedRoot = receipt.result.hostProjectDir || receipt.result.projectDir; if (!generatedRoot) { process.exit(1); } process.stdout.write(generatedRoot);")"
+          test -n "$generated_root"
+          test -f "$generated_root/README.md"
+          test -f "$generated_root/.github/workflows/validate.yml"
+          grep -q 'Hosted Linux consumer lane' "$generated_root/.github/workflows/validate.yml"
+          grep -q 'Hosted Windows consumer lane' "$generated_root/.github/workflows/validate.yml"
+          cat > "$proof_root/pinned-template-dependency.json" <<JSON
+          {
+            "schema": "priority/template-dependency@v1",
+            "repository": "${{ steps.template-policy.outputs.repository }}",
+            "ref": "${{ steps.template-policy.outputs.ref }}",
+            "cookiecutterVersion": "${{ steps.template-policy.outputs.cookiecutter_version }}",
+            "executionPlane": "hosted-ubuntu-container",
+            "containerImage": "comparevi-tools:cookiecutter",
+            "renderOutputRoot": "$generated_root"
+          }
+          JSON
+
+      - name: Verify pinned template dependency on Windows
+        if: ${{ matrix.runner == 'windows-latest' }}
+        shell: pwsh
+        run: |
+          $proofRoot = "tests/results/_agent/cookiecutter-bootstrap/${{ matrix.proof_id }}"
+          $renderRoot = Join-Path $proofRoot 'pinned-template-render'
+          New-Item -ItemType Directory -Force -Path $renderRoot | Out-Null
+          $context = Get-Content -LiteralPath '${{ steps.template-policy.outputs.default_context_path }}' -Raw | ConvertFrom-Json
+          python -m pip install --quiet "cookiecutter==${{ steps.template-policy.outputs.cookiecutter_version }}"
+          python -m cookiecutter "https://github.com/${{ steps.template-policy.outputs.repository }}.git" `
+            --checkout "${{ steps.template-policy.outputs.ref }}" `
+            --no-input `
+            --output-dir $renderRoot `
+            project_name="$($context.project_name)" `
+            repo_slug="$($context.repo_slug)" `
+            github_owner="$($context.github_owner)" `
+            default_branch="$($context.default_branch)" `
+            license_holder="$($context.license_holder)" `
+            copyright_year="$($context.copyright_year)"
+          $generatedRoot = Get-ChildItem -Directory $renderRoot | Select-Object -First 1
+          if (-not $generatedRoot) {
+            throw 'Cookiecutter did not generate an output directory.'
+          }
+          $required = @(
+            'AGENTS.md',
+            'README.md',
+            'LICENSE',
+            '.gitignore',
+            'docs/COMPAREVI_PLATFORM_INTEGRATION.md',
+            'docs/CONSUMER_PROVING_RAIL.md',
+            '.github/ISSUE_TEMPLATE/config.yml',
+            '.github/ISSUE_TEMPLATE/work-item.yml',
+            '.github/workflows/validate.yml'
+          )
+          foreach ($relativePath in $required) {
+            $candidate = Join-Path $generatedRoot.FullName $relativePath
+            if (-not (Test-Path -LiteralPath $candidate)) {
+              throw "Missing rendered file: $relativePath"
+            }
+          }
+          $workflowPath = Join-Path $generatedRoot.FullName '.github/workflows/validate.yml'
+          $workflowContent = Get-Content -LiteralPath $workflowPath -Raw
+          foreach ($snippet in @('feature/*', 'hotfix/*', 'release/*', 'Hosted Linux consumer lane', 'Hosted Windows consumer lane')) {
+            if ($workflowContent -notlike "*$snippet*") {
+              throw "Generated workflow is missing required snippet: $snippet"
+            }
+          }
+          @(
+            [ordered]@{
+              schema = 'priority/template-dependency@v1'
+              repository = '${{ steps.template-policy.outputs.repository }}'
+              ref = '${{ steps.template-policy.outputs.ref }}'
+              cookiecutterVersion = '${{ steps.template-policy.outputs.cookiecutter_version }}'
+              executionPlane = 'hosted-windows-verification'
+              containerImage = $null
+              renderOutputRoot = $generatedRoot.FullName
+            }
+          ) | ConvertTo-Json -Depth 5 | Set-Content -Encoding utf8 (Join-Path $proofRoot 'pinned-template-dependency.json')
+
       - name: Run cookiecutter bootstrap proof
         shell: pwsh
         run: |
@@ -86,3 +213,77 @@ jobs:
             tests/results/_agent/cookiecutter-bootstrap/${{ matrix.proof_id }}
             tests/results/_agent/cookiecutter-scaffolds/bootstrap-proof/${{ matrix.proof_id }}
           if-no-files-found: error
+
+  template-agent-verification:
+    name: Template Agent Verification / template-agent-verification
+    runs-on: ubuntu-latest
+    needs: bootstrap-proof
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Download Linux bootstrap artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: cookiecutter-bootstrap-linux
+          path: tests/results/_agent
+
+      - name: Download Windows bootstrap artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: cookiecutter-bootstrap-windows
+          path: tests/results/_agent
+
+      - name: Resolve pinned template dependency policy
+        id: template-policy
+        shell: bash
+        run: |
+          set -euo pipefail
+          node <<'NODE' >> "$GITHUB_OUTPUT"
+          const fs = require('fs');
+          const policy = JSON.parse(fs.readFileSync('tools/policy/template-dependency.json', 'utf8'));
+          console.log(`repository=${policy.templateRepositorySlug}`);
+          console.log(`ref=${policy.templateReleaseRef}`);
+          console.log(`cookiecutter_version=${policy.cookiecutterVersion}`);
+          console.log(`container_image=${policy.container.image}`);
+          NODE
+
+      - name: Write template agent verification report
+        shell: bash
+        run: |
+          set -euo pipefail
+          generated_root="$(node -e "const fs=require('fs'); const path=require('path'); const receipt=JSON.parse(fs.readFileSync('tests/results/_agent/cookiecutter-bootstrap/linux/template-cookiecutter-container.json','utf8')); let generatedRoot = receipt.result.hostProjectDir || receipt.result.projectDir; const projectDir = receipt.result.projectDir; const containerOutputRoot = receipt.run.containerOutputRoot; if (projectDir && containerOutputRoot && projectDir.startsWith(containerOutputRoot + '/')) { const relativeProjectDir = projectDir.slice(containerOutputRoot.length + 1).split('/').filter(Boolean); generatedRoot = path.join('tests','results','_agent','cookiecutter-bootstrap','linux','container-workspaces', receipt.run.laneId, receipt.run.runToken, 'output', ...relativeProjectDir); } if (!generatedRoot) { process.exit(1); } process.stdout.write(generatedRoot);")"
+          node tools/npm/run-script.mjs priority:template:agent:verify -- \
+            --iteration-label "cookiecutter-bootstrap-${GITHUB_RUN_ID}" \
+            --iteration-ref "${GITHUB_REF_NAME:-${GITHUB_SHA}}" \
+            --iteration-head-sha "${GITHUB_SHA}" \
+            --verification-status pass \
+            --provider hosted-github-workflow \
+            --run-url "https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \
+            --template-repo "${{ steps.template-policy.outputs.repository }}" \
+            --template-version "${{ steps.template-policy.outputs.ref }}" \
+            --template-ref "${{ steps.template-policy.outputs.ref }}" \
+            --cookiecutter-version "${{ steps.template-policy.outputs.cookiecutter_version }}" \
+            --execution-plane hosted-ubuntu-container \
+            --container-image comparevi-tools:cookiecutter \
+            --generated-consumer-workspace-root "$generated_root" \
+            --lane-id logical-lane-template-verification \
+            --agent-id Darwin \
+            --funding-window-id heuristic-default
+
+      - name: Upload template verification report
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v5
+        with:
+          name: template-agent-verification-${{ github.run_id }}
+          path: tests/results/_agent/promotion/template-agent-verification-report.json
+          if-no-files-found: error
@@ -16,6 +16,11 @@ on:
         required: false
         default: ''
         type: string
+      consumer_issue_repo:
+        description: 'Consumer repository slug (owner/repo) for hardening issues'
+        required: false
+        default: ''
+        type: string
       started_at:
         description: 'Optional onboarding start timestamp (ISO-8601 UTC)'
         required: false
@@ -47,13 +52,16 @@ jobs:
       GH_TOKEN: ${{ github.token }}
       DOWNSTREAM_REPO: ${{ inputs.downstream_repo }}
       DOWNSTREAM_BRANCH: ${{ inputs.downstream_branch }}
+      DOWNSTREAM_CONSUMER_ISSUE_REPO: ${{ inputs.consumer_issue_repo || vars.DOWNSTREAM_CONSUMER_ISSUE_REPO }}
       DOWNSTREAM_STARTED_AT: ${{ inputs.started_at }}
       DOWNSTREAM_CREATE_ISSUES: ${{ inputs.create_hardening_issues || 'false' }}
       DOWNSTREAM_FAIL_ON_GAP: ${{ inputs.fail_on_gap || 'false' }}
       DOWNSTREAM_PILOT_REPO: ${{ vars.DOWNSTREAM_PILOT_REPO }}
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
@@ -64,6 +72,35 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Resolve pinned template dependency policy
+        id: template-policy
+        shell: bash
+        run: |
+          set -euo pipefail
+          node <<'NODE' >> "$GITHUB_OUTPUT"
+          const fs = require('fs');
+          const policy = JSON.parse(fs.readFileSync('tools/policy/template-dependency.json', 'utf8'));
+          console.log(`repository=${policy.templateRepositorySlug}`);
+          console.log(`ref=${policy.templateReleaseRef}`);
+          console.log(`cookiecutter_version=${policy.cookiecutterVersion}`);
+          console.log(`execution_plane=${policy.container.executionPlane}`);
+          NODE
+
+      - name: Resolve immutable upstream source
+        id: source
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch --no-tags origin '+refs/heads/develop:refs/remotes/upstream/develop'
+          resolved="$(git rev-parse upstream/develop)"
+          if [ "$resolved" != "$GITHUB_SHA" ]; then
+            echo "Workflow head does not match upstream/develop."
+            echo "resolved=$resolved"
+            echo "head=$GITHUB_SHA"
+            exit 1
+          fi
+          echo "source_sha=$resolved" >> "$GITHUB_OUTPUT"
+
       - name: Run downstream onboarding feedback harness
         id: feedback
         continue-on-error: true
@@ -108,6 +145,12 @@ jobs:
             args+=(--started-at "${DOWNSTREAM_STARTED_AT}")
           fi
           if [ "${DOWNSTREAM_CREATE_ISSUES}" = "true" ]; then
+            issue_repo="${DOWNSTREAM_CONSUMER_ISSUE_REPO}"
+            if [ -z "$issue_repo" ]; then
+              echo "Consumer hardening issue target is not configured. Set workflow input consumer_issue_repo or repo variable DOWNSTREAM_CONSUMER_ISSUE_REPO." >&2
+              exit 1
+            fi
+            args+=(--issue-repo "$issue_repo")
             args+=(--create-hardening-issues)
           fi
           if [ "${DOWNSTREAM_FAIL_ON_GAP}" = "true" ]; then
@@ -149,6 +192,29 @@ jobs:
           fi
           node tools/npm/run-script.mjs "${args[@]}"
 
+      - name: Generate downstream promotion manifest
+        if: ${{ always() }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          node tools/priority/downstream-promotion-manifest.mjs \
+            --source-sha '${{ steps.source.outputs.source_sha }}' \
+            --comparevi-tools-release 'develop@${{ steps.source.outputs.source_sha }}' \
+            --comparevi-history-release 'not-evaluated:onboarding-feedback' \
+            --scenario-pack-id 'downstream-onboarding-feedback@v1' \
+            --cookiecutter-template-id '${{ steps.template-policy.outputs.repository }}@${{ steps.template-policy.outputs.ref }}' \
+            --proving-scorecard-ref tests/results/_agent/promotion/downstream-develop-promotion-scorecard.json \
+            --actor '${{ github.actor }}' \
+            --output tests/results/_agent/promotion/downstream-develop-promotion-manifest.json
+
+      - name: Validate downstream promotion manifest schema
+        if: ${{ always() && hashFiles('tests/results/_agent/promotion/downstream-develop-promotion-manifest.json') != '' }}
+        run: |
+          set -euo pipefail
+          node tools/npm/run-script.mjs schema:validate -- \
+            --schema docs/schemas/downstream-promotion-manifest-v1.schema.json \
+            --data tests/results/_agent/promotion/downstream-develop-promotion-manifest.json
+
       - name: Validate onboarding report schema
         if: ${{ always() && hashFiles('tests/results/_agent/onboarding/downstream-onboarding.json') != '' }}
         run: |
@@ -182,12 +248,13 @@ jobs:
             --data tests/results/_agent/promotion/template-agent-verification-report.json
 
       - name: Build downstream promotion scorecard
-        if: ${{ always() && hashFiles('tests/results/_agent/onboarding/downstream-onboarding-success.json') != '' && hashFiles('tests/results/_agent/onboarding/downstream-onboarding-feedback.json') != '' }}
+        if: ${{ always() && hashFiles('tests/results/_agent/onboarding/downstream-onboarding-success.json') != '' && hashFiles('tests/results/_agent/onboarding/downstream-onboarding-feedback.json') != '' && hashFiles('tests/results/_agent/promotion/downstream-develop-promotion-manifest.json') != '' }}
         run: |
           set -euo pipefail
           node tools/priority/downstream-promotion-scorecard.mjs \
             --success-report tests/results/_agent/onboarding/downstream-onboarding-success.json \
             --feedback-report tests/results/_agent/onboarding/downstream-onboarding-feedback.json \
+            --template-agent-verification-report tests/results/_agent/promotion/template-agent-verification-report.json \
             --manifest-report tests/results/_agent/promotion/downstream-develop-promotion-manifest.json \
             --output tests/results/_agent/promotion/downstream-develop-promotion-scorecard.json