Build + Deploy ran in parallel with CI's lint/test/loc, so a deploy could ship
even when CI failed. Gate Build + Deploy on CI success via workflow_run, and
add per-service change detection so only affected services rebuild and only
relevant lint/test jobs run on PRs.
- scripts/detect-changes.sh: shared diff helper that emits per-service +
aggregate flags from a BASE_SHA diff; falls back to "rebuild all" when the
base is missing or unreachable
- ci.yaml: detect-changes job runs first; loc-budget, *-lint, *-build, and
test-* jobs gate on the relevant outputs
- build-push-deploy.yml: triggered via workflow_run on CI completion; diff
base is the last-build/main git tag, force-pushed by a new mark-last-build
job after each green run (handles multi-commit pushes, force pushes, and
the "all skipped" case)
- check-loc.sh: exclude Office/binary extensions (xlsm, docx, pptx, zip,
tar, gz) so binary docs aren't counted as source
- loc-exceptions.txt: grandfather two existing >500 LOC files
(tender_handlers.go, DecisionTreeWizard.tsx) as Phase 5+ backlog
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror the pitch-deck pattern: each service builds its Docker image,
pushes to registry.meghsakha.com/breakpilot/compliance-*, then triggers
orca redeploy via HMAC-signed webhook.
Requires secrets: REGISTRY_USERNAME, REGISTRY_PASSWORD, ORCA_WEBHOOK_SECRET
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sharang Parnerkar