Note 2026-07-03

Consolidating SecureVault's CI/CD workflows

Why I deleted two workflow files, pinned every CI tool, and replaced a fake deploy gate with a real Checks API verification.

SecureVault had four workflow files with overlapping responsibilities. That produced duplicate security scans, a manually dispatchable zombie plan workflow, and a deploy job whose “verification” step was just an echo.

What changed

Deleted

Updated .github/workflows/ci.yml

All CI now runs through one file. Tool versions are pinned for deterministic builds:

Rewrote .github/workflows/deploy.yml

The old verify job printed a reminder and exited cleanly no matter what CI actually showed. I replaced it with a job that queries the GitHub Checks API for the latest main commit and fails the workflow if any required check is red. Only when verification passes does the deploy job run terraform apply and deploy the Cloud Function.

Why it matters

Consolidation removes duplicate CI runs and conflicting status checks. Pinning tools prevents surprise breakages from @master/@main drift. A real deployment gate means the pipeline enforces safety instead of relying on a human remembering to check CI first.

Commit: 4de87ee