From 6b89411cbfafd5f66f8b79e522622f0ede74b05f Mon Sep 17 00:00:00 2001
From: Nathan Gillett <nathan@intentproof.io>
Date: Sat, 30 May 2026 16:05:21 -0500
Subject: [PATCH] Simplify CI to build and test only

Drop DCO, CodeQL, deps-scan, and coverage gate from GitHub Actions.
---
 .github/workflows/ci.yml        | 24 +++--------
 .github/workflows/codeql.yml    | 71 ---------------------------------
 .github/workflows/dco.yml       | 41 -------------------
 .github/workflows/deps-scan.yml | 58 ---------------------------
 4 files changed, 5 insertions(+), 189 deletions(-)
 delete mode 100644 .github/workflows/codeql.yml
 delete mode 100644 .github/workflows/dco.yml
 delete mode 100644 .github/workflows/deps-scan.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2e1e87d..805dd3d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs:
     name: "IntentProof CI: Build and Test"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Checkout spec repository
         uses: actions/checkout@v4
@@ -20,28 +20,14 @@ jobs:
           ref: main
           path: intentproof-spec
 
-      - name: Ensure spec sdk-signing golden checkout
-        run: |
-          if [[ -d intentproof-spec/golden/sdk-signing ]]; then
-            exit 0
-          fi
-          git -C intentproof-spec fetch origin phase3-ecosystem-conformance
-          git -C intentproof-spec checkout FETCH_HEAD
-
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
 
       - name: Install dependencies
-        run: |
-          pip install -e ".[dev]"
-
-      - name: Run tests with coverage
-        env:
-          INTENTPROOF_SPEC_DIR: intentproof-spec
-        run: bash ./scripts/run-coverage-gate.sh
+        run: pip install -e ".[dev]"
 
-      - name: Verify sdk-signing fixtures synced with spec
+      - name: Run tests
         env:
           INTENTPROOF_SPEC_DIR: intentproof-spec
-        run: bash ./scripts/check-sdk-signing-fixtures-sync.sh
+        run: python3 -m pytest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 9ff9692..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: codeql
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: "0 6 * * 1"
-
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
-jobs:
-  allowlist-expiry:
-    name: "IntentProof Security: CodeQL Allowlist"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Validate allowlist expiry dates
-        run: bash ./scripts/check-codeql-allowlist.sh
-
-  gitleaks:
-    name: "IntentProof Security: Secret Scan"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Install gitleaks
-        run: |
-          curl -sSfL \
-            "https://github.com/gitleaks/gitleaks/releases/download/v8.24.2/gitleaks_8.24.2_linux_x64.tar.gz" \
-            | tar -xz
-          sudo install -m 755 gitleaks /usr/local/bin/gitleaks
-
-      - name: Run gitleaks
-        run: gitleaks detect --source . --config .gitleaks.toml --verbose --redact
-
-  analyze:
-    name: "IntentProof Security: CodeQL (${{ matrix.language }})"
-    needs: allowlist-expiry
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [python]
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-python@v6
-        with:
-          python-version: "3.11"
-
-      - name: Install package for CodeQL
-        run: pip install -e ".[dev]"
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
-        with:
-          languages: ${{ matrix.language }}
-          queries: security-and-quality
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
-        with:
-          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
deleted file mode 100644
index 1e83fd1..0000000
--- a/.github/workflows/dco.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: dco
-
-on:
-  pull_request:
-
-jobs:
-  check:
-    name: "IntentProof CI: DCO"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Require Signed-off-by trailer on every commit
-        run: |
-          base="${{ github.event.pull_request.base.sha }}"
-          head="${{ github.event.pull_request.head.sha }}"
-          fail=0
-          for sha in $(git rev-list "$base".."$head"); do
-            body=$(git log -1 --format=%B "$sha")
-            author_email=$(git log -1 --format=%ae "$sha")
-            soby=$(echo "$body" | grep -oE '^Signed-off-by: .+ <.+@.+>$' || true)
-            if [ -z "$soby" ]; then
-              echo "Commit $sha is missing a Signed-off-by trailer." >&2
-              fail=1
-            else
-              soby_email=$(echo "$soby" | grep -oE '<.+@.+>' | tr -d '<>')
-              if [ "$soby_email" != "$author_email" ]; then
-                echo "Commit $sha: Signed-off-by email ($soby_email) does not match author email ($author_email)." >&2
-                fail=1
-              fi
-            fi
-          done
-          if [[ $fail -ne 0 ]]; then
-            echo "" >&2
-            echo "All commits in this PR must be signed off via the DCO." >&2
-            echo "See CONTRIBUTING.md. Use 'git commit -s' or amend with 'git commit --amend -s'." >&2
-            exit 1
-          fi
-          echo "PASS: all commits carry Signed-off-by trailers."
diff --git a/.github/workflows/deps-scan.yml b/.github/workflows/deps-scan.yml
deleted file mode 100644
index efcdb49..0000000
--- a/.github/workflows/deps-scan.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: deps-scan
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: "0 7 * * 1"
-
-permissions:
-  contents: read
-
-jobs:
-  allowlist-expiry:
-    name: "IntentProof Security: Deps Allowlist"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Validate dependency allowlist expiry dates
-        run: bash ./scripts/check-deps-allowlist.sh
-
-  pip-audit:
-    name: "IntentProof Security: pip-audit"
-    needs: allowlist-expiry
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-python@v6
-        with:
-          python-version: "3.11"
-
-      - name: Install package and pip-audit
-        run: pip install -e ".[dev]" pip-audit
-
-      - name: Run pip-audit
-        run: pip-audit --desc on
-
-  osv-scanner:
-    name: "IntentProof Security: OSV-Scanner"
-    needs: allowlist-expiry
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-python@v6
-        with:
-          python-version: "3.11"
-
-      - name: Materialize Python lockfile for OSV
-        run: |
-          pip install -e ".[dev]"
-          pip freeze --exclude-editable > requirements-osv.txt
-
-      - name: Run OSV-Scanner gate
-        run: bash ./scripts/run-osv-scanner-gate.sh . .osv-scanner.toml requirements-osv.txt