Deploy & Ops
Gate agent-authored changes in CI: verify the committed tree not the working tree, reproduce the deploy's install and type gate exactly, and fail fast on drift.
Use this for a repo where agents (or fast human iteration) push changes and you want CI to catch what passes locally but breaks the deploy, before it reaches production.
An agent leaves an in-progress file unstaged, then commits code that imports it. Local checks pass (the file is on disk); CI checks out only the commit and fails. So the gate must test the committed tree, which a fresh checkout does by definition. Do not run checks against a dirty runner.
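The unstaged-file failure described above can be reproduced before pushing by running the gate against an export of HEAD instead of the working directory. This is an added example, not part of the original skill; the function names `verify_committed_tree` and `uncommitted_paths` are assumptions made for illustration.

```sh
# Added example: run a gate against the committed tree (HEAD), not the working tree.
# Function names are illustrative; the gate command is whatever the deploy runs.

# List paths whose on-disk state differs from HEAD: untracked files plus
# tracked files with staged or unstaged changes. These are the files that
# can make a local check pass while a fresh checkout fails.
uncommitted_paths() {
  git -C "$1" status --porcelain --untracked-files=all | cut -c4-
}

# Export HEAD into an empty temp directory and run the gate command there.
# Exit status is the gate's own status, or 125 if HEAD could not be exported.
# The body runs in a subshell so the cd and variables do not leak to the caller.
verify_committed_tree() (
  repo=$1; shift
  tmp=$(mktemp -d) || exit 125
  if git -C "$repo" archive --format=tar HEAD | tar -x -C "$tmp"; then
    # Only committed files exist in $tmp, exactly like a fresh CI checkout.
    ( cd "$tmp" && "$@" ) && status=0 || status=$?
  else
    status=125
  fi
  rm -rf "$tmp"
  exit "$status"
)

# Usage from a repo root, with the page's install and type gate:
#   verify_committed_tree . sh -c 'pnpm install --frozen-lockfile && pnpm typecheck' \
#     || uncommitted_paths .
```

When the gate fails in the export but passes locally, the paths printed by `uncommitted_paths` are the first place to look.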
Match the deploy's install and gate, or CI will disagree with production:
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }
      - run: pnpm install --frozen-lockfile   # surfaces lockfile drift + blocked build scripts
      - run: pnpm typecheck                   # the SAME gate the deploy runs
      - run: pnpm build
--frozen-lockfile fails on lockfile drift instead of silently updating, and surfaces ERR_PNPM_IGNORED_BUILDS when a dependency's build script is not approved (pnpm 11 blocks them by default; the approval list is allowBuilds: in pnpm-workspace.yaml).
If the deploy's gate is tsc --noEmit or a native preview, run that, not just next build, which does not fail on every type error.
Run pnpm lint:ox (or your fast linter) as its own quick step so a lint error is not buried in a slow build.
Cache the pnpm store (cache: pnpm) so installs are quick; never cache node_modules across lockfile changes.
actions/checkout plus an unpinned pnpm install (not frozen) hides the exact drift the deploy will hit. Freeze the lockfile.
next build passing is not proof the type gate passes. Run the gate the deploy runs.
A missing pnpm-workspace.yaml allowBuilds: entry means CI installs clean but the deploy hard-fails on ignored build scripts. Reproduce the install with --frozen-lockfile so CI catches it first.
Added 2026-07-01.