CI template: helix verify gate (fail closed)
This is the copy/paste merge gate that makes CI explicitly say:
“CI will not accept this result unless Helix verifies it.”
It is intentionally minimal and uses the canonical refusal fixture:
fixtures/golden_failing_bundle_v1/.
What it gates
On every PR (and on pushes to protected branches), CI must:
- run tests/test_golden_failing_bundle_v1.py
- verify fixtures/golden_failing_bundle_v1/run_ok → verdict=PASS
- verify fixtures/golden_failing_bundle_v1/run_blocked → verdict=FAIL and a non-zero exit code
- verify fixtures/golden_failing_bundle_v1/divergence_proof/manifest.json → verdict=PASS
Required secrets
None.
Required branch protection check
Require this status check name (GitHub derives it from workflow/job):
helix verify gate / verify
Do not allow bypass if you want the gate to mean anything.
Local run
python -m pytest -q tests/test_golden_failing_bundle_v1.py
helix verify fixtures/golden_failing_bundle_v1/run_ok --json-out /tmp/verify_run_ok.json
helix verify fixtures/golden_failing_bundle_v1/run_blocked --json-out /tmp/verify_run_blocked.json ; echo $?
helix verify fixtures/golden_failing_bundle_v1/divergence_proof/manifest.json --json-out /tmp/verify_divergence.json
JSON contract for the gate
When --json-out is provided, helix verify must always emit a top-level field:
- verdict: one of PASS, FAIL, INCOMPLETE
CI should treat a missing or unknown verdict (including output it cannot parse as JSON) as INCOMPLETE and fail closed.
Reason codes are a first-class contract: see docs/ci/verify_reason_codes.md.
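The fail-closed mapping above, as an added example (not part of the Helix project or this template): a small Python gate script that reads each --json-out file, treats anything that is not a JSON object with a known verdict as INCOMPLETE, and compares verdict and exit code against the three fixture expectations listed under "What it gates". The only contract it relies on is what this page states (top-level verdict, non-zero exit for run_blocked); the sample JSON strings are constructed for offline testing, and a zero exit code for a PASS verdict is an assumption.

```python
"""Fail-closed gate over helix verify --json-out results (added example)."""
import json
import subprocess
import sys
from pathlib import Path

VERDICTS = {"PASS", "FAIL", "INCOMPLETE"}

# Fixture -> (expected verdict, expect non-zero exit), taken from the gate description.
GATE = [
    ("fixtures/golden_failing_bundle_v1/run_ok", "PASS", False),
    ("fixtures/golden_failing_bundle_v1/run_blocked", "FAIL", True),
    ("fixtures/golden_failing_bundle_v1/divergence_proof/manifest.json", "PASS", False),
]

# Constructed sample outputs for offline testing; not real helix output.
SAMPLE_PASS = '{"verdict": "PASS"}'
SAMPLE_FAIL = '{"verdict": "FAIL"}'
SAMPLE_NO_VERDICT = '{"status": "ok"}'     # verdict field missing
SAMPLE_UNKNOWN = '{"verdict": "ok"}'       # verdict outside the contract
SAMPLE_BAD_JSON = '{"verdict": "PASS"'     # truncated / unparseable


def read_verdict(json_text):
    """Map a --json-out document to a verdict, failing closed.

    Missing file content, invalid JSON, a non-object document, a missing
    verdict, or a verdict outside PASS/FAIL/INCOMPLETE all become INCOMPLETE.
    """
    try:
        doc = json.loads(json_text)
    except (ValueError, TypeError):
        return "INCOMPLETE"
    if not isinstance(doc, dict):
        return "INCOMPLETE"
    verdict = doc.get("verdict")
    if not isinstance(verdict, str) or verdict not in VERDICTS:
        return "INCOMPLETE"
    return verdict


def check_result(json_text, exit_code, expected_verdict, expect_nonzero):
    """Return (ok, reason). ok only when both verdict and exit code match."""
    verdict = read_verdict(json_text)
    if verdict != expected_verdict:
        return False, f"verdict={verdict}, expected {expected_verdict}"
    if expect_nonzero and exit_code == 0:
        return False, "expected a non-zero exit code for a FAIL verdict"
    if not expect_nonzero and exit_code != 0:
        # Assumption: a PASS verdict comes with exit code 0.
        return False, f"unexpected exit code {exit_code} for verdict {verdict}"
    return True, f"verdict={verdict} exit={exit_code}"


def run_gate(helix=("helix",), out_dir="/tmp"):
    """Run all fixtures through the real CLI; return the number of failed checks."""
    failures = 0
    for target, expected, expect_nonzero in GATE:
        out = Path(out_dir) / (Path(target).stem + ".verify.json")
        if out.exists():
            out.unlink()  # never reuse a stale result from a previous run
        proc = subprocess.run([*helix, "verify", target, "--json-out", str(out)],
                              capture_output=True, text=True)
        # A missing output file reads as "" and therefore as INCOMPLETE.
        text = out.read_text() if out.exists() else ""
        ok, reason = check_result(text, proc.returncode, expected, expect_nonzero)
        print(f"{'ok  ' if ok else 'FAIL'} {target}: {reason}")
        failures += 0 if ok else 1
    return failures


if __name__ == "__main__":
    sys.exit(1 if run_gate() else 0)
```

Invoke it as a single CI step after the pytest run; its exit status is the gate, so a verdict that is missing, malformed or merely unexpected (a FAIL fixture that somehow returns exit 0) fails the job rather than passing by accident.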