feat(ci): integrate no-runner-git-commit hook into shared CI gate #304

Closed
JacobPEvans wants to merge 1 commit into main from feat/wire-no-runner-git-commit

Conversation

@JacobPEvans
Owner

Summary

Layer 5 (CI half) of the 8-PR signed-commits initiative. Wires the
check-no-runner-git-commit.sh hook (added in the companion PR over in
JacobPEvans/ai-assistant-instructions) into the shared CI gate so
every consumer repo catches the violation during PR validation, not
just locally via pre-commit.

Changes

  • New: .github/workflows/_no-runner-git-commit.yml — a reusable
    workflow that sparse-checks out the hook script from
    JacobPEvans/ai-assistant-instructions@main and runs it against the
    caller repo. Single source of truth: the script lives there; this
    workflow just transports it.
  • Modified: .github/workflows/_ci-gate.yml
    • new input toggle no_runner_git_commit (bool, default false — opt-in per consumer)
    • new filter convention github_actions documented in the file header
    • new job no-runner-git-commit, gated on (toggle && filter)
    • added to gate.needs and allowed-skips

What the hook catches

See the companion PR for the full allowlist. TL;DR: any raw
git commit / git push in .github/workflows/*.yml or
.github/actions/**/action.yml outside of:

  • Contents API calls (gh api repos/.../contents/...)
  • peter-evans/create-pull-request
  • The canonical SSH-signing wrapper (_ai-action-with-signing.yml)
  • Markdown bodies passed to gh pr/issue create / actions/github-script

Why a reusable workflow (not an inline job)

Consistent with the existing pattern in this repo — every conditional
check (_nix-validate.yml, _markdown-lint.yml, _file-size.yml,
_python-security.yml) is its own reusable workflow that _ci-gate.yml
calls. Keeps _ci-gate.yml declarative, isolates concurrency groups,
and lets repos that don't use _ci-gate.yml call the check directly.

Test plan

  • actionlint clean on both modified files
  • check-yaml pre-commit hook passes on both
  • Default false — no consumer gets the check until they opt in (no surprise CI breakage)
  • Git commit signature verified (git log -1 --format='%G?' prints G)

Companion PR

JacobPEvans/ai-assistant-instructions#632: feat(hooks): block raw git commit/push in workflow YAML

Assisted-by: Claude <noreply@anthropic.com>

Adds `_no-runner-git-commit.yml` (a reusable workflow that sparse-checks
out `scripts/check-no-runner-git-commit.sh` from
ai-assistant-instructions and runs it against the calling repo) and
wires it into `_ci-gate.yml` as a new gated check:

  - new input toggle: `no_runner_git_commit` (bool, default false)
  - new filter convention: `github_actions` (paths under
    `.github/workflows/**` and `.github/actions/**`)
  - new job: `no-runner-git-commit`, gated on `(toggle && filter)`
  - added to `gate.needs` and `allowed-skips`

This is Layer 5 of the 8-PR signed-commits initiative. The hook catches
raw `git commit` / `git push` in workflow / composite-action YAML so
contributors who haven't installed pre-commit locally still get the
violation surfaced in PR checks before merge. Three canonical
alternatives surface in the failure message:

  1. `_ai-action-with-signing.yml` (SSH signing for AI-driven workflows)
  2. `actions/github-script` + Contents API (deterministic content)
  3. `peter-evans/create-pull-request@v8` with `sign-commits: true`

The hook itself ships from JacobPEvans/ai-assistant-instructions (see
companion PR). actionlint clean on both modified files.

Assisted-by: Claude <noreply@anthropic.com>
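A simplified, line-level re-implementation of the check the PR description and commit message describe, added here as an illustration; it is not the project's check-no-runner-git-commit.sh (which lives in the companion PR and is not shown on this page). The allowlist regexes, the scope patterns, the comment handling and the sample workflow are all assumptions constructed for the example.

```python
import re

# Raw git write operations the hook looks for in runner-side YAML.
RAW_GIT = re.compile(r"\bgit\s+(?:commit|push)\b")
# Line-level allowlist approximating the page's list (assumption: the real hook's list is in the companion PR).
ALLOWED = (
    re.compile(r"\bgh\s+api\b.*\brepos/.*/contents/"),  # Contents API calls
    re.compile(r"peter-evans/create-pull-request"),      # signed-commit PR action
    re.compile(r"_ai-action-with-signing\.yml"),          # SSH-signing wrapper
    re.compile(r"\bgh\s+(?:pr|issue)\s+create\b"),        # markdown bodies
)
# Scope: .github/workflows/*.yml and .github/actions/**/action.yml
IN_SCOPE = (
    re.compile(r"^\.github/workflows/[^/]+\.ya?ml$"),
    re.compile(r"^\.github/actions/(?:[^/]+/)+action\.ya?ml$"),
)


def in_scope(path: str) -> bool:
    """True only for workflow YAML and composite-action manifests."""
    return any(p.match(path) for p in IN_SCOPE)


def find_violations(text: str) -> list[tuple[int, str]]:
    """(line number, stripped line) per raw git commit/push not allowlisted."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") or not RAW_GIT.search(line):
            continue  # YAML comment, or no raw git write on this line
        if not any(p.search(line) for p in ALLOWED):
            hits.append((no, stripped))
    return hits


def scan_repo(files: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Scan a {path: contents} mapping; out-of-scope files are skipped."""
    return {p: v for p, t in files.items() if in_scope(p) and (v := find_violations(t))}


# Constructed sample (not from the page): comment, raw and allowlisted cases.
SAMPLE_FILES = {
    ".github/workflows/release.yml": (
        "name: release\non: push\njobs:\n  bump:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n"
        "      # git push in a comment must not count\n"
        "      - run: |\n          git config user.name bot\n"
        '          git commit -am "bump version"\n          git push origin HEAD\n'
        '      - run: gh api repos/${{ github.repository }}/contents/VERSION -X PUT -f message="git commit via API"\n'
        "      - uses: peter-evans/create-pull-request@v8\n"
        "        with:\n          sign-commits: true\n"
    ),
    "scripts/deploy.sh": "git push origin main\n",  # out of scope, skipped
}
```

Running scan_repo(SAMPLE_FILES) flags only lines 11 and 12 of the workflow; the comment, the Contents API call and the out-of-scope shell script are not reported.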
Copilot AI review requested due to automatic review settings May 12, 2026 21:48
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

Contributor

Copilot AI left a comment


Pull request overview

Adds an opt-in, reusable CI check to enforce the “no raw git commit / git push from runners” rule across consumer repos by wiring a shared hook into the existing _ci-gate.yml pattern.

Changes:

  • Added a new reusable workflow (_no-runner-git-commit.yml) that fetches and runs the central check-no-runner-git-commit.sh hook against the caller repo.
  • Extended _ci-gate.yml with a no_runner_git_commit boolean toggle plus a new github_actions filter output to conditionally run the new check.
  • Updated Merge Gate aggregation (needs + allowed-skips) to include the new conditional job.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  File                                          Description
  .github/workflows/_no-runner-git-commit.yml   New reusable workflow that checks out the caller repo, pulls the central hook script via sparse checkout, and runs it in CI.
  .github/workflows/_ci-gate.yml                Adds an opt-in toggle and filter convention, wires the new check into the conditional-job and merge-gate aggregation pattern.


@JacobPEvans
Owner Author

Closing — this wires the script from #632 which was rejected as overkill. Source-side fixes in #26 (planetscale/ghcommit-action for the profile workflows) plus the SSH-signing composite in JacobPEvans/ai-workflows#214 cover every commit path natively without needing the CI gate this PR wires.
