feat: drift checker CI integration (Phase 2 Session C)

[TMHSDigital]

Summary

Phase 2 Session C ships the CI infrastructure for the agent-file drift checker built in Sessions A and B. After this lands, the checker runs automatically on schedule, on demand, and whenever checker code or standards change.

What's in the box

Composite action (.github/actions/drift-check/action.yml): reusable by both meta-repo and tool-repo workflows. Inputs: mode (self/all), format, github-token, update-sticky-issue, python-version, meta-repo-ref, caller-path. Outputs: exit-code, error-count, warning-count, sticky-issue-action. Tag-pinned (@v1.7) for tool-repo consumers per design Q9.

Meta-repo orchestration workflow (.github/workflows/drift-check.yml): all four triggers per Decision 5:

• push to main (path-gated to checker code, standards, registry)
• schedule weekly Monday 13:00 UTC
• workflow_dispatch for on-demand
• pull_request to guard the checker against regressions

Token resolution uses ${{ secrets.DRIFT_CHECK_TOKEN || secrets.GITHUB_TOKEN }}.

Sparse-checkout snapshot (snapshot.py): new build_remote_snapshot(repo_slug, ..., gh_token, owner=...). Uses git clone --filter=blob:none --sparse --depth 1, immediately scrubs the token from .git/config post-clone, sparse-sets only the four agent-file paths, cleans the tempdir on every exit path including errors. Common logic shared with build_local_snapshot via _build_snapshot_from_path so both produce byte-identical snapshots given identical content.

Sticky-issue upsert (report/issue.py): implements the Q1-resolved reopen-on-drift state machine. Marker-based identification (<!-- drift-check-sticky-issue-v1 -->) so the issue is locatable across runs even if the title is human-edited. Five terminal actions: created / updated / reopened / closed / no_op. info-only findings are intentionally non-blocking (no sticky issue raised).

CLI flags: --remote OWNER/REPO (repeatable, defaults to TMHSDigital), --all (expands registry.json active entries), --gh-token (with $DRIFT_CHECK_TOKEN / $GITHUB_TOKEN env fallback), --update-sticky-issue, --sticky-issue-repo.

Token setup doc (docs/drift-check-token-setup.md): scopes, creation walk-through, rotation guidance, fallback behavior. Linked from CONTRIBUTING.md.

Tests: 32 new tests across 4 files (snapshot remote, issue upsert state machine, CLI flag wiring, action.yml structural shape). Total suite now 157 passed + 1 skipped (the integration test gated on DRIFT_CHECK_INTEGRATION_TOKEN).

Local dogfood (run before opening this PR)

Ran the checker against all 9 active registry repos via --local (the same code path the composite action uses minus the runner shell):

$ python scripts/drift_check/cli.py --local E:\CFX-Developer-Tools ... [9 repos]
{'errors': 261, 'warnings': 62, 'infos': 0}
repos: 9

261 version-signal errors are the expected drift baseline — tool repos carry 1.6.3, meta-repo is now 1.7.2. Session D (v1.7.x rollout) clears these.

Also exercised --format gh-summary writing to $GITHUB_STEP_SUMMARY: 395-line GitHub-flavored markdown report rendered correctly.

Constraint: workflow_dispatch dogfood is post-merge

workflow_dispatch (and pull_request) cannot trigger a workflow that does not yet exist on the default branch. GitHub Actions registers workflows on default-branch presence, so the very first run of drift-check.yml has to wait for this PR to merge. This is a structural GitHub limitation, not a defect in this PR. The local dogfood above exercises every line of the checker code that the composite action runs.

After merge, the first run will be triggered manually:

gh workflow run drift-check.yml --repo TMHSDigital/Developer-Tools-Directory

If anything is broken at the runner level, the workflow can be disabled or fixed in a follow-up PR — the file is inert until something invokes it.

Test plan

• 157 unit tests passing (composite action shape parsed, sparse-checkout subprocess shape verified, all 5 sticky-issue states covered, CLI flag parsing covered)
• Local --local dogfood across all 9 active repos: 261 errors, 62 warnings (matches design prediction)
• --format gh-summary writes a valid step summary file
• No linter errors on touched files
• Post-merge: trigger workflow_dispatch, verify step summary, verify sticky issue created with marker

VERSION

1.7.1 -> 1.7.2 (PATCH). CI infrastructure addition does not change the checker's behavior or tool-repo obligations, so PATCH is appropriate (the design doc's MINOR criterion is "tool repos need to re-align"; this PR does not require any tool-repo change).

Phase 2 progress

• Session A: core library (v1.7.0)
• Session B: additional checks + policy data (v1.7.1)
• Session C: CI integration (v1.7.2 — this PR)
• Session D: tool-repo validate.yml integration + v1.7.x signal rollout

See #1.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/drift-check.yml

Package	Version	License	Issue Type
actions/checkout	5.*.*	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	5.*.*	🟢 5.7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/drift-check.yml