From b63a57b327b98979ea3762e7ad278f9cbb0ea346 Mon Sep 17 00:00:00 2001 From: ndycode Date: Tue, 10 Mar 2026 16:45:23 +0800 Subject: [PATCH 1/2] ci(actions): add dedicated pull request workflow --- .github/workflows/ci.yml | 9 +++----- .github/workflows/pr-ci.yml | 45 +++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/pr-ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e3c4f0b9..98cef1f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,8 +3,6 @@ name: CI on: push: branches: [main] - pull_request: - branches: [main] jobs: test: @@ -23,7 +21,7 @@ jobs: uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} - cache: 'npm' + cache: npm - name: Install dependencies run: npm ci @@ -52,7 +50,6 @@ jobs: lint: name: Lint - runs-on: ubuntu-latest steps: @@ -63,7 +60,7 @@ jobs: uses: actions/setup-node@v4 with: node-version: 20.x - cache: 'npm' + cache: npm - name: Install dependencies run: npm ci @@ -83,7 +80,7 @@ jobs: uses: actions/setup-node@v4 with: node-version: 20.x - cache: 'npm' + cache: npm - name: Install dependencies run: npm ci diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml new file mode 100644 index 00000000..3c978160 --- /dev/null +++ b/.github/workflows/pr-ci.yml 
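Review bot: Dropping the `pull_request` trigger in the first hunk of ci.yml means the `test` job's Node matrix (`node-version: ${{ matrix.node-version }}`) no longer runs before merge, while the replacement pr-ci.yml added in this patch installs only `node-version: 20.x`. A regression specific to another matrix version would then first surface on the push to main. If that is intended, a comment above `on:` such as `# PR validation lives in pr-ci.yml; this workflow runs post-merge on main only` would record it; otherwise pr-ci.yml should carry the same matrix. Any branch-protection rule that requires the old job names as status checks would presumably also need updating to `PR Validation`, which the diff cannot show.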
@@ -0,0 +1,45 @@ +name: PR CI + +on: + pull_request: + branches: [main] + +concurrency: + group: pr-ci-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + validate: + name: PR Validation + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: 20.x + cache: npm + + - name: Install dependencies + run: npm ci + + - name: Repository hygiene check + run: npm run clean:repo:check + + - name: Run type check + run: npm run typecheck + + - name: Run ESLint + run: npm run lint + + - name: Run tests + run: npm test + + - name: Build + run: npm run build From 0aae5a0b48f372007ade3a29a49493334c465802 Mon Sep 17 00:00:00 2001 From: ndycode Date: Tue, 10 Mar 2026 17:01:15 +0800 Subject: [PATCH 2/2] ci(actions): add PR audit parity checks --- .github/workflows/pr-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml index 3c978160..daccaa95 100644 --- a/.github/workflows/pr-ci.yml +++ b/.github/workflows/pr-ci.yml @@ -29,6 +29,12 @@ jobs: - name: Install dependencies run: npm ci + - name: Security audit (CI policy) + run: npm run audit:ci + + - name: Lockfile floor guard + run: npm run test -- test/lockfile-version-floor.test.ts + - name: Repository hygiene check run: npm run clean:repo:check
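Review bot: The `Checkout code` step in the new pr-ci.yml keeps the default credential persistence, so the job token stays in the local git config while `npm ci` and the pull request's own scripts (`npm test`, `npm run build`) execute. The workflow-level `permissions: contents: read` already limits that token, but nothing later in the job appears to need git access, so adding `with:` / `persist-credentials: false` under `uses: actions/checkout@v4` removes the exposure. Both `actions/checkout@v4` and `actions/setup-node@v4` are referenced by a movable tag; pinning each to a full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`) would keep the executed action code fixed between runs.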
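Review bot: Both steps added in PATCH 2/2 run through files the pull request itself can edit (`audit:ci` is resolved from the `package.json` scripts and the floor guard is `test/lockfile-version-floor.test.ts`), so a change that weakens either one still passes its own gate. They work as a regression check, but relying on them as a security control depends on review of those paths, for example a CODEOWNERS entry covering `package.json`, the lockfile, `test/lockfile-version-floor.test.ts` and `.github/workflows/`. The steps also sit after `npm ci`, so dependency install scripts have already executed by the time the audit reports; whether the audit could run first depends on what `audit:ci` invokes, which is not visible here. The `steps:` list this hunk extends starts and ends outside the hunk.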