CI/CD & GitOps Practical By Samson Tanimawo, PhD Published Nov 26, 2025 4 min read

CI as the Default Shape for Engineering

CI runs the full test suite on every PR. That is the norm, not an aspiration.

CI is the default shape

Every change goes through CI before merge. Local pre-commit hooks help; they don't replace CI.

CI catches test failures, type errors, lint issues, vulnerable dependencies and insecure code patterns (via the security scans), and leaked secrets.

Without CI as the default, code quality drifts and trust in main branch erodes.

Standard pipeline shape

Lint and format check.

Unit tests with coverage report.

Integration tests against ephemeral environments.

Build artifact and tag.

Security scan: SCA (Snyk, Dependabot), SAST (CodeQL, Semgrep), secret scan (Gitleaks).

CI speed targets

Lint + unit tests: under 5 minutes.

Full pipeline: under 15 minutes for most changes.

Above 15 minutes, devs context-switch and the feedback loop dies.
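To make the pipeline shape and the speed targets above concrete, here is a small fail-fast stage runner. It is an added example, not code from the original post: stages run in the page's order (cheap checks first, scans before the artifact is built), each stage has a time budget and the whole run has the 15-minute budget, and a timeout or a missing scanner fails the run instead of silently skipping. The tool commands (ruff, pytest, gitleaks, semgrep, docker), the budgets and the use of GITHUB_SHA for the artifact tag are assumptions; swap in your own.

```python
"""ci_run.py: a minimal fail-fast stage runner with per-stage and whole-run
time budgets. Added example, not the page's code; the tool commands, budgets
and the GITHUB_SHA tag source are assumptions."""
import os
import subprocess
import sys
import time
from dataclasses import dataclass

PYTHON = sys.executable  # exposed so stages can be exercised offline via python -c


@dataclass
class Stage:
    name: str
    cmd: list            # argv list, run without a shell
    budget_s: float      # time budget; exceeding it fails the stage


@dataclass
class Result:
    name: str
    ok: bool
    seconds: float
    detail: str = ""


# Artifact tag derived from the commit. GITHUB_SHA is what GitHub Actions sets
# (assumption: a GitHub-hosted pipeline); falls back to "local" when run by hand.
ARTIFACT_TAG = "app:" + os.environ.get("GITHUB_SHA", "local")[:12]

# Same order as the page: cheap checks first, security scans gate the build.
# The tools named here are illustrative choices, not the page's mandate.
DEFAULT_STAGES = [
    Stage("lint", ["ruff", "check", "."], 60),
    Stage("unit", ["pytest", "-q", "--cov", "--cov-report=xml"], 240),
    Stage("secrets", ["gitleaks", "detect", "--no-banner", "--redact"], 60),
    Stage("sast", ["semgrep", "ci"], 300),
    Stage("build", ["docker", "build", "-t", ARTIFACT_TAG, "."], 240),
]


def run_stage(stage):
    """Run one stage; a timeout or a missing tool is a failure, never a skip."""
    start = time.monotonic()
    try:
        proc = subprocess.run(stage.cmd, capture_output=True, text=True,
                              timeout=stage.budget_s)
    except subprocess.TimeoutExpired:
        return Result(stage.name, False, time.monotonic() - start,
                      f"exceeded {stage.budget_s:g}s budget")
    except FileNotFoundError:
        return Result(stage.name, False, time.monotonic() - start,
                      f"tool not installed: {stage.cmd[0]}")
    elapsed = time.monotonic() - start
    tail = (proc.stderr or proc.stdout).strip()[-200:]  # last lines of output
    return Result(stage.name, proc.returncode == 0, elapsed, tail)


def run_pipeline(stages, total_budget_s=900.0):
    """Run stages in order and stop at the first failure. Returns (passed, results).
    total_budget_s defaults to the page's 15-minute target for the whole run."""
    results = []
    start = time.monotonic()
    for stage in stages:
        result = run_stage(stage)
        results.append(result)
        if not result.ok:
            return False, results
        if time.monotonic() - start > total_budget_s:
            results.append(Result("pipeline", False, time.monotonic() - start,
                                  f"exceeded {total_budget_s:g}s total budget"))
            return False, results
    return True, results


if __name__ == "__main__":
    passed, results = run_pipeline(DEFAULT_STAGES)
    for r in results:
        print(f"{'PASS' if r.ok else 'FAIL'} {r.name:<8} {r.seconds:6.1f}s {r.detail}")
    sys.exit(0 if passed else 1)
```

The point of the budgets is that a slow stage is a pipeline defect, not something to wait out: a stage that blows its budget fails the run, which is the only way the under-5-minute and under-15-minute targets get enforced rather than merely hoped for. Commands are passed as argv lists with no shell, so a branch name or tag containing shell metacharacters cannot become an injection into the pipeline.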

Flake handling

Flaky tests destroy CI trust. Quarantine flaky tests within 24 hours of detection.

Track flake rate per test. Above 1% flake rate, fix or delete the test.

Don't auto-retry. Retries hide flakes; the test should pass deterministically or get fixed.
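Tracking the flake rate per test needs a definition of "flake" that separates a flaky test from one that genuinely broke. The script below, an added example and not the post's own tooling, counts a failure as a flake only when the same test also passed on the same commit (same code, different result); a test that fails on every run of a commit is a real failure. The signal comes from runs that legitimately share a SHA (a manual re-run, or the PR and post-merge runs), not from auto-retries inside the pipeline. The JUnit-XML-per-run input format, the sample runs and the test names are constructed assumptions.

```python
"""flake_rate.py: per-test flake rate over a window of CI runs. Added example,
not the page's code; the JUnit-XML-per-run input format and the sample runs are
constructed assumptions."""
from collections import defaultdict
import xml.etree.ElementTree as ET

FLAKE_RATE_LIMIT = 0.01  # the page's 1%: above it, fix or delete the test


def parse_junit(xml_text):
    """Map test_id -> passed (True/False) from one JUnit XML report.
    Skipped cases carry no signal and are left out."""
    outcomes = {}
    for case in ET.fromstring(xml_text).iter("testcase"):
        if case.find("skipped") is not None:
            continue
        test_id = f"{case.get('classname')}::{case.get('name')}"
        failed = case.find("failure") is not None or case.find("error") is not None
        outcomes[test_id] = not failed
    return outcomes


def flake_rates(runs):
    """runs: iterable of (commit_sha, junit_xml). A failure counts as a flake only
    if the same test also passed on the same commit; a test that fails on every
    run of a commit is a real failure, not a flake.
    Returns {test_id: (flake_rate, total_runs)}."""
    by_test = defaultdict(lambda: defaultdict(list))  # test_id -> sha -> [passed, ...]
    for sha, xml_text in runs:
        for test_id, passed in parse_junit(xml_text).items():
            by_test[test_id][sha].append(passed)
    rates = {}
    for test_id, commits in by_test.items():
        total = flaky = 0
        for outcomes in commits.values():
            total += len(outcomes)
            if any(outcomes) and not all(outcomes):  # mixed results on one SHA
                flaky += outcomes.count(False)
        rates[test_id] = (flaky / total, total)
    return rates


def quarantine_candidates(runs, limit=FLAKE_RATE_LIMIT):
    """Tests whose flake rate exceeds the limit, worst first."""
    rates = flake_rates(runs)
    return sorted((t for t, (rate, _) in rates.items() if rate > limit),
                  key=lambda t: -rates[t][0])


def junit_report(results):
    """Build a minimal JUnit XML string from {test_id: passed}.
    Fixture helper for the constructed sample below, not a real report writer."""
    cases = []
    for test_id, passed in results.items():
        classname, name = test_id.split("::")
        body = "" if passed else '<failure message="assert"/>'
        cases.append(f'<testcase classname="{classname}" name="{name}">{body}</testcase>')
    return f'<testsuite tests="{len(cases)}">{"".join(cases)}</testsuite>'


LOGIN = "tests.test_api::test_login"
DB = "tests.test_db::test_migrate"
OK = "tests.test_util::test_ok"

# Constructed sample: commit a1b2c3 ran three times on the same SHA (a manual
# re-run plus the post-merge run) and test_login failed once. Commit d4e5f6 broke
# test_migrate outright: it failed on both runs, so that is not a flake.
SAMPLE_RUNS = [
    ("a1b2c3", junit_report({LOGIN: True, DB: True, OK: True})),
    ("a1b2c3", junit_report({LOGIN: False, DB: True, OK: True})),
    ("a1b2c3", junit_report({LOGIN: True, DB: True, OK: True})),
    ("d4e5f6", junit_report({LOGIN: True, DB: False, OK: True})),
    ("d4e5f6", junit_report({LOGIN: True, DB: False, OK: True})),
]

if __name__ == "__main__":
    for test_id, (rate, n) in sorted(flake_rates(SAMPLE_RUNS).items()):
        print(f"{rate:6.1%} over {n} runs  {test_id}")
    print("quarantine:", quarantine_candidates(SAMPLE_RUNS))
```

On the sample, test_login comes out at 20% and is the only quarantine candidate; test_migrate sits at 0% because its failures are consistent on one commit, which is exactly the case a retry-based "passed on the second try" policy would have buried.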

How to install the discipline

Branch protection: require CI pass before merge. No exceptions.

Make the pipeline visible. Slack notifications for main branch failures.

Run the pipeline on PRs and on main. The commit that lands on main after a merge or rebase is not the commit CI tested on the PR; running on main catches the "works on PR, fails on main" cases that difference produces.