KB-C5DF
FIX7 P0 CI Adoption Packet — sample-workflow-stub.yml
Revision 1
FIX7 P0 - CI seal-vs-bytes gate :: SAMPLE WORKFLOW STUB (OFF-PRODUCTION)
STATUS: SAMPLE ONLY. NOT WIRED. NOT INSTALLED. NEVER TRIGGERED BY THIS LANE.
This stub shows how the reference gate WOULD be wired if and when the owner
adopts it (blocker FIX7-P0-PROD-CI-SCOPE-1). Adoption sequence required by
the governed blocker map:
1. owner decides to adopt the gate;
2. operator wires this stub in a THROWAWAY NON-PRODUCTION branch first;
3. the wiring is reviewed there before any production CI wiring.
Deliberate safety properties of the stub itself:
  * trigger is workflow_dispatch ONLY (a human must click; no push/PR/cron
    trigger, so merely committing this file can never run it);
  * no deploy step, no secrets, no environment selection;
  * the gate blocks (exit nonzero) on ANY byte drift vs the seal manifest.

name: fix7-seal-vs-bytes-gate-SAMPLE-NOT-WIRED

on:
  workflow_dispatch: {}   # manual only; intentionally NO push / pull_request / schedule

jobs:
  seal-vs-bytes:
    # Guard rail: refuse to run anywhere but a throwaway wiring-test branch.
    if: ${{ github.ref == 'refs/heads/throwaway-ci-gate-wiring-test' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify sealed bytes (fail-closed)
        run: |
          python3 ci_seal_vs_bytes_gate.py \
            --manifest seal-manifest.sha256 \
            --root .
          # exit nonzero on sha mismatch, byte-length mismatch, unicode /
          # ensure_ascii / BOM / CRLF drift, or missing sealed file
          # -> blocks the merge/deploy this job gates.
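
The fail-closed check that the stub's closing comments describe, as an added sketch: this is not the packet's ci_seal_vs_bytes_gate.py, which this page does not show. The manifest line format "<sha256-hex> <byte-length> <relative-path>", the function names and the script name in the usage string are assumptions made for illustration.

```python
import hashlib
import sys
from pathlib import Path

BOM = b"\xef\xbb\xbf"

def parse_manifest(text):
    # Assumed line format (hypothetical): "<sha256-hex> <byte-length> <relative-path>"
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or len(parts[0]) != 64 or not parts[1].isdigit():
            raise ValueError(f"manifest line {n} is malformed")  # fail closed
        entries.append((parts[0].lower(), int(parts[1]), parts[2]))
    return entries

def verify(manifest_text, root):
    """Return (path, reason, hints) per drifted file; an empty list means all bytes match."""
    root = Path(root).resolve()
    findings = []
    for digest, length, rel in parse_manifest(manifest_text):
        path = (root / rel).resolve()
        if root not in path.parents:
            findings.append((rel, "path escapes root", ()))
        elif not path.is_file():
            findings.append((rel, "missing sealed file", ()))
        else:
            data = path.read_bytes()  # raw bytes: no decoding, no newline translation
            if len(data) != length:
                reason = "byte-length mismatch"
            elif hashlib.sha256(data).hexdigest() != digest:
                reason = "sha mismatch"
            else:
                continue
            # Hints only: which common re-encoding artefacts are present in the drifted bytes.
            hints = tuple(h for h, hit in (("BOM", data.startswith(BOM)),
                                           ("CRLF", b"\r\n" in data)) if hit)
            findings.append((rel, reason, hints))
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: gate.py MANIFEST ROOT")
    drift = verify(Path(sys.argv[1]).read_bytes().decode("utf-8"), sys.argv[2])
    for rel, reason, hints in drift:
        print(f"DRIFT {rel}: {reason} {list(hints)}")
    sys.exit(1 if drift else 0)
```

A malformed manifest raises instead of being skipped, so the process still exits nonzero and the job it gates stays blocked.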