Verification Metadata
- Route: /transparency/dependency-ci/
- Last verified:
- Next review due:
- Verification scope: npm package policy, lockfile behavior, GitHub Actions workflows, and release-gate documentation.
- Previous version: Dependency and CI/CD Governance before the June 2026 tooling update
June 2026 CI/CD Tooling Update
This page now links to the complete CI/CD Tooling and Release Governance article. That article documents local hooks, public-health gates, release-ledger promotion, production receipts, and portability work in one place.
npm Dependency Policy
PayCal uses a lockfile-first dependency policy for JavaScript tooling and browser automation checks.
- Install mode for automation: npm ci only (frozen lockfile install).
- Lockfile source of truth: package-lock.json is required for deterministic CI installs.
- Declared package manifest: package.json defines the lint, smoke, and accessibility command surfaces.
- Override controls: dependency overrides are declared in package.json to pin selected transitive risk points.
If npm ci reports a mismatch between package.json and package-lock.json, the lockfile is updated intentionally in a dedicated maintenance change before CI reruns.
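As an added example (not PayCal's own tooling), the script below performs the kind of offline check that the lockfile-first policy above relies on. It reports the manifest/lockfile range mismatches that make npm ci abort, and goes further than npm ci does by flagging resolved packages that lack a sha512 integrity hash, that resolve to a registry other than an assumed allowed one, or whose resolved version contradicts an exact-version override. The manifest and lockfile it runs on are constructed samples, the allowed registry URL is an assumed policy value, and the npm v7+ lockfile layout (lockfileVersion 2 or 3 with a "packages" map) is assumed.

```javascript
// Added example: offline audit of a package.json / package-lock.json pair
// against a lockfile-first policy. Not part of PayCal's tooling; the sample
// manifest and lockfile below are constructed for illustration. Assumes an
// npm v7+ lockfile (lockfileVersion 2 or 3, with a "packages" map).

const ALLOWED_REGISTRY = 'https://registry.npmjs.org/'; // assumed policy value

// Returns a list of findings; an empty list means the pair passes the policy.
function auditLockfile(pkg, lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  const packages = lock.packages;
  if (!packages || !packages['']) {
    findings.push('lockfile: missing "packages" map (lockfileVersion < 2?)');
    return findings;
  }
  const root = packages[''];

  // 1. Declared ranges in package.json must match the lockfile root entry,
  //    and each declared dependency must have a resolved node_modules entry.
  //    A disagreement here is exactly what makes `npm ci` refuse to install.
  //    (optionalDependencies and peerDependencies are not covered.)
  for (const field of ['dependencies', 'devDependencies']) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (locked[name] !== range) {
        findings.push(`mismatch: ${field}.${name} is ${range} in package.json but ${locked[name] ?? 'absent'} in lockfile root`);
      }
      if (!packages[`node_modules/${name}`]) {
        findings.push(`unresolved: ${name} is declared but has no node_modules/ entry in the lockfile`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        findings.push(`stale: ${field}.${name} is in the lockfile root but not in package.json`);
      }
    }
  }

  // 2. Every resolved package must carry a URL on the allowed registry and a
  //    sha512 integrity hash, so a later install cannot be silently redirected
  //    or substituted. Workspace links ("link": true) are skipped.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || entry.link) continue;
    if (!entry.resolved) {
      findings.push(`no-resolved: ${path} has no resolved URL`);
    } else if (!entry.resolved.startsWith(allowedRegistry)) {
      findings.push(`foreign-registry: ${path} resolves to ${entry.resolved}`);
    }
    if (!entry.integrity) {
      findings.push(`no-integrity: ${path} has no integrity hash`);
    } else if (!entry.integrity.startsWith('sha512-')) {
      findings.push(`weak-integrity: ${path} uses ${entry.integrity.split('-')[0]}`);
    }
  }

  // 3. Exact-version overrides in package.json must be what the lockfile
  //    actually resolved, wherever that package appears in the tree.
  //    (Range-form and nested overrides are out of scope for this check.)
  for (const [name, wanted] of Object.entries(pkg.overrides || {})) {
    if (typeof wanted !== 'string' || !/^\d+\.\d+\.\d+$/.test(wanted)) continue;
    for (const [path, entry] of Object.entries(packages)) {
      if (path.endsWith(`node_modules/${name}`) && entry.version !== wanted) {
        findings.push(`override-not-applied: ${path} is ${entry.version}, override pins ${wanted}`);
      }
    }
  }
  return findings;
}

// Constructed sample: a manifest and lockfile that disagree in four ways
// (range drift, a mirror URL, a sha1 hash, and an override that never landed).
const samplePkg = {
  name: 'sample-app',
  version: '1.0.0',
  devDependencies: { eslint: '^9.0.0', '@playwright/test': '^1.45.0' },
  overrides: { minimist: '1.2.8' },
};

const sampleLock = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0',
          devDependencies: { eslint: '^8.57.0', '@playwright/test': '^1.45.0' } },
    'node_modules/eslint': { version: '8.57.0', dev: true,
      resolved: 'https://registry.npmjs.org/eslint/-/eslint-8.57.0.tgz', integrity: 'sha512-AAAA' },
    'node_modules/@playwright/test': { version: '1.45.0', dev: true,
      resolved: 'https://example-mirror.internal/@playwright/test/-/test-1.45.0.tgz', integrity: 'sha512-BBBB' },
    'node_modules/minimist': { version: '1.2.5',
      resolved: 'https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz', integrity: 'sha1-CCCC' },
  },
};

const sampleFindings = auditLockfile(samplePkg, sampleLock);
console.log(sampleFindings.length ? sampleFindings.join('\n') : 'lockfile OK');
```

To run it against a real checkout, replace the two samples with JSON.parse(fs.readFileSync('package.json', 'utf8')) and the same for package-lock.json. A non-empty findings list is the signal to make the lockfile change deliberately in its own maintenance change, rather than letting an install regenerate the lockfile as a side effect.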
What npm Is Used For
| Purpose | Command | Primary Control |
|---|---|---|
| JavaScript lint and sink checks | npm run test:js | ESLint rules + JS sink policy checks |
| Playwright smoke checks | npm run test:smoke:ui | Browser-level route behavior and regression validation |
| Accessibility route and policy checks | npm run test:a11y:all | WCAG, reflow, contrast, and ARIA test suites |
| Contrast matrix generation | npm run test:a11y:contrast | Theme-level contrast conformance verification |
CI/CD Gate Model
PayCal separates quality controls across workflows so failures are explicit and traceable:
- .github/workflows/javascript.yml: Node 20 + npm ci + JavaScript quality gates.
- .github/workflows/phpunit.yml: staged backend validation, from a fast gate to deep verification and artifacts.
- .github/workflows/phpstan.yml: strict static analysis with a baseline-blocking policy.
Release hygiene workflows treat failed gates as blockers and require a rerun after fixes.
Known Limitations
- Public transparency pages are manually synchronized with workflow and package changes on release cycles.
- CI pipeline behavior is documented in multiple pages and can drift if updates are not applied consistently.
Planned Documentation Improvements
- Publish one canonical gate matrix mapping each CI job to owner, trigger, command, and blocking status.
- Add a quarterly dependency governance snapshot including direct npm packages, rationale, and update cadence.
- Add a release checklist item to confirm npm governance docs remain aligned with workflow and lockfile policy.
How to Verify
```shell
# Reproduce JavaScript CI gates locally
npm ci
npm run test:js

# Reproduce the broader release-level accessibility gate
npm run test:a11y:all

# Inspect workflow definitions
cat .github/workflows/javascript.yml
cat .github/workflows/phpunit.yml
cat .github/workflows/phpstan.yml
```
Related transparency pages: CI/CD Tooling and Release Governance, Testing and Validation Governance, and Verification and Governance.