# CI scaffold

`shrk ci scaffold github-actions` writes a starter GitHub Actions workflow that wires up the SharkCraft checks you want. Dry-run by default.

```bash
shrk ci scaffold github-actions --with-quality --with-review --with-boundaries
shrk ci scaffold github-actions --with-coverage --with-agent-tests --write
```

## Flags

| Flag | Adds the step | Artifact |
|------|---------------|----------|
| `--with-quality` | `shrk quality --ci > quality.json` | `sharkcraft-quality` |
| `--with-review` | `shrk review --since origin/main --json` | `sharkcraft-review-packet` |
| `--with-boundaries` | `shrk check boundaries --json` | `sharkcraft-boundaries` |
| `--with-coverage` | `shrk coverage --json` | `sharkcraft-coverage` |
| `--with-agent-tests` | `shrk test agent --json` | `sharkcraft-agent-tests` |
| `--with-drift-gate` | chains `--require-drift-clean` onto the `--with-quality` step | (folded into `sharkcraft-quality`) |
| `--with-node-compat` | `bun run compat:node > node-compat.json` | `sharkcraft-node-compat` |
| `--with-safety-audit` | `shrk safety audit --json` | `sharkcraft-safety-audit` |
| `--with-command-doctor` | `shrk commands doctor --json` | `sharkcraft-commands-doctor` |
| `--with-pack-tests --pack-paths a,b` | one `shrk packs test --load --json` per comma-separated path | `sharkcraft-pack-` (one per path) |
| `--with-impact` (R13) | `shrk impact --since origin/main --format json` | `.sharkcraft/reports/impact.json` |
| `--with-policy-snapshot-gate` (R13) | `shrk policy snapshot --all --gate --json` | `policy-snapshots.json` |
| `--with-bundle-replay` (R13) | `shrk bundle replay --all --report --html` | `.sharkcraft/reports/bundle-replay-all.md` |
| `--with-report-site` (R13) | `shrk report site --output .sharkcraft/reports/site` | `.sharkcraft/reports/site/index.html` |
| `--with-knowledge-check` (R30) | `shrk knowledge stale-check --ci --format json` | `.sharkcraft/reports/knowledge-stale.json` |
| `--with-template-drift` (R30) | `shrk templates drift --ci --format json` | `.sharkcraft/reports/template-drift.json` |
| `--with-integrity` (R30) | shortcut: enables both `--with-knowledge-check` and `--with-template-drift` | both artifacts |

The scaffold uploads each artifact via `actions/upload-artifact@v4` with `if: always()` so failed runs still surface their data.

`--with-drift-gate` requires `--with-quality` (it modifies that step's arguments). The other flags can be combined freely.

```bash
shrk ci scaffold github-actions \
  --with-quality --with-drift-gate \
  --with-node-compat \
  --with-safety-audit \
  --with-command-doctor \
  --with-pack-tests --pack-paths ./packs/my-pack \
  --write
```

## Output

```bash
shrk ci scaffold github-actions --with-quality            # prints YAML to stdout
shrk ci scaffold github-actions --with-quality --write    # writes .github/workflows/sharkcraft.yml
shrk ci scaffold github-actions --output ops/sharkcraft.yml --write
```

Refuses to overwrite an existing file unless you pass `--force`.

## Jenkins / Azure DevOps / CircleCI

R48 removed the CLI surface for these providers (`shrk ci scaffold circleci|azure|azure-pipelines|jenkins`).
The underlying generators (`circleciYaml`, `azureYaml`, `azureFromInputs`, `jenkinsFile`) still live in `packages/cli/src/commands/ci.command.ts` and can be imported by pack authors who need them. See [`docs/ci-providers.md`](ci-providers.md).

## CI permissions audit (R15)

```bash
shrk ci permissions [--provider github-actions|gitlab|bitbucket|azure|jenkins] [--json]
```

Audits the generated (or hand-written) workflow file for write scopes, PR-comment posting, token usage, external actions/images, and artifact uploads. Returns a least-privilege recommendation. See [ci-permissions.md](ci-permissions.md) for the full audit reference.

## GitLab and Bitbucket (R14)

```bash
shrk ci scaffold gitlab --with-quality --with-policy --with-impact --with-report-site
shrk ci scaffold bitbucket --with-quality --with-policy --with-impact --with-report-site
```

`gitlab` emits a `.gitlab-ci.yml`-style file with three explicit stages: `sharkcraft_quality`, `sharkcraft_review`, `sharkcraft_reports`. Each gate flag adds the matching job — `sharkcraft:quality`, `sharkcraft:policy`, `sharkcraft:impact`, `sharkcraft:review`, `sharkcraft:report-site`, `sharkcraft:bundle-replay`, `sharkcraft:compat-node`. Artifacts are scoped per job and only kept on the runs that produced them.

`bitbucket` emits a `bitbucket-pipelines.yml` with two pipelines:

- `pipelines.pull-requests` — runs the selected steps on every PR.
- `pipelines.custom.sharkcraft-governance` — manually triggered governance run (doctor + quality + policy + bundle-replay + report site).

Both scaffolds support the same flag matrix as `github-actions` (quality, policy, policy-snapshot-gate, impact, review, report-site, bundle-replay, node-compat). Dry-run by default; refuses to overwrite without `--force`.

MCP: `get_ci_scaffold_preview` now accepts `provider` (`github-actions | gitlab | bitbucket`) and returns the rendered YAML + the canonical output path. No writes.

## Bundle-replay schedule (R13)

```bash
shrk bundle replay scaffold github-actions --schedule weekly|daily|manual [--with-report-site]
```

Generates a separate `.github/workflows/sharkcraft-bundle-replay.yml` that runs `shrk bundle replay --all --report --html` on the chosen schedule (defaults to weekly cron `17 6 * * 1`).

## What it intentionally does NOT do

- Does not call the GitHub API
- Does not post PR comments (use `shrk review render-comment` + `gh pr comment`)
- Does not pin actions to commit SHAs (review the workflow before adopting)
- Does not enable branch protection rules
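
A review check for two points on this page: the scaffold leaves action pinning to you, and the permissions audit section names write scopes as something to look for. This is an added example, not SharkCraft code and not the logic of `shrk ci permissions`; the workflow text is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample, not real `shrk` output: one tag-pinned action, one write scope.
SAMPLE_WORKFLOW = """\
name: sharkcraft
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  sharkcraft:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - run: shrk quality --ci > quality.json
      - uses: actions/upload-artifact@v4
        if: always()
        with: {name: sharkcraft-quality, path: quality.json}
"""

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
WRITE_RE = re.compile(r"^\s*([a-z-]+):\s*(write|write-all)\s*(?:#.*)?$")

def is_pinned(ref):
    """True if the ref cannot move: local path, 40-hex commit SHA, or image digest."""
    if ref.startswith("./"):  # local action, versioned with the repository itself
        return True
    target, _, version = ref.partition("@")
    if target.startswith("docker://"):
        return re.fullmatch(r"sha256:[0-9a-f]{64}", version) is not None
    return re.fullmatch(r"[0-9a-f]{40}", version) is not None

def unpinned_actions(text):
    """Return (line_number, ref) for each `uses:` a tag or branch move could change."""
    hits = ((n, USES_RE.match(line)) for n, line in enumerate(text.splitlines(), 1))
    return [(n, m.group(1)) for n, m in hits if m and not is_pinned(m.group(1))]

def permission_findings(text):
    """Line-based heuristic: list write grants, or note a missing permissions block."""
    lines = text.splitlines()
    if not any(re.match(r"^\s*permissions:", line) for line in lines):
        return ["no permissions block: token uses the repository default scopes"]
    matches = (WRITE_RE.match(line) for line in lines)
    return [f"{m.group(1)}: {m.group(2)}" for m in matches if m]

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))
    print(permission_findings(SAMPLE_WORKFLOW))
```

The check is line-based rather than a YAML parse, so treat its output as a prompt for manual review of the flagged lines.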