Required Check Mapping

This document maps merge-critical workflows to expected check names.

Merge to `dev` / `main`

Required check name	Source workflow	Scope
`CI Required Gate`	`.github/workflows/ci-run.yml`	core Rust/doc merge gate
`Security Required Gate`	`.github/workflows/sec-audit.yml`	aggregated security merge gate

Supplemental monitors (non-blocking unless added to branch protection contexts):

Feature matrix lane check names (informational, non-required):

Required check name	Source workflow	Scope
`Verify Artifact Set`	`.github/workflows/pub-release.yml`	release completeness
`Pre-release Guard`	`.github/workflows/pub-prerelease.yml`	stage progression + tag integrity
`Nightly Summary & Routing`	`.github/workflows/feature-matrix.yml` (`profile=nightly`)	overnight integration signal

Check active branch protection required contexts:
- gh api repos/zeroclaw-labs/zeroclaw/branches/main/protection --jq '.required_status_checks.contexts[]'
Resolve latest workflow run IDs:
- gh run list --repo zeroclaw-labs/zeroclaw --workflow feature-matrix.yml --limit 1
- gh run list --repo zeroclaw-labs/zeroclaw --workflow ci-run.yml --limit 1
Enumerate check/job names and compare to this mapping:
- gh run view <run_id> --repo zeroclaw-labs/zeroclaw --json jobs --jq '.jobs[].name'
If any merge-critical check name changed, update this file before changing branch protection policy.

Use pinned uses: references for all workflow actions.
Keep check names stable; renaming check jobs can break branch protection rules.
GitHub scheduled/manual discovery for workflows is default-branch driven. If a release/nightly workflow only exists on a non-default branch, merge it into the default branch before expecting schedule visibility.
Update this mapping whenever merge-critical workflows/jobs are added or renamed.