api7 · guoqqqi · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,22 +2,24 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, master]
   pull_request:
-    branches: [main]
+    branches: [main, master]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   test:
+    name: Go Test
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        go-version: ["1.22", "1.23"]
     steps:
       - uses: actions/checkout@v4
 
       - uses: actions/setup-go@v5
         with:
-          go-version: ${{ matrix.go-version }}
+          go-version-file: go.mod
 
       - name: Build
         run: go build ./...
@@ -29,14 +31,15 @@ jobs:
         run: go vet ./...
 
   lint:
+    name: Go Lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version-file: go.mod
 
       - uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
+          version: v1.64.8
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -6,6 +6,10 @@ on:
     branches: [main, master]
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   e2e:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/skills.yml b/.github/workflows/skills.yml
@@ -0,0 +1,28 @@
+name: Skills Validation
+on:
+  pull_request:
+    branches: [main, master]
+  push:
+    branches: [main, master]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  validate-skills:
+    name: Skills Metadata & Command Validation
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.0"
+
+      - name: Validate skills
+        run: make validate-skills
+
+      - name: Test skills
+        run: make test-skills
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ LDFLAGS := -s -w \
 	-X $(MODULE)/internal/version.Commit=$(COMMIT) \
 	-X $(MODULE)/internal/version.Date=$(DATE)
 
-.PHONY: build test test-verbose lint fmt vet check install clean docker-up docker-down test-e2e test-e2e-full
+.PHONY: build test test-verbose lint fmt vet check install clean docker-up docker-down validate-skills test-skills test-e2e test-e2e-full
 
 build:
 	go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) ./cmd/a7
@@ -29,7 +29,13 @@ fmt:
 vet:
 	go vet ./...
 
-check: fmt vet lint test
+check: fmt vet lint test validate-skills test-skills
+
+validate-skills:
+	bash ./scripts/validate-skills.sh
+
+test-skills:
+	go test ./test/e2e/skills -tags=e2e -count=1
 
 install: build
 	cp bin/$(BINARY) $(GOPATH)/bin/$(BINARY)

diff --git a/docs/skills.md b/docs/skills.md
@@ -13,8 +13,8 @@ skills/
 ├── a7-shared/SKILL.md               # Core a7 conventions (shared skill)
 ├── a7-plugin-ai-proxy/SKILL.md      # AI Gateway plugin skill
 ├── a7-plugin-key-auth/SKILL.md      # key-auth plugin skill
-├── a7-recipe-gateway-group/SKILL.md # Gateway group management recipe
-├── a7-persona-platform-eng/SKILL.md # Platform Engineer persona
+├── a7-recipe-canary/SKILL.md        # Canary release recipe
+├── a7-persona-operator/SKILL.md     # Operator persona
 └── ...
 ```
 
@@ -28,8 +28,8 @@ Skills follow a naming convention with four types:
 |--------|------|-------------|---------|
 | `a7-shared` | Shared | Core project conventions and patterns | `a7-shared` |
 | `a7-plugin-*` | Plugin | One API7 EE plugin — config, examples, gateway group scoping | `a7-plugin-ai-proxy` |
-| `a7-recipe-*` | Recipe | Multi-step operational task (e.g., setting up a service template) | `a7-recipe-service-template` |
-| `a7-persona-*` | Persona | Role-specific workflow guidance | `a7-persona-platform-eng` |
+| `a7-recipe-*` | Recipe | Multi-step operational task | `a7-recipe-canary` |
+| `a7-persona-*` | Persona | Role-specific workflow guidance | `a7-persona-operator` |
 
 ### Naming Rules
 
@@ -106,13 +106,19 @@ The body content depends on the skill type:
 
 ## CI Validation
 
-Every PR that modifies `skills/` is validated by `scripts/validate-skills.sh`. The script checks:
+Every PR validates `skills/` with `scripts/validate-skills.sh`. The script checks:
 
 1. Every `skills/*/SKILL.md` has valid YAML frontmatter
 2. Required fields `name` and `description` are present
 3. `name` matches the directory name
 4. `name` follows kebab-case pattern
 5. `description` is non-empty
+6. skill names are unique
+
+The E2E suite also contains static skill checks under `test/e2e/skills`.
+Those checks keep this document aligned with the actual `skills/` inventory and
+prevent references to known removed commands such as the old health and portal
+commands.
 
 Run locally:
 
@@ -128,18 +134,65 @@ make validate-skills
 4. Run validation: `make validate-skills`
 5. Update this document if adding a new skill type or category
 
-## Skill Roadmap
-
-| PR | Skills | Description |
-|----|--------|-------------|
-| PR-28 | 1 | Infrastructure + `a7-shared` |
-| PR-29 | 6 | AI Gateway plugins (ai-proxy, ai-prompt-template, ai-prompt-decorator, ai-content-moderation, ai-rag, ai-token-limiter) |
-| PR-30 | 5 | Enterprise core (gateway-group, service-template, rbac, portal, audit-log) |
-| PR-31 | 5 | Authentication plugins (key-auth, jwt-auth, basic-auth, openid-connect, wolf-rbac) |
-| PR-32 | 4 | Security + rate limiting (ip-restriction, cors, limit-count, limit-req) |
-| PR-33 | 5 | Traffic + transformation (proxy-rewrite, response-rewrite, traffic-split, redirect, grpc-transcode) |
-| PR-34 | 5 | Operational recipes (blue-green, canary, circuit-breaker, health-check, service-registry) |
-| PR-35 | 6 | Observability (prometheus, skywalking, zipkin, http-logger, kafka-logger, datadog) |
-| PR-36 | 3 | Advanced recipes + personas |
-
-**Total**: 40 skills across 9 PRs.
+## Current Inventory
+
+The repository currently contains 40 skills:
+
+**Shared**
+
+- `a7-shared`
+
+**Personas**
+
+- `a7-persona-developer`
+- `a7-persona-operator`
+
+**Plugin Skills**
+
+- `a7-plugin-ai-content-moderation`
+- `a7-plugin-ai-prompt-decorator`
+- `a7-plugin-ai-prompt-template`
+- `a7-plugin-ai-proxy`
+- `a7-plugin-basic-auth`
+- `a7-plugin-consumer-restriction`
+- `a7-plugin-cors`
+- `a7-plugin-datadog`
+- `a7-plugin-ext-plugin`
+- `a7-plugin-fault-injection`
+- `a7-plugin-grpc-transcode`
+- `a7-plugin-hmac-auth`
+- `a7-plugin-http-logger`
+- `a7-plugin-ip-restriction`
+- `a7-plugin-jwt-auth`
+- `a7-plugin-kafka-logger`
+- `a7-plugin-key-auth`
+- `a7-plugin-limit-count`
+- `a7-plugin-limit-req`
+- `a7-plugin-openid-connect`
+- `a7-plugin-prometheus`
+- `a7-plugin-proxy-rewrite`
+- `a7-plugin-redirect`
+- `a7-plugin-response-rewrite`
+- `a7-plugin-serverless`
+- `a7-plugin-skywalking`
+- `a7-plugin-traffic-split`
+- `a7-plugin-wolf-rbac`
+- `a7-plugin-zipkin`
+
+**Recipe Skills**
+
+- `a7-recipe-api-versioning`
+- `a7-recipe-blue-green`
+- `a7-recipe-canary`
+- `a7-recipe-circuit-breaker`
+- `a7-recipe-graphql-proxy`
+- `a7-recipe-health-check`
+- `a7-recipe-mtls`
+- `a7-recipe-multi-tenant`
+
+## Current Compatibility Notes
+
+- Route examples should use the current API7 EE model: create a service, then create routes with `service_id`.
+- Auth examples should use `consumer create` plus `credential create`; do not put auth plugin credentials directly in the consumer body.
+- Standalone upstream workflows are not the preferred `a7` path for current API7 EE. Use service inline upstreams and service-backed routes unless you are intentionally documenting APISIX-compatible behavior.
+- Gateway/httpbin traffic checks are optional for `a7`; the default CI focuses on CLI-driven control-plane resource CRUD and structured `get/list/dump` assertions.
diff --git a/docs/testing-strategy.md b/docs/testing-strategy.md
@@ -6,6 +6,8 @@
 - Unit tests are only allowed for self-contained logic that does not need mocked external systems.
 - Do not add new command-level tests that mock the Admin API, gateway, or control-plane behavior.
 - Default E2E coverage should prioritize control-plane CLI roundtrips: create/update/delete/sync via `a7`, then read back state with `get`, `list`, or `config dump`.
+- GitHub CI uses repository-configured external environment variables and does not bootstrap API7 with Docker Compose.
+- The Docker Compose stack under `test/e2e/` is for local testing and debugging.
 
 ## Test Pyramid For `a7`
 
@@ -40,6 +42,10 @@ Optional targets outside the default CI path:
 - auth and forwarding behavior that depends on a live upstream
 - debug flows that require live gateway requests
 
+Full gateway/data-plane traffic validation belongs in the gateway repository.
+For `a7`, prefer validating CLI behavior by creating, updating, reading, and
+deleting resources through the CLI itself.
+
 E2E tests live in `test/e2e/` behind the `e2e` build tag and are run through the Ginkgo entrypoint in `make test-e2e`.
 
 ## What To Remove
@@ -62,7 +68,10 @@ Optional for live gateway/data-plane coverage:
 - `A7_GATEWAY_GROUP`
 - `A7_E2E_ENABLE_GATEWAY_GROUP_CRUD=1` when you explicitly want to exercise gateway-group create/delete against an environment that supports it
 
-For local development, you can bring up the repository's Docker-based environment with:
+CI provides `A7_ADMIN_URL` and `A7_TOKEN` through repository secrets, and sets
+`A7_GATEWAY_GROUP` to the fixed value `default` in the workflow. For local
+development, you can either point these variables at an existing API7
+environment or bring up the repository's Docker-based environment with:
 
 ```bash
 make docker-up
@@ -95,6 +104,9 @@ export HTTPBIN_URL=...
 make test-e2e-full
 ```
 
+`test-e2e-full` is intended for local/debug use. It should not be treated as the
+default CI contract for `a7`.
+
 Equivalent direct command:
 
 ```bash