feat(ci): add retry logic and metrics to critical workflows

.github/workflows/_reusable-ga-readiness.yml

@@ -89,7 +89,7 @@ jobs:
           curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
 
       - name: Install Dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
 
       # 1. Antigravity Governance Check
       - name: Antigravity Compliance
@@ -110,7 +110,7 @@ jobs:
           exit-code: "1"
 
       - name: Run NPM Audit
-        run: npm audit --audit-level=high
+        run: for i in 1 2 3; do npm audit --audit-level=high && exit 0 || sleep 15; done; exit 1
 
       # 3. Supply Chain: SBOM & OPA
       - name: Generate SBOM

.github/workflows/ci-verify.yml

@@ -37,16 +37,15 @@ jobs:
           cache: pnpm
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
 
       - name: Dependency audit (critical CVEs only)
         run: |
           echo "=== Scanning for Critical CVEs ==="
-          pnpm audit --audit-level critical || {
-            echo "::error::Critical CVEs detected - CI BLOCKED"
-            echo "::error::Run 'pnpm audit' locally and document exceptions if needed"
-            exit 1
-          }
+          for i in 1 2 3; do pnpm audit --audit-level critical && exit 0 || { echo "Retry $i..."; sleep 15; }; done
+          echo "::error::Critical CVEs detected - CI BLOCKED"
+          echo "::error::Run 'pnpm audit' locally and document exceptions if needed"
+          exit 1
         continue-on-error: false # BLOCKING: critical CVEs block merge
 
       - name: Snyk security scan
@@ -114,7 +113,7 @@ jobs:
           cache: pnpm
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
 
       - name: Media provenance gate
         run: npx tsx scripts/ci/verify_media_provenance.ts
@@ -172,7 +171,7 @@ jobs:
           cache: pnpm
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
 
       - name: Generate SBOM
         run: |
@@ -254,7 +253,7 @@ jobs:
           cache: pnpm
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
 
       - name: GraphQL schema compatibility check
         run: |
@@ -286,7 +285,7 @@ jobs:
           cache: pnpm
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
 
       - name: Verify control coverage
         run: |
@@ -462,3 +461,11 @@ jobs:
           echo "- ℹ️ Compliance Evidence" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "**Status**: Security and compliance verified" >> $GITHUB_STEP_SUMMARY
+
+  ci-metrics:
+    name: CI Metrics
+    needs: [security-scan, policy-compliance, governance-checks, mcp-ux-lint, provenance, schema-validation, compliance-evidence, ga-evidence-completeness, ci-verify-gate]
+    if: always()
+    uses: ./.github/workflows/_reusable-ci-metrics.yml
+    with:
+      workflow_name: 'CI Verify'

.github/workflows/ci.yml

@@ -48,7 +48,7 @@ jobs:
         with:
           node-version: '18'
           cache: 'pnpm'
-      - run: pnpm install --frozen-lockfile
+      - run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
       - run: pnpm run lint
 
   typecheck:
@@ -68,7 +68,7 @@ jobs:
           node-version-file: .nvmrc
           cache: "pnpm"
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
       - name: Typecheck
         run: pnpm typecheck
 
@@ -89,7 +89,7 @@ jobs:
           node-version-file: .nvmrc
           cache: "pnpm"
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
       - name: Unit Tests
         run: pnpm -w test:unit || pnpm -w test:unit
       - name: Attach evidence
@@ -173,7 +173,7 @@ jobs:
           node-version-file: .nvmrc
           cache: "pnpm"
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: for i in 1 2 3; do pnpm install --frozen-lockfile && exit 0 || sleep 15; done; exit 1
       - name: SOC Control Unit Tests
         run: bash scripts/test-soc-controls.sh soc-compliance-reports || bash scripts/test-soc-controls.sh soc-compliance-reports
       - name: Upload SOC compliance reports
@@ -207,3 +207,11 @@ jobs:
         with:
           name: verification-artifacts
           path: artifacts/**
+
+  ci-metrics:
+    name: CI Metrics
+    needs: [config-guard, lint, typecheck, unit-tests, integration-test, security-compliance, soc-controls, verify-versions]
+    if: always()
+    uses: ./.github/workflows/_reusable-ci-metrics.yml
+    with:
+      workflow_name: 'CI'