From 6c3a28037bb3f39375baf5ec0ef5f1aeaa3fddbd Mon Sep 17 00:00:00 2001
From: ruv <ruv@ruv.net>
Date: Sun, 31 May 2026 11:39:08 -0400
Subject: [PATCH] ci(verify-pipeline): re-run determinism gate on lock changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The determinism gate is path-filtered, but requirements-lock.txt (which
pins the numpy/scipy versions that *produce* the proof hash) was not in
the filter — so a dependency bump could silently drift the hash without
re-running the gate. That's how the 1.26.4 pin diverged from the
published ca58956c hash unnoticed. Add requirements-lock.txt to both the
push and pull_request path filters so this PR (and any future lock
change) actually re-runs verify.py.

Co-Authored-By: claude-flow <ruv@ruv.net>
---
 .github/workflows/verify-pipeline.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/verify-pipeline.yml b/.github/workflows/verify-pipeline.yml
index 1a7a6ed6..3e647e43 100644
--- a/.github/workflows/verify-pipeline.yml
+++ b/.github/workflows/verify-pipeline.yml
@@ -7,6 +7,7 @@ on:
       - 'archive/v1/src/core/**'
       - 'archive/v1/src/hardware/**'
       - 'archive/v1/data/proof/**'
+      - 'archive/v1/requirements-lock.txt'
       - '.github/workflows/verify-pipeline.yml'
   pull_request:
     branches: [ main, master ]
@@ -14,6 +15,7 @@ on:
       - 'archive/v1/src/core/**'
       - 'archive/v1/src/hardware/**'
       - 'archive/v1/data/proof/**'
+      - 'archive/v1/requirements-lock.txt'
       - '.github/workflows/verify-pipeline.yml'
   workflow_dispatch: