Workflow enumeration (GitHub Actions)

File	Purpose
`.github/workflows/ci.yml`	`runs-on: [self-hosted, linux, x64]` (basic Linux pool). `cargo build -p vox-cli`, then guards via `vox ci` (`cargo run -p vox-cli --quiet -- ci …`): `manifest`, `line-endings` (forward-only diff vs `GITHUB_BASE_SHA`…`GITHUB_SHA` on PRs), `check-codex-ssot`, `check-docs-ssot` (includes stale doc/workflow ref scan), `doc-inventory verify`, `eval-matrix verify`, `eval-matrix run --milestone m3-dei-contracts` (bounded matrix-runner smoke), `cargo check -p vox-cli --features gpu` (compile smoke), `workflow-scripts`, `toestub-scoped`, `feature-matrix`, `no-vox-orchestrator-import`, `cuda-features`, `openclaw-contract` (protocol fixture guard); `cargo fmt --check`, `RUSTDOCFLAGS='-D warnings' cargo doc --workspace --no-deps`, `cargo clippy --workspace --all-targets -- -D warnings`, repository/orchestrator/MCP smoke, `cargo check -p vox-cli --features gpu,mens-qlora,stub-check`, `cargo llvm-cov nextest --workspace --profile ci` (toolchain `llvm-tools-preview` + `cargo-llvm-cov`), then `cargo llvm-cov report` without `--workspace` (text + JSON summary + LCOV; `report` only aggregates the last instrumented run), `vox ci coverage-gates --mode enforce`, artifact upload, `cargo test --workspace --doc`, `mens-gate --profile ci_full` (full Mens gate matrix from `scripts/populi/gates.yaml`). Sibling job `vox-browser-cdp-smoke`: `runs-on: [self-hosted, linux, x64, browser]`, `cargo test -p vox-browser -- --ignored` with `VOX_BROWSER_NO_SANDBOX=1` (Chromium/CDP via chromiumoxide; requires Chrome/Chromium on the runner). Optional shell twins: `scripts/README.md`. Intentional duals: command-surface-duals.
`.github/workflows/docs-deploy.yml`	Build `vox-doc-pipeline`, run doc pair extraction, mdBook build, Pages artifact.
`.github/workflows/deploy-hetzner.yml`	`push: main` Automated deployment to Hetzner Coolify VPS. Gate 1 is a thin `cargo build -p vox-cli --locked` on `ubuntu-latest` (fmt/clippy/tests are `ci.yml`); Gates 2–4 poll Coolify and probe public `/health`.
`.github/workflows/docs-quality.yml`	`runs-on: ubuntu-latest` (documented exception). mdBook toolchain, `cargo run -p vox-doc-pipeline -- --check` (blocking), advisory mdBook build / markdownlint / internal link steps.
`.github/workflows/link_checker.yml`	Link validation for docs site.
`.github/workflows/ml_data_extraction.yml`	ML / corpus maintenance jobs. Grammar drift via `vox ci grammar-drift --emit github`; eval summary via `vox corpus eval --print-summary` (no Python).
`.github/workflows/release-binaries.yml`	Tag-only release publish (`v`): matrix `vox ci release-build --package both`* for Linux x64, Windows x64, macOS x64 + Apple Silicon (`aarch64-apple-darwin`), using `cargo run --locked`. Each matrix job builds and smoke-tests both `vox` and `vox-bootstrap` archives (`vox --version`, `vox-bootstrap --help`) before upload; publish job merges `checksums.txt`. See binary release contract.
`.github/workflows/pm-provenance-verify.yml`	`workflow_dispatch` only: writes a minimal `vox.pm.provenance/1` fixture under `.vox_modules/provenance/` and runs `vox ci pm-provenance --strict` (PM publish lane smoke; separate from binary tags). Add a `schedule:` block locally if you want periodic self-hosted runs.
`.github/workflows/mutation-nightly.yml`	Schedule / `workflow_dispatch`: `cargo mutants -p vox-compiler` with `cargo-nextest` (pilot; config `.cargo/mutants.toml`). Self-hosted Linux pool.

CUDA / GPU compile gates: when a job needs nvcc or CUDA-enabled cargo check, use the Docker self-hosted profile ([self-hosted, linux, x64, docker]) per runner contract; keep runs-on explicit per job.

GitLab: .gitlab-ci.yml mirrors Rust guards, tests, docs, and ML jobs. Job vox-ci-guards runs the same vox ci + scoped cargo slice as the first half of GitHub ci.yml (through build-timings --crates): line-endings, command-compliance, eval-matrix verify, eval-matrix run --milestone m3-dei-contracts, cargo check -p vox-cli --features gpu, workflow-scripts, repository/orchestrator/MCP-lib + vox-git check, vox-populi --features transport tests, vox-workflow-runtime tests, vox-cli --features mesh,workflow-runtime check, build-timings --crates, feature-matrix, no-vox-orchestrator-import, toestub-scoped, cuda-features, mens-gate --profile ci_full. Separate GitLab jobs cover cargo fmt, cargo doc -D warnings, clippy, doc-only cargo test, and coverage (cargo llvm-cov nextest, not a separate full nextest run in test). Docker parity (optional):

vox-workflow-runtime tests also validate representative interpreted journal event rows against contracts/workflow/workflow-journal.v1.schema.json (including retry and mesh event families across feature modes), so CI catches v1 contract drift in both event shape and replay paths.

Job	GitHub equivalent	Notes
`mens-compose-config`	`mens-compose-config` in `ci.yml`	`docker compose -f examples/mens-compose.yml config` using `docker:26-cli` (no DinD if `config` is client-only).
`docker-vox-image-smoke`	`docker-vox-image-smoke`	`docker build` default + mens features; Docker-in-Docker service + `allow_failure: true` unless the runner allows privileged service containers (typical GitLab constraint).

If your runner cannot run DinD, the smoke job fails soft; keep mens-compose-config green for compose YAML validation. See deployment compose SSOT.