cistack 4.0.0 → 5.1.0

package/README.md

@@ -76,45 +76,30 @@ This writes `cistack.config.js` with the supported override keys.
 
 ## What gets generated
 
-### `ci.yml`
+### `pipeline.yml`
 
-Continuous integration for linting, tests, builds, coverage upload, and optional E2E jobs.
+By default, `cistack` now generates a single GitHub Actions workflow that combines CI, deploy, Docker, security, and release jobs into one place so teams can track the whole pipeline from one file.
 
-- Runs on pushes and pull requests
+- Includes lint, test, build, E2E, deploy, Docker, security, and release jobs when those parts of the stack are detected
 - Uses the detected default branch or your configured `branches`
-- Uses runtime matrices where appropriate
-- Uses package-manager-aware install and script commands
+- Keeps preview deploys, release jobs, and scheduled security scans in the same workflow file
+- Documents required secrets in the file header
 
-### `deploy.yml`
+### `dependabot.yml`
 
-Continuous deployment for the primary hosting provider.
+Dependabot remains a separate file in `.github/dependabot.yml`, because it is not a GitHub Actions workflow.
 
-- Runs on production pushes plus manual dispatch
-- Uses preview deployments on pull requests for providers that support them cleanly
-- Documents the required secrets in the file header
-- Avoids empty push branch lists when a repo is `develop`-only
+### Split mode
 
-### `docker.yml`
+If you prefer the old multi-file layout, set:
 
-Builds and optionally pushes Docker images to GHCR.
-
-- Runs on configured branches, pull requests, and semantic version tags
-- Uses Buildx and GitHub Actions cache
-
-### `security.yml`
-
-Dependency audit plus CodeQL analysis.
-
-- Runs on push, pull request, and a weekly schedule
-- Uses the detected default branch or configured branch overrides
-
-### `release.yml`
-
-Generated when `semantic-release`, `changesets`, `release-it`, `standard-version`, or a custom release command is detected or configured.
+```js
+module.exports = {
+  workflowLayout: 'split',
+};
+```
 
-- Uses the detected package manager for release commands
-- Respects configured branches and detected default branch
-- Documents additional required secrets such as `NPM_TOKEN`
+In split mode, `cistack` writes separate `ci.yml`, `deploy.yml`, `docker.yml`, `security.yml`, and `release.yml` files again.
 
 ## Supported detection
 
@@ -184,6 +169,7 @@ module.exports = {
   nodeVersion: '20',
   packageManager: 'pnpm',
   branches: ['main', 'staging'],
+  workflowLayout: 'single',
   hosting: ['Vercel'],
   outputDir: '.github/workflows',
 
@@ -211,6 +197,7 @@ Supported top-level config keys:
 - `frameworks`
 - `testing`
 - `branches`
+- `workflowLayout`
 - `cache`
 - `monorepo`
 - `release`

package/bin/ciflow.js

@@ -88,6 +88,7 @@ module.exports = {
   // packageManager: 'pnpm',    // 'npm' | 'yarn' | 'pnpm' | 'bun'
   // hosting: ['Firebase'],      // Force a specific hosting provider
   // branches: ['main', 'staging'], // CI branches (default: detected git default branch, then main/master/develop)
+  // workflowLayout: 'single',   // 'single' (default) or 'split'
   // outputDir: '.github/workflows', // Where to write workflow files
 
   // cache: {
@@ -101,7 +102,7 @@ module.exports = {
   // },
 
   // monorepo: {
-  //   perPackage: true, // Generate one ci-<name>.yml per workspace
+  //   perPackage: true, // Generate one ci-<name>.yml per workspace (split layout only)
   // },
 
   // release: {

package/index.d.ts

@@ -63,6 +63,7 @@ export interface Config {
   frameworks?: string | string[];
   testing?: string | string[];
   branches?: string[];
+  workflowLayout?: 'single' | 'split';
   cache?: CacheConfig;
   monorepo?: MonorepoConfig;
   release?: ReleaseTool | ReleaseConfig;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cistack",
-  "version": "4.0.0",
+  "version": "5.1.0",
   "description": "Automatically generate GitHub Actions CI/CD pipelines by analysing your codebase",
   "main": "src/index.js",
   "types": "index.d.ts",

package/src/config/loader.js

@@ -16,6 +16,7 @@ const chalk = require('chalk');
  *                      (default: detected git default branch, then main/master/develop)
  *   cache            – { npm: bool, cargo: bool, pip: bool, ... } enable/disable caches
  *   monorepo         – { perPackage: bool } generate one file per workspace
+ *   workflowLayout   – 'single' | 'split' (default: 'single')
  *   release          – { tool: 'semantic-release'|'changesets'|'standard-version'|'release-it' }
  *   secrets          – extra secret names to document in workflow comments
  *   outputDir        – override default '.github/workflows'

package/src/generators/dependabot.js

@@ -150,6 +150,11 @@ class DependabotGenerator {
       directory: '/',
       schedule: { interval: 'weekly', day: 'monday' },
       'open-pull-requests-limit': 10,
+      groups: {
+        'github-actions-updates': {
+          patterns: ['*'],
+        },
+      },
     });
 
     const doc = { version: 2, updates };

package/src/generators/workflow.js

@@ -23,6 +23,7 @@ class WorkflowGenerator {
     this.lockFiles = new Set(config.lockFiles || []);
     this.extraConfig = config._config || {}; // raw cistack.config.js
     this.defaultBranch = config.defaultBranch || config.currentBranch || null;
+    this.workflowLayout = this.extraConfig.workflowLayout === 'split' ? 'split' : 'single';
 
     // Convenient accessors
     this.primaryLang = this.languages[0] || { name: 'JavaScript', packageManager: 'npm', nodeVersion: '20' };
@@ -31,9 +32,10 @@ class WorkflowGenerator {
     this.hasDocker = this.hosting.some((h) => h.name === 'Docker');
     this.primaryHosting = this.hosting.filter((h) => h.name !== 'Docker')[0] || null;
 
-    // Monorepo mode: per-package workflows if configured or if > 1 package
+    // Monorepo mode: always keep the root matrix workflow for monorepos.
+    // Split layout may additionally emit one workflow per workspace.
     this.isMonorepo = this.monorepoPackages.length > 0;
-    this.perPackageWorkflows = this.isMonorepo && (
+    this.perPackageWorkflows = this.workflowLayout === 'split' && this.isMonorepo && (
       (this.extraConfig.monorepo && this.extraConfig.monorepo.perPackage) ||
       this.monorepoPackages.length > 1
     );
@@ -77,15 +79,17 @@ class WorkflowGenerator {
   generate() {
     const workflows = [];
 
-    if (this.perPackageWorkflows) {
-      // ── Monorepo: one CI file per workspace ─────────────────────────────
-      for (const pkg of this.monorepoPackages) {
-        workflows.push({
-          filename: `ci-${this._slugify(pkg.name)}.yml`,
-          content: this._buildCIWorkflow(pkg),
-        });
+    if (this.isMonorepo) {
+      if (this.perPackageWorkflows) {
+        // ── Monorepo split mode: one CI file per workspace ───────────────
+        for (const pkg of this.monorepoPackages) {
+          workflows.push({
+            filename: `ci-${this._slugify(pkg.name)}.yml`,
+            content: this._buildCIWorkflow(pkg),
+          });
+        }
       }
-      // Root-level CI file (matrix over all packages)
+      // ── Monorepo root CI file (matrix over all packages) ──────────────
       workflows.push({
         filename: 'ci.yml',
         content: this._buildMonorepoRootCI(),

package/src/index.js

@@ -18,6 +18,7 @@ const WorkflowGenerator = require('./generators/workflow');
 const DependabotGenerator = require('./generators/dependabot');
 const ReleaseGenerator  = require('./generators/release');
 const ConfigLoader      = require('./config/loader');
+const combineWorkflows  = require('./utils/workflow-combiner');
 const { ensureDir, writeFile, banner, smartMergeWorkflow } = require('./utils/helpers');
 
 const WorkflowAnalyzer = require('./analyzers/workflow');
@@ -105,8 +106,7 @@ class CIFlow {
       // ── 7. Generate CI/CD workflow(s) ─────────────────────────────────
       spinner.start('Generating workflow(s)...');
       const generator = new WorkflowGenerator(finalConfig, this.projectPath);
-      const workflows = generator.generate();
-      spinner.succeed(chalk.green(`Generated ${workflows.length} CI workflow(s)`));
+      let workflows = generator.generate();
 
       // ── 8. Generate dependabot.yml ────────────────────────────────────
       const dependabotGen = new DependabotGenerator(codebaseInfo);
@@ -121,6 +121,11 @@ class CIFlow {
         if (releaseWorkflow) workflows.push(releaseWorkflow);
       }
 
+      if (this._workflowLayout(finalConfig) !== 'split') {
+        workflows = [combineWorkflows(workflows, { config: finalConfig, releaseInfo: combinedReleaseInfo })];
+      }
+      spinner.succeed(chalk.green(`Generated ${this._workflowCountLabel(workflows.length)}`));
+
       // ── 10. Write files ────────────────────────────────────────────────
       if (this.dryRun) {
         this._dryRunPrint(workflows, dependabotFile);
@@ -131,7 +136,11 @@ class CIFlow {
 
       console.log('\n' + chalk.bold.green('✅  Done! Your GitHub Actions pipeline is ready.'));
       if (!this.dryRun) {
-        console.log(chalk.dim(`   Workflows → ${this.outputDir}`));
+        if (workflows.length === 1) {
+          console.log(chalk.dim(`   Pipeline → ${path.join(this.outputDir, workflows[0].filename)}`));
+        } else {
+          console.log(chalk.dim(`   Workflows → ${this.outputDir}`));
+        }
         console.log(chalk.dim(`   Dependabot → ${path.join(this.projectPath, '.github', 'dependabot.yml')}\n`));
       }
     } catch (err) {
@@ -253,6 +262,19 @@ class CIFlow {
     console.log('');
   }
 
+  _workflowLayout(config) {
+    const layout = config && config._config && config._config.workflowLayout;
+    return layout === 'split' ? 'split' : 'single';
+  }
+
+  _workflowCountLabel(count) {
+    return `${count} workflow file${count === 1 ? '' : 's'}`;
+  }
+
+  _displayWorkflowPath(filename) {
+    return path.posix.join('.github/workflows', filename);
+  }
+
   async _interactiveConfirm(config) {
     const { confirmed } = await inquirer.prompt([
       {
@@ -367,11 +389,11 @@ class CIFlow {
         const { content: merged, changes } = smartMergeWorkflow(existing, wf.content);
 
         if (changes.length === 0) {
-          console.log(chalk.dim(`  ○ No changes: ${wf.filename}`));
+          console.log(chalk.dim(`  ○ No changes: ${this._displayWorkflowPath(wf.filename)}`));
           continue;
         }
 
-        console.log(chalk.yellow(`  ↻ Smart-merged: ${wf.filename}`));
+        console.log(chalk.yellow(`  ↻ Smart-merged: ${this._displayWorkflowPath(wf.filename)}`));
         for (const c of changes) {
           console.log(chalk.dim(`    • ${c}`));
         }
@@ -379,10 +401,10 @@ class CIFlow {
         writeFile(filePath, merged);
       } else if (exists && this.force) {
         writeFile(filePath, wf.content);
-        console.log(chalk.green(`  ✔ Overwritten:  ${wf.filename}`));
+        console.log(chalk.green(`  ✔ Overwritten:  ${this._displayWorkflowPath(wf.filename)}`));
       } else {
         writeFile(filePath, wf.content);
-        console.log(chalk.green(`  ✔ Written:      ${wf.filename}`));
+        console.log(chalk.green(`  ✔ Written:      ${this._displayWorkflowPath(wf.filename)}`));
       }
     }
   }

package/src/utils/workflow-combiner.js

@@ -0,0 +1,238 @@
+'use strict';
+
+const path = require('path');
+const yaml = require('js-yaml');
+const { version } = require('../../package.json');
+
+function stripHeader(content) {
+  return content.replace(/^(?:#[^\n]*\n)+\n?/, '');
+}
+
+function isPlainObject(value) {
+  return !!value && typeof value === 'object' && !Array.isArray(value);
+}
+
+function dedupeArray(values) {
+  const seen = new Set();
+  const result = [];
+
+  for (const value of values) {
+    const key = isPlainObject(value) || Array.isArray(value)
+      ? JSON.stringify(value)
+      : String(value);
+    if (seen.has(key)) continue;
+    seen.add(key);
+    result.push(value);
+  }
+
+  return result;
+}
+
+function mergeDeep(target, source) {
+  if (Array.isArray(target) || Array.isArray(source)) {
+    return dedupeArray([...(target || []), ...(source || [])]);
+  }
+  if (isPlainObject(target) && isPlainObject(source)) {
+    const merged = { ...target };
+    for (const [key, value] of Object.entries(source)) {
+      merged[key] = key in merged ? mergeDeep(merged[key], value) : value;
+    }
+    return merged;
+  }
+  return source === undefined ? target : source;
+}
+
+function mergePermissions(target, source) {
+  const rank = { none: 0, read: 1, write: 2 };
+  const merged = { ...(target || {}) };
+
+  for (const [key, value] of Object.entries(source || {})) {
+    const current = merged[key];
+    if (!current) {
+      merged[key] = value;
+      continue;
+    }
+    merged[key] = (rank[value] || 0) > (rank[current] || 0) ? value : current;
+  }
+
+  return merged;
+}
+
+function prefixJobMap(jobs, prefix) {
+  const mapping = {};
+  for (const jobId of Object.keys(jobs || {})) {
+    mapping[jobId] = `${prefix}_${jobId}`;
+  }
+
+  const prefixed = {};
+  for (const [jobId, job] of Object.entries(jobs || {})) {
+    const nextJob = JSON.parse(JSON.stringify(job));
+    if (typeof nextJob.needs === 'string') {
+      nextJob.needs = mapping[nextJob.needs] || nextJob.needs;
+    } else if (Array.isArray(nextJob.needs)) {
+      nextJob.needs = nextJob.needs.map((need) => mapping[need] || need);
+    }
+    prefixed[mapping[jobId]] = nextJob;
+  }
+
+  return prefixed;
+}
+
+function unwrapExpression(expr) {
+  if (typeof expr !== 'string') return '';
+  return expr.trim().replace(/^\${{\s*/, '').replace(/\s*}}$/, '');
+}
+
+function quote(value) {
+  return String(value).replace(/'/g, "\\'");
+}
+
+function buildBranchCondition(branches, refName) {
+  if (!Array.isArray(branches) || branches.length === 0) return '';
+  return branches
+    .map((branch) => `${refName} == '${quote(branch)}'`)
+    .join(' || ');
+}
+
+function buildTriggerCondition(onConfig) {
+  if (!onConfig) return '';
+
+  if (typeof onConfig === 'string') {
+    return `github.event_name == '${quote(onConfig)}'`;
+  }
+
+  if (Array.isArray(onConfig)) {
+    return onConfig
+      .map((eventName) => `github.event_name == '${quote(eventName)}'`)
+      .join(' || ');
+  }
+
+  const clauses = [];
+
+  for (const [eventName, eventConfig] of Object.entries(onConfig)) {
+    if (eventName === 'push') {
+      const branchExpr = buildBranchCondition(eventConfig && eventConfig.branches, 'github.ref_name');
+      clauses.push(branchExpr ? `(github.event_name == 'push' && (${branchExpr}))` : "github.event_name == 'push'");
+      continue;
+    }
+
+    if (eventName === 'pull_request') {
+      const branchExpr = buildBranchCondition(eventConfig && eventConfig.branches, 'github.base_ref');
+      clauses.push(branchExpr ? `(github.event_name == 'pull_request' && (${branchExpr}))` : "github.event_name == 'pull_request'");
+      continue;
+    }
+
+    if (eventName === 'workflow_dispatch') {
+      clauses.push("github.event_name == 'workflow_dispatch'");
+      continue;
+    }
+
+    if (eventName === 'schedule') {
+      clauses.push("github.event_name == 'schedule'");
+      continue;
+    }
+
+    clauses.push(`github.event_name == '${quote(eventName)}'`);
+  }
+
+  return clauses.join(' || ');
+}
+
+function applyTriggerCondition(job, triggerCondition) {
+  if (!triggerCondition) return job;
+
+  const nextJob = { ...job };
+  const existingIf = unwrapExpression(nextJob.if);
+  nextJob.if = existingIf
+    ? `(${triggerCondition}) && (${existingIf})`
+    : triggerCondition;
+  return nextJob;
+}
+
+function collectRequiredSecrets(config, releaseInfo) {
+  const secrets = new Set();
+
+  for (const hosting of config.hosting || []) {
+    for (const secret of hosting.secrets || []) {
+      secrets.add(secret);
+    }
+  }
+
+  for (const secret of (config.envVars && config.envVars.secrets) || []) {
+    secrets.add(secret);
+  }
+
+  if (releaseInfo && releaseInfo.requiresNpmToken) {
+    secrets.add('NPM_TOKEN');
+  }
+
+  return [...secrets];
+}
+
+function buildHeader(sections, config, releaseInfo) {
+  const sectionList = dedupeArray(sections).join(', ');
+  const requiredSecrets = collectRequiredSecrets(config, releaseInfo);
+  const secretsDoc = requiredSecrets.length > 0
+    ? `# Required secrets: ${requiredSecrets.join(', ')}\n# Add these at: Settings → Secrets and Variables → Actions\n`
+    : '';
+
+  return (
+    `# Generated by cistack v${version} — https://github.com/cistack\n` +
+    `# Unified Pipeline: ${sectionList}\n` +
+    `${secretsDoc}` +
+    `# Dependabot remains in .github/dependabot.yml\n\n`
+  );
+}
+
+function combineWorkflows(workflows, options = {}) {
+  const config = options.config || {};
+  const releaseInfo = options.releaseInfo || null;
+  const combined = {
+    name: 'Pipeline',
+    on: {},
+    concurrency: {
+      group: '${{ github.workflow }}-${{ github.ref }}',
+      'cancel-in-progress': true,
+    },
+    jobs: {},
+  };
+  const sections = [];
+
+  for (const workflow of workflows.filter(Boolean)) {
+    const parsed = yaml.load(stripHeader(workflow.content));
+    const triggerCondition = buildTriggerCondition(parsed.on || {});
+    const prefix = path.basename(workflow.filename, path.extname(workflow.filename))
+      .replace(/[^a-z0-9]+/gi, '_')
+      .replace(/^_+|_+$/g, '')
+      .toLowerCase();
+
+    sections.push(prefix);
+    combined.on = mergeDeep(combined.on, parsed.on || {});
+    if (parsed.env) {
+      combined.env = mergeDeep(combined.env || {}, parsed.env);
+    }
+    if (parsed.permissions) {
+      combined.permissions = mergePermissions(combined.permissions, parsed.permissions);
+    }
+
+    const prefixedJobs = prefixJobMap(parsed.jobs, prefix);
+    for (const [jobId, job] of Object.entries(prefixedJobs)) {
+      combined.jobs[jobId] = applyTriggerCondition(job, triggerCondition);
+    }
+  }
+
+  const raw = yaml.dump(combined, {
+    indent: 2,
+    lineWidth: 120,
+    quotingType: "'",
+    forceQuotes: false,
+    noRefs: true,
+  });
+
+  return {
+    filename: 'pipeline.yml',
+    content: buildHeader(sections, config, releaseInfo) + raw,
+  };
+}
+
+module.exports = combineWorkflows;

package/tests/run.js

@@ -17,6 +17,7 @@ const ReleaseDetector = require('../src/detectors/release');
 const TestingDetector = require('../src/detectors/testing');
 const WorkflowGenerator = require('../src/generators/workflow');
 const ReleaseGenerator = require('../src/generators/release');
+const combineWorkflows = require('../src/utils/workflow-combiner');
 const { smartMergeWorkflow } = require('../src/utils/helpers');
 
 const repoRoot = path.resolve(__dirname, '..');
@@ -212,6 +213,33 @@ test('Dependabot skips empty npm manifests and uses the bun ecosystem for bun.lo
   assert(!bunDependabot.updates.some((entry) => entry['package-ecosystem'] === 'npm'));
 });
 
+test('Dependabot groups GitHub Actions updates into a single pull request', async () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    '.github/workflows/ci.yml': [
+      'name: CI',
+      'jobs:',
+      '  test:',
+      '    runs-on: ubuntu-latest',
+      '    steps:',
+      '      - uses: actions/checkout@v4',
+      '      - uses: actions/setup-node@v4',
+      '      - uses: actions/upload-artifact@v4',
+    ].join('\n'),
+  });
+
+  const info = await new CodebaseAnalyzer(projectDir).analyse();
+  const dependabot = parseWorkflow(new DependabotGenerator(info).generate().content);
+  const gha = dependabot.updates.find((entry) => entry['package-ecosystem'] === 'github-actions');
+
+  assert(gha);
+  assert.deepEqual(gha.groups, {
+    'github-actions-updates': {
+      patterns: ['*'],
+    },
+  });
+});
+
 test('GCP App Engine detection documents only the secrets the generated deploy flow uses', async () => {
   const projectDir = makeTempDir();
   writeFiles(projectDir, {
@@ -324,6 +352,106 @@ test('WorkflowGenerator uses the detected default branch across CI, deploy, and
   assert.deepEqual(byName['security.yml'].on.push.branches, ['release']);
 });
 
+test('combineWorkflows collapses generated workflows into a single pipeline file', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'combined-pipeline-app',
+      version: '1.0.0',
+      scripts: {
+        test: 'echo ok',
+      },
+    }),
+  });
+
+  const config = makeJsProject({
+    hosting: [{ name: 'Vercel', secrets: ['VERCEL_TOKEN', 'VERCEL_ORG_ID', 'VERCEL_PROJECT_ID'] }],
+    testing: [{ name: 'Vitest', type: 'unit', confidence: 1, command: 'npm run test' }],
+  });
+  config.releaseInfo = { tool: 'custom', command: 'npm run release', publishToNpm: false, requiresNpmToken: false };
+  const workflows = new WorkflowGenerator(config, projectDir).generate();
+  workflows.push(new ReleaseGenerator(config.releaseInfo, config, projectDir).generate());
+
+  const combined = combineWorkflows(workflows, { config, releaseInfo: config.releaseInfo });
+  const parsed = parseWorkflow(combined.content);
+
+  assert.equal(combined.filename, 'pipeline.yml');
+  assert(parsed.jobs.ci_lint);
+  assert(parsed.jobs.deploy_deploy);
+  assert(parsed.jobs.security_security);
+  assert(parsed.jobs.release_release);
+});
+
+test('combineWorkflows preserves workflow-specific trigger scoping in the unified pipeline', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'combined-trigger-app',
+      version: '1.0.0',
+      scripts: {
+        test: 'echo ok',
+        build: 'echo build',
+        release: 'echo release',
+      },
+    }),
+  });
+
+  const config = makeJsProject({
+    hosting: [{ name: 'Vercel', secrets: ['VERCEL_TOKEN', 'VERCEL_ORG_ID', 'VERCEL_PROJECT_ID'] }],
+    frameworks: [{ name: 'Next.js', confidence: 1, buildDir: '.next' }],
+    testing: [{ name: 'Vitest', type: 'unit', confidence: 1, command: 'npm run test' }],
+  });
+  config.releaseInfo = { tool: 'custom', command: 'npm run release', publishToNpm: false, requiresNpmToken: false };
+
+  const workflows = new WorkflowGenerator(config, projectDir).generate();
+  workflows.push(new ReleaseGenerator(config.releaseInfo, config, projectDir).generate());
+
+  const combined = parseWorkflow(combineWorkflows(workflows, { config, releaseInfo: config.releaseInfo }).content);
+
+  assert.deepEqual(combined.on.push.branches, ['main', 'master', 'develop']);
+  assert(combined.jobs.ci_lint.if.includes("github.event_name == 'push'"));
+  assert(combined.jobs.ci_lint.if.includes("github.event_name == 'pull_request'"));
+  assert(!combined.jobs.ci_lint.if.includes("github.event_name == 'schedule'"));
+  assert(combined.jobs.security_security.if.includes("github.event_name == 'schedule'"));
+  assert(combined.jobs.deploy_deploy.if.includes("github.ref_name == 'main'"));
+  assert(combined.jobs.deploy_deploy.if.includes("github.ref_name == 'master'"));
+  assert(!combined.jobs.deploy_deploy.if.includes("github.ref_name == 'develop'"));
+});
+
+test('Single-layout monorepos still generate the root workspace matrix CI', () => {
+  const projectDir = makeTempDir();
+  const packages = [
+    {
+      name: 'app',
+      relativePath: 'packages/app',
+      packageJson: {
+        name: 'app',
+        scripts: {
+          lint: 'echo lint',
+          test: 'echo test',
+          build: 'echo build',
+        },
+      },
+    },
+  ];
+
+  const generator = new WorkflowGenerator(
+    makeJsProject({
+      frameworks: [{ name: 'React', confidence: 1, buildDir: 'dist' }],
+      testing: [{ name: 'Vitest', type: 'unit', confidence: 1, command: 'npm run test' }],
+      monorepoPackages: packages,
+      _config: { monorepo: { perPackage: true } },
+    }),
+    projectDir
+  );
+
+  const ciWorkflow = parseWorkflow(generator.generate().find((workflow) => workflow.filename === 'ci.yml').content);
+
+  assert(ciWorkflow.jobs.ci);
+  assert(ciWorkflow.jobs.ci.strategy);
+  assert.equal(ciWorkflow.jobs.ci.steps.find((step) => step.name === 'Lint').if, '${{ matrix.lintScript != \'\' }}');
+});
+
 test('Frontend Lighthouse is omitted when no build job exists', () => {
   const projectDir = makeTempDir();
   const generator = new WorkflowGenerator(
@@ -576,7 +704,7 @@ test('Per-package CI picks workspace build scripts instead of only reading the r
     makeJsProject({
       testing: [{ name: 'Vitest', type: 'unit', confidence: 1, command: 'npm run test' }],
       monorepoPackages: [pkg],
-      _config: { monorepo: { perPackage: true } },
+      _config: { workflowLayout: 'split', monorepo: { perPackage: true } },
     }),
     projectDir
   );
@@ -635,7 +763,7 @@ test('Monorepo root CI installs dependencies at the repo root and does not hide
       languages: [{ name: 'JavaScript', packageManager: 'yarn', nodeVersion: '20' }],
       monorepoPackages: packages,
       lockFiles: ['yarn.lock'],
-      _config: { monorepo: { perPackage: true } },
+      _config: { workflowLayout: 'split', monorepo: { perPackage: true } },
     }),
     projectDir
   );
@@ -680,7 +808,7 @@ test('Bun monorepo matrix commands are scoped to the workspace path', () => {
       frameworks: [{ name: 'React', confidence: 1, buildDir: 'dist' }],
       languages: [{ name: 'JavaScript', packageManager: 'bun', nodeVersion: '20' }],
       monorepoPackages: packages,
-      _config: { monorepo: { perPackage: true } },
+      _config: { workflowLayout: 'split', monorepo: { perPackage: true } },
     }),
     projectDir
   );
@@ -776,6 +904,54 @@ test('CLI smoke test still generates workflows in dry-run mode', () => {
     stdio: ['ignore', 'pipe', 'pipe'],
   });
 
+  assert(output.includes('.github/workflows/pipeline.yml'));
+  assert(output.includes('.github/dependabot.yml'));
+  assert(output.includes('Unified Pipeline'));
+  assert(output.includes('Done! Your GitHub Actions pipeline is ready.'));
+});
+
+test('CLI write output shows the pipeline file path in single-layout mode', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'cli-write-app',
+      version: '1.0.0',
+      scripts: {
+        test: 'echo ok',
+      },
+    }),
+  });
+
+  const output = execFileSync(process.execPath, ['bin/ciflow.js', 'generate', '--path', projectDir, '--no-prompt'], {
+    cwd: repoRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+
+  assert(output.includes('✔ Written:      .github/workflows/pipeline.yml'));
+  assert(output.includes(`Pipeline → ${path.join(projectDir, '.github', 'workflows', 'pipeline.yml')}`));
+  assert(output.includes(`Dependabot → ${path.join(projectDir, '.github', 'dependabot.yml')}`));
+});
+
+test('CLI supports opting back into split workflow files', () => {
+  const projectDir = makeTempDir();
+  writeFiles(projectDir, {
+    'package.json': json({
+      name: 'cli-split-app',
+      version: '1.0.0',
+      scripts: {
+        test: 'echo ok',
+      },
+    }),
+    'cistack.config.js': `module.exports = { workflowLayout: 'split' };\n`,
+  });
+
+  const output = execFileSync(process.execPath, ['bin/ciflow.js', 'generate', '--path', projectDir, '--dry-run', '--no-prompt'], {
+    cwd: repoRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+
   assert(output.includes('.github/workflows/ci.yml'));
   assert(output.includes('.github/workflows/security.yml'));
   assert(output.includes('Done! Your GitHub Actions pipeline is ready.'));