Please read the AGPL very carefully before saying things like this. There is no reasonable interpretation where some cli program in part of a CI pipeline would infect the result of the pipeline (i.e. build artifacts) unless it actually put itself into the result. (E.g. gcc puts a small amount of code from libgcc into the executable, but that explicitly has a different license).
The "A" of the AGPL expands the distribution rules of the GPL to include network access but doesn't really expand the virality or combined-works parts. It "infects" your program just as much as any GPL program would.
Is that CI provided as a propietary service? If it applied, it would only apply to users of the CI service. So, publish your custom internal CI code to your own developers.
