Skip to content

Commit 8dbb41c

Browse files
committed
Run the full validation pipeline on pull requests
Pull requests now execute the dry-run chain (security including the license gates, lint, full test suite, all build legs, smoke) plus a single ci-ok summary job that fails unless every stage succeeded. Branch protection requires dco + ci-ok, so nothing unverified can merge — including from admins. CodeQL also runs on pull requests so the security island completes on PR commits. Signed-off-by: Martin Vogel <martin.vogel@datadice.io>
1 parent 2a0ec32 commit 8dbb41c

2 files changed

Lines changed: 63 additions & 0 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,8 @@ name: CodeQL SAST
33
on:
44
push:
55
branches: [main]
6+
pull_request:
7+
branches: [main]
68

79
permissions:
810
security-events: write

.github/workflows/pr.yml

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
# PR validation: the full dry-run pipeline (minus soak) on every pull
2+
# request. Branch protection requires the final `ci-ok` summary job — a
3+
# single stable context that fails unless every stage succeeded, so matrix
4+
# renames can never silently deadlock merges.
5+
name: PR
6+
7+
on:
8+
pull_request:
9+
branches: [main]
10+
11+
permissions:
12+
contents: read
13+
14+
jobs:
15+
security:
16+
uses: ./.github/workflows/_security.yml
17+
secrets: inherit
18+
19+
lint:
20+
uses: ./.github/workflows/_lint.yml
21+
22+
test:
23+
needs: [lint]
24+
if: ${{ !cancelled() && needs.lint.result == 'success' }}
25+
uses: ./.github/workflows/_test.yml
26+
with:
27+
# Perf assertions are timing-sensitive on shared runners; they stay in
28+
# dry runs and releases where a flaky red does not block a merge.
29+
skip_perf: true
30+
31+
build:
32+
needs: [test]
33+
if: ${{ !cancelled() && needs.test.result == 'success' }}
34+
uses: ./.github/workflows/_build.yml
35+
36+
smoke:
37+
needs: [build]
38+
if: ${{ !cancelled() && needs.build.result == 'success' }}
39+
uses: ./.github/workflows/_smoke.yml
40+
41+
ci-ok:
42+
# The one required context (besides dco). Runs even when upstream jobs
43+
# fail, and passes only when every stage succeeded.
44+
needs: [security, lint, test, build, smoke]
45+
if: ${{ always() }}
46+
runs-on: ubuntu-latest
47+
timeout-minutes: 5
48+
steps:
49+
- name: All stages must have succeeded
50+
env:
51+
RESULTS: ${{ toJSON(needs) }}
52+
run: |
53+
echo "$RESULTS" | python3 -c "
54+
import json, sys
55+
needs = json.load(sys.stdin)
56+
bad = {k: v['result'] for k, v in needs.items() if v['result'] != 'success'}
57+
if bad:
58+
print('CI NOT OK:', bad)
59+
sys.exit(1)
60+
print('CI OK:', ', '.join(needs))
61+
"

0 commit comments

Comments
 (0)