Skip to content

Commit d7dfd01

Browse files
committed
Add lint and the test suite to PR validation
PRs now run security gates, lint, and the full test suite (perf assertions excluded — they stay in dry runs and releases where a timing-flaky red cannot block a merge). Builds, smoke and soak remain maintainer-driven. Signed-off-by: Martin Vogel <martin.vogel@datadice.io>
1 parent edde9de commit d7dfd01

1 file changed

Lines changed: 30 additions & 14 deletions

File tree

.github/workflows/pr.yml

Lines changed: 30 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
1-
# PR validation: the security gates only — static audit, the license gates
2-
# (structural + ScanCode + npm tree + provenance), and the CodeQL gate.
3-
# The full dry-run chain (lint/test/build/smoke/soak) stays maintainer-driven
4-
# via workflow_dispatch. Branch protection requires `dco` + `ci-ok`.
1+
# PR validation: security gates + lint + full test suite. Builds, smoke and
2+
# soak stay maintainer-driven via the dry-run workflow_dispatch. Branch
3+
# protection requires `dco` + `ci-ok` — a single stable summary context that
4+
# fails unless every PR stage succeeded.
55
name: PR
66

77
on:
@@ -16,20 +16,36 @@ jobs:
1616
uses: ./.github/workflows/_security.yml
1717
secrets: inherit
1818

19+
lint:
20+
uses: ./.github/workflows/_lint.yml
21+
22+
test:
23+
needs: [lint]
24+
if: ${{ !cancelled() && needs.lint.result == 'success' }}
25+
uses: ./.github/workflows/_test.yml
26+
with:
27+
# Perf assertions are timing-sensitive on shared runners; they stay in
28+
# dry runs and releases where a flaky red does not block a merge.
29+
skip_perf: true
30+
1931
ci-ok:
20-
# The one required context (besides dco) — a stable name that fails
21-
# unless the security gates succeeded.
22-
needs: [security]
32+
# The one required context (besides dco) — fails unless every PR stage
33+
# succeeded, so matrix renames can never silently deadlock merges.
34+
needs: [security, lint, test]
2335
if: ${{ always() }}
2436
runs-on: ubuntu-latest
2537
timeout-minutes: 5
2638
steps:
27-
- name: Security gates must have succeeded
39+
- name: All PR stages must have succeeded
2840
env:
29-
RESULT: ${{ needs.security.result }}
41+
RESULTS: ${{ toJSON(needs) }}
3042
run: |
31-
if [ "$RESULT" != "success" ]; then
32-
echo "CI NOT OK: security=$RESULT"
33-
exit 1
34-
fi
35-
echo "CI OK: security gates green"
43+
echo "$RESULTS" | python3 -c "
44+
import json, sys
45+
needs = json.load(sys.stdin)
46+
bad = {k: v['result'] for k, v in needs.items() if v['result'] != 'success'}
47+
if bad:
48+
print('CI NOT OK:', bad)
49+
sys.exit(1)
50+
print('CI OK:', ', '.join(needs))
51+
"

0 commit comments

Comments
 (0)