Conversation
Pull requests now execute the dry-run chain (security including the license gates, lint, full test suite, all build legs, smoke) plus a single ci-ok summary job that fails unless every stage succeeded. Branch protection requires dco + ci-ok, so nothing unverified can merge — including from admins. CodeQL also runs on pull requests so the security island completes on PR commits. Signed-off-by: Martin Vogel <martin.vogel@datadice.io>
Pull requests run the security island only — static audit, license gates, and the CodeQL gate plus the ci-ok summary; the full dry-run chain (lint/test/build/smoke) stays maintainer-driven via workflow_dispatch. The CodeQL gate now resolves the PR head SHA instead of the synthetic merge commit so it can find the analysis run. Signed-off-by: Martin Vogel <martin.vogel@datadice.io>
PRs now run security gates, lint, and the full test suite (perf assertions excluded — they stay in dry runs and releases where a timing-flaky red cannot block a merge). Builds, smoke and soak remain maintainer-driven. Signed-off-by: Martin Vogel <martin.vogel@datadice.io>
It names license identifiers in its verdict maps by design — the same documented false-positive category as the other license tooling. Signed-off-by: Martin Vogel <martin.vogel@datadice.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds the PR validation workflow (security + lint + tests + builds + smoke + ci-ok summary) and extends CodeQL to pull requests. With branch protection requiring
dco+ci-ok, every merge — including by admins — needs a fully green pipeline and signed commits.This PR is itself the first end-to-end run of that gate.