Merge queue: make dev checks required + add .asf.yaml validation (apache#21239)

blaginin · web-flow · commit 18af5189e212 · 2026-04-02T21:43:03.000Z
Related to apache#6880 Follow up on apache#17538 Bringing back the merge queues 🤞🏻 Last time it was painful because: - there was no `.asf.yaml` validation - if something goes wrong, we weren't able to force merge without the infra team this PR solved the first problem. As for the second one, I have the permissions to bypass so should be able to quickly revert if something ever goes bad <img width="830" height="151" alt="image" src="https://github.com/user-attachments/assets/62fb2bb5-44d8-4aae-a006-188d96728140" /> Check result: https://github.com/apache/datafusion/actions/runs/23715604583/job/69082077684?pr=21239 I also checked that CI will keep working by [merging](apache/datafusion-sandbox#197) this into our sandbox and then opening and merging [a dummy pr](apache/datafusion-sandbox#204) For now, bringing just the basic checks (in dev.yml). Will do rust.yml separately if everything goes smoothly after this one is merged
diff --git a/.asf.yaml b/.asf.yaml
@@ -51,6 +51,12 @@ github:
     main:
       required_pull_request_reviews:
         required_approving_review_count: 1
+      required_status_checks:
+        contexts:
+          - "Check License Header"
+          - "Use prettier to check formatting of documents"
+          - "Validate required_status_checks in .asf.yaml"
+          - "Spell Check with Typos"
     # needs to be updated as part of the release process
     # .asf.yaml doesn't support wildcard branch protection rules, only exact branch names
     # https://github.com/apache/infrastructure-asfyaml?tab=readme-ov-file#branch-protection
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
@@ -51,6 +51,14 @@ jobs:
       # if you encounter error, see instructions inside the script
         run: ci/scripts/doc_prettier_check.sh
 
+  asf-yaml-check:
+    name: Validate required_status_checks in .asf.yaml
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - run: pip install pyyaml
+      - run: python3 ci/scripts/check_asf_yaml_status_checks.py
+
   typos:
     name: Spell Check with Typos
     runs-on: ubuntu-latest
diff --git a/ci/scripts/check_asf_yaml_status_checks.py b/ci/scripts/check_asf_yaml_status_checks.py
@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+Validate that every entry in .asf.yaml required_status_checks
+matches an actual GitHub Actions job name, and that the workflow
+is not filtered by paths/paths-ignore (which would prevent the
+check from running on some PRs, blocking merges).
+
+A typo or stale entry in required_status_checks will block all
+merges for the project, so this check catches that early.
+"""
+
+import glob
+import os
+import sys
+
+import yaml
+
+
+def get_required_checks(asf_yaml_path):
+    """Extract all required_status_checks contexts from .asf.yaml."""
+    with open(asf_yaml_path) as f:
+        config = yaml.safe_load(f)
+
+    checks = {}  # context -> list of branches requiring it
+    branches = config.get("github", {}).get("protected_branches", {})
+    for branch, settings in branches.items():
+        contexts = (
+            settings.get("required_status_checks", {}).get("contexts", [])
+        )
+        for ctx in contexts:
+            checks.setdefault(ctx, []).append(branch)
+
+    return checks
+
+
+def get_workflow_jobs(workflows_dir):
+    """Collect all jobs with their metadata from GitHub Actions workflow files.
+
+    Returns a dict mapping job identifier (name or key) to a list of
+    (workflow_file, has_path_filters) tuples.
+    """
+    jobs = {}  # identifier -> [(workflow_file, has_path_filters)]
+    for workflow_file in sorted(glob.glob(os.path.join(workflows_dir, "*.yml"))):
+        with open(workflow_file) as f:
+            workflow = yaml.safe_load(f)
+
+        if not workflow or "jobs" not in workflow:
+            continue
+
+        # Check if pull_request trigger has path filters
+        on = workflow.get(True, workflow.get("on", {}))  # yaml parses `on:` as True
+        pr_trigger = on.get("pull_request", {}) if isinstance(on, dict) else {}
+        has_path_filters = bool(
+            isinstance(pr_trigger, dict)
+            and (pr_trigger.get("paths") or pr_trigger.get("paths-ignore"))
+        )
+
+        basename = os.path.basename(workflow_file)
+        for job_key, job_config in workflow.get("jobs", {}).items():
+            if not isinstance(job_config, dict):
+                continue
+            job_name = job_config.get("name", job_key)
+            info = (basename, has_path_filters)
+            jobs.setdefault(job_name, []).append(info)
+            if job_key != job_name:
+                jobs.setdefault(job_key, []).append(info)
+
+    return jobs
+
+
+def main():
+    repo_root = os.path.dirname(
+        os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+    )
+    asf_yaml = os.path.join(repo_root, ".asf.yaml")
+    workflows_dir = os.path.join(repo_root, ".github", "workflows")
+
+    required_checks = get_required_checks(asf_yaml)
+    if not required_checks:
+        print("No required_status_checks found in .asf.yaml — nothing to validate.")
+        return
+
+    jobs = get_workflow_jobs(workflows_dir)
+    errors = []
+
+    for ctx in sorted(required_checks):
+        branches = ", ".join(sorted(required_checks[ctx]))
+        if ctx not in jobs:
+            errors.append(
+                f'  - "{ctx}" (branch: {branches}): '
+                f"not found in any GitHub Actions workflow"
+            )
+            continue
+
+        # Check if ALL workflows providing this job have path filters
+        # (if at least one doesn't, the check will still run)
+        filtered_workflows = [
+            wf for wf, has_filter in jobs[ctx] if has_filter
+        ]
+        unfiltered_workflows = [
+            wf for wf, has_filter in jobs[ctx] if not has_filter
+        ]
+        if filtered_workflows and not unfiltered_workflows:
+            wf_list = ", ".join(filtered_workflows)
+            errors.append(
+                f'  - "{ctx}" (branch: {branches}): '
+                f"workflow {wf_list} uses paths/paths-ignore filters on "
+                f"pull_request, so this check won't run for some PRs "
+                f"and will block merging"
+            )
+
+    if errors:
+        print("ERROR: Problems found with required_status_checks in .asf.yaml:\n")
+        print("\n".join(errors))
+        print()
+        print("Available job names across all workflows:")
+        for name in sorted(jobs):
+            print(f"  - {name}")
+        sys.exit(1)
+
+    print(
+        f"OK: All {len(required_checks)} required_status_checks "
+        "match existing GitHub Actions jobs."
+    )
+
+
+if __name__ == "__main__":
+    main()
