ci: run strict-schema via workflow_run after mirror-tarball

Strict schema validation requires tarball + sha256 to be populated, but
merge PRs intentionally leave those null (mirror-tarball fills them
post-merge). The prior trigger raced with mirror and always failed on
main because mirror bot commits dont re-trigger push workflows under
GITHUB_TOKEN.

Switch strict-main to workflow_run so it runs after mirror-tarball
completes successfully on main. The four non-strict jobs still fire on
pull_request and push-to-main; they are gated off the workflow_run
event to avoid duplicate runs.

Observed failure pattern on PR #4 (wheels-seo-suite v2.0.0) and PR #5
(wheels-basecoat + wheels-hotwire v1.0.1). Both had all PR-time checks
green, mirror-tarball succeeded, notify-site dispatched correctly, but
the push-to-main validate run showed a red strict-main.

Author: bpamiri

.github/workflows/validate.yml

@@ -10,10 +10,16 @@ on:
     paths:
       - "packages/**"
       - "schema/**"
+  # Fire the strict-schema job only after mirror-tarball has populated the
+  # freshly-merged null entries. See the strict-main job comment for details.
+  workflow_run:
+    workflows: ["mirror-tarball"]
+    types: [completed]
 
 jobs:
   schema:
     name: JSONSchema validation
+    if: github.event_name != 'workflow_run'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -37,13 +43,22 @@ jobs:
 
   strict-main:
     name: Strict schema (tarball + sha256 required)
-    # Runs only on main. PRs submit with null tarball/sha256; the mirror
-    # workflow populates them post-merge, after which this re-run on main
-    # enforces that every version entry is fully materialized.
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    # Runs only after mirror-tarball completes on main. Merge PRs submit with
+    # null tarball/sha256; mirror-tarball populates them and pushes a backfill
+    # commit. That bot-push doesn't re-trigger push-driven workflows (default
+    # GITHUB_TOKEN behavior), so we use workflow_run to re-enter here and
+    # enforce that every version entry is fully materialized.
+    if: >-
+      github.event_name == 'workflow_run' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'main'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          # Explicit main checkout — default on workflow_run triggers is the
+          # triggering workflow's head_sha (pre-mirror), which still has nulls.
+          ref: main
 
       - uses: actions/setup-node@v4
         with:
@@ -66,6 +81,7 @@ jobs:
 
   structure:
     name: Directory + name consistency
+    if: github.event_name != 'workflow_run'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -94,6 +110,7 @@ jobs:
 
   source-resolvable:
     name: source.repo + sourceTag resolve on GitHub
+    if: github.event_name != 'workflow_run'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -122,6 +139,7 @@ jobs:
 
   content-safety:
     name: File-type allowlist + size cap
+    if: github.event_name != 'workflow_run'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4