workflows/{merge-group,pr}: post "no PR failures" status manually

Posting the status manually allows us to avoid the strange "skipped == success" logic and properly skip the `unlock` job for pull_request events in the next commit. This should be much easier to understand than the previous logic. (cherry picked from commit 2c25cb0891)
2026-01-11 18:32:23 +08:00 · 2025-08-22 18:11:21 +02:00
parent 8a43ec9631
commit 8824c563a7
3 changed files with 45 additions and 26 deletions
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -26,19 +26,29 @@ jobs:
      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
      targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}

-  # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
+  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block the Merge Queue.
-  # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
-  # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
-  no-pr-failures:
+  unlock:
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - lint
-    # WARNING:
-    # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
-    # This would prevent all PRs from passing the merge queue.
-    name: no PR failures
-    if: ${{ failure() }}
    runs-on: ubuntu-24.04-arm
+    permissions:
+      statuses: write
    steps:
-      - run: exit 1
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const { serverUrl, repo, runId, payload } = context
+            const target_url =
+              `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`
+            await github.rest.repos.createCommitStatus({
+              ...repo,
+              sha: payload.merge_group.head_sha,
+              // WARNING:
+              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
+              // This would prevent all PRs from merging.
+              context: 'no PR failures',
+              state: 'success',
+              target_url,
+            })
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -119,26 +119,32 @@ jobs:
      baseBranch: ${{ needs.prepare.outputs.baseBranch }}
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}

-  # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
+  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block merging a PR.
-  # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
-  # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
-  no-pr-failures:
+  unlock:
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - check
      - lint
      - eval
      - build
-    # WARNING:
-    # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
-    # This would prevent all PRs from merging.
-    name: no PR failures
-    # A single job is "cancelled" when it hits its timeout. This is not the same
-    # as "skipped", which happens when the `if` condition doesn't apply.
-    # The "cancelled()" function only checks the whole workflow, but not individual
-    # jobs.
-    if: ${{ failure() || contains(needs.*.result, 'cancelled') }}
    runs-on: ubuntu-24.04-arm
+    permissions:
+      statuses: write
    steps:
-      - run: exit 1
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const { serverUrl, repo, runId, payload } = context
+            const target_url =
+              `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
+            await github.rest.repos.createCommitStatus({
+              ...repo,
+              sha: payload.pull_request.head.sha,
+              // WARNING:
+              // Do NOT change the name of this, otherwise the rule will not catch it anymore.
+              // This would prevent all PRs from merging.
+              context: 'no PR failures',
+              state: 'success',
+              target_url,
+            })
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -76,6 +76,9 @@ jobs:
    name: Merge Group
    needs: [prepare]
    uses: ./.github/workflows/merge-group.yml
+    # Those are actually only used on the merge_group event, but will throw an error if not set.
+    permissions:
+      statuses: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
@@ -87,7 +90,7 @@ jobs:
    name: PR
    needs: [prepare]
    uses: ./.github/workflows/pr.yml
-    # Those are not actually used on pull_request, but will throw an error if not set.
+    # Those are actually only used on the pull_request_target event, but will throw an error if not set.
    permissions:
      issues: write
      pull-requests: write
@@ -102,7 +105,7 @@ jobs:
    name: Push
    needs: [prepare]
    uses: ./.github/workflows/push.yml
-    # Those are not actually used on push, but will throw an error if not set.
+    # Those are not actually used on the push or pull_request events, but will throw an error if not set.
    permissions:
      statuses: write
    secrets: