From 8824c563a706dc743a66511beed58b7f2ecd710b Mon Sep 17 00:00:00 2001
From: Wolfgang Walther
Date: Fri, 22 Aug 2025 18:11:21 +0200
Subject: [PATCH] workflows/{merge-group,pr}: post "no PR failures" status manually
Posting the status manually allows us to avoid the strange "skipped == success" logic and properly skip the `unlock` job for pull_request events in the next commit. This should be much easier to understand than the previous logic.
(cherry picked from commit 2c25cb0891d23f052baac7db22004ec39e683921)
---
 .github/workflows/merge-group.yml | 30 ++++++++++++++++++---------
 .github/workflows/pr.yml | 34 ++++++++++++++++++-------------
 .github/workflows/test.yml | 7 +++++--
 3 files changed, 45 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml
index dac02065debf..e7404d5a6975 100644
--- a/.github/workflows/merge-group.yml
+++ b/.github/workflows/merge-group.yml
@@ -26,19 +26,29 @@ jobs:
 mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
 targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}
- # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
+ # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
 # It "needs" all the jobs that should block the Merge Queue.
- # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
- # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
- no-pr-failures:
+ unlock:
 # Modify this list to add or remove jobs from required status checks.
 needs:
 - lint
- # WARNING:
- # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
- # This would prevent all PRs from passing the merge queue.
- name: no PR failures
- if: ${{ failure() }}
 runs-on: ubuntu-24.04-arm
+ permissions:
+ statuses: write
 steps:
- - run: exit 1
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const { serverUrl, repo, runId, payload } = context
+ const target_url =
+ `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`
+ await github.rest.repos.createCommitStatus({
+ ...repo,
+ sha: payload.merge_group.head_sha,
+ // WARNING:
+ // Do NOT change the name of this, otherwise the rule will not catch it anymore.
+ // This would prevent all PRs from merging.
+ context: 'no PR failures',
+ state: 'success',
+ target_url,
+ })
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index a7720df7226a..b280e7c4dd35 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
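Review bot: The merge-queue gate now rests on a free-form commit status (`context: 'no PR failures'`, `state: 'success'`) rather than on this job's own check result, so any token that holds `statuses: write` on the repository can create the same context on a SHA; the `unlock` job added to pr.yml has the same property. The ruleset is not visible here, but its required check should be restricted to the GitHub Actions source so that a status posted by another integration does not satisfy it. Separately, `sha: payload.merge_group.head_sha` reads the event payload directly while the context line above falls back from `inputs.mergedSha`, which suggests the workflow also runs without a merge_group payload. A job-level guard such as `if: github.event_name == 'merge_group'` would keep the script from throwing there; the commit message defers that to a follow-up commit.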
@@ -119,26 +119,32 @@ jobs:
 baseBranch: ${{ needs.prepare.outputs.baseBranch }}
 mergedSha: ${{ needs.prepare.outputs.mergedSha }}
- # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
+ # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
 # It "needs" all the jobs that should block merging a PR.
- # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
- # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
- no-pr-failures:
+ unlock:
 # Modify this list to add or remove jobs from required status checks.
 needs:
 - check
 - lint
 - eval
 - build
- # WARNING:
- # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
- # This would prevent all PRs from merging.
- name: no PR failures
- # A single job is "cancelled" when it hits its timeout. This is not the same
- # as "skipped", which happens when the `if` condition doesn't apply.
- # The "cancelled()" function only checks the whole workflow, but not individual
- # jobs.
- if: ${{ failure() || contains(needs.*.result, 'cancelled') }}
 runs-on: ubuntu-24.04-arm
+ permissions:
+ statuses: write
 steps:
- - run: exit 1
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const { serverUrl, repo, runId, payload } = context
+ const target_url =
+ `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}?pr=${payload.pull_request.number}`
+ await github.rest.repos.createCommitStatus({
+ ...repo,
+ sha: payload.pull_request.head.sha,
+ // WARNING:
+ // Do NOT change the name of this, otherwise the rule will not catch it anymore.
+ // This would prevent all PRs from merging.
+ context: 'no PR failures',
+ state: 'success',
+ target_url,
+ })
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f26c371a5563..b3c2c6c59863 100644
--- a/.github/workflows/test.yml
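Review bot: Nothing in this hunk ever sets 'no PR failures' back to `pending` or `failure`, so a `success` posted on `payload.pull_request.head.sha` by one run stays on that commit when a later run for the same head SHA (a re-run, or a run after the base branch moved) fails or is cancelled. The removed job failed its own check on every such run; the new `unlock` job is only skipped, which leaves the earlier status in place. Consider posting `state: 'pending'` for the same context at the start of the workflow, or running this job with `if: always()` and deriving the state from `needs.*.result`. Whether a job outside this hunk already resets the status is not visible here.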
+++ b/.github/workflows/test.yml
@@ -76,6 +76,9 @@ jobs:
 name: Merge Group
 needs: [prepare]
 uses: ./.github/workflows/merge-group.yml
+ # Those are actually only used on the merge_group event, but will throw an error if not set.
+ permissions:
+ statuses: write
 secrets:
 CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 with:
@@ -87,7 +90,7 @@ jobs:
 name: PR
 needs: [prepare]
 uses: ./.github/workflows/pr.yml
- # Those are not actually used on pull_request, but will throw an error if not set.
+ # Those are actually only used on the pull_request_target event, but will throw an error if not set.
 permissions:
 issues: write
 pull-requests: write
@@ -102,7 +105,7 @@ jobs:
 name: Push
 needs: [prepare]
 uses: ./.github/workflows/push.yml
- # Those are not actually used on push, but will throw an error if not set.
+ # Those are not actually used on the push or pull_request events, but will throw an error if not set.
 permissions:
 statuses: write
 secrets:
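Review bot: The comment added above `permissions: statuses: write` on the `merge-group` call (first hunk of this file) does not say which job consumes the scope, although it is now the scope that can set the required 'no PR failures' status. I would name the consumer, e.g. `# statuses: write is needed by the unlock job in merge-group.yml to post the "no PR failures" commit status; the call errors if it is not granted here.` A caller grant is a ceiling for every job in the called workflow, so it is also worth confirming (not visible here) that the other jobs in merge-group.yml declare their own narrower `permissions`. The other two hunks in this file only reword comments.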