ci: add aggregated 'CI - Required Checks' job#18
Merged
botantler[bot] merged 2 commits intomainfrom Apr 20, 2026
Merged
Conversation
Add a terminal aggregation job to the CI workflow that depends on all other jobs (ci, auto-commit) and gates on their results. This satisfies the org-wide ruleset requiring a single 'CI - Required Checks' status check on PRs. The job requires 'ci' to succeed, tolerates 'auto-commit' being skipped (forks, pushes), but fails if it errors. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
![botantler[bot]](https://avatars.githubusercontent.com/in/1025824?s=60&v=4){kind=small}
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a terminal aggregation job (CI - Required Checks) to produce a single required CI status check for org-wide rulesets.
Changes:
- Introduces a new
required-checksjob that depends onciandauto-commit - Forces the aggregation job to run via
if: always()and validates upstream job results - Locks down permissions and audits outbound network calls in the aggregation job
- Move template expressions to env vars to fix zizmor code injection warnings (expressions in run: blocks are injection vectors). - Switch auto-commit check from blocklist (failure) to allowlist (success/skipped) so cancelled state also fails the gate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a terminal aggregation job (
CI - Required Checks) to the CI workflow that satisfies the org-wide ruleset requiring a single status check on PRs.Changes
required-checksjob to.github/workflows/ci.ymlneeds: [ci, auto-commit], transitively covering all 4 existing jobsif: always()so it runs even whenauto-commitis skipped (pushes to main, fork PRs)cito succeed; toleratesauto-commitskip but fails on errorBehavior matrix
ciauto-commitCI - Required Checkscici