From 04bdf24007f40ec145d42f64a48c6938ac4d5d98 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Mon, 20 Apr 2026 19:02:26 +0200
Subject: [PATCH 1/2] ci: add aggregated 'CI - Required Checks' job
Add a terminal aggregation job to the CI workflow that depends on all other jobs (ci, auto-commit) and gates on their results. This satisfies the org-wide ruleset requiring a single 'CI - Required Checks' status check on PRs. The job requires 'ci' to succeed, tolerates 'auto-commit' being skipped (forks, pushes), but fails if it errors.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 574e4f8..d4d8706 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -206,3 +206,33 @@ jobs:
 with:
 commit_message: "chore: auto-fix lockfile and formatting"
 branch: ${{ github.head_ref }}
+
+ required-checks:
+ name: CI - Required Checks
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ if: always()
+ needs: [ci, auto-commit]
+ permissions: {}
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+
+ - name: Verify required checks passed
+ run: |
+ echo "ci: ${{ needs.ci.result }}"
+ echo "auto-commit: ${{ needs.auto-commit.result }}"
+
+ if [[ "${{ needs.ci.result }}" != "success" ]]; then
+ echo "::error::CI checks failed or were cancelled."
+ exit 1
+ fi
+
+ if [[ "${{ needs.auto-commit.result }}" == "failure" ]]; then
+ echo "::error::Auto-commit failed."
+ exit 1
+ fi
+
+ echo "All required checks passed."
From 15eaa40bdf7003287d0000880e365923967ffdb8 Mon Sep 17 00:00:00 2001
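Review bot: The `name: CI - Required Checks` value is load-bearing — the commit message says the org ruleset matches on exactly this string — but nothing in the YAML records that, so a later cosmetic rename would silently leave PRs with no required check reporting. I would put a comment above `required-checks:` such as `# Terminal gate job: its display name must stay "CI - Required Checks" to match the org-wide ruleset; add every new job to needs: so the gate covers it.` The second half matters as much as the first, since a job added later but not listed in `needs:` is invisible to the gate. Separately, this job's only work is a few echoes with no outbound calls, so `egress-policy: block` on the harden-runner step would cost nothing here and give a stricter baseline than `audit`, unless the workflow deliberately keeps every job on audit for consistency.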
From: Nikolai Emil Damm
Date: Mon, 20 Apr 2026 19:08:06 +0200
Subject: [PATCH 2/2] fix: address review feedback in required-checks job
- Move template expressions to env vars to fix zizmor code injection warnings (expressions in run: blocks are injection vectors).
- Switch auto-commit check from blocklist (failure) to allowlist (success/skipped) so cancelled state also fails the gate.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d4d8706..d50ad88 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -221,17 +221,20 @@ jobs:
 egress-policy: audit
 - name: Verify required checks passed
+ env:
+ CI_RESULT: ${{ needs.ci.result }}
+ AUTO_COMMIT_RESULT: ${{ needs.auto-commit.result }}
 run: |
- echo "ci: ${{ needs.ci.result }}"
- echo "auto-commit: ${{ needs.auto-commit.result }}"
+ echo "ci: $CI_RESULT"
+ echo "auto-commit: $AUTO_COMMIT_RESULT"
- if [[ "${{ needs.ci.result }}" != "success" ]]; then
+ if [[ "$CI_RESULT" != "success" ]]; then
 echo "::error::CI checks failed or were cancelled."
 exit 1
 fi
- if [[ "${{ needs.auto-commit.result }}" == "failure" ]]; then
- echo "::error::Auto-commit failed."
+ if [[ "$AUTO_COMMIT_RESULT" != "success" && "$AUTO_COMMIT_RESULT" != "skipped" ]]; then
+ echo "::error::Auto-commit failed or was cancelled."
 exit 1
 fi
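Review bot: The new allowlist on `$AUTO_COMMIT_RESULT` accepts `skipped`, but the script does not say why that outcome is tolerated while the `$CI_RESULT` check above it rejects it, and the asymmetry will look like an oversight to the next reader. I would add a shell comment directly above the second `if`: `# auto-commit is skipped on forks and on pushes, so "skipped" is an expected outcome; anything other than success/skipped (failure, cancelled) fails the gate`, and a matching one above the first `if` noting that `ci` is required to run, so a skipped or cancelled `ci` fails closed on purpose. Moving the expressions into `env:` is the right pattern; since `needs.*.result` is a fixed enum the injection exposure was nominal, but the comment should not claim the env vars are untrusted input. The `run:` block continues past the end of this hunk.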