Commit e8ede9c

Fix CI check: evaluate only latest run per workflow, not all runs
When falling back to the workflow runs API, checking all runs would incorrectly block a PR where a workflow failed and was successfully re-run. Group by workflow name and take the highest run_number as the authoritative result for each workflow. Same wording fix applied to AI agent instructions (Step 2 CI check).
1 parent 04c6679 commit e8ede9c

2 files changed

Lines changed: 15 additions & 9 deletions

.github/workflows/dependabot-major-merge.yml

Lines changed: 14 additions & 8 deletions
@@ -113,31 +113,37 @@ jobs:
113113
114114
if [ "$TOTAL" -eq 0 ]; then
115115
echo "No check-runs found — falling back to workflow runs API (common for Dependabot PRs)..."
116-
WORKFLOW_RUNS=$(gh api \
116+
ALL_RUNS=$(gh api \
117117
"/repos/${{ github.repository }}/actions/runs?head_sha=$PR_SHA&per_page=100" \
118118
--jq '[.workflow_runs[] | select(.name != "Dependabot major-version auto-merge")]')
119-
WF_TOTAL=$(echo "$WORKFLOW_RUNS" | jq 'length')
120-
echo "Found $WF_TOTAL workflow run(s) via actions/runs API."
119+
WF_TOTAL=$(echo "$ALL_RUNS" | jq 'length')
120+
echo "Found $WF_TOTAL total workflow run(s) via actions/runs API."
121121
122122
if [ "$WF_TOTAL" -eq 0 ]; then
123123
echo "::error::No CI results found via either API — refusing to merge without CI signals."
124124
exit 1
125125
fi
126126
127-
WF_PENDING=$(echo "$WORKFLOW_RUNS" | jq '[.[] | select(.status != "completed")] | length')
128-
WF_FAILED=$(echo "$WORKFLOW_RUNS" | jq '[.[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")] | length')
127+
# Take only the latest run per workflow (highest run_number), so a
128+
# successful re-run after an earlier failure isn't blocked by the old failure.
129+
LATEST_RUNS=$(echo "$ALL_RUNS" | jq '[group_by(.name)[] | sort_by(.run_number) | last]')
130+
LATEST_TOTAL=$(echo "$LATEST_RUNS" | jq 'length')
131+
echo "Evaluating $LATEST_TOTAL latest run(s) (one per workflow)."
132+
133+
WF_PENDING=$(echo "$LATEST_RUNS" | jq '[.[] | select(.status != "completed")] | length')
134+
WF_FAILED=$(echo "$LATEST_RUNS" | jq '[.[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")] | length')
129135
130136
if [ "$WF_PENDING" -gt 0 ]; then
131137
echo "::error::$WF_PENDING workflow run(s) are still pending — refusing to merge."
132-
echo "$WORKFLOW_RUNS" | jq '[.[] | select(.status != "completed")] | .[].name'
138+
echo "$LATEST_RUNS" | jq '[.[] | select(.status != "completed")] | .[].name'
133139
exit 1
134140
fi
135141
if [ "$WF_FAILED" -gt 0 ]; then
136142
echo "::error::$WF_FAILED workflow run(s) did not succeed — refusing to merge."
137-
echo "$WORKFLOW_RUNS" | jq '[.[] | select(.conclusion != "success" and .conclusion != "skipped")] | .[] | {name, conclusion}'
143+
echo "$LATEST_RUNS" | jq '[.[] | select(.conclusion != "success" and .conclusion != "skipped")] | .[] | {name, conclusion}'
138144
exit 1
139145
fi
140-
echo "✅ All $WF_TOTAL workflow run(s) passed (via actions/runs API)."
146+
echo "✅ All $LATEST_TOTAL latest workflow run(s) passed (via actions/runs API)."
141147
else
142148
FAILED=$(echo "$CHECK_RUNS" | jq '[.[] | select(.conclusion != "success" and .conclusion != "skipped" and .conclusion != null)] | length')
143149
PENDING=$(echo "$CHECK_RUNS" | jq '[.[] | select(.conclusion == null)] | length')
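
Review bot: `group_by(.name)` in the `LATEST_RUNS` line keys on the workflow display name, which is not unique: two workflow files can share the same `name:`, and `run_number` counts separately for each workflow. A failed run of one could then be dropped in favour of a passing run of the other with a higher number, and this gate would proceed to merge. Group on the workflow's identity instead, for example `group_by(.workflow_id)[] | sort_by(.run_number) | last`, and keep `.name` only for the log output. The fetch feeding `ALL_RUNS` also uses `per_page=100` with no pagination, so a head SHA with more than 100 runs is evaluated on a truncated list; fail closed when the response's `total_count` exceeds the number of runs returned.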

.github/workflows/dependabot-major-review.md

Lines changed: 1 addition & 1 deletion
@@ -96,7 +96,7 @@ For each candidate PR, perform the following checks in order. If any check fails
9696
- Single package: "Bump <package> from <old> to <new>" — parse semver, only proceed if major version increased OR if this is a multi-package PR
9797
- Multi-package: "Bump <package> in <path>" with a branch name containing `/multi-` — these have multiple packages updated together and `fetch-metadata` returns null for `update-type`. **Always process these** regardless of version increment — the AI must analyze the diff to determine all version changes
9898
- If the title is a single-package bump where the major version has NOT increased (pure patch/minor), skip it — the existing auto-merge workflow handles those
99-
4. **CI status:** Use the `actions` toolset to retrieve check runs for the PR's head commit. Verify that every check run has a conclusion of `"success"` or `"skipped"`. If the check-runs endpoint returns 0 results, also query workflow runs by head SHA (`GET /repos/IntelliTect/try/actions/runs?head_sha=<sha>`) — Dependabot PRs often register their CI only as workflow runs, not as check-run objects. At least one workflow run must exist and all must have `conclusion: "success"`. If any check or run has failed, is cancelled, or is still in-progress/pending, skip this PR entirely.
99+
4. **CI status:** Use the `actions` toolset to retrieve check runs for the PR's head commit. Verify that every check run has a conclusion of `"success"` or `"skipped"`. If the check-runs endpoint returns 0 results, also query workflow runs by head SHA (`GET /repos/IntelliTect/try/actions/runs?head_sha=<sha>`) — Dependabot PRs often register their CI only as workflow runs, not as check-run objects. Group runs by workflow name and evaluate only the **latest run per workflow** (highest run number) — a successful re-run after an earlier failure is valid. At least one workflow run must exist and the latest run for every workflow must have `conclusion: "success"` or `"skipped"`. If any latest run has failed, is cancelled, or is still in-progress/pending, skip this PR entirely.
100100

101101
### Step 3: Verify the Diff is Version-Only
102102
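
Review bot: In the rewritten step 4, the requirement that the latest run for every workflow has `conclusion: "success"` or `"skipped"` is met when every latest run is skipped, so a PR can pass this check without any workflow having actually succeeded. Require at least one latest run with `"success"`. The closing sentence lists only failed, cancelled and in-progress/pending; wording it as "any conclusion other than success or skipped" leaves no room for the agent to wave through values such as `timed_out` or `action_required`. "Highest run number" should also say it is compared within one workflow, since the instruction groups by name.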
