From 682ee5186abba37d0e5f0b57306639fc39396fbe Mon Sep 17 00:00:00 2001
From: Joao Luis Sombrio
Date: Wed, 27 May 2026 14:03:45 -0300
Subject: [PATCH] ci: restore fail-the-PR-check on clang-tidy findings in stage A
The split workflow removed the inline reviewdog step from stage A, which silently downgraded enforcement: stage A now exits 0 even when PR-diff clang-tidy findings exist, so branch protection on the `clang-tidy-bazel` check passes and merges are no longer blocked on lint findings. Stage B's `-fail-level=any` runs in workflow_run context where the resulting check binds to the default-branch SHA, not the PR head, so it cannot satisfy a required PR check. Restore the old behaviour:
- Stage A re-adds reviewdog (set up + run with -reporter=local -filter-mode=added -fail-level=any). The fork-PR token is read-only, but `-reporter=local` only needs the filesystem and a `-diff` command, so this works in all PR contexts. Step is positioned AFTER the artifact upload so the post workflow still has the findings to post as review comments even when this step exits non-zero.
- Stage B's guard relaxes from `conclusion == 'success'` to `conclusion != 'cancelled'`, so it still runs when Stage A's check step failed (artifact is uploaded before that fail step).
Signed-off-by: Joao Luis Sombrio
---
 .../github-actions-clang-tidy-bazel-post.yml | 7 ++++--
 .../github-actions-clang-tidy-bazel.yml | 25 +++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/github-actions-clang-tidy-bazel-post.yml b/.github/workflows/github-actions-clang-tidy-bazel-post.yml
index 881ea716040..e1d989bfee5 100644
--- a/.github/workflows/github-actions-clang-tidy-bazel-post.yml
+++ b/.github/workflows/github-actions-clang-tidy-bazel-post.yml
@@ -24,8 +24,11 @@ permissions:
 jobs:
 Post-Reviewdog:
- # Skip if the upstream build failed before producing an artifact.
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ # Run on success AND failure: Stage A intentionally exits non-zero when
+ # clang-tidy findings exist on the PR diff (to fail the required PR
+ # check), but the artifact is uploaded *before* that fail step, so the
+ # findings are still posted as review comments. Only skip on cancelled.
+ if: ${{ github.event.workflow_run.conclusion != 'cancelled' }}
 runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
 steps:
 # Reviewdog's github-pr-review reporter resolves the local git root
diff --git a/.github/workflows/github-actions-clang-tidy-bazel.yml b/.github/workflows/github-actions-clang-tidy-bazel.yml
index 522120654e3..4166c770af3 100644
--- a/.github/workflows/github-actions-clang-tidy-bazel.yml
+++ b/.github/workflows/github-actions-clang-tidy-bazel.yml
@@ -110,3 +110,28 @@ jobs:
 pr-meta.txt
 retention-days: 7
 if-no-files-found: error
+
+ - name: Set up reviewdog
+ uses: reviewdog/action-setup@v1
+ with:
+ reviewdog_version: latest
+
+ - name: Fail check on clang-tidy findings in PR diff
+ # Runs after the artifact upload so the post workflow always has the
+ # findings to comment on, even when this step exits non-zero.
+ # Uses -reporter=local because the fork-PR token is read-only here;
+ # local mode just prints to stdout and exits with -fail-level=any if
+ # findings exist. The post workflow does the actual review posting.
+ env:
+ BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ run: |
+ reviewdog \
+ -efm="%E%f:%l:%c: error: %m" \
+ -efm="%W%f:%l:%c: warning: %m" \
+ -name="clang-tidy" \
+ -reporter=local \
+ -diff="git diff ${BASE_SHA}...${HEAD_SHA}" \
+ -filter-mode=added \
+ -fail-level=any \
+ < clang-tidy.txt
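Review bot: In `github-actions-clang-tidy-bazel-post.yml`, the new guard `conclusion != 'cancelled'` admits more than the "success AND failure" its comment describes: conclusions such as `timed_out`, `skipped` or `action_required` also pass, as does a `failure` that happened before the artifact upload. Because this job runs in the `workflow_run` context with the repository's own token, I would name the accepted upstream outcomes explicitly: `if: ${{ contains(fromJSON('["success", "failure"]'), github.event.workflow_run.conclusion) }}`. The job's steps continue outside the hunk, so I cannot see how a missing artifact is handled; it should end the job cleanly rather than post partial results. The downloaded `clang-tidy.txt` and `pr-meta.txt` should also be treated as untrusted data, since a fork PR can influence what Stage A uploads.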
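Review bot: In `github-actions-clang-tidy-bazel.yml`, `uses: reviewdog/action-setup@v1` together with `reviewdog_version: latest` makes the step that now gates the required PR check depend on two mutable references: a movable action tag and whichever reviewdog release is newest when the job runs. Pin both, e.g. `uses: reviewdog/action-setup@<full-commit-sha>  # v1` and `reviewdog_version: <pinned-release>` (placeholders; use the values of the release you have reviewed), so that neither a retagged action nor a new upstream release can change what executes in CI or flip the check result without a commit in this repository. Passing the SHAs through `env:` rather than interpolating `${{ }}` into the `run:` script is the right pattern and should stay. The job starts outside the hunk, so I cannot see the checkout depth; please confirm both `BASE_SHA` and `HEAD_SHA` are fetched, and that a failing `git diff ${BASE_SHA}...${HEAD_SHA}` fails the step instead of being read as an empty diff.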