From 2a9a8f286b5a6dc3220d30a696278e3755fe79e5 Mon Sep 17 00:00:00 2001 From: agent-of-mkmeral Date: Wed, 17 Jun 2026 21:15:26 +0000 Subject: [PATCH] ci: add aggregate CI Gate as the single required status check The CI matrix produces ~30 dynamically-named check runs (e.g. "Python (ubuntu-latest, 3.14)", "Node.js (macos-latest, Node 22)"). Requiring each one in branch protection is brittle: every time the matrix changes, the required-checks list silently drifts and a leg can be dropped without anyone noticing. Add a single "CI Gate" job that `needs` all four real jobs (rust, python, audit, node) and fails unless every one of them succeeded (catching failures *and* cancellations via `needs.*.result`). Branch protection only has to require this one stable context, so the gate stays correct as the matrix evolves. Refs strands-agents/shell#32 --- .github/workflows/ci.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6fc4f64..33dc8a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -146,3 +146,26 @@ jobs: - name: npm test run: npm test + + # Single required status check. Branch protection can require just this one + # context ("CI Gate") instead of every matrix leg (Rust/Python/Node/audit), + # whose names change whenever the matrix changes. This job fails if any + # needed job failed or was cancelled, so it is a faithful aggregate gate. + gate: + name: CI Gate + if: always() + needs: [rust, python, audit, node] + runs-on: ubuntu-latest + steps: + - name: Verify all required jobs succeeded + env: + RESULTS: ${{ join(needs.*.result, ' ') }} + run: | + echo "Needed job results: $RESULTS" + for result in $RESULTS; do + if [ "$result" != "success" ]; then + echo "::error::A required CI job did not succeed (result: $result)." + exit 1 + fi + done + echo "All required CI jobs succeeded."
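Review bot: In the `Verify all required jobs succeeded` step, the test `[ "$result" != "success" ]` also rejects a `skipped` result, but the comment above `gate:` and the commit message only mention failures and cancellations. Either state in the comment that a skipped job fails the gate (so a future `if:` condition on rust, python, audit or node will block merges), or handle `skipped` explicitly. The loop also prints only the result value, not the job that produced it; exposing `${{ toJSON(needs) }}` in a second env var and echoing it would let a reader identify the failing job from the gate's own log. Separately, `needs: [rust, python, audit, node]` is a hand-maintained list, so a new top-level job added to this workflow is not covered by the gate until it is added here; a short comment next to `needs` saying so would keep the drift problem described in the commit message from reappearing in a different place.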