Add gateway pattern for CI required checks

tvdeyen · tvdeyen · commit 8ef7309b4b67 · 2026-02-26T16:58:54.000+01:00
The push_javascript workflow pushes rebuilt JS bundles to PR branches
after CI passes. It used [skip ci] to avoid retriggering the full CI
suite, but this prevented required status checks from being reported
on the new commit SHA, making PRs unmergeable.

Each workflow now has a check_bot_commit job that detects commits from
the CI bot (alchemy@blish.cloud) and a gateway job that becomes the
single required check. Expensive jobs are skipped for bot commits but
the gateway always runs and reports a status, so PRs remain mergeable.
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
@@ -21,7 +21,12 @@ on:
     - cron: "40 4 * * 2"
 
 jobs:
+  check_bot_commit:
+    uses: ./.github/workflows/check-bot-commit.yml
+
   brakeman-scan:
+    needs: [check_bot_commit]
+    if: needs.check_bot_commit.outputs.is_bot != 'true'
     name: Brakeman Scan
     runs-on: ubuntu-24.04
     steps:
@@ -47,3 +52,18 @@ jobs:
         if: always()
         with:
           sarif_file: output.sarif.json
+
+  brakeman-success:
+    name: "Brakeman Success"
+    if: always()
+    needs: [check_bot_commit, brakeman-scan]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check results
+        run: |
+          if [[ "${{ needs.brakeman-scan.result }}" != "success" && "${{ needs.brakeman-scan.result }}" != "skipped" ]]; then
+            echo "Failed: ${{ needs.brakeman-scan.result }}"
+            exit 1
+          fi
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -17,6 +17,9 @@ on:
   pull_request:
 
 jobs:
+  check_bot_commit:
+    uses: ./.github/workflows/check-bot-commit.yml
+
   check_package_json:
     permissions:
       contents: read
@@ -78,8 +81,11 @@ jobs:
   RSpec:
     permissions:
       contents: read
-    needs: [check_package_json, build_javascript]
-    if: ${{ always() && (needs.build_javascript.result == 'success' || needs.build_javascript.result == 'skipped') }}
+    needs: [check_package_json, build_javascript, check_bot_commit]
+    if: >
+      always() &&
+      needs.check_bot_commit.outputs.is_bot != 'true' &&
+      (needs.build_javascript.result == 'success' || needs.build_javascript.result == 'skipped')
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
@@ -223,8 +229,11 @@ jobs:
     permissions:
       contents: read
     runs-on: ubuntu-24.04
-    needs: [check_package_json, build_javascript]
-    if: ${{ always() && (needs.build_javascript.result == 'success' || needs.build_javascript.result == 'skipped') }}
+    needs: [check_package_json, build_javascript, check_bot_commit]
+    if: >
+      always() &&
+      needs.check_bot_commit.outputs.is_bot != 'true' &&
+      (needs.build_javascript.result == 'success' || needs.build_javascript.result == 'skipped')
     env:
       NODE_ENV: test
     steps:
@@ -246,3 +255,20 @@ jobs:
         run: bun install
       - name: Run vitest
         run: bun run test
+
+  build-test-success:
+    name: "Build & Test Success"
+    if: always()
+    needs: [check_bot_commit, RSpec, Vitest]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check results
+        run: |
+          for result in "${{ needs.RSpec.result }}" "${{ needs.Vitest.result }}"; do
+            if [[ "$result" != "success" && "$result" != "skipped" ]]; then
+              echo "Failed: $result"
+              exit 1
+            fi
+          done
diff --git a/.github/workflows/check-bot-commit.yml b/.github/workflows/check-bot-commit.yml
@@ -0,0 +1,25 @@
+name: Check Bot Commit
+
+on:
+  workflow_call:
+    outputs:
+      is_bot:
+        value: ${{ jobs.check.outputs.is_bot }}
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      is_bot: ${{ steps.check.outputs.is_bot }}
+    steps:
+      - id: check
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          SHA="${{ github.event.pull_request.head.sha || github.sha }}"
+          AUTHOR_EMAIL=$(gh api "repos/${{ github.repository }}/commits/${SHA}" --jq '.commit.author.email')
+          if [ "$AUTHOR_EMAIL" = "alchemy@blish.cloud" ]; then
+            echo "is_bot=true" >> $GITHUB_OUTPUT
+          fi
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -10,7 +10,12 @@ permissions:
   contents: read
 
 jobs:
+  check_bot_commit:
+    uses: ./.github/workflows/check-bot-commit.yml
+
   Standard:
+    needs: [check_bot_commit]
+    if: needs.check_bot_commit.outputs.is_bot != 'true'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
@@ -24,6 +29,8 @@ jobs:
       - name: Lint Ruby files
         run: bundle exec standardrb
   ESLint:
+    needs: [check_bot_commit]
+    if: needs.check_bot_commit.outputs.is_bot != 'true'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -42,6 +49,8 @@ jobs:
       - name: Lint code
         run: bun run --bun eslint
   Prettier:
+    needs: [check_bot_commit]
+    if: needs.check_bot_commit.outputs.is_bot != 'true'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -60,6 +69,8 @@ jobs:
       - name: Lint code
         run: bun run --bun lint
   Herb:
+    needs: [check_bot_commit]
+    if: needs.check_bot_commit.outputs.is_bot != 'true'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -77,3 +88,18 @@ jobs:
         run: bun install
       - name: Lint erb files
         run: bun run --bun herb-lint
+
+  lint-success:
+    name: "Lint Success"
+    if: always()
+    needs: [check_bot_commit, Standard, ESLint, Prettier, Herb]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check results
+        run: |
+          for result in "${{ needs.Standard.result }}" "${{ needs.ESLint.result }}" "${{ needs.Prettier.result }}" "${{ needs.Herb.result }}"; do
+            if [[ "$result" != "success" && "$result" != "skipped" ]]; then
+              echo "Failed: $result"
+              exit 1
+            fi
+          done
diff --git a/.github/workflows/push_javascript.yml b/.github/workflows/push_javascript.yml
@@ -53,7 +53,7 @@ jobs:
           git config --local user.name 'AlchemyCMS - CI Bot'
           git config --local user.email 'alchemy@blish.cloud'
           git add vendor/javascript bun.lock
-          git commit -m "Update JS packages" -m "Rebuilt packages after updating dependencies." -m "[skip ci]"
+          git commit -m "Update JS packages" -m "Rebuilt packages after updating dependencies."
       - name: Push changes
         if: steps.git-status.outputs.changed == 'true'
         uses: ad-m/github-push-action@master
