Skip to content

CI: aggregator job as single required check; drop trigger-level paths filter #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
glwagner wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

CI: aggregator job as single required check; drop trigger-level paths filter #214

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7247cac
Make CI/Docs always report a single required check
glwagner May 6, 2026
e9a0cdd
Merge branch 'main' into glw/ci-aggregator-required-check
glwagner May 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 50 additions & 12 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
name: CI

# Path-based gating is implemented *inside* this workflow (via the `changes`
# job and per-job `if:` conditions) rather than via a trigger-level `paths:`
# filter. With a trigger-level filter, the entire workflow — including the
# `test-summary` aggregator — would not run on out-of-path PRs, leaving any
# required status checks pending forever and blocking the merge button for
# non-admins. By dropping `paths:` here, the workflow always starts and
# `test-summary` always reports a status to branch protection.
on:
pull_request:
paths: &paths
- ".github/workflows/ci.yml"
- "ext/**"
- "src/**"
- "test/**"
- "Project.toml"
push:
paths: *paths
branches:
- main
tags: "*"
Expand Down Expand Up @@ -38,8 +38,31 @@ env:
#####

jobs:
# Detect whether any CI-relevant paths changed on this PR / push. Each
# downstream job gates itself on the `ci` output (with an exception for
# `push` events, which always run regardless).
changes:
name: Detect path changes
runs-on: ubuntu-latest
outputs:
ci: ${{ steps.filter.outputs.ci }}
steps:
- uses: actions/checkout@v6
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
ci:
- '.github/workflows/ci.yml'
- 'ext/**'
- 'src/**'
- 'test/**'
- 'Project.toml'

cpu_tests:
name: (CPU) - Julia ${{ matrix.version }}
needs: changes
if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.ci == 'true' }}
runs-on: ${{ matrix.os }}
timeout-minutes: 120
strategy:
Expand Down Expand Up @@ -95,6 +118,8 @@ jobs:

gpu_tests:
name: (GPU)
needs: changes
if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.ci == 'true' }}
runs-on: aws-linux-nvidia-gpu-l4
container:
image: ghcr.io/numericalearth/numerical-earth-docker-images:test-julia_1.12.5
Expand Down Expand Up @@ -166,6 +191,8 @@ jobs:

cds_downloading:
name: Data Downloading - Julia ${{ matrix.version }} - ${{ matrix.os }} - ${{ matrix.arch }} - ${{ github.event_name }}
needs: changes
if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.ci == 'true' }}
runs-on: ${{ matrix.os }}
timeout-minutes: 60
strategy:
Expand Down Expand Up @@ -228,6 +255,8 @@ jobs:

reactant:
name: Reactant extension - Julia ${{ matrix.version }} - ${{ matrix.os }} - ${{ matrix.arch }} - ${{ github.event_name }}
needs: changes
if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.ci == 'true' }}
runs-on: ${{ matrix.os }}
timeout-minutes: 80
strategy:
Expand Down Expand Up @@ -312,17 +341,26 @@ jobs:
# run: ./mpiexecjl -np 4 julia --project --color=yes -e 'using Pkg; Pkg.test()'

#####
##### The final test (a final check)
##### Aggregator: single required check for branch protection
#####
##### `test-summary` is intended to be the *only* CI status check listed as
##### required in branch protection / rulesets. It runs unconditionally
##### (`if: always()`) and passes iff every needed job is `success` or
##### `skipped` — so PRs that legitimately skip jobs (e.g. out-of-path
##### changes) can still merge, while real failures still block.

ci:
name: CI
test-summary:
name: test-summary
if: always()
needs:
- changes
- cpu_tests
- gpu_tests
- cds_downloading
- reactant
runs-on: ubuntu-latest
if: ${{ success() }}
steps:
- run: echo "All CI jobs passed successfully."
- name: Check that all needed jobs passed or were skipped
run: |
echo '${{ toJSON(needs) }}'
jq -e 'to_entries | all(.value.result == "success" or .value.result == "skipped")' <<< '${{ toJSON(needs) }}'
Comment on lines -328 to +366
Copy link
Copy Markdown
Member

@giordano giordano May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's this for?

61 changes: 54 additions & 7 deletions .github/workflows/docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
name: Documentation

# Path-based gating is implemented *inside* this workflow (via the `changes`
# job and per-job `if:` conditions) rather than via a trigger-level `paths:`
# filter. With a trigger-level filter, the entire workflow — including the
# `docs-summary` aggregator — would not run on out-of-path PRs, leaving any
# required status checks pending forever and blocking the merge button for
# non-admins. By dropping `paths:` here, the workflow always starts and
# `docs-summary` always reports a status to branch protection.
on:
pull_request:
paths: &paths
- ".github/workflows/docs.yml"
- "docs/**"
- "examples/**"
- "src/**"
- "Project.toml"
push:
paths: *paths
branches:
- main
tags: '*'
Expand All @@ -31,8 +31,31 @@ env:
ECCO_WEBDAV_PASSWORD: ${{ secrets.ECCO_WEBDAV_PASSWORD }}

jobs:
# Detect whether any docs-relevant paths changed on this PR / push. The
# `build-docs` job gates itself on the `docs` output (`push` events always
# build).
changes:
name: Detect path changes
runs-on: ubuntu-latest
outputs:
docs: ${{ steps.filter.outputs.docs }}
steps:
- uses: actions/checkout@v6
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
docs:
- '.github/workflows/docs.yml'
- 'docs/**'
- 'examples/**'
- 'src/**'
- 'Project.toml'

build-docs:
name: Build documentation
needs: changes
if: ${{ github.event_name != 'pull_request' || needs.changes.outputs.docs == 'true' }}
runs-on: [self-hosted, tartarus, gpu-3]
timeout-minutes: 1440
permissions:
Expand Down Expand Up @@ -112,3 +135,27 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCUMENTER_KEY: ${{ secrets.DOCUMENTER_KEY }}
run: julia --color=yes docs/deploy.jl

#####
##### Aggregator: single required check for branch protection
#####
##### `docs-summary` is intended to be the *only* Documentation status check
##### listed as required in branch protection / rulesets. It runs
##### unconditionally (`if: always()`) and passes iff every needed job is
##### `success` or `skipped` — so PRs that legitimately skip jobs (e.g.
##### out-of-path changes, or `deploy-docs` on a fork PR) can still merge,
##### while real failures still block.

docs-summary:
name: docs-summary
if: always()
needs:
- changes
- build-docs
- deploy-docs
runs-on: ubuntu-latest
steps:
- name: Check that all needed jobs passed or were skipped
run: |
echo '${{ toJSON(needs) }}'
jq -e 'to_entries | all(.value.result == "success" or .value.result == "skipped")' <<< '${{ toJSON(needs) }}'
Loading