From e0492aa2dca01e62280f8de0870af62f0d404d9e Mon Sep 17 00:00:00 2001 From: ethernet Date: Mon, 15 Jun 2026 17:03:44 -0400 Subject: [PATCH] fix(ci): always run pull_request checks no waiting for pending forever! --- .github/workflows/contributor-check.yml | 5 ++--- .github/workflows/docker-lint.yml | 9 ++++---- .github/workflows/docker-publish.yml | 13 +++++------- .github/workflows/docs-site-checks.yml | 16 ++++++++------- .github/workflows/history-check.yml | 7 +++++-- .github/workflows/lint.yml | 9 ++++---- .github/workflows/osv-scanner.yml | 26 +++++++++--------------- .github/workflows/supply-chain-audit.yml | 12 +++++------ .github/workflows/tests.yml | 8 ++++---- .github/workflows/typecheck.yml | 3 +++ .github/workflows/uv-lockfile-check.yml | 18 ++++++++-------- 11 files changed, 61 insertions(+), 65 deletions(-) diff --git a/.github/workflows/contributor-check.yml b/.github/workflows/contributor-check.yml index de38fcaae9a..23266931a69 100644 --- a/.github/workflows/contributor-check.yml +++ b/.github/workflows/contributor-check.yml @@ -1,12 +1,11 @@ name: Contributor Attribution Check on: - pull_request: - branches: [main] # No paths filter — the job must always run so the required check # reports a status (path-gated workflows leave checks "pending" forever # when no matching files change, which blocks merge). - + pull_request: + branches: [main] permissions: contents: read diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml index f1673813e99..631add200ad 100644 --- a/.github/workflows/docker-lint.yml +++ b/.github/workflows/docker-lint.yml 
@@ -18,13 +18,12 @@ on: - docker/** - .hadolint.yaml - .github/workflows/docker-lint.yml + + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] - paths: - - Dockerfile - - docker/** - - .hadolint.yaml - - .github/workflows/docker-lint.yml permissions: contents: read diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index c12ad772fa6..09b89138412 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -11,16 +11,13 @@ on: - 'docker/**' - '.github/workflows/docker-publish.yml' - '.github/actions/hermes-smoke-test/**' + + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] - paths: - - '**/*.py' - - 'pyproject.toml' - - 'uv.lock' - - 'Dockerfile' - - 'docker/**' - - '.github/workflows/docker-publish.yml' - - '.github/actions/hermes-smoke-test/**' + release: types: [published] diff --git a/.github/workflows/docs-site-checks.yml b/.github/workflows/docs-site-checks.yml index 7001c0b7439..975028afe23 100644 --- a/.github/workflows/docs-site-checks.yml +++ b/.github/workflows/docs-site-checks.yml @@ -1,10 +1,12 @@ name: Docs Site Checks on: + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: - paths: - - 'website/**' - - '.github/workflows/docs-site-checks.yml' + branches: [main] + workflow_dispatch: permissions: 
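Review bot: With the `paths:` list removed from `pull_request` in docker-publish.yml, this workflow now runs for every PR to main, including fork PRs, which get a read-only token and no secrets. The jobs are outside this hunk, so confirm that the registry login and push steps are gated with something like `if: github.event_name != 'pull_request'`; if they are not, the required check would fail for every external contributor. supply-chain-audit.yml in this same patch keeps its trigger unconditional and appears to do the path test in a `filter` step (`steps.filter.outputs.mcp_catalog`). Using that pattern here, and in docker-lint.yml, lint.yml, tests.yml and uv-lockfile-check.yml, would still report a status while skipping the image build on docs-only changes.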
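Review bot: The `pull_request` trigger in docs-site-checks.yml gains `branches: [main]`, a behaviour change the commit message does not mention: PRs targeting any other base branch used to run this check when `website/**` changed and now never will. If the narrowing is intended, record it next to the trigger, e.g. `# Only PRs targeting main are checked; other base branches are skipped.` The later hunks of this file only re-space trailing comments and swap quote style, which would be easier to audit as a separate formatting commit. Because the job now runs on every PR, the `python -m pip install ascii-guard==2.3.0 pyyaml==6.0.3` step visible in the third hunk's context runs far more often; it is version-pinned but not hash-pinned, so a requirements file installed with `--require-hashes` is worth considering.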
@@ -14,9 +16,9 @@ jobs: docs-site-checks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 cache: npm @@ -26,9 +28,9 @@ jobs: run: npm ci working-directory: website - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - python-version: '3.11' + python-version: "3.11" - name: Install ascii-guard run: python -m pip install ascii-guard==2.3.0 pyyaml==6.0.3 diff --git a/.github/workflows/history-check.yml b/.github/workflows/history-check.yml index 46f5368f790..ef657d5982c 100644 --- a/.github/workflows/history-check.yml +++ b/.github/workflows/history-check.yml @@ -14,6 +14,9 @@ name: History Check # the PR head and main to be non-empty. on: + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] @@ -24,9 +27,9 @@ jobs: check-common-ancestor: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - fetch-depth: 0 # full history both sides for merge-base + fetch-depth: 0 # full history both sides for merge-base - name: Reject PRs with no common ancestor on main run: | diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 013d212020d..f2765823a0b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -15,12 +15,12 @@ on: - "**/*.md" - "docs/**" - "website/**" + + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] - paths-ignore: - - "**/*.md" - - "docs/**" - - "website/**" permissions: contents: read @@ -154,7 +154,6 @@ jobs: }); } - ruff-blocking: # Enforce the rules in pyproject.toml [tool.ruff.lint.select]. Currently # PLW1514 (unspecified-encoding) — catches bare ``open()`` / diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index c7d4b5bb067..d1b318cc737 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -20,29 +20,23 @@ name: OSV-Scanner # vulnerabilities in pinned deps that we may need to patch deliberately. on: + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] - paths: - - 'uv.lock' - - 'pyproject.toml' - - 'package.json' - - 'package-lock.json' - - 'ui-tui/package.json' - - 'website/package.json' - - 'website/package-lock.json' - - '.github/workflows/osv-scanner.yml' push: branches: [main] paths: - - 'uv.lock' - - 'pyproject.toml' - - 'package.json' - - 'package-lock.json' - - 'website/package-lock.json' + - "uv.lock" + - "pyproject.toml" + - "package.json" + - "package-lock.json" + - "website/package-lock.json" schedule: # Weekly scan against main — catches CVEs published after merge for # deps that haven't changed since. - - cron: '0 9 * * 1' + - cron: "0 9 * * 1" workflow_dispatch: permissions: 
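Review bot: Removing the `paths:` list from `pull_request` in osv-scanner.yml means every PR now runs the full lockfile scan through `osv-scanner-reusable.yml` (the `uses:` line in the next hunk), not only PRs that touch a manifest. If that reusable workflow is left to fail on findings (its `with:` inputs are mostly outside these hunks), a newly published advisory against an already-pinned dependency would fail the required check on unrelated PRs, which invites people to bypass it. Consider setting `fail-on-vuln: false` for the PR event and relying on the weekly `schedule` run for existing pins, or pointing PRs at the upstream `osv-scanner-reusable-pr.yml` workflow, which reports only vulnerabilities the PR introduces.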
@@ -54,7 +48,7 @@ permissions: jobs: scan: name: Scan lockfiles - uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 + uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8 with: # Scan explicit lockfiles rather than recursing, so we only look at # the three sources of truth and skip vendored / test / worktree dirs. diff --git a/.github/workflows/supply-chain-audit.yml b/.github/workflows/supply-chain-audit.yml index 4bee46a95cd..f3405b7660f 100644 --- a/.github/workflows/supply-chain-audit.yml +++ b/.github/workflows/supply-chain-audit.yml @@ -1,11 +1,11 @@ name: Supply Chain Audit on: - pull_request: - types: [opened, synchronize, reopened] # No paths filter — the jobs must always run so required checks # report a status (path-gated workflows leave checks "pending" forever # when no matching files change, which blocks merge). + pull_request: + types: [opened, synchronize, reopened] permissions: pull-requests: write @@ -32,7 +32,7 @@ jobs: # True when the curated MCP catalog / bundled MCP manifests changed. mcp_catalog: ${{ steps.filter.outputs.mcp_catalog }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Check for relevant file changes @@ -72,7 +72,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -207,7 +207,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 
@@ -286,7 +286,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index a6e7738fa40..c1f59c5094a 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -6,11 +6,11 @@ on: paths-ignore: - "**/*.md" - "docs/**" + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] - paths-ignore: - - "**/*.md" - - "docs/**" permissions: contents: read @@ -219,4 +219,4 @@ jobs: env: OPENROUTER_API_KEY: "" OPENAI_API_KEY: "" - NOUS_API_KEY: "" \ No newline at end of file + NOUS_API_KEY: "" diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml index e21b80864c8..29994e3e295 100644 --- a/.github/workflows/typecheck.yml +++ b/.github/workflows/typecheck.yml @@ -4,6 +4,9 @@ name: Typecheck on: push: branches: [main] + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] diff --git a/.github/workflows/uv-lockfile-check.yml b/.github/workflows/uv-lockfile-check.yml index 37c31799bea..54662b23eda 100644 --- a/.github/workflows/uv-lockfile-check.yml +++ b/.github/workflows/uv-lockfile-check.yml 
@@ -47,15 +47,15 @@ on: push: branches: [main] paths: - - 'pyproject.toml' - - 'uv.lock' - - '.github/workflows/uv-lockfile-check.yml' + - "pyproject.toml" + - "uv.lock" + - ".github/workflows/uv-lockfile-check.yml" + + # No paths filter — the job must always run so the required check + # reports a status (path-gated workflows leave checks "pending" forever + # when no matching files change, which blocks merge). pull_request: branches: [main] - paths: - - 'pyproject.toml' - - 'uv.lock' - - '.github/workflows/uv-lockfile-check.yml' permissions: contents: read @@ -71,10 +71,10 @@ jobs: timeout-minutes: 5 steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install uv - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 # `uv lock --check` re-resolves the project from pyproject.toml and # compares the result to uv.lock, exiting non-zero if they disagree.