From d797f81ffb6aa873feab46b43832b3c1eafaf590 Mon Sep 17 00:00:00 2001
From: Byron Williams
Date: Mon, 29 Jun 2026 08:59:36 -0700
Subject: [PATCH] fix(ci): wire required checks for the merge queue

Adds a bare `Security Gate Validation` aggregator job to `security-analysis.yml` (which already triggers on `merge_group`). The reusable security workflow only emitted `Security Analysis / Security Gate Validation` (caller/callee form), which never matched the bare required context, so that check was unsatisfiable on every PR, not just in the queue. The other three required checks were already wired correctly.

Part of the org-wide merge-queue stall remediation. A required merge queue stalls when required-check workflows do not trigger on the merge_group event; the queue dispatches merge_group, waits for checks that never report, and times out. See reference-library PR #64 for the reference fix.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/security-analysis.yml | 29 +++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
index 6bc7ba4..94f382e 100644
--- a/.github/workflows/security-analysis.yml
+++ b/.github/workflows/security-analysis.yml
@@ -58,3 +58,32 @@ jobs:
       # rag-processor uses hatchling as build backend, so editable installs
       # require the build step. The reusable defaults no-build: true; override.
       no-build: false
+
+  # Bare "Security Gate Validation" context required by the org ruleset.
+  # The reusable security workflow surfaces as
+  # "Security Analysis / Security Gate Validation" (caller / reusable job),
+  # which cannot match the bare ruleset context. This in-line aggregator
+  # re-emits the bare context on pull_request and inside the merge queue.
+  security-gate:
+    name: Security Gate Validation
+    runs-on: ubuntu-latest
+    needs: [security]
+    if: always()
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: block
+          allowed-endpoints: ''
+      - name: Aggregate security result
+        run: |
+          result="${{ needs.security.result }}"
+          if [ "$result" = "success" ] || [ "$result" = "skipped" ]; then
+            echo "Security Gate Validation: passed (result: $result)"
+          else
+            echo "::error::Security Gate Validation failed: $result"
+            exit 1
+          fi
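Review bot: The aggregate step in the `run:` block treats `skipped` as a pass, so if the `security` job (its header is outside this hunk) can be skipped by a job-level `if:`, the required `Security Gate Validation` context goes green without any security analysis having run — the gate fails open. Unless a conditional skip is meant to bypass the gate, accept only the success result, `if [ "$result" = "success" ]; then`, and let a skip fall through to the existing `::error::` branch and `exit 1`. If skipping really is intended to satisfy the gate, say so in the job comment, e.g. `# NOTE: a skipped security job satisfies this gate by design`, so the fail-open behaviour is visible to whoever audits the ruleset. Separately, the job performs no checkout, so `permissions: {}` would drop the token scope entirely, provided harden-runner does not itself need `contents: read` — worth confirming against its docs before tightening.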