
ci: restructure guards to job-level conditions (fix Scorecard parse)#163

Merged
SebTardif merged 2 commits into
mainfrom
fix/restructure-ci-guards-for-scorecard
Jun 23, 2026

Conversation

@SebTardif

Contributor

Restructure the docs-only skip logic in ci.yml to use clean job-level conditions, following the exact pattern used successfully in:

Before (broke Scorecard parser)

  • Internal "should-run" steps setting outputs
  • Per-step if: steps.should-run.outputs.run == 'true' || ...
  • Complex shell scripts with GitHub expressions inside run: |

This caused:

internal error: invalid GitHub workflow: :64:0: could not parse as YAML

on Pinned-Dependencies, Token-Permissions, Dangerous-Workflow, Packaging, SAST → all -1.

After

unit-test:
  needs: [changes]
  if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.code == 'true')
  ...

build: ...
integration-test: ...
  • No more internal guard steps.
  • All steps inside a job run when the job condition passes.
  • Matches the working implementations in patchloom and attune.

This should make Scorecard parse the workflows cleanly again (restoring real scores instead of -1 errors).

Also updated the changes job comment.

npm run check passes.

Use the proven pattern from patchloom and attune-io/attune:

- changes job: if: github.event_name == 'pull_request'
- heavy jobs: if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.code == 'true')
- No more internal "should-run" steps or per-step `steps.xxx.outputs` conditions.

This makes the workflow YAML cleanly parsable by Scorecard (no more line 64 "mapping values" errors in Pinned-Dependencies / Token-Permissions / etc.).

Removes the complex guard steps that were causing -1 scores.

See: patchloom ci.yml and attune ci.yaml for the reference implementation.
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

This provides a single always() job that the required checks / branch
protection can depend on, while the matrix jobs use the changes filter.

This is exactly how patchloom structures its final "ci" job.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
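A complete workflow in the shape the PR description and the two commit messages above describe: a `changes` job gated on `pull_request`, heavy jobs gated on `always() && (needs.changes.result == 'skipped' || needs.changes.outputs.code == 'true')`, and one `always()` aggregate job for branch protection. This is an added example, not the project's ci.yml and not the patchloom or attune implementations it cites. The path-filter action (dorny/paths-filter), the `docs/` and `*.md` filter, the npm commands, and the job names `build` and `ci` are assumptions; the page does not state which filter action or commands are used.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Read-only default token; this is what Scorecard's Token-Permissions check looks for.
permissions:
  contents: read

jobs:
  # Evaluated only on pull_request. On push the job is skipped, so downstream
  # needs.changes.result == 'skipped' and every heavy job runs unconditionally.
  changes:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read   # the filter lists changed files through the PR API
    outputs:
      code: ${{ steps.filter.outputs.code }}
    steps:
      - uses: actions/checkout@v4       # replace the tag with a full commit SHA for Pinned-Dependencies
      - id: filter
        uses: dorny/paths-filter@v3     # assumed filter action, not named on the page; pin likewise
        with:
          filters: |
            code:
              - '**'
              - '!**/*.md'
              - '!docs/**'

  # Job-level guard only. No "should-run" step, no per-step conditions, and no
  # GitHub expressions inside run: blocks, so the YAML stays plainly parsable.
  unit-test:
    needs: [changes]
    if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.code == 'true')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test

  build:
    needs: [changes]
    if: always() && (needs.changes.result == 'skipped' || needs.changes.outputs.code == 'true')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run build

  # The single job branch protection requires. always() makes it run even when
  # the heavy jobs were skipped for a docs-only PR, so it has to inspect the
  # upstream results itself: 'success' and 'skipped' pass, 'failure' and
  # 'cancelled' fail. `changes` is listed in needs on purpose: if the filter job
  # itself fails, the heavy jobs are skipped (their condition is false), and
  # without this entry the aggregate would report green for a broken pipeline.
  ci:
    needs: [changes, unit-test, build]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Fail if any upstream job failed or was cancelled
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1
      - name: All required jobs passed or were legitimately skipped
        run: echo ok
```

To check the parse locally before pushing, Scorecard's local mode can be pointed at the checkout with the affected checks selected, for example `scorecard --local . --checks Pinned-Dependencies,Token-Permissions,Dangerous-Workflow`. Expect Pinned-Dependencies to flag the `@v4` and `@v3` tags above until they are replaced with full commit SHAs; the tag pins are only placeholders in this example.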
@SebTardif SebTardif force-pushed the fix/restructure-ci-guards-for-scorecard branch from c7ca709 to 390508c Compare June 23, 2026 00:29
@SebTardif SebTardif marked this pull request as ready for review June 23, 2026 00:29
@SebTardif SebTardif merged commit 4dadafa into main Jun 23, 2026
20 checks passed
@SebTardif SebTardif deleted the fix/restructure-ci-guards-for-scorecard branch June 23, 2026 00:37