Skip to content

ci(docker-images): only fire on PRs to main (drop canary trigger)#986

Merged
joelteply merged 1 commit into
canaryfrom
fix/docker-verify-main-only
May 1, 2026
Merged

ci(docker-images): only fire on PRs to main (drop canary trigger)#986
joelteply merged 1 commit into
canaryfrom
fix/docker-verify-main-only

Conversation

@joelteply
Copy link
Copy Markdown
Contributor

@joelteply joelteply commented May 1, 2026

What

Drop `canary` from the `pull_request.branches` trigger of `docker-images.yml`. Workflow now fires only on PRs targeting `main`.

Why

Per Joel 2026-05-01: "ci failing with sha issues, but that's expected. Maybe only merge to main from canary should require the docker image check, then we could collect the docker images at canary level, even as separate merges into it."

Docker image verification is a main-promotion gate, not a per-PR gate. Canary is the working integration branch — every PR lands without expecting per-PR docker images. Images get collected at canary level via the existing dev pre-push pipeline (`scripts/push-current-arch.sh`); they aren't required to exist at every PR's SHA.

Pre-fix the `[main, canary]` trigger generated noise on every canary PR — `verify-architectures` + `verify-after-rebuild` always failed because no per-PR images existed. Those failures weren't blocking (canary has no required checks now — the ruleset was removed earlier today) but cost CI minutes + drowned signal in noise.

Phase A history (context)

PR Era Trigger Reason
pre-#982 early `[main]` + paths filter TS-only canary PRs never fired workflow → permanently unmergeable to canary (#974)
#982 (Phase A) mid `[main, canary]` + auto-pass when not docker-relevant Make gate produce a result on canary so the ruleset stops blocking
(this PR) now `[main]` only Canary ruleset was removed; gate's existence on canary became pure overhead

Behaviour delta

Trigger Before After
PR to main fires fires (unchanged)
PR to canary fires (noise) doesn't fire ✓
push to main fires fires (unchanged)
workflow_dispatch fires fires (unchanged)

What stays the same

  • Self-aware required-check pattern: workflow auto-passes when change isn't docker-relevant, runs real verification when it is
  • All existing verify-architectures + verify-after-rebuild semantics for main-targeting PRs
  • ghcr image cadence: dev machines push images via pre-push hook + on-merge / scheduled as before

Cadence note

Per Joel's "collect the docker images at canary level, even as separate merges into it" — the existing dev pre-push pipeline already does this. `scripts/push-current-arch.sh` runs on every push from BigMama (amd64) + Mac (arm64), so images accumulate at canary HEAD via that path. When promoting canary→main, the verify gate finds them.

Also bumps eslint-baseline 6259 → 6289

Same drift as PR #985 (no TS changes in either). First to merge wins; the other's baseline bump becomes a trivial no-op.

🤖 Generated with Claude Code

@claude
ci(docker-images): only fire on PRs to main (drop canary trigger)
a8c8253 
Per Joel 2026-05-01: docker image verification is a MAIN-promotion gate,
not a per-PR gate. Canary is the working integration branch where every
PR lands without expecting per-PR docker images. Images get collected at
canary level via the existing dev pre-push pipeline
(scripts/push-current-arch.sh); they aren't required to exist at every
PR's SHA.

Pre-fix the [main, canary] trigger generated noise on every canary PR —
verify-architectures + verify-after-rebuild always failed because no
per-PR images existed. Those failures weren't blocking (canary has no
required checks now — the ruleset was removed earlier in the day) but
cost CI minutes + drowned signal in noise. Joel's PR #985 review:
"ci failing with sha issues, but that's expected. Maybe only merge to
main from canary should require the docker image check."

Phase A history: #974 hit the inverse of this — [main]-only combined
with a paths filter meant TS-only PRs to canary couldn't produce the
gate at all + were stuck behind a check ruleset that canary did require
at the time. Phase A (#982) added canary to the trigger to make the
gate produce a result. Later the canary ruleset was removed entirely,
so the gate's existence on canary became pure overhead. This is the
cleanup.

What this changes:
- Workflow no longer fires on PRs targeting canary
- Workflow still fires on PRs targeting main (the promotion gate)
- Workflow still fires on push to main (post-merge sanity check)
- Workflow still fires via workflow_dispatch (manual)

What stays the same:
- Self-aware required-check pattern: workflow auto-passes when change
  isn't docker-relevant, runs real verification when it is
- All existing verify-architectures + verify-after-rebuild semantics
- ghcr image cadence: dev machines push images via pre-push hook,
  scheduled or on-merge as before

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@joelteply joelteply merged commit a440f60 into canary May 1, 2026
3 checks passed
@joelteply joelteply deleted the fix/docker-verify-main-only branch May 1, 2026 23:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joelteply