feat: add require-checks-in-pr composite action#113
Conversation
Extracted from ksail's local .github/actions/summarize-workflow into a shared composite action. Aggregates multiple job results into a single required check for branch protection rules. Inputs: - job-results (required): space-separated list of job results - check-name (default: "CI - Required Checks"): name for messages Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
![botantler[bot]](https://avatars.githubusercontent.com/in/1025824?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a reusable composite GitHub Action to aggregate multiple job results into one required check outcome, supporting branch protection rules that need a stable check name.
Changes:
- Introduces
require-checks-in-prcomposite action that fails if any dependent job failed/cancelled and passes on success/skipped. - Adds documentation with usage examples, inputs, and result semantics.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| require-checks-in-pr/action.yaml | Implements the composite action logic to aggregate job results into a single pass/fail outcome. |
| require-checks-in-pr/README.md | Documents motivation, usage patterns, inputs, and interpretation of job result values. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| set -Eeuo pipefail | ||
| failed=false | ||
|
|
||
| for result in $JOB_RESULTS; do | ||
| case "$result" in | ||
| success|skipped) | ||
| ;; | ||
| *) | ||
| failed=true | ||
| ;; | ||
| esac | ||
| done |
There was a problem hiding this comment.
If job-results is provided as an empty/whitespace-only string, the loop never runs and the action will incorrectly succeed. Add an explicit validation that JOB_RESULTS contains at least one non-whitespace token and fail with a clear message if it doesn't.
|
|
||
| for result in $JOB_RESULTS; do | ||
| case "$result" in | ||
| success|skipped) | ||
| ;; | ||
| *) | ||
| failed=true | ||
| ;; | ||
| esac | ||
| done | ||
|
|
There was a problem hiding this comment.
The default (*) branch treats any unexpected value as a failure/cancel and prints a message that may be inaccurate (e.g., typo/unknown result). Consider handling failure|cancelled explicitly, and for unknown values print an error like Unknown job result: <value> (optionally listing allowed values) and exit non-zero to make misconfigurations easier to diagnose.
| for result in $JOB_RESULTS; do | |
| case "$result" in | |
| success|skipped) | |
| ;; | |
| *) | |
| failed=true | |
| ;; | |
| esac | |
| done | |
| unknown_result="" | |
| for result in $JOB_RESULTS; do | |
| case "$result" in | |
| success|skipped) | |
| ;; | |
| failure|cancelled) | |
| failed=true | |
| ;; | |
| *) | |
| unknown_result="$result" | |
| break | |
| ;; | |
| esac | |
| done | |
| if [ -n "$unknown_result" ]; then | |
| echo "❌ $CHECK_NAME — Unknown job result: $unknown_result. Allowed values: success, failure, cancelled, skipped." | |
| exit 1 | |
| fi |
| done | ||
|
|
||
| if [ "$failed" = true ]; then | ||
| echo "❌ $CHECK_NAME — at least one job failed or was cancelled." |
There was a problem hiding this comment.
The default (*) branch treats any unexpected value as a failure/cancel and prints a message that may be inaccurate (e.g., typo/unknown result). Consider handling failure|cancelled explicitly, and for unknown values print an error like Unknown job result: <value> (optionally listing allowed values) and exit non-zero to make misconfigurations easier to diagnose.
| - uses: devantler-tech/actions/require-checks-in-pr@main | ||
| with: | ||
| job-results: "${{ needs.build.result }} ${{ needs.test.result }}" |
There was a problem hiding this comment.
The examples pin the action to @main, which is vulnerable to supply-chain risk and can introduce unexpected breaking changes. Prefer pinning to an immutable ref (a commit SHA) or a release tag (e.g., @v1) and update the README examples accordingly.
| needs: [build, lint, test] | ||
| if: ${{ always() }} | ||
| steps: | ||
| - uses: devantler-tech/actions/require-checks-in-pr@main |
There was a problem hiding this comment.
The examples pin the action to @main, which is vulnerable to supply-chain risk and can introduce unexpected breaking changes. Prefer pinning to an immutable ref (a commit SHA) or a release tag (e.g., @v1) and update the README examples accordingly.
|
🎉 This PR is included in version 3.2.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
- Fail with a clear message when job-results is empty or whitespace-only - Handle failure|cancelled explicitly instead of relying on catch-all - Report unknown job result values with actionable error message Addresses review feedback from #113. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: validate empty input and handle unknown job results - Fail with a clear message when job-results is empty or whitespace-only - Handle failure|cancelled explicitly instead of relying on catch-all - Report unknown job result values with actionable error message Addresses review feedback from #113. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: pin README examples to SHA instead of @main Pin action references to the v3.2.0 release SHA for supply-chain safety. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address reviewer feedback on echo and allowed_values duplication Agent-Logs-Url: https://github.com/devantler-tech/actions/sessions/a2b7624d-f1ad-4173-b521-d8c2de93ad5c Co-authored-by: devantler <26203420+devantler@users.noreply.github.com> * fix: use printf, disable globbing, and parse into array for robustness - Replace echo with printf '%s\n' to avoid option misinterpretation - Use read -r -a to parse JOB_RESULTS into an array safely - Disable globbing with set -f to prevent wildcard expansion Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: devantler <26203420+devantler@users.noreply.github.com>
Description
Adds a shared composite action that aggregates the results of multiple CI jobs into a single required check. Extracted from ksail's local
.github/actions/summarize-workflow.Inputs
job-resultscheck-nameCI - Required ChecksBehavior
successandskipped→ passfailureandcancelled→ failMotivation
Branch protection rules need a single, stable check name. This action provides that by aggregating results from matrix builds or parallel jobs.
See require-checks-in-pr/README.md for usage examples.