From 9b80555db3ee0fd62c53a55a11c8be4837c1ba9c Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Mon, 20 Apr 2026 18:49:24 +0200
Subject: [PATCH 1/3] feat: add CI - Required Checks aggregation job

Add a ci-required-checks job that aggregates all CI job results into a single "CI - Required Checks" status check using the shared devantler-tech/actions/require-checks-in-pr composite action. This allows branch protection to require a single check instead of listing each individual job.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f62fe6b..b7d72e9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -146,3 +146,22 @@ jobs:
 env:
 SKILL: ${{ matrix.skill }}
 run: skills-ref validate "$SKILL"
+
+ ci-required-checks:
+ name: CI - Required Checks
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ needs: [validate-manifests, discover-skills, validate-spec]
+ if: ${{ always() }}
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ with:
+ egress-policy: audit
+
+ - uses: devantler-tech/actions/require-checks-in-pr@61ae89ec83b943bd3a486fdcaf91cb66fd6b8760 # feat/require-checks-in-pr
+ with:
+ job-results: >-
+ ${{ needs.validate-manifests.result }}
+ ${{ needs.discover-skills.result }}
+ ${{ needs.validate-spec.result }}
From 9d5f29341fd85092ba04a8d758aa766165e4d518 Mon Sep 17 00:00:00 2001
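Review bot: The set of gated jobs is written twice in the new `ci-required-checks` job — once in `needs:` and again as the three `${{ needs.*.result }}` entries under `job-results` — so a job added to this workflow later and omitted from either list is silently left out of the aggregate check that branch protection will rely on. A comment above `needs:` such as `# Every job that must gate a merge belongs here AND in job-results below; a job missing from either is not required.` would make that maintenance rule explicit. With `if: ${{ always() }}` the job also runs when an upstream job was skipped or cancelled, and how the composite action classifies `skipped`/`cancelled` results is not visible in this hunk — worth confirming it fails closed rather than reporting success. The harden-runner step uses `egress-policy: audit`, which only logs; since this job's only visible work is evaluating three result strings, `egress-policy: block` may be viable if the action makes no outbound calls — verify against the action's source before tightening. The three context lines at the top belong to the preceding matrix job, whose body starts outside the hunk.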
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 20 Apr 2026 16:53:41 +0000
Subject: [PATCH 2/3] fix: update require-checks-in-pr to v3.2.0 release

Agent-Logs-Url: https://github.com/devantler-tech/copilot-plugins/sessions/afca5567-a763-45ec-ad82-130b877a8f6a
Co-authored-by: devantler <26203420+devantler@users.noreply.github.com>
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b7d72e9..23936a6 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -159,7 +159,7 @@ jobs:
 with:
 egress-policy: audit
 
- - uses: devantler-tech/actions/require-checks-in-pr@61ae89ec83b943bd3a486fdcaf91cb66fd6b8760 # feat/require-checks-in-pr
+ - uses: devantler-tech/actions/require-checks-in-pr@1f66c91d45d374ceac9fe830a783444ebc9be958 # v3.2.0
 with:
 job-results: >-
 ${{ needs.validate-manifests.result }}
From 811fb8a2f6d5af7a52f4a0a836a0ccd417f6ffd4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 20 Apr 2026 16:57:38 +0000
Subject: [PATCH 3/3] fix: add explicit least-privilege permissions to ci-required-checks job

Agent-Logs-Url: https://github.com/devantler-tech/copilot-plugins/sessions/48e39470-5672-4e88-874e-8f8c16d31408
Co-authored-by: devantler <26203420+devantler@users.noreply.github.com>
---
 .github/workflows/ci.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 23936a6..9544ba5 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -150,6 +150,10 @@ jobs:
 ci-required-checks:
 name: CI - Required Checks
 runs-on: ubuntu-latest
+ permissions:
+ checks: read
+ statuses: read
+ pull-requests: read
 timeout-minutes: 5
 needs: [validate-manifests, discover-skills, validate-spec]
 if: ${{ always() }}
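Review bot: The added `permissions:` block in the third patch grants `checks: read`, `statuses: read` and `pull-requests: read`, yet nothing in the job visibly uses the token — its only inputs are the three `needs.*.result` strings — so unless `require-checks-in-pr` calls the GitHub API, `permissions: {}` would be the tighter setting; confirm against the action's source before choosing. Whichever set is kept, a comment naming the consumer would stop a future reader from widening it on a guess, e.g. `# Read-only scopes assumed sufficient for require-checks-in-pr — confirm against the action source before changing.` A job-level `permissions:` block replaces the workflow-level default entirely, so every scope not listed here is already `none`, which is the intended least-privilege shape. The `ci-required-checks` job continues past the end of this hunk; its `steps:` are not shown here.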