
Surface publish-time gates as PR-visible jobs #164

Merged: PaulNewling merged 2 commits into v4-beta from paulnewling/preflight-require-latest on May 22, 2026

Conversation

@PaulNewling (Collaborator) commented May 21, 2026

Two publish-time gates move out of build-test-publish into a PR-visible preflight job. Merge protection is unchanged — the merge queue still blocks any failure.

Gates

| Gate | Before | After |
| --- | --- | --- |
| require-latest (SDK drift) | step in build-test-publish; failure skipped build / test / publish | preflight job; non-blocking on PR, blocking in merge queue and on the default branch |
| pnpm-workspace / pnpm-lock drift | inline bash duplicated in build-test-publish and pre-calculated-build (the latter ran with fetch-depth: 1, effectively a no-op) | preflight job, single canonical location with fetch-depth: '0' |
| scan-pnpm-repo (Trivy) | step in build-test-publish after build / test | unchanged — the scan reads dist/artifacts/*.json produced by the build, so it must stay co-located with the build (see greptile comment) |

Per-trigger behavior

| Trigger | continue-on-error | Failure consequence |
| --- | --- | --- |
| pull_request | true | PR check shows the failed step; build / test still run |
| merge_group | false | merge queue fails; PR does not merge |
| push to default branch | false | publish skipped via needs + if on build-test-publish |

Notes

  • preflight mirrors the existing check-changesets pattern: continue-on-error: ${{ github.ref_name != inputs.changeset-default-branch && github.event_name != 'merge_group' }}.
  • build-test-publish adds preflight to needs + if.
  • Motivating failure: https://github.com/platforma-open/miltenyi-tcr-bcr-clonotyping/actions/runs/26252180582/job/77266165614.
  • Follow-up: making the Trivy scan a separate PR-visible job needs build-artifact passing (upload from build-test-publish, download in a downstream scan job, split publish into its own job). Out of scope here.

Greptile Summary

This PR promotes two publish-time gate checks — SDK version drift (require-latest) and pnpm-workspace.yaml/pnpm-lock.yaml sync — out of build-test-publish into a new preflight job that surfaces failures as PR-visible checks while remaining blocking in the merge queue and on the default branch.

  • preflight mirrors the existing check-changesets pattern exactly: continue-on-error is true on pull_request events and false on merge_group/default-branch push, so downstream jobs (pre-calculated-build, build-test-publish) gate on needs.preflight.result == 'success' || 'skipped'.
  • The lockfile-drift check now runs with fetch-depth: '0' in preflight, replacing the previous copy in pre-calculated-build which ran at fetch-depth: 1 and was effectively a no-op.
  • The Trivy scan (scan-pnpm-repo) correctly stays in build-test-publish since it reads dist/artifacts/ produced by the build step.

Confidence Score: 5/5

Safe to merge — the refactoring is a clean extraction with no behavioral changes on the default branch or merge queue, and the continue-on-error + downstream if guards are correctly wired.

The preflight job follows the identical gating pattern as check-changesets, the lockfile-drift check now runs with a full clone where it was previously a no-op, and the Trivy scan correctly remains co-located with the build. No logic changes affect merge protection.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/node-simple-pnpm.yaml | Adds preflight job with require-latest and pnpm-lock drift checks; correctly wires continue-on-error, needs, and if guards for all downstream jobs and the notify job. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    init["init"]
    metadata["metadata"]
    preflight["preflight\n(require-latest + pnpm-lock drift)\ncontinue-on-error: PR=true / MQ=false"]
    check_changesets["check-changesets\ncontinue-on-error: PR=true / MQ=false"]
    pre_calc["pre-calculated-build\nif: preflight==success|skipped"]
    btp["build-test-publish\nif: preflight==success|skipped"]
    notify["notify-slack-release"]

    init --> metadata
    init --> preflight
    metadata --> check_changesets
    preflight --> pre_calc
    check_changesets --> pre_calc
    metadata --> pre_calc
    preflight --> btp
    check_changesets --> btp
    metadata --> btp
    pre_calc --> btp
    btp --> notify
    preflight --> notify
    check_changesets --> notify
    pre_calc --> notify
    metadata --> notify
    init --> notify
```

Reviews (2): Last reviewed commit: "Revert security-scan extraction: scan ne..."
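The gating pattern the description and the Greptile summary refer to, written out as a minimal standalone workflow. This is an added example, not the project's node-simple-pnpm.yaml: the `run:` commands are placeholders, `main` stands in for the default branch, and the page's `continue-on-error` expression (which reads `inputs.changeset-default-branch` from a reusable workflow) is simplified to a test on `github.event_name`. The downstream `if` is spelled out as two comparisons because in a GitHub expression a bare `|| 'skipped'` is a non-empty string and therefore always truthy, which would disable the guard. The mechanism that makes one `if` serve all three triggers is the one the per-trigger table above records: a job with job-level `continue-on-error: true` reports `success` to `needs` even when a step failed, so build and test still run on a PR, while on `merge_group` and on a default-branch push the same job reports `failure` and build-test-publish (and with it publish) is skipped.

```yaml
# Added example (not the project's workflow): preflight gating pattern.
name: preflight-gating-example

on:
  pull_request:
  merge_group:
  push:
    branches: [main]   # assumption: 'main' is the default branch

jobs:
  preflight:
    runs-on: ubuntu-latest
    # Non-blocking only on pull_request. On merge_group and on a push to the
    # default branch a failing step fails the job, so `needs.preflight.result`
    # becomes 'failure' for every downstream job.
    continue-on-error: ${{ github.event_name == 'pull_request' }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: '0'   # full history; with fetch-depth 1 the drift diff is a no-op
      - name: require-latest (SDK drift)
        run: ./scripts/require-latest.sh           # placeholder command
      - name: pnpm-workspace / pnpm-lock drift
        run: ./scripts/check-lockfile-drift.sh     # placeholder command

  build-test-publish:
    needs: [preflight]
    # Spelled out in full; `== 'success' || 'skipped'` would always be truthy.
    if: ${{ needs.preflight.result == 'success' || needs.preflight.result == 'skipped' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      - run: pnpm test
      # The Trivy scan stays after the build: it reads dist/artifacts/*.json,
      # which only exists once the build step has run.
      - name: scan-pnpm-repo (Trivy)
        run: ./scripts/scan-pnpm-repo.sh           # placeholder command
      - name: publish
        if: ${{ github.event_name == 'push' }}
        run: pnpm publish --no-git-checks          # placeholder command
```

On a PR the preflight job still shows the failed step in the checks list (the failure is annotated, not hidden), which is what makes the gate PR-visible; the merge queue and the default branch keep the blocking behaviour because there `continue-on-error` evaluates to false.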

@PaulNewling PaulNewling marked this pull request as ready for review May 21, 2026 21:51
Comment thread on .github/workflows/node-simple-pnpm.yaml (outdated)

@PaulNewling (Collaborator, Author) commented:

@greptileai

@PaulNewling PaulNewling changed the base branch from v4 to v4-beta May 22, 2026 16:42

Extract require-latest, the pnpm-workspace/lock drift guard, and the
scan-pnpm-repo Trivy scan from build-test-publish into separate
preflight and security-scan jobs. Both are non-blocking on PRs and
blocking on the default branch and in the merge queue, mirroring the
existing check-changesets pattern. build-test-publish gates publish on
both via needs + if.

scan-pnpm-repo discovers images via dist/artifacts/*.json which is only
populated by the build step. A pre-build security-scan job silently
passes in auto-discovery mode (scan_npm_package returns 0 when no
images are found and _require_docker=false), making the Trivy gate a
no-op. Restore scan-pnpm-repo as a step in build-test-publish after
the build. preflight (require-latest + lockfile drift) is unaffected
since those checks have no artifact dependency.
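The failure mode the revert message describes, a scanner that exits 0 because auto-discovery found nothing, is the kind of silent pass a guard should refuse. The following shell function is an added example, not the project's scan script: it counts artifact manifests under a directory and fails the step when there are none, so the scan cannot run in auto-discovery mode against an empty directory. Only the `dist/artifacts` path comes from the page; the function name, its message text and the placeholder scanner command are assumptions.

```shell
# Added example (not the project's code): explicit "is there anything to scan?"
# guard for auto-discovery mode. scan_npm_package (per the commit message above)
# returns 0 when no images are found, so a scan that runs before the build passes
# without scanning anything; this guard turns that into a visible failure.

# Count *.json manifests under the given directory. Prints the count and returns 0
# when at least one exists; returns 1 with a diagnostic on stderr when there are
# none, so a CI step that calls it fails instead of passing silently.
require_artifacts() {
  dir="$1"
  count=0
  for f in "$dir"/*.json; do
    # With no match the glob stays literal, so the -e test is false.
    if [ -e "$f" ]; then
      count=$((count + 1))
    fi
  done
  if [ "$count" -eq 0 ]; then
    echo "require_artifacts: no *.json under '$dir'; refusing to run the scan in auto-discovery mode (did the build step run first?)" >&2
    return 1
  fi
  echo "$count"
  return 0
}

# Constructed CI usage: gate the scanner on the guard (scanner command is a placeholder).
# require_artifacts dist/artifacts && ./scripts/scan-pnpm-repo.sh
```

Keeping the guard separate from the scanner means the step fails for a stated reason (no manifests) rather than relying on the scanner's own exit code, which in auto-discovery mode does not distinguish "nothing found" from "everything clean".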
@PaulNewling PaulNewling force-pushed the paulnewling/preflight-require-latest branch from cc9ca1f to cc1aa77 Compare May 22, 2026 20:11
@PaulNewling PaulNewling merged commit 31ee7b7 into v4-beta May 22, 2026
@PaulNewling PaulNewling deleted the paulnewling/preflight-require-latest branch May 22, 2026 20:29
PaulNewling added a commit that referenced this pull request May 22, 2026
The previous single 'preflight' job collapsed both checks under one
PR status row, and when require-latest failed the pnpm-lock-sync step
was skipped (job-level continue-on-error does not propagate to step
ordering inside the job).

Split into 'preflight-require-latest' and 'preflight-pnpm-lock-sync'
so each surfaces as its own PR-visible check, each carries its own
job-level continue-on-error, and a failure in one no longer hides the
other. Downstream needs: in pre-calculated-build, build-test-publish,
and notify slack release updated to depend on both new jobs.

Follow-up to #164.