ci: run strict-schema via workflow_run after mirror-tarball #6
Merged
Strict schema validation requires tarball + sha256 to be populated, but merge PRs intentionally leave those null (mirror-tarball fills them post-merge). The prior trigger raced with mirror and always failed on main because mirror bot commits don't re-trigger push workflows under GITHUB_TOKEN.

Switch strict-main to workflow_run so it runs after mirror-tarball completes successfully on main. The four non-strict jobs still fire on pull_request and push-to-main; they are gated off the workflow_run event to avoid duplicate runs.

Observed failure pattern on PR #4 (wheels-seo-suite v2.0.0) and PR #5 (wheels-basecoat + wheels-hotwire v1.0.1). Both had all PR-time checks green, mirror-tarball succeeded, notify-site dispatched correctly, but the push-to-main validate run showed a red strict-main.
Summary
Fixes the long-standing red `validate` run that appears on `main` after every publish PR (#4, #5).

Root cause

Merge PRs intentionally leave `tarball` and `sha256` as `null` per CONTRIBUTING.md. The `mirror-tarball` workflow populates them post-merge and pushes a backfill commit. The intent (stated in `validate.yml` comments) was for strict validation to re-run on the backfilled commit. That never happened because:

- `GITHUB_TOKEN`.
- `GITHUB_TOKEN` do not trigger downstream `push`/`pull_request` workflows (GitHub loop-prevention guardrail).
- `null`, and failed.

Fix

Switch `strict-main` to fire on `workflow_run: mirror-tarball completed` instead of racing with it on the `push` event.

- `mirror-tarball.yml` — unchanged.
- `validate.yml` — added `workflow_run` trigger; gated the four non-strict jobs with `if: github.event_name != workflow_run` so they don't duplicate on the follow-up run; tightened `strict-main` to `workflow_run` with `conclusion == success` and `head_branch == main`.
- `strict-main` now explicitly checks out `ref: main` — default `actions/checkout` behavior on `workflow_run` triggers is the `head_sha` of the triggering run, which is the pre-mirror commit. We need post-mirror state.

Before → after
Before: merge → push-to-main fires 5 checks on validate; strict-main fails (null); mirror runs, backfills, but no re-trigger → persistent red run on main.
After: merge → push-to-main fires 4 checks on validate (strict skips); mirror runs + backfills; on mirror completion a second validate run fires with only strict-main, against the post-mirror state → green.
Test plan
- `workflow_run` does not inherit the push event's `paths` filter — all four non-strict jobs explicitly gated by `github.event_name != workflow_run`.
- `workflow_run` trigger file must land on the default branch before it activates. This PR puts it there.
- `gh workflow run mirror-tarball.yml --repo wheels-dev/wheels-packages --ref main` as a no-op dispatch to verify a `workflow_run`-triggered validate run fires and `strict-main` passes.
- `main`.

Out of scope

- `content-safety` scans every package on every main push (expensive). Left alone — separate follow-up if we want to narrow it.
- `actions/*@v4` — pre-existing, unrelated.
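
The trigger layout the description above outlines, as an added sketch that is not the repository's actual `validate.yml`. It assumes the mirror workflow's `name:` is `mirror-tarball`; the job name `schema`, the `permissions` block and both `run:` commands are hypothetical placeholders.

```yaml
# Added sketch, not the project's file. Assumptions: the mirror workflow's
# `name:` is "mirror-tarball"; `schema` and both `run:` commands are
# hypothetical placeholders.
name: validate

on:
  pull_request:
  push:
    branches: [main]
  workflow_run:
    workflows: [mirror-tarball]   # matched against the other workflow's name
    types: [completed]            # fires on any conclusion, so check it below

permissions:
  contents: read                  # assumption: validation only reads the repo

jobs:
  schema:                         # stands in for the four non-strict jobs
    # Skip on the follow-up run so PR/push checks are not duplicated.
    if: github.event_name != 'workflow_run'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/validate.sh            # hypothetical command

  strict-main:
    # Run only after a successful mirror run that ran for main.
    if: >-
      github.event_name == 'workflow_run' &&
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main               # validate the post-mirror state of main
      - run: ./scripts/validate.sh --strict   # hypothetical command
```

`ref: main` resolves to whatever the branch tip is when the checkout step runs, so a merge that lands between the backfill commit and this job is the state that gets strictly validated.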