ci: docs-gate companion so docs-only PRs satisfy required checks (no admin bypass)#18
Merged
Merged
Conversation
main branch protection requires `lint-and-test` + `validate-templates (app| default|docs|portfolio|product)`. ci.yml is paths-gated to code paths, so a PR that touches only README*.md (e.g. a translations refresh) never triggers those checks - the required contexts stay Pending and the PR is stuck MERGEABLE/BLOCKED, forcing an --admin bypass every release (hit on v2.1.0 #17). Add .github/workflows/ci-docs.yml: GitHub's documented "skipped but required checks" pattern. It triggers on the INVERSE paths (paths-ignore == ci.yml's paths) with no-op jobs whose names mirror the required contexts exactly, so the checks report green on docs-only PRs in a few seconds. The real build still only runs on code changes via ci.yml. Mixed code+docs PRs trigger both; GitHub requires ALL same-named check runs to pass (conjunction, fails closed), so the real build still gates code - protection is not weakened. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem — a CI/branch-protection deadlock blocks docs-only PRs
mainbranch protection requires these status checks before merge:Those contexts are produced by
ci.yml, which is paths-gated to code paths (package.json,package-lock.json,cli/**,components/**,types/**,templates/**,styles/**,tests/**,tsconfig.json,.github/workflows/**).A PR that changes only
README*.md(e.g. the per-release translations refresh) never matches those paths, soci.ymlnever runs and the required checks never report. The PR sitsMERGEABLE / BLOCKEDforever — the required check is stuckPending. Every release has had to bypass this with an admin merge (--admin). It happened on the v2.1.0 translations PR (#17).Fix — GitHub's documented "skipped but required checks" pattern
Add a tiny companion workflow
.github/workflows/ci-docs.ymlthat:paths-ignore==ci.yml'spaths), so it runs only when a PR changes no code paths;lint-and-testand avalidate-templatesmatrix[default, docs, product, portfolio, app, tool]— each running a few-secondecho.On a docs-only PR the companion reports all required contexts green in seconds;
ci.ymlstays correctly skipped (no wasted build). On a code PR the companion stays out of the way and the real build is the only thing reporting the contexts.Refs:
Why a separate file (not a job inside
ci.yml)pathsis a workflow-level trigger filter — it gates the entireci.yml. A no-op job added insideci.ymlwould be gated by the same code-paths filter and would not run on docs-only PRs. The companion must be its own file with the inverse filter. It is intentionally minimal (nocheckout, nosetup-node, pureecho).Safety — real code PRs are NOT weakened
ci.yml(real build)ci-docs.yml(no-op)README*.md)For the mixed case, GitHub evaluates same-named required checks as a conjunction — per the docs, "if you have a check and a status with the same name … both … are required." All check runs sharing a context name must pass, so a failing real build still blocks the merge; the no-op can never shadow it. It fails closed. Protection on real code changes is unchanged: the full
lint-and-test+validate-templatesstill gate any PR that touches code.Org GitHub Actions rules — respected
ci.yml) stays paths-gated; this companion is also paths-filtered (inverse).ubuntu-latest.concurrencyblock preserved (and present here).workflow_dispatchmanual fallback included.ci.yml's path filter is workflow-level (see above).Verification
.github/workflows/**, which is a code path → it triggers the realci.yml(fulllint-and-test+validate-templatesmatrix) and does not trigger the companion. That confirms code/workflow PRs still run the full build.lint-and-test+validate-templates (*)checks, which report green, andci.ymlis skipped — so the PR becomes mergeable through the normal flow with no--admin. (Final confirmation lands once this is onmain: the next translations PR will go green on its own.)This pattern may recur on other org repos
Any
mcp-tool-shop-orgrepo that combines required status checks with a paths-gated CI workflow has the same latent deadlock for docs-only PRs. This PR is scoped to site-theme only; flagging for awareness so the same companion-workflow fix can be applied where the pattern repeats (e.g. registry-stats and other Astro/CI repos).