fix(ci): gate required schema-parity & verify-non-root via changes job (#1222) — main#1236
Merged
Merged
Conversation
#1222) Both checks were required on `dev` but path-filtered via `on.pull_request.paths`, so they never posted a status on PRs that don't touch DB/docker paths — leaving the required context "expected" forever and freezing the entire dev merge queue (admin override blocked too via enforce_admins). Move the path filter from the workflow trigger to a cheap `changes` detector (dorny/paths-filter) + job-level `if:`. A job skipped via `if:` still posts a check run (conclusion: skipped), which branch protection counts as passing — so the required context is always present, while the heavy job runs only when the relevant surface changes. Intent preserved: schema-parity still blocks real schema drift on `src/backend/db/**`; verify-non-root still blocks root/socket regressions on `docker/**`. Self-merging: this PR edits both workflow files (each filter includes its own path), so both real jobs run here and post all four required contexts — no branch-protection change or admin override needed. Fixes #1222 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dolho
approved these changes
Jun 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The CI required-check shim from #1223 landed on
devbut not onmain.mainstill path-filtersschema-parityandverify-non-rootat the workflow trigger, so any PR tomain(includingdev → mainrelease PRs) that doesn't touch DB ordocker/**paths freezesBLOCKED— the required context stays "expected" forever andenforce_adminsblocks the override.Fix
Promote the #1223 change to
mainverbatim (cherry-pick of9e4882d4): move path filtering from the workflow trigger to a cheapchangesdetector job (dorny/paths-filter) + a job-levelif:on the heavy job.if:still posts a check run (conclusion: skipped), which branch protection counts as passing → the required context is always present.schema-paritystill runs (and can block) onsrc/backend/db/**,database.py,utils/helpers.py, …verify-non-rootstill boots the stack (and can block) ondocker/**,docker-compose*.yml,scripts/deploy/start.sh,src/mcp-server/Dockerfile.This brings
mainfully in sync withdevon both workflow files (the cherry-pick closes the entiremain..devgap: 77 insertions / 36 deletions across the two files).Self-merging — no branch-protection change needed
This PR edits both workflow files, and each filter includes its own path, so both real jobs run here and post all four required contexts.
Relates to #1222 (the
dev-side fix shipped as #1223).🤖 Generated with Claude Code