BUILD-10804 unique check names for branch protection

.github/actionlint.yaml

@@ -1,4 +1,6 @@
 ---
 self-hosted-runner:
   labels:
-    - ubuntu-24.04-large
+    - sonar-xs
+    - github-ubuntu-latest-s
+    - github-windows-latest-s

.github/workflows/check-cache-migration.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   check-migration:
-    runs-on: ubuntu-latest
+    runs-on: github-ubuntu-latest-s
     name: Compare GitHub cache vs S3
     permissions:
       id-token: write

.github/workflows/pre-commit.yml

@@ -6,7 +6,7 @@ on:
 jobs:
   pre-commit:
     name: "pre-commit"
-    runs-on: ubuntu-latest
+    runs-on: github-ubuntu-latest-s
     steps:
       - uses: SonarSource/gh-action_pre-commit@fc9d73025994fd1c2b96d568c8c8a4af82a3ae21 # 1.0.6
         with:

.github/workflows/test-action.yml

@@ -147,9 +147,11 @@ jobs:
       # This is the scenario that caused production failures
       - name: Overwrite AWS credentials (simulating user workflow)
         run: |
-          echo "AWS_ACCESS_KEY_ID=FAKE_KEY_TO_OVERRIDE" >> "$GITHUB_ENV"
-          echo "AWS_SECRET_ACCESS_KEY=FAKE_SECRET_TO_OVERRIDE" >> "$GITHUB_ENV"
-          echo "AWS_SESSION_TOKEN=FAKE_TOKEN_TO_OVERRIDE" >> "$GITHUB_ENV"
+          {
+            echo "AWS_ACCESS_KEY_ID=FAKE_KEY_TO_OVERRIDE"
+            echo "AWS_SECRET_ACCESS_KEY=FAKE_SECRET_TO_OVERRIDE"
+            echo "AWS_SESSION_TOKEN=FAKE_TOKEN_TO_OVERRIDE"
+          } >> "$GITHUB_ENV"
           echo "Simulated credential override via GITHUB_ENV"
 
       # Step 3: Create something to cache
@@ -264,11 +266,13 @@ jobs:
 
       - name: Set conflicting AWS env vars
         run: |
-          echo "AWS_ACCESS_KEY_ID=AKIAFAKEENV" >> "$GITHUB_ENV"
-          echo "AWS_SECRET_ACCESS_KEY=fakesecretenv" >> "$GITHUB_ENV"
-          echo "AWS_SESSION_TOKEN=faketokenenv" >> "$GITHUB_ENV"
-          echo "AWS_PROFILE=some-other-profile" >> "$GITHUB_ENV"
-          echo "AWS_DEFAULT_PROFILE=some-other-profile" >> "$GITHUB_ENV"
+          {
+            echo "AWS_ACCESS_KEY_ID=AKIAFAKEENV"
+            echo "AWS_SECRET_ACCESS_KEY=fakesecretenv"
+            echo "AWS_SESSION_TOKEN=faketokenenv"
+            echo "AWS_PROFILE=some-other-profile"
+            echo "AWS_DEFAULT_PROFILE=some-other-profile"
+          } >> "$GITHUB_ENV"
 
       # Cache action should override the conflicting credentials
       - name: Cache with S3
@@ -283,9 +287,11 @@ jobs:
 
       - name: Re-override with fake credentials (simulating mid-job auth change)
         run: |
-          echo "AWS_ACCESS_KEY_ID=AKIAFAKEOVERRIDE" >> "$GITHUB_ENV"
-          echo "AWS_SECRET_ACCESS_KEY=fakesecretoverride" >> "$GITHUB_ENV"
-          echo "AWS_SESSION_TOKEN=faketokenoverride" >> "$GITHUB_ENV"
+          {
+            echo "AWS_ACCESS_KEY_ID=AKIAFAKEOVERRIDE"
+            echo "AWS_SECRET_ACCESS_KEY=fakesecretoverride"
+            echo "AWS_SESSION_TOKEN=faketokenoverride"
+          } >> "$GITHUB_ENV"
 
       - name: Create something to cache
         run: |
@@ -328,3 +334,22 @@ jobs:
           pip install pytest requests
 
       # SUCCESS: credential-guard post step runs, then runs-on/cache saves to S3
+
+  all-green:
+    name: All Tests
+    if: always()
+    needs:
+      - test-github-cache
+      - test-s3-cache
+      - test-s3-cache-with-fallback
+      - test-s3-cache-with-credential-interference
+      - test-s3-cache-windows
+      - test-s3-cache-multiple-invocations
+      - test-s3-cache-with-preset-aws-config
+      - test-s3-cache-survives-git-clean
+    runs-on: github-ubuntu-latest-s
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/test-cache-migration-gh2s3.yml

@@ -172,3 +172,21 @@ jobs:
           [[ "${{ steps.cache.outputs.cache-hit }}" == "true" ]] || { echo "ERROR: cache-hit is not true — GitHub cache was not imported for a public repo"; exit 1; }
           [[ "$(cat ~/.cache/test-migration/test-file.txt)" == "github-content" ]] || { echo "ERROR: unexpected content, not restored from GitHub"; exit 1; }
           rm -rf ~/.cache/test-migration  # prevent saving to S3 so other scenarios don't find it
+
+  all-green:
+    name: All Tests - Cache Migration
+    if: always()
+    needs:
+      - provision-github-cache
+      - provision-s3-cache
+      - test-s3-import-enabled
+      - test-s3-import-disabled
+      - test-s3-import-disabled-via-env
+      - test-s3-hit-skips-github-import
+      - test-auto-public-import-enabled
+    runs-on: github-ubuntu-latest-s
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/test-credential-isolation.yml

@@ -9,8 +9,8 @@ on:
   workflow_dispatch:
 
 jobs:
-  credential-isolation-tests:
-    runs-on: ubuntu-latest
+  tests-credential-isolation:
+    runs-on: github-ubuntu-latest-s
     permissions:
       id-token: write
       contents: read

.pre-commit-config.yaml

@@ -7,13 +7,17 @@ repos:
       - id: check-hooks-apply
       - id: check-useless-excludes
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: 3298ddab3c13dd77d6ce1fc0baf97691430d84b0  # frozen: v4.3.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-added-large-files
         exclude: ^(credential-setup/dist/|credential-guard/dist/)
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: f295829140d25717bc79368d3f966fc1f67a824f  # frozen: v0.41.0
+    rev: v0.48.0
     hooks:
       - id: markdownlint
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.11  # v1.7.1
+    hooks:
+      - id: actionlint