PR #1170 added secret-scan, dependency-security, and sast-scan jobs to ci-required.yml as enforcing gates. Because ci-required.yml has no aggregation gate job, each runs as an independent check and is not merge-blocking until its context is added to the protected-branch required-status-checks list (a repo-settings action, not doable from PR code).
Action (maintainer)
Add these exact check contexts (<caller job> / <inner job>) to branch protection on main:
Secret Scan / Gitleaks Scan
Dependency Security / Dependency Security Signals
SAST Scan / SAST Scan (Semgrep)
(The bundle-size check rides inside the already-required Frontend Unit job — no separate context.)
Until then, the scans still report red/green on each PR, but only advisory-style: PRs can merge with a failing scan. Source: adversarial review of #1170. See ADR-0035.
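A way to verify the maintainer action actually landed, as an added example that is not part of the original note or the project's code: it audits the branch-protection response against the three exact contexts above and flags near-misses, since GitHub matches required-status-check contexts as exact strings (a context that differs only in case or spacing does not block merges). The function and variable names, and the sample response, are constructed assumptions; the REST path in the comment is the real GitHub endpoint.

```python
"""Audit: are the PR #1170 scan jobs actually merge-blocking on main?

Added example. Assumes the JSON shape returned by
GET /repos/{owner}/{repo}/branches/main/protection/required_status_checks
({"strict": bool, "contexts": [...]}) and uses a constructed sample in place
of a live `gh api` call.
"""
import re

# Exact contexts the note says must be required ("<caller job> / <inner job>").
EXPECTED_CONTEXTS = [
    "Secret Scan / Gitleaks Scan",
    "Dependency Security / Dependency Security Signals",
    "SAST Scan / SAST Scan (Semgrep)",
]

# Constructed sample response: one context missing, one differing only in case.
SAMPLE_PROTECTION = {
    "strict": True,
    "contexts": [
        "Frontend Unit",
        "secret scan / gitleaks scan",
        "SAST Scan / SAST Scan (Semgrep)",
    ],
}


def _norm(ctx: str) -> str:
    """Fold case and whitespace so near-misses can be reported separately."""
    return re.sub(r"\s+", " ", ctx).strip().lower()


def audit_required_checks(protection: dict, expected=EXPECTED_CONTEXTS) -> dict:
    """Classify each expected context as enforced, near_miss, or missing.

    Contexts are matched byte-for-byte by GitHub, so a near-miss is NOT
    merge-blocking; it is reported with the string actually present so the
    maintainer corrects it instead of adding a duplicate.
    """
    present = set(protection.get("contexts", []))
    by_norm = {_norm(c): c for c in present}
    result = {"enforced": [], "near_miss": {}, "missing": []}
    for ctx in expected:
        if ctx in present:
            result["enforced"].append(ctx)
        elif _norm(ctx) in by_norm:
            result["near_miss"][ctx] = by_norm[_norm(ctx)]
        else:
            result["missing"].append(ctx)
    return result


if __name__ == "__main__":
    for state, items in audit_required_checks(SAMPLE_PROTECTION).items():
        print(f"{state}: {items}")
```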