ci: update CI workflow dependencies and required status checks#1159
Conversation
marcusrbrown
commented
Jul 9, 2026
- Added 'Gateway Image Smoke Test' and 'Workspace Image Smoke Test' to the list of required status checks.
- Modified 'Test' job to only depend on 'setup'.
- Adjusted 'Release' job dependencies to include only 'lint', 'test', and 'build'.
- Added 'Gateway Image Smoke Test' and 'Workspace Image Smoke Test' to the list of required status checks. - Modified 'Test' job to only depend on 'setup'. - Adjusted 'Release' job dependencies to include only 'lint', 'test', and 'build'.
fro-bot
left a comment
There was a problem hiding this comment.
Verdict: PASS
Clean, low-risk CI configuration change. The two new required status-check contexts exactly match the workflow job name: values (Gateway Image Smoke Test → ci.yaml:259, Workspace Image Smoke Test → ci.yaml:391), and the dependency-graph edits are correct. Live checks on this PR confirm both smoke jobs run and pass, so the required-context wiring is validated end-to-end.
Blocking issues
None
Non-blocking concerns
- Skipped-when-not-needed required checks. Both smoke jobs are gated by
if: ${{ github.event_name == 'push' || needs.setup.outputs.should-build == 'true' }}(ci.yaml:258, ci.yaml:390). On a PR that touches no build-relevant paths,should-buildisfalseand both jobs are skipped. Withstrict: truebranch protection, a required context that never reports can leave a PRBLOCKED. This is not a regression: the already-requiredBuildcontext (ci.yaml:86) uses the identical gate, so the new smoke jobs inherit whatever resolution mechanism the repo already relies on (merge_group / skip handling). Worth confirming a docs-only PR still reaches a mergeable state, but no action required for this change. testno longer depends onbuild(ci.yaml:131). Correct —bun run test/test:scriptsconsume nodist/artifact, so dropping the edge only improves parallelism.releasedropssetupfromneeds(ci.yaml:739). Safe:releasestill transitively depends onsetupvialint/test/build, andsetupis ungated so it always runs. No behavioral change to release gating (thelint/test/buildedges were already present).
Missing tests
None. This is CI plumbing; the smoke jobs are themselves the tests, and their success on this PR is the verification. Branch-protection context names cannot be unit-tested and were validated against live check runs.
Risk assessment (LOW):
Blast radius limited to CI orchestration and merge gating. No runtime/product code touched. Regression likelihood low — job-name-to-context mapping verified against passing checks; dependency edits preserve required ordering. No security exposure (permissions blocks unchanged, still least-privilege). Worst case is a stricter merge gate, which is the intended effect.
Run Summary
| Field | Value |
|---|---|
| Event | pull_request |
| Repository | fro-bot/agent |
| Run ID | 29056669959 |
| Cache | hit |
| Session | ses_0b6d83396ffemHzDl7MhWOlF36 |