
Add sfw aggregator gate to enforce required CI checks#89

Merged: lelia merged 2 commits into main from lelia/sfw-aggregator-gate, Jun 3, 2026

Conversation

@lelia lelia (Contributor) commented Jun 3, 2026

What

Adds a single sfw-gate job to dependency-review.yml — the check intended to eventually become the required status check on main — and bumps the package version 3.2.0 → 3.2.1.

Also already done out-of-band: the socket-firewall GitHub Environment's required_reviewers protection rule was removed (it was self-approvable with prevent_self_review: false and bypassable since it was never a required check). The environment is retained for narrow secret scoping purposes.

Why

The Socket Firewall smoke jobs are conditional — python_deps_changed gates them, and exactly one of python-sfw-smoke-free / python-sfw-smoke-enterprise runs per PR (free for Dependabot/forks, enterprise for trusted maintainers). So neither can be marked required directly: a required status check whose job is skipped via a job-level if: is never created, sits at "Expected — Waiting for status to be reported" forever, and permanently blocks merge. That would hit every Dependabot/fork PR and every PR that doesn't touch deps.

The aggregator gate solves this:

  • if: always(), needs: the conditional jobs (inspect, both smoke jobs, workflow-notice)
  • reads ${{ toJSON(needs) }} and fails iff any result is failure or cancelled; success and skipped both pass
  • green when no deps change (everything skips), and satisfied by whichever smoke path actually ran
  • a real Socket Firewall block surfaces as a smoke-job failure → gate failure

Not blocking yet (intentional)

This PR does not touch branch-protection required checks. The gate is added during a soak period so the check is visible and familiar before it becomes blocking — and per the sequencing rule, the gate must exist on main before it can be required, or requiring it would strand every other open PR on the same trap. Flipping it to required is a follow-up, after comms + sign-off.

Pattern source

Adapted from SocketDev/socket-python-cli #224. The bypass-job pattern (#224's Pattern 1) is not needed here — the SDK has no e2e matrix, and the free/enterprise split is already mutually-exclusive-and-exhaustive at the job level.
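The gate logic described above, as an added example rather than the PR's own workflow code: a POSIX shell function that evaluates the ${{ toJSON(needs) }} payload the way the sfw-gate run: step would, failing only on failure or cancelled. The job names are the ones named in the PR; the sample contexts are constructed, and using awk instead of jq is an assumption about what the runner has installed.

```shell
#!/bin/sh
# Gate evaluation for the sfw-gate `run:` step (added example, not the
# project's workflow). Input is assumed to be the ${{ toJSON(needs) }} object:
# one top-level key per upstream job, each carrying a "result" field.

gate_check() {
  # $1: needs JSON. Exit 0 (gate green) unless an upstream job reported
  # failure or cancelled; success and skipped both pass.
  printf '%s\n' "$1" | awk '
    /^  "[^"]+": *\{/ { job = $1; gsub(/[":{]/, "", job) }   # top-level job key
    /"result":/ {
      match($0, /"result": *"[a-z]+"/)
      r = substr($0, RSTART, RLENGTH); sub(/.*: *"/, "", r); sub(/"$/, "", r)
      res[job] = r
    }
    END {
      bad = 0
      for (j in res) {
        if (res[j] == "failure" || res[j] == "cancelled") {
          printf "BLOCK %-28s %s\n", j, res[j]; bad = 1
        } else {
          printf "pass  %-28s %s\n", j, res[j]
        }
      }
      exit bad
    }'
}

# Constructed sample contexts (compact form; the parser also accepts the
# multi-line layout toJSON actually emits). Job names are those in the PR.
NEEDS_NO_DEPS='{
  "inspect": { "result": "skipped", "outputs": {} },
  "python-sfw-smoke-free": { "result": "skipped", "outputs": {} },
  "python-sfw-smoke-enterprise": { "result": "skipped", "outputs": {} },
  "workflow-notice": { "result": "skipped", "outputs": {} }
}'
NEEDS_FREE_OK='{
  "inspect": { "result": "success", "outputs": {} },
  "python-sfw-smoke-free": { "result": "success", "outputs": {} },
  "python-sfw-smoke-enterprise": { "result": "skipped", "outputs": {} },
  "workflow-notice": { "result": "success", "outputs": {} }
}'
NEEDS_BLOCKED='{
  "inspect": { "result": "success", "outputs": {} },
  "python-sfw-smoke-free": { "result": "skipped", "outputs": {} },
  "python-sfw-smoke-enterprise": { "result": "failure", "outputs": {} },
  "workflow-notice": { "result": "success", "outputs": {} }
}'
gate_check "$NEEDS_NO_DEPS"                 # no deps touched: all skipped, green
gate_check "$NEEDS_BLOCKED" || echo "gate: FAIL (a Socket Firewall block surfaced)"
```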

Add a single sfw-gate job (if: always(), needs the conditional inspect +
free/enterprise smoke + workflow-notice jobs) that fails only when an
upstream job failed or was cancelled -- success and skipped both pass.

This is the check intended to become the required status check on main:
the smoke jobs are conditional (deps-changed gates them, and exactly one
of free/enterprise runs per PR), so none can be required directly -- a
required check whose job is if-skipped is never created and blocks merge
forever. The gate is green when no deps change and is satisfied by
whichever smoke path actually ran.

NOT yet wired into branch protection -- added during a soak period so the
check is visible before it becomes blocking, and so requiring it doesn't
strand other open PRs.

Pattern adapted from SocketDev/socket-python-cli #224.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia requested a review from a team as a code owner June 3, 2026 17:45
@lelia lelia temporarily deployed to socket-firewall June 3, 2026 17:46 — with GitHub Actions Inactive
github-actions Bot commented Jun 3, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketdev==3.2.1.dev2

@lelia lelia changed the title from "ci: add Socket Firewall aggregator gate (non-blocking, soak)" to "Add sfw aggregator gate to enforce required CI checks" Jun 3, 2026
Review feedback: 'iff' read as a typo. It is the logic shorthand for
'if and only if', but the comment exists to communicate, so spell it out.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia deployed to socket-firewall June 3, 2026 17:57 — with GitHub Actions Active
@lelia lelia merged commit 836936c into main Jun 3, 2026
12 checks passed
