Guard master docs-only pushes and ensure full CI runs

Author: justin808

.github/actions/ensure-master-docs-safety/action.yml

@@ -0,0 +1,66 @@
+name: Ensure master docs-only skips are safe
+description: Fails if the previous master commit still has failing workflow runs when current push is docs-only
+inputs:
+  docs-only:
+    description: 'String output from ci-changes-detector ("true" or "false")'
+    required: true
+  previous-sha:
+    description: 'SHA of the previous commit on master (github.event.before)'
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Check previous master commit status
+      if: ${{ inputs.docs-only == 'true' && inputs.previous-sha != '' && inputs.previous-sha != '0000000000000000000000000000000000000000' }}
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const previousSha = core.getInput('previous-sha');
+          const workflowRuns = await github.paginate(
+            github.rest.actions.listWorkflowRunsForRepo,
+            {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              branch: 'master',
+              per_page: 100
+            }
+          );
+
+          const relevantRuns = workflowRuns.filter((run) => run.head_sha === previousSha);
+
+          if (relevantRuns.length === 0) {
+            core.info(`No workflow runs found for ${previousSha}. Nothing to enforce.`);
+            return;
+          }
+
+          const latestByWorkflow = new Map();
+          for (const run of relevantRuns) {
+            const existing = latestByWorkflow.get(run.workflow_id);
+            if (!existing || new Date(run.created_at) > new Date(existing.created_at)) {
+              latestByWorkflow.set(run.workflow_id, run);
+            }
+          }
+
+          const failingRuns = Array.from(latestByWorkflow.values()).filter((run) => {
+            if (run.status !== 'completed') {
+              core.info(`Workflow ${run.name} (#${run.id}) is still ${run.status}; ignoring for enforcement.`);
+              return false;
+            }
+            return ['failure', 'timed_out', 'cancelled', 'action_required'].includes(run.conclusion);
+          });
+
+          if (failingRuns.length === 0) {
+            core.info(`Previous master commit ${previousSha} completed without failures. Docs-only skip allowed.`);
+            return;
+          }
+
+          const details = failingRuns
+            .map((run) => `- ${run.name} (run #${run.run_number}) concluded ${run.conclusion}`)
+            .join('\n');
+
+          core.setFailed(
+            [
+              `Cannot skip CI for docs-only commit because previous master commit ${previousSha} still has failing workflows:`,
+              details
+            ].join('\n')
+          );

.github/workflows/detect-changes.yml

@@ -25,6 +25,9 @@ on:
 jobs:
   detect:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      actions: read
     outputs:
       docs_only: ${{ steps.changes.outputs.docs_only }}
       run_lint: ${{ steps.changes.outputs.run_lint }}
@@ -41,17 +44,11 @@ jobs:
       - name: Detect changes
         id: changes
         run: |
-          # For master branch, always run everything
-          if [ "${{ github.ref }}" = "refs/heads/master" ]; then
-            echo "docs_only=false" >> "$GITHUB_OUTPUT"
-            echo "run_lint=true" >> "$GITHUB_OUTPUT"
-            echo "run_ruby_tests=true" >> "$GITHUB_OUTPUT"
-            echo "run_js_tests=true" >> "$GITHUB_OUTPUT"
-            echo "run_dummy_tests=true" >> "$GITHUB_OUTPUT"
-            echo "run_generators=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # For PRs, analyze changes
-          BASE_SHA="${{ github.event.pull_request.base.sha || github.event.before }}"
+          BASE_SHA="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_SHA"
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.changes.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}

.github/workflows/examples.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -19,6 +19,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -54,6 +57,12 @@ jobs:
           BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_REF"
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   setup-matrix:
     needs: detect-changes
@@ -79,7 +88,15 @@ jobs:
     needs: [detect-changes, setup-matrix]
     # Run on master, workflow_dispatch, OR when generators needed
     if: |
-      github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_generators == 'true'
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        github.event_name == 'workflow_dispatch' ||
+        needs.detect-changes.outputs.run_generators == 'true'
+      )
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}

.github/workflows/gem-tests.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -21,6 +21,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -56,6 +59,12 @@ jobs:
           BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_REF"
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   setup-gem-tests-matrix:
     needs: detect-changes
@@ -79,7 +88,14 @@ jobs:
     needs: [detect-changes, setup-gem-tests-matrix]
     # Run on master OR when Ruby tests needed on PR
     if: |
-      (github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_ruby_tests == 'true')
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        needs.detect-changes.outputs.run_ruby_tests == 'true'
+      )
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.setup-gem-tests-matrix.outputs.matrix) }}

.github/workflows/integration-tests.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -20,6 +20,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -51,9 +54,15 @@ jobs:
             echo "docs_only=false" >> "$GITHUB_OUTPUT"
           else
             BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
-          script/ci-changes-detector "$BASE_REF"
+            script/ci-changes-detector "$BASE_REF"
           fi
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   setup-integration-matrix:
     needs: detect-changes
@@ -79,7 +88,15 @@ jobs:
     needs: [detect-changes, setup-integration-matrix]
     # Run on master, workflow_dispatch, OR when tests needed on PR
     if: |
-      github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_dummy_tests == 'true'
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        github.event_name == 'workflow_dispatch' ||
+        needs.detect-changes.outputs.run_dummy_tests == 'true'
+      )
     strategy:
       matrix: ${{ fromJson(needs.setup-integration-matrix.outputs.matrix) }}
     runs-on: ubuntu-22.04
@@ -154,7 +171,15 @@ jobs:
     needs: [detect-changes, setup-integration-matrix, build-dummy-app-webpack-test-bundles]
     # Run on master, workflow_dispatch, OR when tests needed on PR
     if: |
-      github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_dummy_tests == 'true'
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        github.event_name == 'workflow_dispatch' ||
+        needs.detect-changes.outputs.run_dummy_tests == 'true'
+      )
     strategy:
       matrix: ${{ fromJson(needs.setup-integration-matrix.outputs.matrix) }}
     runs-on: ubuntu-22.04

.github/workflows/lint-js-and-ruby.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -20,6 +20,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -54,10 +57,24 @@ jobs:
           BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_REF"
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   build:
     needs: detect-changes
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_lint == 'true'
+    if: |
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        needs.detect-changes.outputs.run_lint == 'true'
+      )
     env:
       BUNDLE_FROZEN: true
     runs-on: ubuntu-22.04

.github/workflows/package-js-tests.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - 'master'
-    # Never skip on master - always run full test suite
+    # Always trigger on master; docs-only detection handles skipping heavy jobs
   pull_request:
     paths-ignore:
       - '**.md'
@@ -22,6 +22,9 @@ on:
 
 jobs:
   detect-changes:
+    permissions:
+      contents: read
+      actions: read
     runs-on: ubuntu-22.04
     outputs:
       docs_only: ${{ steps.detect.outputs.docs_only }}
@@ -57,12 +60,25 @@ jobs:
           BASE_REF="${{ github.event.pull_request.base.sha || github.event.before || 'origin/master' }}"
           script/ci-changes-detector "$BASE_REF"
         shell: bash
+      - name: Guard docs-only master pushes
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+        uses: ./.github/actions/ensure-master-docs-safety
+        with:
+          docs-only: ${{ steps.detect.outputs.docs_only }}
+          previous-sha: ${{ github.event.before }}
 
   build:
     needs: detect-changes
     # Run on master OR when JS tests needed on PR
     if: |
-      (github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_js_tests == 'true')
+      !(
+        github.event_name == 'push' &&
+        github.ref == 'refs/heads/master' &&
+        needs.detect-changes.outputs.docs_only == 'true'
+      ) && (
+        github.ref == 'refs/heads/master' ||
+        needs.detect-changes.outputs.run_js_tests == 'true'
+      )
     strategy:
       matrix:
         include: