ci: hybrid mirror push triggers for feature branches (smoke + lane-shas)
Some checks failed
lane-shas / verify pinned lane SHAs (push) Has been skipped
smoke / smoke (-m "not quarantine") (push) Has been skipped
smoke / smoke (-m "not quarantine") (pull_request) Successful in 5m36s
lane-shas / verify pinned lane SHAs (pull_request) Has been cancelled

GitHub never sees Forgejo PRs, so pull_request-gated workflows never ran on
the mirror for feature branches. Per the hybrid workflow guide convention,
smoke + lane-shas now also trigger on non-main branch pushes.

- Job guards (github.server_url) keep the Forgejo Act host from running each
  branch twice (push + pull_request) — the run #167 OOM class.
- lane-shas extends its skip-safe pin-relevant-path policy to branch pushes
  (merge-base vs origin/main); main pushes keep always-verify.
- full-pytest stays main-only (a per-push ~73-min trigger would torch the
  Actions minute budget).

Note: GitHub-side runs stay dead until the AssetOverflow account billing
lock is cleared ('job was not started because your account is locked').
This commit is contained in:
Shay 2026-07-15 12:58:05 -07:00
parent a11899f8b9
commit 819cf78b31
2 changed files with 32 additions and 5 deletions

View file

@ -18,7 +18,12 @@ name: lane-shas
on:
push:
branches: [main]
# main: post-merge verify (always runs, any host).
# other branches: hybrid mirror CI — GitHub-hosted runners stand in for
# the Forgejo pull_request gate (PR metadata lives on Forgejo only). The
# job guard below skips branch pushes on the Forgejo Act host to avoid
# double-running each branch (push + pull_request).
branches: ['**']
pull_request:
branches: [main]
@ -34,6 +39,10 @@ jobs:
name: verify pinned lane SHAs
runs-on: ubuntu-latest
timeout-minutes: 45
if: >-
github.event_name == 'pull_request' ||
github.ref_name == 'main' ||
github.server_url == 'https://github.com'
steps:
- name: checkout
@ -48,14 +57,21 @@ jobs:
run: |
set -euo pipefail
# Always verify on main pushes.
if [ "${{ github.event_name }}" = "push" ]; then
if [ "${{ github.event_name }}" = "push" ] && [ "${{ github.ref_name }}" = "main" ]; then
echo "run=true" >> "$GITHUB_OUTPUT"
echo "Pin-relevant path check: always run on push"
echo "Pin-relevant path check: always run on main push"
exit 0
fi
BASE="${{ github.event.pull_request.base.sha }}"
HEAD="${{ github.event.pull_request.head.sha }}"
if [ "${{ github.event_name }}" = "push" ]; then
# Feature-branch push (GitHub mirror): same skip-safe policy as the
# Forgejo PR gate, diffing against the merge-base with main.
BASE="$(git merge-base origin/main HEAD)"
HEAD="$(git rev-parse HEAD)"
else
BASE="${{ github.event.pull_request.base.sha }}"
HEAD="${{ github.event.pull_request.head.sha }}"
fi
# Paths that can change pin bytes or CLAIMS generation inputs.
# Keep in sync with docs/testing-lanes.md § CI policy.
PATTERN='(\.py$|^packs/|^evals/|^teaching/|^CLAIMS\.md$|^pyproject\.toml$|^uv\.lock$|^\.github/workflows/lane-shas\.yml$)'

View file

@ -15,6 +15,13 @@ name: smoke
on:
pull_request:
branches: [main]
# Hybrid mirror CI (docs: Agent Workflow Guide — Hybrid Forgejo & GitHub
# Actions): PR metadata lives on Forgejo only, so GitHub never sees
# pull_request events. Mirrored feature-branch pushes run this same gate on
# GitHub-hosted runners instead. The job guard below keeps the Forgejo Act
# host from running each branch twice (push + pull_request).
push:
branches-ignore: [main]
permissions:
contents: read
@ -28,6 +35,10 @@ jobs:
name: smoke (-m "not quarantine")
runs-on: ubuntu-latest
timeout-minutes: 10
# Push events are the GitHub-mirror stand-in for Forgejo PRs; skip them on
# the Forgejo Act host, which already covers branches via pull_request
# (avoids double-running the 4GB host — the run #167 OOM class).
if: github.event_name == 'pull_request' || github.server_url == 'https://github.com'
steps:
- name: checkout