ci: gate binding publishers on the core via a needs: job (#500 follow-up) #515

Merged: raeq merged 2 commits into main from fix/500-followup-needs-gate on Jul 1, 2026
@raeq (Owner) commented Jul 1, 2026

Follow-up to #514 (which fixed #500). Implements the issue's "eventual clean architecture" (option 3) — needs:-based ordering — adapted to respect the OIDC trusted-publishing constraint.

What changed

#514 fixed the release race with an inline crates.io sparse-index poll inside each binding build, which runs redundantly once per matrix leg (5× in node build, 5× in ruby cross-gems). This replaces that with a single wait-for-core gating job per binding workflow that the build job depends on via needs:, so a binding build doesn't start until disarm 0.<minor> is on crates.io.

  • publish-node.yml: add wait-for-core (release/workflow_dispatch-gated), remove the inline poll from build, add needs: wait-for-core to build.
  • publish-ruby.yml: same, gating cross-gems.

Why not literally merge into one workflow (option 3 as written)

publish-node.yml and publish-ruby.yml are registered as OIDC Trusted Publishers keyed to their exact workflow filenames (npmjs.org / rubygems.org), and PyPI/RubyGems also key on the pypi / rubygems environments. Merging the three publishers into one file would silently break trusted publishing until each registry's Trusted Publisher is reconfigured out-of-band. So the needs: dependency is scoped within each existing workflow — triggers, filenames, and environments are all unchanged.

workflow_run chaining (option 2) was also rejected: it flips github.event_name to workflow_run, breaking the ~5 release/workflow_dispatch guards per file (including the #374 drift-patch gate) and forcing manual release-ref handling.

Behavior on non-release events

On push/PR the wait-for-core job is skipped (its if: is false). A skipped needs: dependency does not block the dependent, so the node build / ruby test validation jobs still run against the #374 in-repo-patched core exactly as before.

Verification

Assisted-by: Claude:claude-opus-4-8

…-up)

PR #514 fixed the #500 release race with an inline crates.io sparse-index poll
inside each binding build — but that runs redundantly once per matrix leg (5x in
the node `build` matrix, 5x in ruby `cross-gems`). Realise the issue's option (3)
`needs:`-based ordering instead: a single `wait-for-core` gating job per binding
workflow that the build job depends on, so a build doesn't start until `disarm
0.<minor>` is on crates.io.

Scope the `needs:` within each existing workflow rather than merging the three
publishers into one file: publish-node.yml / publish-ruby.yml are registered as
OIDC Trusted Publishers keyed to their exact filenames (npmjs.org / rubygems.org),
so a merge would break trusted publishing until each registry is reconfigured
out-of-band. Triggers, filenames, and environments are unchanged.

- publish-node.yml: add `wait-for-core` (release/dispatch-gated), remove the
  inline poll from `build`, add `needs: wait-for-core` to `build`.
- publish-ruby.yml: same, gating `cross-gems`.

On push/PR the gating job is skipped; a skipped `needs:` dependency does not block
the dependent, so the #374 in-repo-patched validation builds run unchanged.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Richard Quinn <[email protected]>

Copilot AI review requested due to automatic review settings July 1, 2026 17:31
@raeq raeq enabled auto-merge July 1, 2026 17:32

Copilot AI (Contributor) left a comment

Pull request overview

This PR refactors the binding publish workflows (Node and Ruby) to avoid redundant per-matrix polling for the core crate by introducing a single wait-for-core gating job per workflow, then wiring the build job to depend on it via needs:—while keeping workflow filenames/environments unchanged for OIDC Trusted Publishing compatibility.

Changes:

  • Added a wait-for-core job to publish-node.yml and publish-ruby.yml to poll crates.io once per workflow (release/dispatch only).
  • Removed the inline per-matrix poll from the Node/Ruby build jobs and replaced it with needs: wait-for-core gating.
  • Updated job ordering so the release path waits for disarm 0.<minor> to be available on crates.io before starting binding builds.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/publish-node.yml | Adds wait-for-core and gates build via needs: (but currently breaks push-to-main validation runs unless adjusted). |
| .github/workflows/publish-ruby.yml | Adds wait-for-core and gates cross-gems via needs: on release/dispatch, eliminating redundant per-matrix polling. |


Comment thread .github/workflows/publish-node.yml Outdated
Comment thread .github/workflows/publish-node.yml Outdated
Address Copilot review on #515: a job with the default `if: success()` is
SKIPPED when a `needs:` dependency is skipped, so `build`'s plain `needs:
wait-for-core` would suppress the push-to-main validation build (#374 patch
path), where wait-for-core is release/dispatch-gated and thus skipped.

Guard `build` with `if: ${{ !failure() && !cancelled() }}` so it runs when the
gate SUCCEEDED (release/dispatch, core is up) or was SKIPPED (push), but not when
it FAILED (core never landed in 10 min) — in which case `publish` (needs: build)
is skipped too. This is safe under either GitHub skipped-dependency semantic. The
ruby `cross-gems` job needs no change: it is release/dispatch-only, exactly when
wait-for-core also runs, so it never faces a skipped gate. Also correct the
misleading "push/PR" wording (publish-node.yml runs on push to main, not PRs).

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Richard Quinn <[email protected]>
@raeq raeq merged commit 611a162 into main Jul 1, 2026
28 checks passed
@raeq raeq deleted the fix/500-followup-needs-gate branch July 1, 2026 18:03
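
The gating pattern this PR describes, as an added sketch that is not the project's publish-node.yml: one release-only `wait-for-core` job polls the crates.io sparse index, and `build` depends on it with the `!failure() && !cancelled()` guard from the second commit. The release trigger type, runner, poll interval, matrix values, build step and the `CORE_VERSION` placeholder are assumptions.

```yaml
# Added sketch, not the project's workflow file. Values marked "assumed"
# or "placeholder" do not come from the page.
name: publish-node
on:
  push:
    branches: [main]
  release:
    types: [published]          # assumed trigger type
  workflow_dispatch:

jobs:
  wait-for-core:
    # Release path only; on push to main this job is skipped.
    if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    timeout-minutes: 10         # gate fails if the core never lands in 10 min
    steps:
      - name: Poll the crates.io sparse index for the core crate
        env:
          CORE_VERSION: "0.<minor>"   # placeholder: exact version not on the page
        run: |
          # Sparse-index path for a crate named "disarm" is di/sa/disarm;
          # each line of that file is one JSON record with a "vers" field.
          until curl -fsS https://index.crates.io/di/sa/disarm \
                | grep -q "\"vers\":\"${CORE_VERSION}\""; do
            sleep 15            # assumed poll interval
          done

  build:
    needs: wait-for-core
    # With a plain needs: the default if: success() applies, and build is
    # skipped whenever wait-for-core is skipped (push to main). This guard
    # runs build when the gate succeeded or was skipped, and not when it
    # failed or the run was cancelled.
    if: ${{ !failure() && !cancelled() }}
    strategy:
      matrix:
        target: [leg-a, leg-b]  # constructed matrix legs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "build the binding for ${{ matrix.target }}"  # assumed step
```

Because the poll lives in its own job, it runs once per workflow run instead of once per matrix leg, and the workflow filename that the registry's Trusted Publisher is keyed to stays unchanged.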

Development

Successfully merging this pull request may close these issues.

Release: binding publishers race the core crate publish (fail until the core is on crates.io)
