From 5cd0673217d4f83832186a16bc9a449d23d1e58f Mon Sep 17 00:00:00 2001
From: kshitijk4poor <82637225+kshitijk4poor@users.noreply.github.com>
Date: Fri, 29 May 2026 21:41:45 +0530
Subject: [PATCH] ci: harden supply-chain gate jobs against changes-job failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The scan-gate / dep-bounds-gate jobs use needs.changes; if the changes job itself fails, its dependents would be skipped via a failed dependency (not a conditional skip), leaving the required check unreported — the same "pending forever" failure this PR fixes. Add always() and switch the gate condition from == 'false' to != 'true' so the gate still fires (and reports SUCCESS) when changes fails and its output is empty.
---
 .github/workflows/supply-chain-audit.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/supply-chain-audit.yml b/.github/workflows/supply-chain-audit.yml
index 324a2e142..3309de78d 100644
--- a/.github/workflows/supply-chain-audit.yml
+++ b/.github/workflows/supply-chain-audit.yml
@@ -182,7 +182,10 @@ jobs:
 scan-gate:
 name: Scan PR for critical supply chain risks
 needs: changes
- if: needs.changes.outputs.scan == 'false'
+ # always() so the gate still reports SUCCESS even if `changes` fails/is
+ # skipped — without it, a failed dependency would leave the required
+ # check unreported (i.e. "pending"), the exact failure mode this fixes.
+ if: always() && needs.changes.outputs.scan != 'true'
 runs-on: ubuntu-latest
 steps:
 - run: echo "No supply-chain-relevant files changed, skipping scan."
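Review bot: The new condition `if: always() && needs.changes.outputs.scan != 'true'` on scan-gate fails open: when the `changes` job fails (the commit message notes its output is then empty), the empty output satisfies `!= 'true'`, so the job runs its "skipping scan" step and reports SUCCESS without anything having established that no supply-chain-relevant files changed. The commit message says this is intended, but for a required check whose purpose is to block risky dependency changes, a failed detection step should surface as a failure rather than as a green "nothing changed" — presumably the real scan job is gated on `outputs.scan == 'true'` and is likewise skipped in that case, leaving the PR with no scan at all and a passing gate. Keeping `always()` so the check is always reported, but adding a step ahead of the existing echo that fails when the upstream result is not success, gives fail-closed behaviour: `- if: needs.changes.result != 'success'` / `run: echo "changes job did not succeed; refusing to report a clean scan" && exit 1`. The same applies to dep-bounds-gate in the second hunk. The enclosing `jobs:` mapping continues outside the hunk.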
@@ -258,7 +261,10 @@ jobs:
 dep-bounds-gate:
 name: Check PyPI dependency upper bounds
 needs: changes
- if: needs.changes.outputs.deps == 'false'
+ # always() so the gate still reports SUCCESS even if `changes` fails/is
+ # skipped — without it, a failed dependency would leave the required
+ # check unreported (i.e. "pending"), the exact failure mode this fixes.
+ if: always() && needs.changes.outputs.deps != 'true'
 runs-on: ubuntu-latest
 steps:
 - run: echo "No pyproject.toml changes, skipping dependency bounds check."
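Review bot: The added comment above dep-bounds-gate's `if:` explains `always()` but not why the comparison was inverted from `== 'false'` to `!= 'true'`, and its closing phrase "the exact failure mode this fixes" refers to a pull request that a reader of the workflow file cannot see. Describing the behaviour instead keeps the comment useful after merge, e.g. `# always() keeps this required check reported even when the changes job fails or is skipped;` / `# != 'true' rather than == 'false': a failed changes job leaves the output empty.`. The identical comment on scan-gate in the first hunk would take the same rewording. The enclosing `jobs:` mapping continues outside the hunk.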