feat: add self-validating workflow gate jobs (aws-observability#477)

thpierce · jj22ee · commit abfb4d501705 · 2025-10-22T13:45:40.000-07:00
Add gate jobs that fail if any workflow job fails OR if any job is missing from the gate's needs array. Prevents both job failures and configuration drift when adding new workflow jobs. Callout: I don't think it's possible to have one gate for both workflows, but it should not be the case that we add more over time. ### Testing: * Confirmed if even one subjob in a matrix fails, the job fails: [PASS](https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17930014615/job/50985189015?pr=477) * lint(lint) passes, but lint (spellcheck) fails, and all-pr-checks-pass fails. * Confirmed if a job is missing, the job fails: [PASS](https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17930365916/job/50986188220?pr=477) By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -95,3 +95,38 @@ jobs:
       uses: github/codeql-action/analyze@16df4fbc19aea13d921737861d6c622bf3cefe23 #v2.23.0
       with:
         category: "/language:${{matrix.language}}"
+
+  all-codeql-checks-pass:
+    runs-on: ubuntu-latest
+    needs: [analyze]
+    if: always()
+    steps:
+      - name: Checkout to get workflow file
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+      
+      - name: Check all jobs succeeded and none missing
+        run: |
+          # Check if all needed jobs succeeded
+          results='${{ toJSON(needs) }}'
+          if echo "$results" | jq -r '.[] | .result' | grep -v success; then
+            echo "Some jobs failed"
+            exit 1
+          fi
+          
+          # Extract all job names from workflow (excluding this gate job)
+          all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/codeql.yml | grep -v "all-codeql-checks-pass" | sort)
+          
+          # Extract job names from needs array
+          needed_jobs='${{ toJSON(needs) }}'
+          needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
+          
+          # Check if any jobs are missing from needs
+          missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
+          if [ -n "$missing_jobs" ]; then
+            echo "ERROR: Jobs missing from needs array in all-codeql-checks-pass:"
+            echo "$missing_jobs"
+            echo "Please add these jobs to the needs array of all-codeql-checks-pass"
+            exit 1
+          fi
+          
+          echo "All CodeQL checks passed and no jobs missing from gate!"
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -155,3 +155,38 @@ jobs:
 
       - name: Build with Gradle
         run: cd performance-tests; ./gradlew spotlessCheck
+
+  all-pr-checks-pass:
+    runs-on: ubuntu-latest
+    needs: [static-code-checks, lint, spotless, build, build-lambda]
+    if: always()
+    steps:
+      - name: Checkout to get workflow file
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+      
+      - name: Check all jobs succeeded and none missing
+        run: |
+          # Check if all needed jobs succeeded
+          results='${{ toJSON(needs) }}'
+          if echo "$results" | jq -r '.[] | .result' | grep -v success; then
+            echo "Some jobs failed"
+            exit 1
+          fi
+          
+          # Extract all job names from workflow (excluding this gate job)
+          all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/pr-build.yml | grep -v "all-pr-checks-pass" | sort)
+          
+          # Extract job names from needs array
+          needed_jobs='${{ toJSON(needs) }}'
+          needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
+          
+          # Check if any jobs are missing from needs
+          missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
+          if [ -n "$missing_jobs" ]; then
+            echo "ERROR: Jobs missing from needs array in all-pr-checks-pass:"
+            echo "$missing_jobs"
+            echo "Please add these jobs to the needs array of all-pr-checks-pass"
+            exit 1
+          fi
+          
+          echo "All checks passed and no jobs missing from gate!"
