From 929be7713b006b6b28dfeedca30e427b1299e40b Mon Sep 17 00:00:00 2001 From: Juan Sugg Date: Sat, 4 Jul 2026 08:29:52 -0300 Subject: [PATCH] ci: run lock audit on main --- .github/workflows/ci-gate.yml | 3 ++- tests/suites/contracts/repo/test_ci_workflow_surfaces.py | 9 ++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-gate.yml b/.github/workflows/ci-gate.yml index 5bf1e3c..77a808b 100644 --- a/.github/workflows/ci-gate.yml +++ b/.github/workflows/ci-gate.yml @@ -88,7 +88,7 @@ jobs: dependency_review: name: Dependency Review needs: classify - if: github.event_name == 'pull_request' && needs.classify.outputs.dependency_review == 'true' + if: needs.classify.outputs.dependency_review == 'true' runs-on: ubuntu-latest permissions: contents: read @@ -103,6 +103,7 @@ jobs: version: "0.10.9" enable-cache: true - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 + if: github.event_name == 'pull_request' continue-on-error: true - name: Audit resolved Python dependencies run: uv run python3 ./tests/scripts/ci_gate.py run-dependency-audit --repo-root . diff --git a/tests/suites/contracts/repo/test_ci_workflow_surfaces.py b/tests/suites/contracts/repo/test_ci_workflow_surfaces.py index e10d15a..9bcef35 100644 --- a/tests/suites/contracts/repo/test_ci_workflow_surfaces.py +++ b/tests/suites/contracts/repo/test_ci_workflow_surfaces.py @@ -156,7 +156,7 @@ def test_ci_gate_workflow_runs_on_pull_requests_main_push_and_emits_verdict() -> def test_ci_gate_dependency_review_is_blocking_and_path_selected() -> None: - """Dependency review should block dependency PRs with vulnerable lock output.""" + """Dependency review should block dependency changes on PRs and main pushes.""" workflow = yaml.safe_load(_workflow_text("ci-gate.yml")) jobs = cast(dict[str, object], workflow["jobs"]) dependency_review = cast(dict[str, object], jobs["dependency_review"]) @@ -164,10 +164,7 @@ def test_ci_gate_dependency_review_is_blocking_and_path_selected() -> None: filters_text = _ci_gate_filters_text() assert dependency_review["name"] == "Dependency Review" - assert ( - dependency_review["if"] - == "github.event_name == 'pull_request' && needs.classify.outputs.dependency_review == 'true'" - ) + assert dependency_review["if"] == "needs.classify.outputs.dependency_review == 'true'" assert dependency_review["permissions"] == { "contents": "read", "pull-requests": "read", @@ -175,6 +172,7 @@ def test_ci_gate_dependency_review_is_blocking_and_path_selected() -> None: assert any( step.get("uses") == "actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294" + and step.get("if") == "github.event_name == 'pull_request'" and step.get("continue-on-error") is True for step in dependency_review_steps ) @@ -185,6 +183,7 @@ def test_ci_gate_dependency_review_is_blocking_and_path_selected() -> None: assert any( str(step.get("run", "")) == "uv run python3 ./tests/scripts/ci_gate.py run-dependency-audit --repo-root ." + and step.get("if") is None for step in dependency_review_steps ) assert "dependency_review:" in filters_text