diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index 8d9cbb3..b09b1d6 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml @@ -2,11 +2,12 @@ name: Backend on: pull_request: - push: - branches: - - main workflow_dispatch: +concurrency: + group: backend-${{ github.head_ref || github.ref }} + cancel-in-progress: true + permissions: contents: read diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index 9e8412b..0777e88 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -2,11 +2,12 @@ name: Frontend on: pull_request: - push: - branches: - - main workflow_dispatch: +concurrency: + group: frontend-${{ github.head_ref || github.ref }} + cancel-in-progress: true + permissions: contents: read diff --git a/docs/development/branch-protection-readiness.md b/docs/development/branch-protection-readiness.md index caadb15..16c0839 100644 --- a/docs/development/branch-protection-readiness.md +++ b/docs/development/branch-protection-readiness.md @@ -11,7 +11,15 @@ The current required check candidates are: - `Composer Check` from `.github/workflows/backend.yml` - `npm Check` from `.github/workflows/frontend.yml` -Do not require a check before the workflow has run successfully on both pull requests and `main` pushes. +Do not require a check before the workflow has run successfully on pull requests at least once. + +## CI Trigger Policy + +Backend and Frontend workflows run on **pull requests only** (plus `workflow_dispatch`). They do not re-run on `main` push after merge — branch protection required checks on the PR are the merge gate. + +The Docs workflow runs on **`main` push only** to build and deploy GitHub Pages. + +Both Backend and Frontend use `concurrency` with `cancel-in-progress: true` so only the latest commit on a PR branch is checked. ## Recommended Protection 
@@ -30,32 +38,32 @@ Recommended `main` protection: Before enabling or tightening branch protection: -- [ ] `docs/workflow.md` describes the PR-first workflow. -- [ ] `.github/workflows/backend.yml` runs on pull requests and pushes to `main`. -- [ ] `.github/workflows/frontend.yml` runs on pull requests and pushes to `main`. -- [ ] The latest `main` push has passing Backend and Frontend workflow runs. -- [ ] `composer check` passes locally or in CI. -- [ ] `npm run check --prefix frontend` and `npm run build --prefix frontend` pass in CI. -- [ ] `docs/todo/current.md` does not list an incomplete CI setup task as complete. -- [ ] The team agrees whether merge commits remain the default. +- [x] `docs/workflow.md` describes the PR-first workflow. +- [x] `.github/workflows/backend.yml` runs on pull requests. +- [x] `.github/workflows/frontend.yml` runs on pull requests. +- [x] Backend and Frontend workflows pass on pull requests. +- [x] `composer check` passes locally or in CI. +- [x] `npm run check --prefix frontend` and `npm run build --prefix frontend` pass in CI. +- [x] The team agrees merge commits remain the default. ## Current Decision -As of the `v0.1.0` release readiness milestone, `main` is not protected in GitHub repository settings. +As of 2026-05-23, `main` is protected via GitHub ruleset **main protection** (active). Decision: -- Do not enable branch protection as an incidental documentation change. -- Treat `main` as ready for the smallest recommended protection once the release owner explicitly approves the repository setting change. +- Require pull requests before merging to `main`. +- Require `Composer Check` and `npm Check` as status checks on pull requests. +- Block force pushes and branch deletion on `main`. - Keep merge commits as the default history policy. -- Use `Composer Check` and `npm Check` as the initial required status checks when protection is enabled. 
-- Reconfirm the exact required check names from a fresh `main` run immediately before changing repository settings. +- Backend/Frontend CI runs on PR only; Docs CI runs on `main` push for GitHub Pages deploy. +- Avoid bypass except for documented emergencies. Reason: -- The workflows are passing on pull requests and `main` pushes. -- Enabling repository protection is an operational setting change, not a source-code change. -- The first `v0.1.0` release can still be prepared while this remains a documented pre-tag decision. +- Workflows pass reliably on pull requests. +- Duplicate Backend/Frontend runs on every `main` push were removed to reduce CI usage. +- Branch protection ensures no merge without passing PR checks. ## Rollout Notes diff --git a/docs/development/release-ci.md b/docs/development/release-ci.md index 0389448..bb634e9 100644 --- a/docs/development/release-ci.md +++ b/docs/development/release-ci.md 
@@ -109,6 +109,22 @@ The initial frontend workflow lives at `.github/workflows/frontend.yml` and runs 4. npm run build --prefix frontend ``` +## CI Trigger Timing + +To avoid duplicate runs while keeping the merge gate safe: + +| Workflow | Triggers | Purpose | +|---|---|---| +| Backend (`.github/workflows/backend.yml`) | `pull_request`, `workflow_dispatch` | Merge gate: `Composer Check` | +| Frontend (`.github/workflows/frontend.yml`) | `pull_request`, `workflow_dispatch` | Merge gate: `npm Check` | +| Docs (`.github/workflows/docs.yml`) | `push` to `main`, `workflow_dispatch` | VitePress build + GitHub Pages deploy | + +Backend and Frontend do **not** re-run on `main` push after merge. Branch protection required checks on the PR are sufficient. + +Both PR workflows use `concurrency` with `cancel-in-progress: true` so intermediate pushes cancel stale runs. + +Docs-only changes are not validated in CI until merge. Run `npm run docs:build` locally before merging doc changes, or add a Docs PR workflow later if needed. + ## Branch Protection `main` should be protected before releases become public.
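Review bot: In the `.github/workflows/backend.yml` hunk, the concurrency group `backend-${{ github.head_ref || github.ref }}` keys only on the head branch name, so two open pull requests from different forks that use the same branch name (for example both named `main` or `patch-1`) land in one group and, with `cancel-in-progress: true`, cancel each other's `Composer Check` runs. Keying the group on the PR number avoids the collision while keeping the `workflow_dispatch` fallback, for example `group: backend-${{ github.event.pull_request.number || github.ref }}`.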
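Review bot: In the `.github/workflows/frontend.yml` hunk (and equally in `backend.yml`), dropping the `push` trigger for `main` means no check ever runs against the tree that actually lands on `main`: the `pull_request` run tests the PR merge ref as of the last push to the PR branch, so if `main` moves after that run, or if a ruleset bypass actor pushes directly, `main` can hold a state that `npm Check` never saw. Either keep a `push: branches: [main]` run, or pair this change with "Require branches to be up to date before merging" in the ruleset and state in the docs that any bypass push must be followed by a manual `workflow_dispatch` run.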
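Review bot: In the first `docs/development/branch-protection-readiness.md` hunk, the new `## CI Trigger Policy` section restates the same trigger rules that the `docs/development/release-ci.md` hunk adds under `## CI Trigger Timing` (PR-only Backend/Frontend, `main`-push Docs, `cancel-in-progress`), so the two will drift the next time a trigger changes. Keep the table in `release-ci.md` as the canonical statement and reduce this section to a one-line link to it.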
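Review bot: In the `@@ -30,32 +38,32 @@` hunk of `branch-protection-readiness.md`, two checklist items are deleted rather than resolved: `docs/todo/current.md does not list an incomplete CI setup task as complete` and `Reconfirm the exact required check names from a fresh main run`. The second still applies, since the ruleset matches the job names `Composer Check` and `npm Check` literally and a rename silently makes the gate unsatisfiable; reword it to `Reconfirm the exact required check names from a fresh pull request run before changing the ruleset` and tick it, and either tick or explain the removal of the `docs/todo/current.md` item. The new line `Avoid bypass except for documented emergencies` should also name the configured bypass actors and the post-bypass step, because with the `main` push runs removed a bypass merge is never checked by CI.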
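Review bot: In the `docs/development/release-ci.md` hunk, the line `Docs-only changes are not validated in CI until merge` documents a gap rather than closing it: a broken VitePress build is first detected by the push-triggered deploy workflow, after the commit is already on `main`, and the table shows no PR-time build for `.github/workflows/docs.yml`. A `pull_request` trigger on `docs.yml` that runs only the build step (no deploy, `contents: read`) would catch this before merge and gives a `Docs Build` job that can later be added to the ruleset as a required check; the "add a Docs PR workflow later if needed" wording should be replaced by that concrete follow-up or a linked task.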