fix(ci): add permissions block to pr-checks.yml orchestrator #3
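---
name: PR Checks

# Orchestrator workflow that runs all PR checks intelligently.
# Provides a single "all-checks-pass" status for branch protection.

on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [opened, synchronize, ready_for_review]

concurrency:
  group: pr-checks-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# Default GITHUB_TOKEN scope for every job in this file. A job that calls a
# reusable workflow cannot grant more than the caller holds, so this is the
# union of what component-validation, version-check and claude-pr-review
# need. The two jobs that execute directly in this file (changes and
# all-checks-pass) narrow it again with a job-level `permissions:` block so
# the write scopes never reach steps that do not need them.
permissions:
  contents: read
  pull-requests: write
  issues: write
  id-token: write
  actions: read

jobs:
  # Detect what files changed to determine which checks to run
  changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    # Skip draft PRs entirely
    if: github.event.pull_request.draft == false
    # Least privilege: this job only reads. dorny/paths-filter lists the
    # PR's changed files through the API on pull_request events, which
    # needs pull-requests: read; nothing here needs a write scope.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      markdown: ${{ steps.filter.outputs.markdown }}
      components: ${{ steps.filter.outputs.components }}
      workflows: ${{ steps.filter.outputs.workflows }}
      version-files: ${{ steps.filter.outputs.version-files }}
    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # No later step in this job runs git with credentials, so do not
          # leave the token in .git/config for something else to pick up.
          persist-credentials: false

      - name: Detect changed files
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          filters: |
            markdown:
              - '**/*.md'
            components:
              - 'plugins/plugin-dev/commands/**'
              - 'plugins/plugin-dev/skills/**'
              - 'plugins/plugin-dev/agents/**'
              - 'plugins/plugin-dev/hooks/**'
            workflows:
              - '.github/workflows/**'
            version-files:
              - 'plugins/plugin-dev/.claude-plugin/plugin.json'
              - '.claude-plugin/marketplace.json'
              - 'CLAUDE.md'

  # Run markdown linting if markdown files changed
  markdown-lint:
    name: Markdown Lint
    needs: changes
    if: needs.changes.outputs.markdown == 'true'
    uses: ./.github/workflows/markdownlint.yml

  # Check links in markdown files if markdown changed
  link-check:
    name: Link Check
    needs: changes
    if: needs.changes.outputs.markdown == 'true'
    uses: ./.github/workflows/links.yml

  # Validate plugin components if component files changed
  component-validation:
    name: Component Validation
    needs: changes
    if: needs.changes.outputs.components == 'true'
    uses: ./.github/workflows/component-validation.yml
    secrets: inherit

  # Check version consistency if version files changed
  version-check:
    name: Version Check
    needs: changes
    if: needs.changes.outputs.version-files == 'true'
    uses: ./.github/workflows/version-check.yml
    secrets: inherit

  # Validate GitHub Actions workflows if workflow files changed
  validate-workflows:
    name: Validate Workflows
    needs: changes
    if: needs.changes.outputs.workflows == 'true'
    uses: ./.github/workflows/validate-workflows.yml

  # AI-powered PR review (always runs for non-draft PRs).
  # NOTE(review): on pull_request the PR title, body and diff are
  # contributor-controlled, and this job inherits pull-requests/issues
  # write from the top-level block. The called workflow is the place that
  # must treat that text as data rather than instructions — confirm there.
  ai-review:
    name: AI Review
    needs: changes
    uses: ./.github/workflows/claude-pr-review.yml
    secrets: inherit

  # Final gate - provides single status for branch protection
  all-checks-pass:
    name: All Checks Pass
    needs:
      - changes
      - markdown-lint
      - link-check
      - component-validation
      - version-check
      - validate-workflows
      - ai-review
    # Run whenever `changes` actually ran. Draft PRs skip `changes`, and
    # this gate is skipped with it, exactly as before. A *failed* or
    # cancelled `changes` job must still reach this job, though: branch
    # protection treats a skipped required check as passing, so gating on
    # `needs.changes.result == 'success'` would let a PR through whenever
    # change detection itself broke. The script below turns that case into
    # a red check instead.
    if: always() && needs.changes.result != 'skipped'
    runs-on: ubuntu-latest
    # This job only appends to the step summary; it needs no token scope.
    permissions: {}
    env:
      # Job results are fixed strings (success/failure/cancelled/skipped).
      # Passing them through env keeps `${{ }}` text out of the shell body.
      CHANGES_RESULT: ${{ needs.changes.result }}
      MARKDOWN_LINT_RESULT: ${{ needs.markdown-lint.result }}
      LINK_CHECK_RESULT: ${{ needs.link-check.result }}
      COMPONENT_VALIDATION_RESULT: ${{ needs.component-validation.result }}
      VERSION_CHECK_RESULT: ${{ needs.version-check.result }}
      VALIDATE_WORKFLOWS_RESULT: ${{ needs.validate-workflows.result }}
      AI_REVIEW_RESULT: ${{ needs.ai-review.result }}
    steps:
      - name: Check all job results
        run: |
          set -eu

          echo "## PR Check Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"

          # Track failures
          failed=false

          # Check each job result
          # Jobs that were skipped (condition not met) are OK
          # Jobs that failed or were cancelled are NOT OK
          check_job() {
            local name="$1"
            local result="$2"
            case "$result" in
              failure)
                echo "❌ **$name**: Failed" >> "$GITHUB_STEP_SUMMARY"
                failed=true
                ;;
              cancelled)
                echo "⚠️ **$name**: Cancelled" >> "$GITHUB_STEP_SUMMARY"
                failed=true
                ;;
              skipped)
                echo "⏭️ **$name**: Skipped (not needed)" >> "$GITHUB_STEP_SUMMARY"
                ;;
              *)
                echo "✅ **$name**: Passed" >> "$GITHUB_STEP_SUMMARY"
                ;;
            esac
          }

          # Change detection is checked first: if it failed, every job below
          # was skipped for the wrong reason and the gate must not go green.
          check_job "Detect Changes" "$CHANGES_RESULT"
          check_job "Markdown Lint" "$MARKDOWN_LINT_RESULT"
          check_job "Link Check" "$LINK_CHECK_RESULT"
          check_job "Component Validation" "$COMPONENT_VALIDATION_RESULT"
          check_job "Version Check" "$VERSION_CHECK_RESULT"
          check_job "Validate Workflows" "$VALIDATE_WORKFLOWS_RESULT"
          check_job "AI Review" "$AI_REVIEW_RESULT"

          echo "" >> "$GITHUB_STEP_SUMMARY"

          if [ "$failed" = "true" ]; then
            echo "❌ **Some checks failed. Please review the results above.**" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          else
            echo "✅ **All required checks passed!**" >> "$GITHUB_STEP_SUMMARY"
          fi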