[TT-16977] fix: prevent dep-guard from skipping downstream jobs on push

[buger]

Summary

• Add !cancelled() + result checks to all downstream jobs that depend on goreleaser (test-controller-api, api-tests, test-controller-distros, upgrade-deb, upgrade-rpm, sbom) to prevent GitHub Actions transitive skip propagation when dep-guard is skipped on push/tag events
• Add dep-guard to aggregator-ci-test needs for complete status aggregation

Test plan

• Push to branch triggers all downstream jobs
• PR still runs dep-guard and blocks on failure

🤖 Generated with Claude Code

[probelabs]

This pull request fixes an issue in the release.yml GitHub Actions workflow where downstream jobs were being skipped during push events. The dep-guard job is designed to run only on pull requests, and when it was skipped on a push, it caused a cascading skip of all dependent jobs, including tests and artifact builds.

The fix involves updating the conditional logic (if statements) for several downstream jobs (test-controller-api, api-tests, test-controller-distros, upgrade-deb, upgrade-rpm, sbom). These jobs now explicitly check that their dependencies completed with a result of 'success' and that the workflow was not cancelled(). This change ensures that these critical jobs run as expected during push events, provided their direct dependencies succeed, breaking the transitive skip propagation from the dep-guard job.

Additionally, the aggregator-ci-test job's dependencies have been updated to include dep-guard, ensuring its status is correctly included in the aggregated CI status check for pull requests.

Files Changed Analysis

• .github/workflows/release.yml: Modified to adjust job execution conditions and dependencies. The changes add more robust if conditions to several jobs to prevent them from being skipped incorrectly and update the needs array for the final status aggregation job.

Architecture & Impact Assessment

• What this PR accomplishes: It ensures the reliability of the CI/CD release pipeline by preventing essential testing and build jobs from being skipped during push events (e.g., on merge to a release branch).
• Key technical changes introduced: Replaces or adds if conditions on multiple GitHub Actions jobs to check for !cancelled() and needs.<job>.result == 'success'. It also adds dep-guard to the needs list of the aggregator-ci-test job.
• Affected system components: The CI/CD workflow defined in .github/workflows/release.yml is the only component affected. This change directly impacts the execution flow of jobs responsible for testing, building, and generating SBOMs.

Here is a diagram illustrating the job dependency and the logic change:

graph TD
    subgraph on_pull_request ["on: pull_request"]
        A[dep-guard] --> B[goreleaser]
    end
    subgraph on_push ["on: push"]
        A_skipped((dep-guard))
        style A_skipped fill:#f9f,stroke:#333,stroke-width:2px
        A_skipped -.-> B_skipped((goreleaser))
        style B_skipped fill:#f9f,stroke:#333,stroke-width:2px
    end

    B --> C[test-controller-api]
    B --> D[api-tests]
    B --> E[sbom]

    C --> D

    classDef skipped fill:#f9f,stroke:#333,stroke-width:2px

    subgraph before_change ["Before Change (on push)"]
        direction LR
        A_skipped_before((dep-guard)) --> B_skipped_before((goreleaser)) --> C_skipped((test-controller-api))
        B_skipped_before --> D_skipped((api-tests))
        B_skipped_before --> E_skipped((sbom))
        class A_skipped_before,B_skipped_before,C_skipped,D_skipped,E_skipped skipped
    end

    subgraph after_change ["After Change (on push)"]
        direction LR
        A_skipped_after((dep-guard))
        B_runs[goreleaser]
        C_runs[test-controller-api]
        D_runs[api-tests]
        E_runs[sbom]
        A_skipped_after --|if: github.event_name == 'pull_request'|-->x B_runs
        B_runs --|if: needs.goreleaser.result == 'success'|--> C_runs
        B_runs --|if: ...|--> D_runs
        B_runs --|if: ...|--> E_runs
        class A_skipped_after skipped
    end

Loading

Scope Discovery & Context Expansion

This change is confined to the GitHub Actions workflow configuration. While it doesn't alter application code, it has a significant impact on the development and release process by ensuring that CI checks that were previously being skipped on push events will now run. This improves the integrity of the release process by guaranteeing that tests and builds are consistently executed before a release.

Metadata

• Review Effort: 2 / 5
• Primary Label: bug

---

Powered by Visor from Probelabs

Last updated: 2026-04-17T12:01:21.417Z | Triggered by: pr_opened | Commit: 561024f

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Security Check Passed

No security issues found – changes LGTM.

\n\n \n\n

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity	Location	Issue
🟠 Error	.github/workflows/release.yml:398	The `aggregator-ci-status` job's `needs` are updated to include `dep-guard`, but the corresponding `run` script that checks job statuses has not been updated. The script's `required_jobs` variable (not visible in the diff) still only lists `goreleaser` and `api-tests`. Consequently, a failure in the `dep-guard` job will not be detected by this aggregate status check, potentially leading to a misleading "success" status for pull requests where `dep-guard` fails. 💡 Suggestion Modify the `run` script within the `aggregator-ci-status` job to include `dep-guard` in the `required_jobs` variable to ensure its status is correctly aggregated.

---

Powered by Visor from Probelabs

Last updated: 2026-04-17T12:01:07.018Z | Triggered by: pr_opened | Commit: 561024f

💡 TIP: You can chat with Visor using /visor ask <your question>

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🚨 Jira Linter Failed

Commit: 561024f
Failed at: 2026-04-17 16:49:45 UTC

The Jira linter failed to validate your PR. Please check the error details below:

🔍 Click to view error details

failed to get Jira issue: failed to fetch Jira issue TT-16977: Issue does not exist or you do not have permission to see it.: request failed. Please analyze the request body for more details. Status code: 404

Next Steps

• Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
• Verify your PR title matches the branch's Jira ticket ID
• Check that the Jira ticket exists and is accessible

---

This comment will be automatically deleted once the linter passes.