From c01970b86d19f81a2013b35df6b4dc7998740fbd Mon Sep 17 00:00:00 2001
From: Szymon Janikowski
Date: Thu, 25 Jun 2026 18:10:56 +0200
Subject: [PATCH] ci: scope Quality Gate concurrency to the calling workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

publish.yml calls quality-gate.yml as a reusable workflow, and a reusable
workflow's concurrency group is evaluated in the caller's ref context. On a
release (merge to main → push, immediately followed by a tag/dry-run Publish),
the publish-embedded gate joined the same `quality-refs/heads/main` group as
the standalone push-triggered gate, and `cancel-in-progress: true` cancelled
the latter — which GitHub renders as a red ✗ on main even though nothing
failed.

Key the concurrency group on github.workflow too, so the standalone gate and
the publish-embedded gate never share a group while each still de-dupes among
its own runs. github.workflow resolves to the caller's workflow name
("Quality Gate" vs "Publish"), which relies on each caller declaring an
explicit `name:` (both do); documented in a comment.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/quality-gate.yml | 9 ++++++++-
 CHANGELOG.md                       | 6 ++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
index fae1dc0..7d62d4c 100644
--- a/.github/workflows/quality-gate.yml
+++ b/.github/workflows/quality-gate.yml
@@ -8,7 +8,14 @@ on: workflow_call: concurrency: - group: quality-${{ github.ref }} + # github.workflow is the CALLER's workflow name ("Quality Gate" on a direct + # push/PR, "Publish" when invoked via `uses:` from publish.yml). Keying the + # group on it keeps the publish-embedded gate out of the standalone gate's + # group, so the release push's gate isn't cancelled by the follow-up publish + # run (which renders as a red ✗ on main even though nothing failed). + # NOTE: this relies on each caller declaring an explicit `name:` — without one + # GitHub falls back to the file path and the group silently changes. + group: quality-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: diff --git a/CHANGELOG.md b/CHANGELOG.md index 283763e..ce0516b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,11 @@ See [docs/RELEASING.md](docs/RELEASING.md) for the release procedure. - Added the NASDE branding source assets and updated the README and documentation website to use the new brand. ([#73]) +### Fixed +- Quality Gate no longer shows a spurious red ✗ on `main` after a release: the + concurrency group is now scoped per calling workflow so the publish-embedded + gate no longer cancels the standalone push-triggered one. ([#74]) + ## [0.5.0] — 2026-06-24 ### Added @@ -602,4 +607,5 @@ Initial release under the **nasde-toolkit** name (rebrand from [#70]: https://github.com/NoesisVision/nasde-toolkit/pull/70 [#71]: https://github.com/NoesisVision/nasde-toolkit/pull/71 [#73]: https://github.com/NoesisVision/nasde-toolkit/pull/73 +[#74]: https://github.com/NoesisVision/nasde-toolkit/pull/74 [gh-litellm-2026-04]: https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862
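Review bot: in the quality-gate.yml hunk, the `NOTE:` above the new `group:` line records a dependency on every caller declaring `name:`, but nothing enforces it and the comment does not say what actually breaks when "the group silently changes". Either state the consequence in the comment or add a CI check that each workflow invoking quality-gate.yml via `uses:` has an explicit `name:`, so the assumption does not live only in prose. Separately, `cancel-in-progress: true` is unchanged and now applies within the `quality-Publish-${{ github.ref }}` group as well, so a second Publish run on the same ref would cancel the gate embedded in the first; please confirm that is intended for release runs.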