From c6edf60c371d501c991ff76714d434a5391b8876 Mon Sep 17 00:00:00 2001 From: Sam Erde <20478745+SamErde@users.noreply.github.com> Date: Mon, 1 Jun 2026 10:24:58 -0400 Subject: [PATCH 1/2] =?UTF-8?q?docs:=20require=20Build=20gate=20(not=20per?= =?UTF-8?q?-OS=20legs)=20in=20the=20=C2=A79=20required-checks=20note?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Aligns the architecture note with #228: the gate workflows now always report (skip == passing check), so they can be required without blocking docs-/CI-only PRs. The matrix build's required-check target is the always-present aggregate "Build gate" (the per-OS "Build and test module (...)" contexts aren't created when the matrix job is skipped). Required set: Build gate, Validate upstream compatibility tooling, dependency-review. Co-Authored-By: Claude Opus 4.8 --- docs/Architecture.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Architecture.md b/docs/Architecture.md index 703a32a..1b5113c 100644 --- a/docs/Architecture.md +++ b/docs/Architecture.md 
@@ -117,7 +117,7 @@ When changing the preload contract, follow this loop: ## 9. Known gaps / follow-ups -- **Required status checks not configured.** The "Protect Main" ruleset requires a PR (with review-thread resolution), Copilot review, and code quality — but **no required *status* checks**. So the Build Module / Dependency Review / Upstream-Compatibility signals do not block `gh pr merge --auto` (Dependabot auto-approve): a dependency PR can merge before they pass. Configure the **Build Module** (`Build and test module (…)`), **Upstream-Compatibility** (`Validate upstream compatibility tooling` — the only PR job running the conflict-surface drift gate; omitting it lets a Dependabot PR auto-merge against a stale upstream fingerprint), and **Dependency Review** checks as required status checks to close this (the `Dependabot-Auto-Approve.yml` header already assumes it). Note: those workflows are path-filtered, so requiring them blocks PRs that don't trigger them (e.g. docs-only) — pair the requirement with an always-running status shim, or scope it appropriately. +- **Required status checks.** The "Protect Main" ruleset enforces a PR (with review-thread resolution), Copilot review, and code quality, but historically had **no required *status* checks** — so `gh pr merge --auto` (Dependabot auto-approve) could complete before the build/drift/security checks passed. The gate workflows now **always report**: they trigger on every PR and a `changes`/`pr-changes` job skips the expensive work (skip == passing check) when no relevant paths changed, so they can be required without blocking docs-/CI-only PRs. 
Required set to configure on the ruleset: **`Build gate`** (the always-present aggregate for the matrix build — *not* the per-OS `Build and test module (…)` legs, which aren't created when the matrix job is skipped), **`Validate upstream compatibility tooling`** (the only PR job running the conflict-surface drift gate; omitting it lets a Dependabot PR auto-merge against a stale upstream fingerprint), and **`dependency-review`**. The `Dependabot-Auto-Approve.yml` header already assumes these are required. - **`Az.Resources` is not in `monitoredModules`.** It is the observed #193 collision source, but its copy and future drift are **not** inventoried. Among monitored modules the `Microsoft.Extensions.*` transitives are observed only in `MicrosoftTeams` (a single shipper → not in the conflict surface), recorded as `trackingScope` on the blocked entries. Note #193 was a *bundle-vs-consumer* collision (DLLPickle's preloaded copy vs Az.Resources'), which the cross-module drift gate does not model — the regression guard is the integration test that keeps these transitives out of `bin`, not the matrix. Re-adjudicate manually if an Az.Resources change is suspected, or add it to `monitoredModules` to track it directly. - **EXO/Teams ALC ownership** is not yet captured — a bare `Import-Module` doesn't eager-load their identity assemblies; the probe needs a representative `-ProbeCommand`. - **Multi-TFM (net9.0/net10.0):** deferred; the methodology is TFM-parameterizable. net9.0/net10.0 are ALC-capable, so the `block` verdicts in §3 carry over to them. The `net8.0` bundle is confirmed to load on **PS 7.6 / .NET 10 via roll-forward** (Az.Resources import verified, no #193 regression) — a positive signal that multi-TFM is mostly a packaging exercise, not a behavioral one, on ALC-capable runtimes. From 3a175ba8594b15a112acd82da8b5437bb11f1ac5 Mon Sep 17 00:00:00 2001 
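Review bot: The new bullet leans on "skip == passing check" but never says what makes `Build gate` fail when a matrix leg fails, and that is the case that matters for a required check. Because a job whose `needs` dependency failed is itself skipped unless it runs with `if: always()`, and a skipped required check satisfies the ruleset, an aggregate that merely `needs` the matrix job would go green exactly when a leg fails. Suggest adding one sentence after "the always-present aggregate for the matrix build" stating that `Build gate` runs unconditionally and evaluates the leg results itself (failing on failure or cancellation, passing only on success or path-filter skip), so a reader configuring the ruleset knows the aggregate is safe to require. The same caveat applies to the `changes`/`pr-changes` filter: a path pattern that misses a build-relevant file turns a real change into a "passing" skip, so the doc could point at where those patterns live so they get reviewed alongside build-input changes.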
From: Sam Erde <20478745+SamErde@users.noreply.github.com> Date: Mon, 1 Jun 2026 10:28:51 -0400 Subject: [PATCH 2/2] docs: reword Dependabot-Auto-Approve reference to match the workflow header Co-Authored-By: Claude Opus 4.8 --- docs/Architecture.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Architecture.md b/docs/Architecture.md index 1b5113c..da47105 100644 --- a/docs/Architecture.md +++ b/docs/Architecture.md 
@@ -117,7 +117,7 @@ When changing the preload contract, follow this loop: ## 9. Known gaps / follow-ups -- **Required status checks.** The "Protect Main" ruleset enforces a PR (with review-thread resolution), Copilot review, and code quality, but historically had **no required *status* checks** — so `gh pr merge --auto` (Dependabot auto-approve) could complete before the build/drift/security checks passed. The gate workflows now **always report**: they trigger on every PR and a `changes`/`pr-changes` job skips the expensive work (skip == passing check) when no relevant paths changed, so they can be required without blocking docs-/CI-only PRs. Required set to configure on the ruleset: **`Build gate`** (the always-present aggregate for the matrix build — *not* the per-OS `Build and test module (…)` legs, which aren't created when the matrix job is skipped), **`Validate upstream compatibility tooling`** (the only PR job running the conflict-surface drift gate; omitting it lets a Dependabot PR auto-merge against a stale upstream fingerprint), and **`dependency-review`**. The `Dependabot-Auto-Approve.yml` header already assumes these are required. +- **Required status checks.** The "Protect Main" ruleset enforces a PR (with review-thread resolution), Copilot review, and code quality, but historically had **no required *status* checks** — so `gh pr merge --auto` (Dependabot auto-approve) could complete before the build/drift/security checks passed. The gate workflows now **always report**: they trigger on every PR and a `changes`/`pr-changes` job skips the expensive work (skip == passing check) when no relevant paths changed, so they can be required without blocking docs-/CI-only PRs. 
Required set to configure on the ruleset: **`Build gate`** (the always-present aggregate for the matrix build — *not* the per-OS `Build and test module (…)` legs, which aren't created when the matrix job is skipped), **`Validate upstream compatibility tooling`** (the only PR job running the conflict-surface drift gate; omitting it lets a Dependabot PR auto-merge against a stale upstream fingerprint), and **`dependency-review`**. (The `Dependabot-Auto-Approve.yml` header already notes that `--auto` relies on the Dependency Review and build/test checks being configured as required status checks.) - **`Az.Resources` is not in `monitoredModules`.** It is the observed #193 collision source, but its copy and future drift are **not** inventoried. Among monitored modules the `Microsoft.Extensions.*` transitives are observed only in `MicrosoftTeams` (a single shipper → not in the conflict surface), recorded as `trackingScope` on the blocked entries. Note #193 was a *bundle-vs-consumer* collision (DLLPickle's preloaded copy vs Az.Resources'), which the cross-module drift gate does not model — the regression guard is the integration test that keeps these transitives out of `bin`, not the matrix. Re-adjudicate manually if an Az.Resources change is suspected, or add it to `monitoredModules` to track it directly. - **EXO/Teams ALC ownership** is not yet captured — a bare `Import-Module` doesn't eager-load their identity assemblies; the probe needs a representative `-ProbeCommand`. - **Multi-TFM (net9.0/net10.0):** deferred; the methodology is TFM-parameterizable. net9.0/net10.0 are ALC-capable, so the `block` verdicts in §3 carry over to them. The `net8.0` bundle is confirmed to load on **PS 7.6 / .NET 10 via roll-forward** (Az.Resources import verified, no #193 regression) — a positive signal that multi-TFM is mostly a packaging exercise, not a behavioral one, on ALC-capable runtimes.
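Review bot: The reworded parenthetical narrows what the `Dependabot-Auto-Approve.yml` header is said to assume, from "these" (all three checks in the previous wording) to "the Dependency Review and build/test checks", which drops `Validate upstream compatibility tooling` from the header's stated premise even though the same sentence says omitting that check lets a Dependabot PR auto-merge against a stale upstream fingerprint. If the workflow header really only names Dependency Review and build/test, the fix belongs in the header as well (add the upstream-compatibility check to its list) rather than only in this doc, so the two stay consistent; if the header already covers it, keep the wording from the previous revision. Either way, the three required contexts should be listed once, verbatim, in the place the auto-merge workflow relies on, since a mismatch between display name and required context (e.g. `dependency-review` vs "Dependency Review") silently leaves the check unrequired.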