From 27b79afd92f16ad2704b09b5995c33cca4a2fe44 Mon Sep 17 00:00:00 2001
From: Allison Piper
Date: Fri, 3 May 2024 14:10:04 -0400
Subject: [PATCH] Branch protection WAR: #605 Reprise

---
 .github/workflows/ci-workflow-nightly.yml | 29 ++++++++-----
 .../workflows/ci-workflow-pull-request.yml | 41 ++++++++++++-------
 2 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/ci-workflow-nightly.yml b/.github/workflows/ci-workflow-nightly.yml
index ed1bb149b32..f6543149b40 100644
--- a/.github/workflows/ci-workflow-nightly.yml
+++ b/.github/workflows/ci-workflow-nightly.yml
@@ -61,10 +61,11 @@ jobs:
       name: ${{ matrix.name }}
       jobs: ${{ toJSON(fromJSON(needs.build-workflow.outputs.workflow)[matrix.name]) }}
 
-  # Check all other job statuses. This job gates branch protection checks.
-  ci:
-    name: CI
-    if: ${{ always() || !cancelled() }}
+  # This job acts as a sentry and will fail if any leaf job in the workflow tree fails, as
+  # run-workflow always succeeds. Use this job when checking for successful matrix workflow job completion.
+  verify-workflow:
+    name: Verify and summarize workflow results
+    if: ${{ always() && !cancelled() }}
     needs:
       - build-workflow
       - run-workflow
@@ -78,9 +79,19 @@ jobs:
       - name: Check workflow success
         id: check-workflow
         uses: ./.github/actions/workflow-results
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
 
+  # Check all other job statuses. This job gates branch protection checks.
+  ci:
+    name: CI
+    # !! Important: This job is used for branch protection checks.
+    # !! Need to use always() instead of !cancelled() because skipped jobs count as success
+    # !! for Github branch protection checks. Yes, really: by default, branch protections
+    # !! can be bypassed by cancelling CI. See NVIDIA/cccl#605.
+    if: ${{ always() }}
+    needs:
+      - verify-workflow
+    runs-on: ubuntu-latest
+    steps:
       - name: Check results
         run: |
           status="passed"
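Review bot: The added `if: ${{ always() && !cancelled() }}` on verify-workflow is equivalent to `!cancelled()` alone, since `always()` is true in every run state; the same expression appears as context on the PR workflow's verify-workflow job at `@@ -73,21 +73,14 @@`. Writing it as `if: ${{ !cancelled() }}` states the intent directly (run unless the workflow was cancelled, so a cancelled run leaves this job skipped and the downstream ci gate sees a non-success result) without implying that always() contributes anything. This is a point of style only; behavior is unchanged. The verify-workflow job body continues past the end of the hunk.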
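Review bot: The new `ci` job added before the `steps:` context in the `@@ -78,9 +79,19 @@` hunk declares no `permissions:` block, so it inherits the workflow or repository default token scope even though its only visible step is a shell status check; the same applies to the `ci` job added at `@@ -107,6 +100,26 @@` in ci-workflow-pull-request.yml. Because this job is the branch-protection gate, giving it `permissions: {}` (or `contents: read` if a checkout is ever added) keeps the token attached to the merge gate as small as possible, unless a workflow-level `permissions:` outside the hunk already restricts it, which is not visible here. Separately, the hunk drops `with: github_token: ${{ secrets.GITHUB_TOKEN }}` from the `./.github/actions/workflow-results` step while the PR workflow still passes that input (context at `@@ -107`); if the action declares the input as required, the nightly run will fail at this step, so it is worth confirming against the action's inputs. The ci job's run script continues past the end of the hunk.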
@@ -98,10 +109,8 @@ jobs:
             fi
           }
 
-          # Note that run-workflow is different:
-          check_result "build-workflow" "success" "${{needs.build-workflow.result}}"
-          check_result "run-workflow" "true" "${{steps.check-workflow.outputs.success}}"
+          check_result "verify-workflow" "success" "${{needs.verify-workflow.result}}"
 
-          if [[ "$status" == "failed" ]]; then
+          if [[ "$status" != "success" ]]; then
             exit 1
           fi
diff --git a/.github/workflows/ci-workflow-pull-request.yml b/.github/workflows/ci-workflow-pull-request.yml
index 3ff29cfeb2e..8fc17bd5bfa 100644
--- a/.github/workflows/ci-workflow-pull-request.yml
+++ b/.github/workflows/ci-workflow-pull-request.yml
@@ -73,21 +73,14 @@ jobs:
       name: ${{ matrix.name }}
       jobs: ${{ toJSON(fromJSON(needs.build-workflow.outputs.workflow)[matrix.name]) }}
 
-  verify-devcontainers:
-    name: Verify Dev Containers
-    permissions:
-      id-token: write
-      contents: read
-    uses: ./.github/workflows/verify-devcontainers.yml
-
-  # Check all other job statuses. This job gates branch protection checks.
-  ci:
-    name: CI
+  # This job acts as a sentry and will fail if any leaf job in the workflow tree fails, as
+  # run-workflow always succeeds. Use this job when checking for successful matrix workflow job completion.
+  verify-workflow:
+    name: Verify and summarize workflow results
     if: ${{ always() && !cancelled() }}
     needs:
       - build-workflow
       - run-workflow
-      - verify-devcontainers
     permissions:
       contents: read
       pull-requests: write # Posts a comment back to the PR.
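Review bot: The new exit condition `if [[ "$status" != "success" ]]; then` does not agree with the initialization `status="passed"` shown as context at the end of the preceding hunk (`@@ -78,9 +79,19 @@`), so unless the unseen body of check_result rewrites status to `success` on a match, the gate exits 1 even when verify-workflow succeeded; the same mismatch is in `@@ -124,11 +137,9 @@` of ci-workflow-pull-request.yml, whose `status="passed"` context is at `@@ -107,6 +100,26 @@`. Failing closed on anything other than an explicit success is the right direction for a branch-protection gate, so keep the `!=` form and change the initial value to `status="success"`, or else keep `status="passed"` and compare `!= "passed"`; either way the initial literal and the final comparison should be the same string. The check_result function body lies outside the hunk, so its effect on status is inferred rather than seen.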
@@ -107,6 +100,26 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           pr_number: ${{ fromJSON(steps.get-pr-info.outputs.pr-info).number }}
 
+  verify-devcontainers:
+    name: Verify Dev Containers
+    permissions:
+      id-token: write
+      contents: read
+    uses: ./.github/workflows/verify-devcontainers.yml
+
+  # Check all other job statuses. This job gates branch protection checks.
+  ci:
+    name: CI
+    # !! Important: This job is used for branch protection checks.
+    # !! Need to use always() instead of !cancelled() because skipped jobs count as success
+    # !! for Github branch protection checks. Yes, really: by default, branch protections
+    # !! can be bypassed by cancelling CI. See NVIDIA/cccl#605.
+    if: ${{ always() }}
+    needs:
+      - verify-workflow
+      - verify-devcontainers
+    runs-on: ubuntu-latest
+    steps:
       - name: Check results
         run: |
           status="passed"
@@ -124,11 +137,9 @@ jobs:
             fi
           }
 
-          # Note that run-workflow is different:
-          check_result "build-workflow" "success" "${{needs.build-workflow.result}}"
-          check_result "run-workflow" "true" "${{steps.check-workflow.outputs.success}}"
+          check_result "verify-workflow" "success" "${{needs.verify-workflow.result}}"
           check_result "verify-devcontainers" "success" "${{needs.verify-devcontainers.result}}"
 
-          if [[ "$status" == "failed" ]]; then
+          if [[ "$status" != "success" ]]; then
             exit 1
           fi