ci(checks): serialize render after lock-update gate#17248
Merged
christopherco merged 2 commits intoMay 16, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the rendered-specs CI workflow to run the lock-update gate before the render drift check, so stale locks prevent render from running and producing misleading drift output.
Changes:
- Adds
pr-base-shaplumbing from the stub into the reusable workflow for future scoped-render work. - Reorders the reusable workflow so
renderdepends onupdate_locks. - Skips the render comment job when render is skipped due to lock-check failure.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
.github/workflows/check-rendered-specs.yml |
Serializes render after lock checking and updates render comment conditions. |
.github/workflows/check-rendered-specs-stub.yml |
Passes the PR base SHA into the reusable workflow. |
Comments suppressed due to low confidence (1)
.github/workflows/check-rendered-specs.yml:245
- This comment refers to a render-scope helper, but this job currently performs an unscoped full render (
azldev component render -a --clean-stale) and never usespr-base-sha. Keeping this as present-tense behavior will mislead future workflow debugging until the scoped helper is actually wired in.
# Gate render on a clean lock check. `azldev component changed` (used by
# the render-scope helper) reads input fingerprints that include lock
# content, so stale locks would steer it toward the wrong scope. Skip
dmcilvaney
force-pushed
the
damcilva/scoped-gates/serialize-gates
branch
from
0341748 to
9d421bc
Compare
dmcilvaney
force-pushed
the
damcilva/scoped-gates/serialize-gates
branch
from
9d421bc to
373f152
Compare
christopherco
approved these changes
May 16, 2026
Today the 'render' and 'update_locks' jobs run in parallel and each operates on the full distro. That keeps the gate honest but leaves no room to scale render with PR size, because we have no trustworthy 'what did this PR touch' signal: 'azldev component changed' reads input fingerprints that include lock content, so its output is only reliable when locks are known-clean. Serializing render behind a successful lock check unlocks that optimization. With a green locks gate, the follow-up commit can shrink render to just the PR-touched components and have CI confidence in the result. The serialization is also defensive in its own right: if locks were stale, a parallel full-distro render would produce output against the wrong upstream pins, and maintainers would chase a phantom drift report that disappears the moment locks are fixed. Skip the render PR comment when render itself was skipped (no report artifact to post; the locks PR comment already carries the fix). Also plumb pull_request.base.sha through stub -> reusable workflow as 'pr-base-sha'. No consumer yet -- the follow-up render-scope commit needs the base SHA to compute the diff range. Declared as required now so the stub contract is stable when the consumer lands.
dmcilvaney
force-pushed
the
damcilva/scoped-gates/serialize-gates
branch
from
373f152 to
12b786a
Compare
christopherco
approved these changes
May 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
NOTE: Requires #17247 and an associated cherry-pick of the stub into the default branch: #17249
Today the 'render' and 'update_locks' jobs run in parallel and each operates on the full distro. That keeps the gate honest but leaves no room to scale render with PR size, because we have no trustworthy 'what did this PR touch' signal: 'azldev component changed' reads input fingerprints that include lock content, so its output is only reliable when locks are known-clean.
Serializing render behind a successful lock check unlocks that optimization. With a green locks gate, the follow-up commit can shrink render to just the PR-touched components and have CI confidence in the result.
The serialization is also defensive in its own right: if locks were stale, a parallel full-distro render would produce output against the wrong upstream pins, and maintainers would chase a phantom drift report that disappears the moment locks are fixed.
Skip the render PR comment when render itself was skipped (no report artifact to post; the locks PR comment already carries the fix).
Also plumb pull_request.base.sha through stub -> reusable workflow as 'pr-base-sha'. No consumer yet -- the follow-up render-scope commit needs the base SHA to compute the diff range. Declared as required now so the stub contract is stable when the consumer lands.