From 8c6ccb37ee52a622ba1767c64ca15eec83814b14 Mon Sep 17 00:00:00 2001
From: Max Isbey <224885523+maxisbey@users.noreply.github.com>
Date: Thu, 22 Jan 2026 14:54:56 +0000
Subject: [PATCH] ci: run checks in weekly lockfile update workflow
PRs created by the weekly lockfile update workflow use the default GITHUB_TOKEN via peter-evans/create-pull-request. GitHub does not trigger pull_request workflows for PRs created this way, so the CI workflow (and its all-green job) never runs, blocking merge. Fix by having the lockfile update workflow call shared.yml directly after creating the PR, producing its own all-green status check.
Changes:
- Add optional ref input to shared.yml for explicit checkout control
- Run shared checks against the weekly-lockfile-update branch
- Gate checks on a PR actually being created
- Add all-green job matching the required status check
---
 .github/workflows/shared.yml | 12 ++++++++++++
 .github/workflows/weekly-lockfile-update.yml | 20 ++++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/.github/workflows/shared.yml b/.github/workflows/shared.yml
index 108e6c667..254270531 100644
--- a/.github/workflows/shared.yml
+++ b/.github/workflows/shared.yml
@@ -2,6 +2,12 @@ name: Shared Checks
 on:
 workflow_call:
+ inputs:
+ ref:
+ description: "Git ref to checkout (defaults to the triggering event ref)"
+ required: false
+ type: string
+ default: ""
 permissions:
 contents: read
@@ -14,6 +20,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ ref: ${{ inputs.ref || github.sha }}
 - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
 with:
@@ -45,6 +53,8 @@ jobs:
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ ref: ${{ inputs.ref || github.sha }}
 - name: Install uv
 uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
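Review bot: Checkout's default credential persistence stays on in the three steps that gain `ref: ${{ inputs.ref || github.sha }}` (the `@@ -14,6 +20,8 @@` hunk, the `@@ -45,6 +53,8 @@` hunk and the later `@@ -66,6 +76,8 @@` hunk), although these jobs now fetch a caller-chosen ref and run the project's tooling against it. The visible `permissions: contents: read` keeps the job token read-only, so this is defence in depth rather than an open hole; adding `persist-credentials: false` under each new `with:` keeps the token away from the build and test code of freshly resolved dependencies. A comment above the input such as `# Prefer a full commit SHA: a branch name is resolved separately by every job` would also document the intended use. The job bodies continue outside these hunks, so whether a later step needs git credentials cannot be confirmed from here.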
@@ -66,6 +76,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ ref: ${{ inputs.ref || github.sha }}
 - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
 with:
diff --git a/.github/workflows/weekly-lockfile-update.yml b/.github/workflows/weekly-lockfile-update.yml
index 09e1efe51..bfa8be2b2 100644
--- a/.github/workflows/weekly-lockfile-update.yml
+++ b/.github/workflows/weekly-lockfile-update.yml
@@ -13,6 +13,8 @@ permissions:
 jobs:
 update-lockfile:
 runs-on: ubuntu-latest
+ outputs:
+ pull-request-number: ${{ steps.create-pr.outputs.pull-request-number }}
 steps:
 - uses: actions/checkout@v6.0.1
@@ -29,6 +31,7 @@ jobs:
 echo '```' >> pr_body.md
 - name: Create pull request
+ id: create-pr
 uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
 with:
 commit-message: "chore: update uv.lock with latest dependencies"
@@ -38,3 +41,20 @@ jobs:
 delete-branch: true
 add-paths: uv.lock
 labels: dependencies
+
+ checks:
+ if: needs.update-lockfile.outputs.pull-request-number
+ needs: [update-lockfile]
+ uses: ./.github/workflows/shared.yml
+ with:
+ ref: weekly-lockfile-update
+
+ all-green:
+ if: always()
+ needs: [update-lockfile, checks]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+ with:
+ jobs: ${{ toJSON(needs) }}
+ allowed-skips: checks
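Review bot: Only `pull-request-number` is exported from `update-lockfile` in the `@@ -13,6 +13,8 @@` hunk, so the `checks` job added later can pass nothing but the mutable branch name `weekly-lockfile-update` as `ref`. Every job in shared.yml resolves that name on its own at checkout time, so a push to the branch after the PR is opened would put the checks on a different commit from the one the PR was created with, possibly a different one per job. create-pull-request also emits `pull-request-head-sha`; exporting `pull-request-head-sha: ${{ steps.create-pr.outputs.pull-request-head-sha }}` here and passing `ref: ${{ needs.update-lockfile.outputs.pull-request-head-sha }}` in `checks` pins every job to the same commit.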
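Review bot: The `all-green` job at the end of the `@@ -38,3 +41,20 @@` hunk reports from inside the lockfile-update run, and as far as I know GitHub attaches a run's check results to the commit that triggered the run, not to a ref that a step checks out. The trigger is outside the hunk, but for a scheduled run that commit would be the default-branch head, so the PR's head commit on `weekly-lockfile-update` may still show no `all-green` check and the required status would stay pending. This is worth confirming on a test PR before relying on it for branch protection. Separately, a comment above `allowed-skips: checks` such as `# checks is skipped when no PR was opened; that must not fail the run` would record why a skipped gate counts as green.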