From 30f455f2e7b85e12ea30a3e79a281b85e20733b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9gory=20Demay?= <gregory.demay@dfinity.org>
Date: Fri, 8 May 2026 10:35:59 +0000
Subject: [PATCH] ci: add checks-pass aggregator job

Add a single status check that depends on every quality-gate job in
this workflow and explicitly fails if any of them is non-success
(failure, cancelled, or skipped).

This lets GitHub branch protection / rulesets gate merges on a single
context name (`checks-pass`) instead of enumerating every job
individually. It is also future-proof: adding or removing a CI job
only needs an update to the needs: list here, not to the protection
rule.

Mirrors the pattern already in use in dfinity/dogecoin-canister and
dfinity/sol-rpc-canister.
---
 .github/workflows/ci.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0927ff4..38f82da 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -90,3 +90,24 @@ jobs:
 
       - name: 'Run integration tests'
         run: cargo test --locked -p http_canister -p json_rpc_canister
+
+  # Single aggregator status check. Configure GitHub branch protection
+  # to require `checks-pass` so that any failing, cancelled, or skipped
+  # upstream job blocks the merge, without having to enumerate every
+  # individual job in the ruleset.
+  checks-pass:
+    # Always run this job!
+    if: always()
+    needs:
+      [
+        lint,
+        cargo-doc,
+        unit-tests,
+        integration-tests,
+      ]
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          if [[ "${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}" == "true" ]]; then
+            exit 1
+          fi