ci: fix 'Run Go Tests' required check never reporting on PRs

[taliesin-ai]

Summary

• Add permissions: contents: read at workflow level to satisfy CodeQL
• Add go_test_results fan-in job that posts a single Run Go Tests status check, matching the branch protection required check name
• The job uses if: always() and needs: [test_go, skip_tests] so it always reports, covering both normal PRs and sponsor-update PRs

Background

The test_go matrix job reports per-platform checks like Run Go Tests (ubuntu-22.04, 1.23). No aggregate Run Go Tests check is ever posted, so the branch protection requirement (which expects exactly that name) is permanently unsatisfied on every PR.

Changes

File	Change
.github/workflows/pr-master.yml	Add permissions: contents: read; add go_test_results fan-in job

Closes #5316

Summary by CodeRabbit

• Chores
  • Improved CI/CD pipeline configuration to enhance security and reliability of automated testing workflows.

[coderabbitai]

Walkthrough

The PR updates the pr-master.yml workflow with a default job permissions scope and adds a fan-in go_test_results job that aggregates Go test matrix outcomes. This job runs after both test_go and skip_tests complete and reports a single consolidated status check to satisfy branch-protection requirements.

Changes

CI Workflow Test Results Aggregation

Layer / File(s)	Summary
Workflow Permissions .github/workflows/pr-master.yml	Added top-level permissions.contents: read to set default job-scoped permissions.
Test Results Fan-In Job .github/workflows/pr-master.yml	New go_test_results job depends on test_go and skip_tests matrices, uses if: always() for unconditional evaluation, and exits with status 0 when Go tests succeed or are skipped, or when skip job succeeds; otherwise fails the workflow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• wailsapp/wails#5377: Both PRs modify .github/workflows/pr-master.yml to add a non-matrix gate job that aggregates the test_go matrix results and exits based on those outcomes.
• wailsapp/wails#5313: Both PRs modify .github/workflows/pr-master.yml and directly affect the test_go job control flow through conditional logic and aggregation patterns.

Poem

🐰 A check that never came to rest,
Now aggregates the matrix test.
With always() and a steady fan-in,
The Run Go Tests green light will grin! ✅

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a required CI check that was previously not reporting on PRs.
Description check	✅ Passed	The description includes a summary of changes, background context, and a table of modified files, though it does not follow the template's checklist structure.
Linked Issues check	✅ Passed	The code changes directly address the linked issue #5316 by adding a fan-in go_test_results job with if: always() and proper dependencies to report the required 'Run Go Tests' status check.
Out of Scope Changes check	✅ Passed	All changes are in-scope: adding workflow permissions and the go_test_results fan-in job as specified in issue #5316.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-master.yml:
- Around line 128-145: The aggregation job go_test_results currently treats a
skipped test_go as success; update the workflow so go_test_results only runs or
exits 0 when tests actually ran: either (A) tighten the go_test_results job
condition to match test_go (same event filters/conditions that cause test_go to
run), or (B) add an explicit runtime check inside go_test_results that treats
the combination test_result=="skipped" && skip_result=="skipped" as failure
(exit non‑zero) instead of success; reference the job names test_go, skip_tests
and the variables test_result/skip_result when making this change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1b1630cc-b5d7-4975-819b-0f168cf9bdb1

📥 Commits

Reviewing files that changed from the base of the PR and between 75d4d06 and 0c9ff8f.

📒 Files selected for processing (1)

• .github/workflows/pr-master.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Analyze when test_go vs go_test_results execute based on event types

echo "=== test_go conditions ==="
echo "Runs when:"
echo "  - repo == 'wailsapp/wails'"
echo "  - head.ref != 'update-sponsors'"
echo "  - AND one of:"
echo "    * event_name == 'workflow_dispatch'"
echo "    * base.ref == 'master' AND event_name == 'pull_request'"
echo "    * base.ref == 'master' AND event_name == 'pull_request_review' AND review.state == 'approved'"
echo ""

echo "=== go_test_results conditions ==="
echo "Runs when:"
echo "  - always() [even if dependencies fail/skip]"
echo "  - repo == 'wailsapp/wails'"
echo "  - AND one of:"
echo "    * event_name == 'workflow_dispatch'"
echo "    * base.ref == 'master'"
echo ""

echo "=== Problematic scenario ==="
echo "Event: pull_request_review with review.state='changes_requested' on PR to master"
echo "Branch: feature-branch (not update-sponsors)"
echo ""
echo "Result:"
echo "  test_go:        SKIPPED (review.state != 'approved')"
echo "  skip_tests:     SKIPPED (head.ref != 'update-sponsors')"
echo "  go_test_results: RUNS (base.ref == 'master' and always())"
echo "  Check status:   PASSES (line 133 catches test_result == 'skipped')"
echo ""
echo "⚠️  This creates a passing check without running any tests!"

Repository: wailsapp/wails

Length of output: 1046

---

🏁 Script executed:

cat -n .github/workflows/pr-master.yml | sed -n '1,160p'

Repository: wailsapp/wails

Length of output: 5406

---

Critical: Aggregation logic passes without verifying tests actually ran.

The go_test_results job can pass when both test_go and skip_tests are skipped, without any actual tests executing in the workflow run.

Problematic scenario: A pull_request_review event with a non-approved review on a PR targeting master (and branch is not update-sponsors):

1. test_go is skipped (condition requires review.state == 'approved' for pull_request_review events)
2. skip_tests is skipped (condition requires head.ref == 'update-sponsors')
3. go_test_results runs (because always() and base.ref == 'master')
4. Line 133 evaluates test_result == "skipped" as true and exits 0 ✅

The check passes without running any tests, potentially masking test failures and violating branch protection intent.

Root cause: The go_test_results condition (lines 118-124) is less restrictive than test_go (lines 44-56). The aggregation job runs for any pull_request_review event on master, but test_go only runs if the review is approved.

Fix options:

Tighten go_test_results condition (recommended)

Match the event-type restrictions from test_go:

   if: >
     always() &&
     github.repository == 'wailsapp/wails' &&
     (
       github.event_name == 'workflow_dispatch' ||
-      github.event.pull_request.base.ref == 'master'
+      (
+        github.event.pull_request.base.ref == 'master' &&
+        (
+          github.event_name == 'pull_request' ||
+          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved')
+        )
+      )
     )

Add explicit validation when both jobs skip

     - name: Check matrix result
       run: |
         test_result="${{ needs.test_go.result }}"
         skip_result="${{ needs.skip_tests.result }}"
+
+        if [[ "$test_result" == "skipped" && "$skip_result" == "skipped" ]]; then
+          echo "ERROR: Both test_go and skip_tests were skipped - no tests ran"
+          exit 1
+        fi

         if [[ "$test_result" == "success" || "$test_result" == "skipped" ]]; then

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-master.yml around lines 128 - 145, The aggregation job
go_test_results currently treats a skipped test_go as success; update the
workflow so go_test_results only runs or exits 0 when tests actually ran: either
(A) tighten the go_test_results job condition to match test_go (same event
filters/conditions that cause test_go to run), or (B) add an explicit runtime
check inside go_test_results that treats the combination test_result=="skipped"
&& skip_result=="skipped" as failure (exit non‑zero) instead of success;
reference the job names test_go, skip_tests and the variables
test_result/skip_result when making this change.