fix: CI pipeline gate stalling by ensuring image outputs and gate execution

- Fixed "Emit image outputs" step to always populate image references - Primary: uses digest from docker/build-push-action when available - Fallback: extracts image tag from steps.tags when digest unavailable - Ensures image_ref_dockerhub is never empty after successful build - Added `if: always()` to all gate jobs (integration, coverage, codecov, pipeline) - Gates now always execute to evaluate upstream job results - Prevents cascading skips when jobs intentionally skip or fail - Properly blocks downstream jobs only when gates actually fail Pipeline now continues through all stages as designed, blocking only on real failures. Fixes https://github.com/Wikid82/Charon/actions/runs/21803232380
2026-02-08 21:16:34 +00:00
parent ef227a316b
commit 903ef191ec
1 changed files with 16 additions and 8 deletions
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@@ -289,17 +289,21 @@ jobs:
        id: outputs
        run: |
          DIGEST="${{ steps.build.outputs.digest }}"
-          if [ -z "${DIGEST}" ]; then
-            echo "image_ref_dockerhub=" >> "$GITHUB_OUTPUT"
-            echo "image_ref_ghcr=" >> "$GITHUB_OUTPUT"
-          else
+
+          # Try digest first; fall back to tags if digest unavailable
+          if [ -n "${DIGEST}" ]; then
            IMAGE_REF_DOCKERHUB="${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${DIGEST}"
            IMAGE_REF_GHCR="${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${DIGEST}"
-            echo "image_ref_dockerhub=${IMAGE_REF_DOCKERHUB}" >> "$GITHUB_OUTPUT"
-            echo "image_ref_ghcr=${IMAGE_REF_GHCR}" >> "$GITHUB_OUTPUT"
-            echo "::add-mask::${IMAGE_REF_DOCKERHUB}"
-            echo "::add-mask::${IMAGE_REF_GHCR}"
+          else
+            # Extract Docker Hub and GHCR references from pushed tags
+            IMAGE_REF_DOCKERHUB=$(echo "${{ steps.tags.outputs.tags }}" | grep "^${{ env.DOCKERHUB_REGISTRY }}" | head -1)
+            IMAGE_REF_GHCR=$(echo "${{ steps.tags.outputs.tags }}" | grep "^${{ env.GHCR_REGISTRY }}" | head -1)
          fi
+
+          echo "image_ref_dockerhub=${IMAGE_REF_DOCKERHUB}" >> "$GITHUB_OUTPUT"
+          echo "image_ref_ghcr=${IMAGE_REF_GHCR}" >> "$GITHUB_OUTPUT"
+          echo "::add-mask::${IMAGE_REF_DOCKERHUB}"
+          echo "::add-mask::${IMAGE_REF_GHCR}"
          echo "image_tag=${{ steps.tags.outputs.image_tag }}" >> "$GITHUB_OUTPUT"

  integration-cerberus:
@@ -412,6 +416,7 @@ jobs:
      - integration-crowdsec
      - integration-waf
      - integration-ratelimit
+    if: always()
    steps:
      - name: Evaluate integration results
        run: |
@@ -530,6 +535,7 @@ jobs:
      - coverage-backend
      - coverage-frontend
      - e2e
+    if: always()
    steps:
      - name: Evaluate coverage results
        run: |
@@ -609,6 +615,7 @@ jobs:
    runs-on: ubuntu-latest
    needs:
      - codecov-upload
+    if: always()
    steps:
      - name: Evaluate Codecov upload results
        run: |
@@ -750,6 +757,7 @@ jobs:
      - security-codeql
      - security-trivy
      - security-supply-chain
+    if: always()
    steps:
      - name: Evaluate pipeline results
        run: |