From edb6245ad86ab7662273c36806edb5a74cd3db4d Mon Sep 17 00:00:00 2001
From: Abhijeet Prasad <abhijeet@braintrustdata.com>
Date: Tue, 24 Mar 2026 14:17:05 -0700
Subject: [PATCH] ci: consolidate checks and require checks-passed

---
 .github/workflows/{py.yaml => checks.yaml} | 77 +++++++++++++++++++---
 .github/workflows/lint.yaml                | 31 ---------
 .github/workflows/test-publish-py-sdk.yaml |  8 +--
 CONTRIBUTING.md                            |  3 +-
 docs/publishing.md                         |  2 +-
 5 files changed, 75 insertions(+), 46 deletions(-)
 rename .github/workflows/{py.yaml => checks.yaml} (54%)
 delete mode 100644 .github/workflows/lint.yaml

diff --git a/.github/workflows/py.yaml b/.github/workflows/checks.yaml
similarity index 54%
rename from .github/workflows/py.yaml
rename to .github/workflows/checks.yaml
index 95ce9b72..122f4b69 100644
--- a/.github/workflows/py.yaml
+++ b/.github/workflows/checks.yaml
@@ -1,18 +1,38 @@
-name: py
+name: checks
 
 on:
   pull_request:
-    paths:
-      - "py/**"
-      - "integrations/langchain-py/**"
-      - "integrations/adk-py/**"
-      - ".github/workflows/py.yaml"
-      - ".github/workflows/adk-py-test.yaml"
-      - ".github/workflows/langchain-py-test.yaml"
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          fetch-depth: 0 # Fetch full history for proper diff
+      - name: Set up mise
+        uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
+        with:
+          cache: true
+          experimental: true
+      - name: Run pre-commit
+        run: |
+          mise exec -- pre-commit run --from-ref origin/${{ github.base_ref || 'main' }} --to-ref HEAD
+
+  ensure-pinned-actions:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@70c4af2ed5282c51ba40566d026d6647852ffa3e # v5.0.1
+
   build:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 30
@@ -82,3 +102,44 @@ jobs:
           name: python-wheel
           path: py/dist/*.whl
           retention-days: 5
+
+  checks-passed:
+    name: checks-passed
+    needs:
+      - lint
+      - ensure-pinned-actions
+      - build
+      - adk-py
+      - langchain-py
+      - upload-wheel
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    if: always()
+    steps:
+      - name: Verify all required checks passed
+        run: |
+          FAILED=0
+
+          check_result() {
+            local job_name="$1"
+            local job_result="$2"
+
+            if [ "$job_result" != "success" ] && [ "$job_result" != "skipped" ]; then
+              echo "Job '$job_name' finished with result: $job_result"
+              FAILED=1
+            fi
+          }
+
+          check_result "lint" "${{ needs.lint.result }}"
+          check_result "ensure-pinned-actions" "${{ needs.ensure-pinned-actions.result }}"
+          check_result "build" "${{ needs.build.result }}"
+          check_result "adk-py" "${{ needs.adk-py.result }}"
+          check_result "langchain-py" "${{ needs.langchain-py.result }}"
+          check_result "upload-wheel" "${{ needs.upload-wheel.result }}"
+
+          if [ "$FAILED" -ne 0 ]; then
+            echo "One or more required checks failed"
+            exit 1
+          fi
+
+          echo "All required checks passed"
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
deleted file mode 100644
index 10690ad3..00000000
--- a/.github/workflows/lint.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: lint
-
-on:
-  pull_request:
-  push:
-    branches: [main]
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-        with:
-          fetch-depth: 0 # Fetch full history for proper diff
-      - name: Set up mise
-        uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
-        with:
-          cache: true
-          experimental: true
-      - name: Run pre-commit
-        run: |
-          mise exec -- pre-commit run --from-ref origin/${{ github.base_ref || 'main' }} --to-ref HEAD
-
-  ensure-pinned-actions:
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-      - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@70c4af2ed5282c51ba40566d026d6647852ffa3e # v5.0.1
diff --git a/.github/workflows/test-publish-py-sdk.yaml b/.github/workflows/test-publish-py-sdk.yaml
index 4a7e9fe4..3e41a430 100644
--- a/.github/workflows/test-publish-py-sdk.yaml
+++ b/.github/workflows/test-publish-py-sdk.yaml
@@ -112,7 +112,7 @@ jobs:
             const response = await github.rest.actions.listWorkflowRuns({
               owner,
               repo,
-              workflow_id: "py.yaml",
+              workflow_id: "checks.yaml",
               branch: process.env.TARGET_BRANCH,
               status: "completed",
               per_page: 1,
@@ -121,7 +121,7 @@ jobs:
             const run = response.data.workflow_runs[0];
             if (!run) {
               core.setOutput("should_publish", "false");
-              core.setOutput("reason", `No completed py.yaml run found on ${process.env.TARGET_BRANCH}.`);
+              core.setOutput("reason", `No completed checks.yaml run found on ${process.env.TARGET_BRANCH}.`);
               return;
             }
 
@@ -129,7 +129,7 @@ jobs:
               core.setOutput("should_publish", "false");
               core.setOutput(
                 "reason",
-                `Latest completed py.yaml run on ${process.env.TARGET_BRANCH} concluded with ${run.conclusion} (${run.html_url}).`,
+                `Latest completed checks.yaml run on ${process.env.TARGET_BRANCH} concluded with ${run.conclusion} (${run.html_url}).`,
               );
               return;
             }
@@ -137,7 +137,7 @@ jobs:
             core.setOutput("should_publish", "true");
             core.setOutput(
               "reason",
-              `Latest completed py.yaml run on ${process.env.TARGET_BRANCH} succeeded (${run.html_url}).`,
+              `Latest completed checks.yaml run on ${process.env.TARGET_BRANCH} succeeded (${run.html_url}).`,
             );
       - name: Build and verify
         if: env.RELEASE_TYPE != 'canary' || (steps.should_publish.outputs.should_publish == 'true' && steps.ci_status.outputs.should_publish == 'true')
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 695994c1..bd198652 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -153,10 +153,9 @@ GitHub Actions workflows live in `.github/workflows/`.
 
 Main workflows:
 
-- `py.yaml`: SDK test matrix
+- `checks.yaml`: merged SDK checks workflow, including lint, pinned-action validation, the Python test matrix, wheel build, and the `checks-passed` required-check aggregator
 - `langchain-py-test.yaml`: LangChain integration tests
 - `adk-py-test.yaml`: ADK integration tests
-- `lint.yaml`: pre-commit and formatting checks
 - `publish-py-sdk.yaml`: PyPI release
 - `test-publish-py-sdk.yaml`: TestPyPI release validation
 
diff --git a/docs/publishing.md b/docs/publishing.md
index c1cf0adc..0378a5ca 100644
--- a/docs/publishing.md
+++ b/docs/publishing.md
@@ -81,7 +81,7 @@ Run `Publish Python SDK to TestPyPI` with:
 - Only publish to TestPyPI; there is no matching canary mode in the real PyPI workflow
 - Do not create a git tag or GitHub Release
 - Skip publishing if the current `HEAD` commit matches the latest published TestPyPI artifact marked with release channel `canary`
-- Skip publishing unless the latest completed `py.yaml` run on the target branch succeeded
+- Skip publishing unless the latest completed `checks.yaml` run on the target branch succeeded
 
 install canaries like so: