ci: close ci-status gate gap + drop redundant installs #394

Merged
goosewobbler merged 3 commits into main from ci/status-gate-and-redundant-installs
Jun 12, 2026

@goosewobbler

Contributor

Two small, low-risk CI fixes found during a review of the workflow graph. No behavior change to what the tests do — only which jobs gate CI and how fast they start.

P1 — ci-status gating gap (correctness)

ci-status is the single required check, designed to list every job in needs:. Two real jobs were missing from the list:

  • build-tauri-package-app-macos-arm
  • build-tauri-package-app-macos-intel

(every other build-*-app job is listed). Failure mode: if one of these builds fails, its consumer package-tauri-macos-{arm,intel} is skipped (a failed needs: skips the dependent), and ci-status only trips on failure/cancelled; skipped passes. The build job itself isn't in the needs set, so a failed macOS Tauri package build reported CI green. Added both to ci-status.needs.

Follow-up worth considering (not in this PR): a test:scripts-style assertion that fails if any top-level job is absent from ci-status.needs, so this can't regress when jobs are added (it will recur for Capacitor/Neutralino).

Perf-3 — decouple build-matrix from build

build-matrix (Electron Windows/macOS build-verify) builds from source on each OS and never downloads the Linux build artifact (_ci-build.reusable.yml only uploads on Linux), so needs: build only delayed its start. Dropped to needs: [detect-changes].

Perf-2 — drop redundant pnpm install

actions/setup-workspace already runs pnpm install --frozen-lockfile. Six build reusables ran it a second time. The intervening artifact download only drops dist/ folders — it doesn't invalidate the install or the workspace symlinks — so the second install was a per-job no-op. Removed from:

  • _ci-build-tauri-e2e-app
  • _ci-build-dioxus-e2e-app
  • _ci-build-dioxus-package-app
  • _ci-build-electrobun-e2e-app
  • _ci-build-electrobun-package-app
  • _ci-build-electron-package-apps

Validation

  • actionlint 1.7.12 (the pinned version CI runs) — clean across all top-level workflows and reusables.

Not included (from the same review, deferred)

  • The larger structural change — moving the native/CEF e2e+package app builds off the build chain (needs: [detect-changes], build their small JS surface locally like the RN/Flutter iOS builds already do). Kept separate so the build-graph change is isolated and easy to bisect.
  • Investigating/re-enabling the pnpm store cache in setup-workspace (currently disabled).

🤖 Generated with Claude Code
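
The follow-up proposed in the description above (fail when any top-level job is absent from ci-status.needs), together with a small model of the false-green it prevents, as an added example that is not part of this PR or the project's code. The function names, the cut-down workflow object and the simplified gate model are assumptions; a real test would obtain the object by parsing .github/workflows/ci.yml with a YAML library.

```javascript
// Constructed sample: a cut-down parsed ci.yml (what a YAML parser would return).
// Job names are from the PR; the needs lists are simplified for illustration.
const workflow = {
  jobs: {
    'detect-changes': {},
    build: { needs: 'detect-changes' },
    'build-tauri-package-app-macos-arm': { needs: ['build'] },
    'package-tauri-macos-arm': { needs: ['build-tauri-package-app-macos-arm'] },
    'ci-status': { if: 'always()', needs: ['detect-changes', 'build', 'package-tauri-macos-arm'] },
  },
};

// needs: may be a single string or a list in workflow YAML; normalise to a list.
function needsOf(job) {
  if (job.needs == null) return [];
  return Array.isArray(job.needs) ? job.needs : [job.needs];
}

// Hypothetical helper: every job, other than the gate itself, that the gate
// does not list in needs:. A regression test fails when this is non-empty.
function missingFromGate(wf, gate = 'ci-status') {
  if (!wf.jobs || !wf.jobs[gate]) throw new Error(`gate job "${gate}" not found`);
  const listed = new Set(needsOf(wf.jobs[gate]));
  return Object.keys(wf.jobs).filter((name) => name !== gate && !listed.has(name)).sort();
}

// Simplified model of the gate as the PR describes it: it sees results only
// for the jobs in its own needs:, and trips on failure/cancelled, not skipped.
function gateVerdict(wf, results, gate = 'ci-status') {
  const seen = needsOf(wf.jobs[gate]).map((name) => results[name]);
  return seen.some((r) => r === 'failure' || r === 'cancelled') ? 'red' : 'green';
}

// Constructed run: the macOS arm build fails, so its consumer is skipped.
const failedBuildRun = {
  'detect-changes': 'success',
  build: 'success',
  'build-tauri-package-app-macos-arm': 'failure',
  'package-tauri-macos-arm': 'skipped',
};

console.log('jobs missing from gate:', missingFromGate(workflow));
console.log('gate verdict with failed build:', gateVerdict(workflow, failedBuildRun));
```

The check treats every job in the file as one the gate must list, which matches the PR's stated design that ci-status names every job in needs:.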

@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 12, 2026


CLA Signed
The committers listed above are authorized under a signed CLA.

@github-actions

github-actions Bot commented Jun 12, 2026

Contributor
Release Preview — no release

No bump label detected.
Reason: No release labels found (need bump:* or channel:stable)
Note: Add bump:patch, bump:minor, or bump:major to trigger a release.


Updated automatically by ReleaseKit

@greptile-apps

greptile-apps Bot commented Jun 12, 2026

Contributor

Greptile Summary

Three independent CI correctness and efficiency fixes with no change to what tests actually run. All changes were validated with actionlint 1.7.12.

  • ci-status gap closed: build-tauri-package-app-macos-arm and build-tauri-package-app-macos-intel were missing from ci-status.needs; a failure in either job would leave its package-tauri-macos-* consumer skipped rather than failed, which the required check treated as green. Both jobs are now listed.
  • build-matrix decoupled: _ci-build.reusable.yml only uploads an artifact on Linux; the Windows/macOS build-matrix jobs never consumed that artifact, so needs: build was pure serialization overhead. Dropped to needs: [detect-changes].
  • Redundant installs removed: actions/setup-workspace runs pnpm install --frozen-lockfile unconditionally; six reusable workflows called it a second time immediately after downloading an artifact (which only drops dist/ — it doesn't invalidate the node_modules install). The duplicate calls are removed from all six workflows. A new dependabot-ci.yml workflow and a matching gate on detect-changes + ci-status implement an opt-in CI path for Dependabot PRs via the ci:run label.

Confidence Score: 5/5

Safe to merge — all changes are in CI workflow configuration only, with no effect on what tests run or how they run.

The ci-status fix is mechanically correct: the two jobs now appear in needs, so a failure status on either is caught before the gate passes. The build-matrix needs change is validated by the reusable workflow itself only uploading on Linux. The six redundant-install removals are backed by reading setup-workspace/action.yml which confirms pnpm install --frozen-lockfile always runs there. The Dependabot bypass logic — github.event.pull_request.user.login evaluating to empty string on workflow_dispatch, making the Dependabot gate transparent to manual runs — is a standard GitHub Actions pattern and works as described.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ci.yml | Three targeted changes: adds build-tauri-package-app-macos-arm/intel to ci-status.needs (closing false-green gap), drops build from build-matrix.needs (unnecessary serialisation), and adds the Dependabot gate on detect-changes plus a ci-status fail-step to block Dependabot merges until CI is manually run. |
| .github/workflows/dependabot-ci.yml | New workflow: dispatches the full CI pipeline (force_all=true) when ci:run label is added to a Dependabot PR, then removes the label so re-adding it re-triggers. Permissions scoped to actions:write + pull-requests:write + contents:read. |
| .github/workflows/_ci-build-tauri-e2e-app.reusable.yml | Removes the redundant pnpm install --frozen-lockfile step; setup-workspace already performs this install before any downstream steps run. |
| .github/workflows/_ci-build-dioxus-e2e-app.reusable.yml | Removes redundant pnpm install --frozen-lockfile; same rationale as the Tauri reusable. |
| .github/workflows/_ci-build-dioxus-package-app.reusable.yml | Removes redundant pnpm install --frozen-lockfile; same rationale as the Tauri reusable. |
| .github/workflows/_ci-build-electrobun-e2e-app.reusable.yml | Removes redundant pnpm install --frozen-lockfile; same rationale as the Tauri reusable. |
| .github/workflows/_ci-build-electrobun-package-app.reusable.yml | Removes redundant pnpm install --frozen-lockfile; same rationale as the Tauri reusable. |
| .github/workflows/_ci-build-electron-package-apps.reusable.yml | Removes redundant pnpm install --frozen-lockfile; same rationale as the Tauri reusable. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    PR[Pull Request Event]
    WD[workflow_dispatch\n force_all=true]
    LABEL[ci:run label added\nto Dependabot PR]

    PR -->|Dependabot PR| GATE{detect-changes\nif: login != dependabot}
    PR -->|Regular PR| GATE
    GATE -->|Regular PR: runs| DC[detect-changes]
    GATE -->|Dependabot PR: skipped| SKIP[All build/test/\npackage jobs skipped]

    DC --> BUILD[build\nLinux artifact only]
    DC --> BM[build-matrix\nneeds: detect-changes only]
    BUILD --> BTP_ARM[build-tauri-package-app\nmacos-arm]
    BUILD --> BTP_INTEL[build-tauri-package-app\nmacos-intel]
    BTP_ARM --> PKG_ARM[package-tauri-macos-arm]
    BTP_INTEL --> PKG_INTEL[package-tauri-macos-intel]

    SKIP --> CISTATUS
    PKG_ARM --> CISTATUS[ci-status\nif: always]
    PKG_INTEL --> CISTATUS
    BM --> CISTATUS

    CISTATUS -->|Dependabot PR| FAIL[exit 1\nblocks merge]
    CISTATUS -->|Regular PR| CHECK[Check results\nfail on failure/cancelled]

    LABEL --> DEPBOT[dependabot-ci.yml\ndispatch + remove label]
    DEPBOT --> WD
    WD -->|no pull_request context| GATE

Reviews (3): Last reviewed commit: "ci: skip CI on Dependabot PRs by default..."

goosewobbler and others added 2 commits June 12, 2026 17:48
build-tauri-package-app-macos-arm and -macos-intel exist and feed
package-tauri-macos-{arm,intel}, but were missing from ci-status.needs
(every other build-app job is listed). If one failed, its consumer was
skipped — and ci-status only trips on failure/cancelled, not skipped —
so the build job's failure wasn't in the needs set and CI reported green.

Add both to ci-status.needs.

Also decouple build-matrix (Electron Windows/macOS build-verify) from
`build`: it builds from source per-OS and never downloads the Linux
artifact, so `needs: build` only delayed its start. Drop to
`needs: [detect-changes]`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The setup-workspace composite action already runs
`pnpm install --frozen-lockfile`. Six build reusables called it a second
time after setup-workspace (the tauri/dioxus/electrobun e2e + package
builds and the electron package build). The intervening artifact download
only drops dist/ folders — it doesn't invalidate the install or the
workspace symlinks — so the second install was a no-op repeated per job.

Remove it from:
  _ci-build-tauri-e2e-app, _ci-build-dioxus-e2e-app,
  _ci-build-dioxus-package-app, _ci-build-electrobun-e2e-app,
  _ci-build-electrobun-package-app, _ci-build-electron-package-apps

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@goosewobbler goosewobbler force-pushed the ci/status-gate-and-redundant-installs branch from 1da091c to a1ce374 Compare June 12, 2026 16:48
…ispatch

Dependabot opens up to 20 PRs/week, each fanning out the full OS matrix and
draining the runners. Gate detect-changes (the root every job depends on) so
Dependabot PRs skip the whole pipeline, and fail the ci-status required check
for them so branch protection blocks the merge until CI runs.

Both manual triggers arrive as a workflow_dispatch (no pull_request context),
which bypasses the gate and the red ci-status step:
- the existing Actions -> CI -> Run workflow button, and
- a new `ci:run` label, handled by dependabot-ci.yml: dispatches with
  force_all and removes the label so re-adding re-runs CI.

Requires a one-time `ci:run` label in the repo.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@goosewobbler goosewobbler merged commit 18d3a61 into main Jun 12, 2026
353 of 359 checks passed