From e9a97ee0f90e44fe29e2d8dd1f41ddb16ed0ca9e Mon Sep 17 00:00:00 2001
From: helly25 <6420169+helly25@users.noreply.github.com>
Date: Sat, 13 Jun 2026 10:34:02 +0100
Subject: [PATCH 1/2] ci: upgrade done gate to self-check + 1-line aggregation

Pattern source: helly25/bzl. Two parts: 1. Self-check: parses the workflow with yq, fails if any declared job (other than done itself) is absent from done.needs. A newly added job that someone forgets to wire in fails CI loudly. 2. Failure aggregation: single-line contains(needs.*.result, ...) guard. GitHub's Actions UI already shows per-job results. Part of a batch syncing the gate across helly25/* repos.
---
 .github/workflows/main.yml | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 76ec374..bf11234 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -156,7 +156,30 @@ jobs:
 done:
 needs: [pre-commit, test-gcc, test-clang, test-bcr]
+ if: always()
 runs-on: ubuntu-latest
 steps:
- - name: Done
- run: echo "Done"
+ - uses: actions/checkout@v4
+ - name: Ensure every job is wired into this gate
+ env:
+ NEEDS_JSON: ${{ toJSON(needs) }}
+ run: |
+ # Parse the workflow with a real YAML reader (yq) and fail if any
+ # declared job (other than this gate) is absent from `needs` above, so
+ # a newly added job cannot silently escape the required gate.
+ declared="$(yq '.jobs | keys | .[]' .github/workflows/main.yml |
+ grep -vx done | sort)"
+ wired="$(jq -r 'keys[]' <<<"${NEEDS_JSON}" | sort)"
+ missing="$(comm -23 <(printf '%s\n' "${declared}") <(printf '%s\n' "${wired}"))"
+ if [[ -n "${missing}" ]]; then
+ echo "Jobs declared in the workflow but missing from done.needs:"
+ while read -r job; do
+ echo " - ${job}"
+ echo "::error title=Gate is missing a job::${job} not in done.needs"
+ done <<<"${missing}"
+ exit 1
+ fi
+ echo "done covers all $(grep -c . <<<"${declared}") workflow jobs."
+ - name: Fail if any dependency did not succeed
+ if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+ run: exit 1
From d94e80eba92a24c52f98ec6fb0247c2b80667a7b Mon Sep 17 00:00:00 2001
From: helly25 <6420169+helly25@users.noreply.github.com>
Date: Sat, 13 Jun 2026 14:45:15 +0100
Subject: [PATCH 2/2] pre-commit: bump beautysh to v6.4.3 + add setuptools dep

beautysh v6.2.1 imports pkg_resources from setuptools. setuptools >= 80 (released 2025) dropped that shim, so the hook fails on fresh CI runners with ModuleNotFoundError. bzl already has the fix: bump to v6.4.3 + add additional_dependencies: [setuptools]. Copying that pattern verbatim.
---
 .pre-commit-config.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 17e74c4..633882a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
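Review bot: The self-check step added to the `done` job in .github/workflows/main.yml fails open when `yq` cannot read or parse the workflow file. The step sets no `shell:`, so unless `defaults.run.shell` is set outside this hunk the script runs as `bash -e` without `pipefail`; the `yq … | grep -vx done | sort` pipeline then takes `sort`'s exit status, `declared` and `missing` end up empty, and the step prints "done covers all 0 workflow jobs." and passes. Start the script with `set -euo pipefail` and add `[[ -n "${declared}" ]] || { echo "::error::no jobs parsed from the workflow file"; exit 1; }` after the `declared=` assignment so a parse failure blocks the gate instead of clearing it. The job only reads one file from the checkout, so `actions/checkout` can take `with: persist-credentials: false`, and pinning it to a full commit SHA rather than the movable `v4` tag keeps the gate's own dependency from changing underneath it. The `jobs:` mapping starts outside the hunk, so the jobs listed in `needs` were not reviewed.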
@@ -115,9 +115,13 @@ repos:
 - id: clang-format
 - repo: https://github.com/lovesegfault/beautysh
- rev: v6.2.1
+ rev: v6.4.3
 hooks:
 - id: beautysh
+ # setuptools is a runtime dep on Python 3.12+ where pkg_resources
+ # is no longer bundled; pre-commit's isolated env doesn't get it
+ # otherwise. Pattern copied from helly25/bzl.
+ additional_dependencies: [setuptools]
 - repo: https://github.com/koalaman/shellcheck-precommit
 rev: v0.10.0
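Review bot: `additional_dependencies: [setuptools]` on the beautysh hook is unpinned, so the hook environment installs whichever setuptools release is current when pre-commit builds it; that makes the hook non-reproducible and brings an unreviewed package version into CI. The commit message says newer setuptools releases no longer ship `pkg_resources`, so if beautysh v6.4.3 still imports it (not visible here) an unpinned install could hit the same ModuleNotFoundError; pin a release you have verified, e.g. `additional_dependencies: ['setuptools==<VERIFIED_VERSION>']`. The added comment also names a different cause (Python 3.12+ not bundling it) than the commit message (setuptools >= 80 dropping the shim), so reword it to state the one that actually applies. The `repos:` list begins and continues outside the hunk.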