title: phpboyscout/cicd v0.11.1 — gate components skip tag pipelines
description: The four gate components (zensical-build, tofu-lint, tofu-security, tofu-validate) run when: on_success, so they also fire on tag pipelines — where they add nothing (the code already passed the gate at MR time, and zensical-build's docs can never deploy from a tag). Add a $CI_COMMIT_TAG → never guard alongside the existing schedule guard.
status: approved
date: 2026-06-21
authors: [Matt Cockayne]
tags: [spec, cicd, components, rules, tag, churn]


Spec: phpboyscout/cicd v0.11.1 — gate components skip tag pipelines

  • Repository: gitlab.com/phpboyscout/cicd
  • Released as: v0.11.1 (patch — a fix across the gate components: stop running where they add no value).
  • Driver: the task-2 churn audit's F3, generalised. The gate jobs run on tag pipelines for every consumer, adding redundant work.

Problem

The gate jobs carry an unconditional when: on_success (with the v0.10.8 schedule guard ahead of it):

rules:
  - if: '$CI_PIPELINE_SOURCE == "schedule"'
    when: never
  - when: on_success

when: on_success matches every remaining pipeline source — including tags. On a release tag:

  • The gate already passed at MR time, and the tag is cut from the already-green default branch. Re-linting / re-scanning / re-validating adds nothing.
  • zensical-build specifically builds the docs site, but the pages deploy is branch-only ($CI_COMMIT_BRANCH == deploy_branch, never set on a tag) — so a tag build can never deploy. Pure waste.

Tag pipelines are for publish jobs (goreleaser, tofu-module-publish, ref-mode tofu-apply), not gates.

Decisions

D1 — Add a $CI_COMMIT_TAG → never guard to every gate job

rules:
  - if: '$CI_PIPELINE_SOURCE == "schedule"'
    when: never
  - if: '$CI_COMMIT_TAG'
    when: never
  - when: on_success

Applied to: zensical-build (zensical-pages); tofu-fmt, tflint, terraform-docs-drift (tofu-lint); trivy-config, checkov, gitleaks (tofu-security); tofu-validate (tofu-validate). The pages deploy job is already branch-only, so it needs no guard.

Net effect per source: MR / branch / default-branch unchanged (gates still run); schedule unchanged (still skipped); tag now skipped.
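To check that per-source table, here is an added example (not code from the phpboyscout/cicd repository): a minimal Python model of GitLab's first-match `rules:` evaluation, run over the rule list before and after the tag guard. The rule lists, the predefined-variable sets for each pipeline source (including the parent_pipeline self-test case from D3) and the function names are constructed for illustration.

```python
import re

# Constructed rule lists: the v0.10.8 shape and the v0.11.1 shape with the tag guard.
RULES_BEFORE = [
    {"if": '$CI_PIPELINE_SOURCE == "schedule"', "when": "never"},
    {"when": "on_success"},
]
RULES_AFTER = [
    {"if": '$CI_PIPELINE_SOURCE == "schedule"', "when": "never"},
    {"if": "$CI_COMMIT_TAG", "when": "never"},
    {"when": "on_success"},
]

# Constructed predefined-variable sets, one per pipeline source named in the spec.
SOURCES = {
    "merge_request": {"CI_PIPELINE_SOURCE": "merge_request_event"},
    "branch": {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_BRANCH": "feature"},
    "default_branch": {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_BRANCH": "main"},
    "schedule": {"CI_PIPELINE_SOURCE": "schedule", "CI_COMMIT_BRANCH": "main"},
    "tag": {"CI_PIPELINE_SOURCE": "push", "CI_COMMIT_TAG": "v0.11.1"},
    "self_test": {"CI_PIPELINE_SOURCE": "parent_pipeline"},
}

def condition_holds(expr, env):
    """Evaluate the small `if:` subset the gate components use:
    `$VAR == "str"`, `$VAR != "str"`, or a bare `$VAR` (set and non-empty)."""
    m = re.fullmatch(r'\s*\$(\w+)\s*(==|!=)\s*"([^"]*)"\s*', expr)
    if m:
        name, op, literal = m.groups()
        equal = env.get(name) == literal
        return equal if op == "==" else not equal
    m = re.fullmatch(r"\s*\$(\w+)\s*", expr)
    if m:
        return bool(env.get(m.group(1)))
    raise ValueError(f"unsupported rule expression: {expr!r}")

def job_when(rules, env):
    """GitLab evaluates `rules:` top to bottom and the first match wins; a rule
    with no `if:` matches everything. No match at all means the job is not added."""
    for rule in rules:
        if "if" not in rule or condition_holds(rule["if"], env):
            return rule.get("when", "on_success")
    return "never"

def net_effect(rules):
    """Outcome per pipeline source, i.e. the 'net effect per source' table."""
    return {source: job_when(rules, env) for source, env in SOURCES.items()}

if __name__ == "__main__":
    print(net_effect(RULES_BEFORE), net_effect(RULES_AFTER), sep="\n")
```

Because the first match wins, the `never` guards only work when they sit ahead of the unconditional `when: on_success` rule, as they do in D1.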

D2 — Scope: only the when: on_success gates

The go/rust gate components default their if: input to merge_request_event, so they never run on tags already. The tag-gated publish components (goreleaser, tofu-module-publish, ref-mode tofu-apply) must run on tags and are untouched. Only the four when: on_success gate components need the guard.

D3 — Self-test: no change

Component self-tests run as parent_pipeline (no $CI_COMMIT_TAG), so the new guard is inert there — every existing self-test behaves as before. Same reasoning as v0.4 D3 / v0.10.8 D4.

D4 — Versioning

A non-breaking behaviour fix across the gate components → v0.11.1 (patch). Consumers pick it up via the Renovate preset; no consumer edit required.