[DRAFT] fix: add validation gate and misleading check status in PR workflows

.github/workflows/frontmatter-validation.yml

@@ -77,7 +77,10 @@ jobs:
           }
 
           & scripts/linting/Validate-MarkdownFrontmatter.ps1 @params
-        continue-on-error: true
+          if ($LASTEXITCODE -ne 0) {
+            "FRONTMATTER_VALIDATION_FAILED=true" >> $env:GITHUB_ENV
+          }
+          exit 0
 
       - name: Upload frontmatter validation results
         if: always()

.github/workflows/link-lang-check.yml

@@ -33,7 +33,10 @@ jobs:
         shell: pwsh
         run: |
           & scripts/linting/Invoke-LinkLanguageCheck.ps1 -ExcludePaths 'scripts/tests/**'
-        continue-on-error: true
+          if ($LASTEXITCODE -ne 0) {
+            "LINK_LANG_FAILED=true" >> $env:GITHUB_ENV
+          }
+          exit 0
 
       - name: Upload results
         if: always()

.github/workflows/markdown-lint.yml

@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    env:
+      MARKDOWN_LINT_FAILED: 'false'
     steps:
       - name: Checkout code
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -40,9 +42,15 @@ jobs:
       - name: Run markdown lint
         id: markdown-lint
         run: |
-          npm run lint:md > markdown-lint-output.txt 2>&1 || echo "MARKDOWN_LINT_FAILED=true" >> "$GITHUB_ENV"
+          set +e
+          npm run lint:md > markdown-lint-output.txt 2>&1
+          EXIT_CODE=$?
+          set -e
+          if [ "$EXIT_CODE" -ne 0 ]; then
+            echo "MARKDOWN_LINT_FAILED=true" >> "$GITHUB_ENV"
+          fi
           cat markdown-lint-output.txt
-        continue-on-error: true
+          exit 0
 
       - name: Create annotations
         if: env.MARKDOWN_LINT_FAILED == 'true'

.github/workflows/pr-validation.yml

@@ -341,3 +341,112 @@ jobs:
       security-events: write  # Required for SARIF upload to Security tab
       actions: read
 
+  validation-gate:
+    name: Validation Gate
+    if: always()
+    needs:
+      - spell-check
+      - markdown-lint
+      - table-format
+      - psscriptanalyzer
+      - discover-python-projects
+      - python-lint
+      - copyright-headers
+      - yaml-lint
+      - pester-tests
+      - pytest
+      - fuzz-tests
+      - pip-audit
+      - docusaurus-tests
+      - frontmatter-validation
+      - adr-consistency-validation
+      - ai-artifact-validation
+      - msdate-freshness
+      - plugin-validation
+      - skill-validation
+      - link-lang-check
+      - markdown-link-check
+      - dependency-pinning-check
+      - workflow-permissions-check
+      - action-version-consistency-scan
+      - gitleaks-scan
+      - npm-audit
+      - codeql
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check job results
+        shell: bash
+        run: |
+          {
+            echo "## Validation Gate Summary"
+            echo ""
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          FAILED=""
+
+          check_result() {
+            local name="$1"
+            local result="$2"
+
+            if [ "$result" = "success" ]; then
+              echo "✅ **$name**: passed" >> "$GITHUB_STEP_SUMMARY"
+            elif [ "$result" = "skipped" ]; then
+              echo "⏭️ **$name**: skipped" >> "$GITHUB_STEP_SUMMARY"
+            elif [ "$result" = "failure" ]; then
+              echo "❌ **$name**: failed" >> "$GITHUB_STEP_SUMMARY"
+              FAILED="${FAILED}${name}, "
+            elif [ "$result" = "cancelled" ]; then
+              echo "⚠️ **$name**: cancelled" >> "$GITHUB_STEP_SUMMARY"
+              FAILED="${FAILED}${name} (cancelled), "
+            else
+              echo "⚠️ **$name**: ${result}" >> "$GITHUB_STEP_SUMMARY"
+              FAILED="${FAILED}${name} (${result}), "
+            fi
+          }
+
+          check_result "Spell Check" "${{ needs.spell-check.result }}"
+          check_result "Markdown Lint" "${{ needs.markdown-lint.result }}"
+          check_result "Table Format" "${{ needs.table-format.result }}"
+          check_result "PowerShell Lint" "${{ needs.psscriptanalyzer.result }}"
+          check_result "Discover Python Projects" "${{ needs.discover-python-projects.result }}"
+          check_result "Python Lint" "${{ needs.python-lint.result }}"
+          check_result "Copyright Headers" "${{ needs.copyright-headers.result }}"
+          check_result "YAML Lint" "${{ needs.yaml-lint.result }}"
+          check_result "PowerShell Tests" "${{ needs.pester-tests.result }}"
+          check_result "Python Tests" "${{ needs.pytest.result }}"
+          check_result "Fuzz Tests" "${{ needs.fuzz-tests.result }}"
+          check_result "pip-audit" "${{ needs.pip-audit.result }}"
+          check_result "Docusaurus Tests" "${{ needs.docusaurus-tests.result }}"
+          check_result "Frontmatter Validation" "${{ needs.frontmatter-validation.result }}"
+          check_result "ADR Consistency" "${{ needs.adr-consistency-validation.result }}"
+          check_result "AI Artifact Validation" "${{ needs.ai-artifact-validation.result }}"
+          check_result "ms.date Freshness" "${{ needs.msdate-freshness.result }}"
+          check_result "Plugin Validation" "${{ needs.plugin-validation.result }}"
+          check_result "Skill Validation" "${{ needs.skill-validation.result }}"
+          check_result "Link Language Check" "${{ needs.link-lang-check.result }}"
+          check_result "Markdown Link Check" "${{ needs.markdown-link-check.result }}"
+          check_result "Dependency Pinning" "${{ needs.dependency-pinning-check.result }}"
+          check_result "Workflow Permissions" "${{ needs.workflow-permissions-check.result }}"
+          check_result "Action Version Consistency" "${{ needs.action-version-consistency-scan.result }}"
+          check_result "Gitleaks" "${{ needs.gitleaks-scan.result }}"
+          check_result "npm Audit" "${{ needs.npm-audit.result }}"
+          check_result "CodeQL" "${{ needs.codeql.result }}"
+
+          if [ -n "$FAILED" ]; then
+            {
+              echo ""
+              echo "---"
+              echo "❌ **Validation failed**: ${FAILED%, }"
+            } >> "$GITHUB_STEP_SUMMARY"
+            echo "One or more required checks failed: ${FAILED%, }"
+            exit 1
+          fi
+
+          {
+            echo ""
+            echo "---"
+            echo "✅ **All validations passed**"
+          } >> "$GITHUB_STEP_SUMMARY"
+

.github/workflows/spell-check.yml

@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    env:
+      SPELL_CHECK_FAILED: 'false'
     steps:
       - name: Checkout code
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -40,16 +42,15 @@ jobs:
       - name: Run spell check
         id: spell-check
         run: |
-          set +e  # Disable errexit to capture exit code
+          set +e
           npm run spell-check > logs/spell-check-results.txt 2>&1
           EXIT_CODE=$?
-          set -e  # Re-enable errexit
+          set -e
           if [ "$EXIT_CODE" -ne 0 ]; then
             echo "SPELL_CHECK_FAILED=true" >> "$GITHUB_ENV"
           fi
           cat logs/spell-check-results.txt
-          exit "$EXIT_CODE"
-        continue-on-error: true
+          exit 0
 
       - name: Create annotations
         if: env.SPELL_CHECK_FAILED == 'true'

.github/workflows/table-format.yml

@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+    env:
+      TABLE_FORMAT_FAILED: 'false'
     steps:
       - name: Checkout code
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -49,7 +51,7 @@ jobs:
               git diff --name-only
             fi
           fi
-        continue-on-error: true
+          exit 0
 
       - name: Create annotations
         if: env.TABLE_FORMAT_FAILED == 'true'