Skip to content
Latchkey

How to Use Required Status Checks as Controls

Marking a scan or policy job as a required status check turns it into a merge-blocking control that cannot be skipped.

A check is only a control if it blocks merge. This page makes named jobs required and turns on strict mode so branches must be up to date first. It is educational configuration guidance for wiring compliance jobs into the merge gate.

Steps

  • Give each control job a stable name (it becomes the check context).
  • Add those names to the required status checks list.
  • Enable strict mode so stale branches must re-run the checks.

Name the control jobs

.github/workflows/ci.yml
jobs:
  policy-gate:
    name: policy-gate     # this string is the required check context
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-policy.sh
  sca-scan:
    name: sca-scan
    runs-on: ubuntu-latest
    steps:
      - run: ./scan.sh

Require them

Terminal
gh api -X PATCH repos/acme/app/branches/main/protection/required_status_checks \
  -f strict=true -f 'contexts[]=policy-gate' -f 'contexts[]=sca-scan'

Notes

  • A required check that never reports on some events can deadlock merges; add a placeholder job for skipped paths.
  • strict=true forces the branch to include the latest main before merge, so checks reflect final code.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →