[QT-353] Use a different approach to branch restrictions (#17998)

Create a new workflow job that is only triggered when all build and
integration workflows have completed. This will allow us to require
branch restrictions on a single workflow.

Of note, we tried to allow docs branches to bypass testing using the
method suggested by Github[0], however, the `branches-ignore`
functionality did not work for the `pull_request` event type. Therefore,
bypassing build and integration workflows for docs branches is no longer
supported.

[0] https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks

Signed-off-by: Ryan Cragun <me@ryan.ec>

.github/workflows/build-docs.yml

@@ -1,20 +0,0 @@
----
-name: build-docs
-
-on:
-  push:
-    branches:
-      - docs/**
-      - backport/docs/**
-
-jobs:
-  # This is a workaround to allow docs PRs to fullfil the required branch
-  # protection rules which require that the 'build' workflow has
-  # succeeded before a PR is allowed to be merged. We validate that via the
-  # 'build-ensure-success' workflow that is triggered either by either the
-  # 'build' or 'build-docs' workflow. Without this trigger the required branch
-  # protection rules would never be met on docs branches.
-  trigger-build-success-workflow:
-    runs-on: ubuntu-latest
-    steps:
-      - run: exit 0

.github/workflows/build-ensure-success.yml

@@ -1,32 +0,0 @@
----
-name: ensure_build_workflow_succeeded
-
-on:
-  # Github's branch protection rules for required workflow checks are a bit
-  # cumbersome when you have many jobs. The required checks have to be configured
-  # at the workflow job level. As child workflows of build.yml and Enos can be
-  # dynamic and change often, there's no way to create or maintain a valid list
-  # of workflow checks that need to succeeded in order to merge.
-  #
-  # To work around this problem we've chosen to trigger this workflow on
-  # completion of all the jobs that are triggered by build or build-docs. This
-  # workflow inspects the conclusion of the build workflow event and either passes
-  # or fails. This allows our branch protection rules for the build workflow to
-  # depend only on this workflow succeeding, which can only happen if all child
-  # workflows of the build job have succeeded.
-  workflow_run:
-    workflows: [build, build-docs]
-    types: [completed]
-
-jobs:
-  ensure-all-build-workflows-succeeded:
-    name: Ensure that all workflows spawned by the build workflow succeeded
-    runs-on: ubuntu-latest
-    steps:
-      - if: ${{ github.event.workflow_run.conclusion != 'success' }}
-        uses: actions/github-script@v6
-        with:
-          script: |
-            core.setFailed('One or more workflows spawned by the build job did not succeed. All build job workflows are required to pass before merge')
-      - if: ${{ github.event.workflow_run.conclusion == 'success' }}
-        run: echo "All build and integration workflows have succeeded!"

.github/workflows/build.yml

@@ -1,15 +1,9 @@
+---
 name: build
 
 on:
   workflow_dispatch:
   pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
-    branches-ignore:
-      - docs/**
-      - backport/docs/**
   push:
     branches:
       - main
@@ -200,3 +194,16 @@ jobs:
       artifact-revision: ${{ needs.product-metadata.outputs.vault-revision }}
       artifact-version: ${{ needs.product-metadata.outputs.vault-version }}
     secrets: inherit
+
+  completed-successfully:
+    runs-on: ubuntu-latest
+    needs:
+      - build-other
+      - build-linux
+      - build-darwin
+      - build-docker
+      - build-ubi
+      - enos
+      - enos-docker-k8s
+    steps:
+      - run: echo "All build and integration workflows have succeeded!"