fix(ci): wait for versions json upload before dispatch

[gsavage]

The evidence-reporter-upload-package-and-deploy and environment-reporter-upload-package-and-deploy jobs fire repository_dispatch events into other Kosli repos. Those repos dispatch onward to further downstream repos, which read lambda_layer_versions.json from S3 -- the file written by environment-reporter-upload-layer in this workflow.

Until now, the two dispatching jobs only declared pre-build and goreleaser as needs, so they could run before
environment-reporter-upload-layer had finished uploading lambda_layer_versions.json. Jobs at the end of the dispatch chain were intermittently failing because the file was not yet in S3; manually re-running them succeeded, since by then the upload had completed -- a clear race-condition defect.

Add environment-reporter-upload-layer to the needs list for both jobs so the dispatches only fire once the file is in S3.

[claude]

Claude finished @mbevc1's task in 1m 48s —— View job

---

PR Review: fix(ci): wait for versions json upload before dispatch

• Phase 1: Static analysis (go build, go vet, go mod tidy)
• Phase 2: Code review
• Phase 3: Post review

---

Static Analysis

All green — go build ./..., go vet ./..., and go mod tidy pass with no issues. (No Go source files were changed in this PR, so this is expected.)

Review

The fix is correct and well-scoped. The two dispatch jobs (evidence-reporter-upload-package-and-deploy and environment-reporter-upload-package-and-deploy) fire repository_dispatch events into downstream repos that ultimately read lambda_layer_versions.json from S3. That file is written by environment-reporter-upload-layer, which previously ran in parallel with these dispatch jobs. Adding it to their needs list serializes things in the right order.

A few observations:

1. Dependency graph is sound. environment-reporter-upload-layer already depends on [pre-build, goreleaser] (line 336), so adding it to the two dispatch jobs doesn't introduce a cycle — it just adds a transitive wait. The needs lists now read [pre-build, goreleaser, environment-reporter-upload-layer], which is technically redundant for pre-build and goreleaser (they're already transitive deps via environment-reporter-upload-layer), but keeping them explicit is fine — it matches the existing style in this workflow and makes the intent readable.

2. Failure semantics are preserved. GitHub Actions' default behavior is to skip downstream jobs when a needs dependency fails, which is the correct behavior here — if the layer upload fails, the dispatches should not fire. No if: always() is needed.

3. No impact on parallelism for non-dependent jobs. Other jobs like docs-repo-dispatch, homebrew-pr, and binary-provenance are unaffected and still run in parallel as before. The only added latency is that the two dispatch jobs now wait for the layer upload, which is exactly the intent.

4. PR description is excellent — clearly explains the race, why re-runs succeeded, and what the fix does. This is a model CI fix PR.

Verdict

No issues found. Clean, minimal, correct fix for a real race condition. LGTM.