# Pull Request Gating & Branch Policies

Establishing CI/CD Integration & Automated Quality Gating as a mandatory workflow prevents accessibility regressions from reaching production. This blueprint details how to configure repository branch policies and pull request checks to enforce WCAG compliance automatically.

Implementation targets for engineering teams:

• Block merges on critical a11y violations
• Configure required status checks in GitHub/GitLab
• Define severity-based gating thresholds
• Integrate with existing QA review cycles

# Repository Setup & Branch Protection

Protected branches form the enforcement layer for automated accessibility validation. Enable branch protection on your primary integration branches (main or develop) to mandate passing status checks before merge. Restrict force pushes and direct commits to maintain audit integrity.

Map your GitHub Actions a11y Pipeline Setup workflow as a required check. Use the repository API to enforce strict validation:

curl -X PATCH \
 -H "Accept: application/vnd.github+json" \
 -H "Authorization: Bearer $GITHUB_TOKEN" \
 https://api.github.com/repos/{owner}/{repo}/branches/main/protection \
 -d '{
 "required_status_checks": {
 "strict": true,
 "contexts": ["axe-core-a11y-scan"]
 },
 "enforce_admins": true,
 "required_pull_request_reviews": {
 "required_approving_review_count": 1
 }
 }'

This payload enforces strict status check validation and blocks direct admin merges until a11y checks pass. The strict flag ensures the branch is synchronized with the base before evaluation.

# Threshold Configuration & Severity Mapping

Automated scanners report hundreds of findings. Gating must distinguish between critical blockers and informational warnings. Map WCAG success criteria to CI exit codes to implement tiered gating. Configure --fail-on or --exit-code flags in tools like axe-cli or pa11y to trigger hard blocks only on Level A/AA violations.

Apply Progressive Threshold Management to legacy codebases. This prevents pipeline paralysis while establishing a downward trend in violation counts.

jobs:
 a11y-gate:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - name: Run Accessibility Scan
 id: a11y
 run: npx axe-cli ./dist --exit-code 2 --tags wcag2aa
 - name: Evaluate Threshold
 if: ${{ steps.a11y.outcome == 'failure' }}
 run: |
 echo "::error::Critical a11y violations detected. Merge blocked."
 exit 1

This configuration maps CLI exit codes directly to CI job status. A non-zero exit code triggers a hard block, while warnings pass through for manual QA review.

# Pipeline Gating & Status Check Integration

CI job outputs must reliably communicate with the PR status API to enforce merge blocks. Configure continue-on-error: false for all gating jobs to prevent silent failures. Use PR comment bots to post structured violation summaries directly into the pull request thread.

Implement timeout and retry logic for flaky a11y scans. Headless browser rendering can introduce timing variability. Wrap scanner execution in a retry wrapper with exponential backoff to stabilize status check reporting.

steps:
 - name: Retry Flaky Scan
 uses: nick-fields/retry@v2
 with:
 max_attempts: 3
 timeout_minutes: 5
 command: npx axe-cli ./dist --exit-code 2

Ensure the job name matches the exact string defined in your branch protection contexts array. Mismatched context names result in bypassed gates.

# Troubleshooting & False Positive Mitigation

Gating failures often stem from environmental mismatches or overly aggressive scanner rules. Isolate dynamic content rendering delays by adding explicit wait conditions before scanner execution. Configure axe.run context selectors to exclude third-party widgets or known inaccessible legacy components.

Implement a controlled bypass mechanism for urgent hotfixes. Use a skip-a11y-check commit tag or PR label, but enforce mandatory post-merge remediation tracking. Audit custom component patterns against default scanner rules to suppress known false positives via .axerc configuration files.

# Common Pitfalls

• Blocking PRs on non-actionable warnings without severity filtering
• Failing to configure strict mode, allowing outdated status checks to pass
• Ignoring iframe/shadow DOM context boundaries causing false negatives
• Overriding branch policies via admin bypass without audit trails
• Running scans on un-built or un-staged assets leading to inaccurate results

# FAQ

How do I bypass a11y gating for urgent hotfixes? Use a protected branch bypass label (e.g., hotfix-skip-a11y) with mandatory post-merge remediation tracking, or temporarily lower thresholds via environment variables.

Why does my PR show a pending status check despite passing locally? CI environments often lack headless browser configurations or differ in viewport/DPI settings. Ensure puppeteer/playwright args match CI runner specs.

Can I gate on specific WCAG success criteria only? Yes. Use CLI flags like --tags wcag2aa or --rules color-contrast to restrict gating to targeted compliance levels.