
Conversation

@ashwin-ant (Collaborator)

Summary

  • Creates a new ci-all.yml workflow that orchestrates all CI workflows (ci, test-base-action, test-custom-executables, test-mcp-servers, test-settings, test-structured-output)
  • Updates individual test workflows to support workflow_call for reuse and removes redundant push triggers
  • Modifies release.yml to auto-trigger on successful CI All runs for version bump commits

Test plan

  • Verify CI All workflow triggers on PRs and runs all sub-workflows
  • Verify CI All workflow triggers on pushes to main
  • Verify individual workflows can still be triggered via workflow_dispatch
  • Verify release workflow auto-triggers after successful CI All on version bump commits
  • Verify manual workflow_dispatch for releases still works

Changelog

🤖 Generated with Claude Code (100% 10-shotted by claude-opus-4-5)

- Add ci-all.yml to orchestrate all CI workflows on push to main
- Update individual workflows to use workflow_call for reusability
- Remove redundant push triggers from individual test workflows
- Update release.yml to trigger on CI All workflow completion
- Auto-release on version bump commits after CI passes

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Generated-By: Claude Code (cli/claude-opus-4-5=100%)
Claude-Steers: 8
Claude-Permission-Prompts: 1
Claude-Escapes: 0
@ashwin-ant ashwin-ant requested a review from a team January 17, 2026 04:08
Review comment (Contributor) on lines 22 to 25:

```yaml
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event.workflow_run.conclusion == 'success' &&
       startsWith(github.event.workflow_run.head_commit.message, 'chore: bump Claude Code to'))
```

SECURITY: The workflow_run trigger has a potential security vulnerability. The current condition only checks the commit message, which is insufficient.

Attack vector: A malicious PR could craft a commit message starting with "chore: bump Claude Code to" and potentially trigger a release if the branch filter is bypassed.

Recommendation: Add explicit branch and event type verification:

Suggested change

Before:

```yaml
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event.workflow_run.conclusion == 'success' &&
       startsWith(github.event.workflow_run.head_commit.message, 'chore: bump Claude Code to'))
```

After:

```yaml
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event.workflow_run.conclusion == 'success' &&
       github.event.workflow_run.head_branch == 'main' &&
       github.event.workflow_run.event == 'push' &&
       startsWith(github.event.workflow_run.head_commit.message, 'chore: bump Claude Code to'))
```

This adds defense-in-depth by verifying:

  • The workflow ran on the main branch (not just filtered to it)
  • The triggering event was a push (not a pull_request)

Review comment (Contributor) on the trigger block:

```yaml
    branches:
      - main
  pull_request:
  workflow_dispatch:
```

SECURITY: Missing explicit permission declarations. When no permissions are declared, workflows get default read-all permissions for GITHUB_TOKEN.

Recommendation: Add explicit minimal permissions:

Suggested change

Before:

```yaml
  workflow_dispatch:
```

After:

```yaml
  workflow_dispatch:

permissions:
  contents: read
```

This follows the principle of least privilege and ensures called workflows don't have more permissions than necessary.

@claude (Contributor)

claude bot commented Jan 17, 2026

Test Coverage Concerns

Missing test coverage for the workflow_run auto-trigger logic

The most critical change—auto-triggering releases based on commit message matching—has no automated tests. This is a high-risk change that could silently fail or trigger unintended releases.

Edge cases not covered in the test plan:

  • What happens if CI All fails on a version bump commit? (Should NOT trigger release)
  • What happens if CI All succeeds on a non-version-bump commit? (Should NOT trigger release)
  • What if the commit message format varies slightly (e.g., lowercase)?

Recommendation: Add validation tests for the commit message matching logic, or at minimum expand the test plan to include these negative test cases.

workflow_dispatch inputs and workflow_call incompatibility

In test-base-action.yml, the test_prompt input is available when manually dispatched but not when called from ci-all.yml. This creates two different code paths:

  1. Direct workflow_dispatch → can customize test_prompt
  2. Via ci-all.yml → always uses default test_prompt

Is this intentional? If yes, it should be documented. If no, consider harmonizing the workflows.
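As an added example (not part of this PR or the project's code) that serves both the SECURITY comment on the release gate and the test-coverage comment above, the Python below models the suggested `if:` condition as a function and runs the described attack vector and the listed negative cases against it. `should_release`, `workflow_run_event` and the event payloads are constructed here; the model reproduces GitHub's case-insensitive `startsWith()`, which is what decides the "lowercase" edge case.

```python
# Added example (not the project's own code): a Python model of the hardened
# release gate suggested in the review, so the negative cases listed under
# "Test Coverage Concerns" can be checked offline.  The workflow_run payloads
# below are constructed samples, not captured events.
BUMP_PREFIX = "chore: bump Claude Code to"


def gh_starts_with(value: str, prefix: str) -> bool:
    # GitHub Actions startsWith() is not case sensitive, so a lowercase
    # variant of the bump message still matches; mirror that here.
    return value.lower().startswith(prefix.lower())


def should_release(event_name: str, payload: dict, hardened: bool = True) -> bool:
    # hardened=False is the original condition (conclusion + commit message).
    # hardened=True adds the head_branch == 'main' and event == 'push' checks.
    if event_name == "workflow_dispatch":
        return True
    if event_name != "workflow_run":
        return False
    run = payload.get("workflow_run", {})
    message = run.get("head_commit", {}).get("message", "")
    allowed = run.get("conclusion") == "success" and gh_starts_with(message, BUMP_PREFIX)
    if hardened:
        allowed = allowed and run.get("head_branch") == "main" and run.get("event") == "push"
    return allowed


def workflow_run_event(conclusion: str, message: str,
                       head_branch: str = "main", event: str = "push") -> dict:
    # Minimal subset of the workflow_run event payload that the gate reads.
    return {"workflow_run": {"conclusion": conclusion, "event": event,
                             "head_branch": head_branch,
                             "head_commit": {"message": message}}}


if __name__ == "__main__":
    # Attack vector from the review: a pull_request-triggered CI All run whose
    # head commit carries a crafted bump message.  Only the hardened gate rejects it.
    crafted = workflow_run_event("success", "chore: bump Claude Code to 9.9.9",
                                 head_branch="feature/anything", event="pull_request")
    print("original gate releases crafted PR commit:", should_release("workflow_run", crafted, hardened=False))
    print("hardened gate releases crafted PR commit:", should_release("workflow_run", crafted))
    # Edge cases from the test-coverage comment.
    print("CI failed on bump:", should_release("workflow_run", workflow_run_event("failure", BUMP_PREFIX + " 2.0.0")))
    print("CI passed, not a bump:", should_release("workflow_run", workflow_run_event("success", "fix: typo")))
    print("lowercase bump:", should_release("workflow_run", workflow_run_event("success", "chore: bump claude code to 2.0.0")))
```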

@@ -0,0 +1,32 @@
name: CI All
Review comment (Contributor) on the file header:

Consider adding a brief header comment explaining the orchestrator role:

Suggested change

Before:

```yaml
name: CI All
```

After:

```yaml
# Orchestrates all CI workflows - runs on PRs, pushes to main, and manual dispatch
# Individual test workflows are called as reusable workflows
name: CI All
```

This helps future maintainers understand the purpose of this workflow at a glance.

Review comment (Contributor) on the job definitions:

```yaml
    uses: ./.github/workflows/ci.yml

  test-base-action:
    uses: ./.github/workflows/test-base-action.yml
```

Consider adding a brief comment explaining why secrets: inherit is necessary:

Suggested change

Before:

```yaml
    uses: ./.github/workflows/test-base-action.yml
```

After:

```yaml
  test-base-action:
    uses: ./.github/workflows/test-base-action.yml
    secrets: inherit # Required for ANTHROPIC_API_KEY
```

This clarifies the security implications and dependencies.

@claude (Contributor)

claude bot commented Jan 17, 2026

General Observations

Strengths:

  • Excellent workflow composition pattern using workflow_call
  • Clean separation between orchestration and execution
  • Removes redundant workflow runs (was 6 separate workflows on push, now 1 orchestrator)
  • Maintains backward compatibility—individual workflows can still be manually triggered
  • All jobs run in parallel (optimal for CI throughput)

Performance:

  • The consolidation is performance-positive, reducing GitHub Actions overhead
  • All ~19 jobs across the suite run concurrently
  • Minor optimization opportunity: ci.yml runs bun install three times (once per job). Consider adding Bun cache if install times exceed 15 seconds.

Documentation:

  • PR description accurately reflects all changes
  • Inline comments in release.yml are helpful and clear
  • Test plan is comprehensive for happy paths
