ci: consolidate and improve GHA workflows #5446
base: develop
6a48131 to
7f2835c
Compare
Codecov Report: ✅ All modified and coverable lines are covered by tests.
1b6ec65 to
ad24205
Compare
Pull request overview
Consolidates and standardizes GitHub Actions workflows by reusing common steps via YAML anchors, tightening default permissions, and simplifying security/CodeQL workflow behavior; also fixes Windows Tauri debug option handling.
Changes:
- Reuse checkout/setup/install steps across workflows with YAML anchors and standardize formatting.
- Set default workflow permissions to none and move required permissions to the job level.
- Consolidate PR security scanning into security-scan.yaml and adjust Windows installer Tauri build options.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/windows-installer.yml | Adds default no-permissions and fixes Tauri debug option handling on Windows. |
| .github/workflows/ui-lint-and-test.yaml | Introduces YAML anchors to reuse checkout/setup/install and OpenAPI steps across UI jobs. |
| .github/workflows/stale_marker.yaml | Changes default permissions to none and scopes issue/PR write permissions to the job. |
| .github/workflows/security-scan.yaml | Expands triggers (PR/push/schedule), adds concurrency, and uses anchors + PR-specific scan behavior. |
| .github/workflows/scorecard.yaml | Adds comment clarifying default no-permissions at workflow level. |
| .github/workflows/renovate-config-validator.yml | Sets default workflow permissions to none; re-adds minimal job permissions. |
| .github/workflows/publish.yaml | Consolidates build and publish into one job and updates formatting. |
| .github/workflows/pr_comment_trigger.yaml | Removes PR-comment-triggered integration workflow. |
| .github/workflows/pr-security-scan.yaml | Removes separate PR-only security scan workflow in favor of consolidated scanning. |
| .github/workflows/lib-lint-and-test.yaml | Adds YAML anchors in non-matrix jobs; tweaks needs graph; minor formatting. |
| .github/workflows/docs_stable.yaml | Formatting-only spacing/blank-line adjustments. |
| .github/workflows/docs.yaml | Formatting-only spacing/blank-line adjustments. |
| .github/workflows/dependency-review.yaml | Standardizes trigger syntax and permissions moved to job level. |
| .github/workflows/codeql.yaml | Anchor reuse for checkout and simplifies CodeQL build-mode handling. |
| .github/workflows/build.yaml | Anchor reuse for checkout step. |
| .github/workflows/backend-lint-and-test.yaml | Anchor reuse and simplifies several multi-line run commands into one-liners. |
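
The permission scoping and anchor reuse summarized in the overview above, shown as an added example that is not taken from this PR or from the project's workflows. The workflow name, job names and `./ci/*.sh` scripts are hypothetical.

```yaml
# Constructed example workflow; job names and scripts are hypothetical.
name: example-security-scan

on:
  pull_request:
  push:
    branches: [develop]

# Workflow-level default: GITHUB_TOKEN gets no scopes unless a job asks.
# Without this key, every job inherits the repository's default token scopes.
permissions: {}

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # enough to check out the code
    steps:
      # Anchor defined once per file; aliases below reuse the whole step.
      - &checkout
        name: Checkout
        uses: actions/checkout@v4   # pin to a full commit SHA in real use
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - name: Lint
        run: ./ci/lint.sh           # hypothetical script

  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write    # only this job may upload SARIF results
    steps:
      - *checkout
      - name: Scan
        run: ./ci/scan.sh --output results.sarif   # hypothetical script
      - name: Upload results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```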
| python-version: ["3.10", "3.14"] | ||
| name: unit-tests-with-Python${{ matrix.python-version }} | ||
| steps: | ||
| # YAML anchors not used cause currently zizmor don't support them in matrix strategies |
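Review bot: The comment on the last line of this hunk says why anchors are not used in the matrix job, but it gives no way to tell when the workaround can be dropped. Consider adding a link to the relevant zizmor issue, or a TODO naming the condition, so these steps can be switched to the shared anchors once matrix strategies are supported.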
Copilot
AI
Feb 9, 2026
Minor grammar issue in the comment. Consider rewording to something like: "YAML anchors aren't used because Zizmor currently doesn't support them in matrix strategies." (Also consider capitalizing "Zizmor" consistently.)
| # YAML anchors not used cause currently zizmor don't support them in matrix strategies | |
| # YAML anchors aren't used because Zizmor currently doesn't support them in matrix strategies. |
ad24205 to
7fd7945
Compare
leoll2
left a comment
Thanks for the cleanup! LGTM provided that you test the Windows installer workflow.
Before merging, can you trigger this workflow on this branch to verify that it still works?
https://github.com/open-edge-platform/training_extensions/actions/workflows/windows-installer.yml
release https://github.com/mramotowski/training_extensions/actions/runs/21858858445/job/63082357061
debug https://github.com/mramotowski/training_extensions/actions/runs/21858875659/job/63082414883
They are failing because I run them on a fork and don't have credentials for signing.
I see. I suggest you merge the PR and then test the workflow; if there's any error (hopefully not), you can fix it in another PR. For the future, it may be handy to open PRs from a branch in this repo instead of a fork; I think you have the permissions to do it since you're in training_extensions-write.
AlexanderBarabanov
left a comment
Thank you!
ivanzati
left a comment
Brilliant job! Nice and tidy
- Reuse checkout/setup steps via YAML anchors
- Standardize formatting and add permissions defaults
- Simplify CodeQL build-mode handling
- Tidy workflow commands and spacing
- Fix Tauri build option handling in Windows installer

Signed-off-by: mramotowski <maciej.ramotowski@intel.com>
0d8bbc6
7fd7945 to
0d8bbc6
Compare
Summary
Consolidate and improve GHA workflows
Resolves: https://github.com/intel-innersource/applications.ai.geti.geti-release/issues/311
How to test
I tested it manually by creating separate testing workflows.
Checklist