Improve PR CI workflow readability, caching, and structure

[akshajtiwari]

This PR

closes #818

Summary

This PR cleans up the existing PR CI workflows to improve readability, maintainability, and CI performance without changing their behavior.

The changes focus on reducing duplication, clarifying step intent, and improving caching and job structure while keeping the original directory layout and logic intact.

Changes

• Standardized workflow structure and comments for readability
• Removed redundant installs already handled by pre-commit
• Used working-directory consistently instead of cd
• Improved pip and Cargo caching for faster CI runs
• Simplified job dependencies and removed duplicate build steps
• Fixed Windows matrix builds by running robocopy under PowerShell
• Added backend coverage reporting using pytest-cov

Files Affected

• .github/workflows/pr-check-tests.yml
• .github/workflows/pr-check-build.yml
• .github/workflows/build-and-release.yml

Scope

• CI-only changes (.github/workflows/*)
• No application or test behavior changes
• No release logic changes

Summary by CodeRabbit

• Chores
  • Consolidated per-platform CI into matrix-driven build and sync jobs for simpler cross-platform building.
  • Unified packaging and publish flows to handle server and microservice artifacts across platforms.
  • Added platform-aware commands and conditional dependency handling (including optional runtime packages).
  • Expanded caching (npm, pip, Rust/cargo) and standardized tool setup; added workflow permissions, concurrency, and timeouts.
  • Reorganized lint/test jobs with clearer frontend/backend steps and updated CI tooling versions.

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces per-OS GitHub Actions jobs with matrix-driven workflows, centralizes build/publish steps, adds pip/npm/Cargo/Rust caching, upgrades action/tool versions, introduces workflow permissions/concurrency, and standardizes platform-aware shell/working-directory and artifact handling across CI workflows.

Changes

Cohort / File(s)	Summary
Build & Release workflow .github/workflows/build-and-release.yml	Replaced multiple per-OS jobs with matrix-driven build-server and build-sync-microservice jobs (windows/ubuntu/macos). Introduced matrix fields (mkdir-cmd, copy-cmd, zip-cmd, onnx-package), unified artifact creation/extraction in publish-tauri, added pip/npm/Rust caching, and conditional ONNX installs and shell selection for Windows vs POSIX.
PR Check — Build .github/workflows/pr-check-build.yml	Added permissions and concurrency; extended matrix to include macOS/Ubuntu/Windows with per-platform args; upgraded actions (checkout v5, setup-node v5); added Cargo/npm/pip caches; matrix-driven Rust target handling and explicit Ubuntu apt installs; standardized working-directory steps and tauri-action bump.
PR Check — Tests .github/workflows/pr-check-tests.yml	Added permissions/concurrency; migrated to newer actions (checkout v5, setup-node v5, setup-python v6); introduced Rust toolchain/cargo cache and format checks; split frontend/backend dependency installs and tests (Node 22, Python 3.12); reorganized lint/test steps with explicit working-directory contexts.

Sequence Diagram(s)

(Skipped — changes are workflow orchestration and do not introduce a runtime control flow diagram meeting diagram criteria.)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Add Release Drafter configuration and workflow #457: Modifies .github/workflows/build-and-release.yml and release steps; overlaps on release packaging and workflow modernizations.

Poem

🐰 Hopping through YAML fields so bright,

I plant a matrix under CI light,
caches snug, artifacts tied in strings,
one build to rule them—oh how it sings,
carrot crumbs and a published thing.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main objectives of the PR: improving CI workflow readability, caching, and structure across GitHub Actions workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/workflows/build-and-release.yml:
- Line 68: The shell expression on the step uses a conditional in the shell
property (shell: ${{ matrix.platform == 'windows-latest' && 'pwsh' || 'bash'
}}), which actionlint flags; replace this pattern by splitting the step into two
steps with step-level if conditions: one step with if: matrix.platform ==
'windows-latest' and shell: pwsh, and a second step with if: matrix.platform !=
'windows-latest' (or == 'ubuntu-latest' etc.) and shell: bash, keeping the same
run body in both so behavior remains unchanged.

In @.github/workflows/pr-check-tests.yml:
- Around line 33-40: The workflow uses mixed actions/setup-python versions;
standardize to a single version (prefer actions/setup-python@v6) by replacing
all occurrences of actions/setup-python@v5 with actions/setup-python@v6 across
the workflow (e.g., the linting job step using actions/setup-python@v6 and the
backend job step currently using actions/setup-python@v5—also update the other
occurrence around the block referenced in lines 118-125) so all jobs use the
same setup action version and keep any existing with: settings (python-version,
cache, cache-dependency-path) unchanged.

🧹 Nitpick comments (5)

.github/workflows/pr-check-tests.yml (2)

133-144: Misleading step names: these are build steps, not tests.

The steps "Backend Test" (line 133) and "Test Micro Services" (line 142) run pyinstaller to create executables, which is building, not testing. The actual test is the pytest step at line 147.

Consider renaming these steps to accurately reflect their purpose:

Proposed fix

-      - name: Backend Test
+      - name: Build Backend Executable
        working-directory: backend
        run: pyinstaller main.py --name PictoPy_Server --onedir --distpath dist

      - name: Install Micro Services Dependencies
        working-directory: sync-microservice
        run: |
          pip install -r requirements.txt

-      - name: Test Micro Services 
+      - name: Build Micro Services Executable
        working-directory: sync-microservice
        run: pyinstaller main.py --name PictoPy_Sync_Microservice --onedir --distpath dist

---

110-111: Missing timeout-minutes for the backend job.

The linting job (line 21) and frontend job (line 89) both have timeout-minutes: 15, but the backend job lacks this setting. Add a timeout to prevent hung jobs from consuming CI resources.

Proposed fix

  backend:
    needs: [linting,frontend]
    name: Backend Tests
    runs-on: ubuntu-latest
+   timeout-minutes: 15
    steps:

.github/workflows/pr-check-build.yml (1)

74-83: Remove commented-out code.

This dead code block duplicates the active Cache Cargo step above (lines 59-68). Remove it to improve maintainability.

Proposed fix

-      # - name: cache cargo registry and build
-      #   uses: actions/cache@v3
-      #   with:
-      #     path: |
-      #       frontend/src-tauri/target
-      #       ~/.cargo/registry
-      #       ~/.cargo/git
-      #     key: ${{ runner.os }}-cargo-${{ hashFiles('frontend/src-tauri/Cargo.lock') }}
-      #     restore-keys: |
-      #       ${{ runner.os }}-cargo-
-
       - uses: tauri-apps/tauri-action@v0.6.0

.github/workflows/build-and-release.yml (2)

40-48: Action versions inconsistent with other PR workflows.

This workflow uses older action versions compared to pr-check-tests.yml:

• actions/checkout@v4 vs @v5
• actions/setup-python@v4 vs @v5/@v6
• actions/setup-node@v4 (line 206) vs @v5

Consider aligning versions across all workflows for consistency.

Also applies to: 110-115

---

228-231: Use npm ci instead of npm install for consistency.

Other workflows (pr-check-tests.yml, pr-check-build.yml) use npm ci for deterministic installs. Consider aligning this step:

Proposed fix

      - name: Install frontend dependencies
        working-directory: frontend
        run: |
-         npm install
+         npm ci

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a3af96c and f618327.

📒 Files selected for processing (3)

• .github/workflows/build-and-release.yml
• .github/workflows/pr-check-build.yml
• .github/workflows/pr-check-tests.yml

🧰 Additional context used

🪛 actionlint (1.7.10)

.github/workflows/build-and-release.yml

68-68: context "matrix" is not allowed here. no context is available here. see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

---

131-131: context "matrix" is not allowed here. no context is available here. see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

🔇 Additional comments (5)

.github/workflows/pr-check-tests.yml (2)

8-14: Good addition of permissions and concurrency controls.

The explicit contents: read permission follows the principle of least privilege, and the concurrency group with cancel-in-progress: true will prevent redundant workflow runs on the same PR.

---

147-149: PR objectives mention pytest-cov but coverage flags are missing.

The PR description states "Adds backend coverage reporting using pytest-cov", but the pytest command runs without coverage options. If coverage reporting was intended, update the command accordingly.

If coverage was intended:

      - name: Run Tests
        working-directory: backend
-       run: pytest
+       run: pytest --cov=. --cov-report=term-missing

Also ensure pytest-cov is installed in the backend dependencies step.

.github/workflows/pr-check-build.yml (2)

7-14: Permissions and concurrency controls added correctly.

The workflow-level permissions and concurrency group are well-configured.

---

59-68: Cargo caching setup looks appropriate.

The cache paths and key strategy are well-defined for Rust dependencies.

.github/workflows/build-and-release.yml (1)

13-38: Well-structured matrix consolidation for multi-platform builds.

The matrix strategy effectively consolidates platform-specific build logic with per-platform commands (mkdir-cmd, copy-cmd, zip-cmd). The robocopy exit code handling for Windows (lines 23-24) correctly accounts for robocopy's non-standard exit codes.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Inconsistent actions/setup-python versions.

The linting job uses actions/setup-python@v6 (line 34) while the backend job uses actions/setup-python@v5 (line 119). Standardize on one version across the workflow.

Proposed fix

      - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

Also applies to: 118-125

🤖 Prompt for AI Agents

In @.github/workflows/pr-check-tests.yml around lines 33 - 40, The workflow uses
mixed actions/setup-python versions; standardize to a single version (prefer
actions/setup-python@v6) by replacing all occurrences of actions/setup-python@v5
with actions/setup-python@v6 across the workflow (e.g., the linting job step
using actions/setup-python@v6 and the backend job step currently using
actions/setup-python@v5—also update the other occurrence around the block
referenced in lines 118-125) so all jobs use the same setup action version and
keep any existing with: settings (python-version, cache, cache-dependency-path)
unchanged.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/pr-check-tests.yml:
- Around line 133-144: The workflow uses misleading step names "Backend Test"
and "Test Micro Services" while running pyinstaller; rename these steps to
reflect they are builds (e.g., change "Backend Test" -> "Build Backend
Executable" and "Test Micro Services" -> "Build Sync Microservice Executable")
or move these pyinstaller steps into a dedicated build job; update any step
names or job labels that reference "Backend Test" or "Backend Tests" to avoid
confusion and ensure consistency with the actual action performed.

🧹 Nitpick comments (2)

.github/workflows/pr-check-tests.yml (2)

74-76: Redundant || exit 1 clause.

GitHub Actions steps fail automatically on non-zero exit codes (unless continue-on-error: true is set). The || exit 1 is unnecessary.

Suggested simplification

       - name: Run backend Linters       
         working-directory: backend
-        run: pre-commit run --config ../.pre-commit-config.yaml --all-files || exit 1
+        run: pre-commit run --config ../.pre-commit-config.yaml --all-files

---

110-113: Missing timeout-minutes and unnecessary job dependency.

Two concerns:

1. Missing timeout: Unlike linting and frontend jobs, this job lacks timeout-minutes. Add it for consistency and to prevent hung jobs.

2. Unnecessary serialization: The needs: [linting, frontend] forces backend tests to wait for frontend tests to complete. Since these test suites are independent, backend should only depend on linting to allow parallel execution.

Suggested fix

   backend:
-    needs: [linting,frontend]
+    needs: [linting]
     name: Backend Tests
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f618327 and 7f0c8d6.

📒 Files selected for processing (1)

• .github/workflows/pr-check-tests.yml

🔇 Additional comments (3)

.github/workflows/pr-check-tests.yml (3)

8-14: Good additions for security and efficiency.

The explicit permissions: contents: read follows least-privilege principles, and the concurrency group with cancel-in-progress: true will efficiently cancel redundant workflow runs on the same PR.

---

83-107: LGTM!

Clean structure with proper caching, working directory usage, and timeout configuration.

---

147-149: Missing pytest-cov for coverage reporting.

The PR summary states "Adds backend coverage reporting using pytest-cov", but pytest-cov is neither installed (not in the pip install steps) nor invoked (no --cov flags on pytest).

If coverage reporting is intended, install and configure pytest-cov:

Suggested implementation

       - name: Install Backend Dependencies
         working-directory: backend
         run: |
           python -m pip install --upgrade pip
-          pip install -r requirements.txt
+          pip install -r requirements.txt pytest-cov

...

       - name: Run Tests
         working-directory: backend
-        run: pytest
+        run: pytest --cov=app --cov-report=term-missing

Please confirm whether coverage reporting was intended for this PR or deferred to a follow-up.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/workflows/pr-check-tests.yml:
- Around line 58-63: Remove the redundant explicit installation of ruff and
black in the "Install Backend Dependencies" job: keep upgrading pip and
installing pre-commit only, and remove "ruff" and "black" from the pip install
line since those tools are provided and managed by the hooks declared in
.pre-commit-config.yaml; update the run block in the Install Backend
Dependencies step accordingly so it only runs "python -m pip install --upgrade
pip" and "pip install pre-commit".
- Around line 110-150: Add pytest-cov to backend/requirements.txt and update the
backend job's Run Tests step (the pytest invocation) to run with coverage, e.g.,
change the pytest command in the Run Tests step to include flags like --cov=.
--cov-report=term-missing --cov-report=xml:coverage.xml, then add a new step
after Run Tests to upload the coverage.xml (using actions/upload-artifact or an
uploader of choice) so coverage results are preserved and can be consumed by
reporters.

🧹 Nitpick comments (1)

.github/workflows/pr-check-tests.yml (1)

133-145: Consider whether executable builds belong in the test job.

Building PyInstaller executables for the backend and sync microservice in the test job is unconventional. Typically, build steps belong in dedicated build jobs (like pr-check-build.yml).

If these executables are required for integration tests, this placement is acceptable. Otherwise, consider moving these steps to the build workflow to maintain clearer separation of concerns.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7f0c8d6 and d4f8a8d.

📒 Files selected for processing (1)

• .github/workflows/pr-check-tests.yml

🔇 Additional comments (4)

.github/workflows/pr-check-tests.yml (4)

8-14: LGTM! Good security and efficiency practices.

The explicit contents: read permission follows the principle of least privilege, and the concurrency configuration with cancel-in-progress: true will save CI resources by canceling outdated runs when new commits are pushed to the PR.

---

68-81: LGTM! Linting steps are well-structured.

The consistent use of working-directory improves clarity, and the linting commands are appropriate for each language/framework. The pre-commit config path correctly points to the repository root.

---

84-108: LGTM! Frontend test job is well-configured.

The job follows the established pattern with proper caching, updated action versions, and consistent use of working-directory. The dependency on the linting job ensures proper sequencing.

---

19-57: Action versions are valid and current. All GitHub Actions used in the workflow (checkout@v5, setup-node@v5, setup-python@v6, cache@v4) are stable releases as of January 2026. The caching strategy is comprehensive with proper dependency paths for npm, pip, and Cargo. Node.js 22, Python 3.12, and the Rust stable toolchain are well-configured for a multi-language linting job. The 15-minute timeout is appropriate.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/build-and-release.yml:
- Around line 74-78: The "Create ZIP package" step forces shell: bash which
causes Windows matrix entries to use GNU tar (no -a zip support); update that
step to use a conditional shell like the project's copy step so Windows runs
with PowerShell (pwsh) and non-Windows runs with bash (i.e., choose pwsh when
runner.os == 'Windows', bash otherwise) so the Windows zip-cmd (tar -a -c -f
...) uses native tar.exe; apply the same change to the sync microservice zip
step as well.

🧹 Nitpick comments (1)

.github/workflows/build-and-release.yml (1)

44-44: Consider upgrading actions/setup-python to v5.

actions/setup-python@v4 is used at lines 44 and 111. v5 has been available since December 2023 and includes multiple improvements: Node 20 runtime (v5.0.0), enhanced caching with architecture-aware keys (v5.2.0), free-threaded Python support (v5.5.0), and .tool-versions support (v5.5.0). Not urgent, but worth updating for long-term maintenance.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the workflow file to see the exact code
cat -n .github/workflows/build-and-release.yml | sed -n '13,150p'

Repository: AOSSIE-Org/PictoPy

Length of output: 5698

---

🏁 Script executed:

# Also check the specific lines 74-78 mentioned
cat -n .github/workflows/build-and-release.yml | sed -n '70,85p'

Repository: AOSSIE-Org/PictoPy

Length of output: 604

---

🏁 Script executed:

# Check the sync microservice zip step at lines 136-140
cat -n .github/workflows/build-and-release.yml | sed -n '132,145p'

Repository: AOSSIE-Org/PictoPy

Length of output: 502

---

🏁 Script executed:

# Verify the matrix definition including zip-cmd
cat -n .github/workflows/build-and-release.yml | sed -n '13,38p'

Repository: AOSSIE-Org/PictoPy

Length of output: 1359

---

🏁 Script executed:

# Check GNU tar documentation for -a flag behavior
# Let's search for information about tar -a with zip files in the codebase context
rg -i "tar.*-a.*zip|zip.*tar.*-a" || echo "No mixed tar/zip commands found in other files"

Repository: AOSSIE-Org/PictoPy

Length of output: 108

---

🌐 Web query:

GNU tar -a flag .zip format support Windows

💡 Result:

• GNU tar: -a/--auto-compress only auto-selects a compression filter for a tar archive based on the filename suffix (e.g., .tar.gz, .tar.xz). The GNU tar manual lists the supported compressors (gzip, bzip2, xz, zstd, etc.) and does not include ZIP, because ZIP is a different archive format, not a tar compression filter. So GNU tar cannot create a real .zip with -a. [1][5][6]

• Windows “tar.exe” (often not GNU tar): The tar that ships with modern Windows is typically bsdtar/libarchive, where -a does pick the archive format from the suffix, and archive.zip results in ZIP format (i.e., it can create ZIP). [2][3]

So: if you’re using GNU tar, tar -a -cf something.zip ... won’t produce a proper ZIP; if you’re using Windows’ built-in tar (bsdtar), it generally will.

Sources:
[1] GNU tar manual: supported compression programs (no zip)
[2] bsdtar man page (-a example shows archive.zip creates zip format)
[3] libarchive/bsdtar on Windows (issue describing Windows-included bsdtar)
[5] Explanation why GNU tar doesn’t handle zip like gzip/bzip2 filters
[6] GNU tar manual entry for --auto-compress (suffix-based compressed format recognition)

---

🌐 Web query:

GitHub Actions Windows bash shell Git Bash GNU tar vs Windows tar

💡 Result:

On GitHub Actions Windows runners, you can easily end up with different tar implementations depending on which shell/command is actually being used.

Which bash is used when you set shell: bash?

On Windows, shell: bash runs Git for Windows’ Git Bash explicitly:
C:\Program Files\Git\bin\bash.exe --noprofile --norc -e -o pipefail {0}. [1]
And the hosted image documents that gitbash.exe points to that same bash.exe. [2]

“Windows tar” vs “GNU tar” (what you’re really getting)

• Windows’ built-in tar is C:\Windows\System32\tar.exe, and it is bsdtar (libarchive-based). [3][4]
  Libarchive’s project explicitly provides the bsdtar tar implementation. [4]
• GNU tar is what you typically get from Unix-like environments on Windows (MSYS2 / Git for Windows). MSYS2’s tar package is GNU tar (homepage is gnu.org; package name tar). [5]

Why this matters in Actions workflows

• Some Actions/tools assume particular tar features/behavior. For example, actions/cache has Windows-specific behavior and notes that GNU tar (and zstd) are required/recommended on self-hosted Windows, especially for cross-OS caching. [6]
• If your workflow modifies PATH, you may unintentionally switch which tar.exe is found first.

How to force one or the other

• Force Windows bsdtar:
  • From Git Bash: /c/Windows/System32/tar.exe ...
  • Or use the full Windows path in any shell: C:\Windows\System32\tar.exe ... [3]
• Force GNU tar:
  • Use MSYS2 explicitly (shell: msys2 {0}) after setting it up (MSYS2 is preinstalled but not on PATH by default). [2]
  • Or call the GNU tar binary from the MSYS2/Git toolchain by absolute path (varies by install; verify with which tar / tar --version).

Quick check: run tar --version

• bsdtar prints something like bsdtar ... - libarchive ... [3][4]
• GNU tar prints tar (GNU tar) ... [5]

Sources: [1] [2] [3] [4] [5] [6]

---

Critical bug: Windows tar -a -c -f *.zip will fail under shell: bash.

The Create ZIP package step (lines 74–78) forces shell: bash, but the Windows zip-cmd (tar -a -c -f PictoPy-Windows.zip .) relies on Windows' native tar.exe (bsdtar/libarchive), which supports creating .zip archives via the -a flag. Under shell: bash on GitHub Actions, Git Bash's GNU tar is used instead, and GNU tar does not support .zip as a target format—only compression filters (gzip, bzip2, xz, zstd, etc.) for tar archives. This will fail on the Windows matrix entry.

The same issue applies to the sync microservice zip step at lines 136–140.

Recommended fix: Use conditional shell (mirrors the copy step pattern)

      - name: Create ZIP package
        working-directory: backend/dist/PictoPy_Server
-       shell: bash
+       shell: ${{ matrix.platform == 'windows-latest' && 'pwsh' || 'bash' }}
        run: |
          ${{ matrix.zip-cmd }}

Apply the same change to the sync microservice step at lines 136–140.

🤖 Prompt for AI Agents

In @.github/workflows/build-and-release.yml around lines 74 - 78, The "Create
ZIP package" step forces shell: bash which causes Windows matrix entries to use
GNU tar (no -a zip support); update that step to use a conditional shell like
the project's copy step so Windows runs with PowerShell (pwsh) and non-Windows
runs with bash (i.e., choose pwsh when runner.os == 'Windows', bash otherwise)
so the Windows zip-cmd (tar -a -c -f ...) uses native tar.exe; apply the same
change to the sync microservice zip step as well.