Add Dependabot and tests for reusable workflows#42
Conversation
Refs: RATY-350
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds Django (pip and uv) and Node (yarn and pnpm) workflow fixture projects, extends all reusable CI workflows with configurable ChangesReusable CI workflows and fixtures
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/ci-django-api.yml (1)
1-4:⚠️ Potential issue | 🟠 MajorAdd explicit least-privilege
permissionsat workflow scope.
.github/workflows/ci-django-api.ymlhas no workflow-levelpermissions:block, so it falls back to default (broader)GITHUB_TOKENpermissions. Add:permissions: contents: read
pull-requests: readisn’t evidenced as needed by this workflow (no PR API usage found).🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci-django-api.yml around lines 1 - 4, The workflow "Common CI for Django APIs" currently lacks a workflow-level permissions block, so update the top-level of the YAML (the workflow named "Common CI for Django APIs") to add an explicit least-privilege permissions section; specifically add a top-level permissions setting that limits GITHUB_TOKEN to contents: read (and do not add pull-requests: read since PR API calls are not used), ensuring the permissions block is placed at the same level as name: and on: so it applies workflow-wide.Source: Linters/SAST tools
🧹 Nitpick comments (7)
.github/workflow-fixtures/django-api-uv/tests/test_smoke.py (1)
1-2: ⚡ Quick winStrengthen the smoke test to validate the fixture contract.
assert Truewon’t catch Django wiring regressions (settings/URL routing). A minimal/healthz/request assertion would provide real signal with very low effort.Suggested test shape
def test_smoke(): - assert True + from django.test import Client + response = Client().get("/healthz/") + assert response.status_code == 200 + assert response.content == b"ok"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflow-fixtures/django-api-uv/tests/test_smoke.py around lines 1 - 2, Replace the trivial assertion in test_smoke with a real minimal Django request: in the test_smoke function use the Django test client fixture (client) to perform client.get('/healthz/') and assert response.status_code == 200 (optionally assert a small expected body or JSON), so the test verifies URL routing and settings wiring instead of just asserting True..github/workflows/ci-pnpm-node.yml (1)
74-74: ⚡ Quick winConsider setting
persist-credentials: falsefor security.Static analysis flags that checkout steps don't explicitly disable credential persistence. Setting
persist-credentials: falseis a defense-in-depth measure to prevent credential leakage.🔒 Recommended security enhancement
- name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: falseApply this pattern to all checkout steps (lines 74, 88, 160, 215).
Also applies to: 88-88, 160-160, 215-217
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci-pnpm-node.yml at line 74, Update each GitHub Actions checkout step that uses actions/checkout (e.g., the step with uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 and the other checkout occurrences) to include persist-credentials: false in the step configuration so credentials are not preserved in the workspace; apply this change to all checkout steps flagged (the ones at the noted occurrences) to harden against credential leakage.Source: Linters/SAST tools
.github/workflows/ci-node.yml (2)
66-66: ⚡ Quick winConsider setting
persist-credentials: falsefor security.Static analysis flags that checkout steps don't explicitly disable credential persistence. While the current artifact uploads don't include
.git, settingpersist-credentials: falseis a defense-in-depth measure to prevent credential leakage.🔒 Recommended security enhancement
- name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: falseApply this pattern to all four checkout steps (lines 66, 80, 148, 203).
Also applies to: 80-80, 148-148, 203-205
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci-node.yml at line 66, The checkout steps currently use actions/checkout (e.g., the entry with "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") but do not set persist-credentials, which can leak credentials to later steps; update each checkout step (the four occurrences referenced) to include the input persist-credentials: false so the GitHub token is not persisted in the workspace for downstream steps, ensuring you add this option to each uses: actions/checkout invocation.Source: Linters/SAST tools
66-66: ⚡ Quick winConsider setting
persist-credentials: falseacross all workflows (consolidated).Static analysis flags that multiple checkout steps across
ci-node.yml,ci-pnpm-node.yml, andci-uv-django-api.ymldon't explicitly disable credential persistence. Settingpersist-credentials: falseis a defense-in-depth security measure to prevent credential leakage through artifacts or subsequent steps.🔒 Recommended security enhancement
Apply this pattern to all checkout steps that don't already configure
persist-credentials:- name: Checkout uses: actions/checkout@<sha> # version + with: + persist-credentials: falseFor checkout steps that already have a
with:block (e.g.,ci-node.ymlline 203 andci-uv-django-api.ymllines 126, 176), add the option to the existing block.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci-node.yml at line 66, Multiple checkout steps (identify by the "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" occurrence) across the workflows ci-node.yml, ci-pnpm-node.yml, and ci-uv-django-api.yml are missing persist-credentials: false; update every actions/checkout step to include persist-credentials: false (for steps that already have a with: block, add persist-credentials: false inside that block; for plain checkout steps, replace with a with: block that sets persist-credentials: false) to prevent credential persistence between steps.Source: Linters/SAST tools
.github/workflows/sync-files.yml (2)
13-19: GitHub App token has organization-wide permissions.The app token inherits all installation permissions and is scoped to the entire organization (line 19). Ensure the app's installation permissions follow the principle of least privilege and are limited to only the repositories and permissions required for file synchronization.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sync-files.yml around lines 13 - 19, The workflow currently requests an organization-scoped GitHub App token via the create-github-app-token action (id: app-token) by setting owner: ${{ github.repository_owner }}, which grants organization-wide installation permissions; change this to use repository-scoped credentials and least-privilege permissions by removing or replacing the owner input so the token is only for the target repository, and update the GitHub App installation and permission settings (in the App configuration) to grant only the specific repo(s) and minimal permissions required for the sync operation; ensure the action still uses app-id and private-key inputs but with the App installation limited to the needed repo(s) and tightened permission scopes.Source: Linters/SAST tools
12-12: ⚡ Quick winAdd
persist-credentials: falsefor defense in depth.While the file-sync use case doesn't upload artifacts, setting
persist-credentials: falseprevents Git credentials from persisting on disk and being accessible to subsequent steps.🛡️ Proposed fix
- name: Checkout Repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sync-files.yml at line 12, Update the actions/checkout step to add persist-credentials: false for defense-in-depth: locate the checkout invocation (uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) and add the persist-credentials: false input to that step so Git credentials are not persisted to disk for downstream steps..github/workflows/test-reusable-workflows.yml (1)
1-9: 💤 Low valueConsider adding explicit
permissionsdeclarations.The workflow uses default permissions, which may be overly broad. For a test workflow that calls reusable workflows and downloads artifacts, consider explicitly declaring minimal permissions.
Example minimal permissions
permissions: contents: read actions: read🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/test-reusable-workflows.yml around lines 1 - 9, Add an explicit top-level permissions block to the workflow to avoid using default broad permissions: modify the workflow (around the top-level keys like name/on) to include a permissions mapping that grants only what's needed for running reusable workflows and downloading artifacts (e.g., set contents: read and actions: read, and add artifacts: read if your tests download artifacts). Ensure the new permissions key is at the same level as name and on so GitHub recognizes it.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflow-fixtures/django-api-uv/config/settings.py:
- Line 8: ALLOWED_HOSTS is currently an empty list which can block access to the
fixture from non-localhost hostnames in CI/containerized environments; update
the ALLOWED_HOSTS setting (the ALLOWED_HOSTS symbol in settings.py) to allow the
fixture to be reachable (e.g., use a permissive value such as allowing all hosts
or include the container/CI hostnames) while keeping DEBUG usage limited to test
fixtures only.
- Line 28: The TEMPLATES list is empty which can break Django features; replace
the empty assignment to TEMPLATES with a minimal DjangoTemplates backend
configuration by defining TEMPLATES as a list containing a dict with 'BACKEND':
'django.template.backends.django.DjangoTemplates', 'DIRS': [], 'APP_DIRS': True,
and an 'OPTIONS' dict that includes at least the standard 'context_processors'
(e.g., django.template.context_processors.request and
django.contrib.auth.context_processors.auth) so Django has a usable template
backend; update the TEMPLATES variable in settings.py accordingly.
In @.github/workflow-fixtures/django-api/requirements.txt:
- Line 1: The Django fixture currently pins Django==5.2.1 which is outdated;
update .github/workflow-fixtures/django-api/requirements.txt to pin a current
security-patched release (e.g., Django==5.2.15 or Django==6.0.6 depending on
your supported branch), run your test suite and CI build to validate
compatibility, and regenerate any lockfiles or rebuilt images so downstream
scans pick up the new version; also re-scan the container/artifact for bundled
library vulnerabilities (OpenSSL/libpq) after the bump.
In @.github/workflows/ci-django-api.yml:
- Around line 29-33: The workflow currently declares
workflow_call.secrets.SONAR_TOKEN as required: true which forces callers to
supply SONAR_TOKEN even when inputs.skip-sonar is true; change the secret
declaration SONAR_TOKEN to required: false under workflow_call.secrets and, in
the sonarcloud job (the job gated by if: ${{ !inputs.skip-sonar }}), keep or add
the guard referencing inputs.skip-sonar so the job only runs when skip-sonar is
false (i.e., use if: ${{ !inputs.skip-sonar }} or equivalent).
- Around line 62-63: Update every actions/checkout step that uses
actions/checkout@v4 (e.g., the occurrence shown as uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) to explicitly set
persist-credentials: false; locate all checkout usages (the ones around the
shown diff and the other checkouts referenced) and add the persist-credentials:
false input under each checkout step so the runner does not persist the
GITHUB_TOKEN/SSH credentials to the repository git config.
In @.github/workflows/ci-npm-publish.yml:
- Line 53: In the actions/checkout step that currently uses
actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd, add the option
persist-credentials: false to the step configuration so Git credentials are not
stored for later steps; locate the checkout step reference ("uses:
actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd") and add the
persist-credentials key with value false in that step.
---
Outside diff comments:
In @.github/workflows/ci-django-api.yml:
- Around line 1-4: The workflow "Common CI for Django APIs" currently lacks a
workflow-level permissions block, so update the top-level of the YAML (the
workflow named "Common CI for Django APIs") to add an explicit least-privilege
permissions section; specifically add a top-level permissions setting that
limits GITHUB_TOKEN to contents: read (and do not add pull-requests: read since
PR API calls are not used), ensuring the permissions block is placed at the same
level as name: and on: so it applies workflow-wide.
---
Nitpick comments:
In @.github/workflow-fixtures/django-api-uv/tests/test_smoke.py:
- Around line 1-2: Replace the trivial assertion in test_smoke with a real
minimal Django request: in the test_smoke function use the Django test client
fixture (client) to perform client.get('/healthz/') and assert
response.status_code == 200 (optionally assert a small expected body or JSON),
so the test verifies URL routing and settings wiring instead of just asserting
True.
In @.github/workflows/ci-node.yml:
- Line 66: The checkout steps currently use actions/checkout (e.g., the entry
with "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") but do
not set persist-credentials, which can leak credentials to later steps; update
each checkout step (the four occurrences referenced) to include the input
persist-credentials: false so the GitHub token is not persisted in the workspace
for downstream steps, ensuring you add this option to each uses:
actions/checkout invocation.
- Line 66: Multiple checkout steps (identify by the "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" occurrence) across
the workflows ci-node.yml, ci-pnpm-node.yml, and ci-uv-django-api.yml are
missing persist-credentials: false; update every actions/checkout step to
include persist-credentials: false (for steps that already have a with: block,
add persist-credentials: false inside that block; for plain checkout steps,
replace with a with: block that sets persist-credentials: false) to prevent
credential persistence between steps.
In @.github/workflows/ci-pnpm-node.yml:
- Line 74: Update each GitHub Actions checkout step that uses actions/checkout
(e.g., the step with uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 and the other checkout
occurrences) to include persist-credentials: false in the step configuration so
credentials are not preserved in the workspace; apply this change to all
checkout steps flagged (the ones at the noted occurrences) to harden against
credential leakage.
In @.github/workflows/sync-files.yml:
- Around line 13-19: The workflow currently requests an organization-scoped
GitHub App token via the create-github-app-token action (id: app-token) by
setting owner: ${{ github.repository_owner }}, which grants organization-wide
installation permissions; change this to use repository-scoped credentials and
least-privilege permissions by removing or replacing the owner input so the
token is only for the target repository, and update the GitHub App installation
and permission settings (in the App configuration) to grant only the specific
repo(s) and minimal permissions required for the sync operation; ensure the
action still uses app-id and private-key inputs but with the App installation
limited to the needed repo(s) and tightened permission scopes.
- Line 12: Update the actions/checkout step to add persist-credentials: false
for defense-in-depth: locate the checkout invocation (uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) and add the
persist-credentials: false input to that step so Git credentials are not
persisted to disk for downstream steps.
In @.github/workflows/test-reusable-workflows.yml:
- Around line 1-9: Add an explicit top-level permissions block to the workflow
to avoid using default broad permissions: modify the workflow (around the
top-level keys like name/on) to include a permissions mapping that grants only
what's needed for running reusable workflows and downloading artifacts (e.g.,
set contents: read and actions: read, and add artifacts: read if your tests
download artifacts). Ensure the new permissions key is at the same level as name
and on so GitHub recognizes it.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: daa0d354-4399-4720-bfd7-fee087f37b9f
⛔ Files ignored due to path filters (3)
.github/workflow-fixtures/django-api-uv/uv.lockis excluded by!**/*.lock.github/workflow-fixtures/node-pnpm/pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml.github/workflow-fixtures/node-yarn/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (36)
.github/dependabot.yml.github/workflow-fixtures/commitlint.config.mjs.github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml.github/workflow-fixtures/django-api-uv/config/__init__.py.github/workflow-fixtures/django-api-uv/config/settings.py.github/workflow-fixtures/django-api-uv/config/urls.py.github/workflow-fixtures/django-api-uv/config/wsgi.py.github/workflow-fixtures/django-api-uv/manage.py.github/workflow-fixtures/django-api-uv/pyproject.toml.github/workflow-fixtures/django-api-uv/pytest.ini.github/workflow-fixtures/django-api-uv/tests/test_smoke.py.github/workflow-fixtures/django-api/.pre-commit-config.yaml.github/workflow-fixtures/django-api/config/__init__.py.github/workflow-fixtures/django-api/config/settings.py.github/workflow-fixtures/django-api/config/urls.py.github/workflow-fixtures/django-api/config/wsgi.py.github/workflow-fixtures/django-api/manage.py.github/workflow-fixtures/django-api/requirements-dev.txt.github/workflow-fixtures/django-api/requirements.txt.github/workflow-fixtures/django-api/tests/test_smoke.py.github/workflow-fixtures/node-pnpm/package.json.github/workflow-fixtures/node-yarn/package.json.github/workflows/build-python-dists.yml.github/workflows/ci-django-api-README.md.github/workflows/ci-django-api.yml.github/workflows/ci-node-README.md.github/workflows/ci-node.yml.github/workflows/ci-npm-publish.yml.github/workflows/ci-pnpm-node-README.md.github/workflows/ci-pnpm-node.yml.github/workflows/ci-python-library-README.md.github/workflows/ci-python-library.yml.github/workflows/ci-uv-django-api-README.md.github/workflows/ci-uv-django-api.yml.github/workflows/sync-files.yml.github/workflows/test-reusable-workflows.yml
9f917c5 to
fa6a63f
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/test-reusable-workflows.yml:
- Around line 1-10: The workflow "Reusable Workflow Tests" currently relies on
repository default GITHUB_TOKEN permissions; add a top-level permissions block
to harden the token by specifying permissions: contents: read (e.g., add a
top-level permissions: contents: read entry under the workflow root alongside
name/on) so this workflow explicitly requires only read access to repository
contents and matches the other workflows' hardening.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3ec2e1a5-befc-45de-8c93-73e436420eaa
⛔ Files ignored due to path filters (3)
.github/workflow-fixtures/django-api-uv/uv.lockis excluded by!**/*.lock.github/workflow-fixtures/node-pnpm/pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml.github/workflow-fixtures/node-yarn/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (29)
.github/dependabot.yml.github/workflow-fixtures/commitlint.config.mjs.github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml.github/workflow-fixtures/django-api-uv/config/__init__.py.github/workflow-fixtures/django-api-uv/config/settings.py.github/workflow-fixtures/django-api-uv/config/urls.py.github/workflow-fixtures/django-api-uv/config/wsgi.py.github/workflow-fixtures/django-api-uv/manage.py.github/workflow-fixtures/django-api-uv/pyproject.toml.github/workflow-fixtures/django-api-uv/pytest.ini.github/workflow-fixtures/django-api-uv/tests/test_smoke.py.github/workflow-fixtures/django-api/.pre-commit-config.yaml.github/workflow-fixtures/django-api/config/__init__.py.github/workflow-fixtures/django-api/config/settings.py.github/workflow-fixtures/django-api/config/urls.py.github/workflow-fixtures/django-api/config/wsgi.py.github/workflow-fixtures/django-api/manage.py.github/workflow-fixtures/django-api/requirements-dev.txt.github/workflow-fixtures/django-api/requirements.txt.github/workflow-fixtures/django-api/tests/test_smoke.py.github/workflow-fixtures/node-pnpm/package.json.github/workflow-fixtures/node-yarn/package.json.github/workflows/ci-django-api.yml.github/workflows/ci-node.yml.github/workflows/ci-npm-publish.yml.github/workflows/ci-pnpm-node.yml.github/workflows/ci-python-library.yml.github/workflows/ci-uv-django-api.yml.github/workflows/test-reusable-workflows.yml
✅ Files skipped from review due to trivial changes (7)
- .github/workflow-fixtures/django-api/.pre-commit-config.yaml
- .github/workflow-fixtures/django-api/config/init.py
- .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
- .github/workflow-fixtures/django-api/tests/test_smoke.py
- .github/workflow-fixtures/django-api-uv/config/init.py
- .github/workflow-fixtures/node-yarn/package.json
- .github/workflow-fixtures/django-api-uv/pytest.ini
🚧 Files skipped from review as they are similar to previous changes (15)
- .github/workflow-fixtures/django-api-uv/config/wsgi.py
- .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
- .github/workflow-fixtures/django-api/manage.py
- .github/workflow-fixtures/django-api-uv/pyproject.toml
- .github/dependabot.yml
- .github/workflow-fixtures/django-api/requirements-dev.txt
- .github/workflow-fixtures/django-api-uv/config/settings.py
- .github/workflow-fixtures/commitlint.config.mjs
- .github/workflows/ci-python-library.yml
- .github/workflows/ci-django-api.yml
- .github/workflow-fixtures/django-api/config/wsgi.py
- .github/workflow-fixtures/django-api/config/settings.py
- .github/workflows/ci-node.yml
- .github/workflows/ci-uv-django-api.yml
- .github/workflow-fixtures/node-pnpm/package.json
f8a3f23 to
6199eeb
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflow-fixtures/django-api-uv/tests/test_smoke.py:
- Around line 1-2: The test_smoke function currently contains only a no-op
assertion that provides no validation of the Django application. Replace this
test with actual application verification by making an HTTP GET request to the
`/healthz/` endpoint and asserting that the response has a status code of 200
and contains an `ok` response. This will ensure that Django setup, URL routing,
and dependencies are properly validated during workflow execution.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 5ca82553-ef11-49ff-ad23-0aac697f698a
⛔ Files ignored due to path filters (3)
.github/workflow-fixtures/django-api-uv/uv.lockis excluded by!**/*.lock.github/workflow-fixtures/node-pnpm/pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml.github/workflow-fixtures/node-yarn/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (35)
.github/dependabot.yml.github/workflow-fixtures/commitlint.config.mjs.github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml.github/workflow-fixtures/django-api-uv/config/__init__.py.github/workflow-fixtures/django-api-uv/config/settings.py.github/workflow-fixtures/django-api-uv/config/urls.py.github/workflow-fixtures/django-api-uv/config/wsgi.py.github/workflow-fixtures/django-api-uv/manage.py.github/workflow-fixtures/django-api-uv/pyproject.toml.github/workflow-fixtures/django-api-uv/pytest.ini.github/workflow-fixtures/django-api-uv/tests/test_smoke.py.github/workflow-fixtures/django-api/.pre-commit-config.yaml.github/workflow-fixtures/django-api/config/__init__.py.github/workflow-fixtures/django-api/config/settings.py.github/workflow-fixtures/django-api/config/urls.py.github/workflow-fixtures/django-api/config/wsgi.py.github/workflow-fixtures/django-api/manage.py.github/workflow-fixtures/django-api/requirements-dev.txt.github/workflow-fixtures/django-api/requirements.txt.github/workflow-fixtures/django-api/tests/test_smoke.py.github/workflow-fixtures/node-pnpm/package.json.github/workflow-fixtures/node-yarn/package.json.github/workflows/ci-django-api-README.md.github/workflows/ci-django-api.yml.github/workflows/ci-node-README.md.github/workflows/ci-node.yml.github/workflows/ci-npm-publish.yml.github/workflows/ci-pnpm-node-README.md.github/workflows/ci-pnpm-node.yml.github/workflows/ci-python-library-README.md.github/workflows/ci-python-library.yml.github/workflows/ci-uv-django-api-README.md.github/workflows/ci-uv-django-api.yml.github/workflows/test-reusable-workflows.ymlCODEOWNERS
✅ Files skipped from review due to trivial changes (15)
- .github/workflow-fixtures/django-api/requirements-dev.txt
- CODEOWNERS
- .github/workflow-fixtures/django-api/config/wsgi.py
- .github/workflow-fixtures/django-api-uv/pytest.ini
- .github/workflow-fixtures/django-api-uv/pyproject.toml
- .github/workflow-fixtures/node-pnpm/package.json
- .github/workflows/ci-pnpm-node-README.md
- .github/workflows/ci-node-README.md
- .github/workflow-fixtures/django-api-uv/config/init.py
- .github/workflows/ci-django-api-README.md
- .github/workflow-fixtures/django-api/config/init.py
- .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
- .github/workflow-fixtures/django-api/.pre-commit-config.yaml
- .github/workflow-fixtures/commitlint.config.mjs
- .github/dependabot.yml
🚧 Files skipped from review as they are similar to previous changes (15)
- .github/workflows/ci-uv-django-api-README.md
- .github/workflow-fixtures/node-yarn/package.json
- .github/workflow-fixtures/django-api/manage.py
- .github/workflow-fixtures/django-api-uv/manage.py
- .github/workflow-fixtures/django-api/config/settings.py
- .github/workflows/ci-node.yml
- .github/workflows/ci-python-library-README.md
- .github/workflows/ci-django-api.yml
- .github/workflow-fixtures/django-api-uv/config/settings.py
- .github/workflow-fixtures/django-api/tests/test_smoke.py
- .github/workflows/ci-npm-publish.yml
- .github/workflows/test-reusable-workflows.yml
- .github/workflow-fixtures/django-api-uv/config/wsgi.py
- .github/workflows/ci-uv-django-api.yml
- .github/workflows/ci-pnpm-node.yml
There was a problem hiding this comment.
Pull request overview
This PR hardens and regression-tests the repository’s reusable GitHub Actions workflows by pinning third‑party actions to SHAs, adding Dependabot updates for GitHub Actions, and introducing minimal fixture projects plus a dedicated workflow that exercises each reusable workflow on workflow-related PRs.
Changes:
- Added a
test-reusable-workflows.ymlworkflow plus minimal Node (yarn/pnpm) and Python/Django (pip/uv) fixture projects to validate reusable workflows in CI. - Hardened workflows by pinning action references to commit SHAs, setting workflow-level
permissions: contents: read, and usingpersist-credentials: falseon checkouts (with one exception noted in comments). - Added new optional workflow inputs (e.g.,
skip-sonar,commitlint-config-file,pre-commit-config-file,pnpm-version) and added a Dependabot config for GitHub Actions updates.
Reviewed changes
Copilot reviewed 36 out of 40 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| CODEOWNERS | Adds default code ownership for the repo. |
| .github/dependabot.yml | Adds Dependabot configuration for GitHub Actions (and ignores fixture deps). |
| .github/workflows/test-reusable-workflows.yml | New workflow that runs reusable workflows against fixture projects on workflow PR changes. |
| .github/workflows/sync-files.yml | Pins actions used by sync workflow; (commented) needs checkout hardening/permissions alignment. |
| .github/workflows/ci-uv-django-api.yml | Adds inputs for skipping sonar and custom config paths; hardens checkouts; updates sonar gating (commented). |
| .github/workflows/ci-uv-django-api-README.md | Documents new inputs for the uv Django API workflow. |
| .github/workflows/ci-django-api.yml | Adds inputs for skipping sonar and custom config paths; hardens checkouts; updates sonar gating (commented). |
| .github/workflows/ci-django-api-README.md | Documents new inputs for the Django API workflow. |
| .github/workflows/ci-python-library.yml | Adds optional inputs for commitlint/pre-commit config paths and hardens checkouts. |
| .github/workflows/ci-python-library-README.md | Documents new inputs for the Python library workflow. |
| .github/workflows/ci-node.yml | Adds optional commitlint config input; pins actions; hardens checkouts. |
| .github/workflows/ci-node-README.md | Documents new commitlint-config-file input. |
| .github/workflows/ci-pnpm-node.yml | Adds optional pnpm-version + commitlint config input; pins actions; hardens checkouts. |
| .github/workflows/ci-pnpm-node-README.md | Documents new pnpm-version and commitlint-config-file inputs. |
| .github/workflows/ci-npm-publish.yml | Pins actions; adds workflow-level permissions; hardens checkout. |
| .github/workflows/build-python-dists.yml | Minor formatting/pinning consistency for artifact upload step. |
| .github/workflow-fixtures/commitlint.config.mjs | Adds a permissive commitlint config for fixture-based workflow runs. |
| .github/workflow-fixtures/node-yarn/package.json | Minimal Node/yarn fixture project for ci-node workflow testing. |
| .github/workflow-fixtures/node-yarn/yarn.lock | Minimal yarn lockfile for the yarn fixture. |
| .github/workflow-fixtures/node-pnpm/package.json | Minimal Node/pnpm fixture project for ci-pnpm-node workflow testing. |
| .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml | Minimal pnpm lockfile for the pnpm fixture. |
| .github/workflow-fixtures/django-api/manage.py | Minimal Django fixture entrypoint for ci-django-api testing. |
| .github/workflow-fixtures/django-api/requirements.txt | Pins minimal runtime deps for Django (pip) fixture. |
| .github/workflow-fixtures/django-api/requirements-dev.txt | Pins minimal dev/test deps for Django (pip) fixture. |
| .github/workflow-fixtures/django-api/.pre-commit-config.yaml | Empty pre-commit config file for fixture workflow execution. |
| .github/workflow-fixtures/django-api/config/init.py | Package marker for Django fixture config module. |
| .github/workflow-fixtures/django-api/config/settings.py | Minimal Django settings for fixture project. |
| .github/workflow-fixtures/django-api/config/urls.py | Minimal URL config for fixture project. |
| .github/workflow-fixtures/django-api/config/wsgi.py | Minimal WSGI config for fixture project. |
| .github/workflow-fixtures/django-api/tests/test_smoke.py | Minimal smoke test for fixture project. |
| .github/workflow-fixtures/django-api-uv/pyproject.toml | Minimal uv-based Django fixture project definition. |
| .github/workflow-fixtures/django-api-uv/uv.lock | uv lockfile to make uv fixture installs reproducible. |
| .github/workflow-fixtures/django-api-uv/manage.py | Minimal Django fixture entrypoint for ci-uv-django-api testing. |
| .github/workflow-fixtures/django-api-uv/pytest.ini | Sets DJANGO_SETTINGS_MODULE for pytest-django in uv fixture. |
| .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml | Empty pre-commit config file for uv fixture workflow execution. |
| .github/workflow-fixtures/django-api-uv/config/init.py | Package marker for uv Django fixture config module. |
| .github/workflow-fixtures/django-api-uv/config/settings.py | Minimal Django settings for uv fixture project. |
| .github/workflow-fixtures/django-api-uv/config/urls.py | Minimal URL config for uv fixture project. |
| .github/workflow-fixtures/django-api-uv/config/wsgi.py | Minimal WSGI config for uv fixture project. |
| .github/workflow-fixtures/django-api-uv/tests/test_smoke.py | Minimal smoke test for uv fixture project. |
Files not reviewed (1)
- .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Riippi
left a comment
There was a problem hiding this comment.
I didn't find anything to complain so I put AI to do some reviewing:
Code review
Found 2 issues:
- Artifact name collision in the test workflow. Both
test-ci-nodeandtest-ci-pnpm-nodepassnode-version: "24", and both called workflows (ci-node.yml,ci-pnpm-node.yml) upload an artifact namedbuild-artifacts-${{ inputs.node-version }}, which resolves tobuild-artifacts-24for both. Two jobs uploading the same artifact name in one run is a hard failure underactions/upload-artifact@v4, and the downstream assert/download jobs become ambiguous. Use distinct node versions or distinct artifact names.
.github/.github/workflows/test-reusable-workflows.yml
Lines 40 to 45 in 20f6f50
permissions: contents: readdropspull-requeststonone. Declaring permissions explicitly sets every unlisted scope tonone. The called workflows runwagoid/commitlint-github-action, which queries the GitHub API to list PR commits and requirespull-requests: read. With onlycontents: readdeclared (and the reusable workflows declaring their owncontents: readblocks too), the commitlint jobs will fail with 403 on every PR run. Addpull-requests: read.
.github/.github/workflows/test-reusable-workflows.yml
Lines 10 to 13 in 20f6f50
20f6f50 to
1bf3798
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci-django-api.yml:
- Around line 88-90: The extra_args construction in the pre-commit step uses
conditional logic that results in an empty string when using default inputs
(pre-commit-config-file empty and working-directory set to dot). To fix this,
modify the extra_args conditional expressions to avoid passing empty arguments
to pre-commit. Either restructure the conditionals to only include extra_args
content when there are actual values to pass, or establish sensible default
behavior that ensures pre-commit executes with appropriate configuration even
when inputs use their default values, so that full-repo hook execution is not
bypassed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 55400e32-bee6-4548-9dba-b632b9932de4
⛔ Files ignored due to path filters (3)
.github/workflow-fixtures/django-api-uv/uv.lockis excluded by!**/*.lock.github/workflow-fixtures/node-pnpm/pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml.github/workflow-fixtures/node-yarn/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (36)
.github/dependabot.yml.github/workflow-fixtures/commitlint.config.mjs.github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml.github/workflow-fixtures/django-api-uv/config/__init__.py.github/workflow-fixtures/django-api-uv/config/settings.py.github/workflow-fixtures/django-api-uv/config/urls.py.github/workflow-fixtures/django-api-uv/config/wsgi.py.github/workflow-fixtures/django-api-uv/manage.py.github/workflow-fixtures/django-api-uv/pyproject.toml.github/workflow-fixtures/django-api-uv/pytest.ini.github/workflow-fixtures/django-api-uv/tests/test_smoke.py.github/workflow-fixtures/django-api/.pre-commit-config.yaml.github/workflow-fixtures/django-api/config/__init__.py.github/workflow-fixtures/django-api/config/settings.py.github/workflow-fixtures/django-api/config/urls.py.github/workflow-fixtures/django-api/config/wsgi.py.github/workflow-fixtures/django-api/manage.py.github/workflow-fixtures/django-api/requirements-dev.txt.github/workflow-fixtures/django-api/requirements.txt.github/workflow-fixtures/django-api/tests/test_smoke.py.github/workflow-fixtures/node-pnpm/package.json.github/workflow-fixtures/node-yarn/package.json.github/workflows/ci-django-api-README.md.github/workflows/ci-django-api.yml.github/workflows/ci-node-README.md.github/workflows/ci-node.yml.github/workflows/ci-npm-publish.yml.github/workflows/ci-pnpm-node-README.md.github/workflows/ci-pnpm-node.yml.github/workflows/ci-python-library-README.md.github/workflows/ci-python-library.yml.github/workflows/ci-uv-django-api-README.md.github/workflows/ci-uv-django-api.yml.github/workflows/sync-files.yml.github/workflows/test-reusable-workflows.ymlCODEOWNERS
✅ Files skipped from review due to trivial changes (13)
- .github/workflow-fixtures/django-api-uv/pytest.ini
- .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
- .github/workflow-fixtures/node-yarn/package.json
- .github/workflow-fixtures/django-api/.pre-commit-config.yaml
- .github/workflows/ci-node-README.md
- CODEOWNERS
- .github/workflow-fixtures/commitlint.config.mjs
- .github/workflows/ci-django-api-README.md
- .github/workflow-fixtures/django-api/config/init.py
- .github/workflows/ci-uv-django-api-README.md
- .github/workflows/ci-python-library-README.md
- .github/workflow-fixtures/django-api-uv/pyproject.toml
- .github/workflow-fixtures/node-pnpm/package.json
🚧 Files skipped from review as they are similar to previous changes (15)
- .github/workflows/sync-files.yml
- .github/workflow-fixtures/django-api/requirements-dev.txt
- .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
- .github/workflow-fixtures/django-api/manage.py
- .github/dependabot.yml
- .github/workflow-fixtures/django-api-uv/manage.py
- .github/workflow-fixtures/django-api/tests/test_smoke.py
- .github/workflow-fixtures/django-api/config/settings.py
- .github/workflows/ci-node.yml
- .github/workflows/ci-uv-django-api.yml
- .github/workflow-fixtures/django-api-uv/config/settings.py
- .github/workflows/ci-python-library.yml
- .github/workflows/ci-pnpm-node.yml
- .github/workflows/ci-npm-publish.yml
- .github/workflows/test-reusable-workflows.yml
1bf3798 to
528b80c
Compare
These are now fixed. |
3da5290 to
771b612
Compare
e7b069b to
867c948
Compare
867c948 to
c6e23b5
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/ci-node-README.md (1)
43-43: ⚡ Quick winDocument
artifact-nameand conditionalSONAR_TOKENrequirement here.Line 43 adds one new optional input, but the reusable workflow interface also added
artifact-name, andSONAR_TOKENis now only needed when Sonar is enabled. Keeping this README aligned prevents consumer-side misconfiguration.Suggested doc patch
### 🔶 Optional Inputs - **`extra-commands`** (string): Additional setup commands or checks to execute before running tests. Can be used to set environment variables: `echo "EXTRA_TEST_ENV_VAR=test" >> $GITHUB_ENV`. - **`typecheck`** (boolean): Run typecheck command. Default is `false`. - **`working-directory`** (string): Repository working directory where to run yarn installation and the tests. Default is `.` (the repository root). - **`app-directory`** (string): The subdirectory of the application where the tests are run. Default is **`working-directory`**. - **`commitlint-config-file`** (string): Path to the commitlint config file. If empty, commitlint uses its default config discovery (file in repository root). +- **`artifact-name`** (string): Optional build artifact name. Defaults to `build-artifacts-<node-version>`. ### 🔑 Secrets -- **`SONAR_TOKEN`**: Token for SonarQube Cloud Scan. Required. +- **`SONAR_TOKEN`**: Token for SonarQube Cloud Scan. Required only when Sonar is not skipped.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci-node-README.md at line 43, Update the README in the .github/workflows/ci-node-README.md file to document the newly added `artifact-name` input parameter and clarify that the `SONAR_TOKEN` environment variable is now conditionally required only when Sonar analysis is enabled. Add entries for both `artifact-name` (describing its purpose and that it is optional) and update the `SONAR_TOKEN` documentation to specify it is only needed when Sonar scanning is configured, ensuring the documentation accurately reflects the current reusable workflow interface.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/ci-node-README.md:
- Line 43: Update the README in the .github/workflows/ci-node-README.md file to
document the newly added `artifact-name` input parameter and clarify that the
`SONAR_TOKEN` environment variable is now conditionally required only when Sonar
analysis is enabled. Add entries for both `artifact-name` (describing its
purpose and that it is optional) and update the `SONAR_TOKEN` documentation to
specify it is only needed when Sonar scanning is configured, ensuring the
documentation accurately reflects the current reusable workflow interface.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: e56f48e3-8617-406a-a3c8-84017f6ec678
⛔ Files ignored due to path filters (3)
.github/workflow-fixtures/django-api-uv/uv.lockis excluded by!**/*.lock.github/workflow-fixtures/node-pnpm/pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml.github/workflow-fixtures/node-yarn/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (36)
.github/dependabot.yml.github/workflow-fixtures/commitlint.config.mjs.github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml.github/workflow-fixtures/django-api-uv/config/__init__.py.github/workflow-fixtures/django-api-uv/config/settings.py.github/workflow-fixtures/django-api-uv/config/urls.py.github/workflow-fixtures/django-api-uv/config/wsgi.py.github/workflow-fixtures/django-api-uv/manage.py.github/workflow-fixtures/django-api-uv/pyproject.toml.github/workflow-fixtures/django-api-uv/pytest.ini.github/workflow-fixtures/django-api-uv/tests/test_smoke.py.github/workflow-fixtures/django-api/.pre-commit-config.yaml.github/workflow-fixtures/django-api/config/__init__.py.github/workflow-fixtures/django-api/config/settings.py.github/workflow-fixtures/django-api/config/urls.py.github/workflow-fixtures/django-api/config/wsgi.py.github/workflow-fixtures/django-api/manage.py.github/workflow-fixtures/django-api/requirements-dev.txt.github/workflow-fixtures/django-api/requirements.txt.github/workflow-fixtures/django-api/tests/test_smoke.py.github/workflow-fixtures/node-pnpm/package.json.github/workflow-fixtures/node-yarn/package.json.github/workflows/ci-django-api-README.md.github/workflows/ci-django-api.yml.github/workflows/ci-node-README.md.github/workflows/ci-node.yml.github/workflows/ci-npm-publish.yml.github/workflows/ci-pnpm-node-README.md.github/workflows/ci-pnpm-node.yml.github/workflows/ci-python-library-README.md.github/workflows/ci-python-library.yml.github/workflows/ci-uv-django-api-README.md.github/workflows/ci-uv-django-api.yml.github/workflows/sync-files.yml.github/workflows/test-reusable-workflows.ymlCODEOWNERS
✅ Files skipped from review due to trivial changes (10)
- .github/workflow-fixtures/node-pnpm/package.json
- .github/workflow-fixtures/django-api-uv/config/init.py
- .github/workflow-fixtures/django-api/config/init.py
- .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
- .github/workflow-fixtures/django-api/requirements-dev.txt
- .github/dependabot.yml
- .github/workflow-fixtures/commitlint.config.mjs
- .github/workflows/ci-uv-django-api-README.md
- .github/workflow-fixtures/django-api/.pre-commit-config.yaml
- .github/workflow-fixtures/django-api-uv/pytest.ini
🚧 Files skipped from review as they are similar to previous changes (20)
- CODEOWNERS
- .github/workflows/ci-django-api-README.md
- .github/workflow-fixtures/django-api-uv/config/wsgi.py
- .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
- .github/workflow-fixtures/django-api-uv/manage.py
- .github/workflows/ci-pnpm-node-README.md
- .github/workflow-fixtures/node-yarn/package.json
- .github/workflows/sync-files.yml
- .github/workflows/ci-python-library-README.md
- .github/workflow-fixtures/django-api/config/wsgi.py
- .github/workflow-fixtures/django-api/tests/test_smoke.py
- .github/workflow-fixtures/django-api-uv/pyproject.toml
- .github/workflow-fixtures/django-api/manage.py
- .github/workflow-fixtures/django-api/config/settings.py
- .github/workflows/ci-npm-publish.yml
- .github/workflows/ci-python-library.yml
- .github/workflows/ci-uv-django-api.yml
- .github/workflows/ci-django-api.yml
- .github/workflows/test-reusable-workflows.yml
- .github/workflow-fixtures/django-api-uv/config/settings.py
c6e23b5 to
4265f8d
Compare
4265f8d to
eb6eefd
Compare
terovirtanen
left a comment
There was a problem hiding this comment.
workflow-fixtures kaipaa READMEmd jossa kerrotaan tarkemmin mihin tarkoitukseen nämä ovat ja missä niitä käytetään, miten tämän riippuvuuksia on tarkoitus päivittää, yms.
Refs: RATY-350
Mostly to make testing the workflows possible. Refs: RATY-350
e003dea to
1d765ff
Compare
Refs: RATY-350
Refs: RATY-350
1d765ff to
029e68b
Compare
commitlint-config-file(all CI workflows),pre-commit-config-file(ci-django-api, ci-uv-django-api, ci-python-library),skip-sonar(ci-django-api, ci-uv-django-api), andpnpm-version(ci-pnpm-node). They are added primarily to support testing the reusable workflows, but can be useful in other use cases as well.test-reusable-workflows.ymlcalls each reusable workflow with minimal fixture projects on every PR that touches workflow files.permissions: contents: readat the workflow level andpersist-credentials: falseon every checkout step.Example showing Dependabot in action with this config in a forked repo: tuomas777#1
The workflows tested in actual client repos:
ci-django-api)ci-uv-django-api)ci-pnpm-node)Refs: RATY-350
Summary by CodeRabbit
Summary by CodeRabbit
New Features
healthzendpoint and smoke tests.Chores
skip-sonar, pluscommitlint-config-fileandpre-commit-config-fileoverrides; Sonar token is now optional.Documentation