Skip to content

Add Dependabot and tests for reusable workflows#42

Merged
tuomas777 merged 6 commits into
mainfrom
RATY-350-add-dependabot-and-tests-for-workflows
Jun 25, 2026
Merged

Add Dependabot and tests for reusable workflows#42
tuomas777 merged 6 commits into
mainfrom
RATY-350-add-dependabot-and-tests-for-workflows

Conversation

@tuomas777

@tuomas777 tuomas777 commented Jun 11, 2026

Copy link
Copy Markdown
Contributor
  • Pin actions to SHAs — All third party action references are now pinned to full commit SHAs instead of mutable tags.
  • Dependabot — added Dependabot config to keep third party actions up to date automatically. Uses grouping and generates one PR per week.
  • New optional inputs — commitlint-config-file (all CI workflows), pre-commit-config-file (ci-django-api, ci-uv-django-api, ci-python-library), skip-sonar (ci-django-api, ci-uv-django-api), and pnpm-version (ci-pnpm-node). They are added primarily to support testing the reusable workflows, but can be useful in other use cases as well.
  • Tests — new workflow test-reusable-workflows.yml calls each reusable workflow with minimal fixture projects on every PR that touches workflow files.
  • Hardening — all workflows now set permissions: contents: read at the workflow level and persist-credentials: false on every checkout step.

Example showing Dependabot in action with this config in a forked repo: tuomas777#1

The workflows tested in actual client repos:

Refs: RATY-350

Summary by CodeRabbit

Summary by CodeRabbit

  • New Features

    • Added new fixture-based CI scaffolding for Node (Yarn/Pnpm) and Django, including a simple Django healthz endpoint and smoke tests.
    • Introduced a reusable workflow test runner to validate fixture-produced artifacts.
  • Chores

    • Extended reusable CI workflows with optional skip-sonar, plus commitlint-config-file and pre-commit-config-file overrides; Sonar token is now optional.
    • Pinned GitHub Actions steps, tightened workflow permissions, and enhanced dependency update scheduling.
  • Documentation

    • Updated reusable workflow READMEs to document the new optional inputs.

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds Django (pip and uv) and Node (yarn and pnpm) workflow fixture projects, extends all reusable CI workflows with configurable commitlint-config-file, pre-commit-config-file, skip-sonar, and pnpm-version inputs, pins GitHub Actions references to commit SHAs, adds permissions: contents: read and persist-credentials: false hardening, configures Dependabot, and introduces a new test-reusable-workflows.yml that validates reusable workflows against the fixtures.

Changes

Reusable CI workflows and fixtures

Layer / File(s) Summary
Dependency automation and baseline fixture config
.github/dependabot.yml, .github/workflow-fixtures/commitlint.config.mjs, CODEOWNERS
Configures Dependabot weekly update policies for GitHub Actions (with 7-day cooldown), pip, and npm (ignoring all deps in fixture directories), adds a permissive commitlint fixture config with empty rules, and establishes a CODEOWNERS rule for the repository.
Django API fixture projects
.github/workflow-fixtures/django-api/*, .github/workflow-fixtures/django-api-uv/*
Adds two parallel Django fixture applications — one pip-based (requirements.txt/requirements-dev.txt) and one uv-based (pyproject.toml) — each with full Django settings (PostgreSQL via env vars), a healthz/ URL, WSGI entrypoint, manage.py, empty pre-commit config, pytest configuration, and a smoke test.
Node.js fixture projects
.github/workflow-fixtures/node-yarn/package.json, .github/workflow-fixtures/node-pnpm/package.json
Adds yarn and pnpm fixture packages with private package metadata and stub lint, build, and test:coverage scripts that write minimal dist/index.js and coverage/coverage-final.json artifacts.
Reusable workflow inputs and documentation
.github/workflows/ci-*-README.md, .github/workflows/ci-*.yml
Adds commitlint-config-file, pre-commit-config-file, skip-sonar, and pnpm-version inputs to the reusable workflow workflow_call interfaces and documents them in the corresponding READMEs with fallback behavior when paths are empty.
Reusable workflow wiring and action pinning
.github/workflows/ci-*.yml, .github/workflows/sync-files.yml, .github/workflows/build-python-dists.yml
Pins all uses: action references to commit SHAs, adds permissions: contents: read and persist-credentials: false on checkout steps, wires commitlint-config-file into configFile, conditionally appends --config to pre-commit extra_args, gates sonarcloud jobs on !inputs.skip-sonar, and makes SONAR_TOKEN non-required in Django API workflows.
Reusable workflow validation harness
.github/workflows/test-reusable-workflows.yml
Adds a new workflow triggered on PR changes to workflow YAMLs and fixture files that invokes all reusable workflows against their respective fixtures (node-yarn, node-pnpm, django-api, django-api-uv, python-dist), with follow-on assertion jobs that download and verify produced artifacts.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐇 A rabbit hops through YAML fields so wide,
Pinning actions with SHA as the guide.
New fixtures bloom — Django, Node, and more,
skip-sonar, pre-commit, inputs galore!
The test harness checks each artifact in turn,
And Dependabot watches so versions don't burn. 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Add Dependabot and tests for reusable workflows' directly and accurately reflects the main changes: Dependabot configuration setup and new test workflow for reusable workflows.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch RATY-350-add-dependabot-and-tests-for-workflows

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci-django-api.yml (1)

1-4: ⚠️ Potential issue | 🟠 Major

Add explicit least-privilege permissions at workflow scope.

.github/workflows/ci-django-api.yml has no workflow-level permissions: block, so it falls back to default (broader) GITHUB_TOKEN permissions. Add:

permissions:
  contents: read

pull-requests: read isn’t evidenced as needed by this workflow (no PR API usage found).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-django-api.yml around lines 1 - 4, The workflow "Common
CI for Django APIs" currently lacks a workflow-level permissions block, so
update the top-level of the YAML (the workflow named "Common CI for Django
APIs") to add an explicit least-privilege permissions section; specifically add
a top-level permissions setting that limits GITHUB_TOKEN to contents: read (and
do not add pull-requests: read since PR API calls are not used), ensuring the
permissions block is placed at the same level as name: and on: so it applies
workflow-wide.

Source: Linters/SAST tools

🧹 Nitpick comments (7)
.github/workflow-fixtures/django-api-uv/tests/test_smoke.py (1)

1-2: ⚡ Quick win

Strengthen the smoke test to validate the fixture contract.

assert True won’t catch Django wiring regressions (settings/URL routing). A minimal /healthz/ request assertion would provide real signal with very low effort.

Suggested test shape
 def test_smoke():
-    assert True
+    from django.test import Client
+    response = Client().get("/healthz/")
+    assert response.status_code == 200
+    assert response.content == b"ok"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflow-fixtures/django-api-uv/tests/test_smoke.py around lines 1 -
2, Replace the trivial assertion in test_smoke with a real minimal Django
request: in the test_smoke function use the Django test client fixture (client)
to perform client.get('/healthz/') and assert response.status_code == 200
(optionally assert a small expected body or JSON), so the test verifies URL
routing and settings wiring instead of just asserting True.
.github/workflows/ci-pnpm-node.yml (1)

74-74: ⚡ Quick win

Consider setting persist-credentials: false for security.

Static analysis flags that checkout steps don't explicitly disable credential persistence. Setting persist-credentials: false is a defense-in-depth measure to prevent credential leakage.

🔒 Recommended security enhancement
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false

Apply this pattern to all checkout steps (lines 74, 88, 160, 215).

Also applies to: 88-88, 160-160, 215-217

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-pnpm-node.yml at line 74, Update each GitHub Actions
checkout step that uses actions/checkout (e.g., the step with uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 and the other checkout
occurrences) to include persist-credentials: false in the step configuration so
credentials are not preserved in the workspace; apply this change to all
checkout steps flagged (the ones at the noted occurrences) to harden against
credential leakage.

Source: Linters/SAST tools

.github/workflows/ci-node.yml (2)

66-66: ⚡ Quick win

Consider setting persist-credentials: false for security.

Static analysis flags that checkout steps don't explicitly disable credential persistence. While the current artifact uploads don't include .git, setting persist-credentials: false is a defense-in-depth measure to prevent credential leakage.

🔒 Recommended security enhancement
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false

Apply this pattern to all four checkout steps (lines 66, 80, 148, 203).

Also applies to: 80-80, 148-148, 203-205

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-node.yml at line 66, The checkout steps currently use
actions/checkout (e.g., the entry with "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") but do not set
persist-credentials, which can leak credentials to later steps; update each
checkout step (the four occurrences referenced) to include the input
persist-credentials: false so the GitHub token is not persisted in the workspace
for downstream steps, ensuring you add this option to each uses:
actions/checkout invocation.

Source: Linters/SAST tools


66-66: ⚡ Quick win

Consider setting persist-credentials: false across all workflows (consolidated).

Static analysis flags that multiple checkout steps across ci-node.yml, ci-pnpm-node.yml, and ci-uv-django-api.yml don't explicitly disable credential persistence. Setting persist-credentials: false is a defense-in-depth security measure to prevent credential leakage through artifacts or subsequent steps.

🔒 Recommended security enhancement

Apply this pattern to all checkout steps that don't already configure persist-credentials:

       - name: Checkout
         uses: actions/checkout@<sha> # version
+        with:
+          persist-credentials: false

For checkout steps that already have a with: block (e.g., ci-node.yml line 203 and ci-uv-django-api.yml lines 126, 176), add the option to the existing block.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-node.yml at line 66, Multiple checkout steps (identify
by the "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5"
occurrence) across the workflows ci-node.yml, ci-pnpm-node.yml, and
ci-uv-django-api.yml are missing persist-credentials: false; update every
actions/checkout step to include persist-credentials: false (for steps that
already have a with: block, add persist-credentials: false inside that block;
for plain checkout steps, replace with a with: block that sets
persist-credentials: false) to prevent credential persistence between steps.

Source: Linters/SAST tools

.github/workflows/sync-files.yml (2)

13-19: GitHub App token has organization-wide permissions.

The app token inherits all installation permissions and is scoped to the entire organization (line 19). Ensure the app's installation permissions follow the principle of least privilege and are limited to only the repositories and permissions required for file synchronization.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-files.yml around lines 13 - 19, The workflow
currently requests an organization-scoped GitHub App token via the
create-github-app-token action (id: app-token) by setting owner: ${{
github.repository_owner }}, which grants organization-wide installation
permissions; change this to use repository-scoped credentials and
least-privilege permissions by removing or replacing the owner input so the
token is only for the target repository, and update the GitHub App installation
and permission settings (in the App configuration) to grant only the specific
repo(s) and minimal permissions required for the sync operation; ensure the
action still uses app-id and private-key inputs but with the App installation
limited to the needed repo(s) and tightened permission scopes.

Source: Linters/SAST tools


12-12: ⚡ Quick win

Add persist-credentials: false for defense in depth.

While the file-sync use case doesn't upload artifacts, setting persist-credentials: false prevents Git credentials from persisting on disk and being accessible to subsequent steps.

🛡️ Proposed fix
       - name: Checkout Repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-files.yml at line 12, Update the actions/checkout
step to add persist-credentials: false for defense-in-depth: locate the checkout
invocation (uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) and
add the persist-credentials: false input to that step so Git credentials are not
persisted to disk for downstream steps.
.github/workflows/test-reusable-workflows.yml (1)

1-9: 💤 Low value

Consider adding explicit permissions declarations.

The workflow uses default permissions, which may be overly broad. For a test workflow that calls reusable workflows and downloads artifacts, consider explicitly declaring minimal permissions.

Example minimal permissions
permissions:
  contents: read
  actions: read
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-reusable-workflows.yml around lines 1 - 9, Add an
explicit top-level permissions block to the workflow to avoid using default
broad permissions: modify the workflow (around the top-level keys like name/on)
to include a permissions mapping that grants only what's needed for running
reusable workflows and downloading artifacts (e.g., set contents: read and
actions: read, and add artifacts: read if your tests download artifacts). Ensure
the new permissions key is at the same level as name and on so GitHub recognizes
it.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflow-fixtures/django-api-uv/config/settings.py:
- Line 8: ALLOWED_HOSTS is currently an empty list which can block access to the
fixture from non-localhost hostnames in CI/containerized environments; update
the ALLOWED_HOSTS setting (the ALLOWED_HOSTS symbol in settings.py) to allow the
fixture to be reachable (e.g., use a permissive value such as allowing all hosts
or include the container/CI hostnames) while keeping DEBUG usage limited to test
fixtures only.
- Line 28: The TEMPLATES list is empty which can break Django features; replace
the empty assignment to TEMPLATES with a minimal DjangoTemplates backend
configuration by defining TEMPLATES as a list containing a dict with 'BACKEND':
'django.template.backends.django.DjangoTemplates', 'DIRS': [], 'APP_DIRS': True,
and an 'OPTIONS' dict that includes at least the standard 'context_processors'
(e.g., django.template.context_processors.request and
django.contrib.auth.context_processors.auth) so Django has a usable template
backend; update the TEMPLATES variable in settings.py accordingly.

In @.github/workflow-fixtures/django-api/requirements.txt:
- Line 1: The Django fixture currently pins Django==5.2.1 which is outdated;
update .github/workflow-fixtures/django-api/requirements.txt to pin a current
security-patched release (e.g., Django==5.2.15 or Django==6.0.6 depending on
your supported branch), run your test suite and CI build to validate
compatibility, and regenerate any lockfiles or rebuilt images so downstream
scans pick up the new version; also re-scan the container/artifact for bundled
library vulnerabilities (OpenSSL/libpq) after the bump.

In @.github/workflows/ci-django-api.yml:
- Around line 29-33: The workflow currently declares
workflow_call.secrets.SONAR_TOKEN as required: true which forces callers to
supply SONAR_TOKEN even when inputs.skip-sonar is true; change the secret
declaration SONAR_TOKEN to required: false under workflow_call.secrets and, in
the sonarcloud job (the job gated by if: ${{ !inputs.skip-sonar }}), keep or add
the guard referencing inputs.skip-sonar so the job only runs when skip-sonar is
false (i.e., use if: ${{ !inputs.skip-sonar }} or equivalent).
- Around line 62-63: Update every actions/checkout step that uses
actions/checkout@v4 (e.g., the occurrence shown as uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) to explicitly set
persist-credentials: false; locate all checkout usages (the ones around the
shown diff and the other checkouts referenced) and add the persist-credentials:
false input under each checkout step so the runner does not persist the
GITHUB_TOKEN/SSH credentials to the repository git config.

In @.github/workflows/ci-npm-publish.yml:
- Line 53: In the actions/checkout step that currently uses
actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd, add the option
persist-credentials: false to the step configuration so Git credentials are not
stored for later steps; locate the checkout step reference ("uses:
actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd") and add the
persist-credentials key with value false in that step.

---

Outside diff comments:
In @.github/workflows/ci-django-api.yml:
- Around line 1-4: The workflow "Common CI for Django APIs" currently lacks a
workflow-level permissions block, so update the top-level of the YAML (the
workflow named "Common CI for Django APIs") to add an explicit least-privilege
permissions section; specifically add a top-level permissions setting that
limits GITHUB_TOKEN to contents: read (and do not add pull-requests: read since
PR API calls are not used), ensuring the permissions block is placed at the same
level as name: and on: so it applies workflow-wide.

---

Nitpick comments:
In @.github/workflow-fixtures/django-api-uv/tests/test_smoke.py:
- Around line 1-2: Replace the trivial assertion in test_smoke with a real
minimal Django request: in the test_smoke function use the Django test client
fixture (client) to perform client.get('/healthz/') and assert
response.status_code == 200 (optionally assert a small expected body or JSON),
so the test verifies URL routing and settings wiring instead of just asserting
True.

In @.github/workflows/ci-node.yml:
- Line 66: The checkout steps currently use actions/checkout (e.g., the entry
with "uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5") but do
not set persist-credentials, which can leak credentials to later steps; update
each checkout step (the four occurrences referenced) to include the input
persist-credentials: false so the GitHub token is not persisted in the workspace
for downstream steps, ensuring you add this option to each uses:
actions/checkout invocation.
- Line 66: Multiple checkout steps (identify by the "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" occurrence) across
the workflows ci-node.yml, ci-pnpm-node.yml, and ci-uv-django-api.yml are
missing persist-credentials: false; update every actions/checkout step to
include persist-credentials: false (for steps that already have a with: block,
add persist-credentials: false inside that block; for plain checkout steps,
replace with a with: block that sets persist-credentials: false) to prevent
credential persistence between steps.

In @.github/workflows/ci-pnpm-node.yml:
- Line 74: Update each GitHub Actions checkout step that uses actions/checkout
(e.g., the step with uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 and the other checkout
occurrences) to include persist-credentials: false in the step configuration so
credentials are not preserved in the workspace; apply this change to all
checkout steps flagged (the ones at the noted occurrences) to harden against
credential leakage.

In @.github/workflows/sync-files.yml:
- Around line 13-19: The workflow currently requests an organization-scoped
GitHub App token via the create-github-app-token action (id: app-token) by
setting owner: ${{ github.repository_owner }}, which grants organization-wide
installation permissions; change this to use repository-scoped credentials and
least-privilege permissions by removing or replacing the owner input so the
token is only for the target repository, and update the GitHub App installation
and permission settings (in the App configuration) to grant only the specific
repo(s) and minimal permissions required for the sync operation; ensure the
action still uses app-id and private-key inputs but with the App installation
limited to the needed repo(s) and tightened permission scopes.
- Line 12: Update the actions/checkout step to add persist-credentials: false
for defense-in-depth: locate the checkout invocation (uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5) and add the
persist-credentials: false input to that step so Git credentials are not
persisted to disk for downstream steps.

In @.github/workflows/test-reusable-workflows.yml:
- Around line 1-9: Add an explicit top-level permissions block to the workflow
to avoid using default broad permissions: modify the workflow (around the
top-level keys like name/on) to include a permissions mapping that grants only
what's needed for running reusable workflows and downloading artifacts (e.g.,
set contents: read and actions: read, and add artifacts: read if your tests
download artifacts). Ensure the new permissions key is at the same level as name
and on so GitHub recognizes it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: daa0d354-4399-4720-bfd7-fee087f37b9f

📥 Commits

Reviewing files that changed from the base of the PR and between 4de6bb1 and 3d63781.

⛔ Files ignored due to path filters (3)
  • .github/workflow-fixtures/django-api-uv/uv.lock is excluded by !**/*.lock
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • .github/workflow-fixtures/node-yarn/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (36)
  • .github/dependabot.yml
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api-uv/config/__init__.py
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflow-fixtures/django-api-uv/config/urls.py
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/django-api-uv/pytest.ini
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/config/__init__.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflow-fixtures/django-api/config/urls.py
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/workflow-fixtures/django-api/requirements.txt
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/node-pnpm/package.json
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflows/build-python-dists.yml
  • .github/workflows/ci-django-api-README.md
  • .github/workflows/ci-django-api.yml
  • .github/workflows/ci-node-README.md
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-python-library-README.md
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/sync-files.yml
  • .github/workflows/test-reusable-workflows.yml

Comment thread .github/workflow-fixtures/django-api-uv/config/settings.py Outdated
Comment thread .github/workflow-test-fixtures/django-api-uv/config/settings.py
Comment thread .github/workflow-fixtures/django-api/requirements.txt Outdated
Comment thread .github/workflows/ci-django-api.yml
Comment thread .github/workflows/ci-django-api.yml
Comment thread .github/workflows/ci-npm-publish.yml
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch 2 times, most recently from 9f917c5 to fa6a63f Compare June 12, 2026 08:22

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-reusable-workflows.yml:
- Around line 1-10: The workflow "Reusable Workflow Tests" currently relies on
repository default GITHUB_TOKEN permissions; add a top-level permissions block
to harden the token by specifying permissions: contents: read (e.g., add a
top-level permissions: contents: read entry under the workflow root alongside
name/on) so this workflow explicitly requires only read access to repository
contents and matches the other workflows' hardening.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3ec2e1a5-befc-45de-8c93-73e436420eaa

📥 Commits

Reviewing files that changed from the base of the PR and between 3d63781 and fa6a63f.

⛔ Files ignored due to path filters (3)
  • .github/workflow-fixtures/django-api-uv/uv.lock is excluded by !**/*.lock
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • .github/workflow-fixtures/node-yarn/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (29)
  • .github/dependabot.yml
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api-uv/config/__init__.py
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflow-fixtures/django-api-uv/config/urls.py
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/django-api-uv/pytest.ini
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/config/__init__.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflow-fixtures/django-api/config/urls.py
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/workflow-fixtures/django-api/requirements.txt
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/node-pnpm/package.json
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflows/ci-django-api.yml
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/test-reusable-workflows.yml
✅ Files skipped from review due to trivial changes (7)
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/config/init.py
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/django-api-uv/config/init.py
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflow-fixtures/django-api-uv/pytest.ini
🚧 Files skipped from review as they are similar to previous changes (15)
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/dependabot.yml
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-django-api.yml
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflow-fixtures/node-pnpm/package.json

Comment thread .github/workflows/test-reusable-workflows.yml
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch 2 times, most recently from f8a3f23 to 6199eeb Compare June 12, 2026 10:47
@tuomas777 tuomas777 marked this pull request as ready for review June 15, 2026 07:14

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflow-fixtures/django-api-uv/tests/test_smoke.py:
- Around line 1-2: The test_smoke function currently contains only a no-op
assertion that provides no validation of the Django application. Replace this
test with actual application verification by making an HTTP GET request to the
`/healthz/` endpoint and asserting that the response has a status code of 200
and contains an `ok` response. This will ensure that Django setup, URL routing,
and dependencies are properly validated during workflow execution.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ca82553-ef11-49ff-ad23-0aac697f698a

📥 Commits

Reviewing files that changed from the base of the PR and between 3d63781 and 20f6f50.

⛔ Files ignored due to path filters (3)
  • .github/workflow-fixtures/django-api-uv/uv.lock is excluded by !**/*.lock
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • .github/workflow-fixtures/node-yarn/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (35)
  • .github/dependabot.yml
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api-uv/config/__init__.py
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflow-fixtures/django-api-uv/config/urls.py
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/django-api-uv/pytest.ini
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/config/__init__.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflow-fixtures/django-api/config/urls.py
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/workflow-fixtures/django-api/requirements.txt
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/node-pnpm/package.json
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflows/ci-django-api-README.md
  • .github/workflows/ci-django-api.yml
  • .github/workflows/ci-node-README.md
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-python-library-README.md
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/test-reusable-workflows.yml
  • CODEOWNERS
✅ Files skipped from review due to trivial changes (15)
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • CODEOWNERS
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/pytest.ini
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/node-pnpm/package.json
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflows/ci-node-README.md
  • .github/workflow-fixtures/django-api-uv/config/init.py
  • .github/workflows/ci-django-api-README.md
  • .github/workflow-fixtures/django-api/config/init.py
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/dependabot.yml
🚧 Files skipped from review as they are similar to previous changes (15)
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-python-library-README.md
  • .github/workflows/ci-django-api.yml
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/test-reusable-workflows.yml
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/ci-pnpm-node.yml

Comment thread .github/workflow-fixtures/django-api-uv/tests/test_smoke.py Outdated
@tuomas777 tuomas777 requested a review from a team June 15, 2026 13:45
@Riippi Riippi requested a review from Copilot June 16, 2026 07:29

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens and regression-tests the repository’s reusable GitHub Actions workflows by pinning third‑party actions to SHAs, adding Dependabot updates for GitHub Actions, and introducing minimal fixture projects plus a dedicated workflow that exercises each reusable workflow on workflow-related PRs.

Changes:

  • Added a test-reusable-workflows.yml workflow plus minimal Node (yarn/pnpm) and Python/Django (pip/uv) fixture projects to validate reusable workflows in CI.
  • Hardened workflows by pinning action references to commit SHAs, setting workflow-level permissions: contents: read, and using persist-credentials: false on checkouts (with one exception noted in comments).
  • Added new optional workflow inputs (e.g., skip-sonar, commitlint-config-file, pre-commit-config-file, pnpm-version) and added a Dependabot config for GitHub Actions updates.

Reviewed changes

Copilot reviewed 36 out of 40 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
CODEOWNERS Adds default code ownership for the repo.
.github/dependabot.yml Adds Dependabot configuration for GitHub Actions (and ignores fixture deps).
.github/workflows/test-reusable-workflows.yml New workflow that runs reusable workflows against fixture projects on workflow PR changes.
.github/workflows/sync-files.yml Pins actions used by sync workflow; (commented) needs checkout hardening/permissions alignment.
.github/workflows/ci-uv-django-api.yml Adds inputs for skipping sonar and custom config paths; hardens checkouts; updates sonar gating (commented).
.github/workflows/ci-uv-django-api-README.md Documents new inputs for the uv Django API workflow.
.github/workflows/ci-django-api.yml Adds inputs for skipping sonar and custom config paths; hardens checkouts; updates sonar gating (commented).
.github/workflows/ci-django-api-README.md Documents new inputs for the Django API workflow.
.github/workflows/ci-python-library.yml Adds optional inputs for commitlint/pre-commit config paths and hardens checkouts.
.github/workflows/ci-python-library-README.md Documents new inputs for the Python library workflow.
.github/workflows/ci-node.yml Adds optional commitlint config input; pins actions; hardens checkouts.
.github/workflows/ci-node-README.md Documents new commitlint-config-file input.
.github/workflows/ci-pnpm-node.yml Adds optional pnpm-version + commitlint config input; pins actions; hardens checkouts.
.github/workflows/ci-pnpm-node-README.md Documents new pnpm-version and commitlint-config-file inputs.
.github/workflows/ci-npm-publish.yml Pins actions; adds workflow-level permissions; hardens checkout.
.github/workflows/build-python-dists.yml Minor formatting/pinning consistency for artifact upload step.
.github/workflow-fixtures/commitlint.config.mjs Adds a permissive commitlint config for fixture-based workflow runs.
.github/workflow-fixtures/node-yarn/package.json Minimal Node/yarn fixture project for ci-node workflow testing.
.github/workflow-fixtures/node-yarn/yarn.lock Minimal yarn lockfile for the yarn fixture.
.github/workflow-fixtures/node-pnpm/package.json Minimal Node/pnpm fixture project for ci-pnpm-node workflow testing.
.github/workflow-fixtures/node-pnpm/pnpm-lock.yaml Minimal pnpm lockfile for the pnpm fixture.
.github/workflow-fixtures/django-api/manage.py Minimal Django fixture entrypoint for ci-django-api testing.
.github/workflow-fixtures/django-api/requirements.txt Pins minimal runtime deps for Django (pip) fixture.
.github/workflow-fixtures/django-api/requirements-dev.txt Pins minimal dev/test deps for Django (pip) fixture.
.github/workflow-fixtures/django-api/.pre-commit-config.yaml Empty pre-commit config file for fixture workflow execution.
.github/workflow-fixtures/django-api/config/init.py Package marker for Django fixture config module.
.github/workflow-fixtures/django-api/config/settings.py Minimal Django settings for fixture project.
.github/workflow-fixtures/django-api/config/urls.py Minimal URL config for fixture project.
.github/workflow-fixtures/django-api/config/wsgi.py Minimal WSGI config for fixture project.
.github/workflow-fixtures/django-api/tests/test_smoke.py Minimal smoke test for fixture project.
.github/workflow-fixtures/django-api-uv/pyproject.toml Minimal uv-based Django fixture project definition.
.github/workflow-fixtures/django-api-uv/uv.lock uv lockfile to make uv fixture installs reproducible.
.github/workflow-fixtures/django-api-uv/manage.py Minimal Django fixture entrypoint for ci-uv-django-api testing.
.github/workflow-fixtures/django-api-uv/pytest.ini Sets DJANGO_SETTINGS_MODULE for pytest-django in uv fixture.
.github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml Empty pre-commit config file for uv fixture workflow execution.
.github/workflow-fixtures/django-api-uv/config/init.py Package marker for uv Django fixture config module.
.github/workflow-fixtures/django-api-uv/config/settings.py Minimal Django settings for uv fixture project.
.github/workflow-fixtures/django-api-uv/config/urls.py Minimal URL config for uv fixture project.
.github/workflow-fixtures/django-api-uv/config/wsgi.py Minimal WSGI config for uv fixture project.
.github/workflow-fixtures/django-api-uv/tests/test_smoke.py Minimal smoke test for uv fixture project.
Files not reviewed (1)
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/sync-files.yml
Comment thread .github/workflows/ci-django-api.yml
Comment thread .github/workflows/ci-uv-django-api.yml

@Riippi Riippi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't find anything to complain so I put AI to do some reviewing:

Code review

Found 2 issues:

  1. Artifact name collision in the test workflow. Both test-ci-node and test-ci-pnpm-node pass node-version: "24", and both called workflows (ci-node.yml, ci-pnpm-node.yml) upload an artifact named build-artifacts-${{ inputs.node-version }}, which resolves to build-artifacts-24 for both. Two jobs uploading the same artifact name in one run is a hard failure under actions/upload-artifact@v4, and the downstream assert/download jobs become ambiguous. Use distinct node versions or distinct artifact names.

test-ci-pnpm-node:
name: Test ci-pnpm-node
uses: ./.github/workflows/ci-pnpm-node.yml
with:
node-version: "24"
working-directory: ".github/workflow-fixtures/node-pnpm"

  1. permissions: contents: read drops pull-requests to none. Declaring permissions explicitly sets every unlisted scope to none. The called workflows run wagoid/commitlint-github-action, which queries the GitHub API to list PR commits and requires pull-requests: read. With only contents: read declared (and the reusable workflows declaring their own contents: read blocks too), the commitlint jobs will fail with 403 on every PR run. Add pull-requests: read.

permissions:
contents: read

@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch from 20f6f50 to 1bf3798 Compare June 17, 2026 11:11

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci-django-api.yml:
- Around line 88-90: The extra_args construction in the pre-commit step uses
conditional logic that results in an empty string when using default inputs
(pre-commit-config-file empty and working-directory set to dot). To fix this,
modify the extra_args conditional expressions to avoid passing empty arguments
to pre-commit. Either restructure the conditionals to only include extra_args
content when there are actual values to pass, or establish sensible default
behavior that ensures pre-commit executes with appropriate configuration even
when inputs use their default values, so that full-repo hook execution is not
bypassed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 55400e32-bee6-4548-9dba-b632b9932de4

📥 Commits

Reviewing files that changed from the base of the PR and between 20f6f50 and 1bf3798.

⛔ Files ignored due to path filters (3)
  • .github/workflow-fixtures/django-api-uv/uv.lock is excluded by !**/*.lock
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • .github/workflow-fixtures/node-yarn/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (36)
  • .github/dependabot.yml
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api-uv/config/__init__.py
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflow-fixtures/django-api-uv/config/urls.py
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/django-api-uv/pytest.ini
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/config/__init__.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflow-fixtures/django-api/config/urls.py
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/workflow-fixtures/django-api/requirements.txt
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/node-pnpm/package.json
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflows/ci-django-api-README.md
  • .github/workflows/ci-django-api.yml
  • .github/workflows/ci-node-README.md
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-python-library-README.md
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/sync-files.yml
  • .github/workflows/test-reusable-workflows.yml
  • CODEOWNERS
✅ Files skipped from review due to trivial changes (13)
  • .github/workflow-fixtures/django-api-uv/pytest.ini
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflows/ci-node-README.md
  • CODEOWNERS
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflows/ci-django-api-README.md
  • .github/workflow-fixtures/django-api/config/init.py
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-python-library-README.md
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/node-pnpm/package.json
🚧 Files skipped from review as they are similar to previous changes (15)
  • .github/workflows/sync-files.yml
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/manage.py
  • .github/dependabot.yml
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/test-reusable-workflows.yml

Comment thread .github/workflows/ci-django-api.yml
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch from 1bf3798 to 528b80c Compare June 17, 2026 11:44
@tuomas777

Copy link
Copy Markdown
Contributor Author

I didn't find anything to complain so I put AI to do some reviewing:

Code review

Found 2 issues:

  1. Artifact name collision in the test workflow. Both test-ci-node and test-ci-pnpm-node pass node-version: "24", and both called workflows (ci-node.yml, ci-pnpm-node.yml) upload an artifact named build-artifacts-${{ inputs.node-version }}, which resolves to build-artifacts-24 for both. Two jobs uploading the same artifact name in one run is a hard failure under actions/upload-artifact@v4, and the downstream assert/download jobs become ambiguous. Use distinct node versions or distinct artifact names.

test-ci-pnpm-node:
name: Test ci-pnpm-node
uses: ./.github/workflows/ci-pnpm-node.yml
with:
node-version: "24"
working-directory: ".github/workflow-fixtures/node-pnpm"

  1. permissions: contents: read drops pull-requests to none. Declaring permissions explicitly sets every unlisted scope to none. The called workflows run wagoid/commitlint-github-action, which queries the GitHub API to list PR commits and requires pull-requests: read. With only contents: read declared (and the reusable workflows declaring their own contents: read blocks too), the commitlint jobs will fail with 403 on every PR run. Add pull-requests: read.

permissions:
contents: read

These are now fixed.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 36 out of 40 changed files in this pull request and generated 12 comments.

Files not reviewed (1)
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file

Comment thread .github/workflows/ci-node.yml
Comment thread .github/workflows/ci-node.yml
Comment thread .github/workflows/ci-django-api.yml
Comment thread .github/workflows/ci-django-api.yml
Comment thread .github/workflows/ci-pnpm-node.yml
Comment thread .github/workflows/ci-python-library.yml
Comment thread .github/workflows/ci-python-library.yml
Comment thread .github/workflows/ci-uv-django-api.yml
Comment thread .github/workflows/ci-uv-django-api.yml
Comment thread .github/workflows/ci-uv-django-api.yml
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch 2 times, most recently from 3da5290 to 771b612 Compare June 17, 2026 20:22
@tuomas777 tuomas777 requested a review from Copilot June 17, 2026 20:23

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 36 out of 40 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file

Comment thread .github/workflows/ci-npm-publish.yml
Comment thread .github/workflows/test-reusable-workflows.yml
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch 2 times, most recently from e7b069b to 867c948 Compare June 17, 2026 21:11

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 36 out of 40 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file

Comment thread .github/dependabot.yml Outdated
Comment thread .github/workflows/test-reusable-workflows.yml

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 36 out of 40 changed files in this pull request and generated 1 comment.

Files not reviewed (1)
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file

Comment thread .github/dependabot.yml Outdated
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch from 867c948 to c6e23b5 Compare June 17, 2026 23:47

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/ci-node-README.md (1)

43-43: ⚡ Quick win

Document artifact-name and conditional SONAR_TOKEN requirement here.

Line 43 adds one new optional input, but the reusable workflow interface also added artifact-name, and SONAR_TOKEN is now only needed when Sonar is enabled. Keeping this README aligned prevents consumer-side misconfiguration.

Suggested doc patch
 ### 🔶 Optional Inputs

 - **`extra-commands`** (string): Additional setup commands or checks to execute before running tests. Can be used to set environment variables: `echo "EXTRA_TEST_ENV_VAR=test" >> $GITHUB_ENV`.
 - **`typecheck`** (boolean): Run typecheck command. Default is `false`.
 - **`working-directory`** (string): Repository working directory where to run yarn installation and the tests. Default is `.` (the repository root).
 - **`app-directory`** (string): The subdirectory of the application where the tests are run. Default is **`working-directory`**.
 - **`commitlint-config-file`** (string): Path to the commitlint config file. If empty, commitlint uses its default config discovery (file in repository root).
+- **`artifact-name`** (string): Optional build artifact name. Defaults to `build-artifacts-<node-version>`.

 ### 🔑 Secrets

-- **`SONAR_TOKEN`**: Token for SonarQube Cloud Scan. Required.
+- **`SONAR_TOKEN`**: Token for SonarQube Cloud Scan. Required only when Sonar is not skipped.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-node-README.md at line 43, Update the README in the
.github/workflows/ci-node-README.md file to document the newly added
`artifact-name` input parameter and clarify that the `SONAR_TOKEN` environment
variable is now conditionally required only when Sonar analysis is enabled. Add
entries for both `artifact-name` (describing its purpose and that it is
optional) and update the `SONAR_TOKEN` documentation to specify it is only
needed when Sonar scanning is configured, ensuring the documentation accurately
reflects the current reusable workflow interface.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci-node-README.md:
- Line 43: Update the README in the .github/workflows/ci-node-README.md file to
document the newly added `artifact-name` input parameter and clarify that the
`SONAR_TOKEN` environment variable is now conditionally required only when Sonar
analysis is enabled. Add entries for both `artifact-name` (describing its
purpose and that it is optional) and update the `SONAR_TOKEN` documentation to
specify it is only needed when Sonar scanning is configured, ensuring the
documentation accurately reflects the current reusable workflow interface.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e56f48e3-8617-406a-a3c8-84017f6ec678

📥 Commits

Reviewing files that changed from the base of the PR and between 3da5290 and c6e23b5.

⛔ Files ignored due to path filters (3)
  • .github/workflow-fixtures/django-api-uv/uv.lock is excluded by !**/*.lock
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • .github/workflow-fixtures/node-yarn/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (36)
  • .github/dependabot.yml
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api-uv/config/__init__.py
  • .github/workflow-fixtures/django-api-uv/config/settings.py
  • .github/workflow-fixtures/django-api-uv/config/urls.py
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/django-api-uv/pytest.ini
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/config/__init__.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflow-fixtures/django-api/config/urls.py
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/workflow-fixtures/django-api/requirements.txt
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/node-pnpm/package.json
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflows/ci-django-api-README.md
  • .github/workflows/ci-django-api.yml
  • .github/workflows/ci-node-README.md
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-python-library-README.md
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/sync-files.yml
  • .github/workflows/test-reusable-workflows.yml
  • CODEOWNERS
✅ Files skipped from review due to trivial changes (10)
  • .github/workflow-fixtures/node-pnpm/package.json
  • .github/workflow-fixtures/django-api-uv/config/init.py
  • .github/workflow-fixtures/django-api/config/init.py
  • .github/workflow-fixtures/django-api-uv/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api/requirements-dev.txt
  • .github/dependabot.yml
  • .github/workflow-fixtures/commitlint.config.mjs
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflow-fixtures/django-api/.pre-commit-config.yaml
  • .github/workflow-fixtures/django-api-uv/pytest.ini
🚧 Files skipped from review as they are similar to previous changes (20)
  • CODEOWNERS
  • .github/workflows/ci-django-api-README.md
  • .github/workflow-fixtures/django-api-uv/config/wsgi.py
  • .github/workflow-fixtures/django-api-uv/tests/test_smoke.py
  • .github/workflow-fixtures/django-api-uv/manage.py
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflow-fixtures/node-yarn/package.json
  • .github/workflows/sync-files.yml
  • .github/workflows/ci-python-library-README.md
  • .github/workflow-fixtures/django-api/config/wsgi.py
  • .github/workflow-fixtures/django-api/tests/test_smoke.py
  • .github/workflow-fixtures/django-api-uv/pyproject.toml
  • .github/workflow-fixtures/django-api/manage.py
  • .github/workflow-fixtures/django-api/config/settings.py
  • .github/workflows/ci-npm-publish.yml
  • .github/workflows/ci-python-library.yml
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/ci-django-api.yml
  • .github/workflows/test-reusable-workflows.yml
  • .github/workflow-fixtures/django-api-uv/config/settings.py

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 36 out of 40 changed files in this pull request and generated 8 comments.

Files not reviewed (1)
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file

Comment thread .github/workflows/ci-django-api.yml
Comment thread .github/workflows/ci-django-api.yml
Comment thread .github/workflows/ci-uv-django-api.yml
Comment thread .github/workflows/ci-uv-django-api.yml
Comment thread .github/workflows/ci-python-library.yml
Comment thread .github/workflows/ci-python-library.yml
Comment thread .github/workflows/ci-python-library.yml
Comment thread .github/workflows/ci-node-README.md
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch from c6e23b5 to 4265f8d Compare June 18, 2026 00:43
@tuomas777 tuomas777 requested a review from Copilot June 18, 2026 00:49

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 36 out of 40 changed files in this pull request and generated 7 comments.

Files not reviewed (1)
  • .github/workflow-fixtures/node-pnpm/pnpm-lock.yaml: Generated file

Comment thread .github/workflows/test-reusable-workflows.yml
Comment thread .github/workflows/test-reusable-workflows.yml
Comment thread .github/workflows/ci-node-README.md Outdated
Comment thread .github/workflows/ci-pnpm-node-README.md Outdated
Comment thread .github/workflows/ci-python-library-README.md Outdated
Comment thread .github/workflows/ci-django-api-README.md Outdated
Comment thread .github/workflows/ci-uv-django-api-README.md Outdated
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch from 4265f8d to eb6eefd Compare June 18, 2026 01:14

@terovirtanen terovirtanen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

workflow-fixtures kaipaa READMEmd jossa kerrotaan tarkemmin mihin tarkoitukseen nämä ovat ja missä niitä käytetään, miten tämän riippuvuuksia on tarkoitus päivittää, yms.

Comment thread .github/workflows/test-reusable-workflows.yml
Mostly to make testing the workflows possible.

Refs: RATY-350
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch 2 times, most recently from e003dea to 1d765ff Compare June 24, 2026 15:16
@tuomas777 tuomas777 force-pushed the RATY-350-add-dependabot-and-tests-for-workflows branch from 1d765ff to 029e68b Compare June 24, 2026 20:45

@mhieta mhieta left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :shipit:

@tuomas777 tuomas777 merged commit c95fe30 into main Jun 25, 2026
22 checks passed
@tuomas777 tuomas777 deleted the RATY-350-add-dependabot-and-tests-for-workflows branch June 25, 2026 11:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants