15 changes: 15 additions & 0 deletions .github/workflows/build-tests.yml
@@ -0,0 +1,15 @@
name: Build Tests

on:
pull_request:
branches: [dev, master, main]
workflow_dispatch:

jobs:
build:
uses: OpenVoiceOS/gh-automations/.github/workflows/build-tests.yml@dev
secrets: inherit
with:
python_versions: '["3.10", "3.11", "3.12", "3.13"]'
install_extras: 'test,ovos'
test_path: 'test'
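Review bot: the reusable workflow is called at a mutable ref (`uses: OpenVoiceOS/gh-automations/.github/workflows/build-tests.yml@dev`) and handed every repository secret via `secrets: inherit`, so whoever can push to the `dev` branch of `OpenVoiceOS/gh-automations` decides what runs in this repository's CI, with access to all of its secrets. Pin the ref to a commit SHA (with the tag in a trailing comment for readability) and check whether the callee declares any secrets at all; a job that only installs `test,ovos` extras and runs pytest often needs none, in which case drop `secrets: inherit` outright. The same `@dev` plus `secrets: inherit` pattern is repeated in coverage.yml, license_check.yml, opm-check.yml, pip_audit.yml and repo-health.yml in this PR and the same change applies to each.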
10 changes: 10 additions & 0 deletions .github/workflows/conventional-label.yaml
@@ -0,0 +1,10 @@
# auto add labels to PRs
on:
pull_request_target:
types: [ opened, edited ]
name: conventional-release-labels
jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: bcoe/conventional-release-labels@v1
Comment on lines +6 to +10


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an explicit permissions: block — the job needs pull-requests: write to apply labels.

bcoe/conventional-release-labels@v1 calls the Issues/PRs API to add labels using GITHUB_TOKEN. In repositories (or orgs) where the default workflow token is read-only, the labeling step will fail with a 403. Declaring least-privilege permissions explicitly also tightens the security posture of a pull_request_target workflow (which runs with access to repo secrets) and silences the dangerous-triggers concern from static analysis since this job only labels and never checks out PR code.

🛡️ Proposed fix
 # auto add labels to PRs
 on:
   pull_request_target:
     types: [ opened, edited ]
 name: conventional-release-labels
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   label:
     runs-on: ubuntu-latest
     steps:
       - uses: bcoe/conventional-release-labels@v1
🧰 Tools
🪛 zizmor (1.25.2)

[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conventional-label.yaml around lines 6 - 10, Add an
explicit permissions block for the label job so the action can write labels: in
the job named "label" that runs the step using
bcoe/conventional-release-labels@v1, declare least-privilege permissions with
pull-requests: write (and keep other permissions minimal or read-only as needed)
to ensure the GITHUB_TOKEN can call the Issues/PRs API and avoid 403s in
read-only defaults.


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Resolve current v1 tag of bcoe/conventional-release-labels to a commit SHA
gh api repos/bcoe/conventional-release-labels/git/refs/tags/v1 --jq '.object'
gh api repos/bcoe/conventional-release-labels/releases --jq '.[0:3] | .[] | {tag_name, published_at}'

Repository: TigreGotico/markovonnx

Length of output: 430


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Confirm the targeted workflow line
echo "---- workflow snippet ----"
sed -n '1,80p' .github/workflows/conventional-label.yaml

# 2) Resolve the tag object returned for refs/tags/v1 to the underlying commit SHA
echo "---- resolve tag object -> commit ----"
gh api repos/bcoe/conventional-release-labels/git/tags/b503ca473654e07521c051628c5f1f969e7436da --jq '{sha: .object.sha, object_type: .object.type, tag: .tag}'

# Also resolve tags/v1.3.1, to ensure it matches
echo "---- resolve v1.3.1 tag -> commit ----"
gh api repos/bcoe/conventional-release-labels/git/refs/tags/v1.3.1 --jq '.object'

Repository: TigreGotico/markovonnx

Length of output: 728


Pin bcoe/conventional-release-labels to an immutable commit SHA

This workflow runs on pull_request_target, so pinning avoids supply-chain risk from a moving tag. bcoe/conventional-release-labels@v1 currently resolves to commit 886f696738527c7be444262c327c89436dfb95a8 (v1.3.1).

Suggested change
-      - uses: bcoe/conventional-release-labels@v1
+      - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 # v1.3.1
🧰 Tools
🪛 zizmor (1.25.2)

[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conventional-label.yaml at line 10, Replace the floating
action tag with the specific commit SHA: update the uses reference
`bcoe/conventional-release-labels@v1` to the immutable commit
`bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8` so
the workflow running on pull_request_target no longer follows a moving tag and
is pinned to the known commit.

16 changes: 16 additions & 0 deletions .github/workflows/coverage.yml
@@ -0,0 +1,16 @@
name: Code Coverage

on:
pull_request:
branches: [dev]
workflow_dispatch:

jobs:
coverage:
uses: OpenVoiceOS/gh-automations/.github/workflows/coverage.yml@dev
secrets: inherit
with:
python_version: '3.11'
coverage_source: 'markovonnx'
install_extras: '-e .[test,ovos]'
test_path: 'test'
11 changes: 11 additions & 0 deletions .github/workflows/license_check.yml
@@ -0,0 +1,11 @@
name: License Check

on:
pull_request:
branches: [dev]
workflow_dispatch:

jobs:
license_check:
uses: OpenVoiceOS/gh-automations/.github/workflows/license-check.yml@dev
secrets: inherit
20 changes: 20 additions & 0 deletions .github/workflows/lint.yml
@@ -0,0 +1,20 @@
name: Lint

on:
pull_request:
branches: [dev, master, main]
workflow_dispatch:

jobs:
lint:
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install ruff
run: pip install ruff
- name: Run ruff
run: ruff check . || true
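Review bot: `continue-on-error: true` on the job combined with `ruff check . || true` on the step means this workflow can never report a failure, so lint findings are invisible in the PR status and the check becomes noise. If the intent is advisory-only linting while the code base is cleaned up, keep exactly one of the two (the job-level `continue-on-error` alone keeps the PR mergeable while the step's failure remains visible in the job log); otherwise drop both so findings block the merge. Also, `actions/checkout@v4` and `actions/setup-python@v5` are floating tag references, the same unpinned-uses finding zizmor raises elsewhere in this PR; pin both to commit SHAs.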
13 changes: 13 additions & 0 deletions .github/workflows/opm-check.yml
@@ -0,0 +1,13 @@
name: OPM Check

on:
pull_request:
branches: [dev, master, main]
workflow_dispatch:

jobs:
opm_check:
uses: OpenVoiceOS/gh-automations/.github/workflows/opm-check.yml@dev
secrets: inherit
with:
plugin_type: 'auto'
11 changes: 11 additions & 0 deletions .github/workflows/pip_audit.yml
@@ -0,0 +1,11 @@
name: PIP Audit

on:
pull_request:
branches: [dev]
workflow_dispatch:

jobs:
pip_audit:
uses: OpenVoiceOS/gh-automations/.github/workflows/pip-audit.yml@dev
secrets: inherit
17 changes: 17 additions & 0 deletions .github/workflows/publish_stable.yml
@@ -0,0 +1,17 @@
name: Publish Stable Release

on:
workflow_dispatch:
pull_request:
types: [closed]
branches: [master, main]

jobs:
publish_stable:
if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
uses: OpenVoiceOS/gh-automations/.github/workflows/publish-stable.yml@dev
secrets: inherit
with:
version_file: 'markovonnx/version.py'
publish_pypi: true
notify_matrix: true
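Review bot: this is the highest-impact hunk in the PR: it publishes to PyPI (`publish_pypi: true`) and notifies Matrix with whatever secrets are inherited, yet it follows the mutable `@dev` ref of `OpenVoiceOS/gh-automations`, so a compromised or merely buggy commit on that branch runs with this project's publishing credentials. Pin `publish-stable.yml` to a commit SHA and pass the publishing secrets by name instead of `secrets: inherit`. The `if:` guard is correct as written (closed-but-unmerged PRs are filtered out while `workflow_dispatch` still works), but `workflow_dispatch` lets any collaborator with write access cut a stable release from any ref; consider adding a branch condition (for example `github.ref_name == 'master'`) to the guard so manual runs are limited to the release branches the `pull_request` trigger already enforces.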
14 changes: 14 additions & 0 deletions .github/workflows/release-preview.yml
@@ -0,0 +1,14 @@
name: Release Preview

on:
pull_request:
branches: [dev]
workflow_dispatch:

jobs:
release_preview:
uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@dev
secrets: inherit
Comment on lines +10 to +11


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant section with line numbers
sed -n '1,200p' .github/workflows/release-preview.yml | nl -ba | sed -n '1,120p'

Repository: TigreGotico/markovonnx

Length of output: 109


🌐 Web query:

OpenVoiceOS gh-automations reusable workflow release-preview.yml secrets inherit requirements

💡 Result:

In GitHub Actions, the secrets: inherit keyword is a mechanism used when calling reusable workflows to implicitly pass all secrets from the caller workflow to the called (reusable) workflow [1][2][3]. Regarding your query about OpenVoiceOS release-preview.yml and secret inheritance requirements:

1. Functionality: When you specify secrets: inherit in a job that calls a reusable workflow, the called workflow gains access to all secrets available to the caller (including repository and environment secrets, provided the environment is correctly scoped) [1][3][4]. This avoids the need to explicitly map each individual secret [1][2].

2. Requirements and Limitations:
   * Scope: Secret inheritance works only for reusable workflows within the same organization or enterprise [3].
   * Principle of Least Privilege: While secrets: inherit simplifies configuration, it is often discouraged by security tooling (e.g., Semgrep rules) because it violates the principle of least privilege by granting the called workflow access to all repository secrets, rather than only those strictly required [5].
   * Implementation in OpenVoiceOS: The release-preview.yml in OpenVoiceOS/gh-automations is a standard reusable workflow [6]. If you are implementing this in your own repository, you can call it using:

         jobs:
           release-preview:
             uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@main
             secrets: inherit

3. Troubleshooting: If secrets are not propagating as expected, ensure you are not chaining workflows incorrectly. Secrets are only passed to directly called workflows [7][3]. In a chain of A > B > C, workflow C will only receive secrets from A if they are passed from A to B, and then from B to C [7][3]. If you continue to face evaluation errors, you may need to explicitly define the required secrets in the secrets map as a fallback [8].



🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Print file with line numbers (avoid `nl`, since it may not exist)
awk 'NR>=1 && NR<=60 {printf "%d: %s\n", NR, $0}' .github/workflows/release-preview.yml

Repository: TigreGotico/markovonnx

Length of output: 410


Pin the reusable workflow ref and avoid secrets: inherit

In .github/workflows/release-preview.yml (lines 10–11), the job calls OpenVoiceOS/gh-automations/.../release-preview.yml@dev (mutable ref) and forwards all secrets via secrets: inherit, increasing supply-chain and secret-exposure risk in the release preview path.

Suggested hardening diff
-    uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@dev
-    secrets: inherit
+    uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@<pinned_commit_sha>
+    # Omit secrets unless this reusable workflow explicitly requires them.
🧰 Tools
🪛 zizmor (1.25.2)

[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 10-10: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-preview.yml around lines 10 - 11, The reusable
workflow invocation in release-preview.yml uses a mutable ref ("uses:
OpenVoiceOS/gh-automations/.../release-preview.yml@dev") and forwards all
secrets via "secrets: inherit"; change the "uses" ref to a pinned immutable ref
(tag or commit SHA) and remove "secrets: inherit", instead explicitly pass only
the minimum required secrets by name (or omit the secrets block if none are
needed) so secrets are not broadly exposed; update the "uses" line and replace
the "secrets: inherit" entry with an explicit mapping of required secrets (or
remove it) to harden the release-preview workflow.

with:
package_name: 'markovonnx'
version_file: 'markovonnx/version.py'
22 changes: 22 additions & 0 deletions .github/workflows/release_workflow.yml
@@ -0,0 +1,22 @@
name: Release Alpha and Propose Stable

on:
workflow_dispatch:
pull_request:
types: [closed]
branches: [dev]

jobs:
publish_alpha:
if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
uses: OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev
secrets: inherit
Comment on lines +12 to +13


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the specific workflow and surrounding lines
ls -la .github/workflows || true
sed -n '1,220p' .github/workflows/release_workflow.yml | nl -ba | sed -n '1,220p'

# Extract the publish_alpha job section (best-effort)
rg -n "publish_alpha|publish-alpha\.yml|secrets:\s*inherit|uses:\s*OpenVoiceOS/gh-automations" .github/workflows/release_workflow.yml -n || true

# Find other workflows using the same automation repo/workflow to see if they pin commits and how they handle secrets
rg -n "OpenVoiceOS/gh-automations/\.github/workflows/publish-alpha\.yml|OpenVoiceOS/gh-automations/.github/workflows/publish-alpha\.yml@|secrets:\s*inherit" .github/workflows -S || true

Repository: TigreGotico/markovonnx

Length of output: 949


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the workflow with line numbers (using awk to avoid nl dependency)
awk '{printf "%4d\t%s\n", NR, $0}' .github/workflows/release_workflow.yml | sed -n '1,220p'

# Pull only the relevant bits for publish_alpha
awk 'NR>=1 && NR<=220 {print}' .github/workflows/release_workflow.yml | \
  rg -n "publish_alpha|publish-alpha\.yml|secrets:\s*inherit|OpenVoiceOS/gh-automations" || true

# Search other workflows for the same automation and for secrets inheritance
rg -n "OpenVoiceOS/gh-automations/\.github/workflows/publish-alpha\.yml@|OpenVoiceOS/gh-automations/.github/workflows/publish-alpha\.yml@|secrets:\s*inherit" .github/workflows || true

# Also check if publish_stable is similarly pinned
rg -n "publish_stable|publish-stable\.yml|OpenVoiceOS/gh-automations" .github/workflows || true

Repository: TigreGotico/markovonnx

Length of output: 2606


Pin the gh-automations ref and restrict secrets for alpha publish automation (publish_alpha)

  • In .github/workflows/release_workflow.yml lines 12-13, uses: OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev is not pinned to an immutable commit.
  • secrets: inherit grants the called workflow access to all available repo secrets; switch to an explicit secrets: list containing only what publish-alpha.yml requires (the same @dev + secrets: inherit pattern also exists in other workflows in this repo, e.g., release-preview.yml, publish_stable.yml).
🧰 Tools
🪛 zizmor (1.25.2)

[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 12-12: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release_workflow.yml around lines 12 - 13, Replace the
loose workflow reference and broad secrets inheritance with a pinned ref and an
explicit secrets list: change the uses entry currently pointing to
OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev to a commit
SHA or immutable tag (pin the ref) and replace secrets: inherit with an explicit
secrets: mapping that only supplies the secrets the publish-alpha workflow needs
(match the required secret names defined by publish-alpha.yml); apply the same
pin-and-explicit-secrets change for other occurrences (e.g., release-preview.yml
and publish_stable.yml) to ensure immutable inputs and least-privilege secrets.

with:
branch: 'dev'
version_file: 'markovonnx/version.py'
update_changelog: true
publish_prerelease: true
propose_release: true
changelog_max_issues: 100
publish_pypi: true
notify_matrix: true
13 changes: 13 additions & 0 deletions .github/workflows/repo-health.yml
@@ -0,0 +1,13 @@
name: Repo Health

on:
pull_request:
branches: [dev, master, main]
workflow_dispatch:

jobs:
repo_health:
uses: OpenVoiceOS/gh-automations/.github/workflows/repo-health.yml@dev
secrets: inherit
with:
version_file: 'markovonnx/version.py'
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -18,7 +18,7 @@ dependencies = [
bpe = ["tokenizers"]
viz = ["matplotlib"]
quantize = ["onnxruntime-tools", "onnxconverter-common"]
test = ["pytest", "pytest-cov", "hypothesis"]
test = ["pytest", "pytest-cov", "hypothesis", "sympy"]
ovos = [
"ovos-plugin-manager>=2.4.0a1",
"ovos-bus-client>=0.1.0",
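Review bot: `sympy` joins the `test` extras with no version bound, which is consistent with the other entries in that group, but since build-tests.yml installs `test,ovos` on every PR across four Python versions, any future incompatible sympy release will surface as unrelated CI failures; consider an upper bound and a one-line note in the PR description on which tests need it.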