Skip to content

misc(ci): sync github workflows with kmp template#2652

Open
itsPronay wants to merge 4 commits into
openMF:devfrom
itsPronay:workflow-update
Open

misc(ci): sync github workflows with kmp template#2652
itsPronay wants to merge 4 commits into
openMF:devfrom
itsPronay:workflow-update

Conversation

@itsPronay

@itsPronay itsPronay commented Mar 16, 2026

Copy link
Copy Markdown
Member

Fixes - https://mifosforge.jira.com/browse/MIFOSAC-755

Summary by CodeRabbit

  • Chores
    • Optimized CI Gradle settings for more reliable, resource-controlled builds.
    • Updated several GitHub Actions references to newer versions and refined PR triggers/comments.
    • Enhanced directory sync logic and exclusions to prevent failures and preserve configs.
  • New Features
    • Added multi-platform build-and-publish workflow.
    • Added automated web build-and-deploy to GitHub Pages.
    • Added weekly tagging workflow to automate scheduled beta releases.
  • Removed
    • Removed legacy Android release, older weekly-release, and Firebase demo upload workflows.

@itsPronay itsPronay requested a review from a team March 16, 2026 13:09
@itsPronay itsPronay marked this pull request as draft March 16, 2026 13:09
@coderabbitai

coderabbitai Bot commented Mar 16, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Adds CI Gradle properties; removes several legacy Android/Firebase/weekly workflows; introduces multi-platform, web-deploy, and weekly-tag workflows; updates reusable-action versions; and expands sync-dirs logic and exclusions with safer handling.

Changes

Cohort / File(s) Summary
CI config
​.github/ci-gradle.properties
Adds CI Gradle settings: disable daemon, enable parallel tasks, increase JVM heap/metaspace, cap workers, disable Kotlin incremental compilation, and set Kotlin compiler in-process for CI.
Removed workflows
​.github/workflows/android-release.yml, ​.github/workflows/weekly-release.yaml, ​.github/workflows/upload-demo-app-on-firebase.yaml
Deleted legacy Android release, previous weekly-tag workflow, and Firebase demo upload workflow.
New workflows
​.github/workflows/build-and-deploy-site.yml, ​.github/workflows/multi-platform-build-and-publish.yml, ​.github/workflows/tag-weekly-release.yml
Adds web site build/deploy (Kotlin/JS → Pages), multi-platform build-and-publish (Android/iOS/Desktop/Web with many secrets/inputs and conditional iOS distribution), and a scheduled weekly tagging workflow that creates production tags and dispatches a beta multi-platform run.
Sync & PR updates
​.github/workflows/sync-dirs.yaml, ​.github/workflows/pr-check.yml
Extends sync-dirs to include fastlane-config, adds exclusions (build.gradle.kts, workflow file), improves existence checks, preserves/restores excluded paths, emits warnings on partial sync failures; updates PR-check trigger comments/branch name.
Version bumps & minor workflow edits
​.github/workflows/cache-cleanup.yaml, ​.github/workflows/monthly-version-tag.yml, ​.github/workflows/promote-to-production.yml
Bumps reusable-action references from v1.0.0v1.0.11; updates an inline comment URL in monthly-version-tag.
Other workflow changes
​.github/workflows/tag-weekly-release.yml (new) vs removed ​.github/workflows/weekly-release.yaml
Replaces removed weekly workflow with a new tag-weekly-release workflow that performs reckon tagging and dispatches the multi-platform workflow.

Sequence Diagram(s)

sequenceDiagram
    participant Scheduler as "Scheduler\n(tag-weekly-release)"
    participant Runner as "GitHub Actions Runner"
    participant ActionHub as "Reusable workflow\n(openMF/actionhub@v1.0.11)"
    participant Stores as "Distribution targets\n(Play Store / App Store / Pages)"

    Scheduler->>Runner: scheduled or manual dispatch
    Runner->>ActionHub: invoke multi-platform build/publish (inputs + secrets)
    ActionHub->>Stores: upload artifacts / trigger distributions
    Stores-->>ActionHub: ack/status
    ActionHub-->>Runner: workflow result/status
    Runner-->>Scheduler: complete
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Poem

🐇
I hopped through YAML, neat and spry,
Pruned old paths and helped new ones fly.
Tags, builds, and sites now dance in tune,
Gradle hums beneath the moon —
A rabbit's CI cheer, light as a June.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title 'misc(ci): sync github workflows with kmp template' accurately describes the primary change—synchronizing GitHub workflows with a KMP template.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (3)
.github/workflows/sync-dirs.yaml (1)

101-103: Substring matching may cause unintended exclusions.

The pattern [[ "$path" == *"$excluded"* ]] performs substring matching rather than exact path matching. This could exclude unintended paths if the exclusion string appears anywhere in the path (e.g., excluding "icons" would also exclude "myicons" or "icons-v2").

For the current exclusions (project_config.rb, build.gradle.kts, sync-dirs.yaml), this is unlikely to cause issues, but consider using more precise matching for future-proofing:

♻️ Suggested fix using exact basename or suffix matching
               for excluded in "${root_excluded_paths[@]}"; do
-                if [[ "$path" == *"$excluded"* ]]; then
+                if [[ "$(basename "$path")" == "$excluded" || "$path" == *"/$excluded" || "$path" == "$excluded" ]]; then
                   return 0
                 fi

Apply the same pattern to the directory-specific check at lines 111-113.

Also applies to: 111-113

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-dirs.yaml around lines 101 - 103, The current
substring check if [[ "$path" == *"$excluded"* ]] (using variables path and
excluded) can wrongly exclude paths that merely contain the excluded string;
change this to an exact match on the basename or a suffix match instead—for
example, compare "$(basename "$path")" to "$excluded" for filename-only
exclusions or use [[ "$path" == */"$excluded" ]] for exact trailing component
matching; update both occurrences (the current condition and the
directory-specific check at the other block using path/excluded) so only exact
basename or explicit suffix matches cause an exclusion.
.github/workflows/tag-weekly-release.yml (1)

106-114: Hardcoded ref: 'dev' limits flexibility.

The branch reference is hardcoded to 'dev', but if you add the target_branch input as described in the comments, this should reference the input value. Additionally, for scheduled runs, a fallback default would be needed.

Use input with fallback for scheduled runs
             github.rest.actions.createWorkflowDispatch({
               owner: context.repo.owner,
               repo: context.repo.repo,
               workflow_id: 'multi-platform-build-and-publish.yml',
-              ref: 'dev', 
+              ref: '${{ inputs.target_branch || 'dev' }}',
               inputs: {
                 "release_type": "beta",
               },
             })
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tag-weekly-release.yml around lines 106 - 114, The
workflow currently hardcodes ref: 'dev' when calling
github.rest.actions.createWorkflowDispatch; change it to use the incoming input
target_branch with a fallback for scheduled runs (e.g., use
github.event.inputs.target_branch || 'dev' or similar) so createWorkflowDispatch
uses the dynamic branch instead of 'dev'; update the ref expression and ensure
the inputs object still passes "release_type": "beta" and any other inputs
unchanged (look for the createWorkflowDispatch call and the "release_type" input
and replace the fixed 'dev' ref with the input/fallback expression).
.github/workflows/build-and-deploy-site.yml (1)

53-57: Consider removing unnecessary pull-requests: write permission.

This workflow builds and deploys to GitHub Pages. The pull-requests: write permission doesn't appear necessary for this use case and granting it violates the principle of least privilege.

Suggested fix
 permissions:
   contents: read  # Read repository contents
   pages: write    # Write to GitHub Pages
   id-token: write # Write authentication tokens
-  pull-requests: write # Write to pull requests
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-and-deploy-site.yml around lines 53 - 57, Remove the
unnecessary broad permission by deleting the "pull-requests: write" entry under
the permissions block (keys shown: contents, pages, id-token, pull-requests) so
the workflow only grants the least privilege required for Pages deployment; if
pull-request access is needed for read-only checks, replace it with
"pull-requests: read" instead of write.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/ci-gradle.properties:
- Around line 7-8: The JVM heap setting org.gradle.jvmargs currently uses -Xmx7g
which is too large for GitHub Actions runners; reduce this to -Xmx4g or -Xmx5g
to leave OS/native headroom and prevent OOMs, and verify
kotlin.compiler.execution.strategy is not forcing in-process compilation
(kotlin.compiler.execution.strategy) or switch it to a safer strategy (e.g.,
daemon) if you need more compiler isolation; update the org.gradle.jvmargs value
accordingly and run CI to confirm the change resolves memory pressure.

In @.github/workflows/build-and-deploy-site.yml:
- Around line 1-3: The workflow comment and actual triggers disagree: the header
states it runs "whenever changes are merged into the dev branch" but the
workflow only has workflow_dispatch. Either update the comment to state this is
a manual-only workflow, or add a push trigger for the dev branch to match the
comment (e.g., add a "push: branches: [dev]" entry alongside workflow_dispatch).
Locate the triggers block in .github/workflows/build-and-deploy-site.yml and
apply one of the two fixes so the documentation and configuration are
consistent.

In @.github/workflows/pr-check.yml:
- Around line 70-72: The workflow triggers are set to the non-existent branch
"dev" under the YAML keys for pushes and pull requests (the two occurrences of
branches: [ dev ]); update both occurrences to branches: [ development ] so the
workflow triggers on the repository's long-lived/default branch (change the
branches value under the push/on and pull_request/on sections accordingly).

In @.github/workflows/sync-dirs.yaml:
- Around line 208-210: The git checkout call currently suppresses stderr
(2>/dev/null) which hides real errors; change the logic in the TEMP_BRANCH
directory sync (the git checkout "${{ env.TEMP_BRANCH }}" -- "$dir" invocation
that references $dir) to capture stderr into a variable (e.g., run git checkout
... 2>&1 and store output), check the command exit status, and emit a warning or
error that includes the captured stderr and exit code instead of a generic
message; apply the same pattern for the file sync block that mirrors this logic
(the subsequent git checkout lines around 233-235) so both directory and file
sync failures preserve error context for debugging.

In @.github/workflows/tag-weekly-release.yml:
- Around line 38-40: The workflow comment mentions a workflow_dispatch input
named target_branch but no such input is defined; update the workflow_dispatch
trigger to declare an input named target_branch (with a sensible default like
'dev') and update any uses of the variable (e.g., in the tag or release steps)
to reference the input via github.event.inputs.target_branch; ensure both
occurrences referenced in the review (around the earlier block and the second
occurrence at lines noted) are updated so the documented configurability matches
the workflow definition.

---

Nitpick comments:
In @.github/workflows/build-and-deploy-site.yml:
- Around line 53-57: Remove the unnecessary broad permission by deleting the
"pull-requests: write" entry under the permissions block (keys shown: contents,
pages, id-token, pull-requests) so the workflow only grants the least privilege
required for Pages deployment; if pull-request access is needed for read-only
checks, replace it with "pull-requests: read" instead of write.

In @.github/workflows/sync-dirs.yaml:
- Around line 101-103: The current substring check if [[ "$path" ==
*"$excluded"* ]] (using variables path and excluded) can wrongly exclude paths
that merely contain the excluded string; change this to an exact match on the
basename or a suffix match instead—for example, compare "$(basename "$path")" to
"$excluded" for filename-only exclusions or use [[ "$path" == */"$excluded" ]]
for exact trailing component matching; update both occurrences (the current
condition and the directory-specific check at the other block using
path/excluded) so only exact basename or explicit suffix matches cause an
exclusion.

In @.github/workflows/tag-weekly-release.yml:
- Around line 106-114: The workflow currently hardcodes ref: 'dev' when calling
github.rest.actions.createWorkflowDispatch; change it to use the incoming input
target_branch with a fallback for scheduled runs (e.g., use
github.event.inputs.target_branch || 'dev' or similar) so createWorkflowDispatch
uses the dynamic branch instead of 'dev'; update the ref expression and ensure
the inputs object still passes "release_type": "beta" and any other inputs
unchanged (look for the createWorkflowDispatch call and the "release_type" input
and replace the fixed 'dev' ref with the input/fallback expression).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e166c0c2-6c60-410c-baf6-2b3806f5cbd7

📥 Commits

Reviewing files that changed from the base of the PR and between d788bb4 and 8242e94.

📒 Files selected for processing (11)
  • .github/ci-gradle.properties
  • .github/workflows/android-release.yml
  • .github/workflows/build-and-deploy-site.yml
  • .github/workflows/cache-cleanup.yaml
  • .github/workflows/monthly-version-tag.yml
  • .github/workflows/multi-platform-build-and-publish.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/promote-to-production.yml
  • .github/workflows/sync-dirs.yaml
  • .github/workflows/tag-weekly-release.yml
  • .github/workflows/weekly-release.yaml
💤 Files with no reviewable changes (2)
  • .github/workflows/weekly-release.yaml
  • .github/workflows/android-release.yml

Comment thread .github/ci-gradle.properties
Comment thread .github/workflows/build-and-deploy-site.yml
Comment thread .github/workflows/pr-check.yml Outdated
Comment thread .github/workflows/sync-dirs.yaml
Comment thread .github/workflows/tag-weekly-release.yml
@itsPronay itsPronay marked this pull request as ready for review March 16, 2026 14:12

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

♻️ Duplicate comments (1)
.github/workflows/sync-dirs.yaml (1)

208-210: ⚠️ Potential issue | 🟡 Minor

Sync warnings still suppress actionable error details.

Line 208 and Line 233 drop stderr (2>/dev/null), so non-“missing path” failures lose root-cause context.

🔧 Suggested logging improvement
-            if ! git checkout "${{ env.TEMP_BRANCH }}" -- "$dir" 2>/dev/null; then
-              echo "Warning: Could not sync directory $dir (may not exist in upstream)"
+            if ! output=$(git checkout "${{ env.TEMP_BRANCH }}" -- "$dir" 2>&1); then
+              echo "Warning: Could not sync directory $dir: $output"
             fi
@@
-            if ! git checkout "${{ env.TEMP_BRANCH }}" -- "$file" 2>/dev/null; then
-              echo "Warning: Could not sync file $file (may not exist in upstream)"
+            if ! output=$(git checkout "${{ env.TEMP_BRANCH }}" -- "$file" 2>&1); then
+              echo "Warning: Could not sync file $file: $output"
             fi

Also applies to: 233-235

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-dirs.yaml around lines 208 - 210, The git checkout
commands currently swallow stderr via "2>/dev/null" which hides real errors;
remove the stderr redirection and capture stderr output (or let it flow) for the
git checkout "${{ env.TEMP_BRANCH }}" -- "$dir" invocation(s) so you can
differentiate a benign "path missing" failure from other fatal git errors;
specifically, change the two occurrences that use "git checkout \"${{
env.TEMP_BRANCH }}\" -- \"$dir\" 2>/dev/null" to capture or inspect the
command's stderr and exit code, treat the missing-path message (or specific git
exit/status/regex) as a warning and log it, but for any other stderr content
echo/log the full error (and fail/exit non-zero if appropriate).
🧹 Nitpick comments (1)
.github/workflows/tag-weekly-release.yml (1)

100-114: Hardcoded branch contradicts documentation.

Line 110 hardcodes ref: 'development', but lines 38-40 describe a configurable target_branch input with default 'dev'. Either remove the documentation claim or implement the input:

Option 1: Remove misleading documentation
-# Workflow Inputs:
-# - target_branch: Branch to use for releases (default: 'dev')
-#   Allows flexible release targeting across different branches
+# Note:
+# - Releases are triggered on the 'development' branch
Option 2: Implement the configurable input
 on:
   # Allow manual triggering of the workflow
   workflow_dispatch:
+    inputs:
+      target_branch:
+        type: string
+        default: 'development'
+        description: 'Target branch for release dispatch'
   # Schedule the workflow to run weekly
   schedule:

Then update the dispatch call:

             workflow_id: 'multi-platform-build-and-publish.yml',
-            ref: 'development', 
+            ref: '${{ inputs.target_branch || 'development' }}',
             inputs: {
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tag-weekly-release.yml around lines 100 - 114, The
workflow hardcodes ref: 'development' in the createWorkflowDispatch call (inside
the "Trigger Workflow" step using actions/github-script@v7) but the file
documents a configurable input target_branch with default 'dev'; either remove
the misleading docs or make the dispatch use the input: change the
createWorkflowDispatch call to read the branch from the workflow input (e.g.,
use core.getInput('target_branch')/github-script context to pull inputs) and
pass that value to the ref field, or alternatively update the documentation to
reflect the hardcoded 'development' value so they match.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sync-dirs.yaml:
- Line 86: The current "fastlane-config" exclusion only lists
"project_config.rb" and "extract_config.rb" but misses common project identity
files that must not be synced; update the "fastlane-config" exclusions to also
include Fastlane/Appfile, Fastlane/Fastfile, Fastlane/Matchfile,
Fastlane/Pluginfile and any deliver/credentials files so app identifiers,
package names and lane-specific settings aren’t overwritten — locate the
"fastlane-config" key in the sync mapping and add these filenames (Appfile,
Fastfile, Matchfile, Pluginfile, credentials and deliver-related files) to the
exclusion list.
- Line 303: The workflow changed the target branch to "development" in the base
key but left other steps still referencing "dev", so standardize to a single
branch variable and update all uses: add a workflow-level env/input like
SYNC_BRANCH (or reuse the existing base value) set to "development", then
replace the hardcoded "dev" occurrences in the actions/checkout step, any
rsync/sync steps, and the PR/branch-targeting steps so they all reference
SYNC_BRANCH (or the base variable) instead of "dev" to ensure a single source of
truth for the branch name.

In @.github/workflows/tag-weekly-release.yml:
- Around line 76-98: The workflow lacks explicit GitHub permissions for pushing
tags; update the "tag" job (job name: tag) to include an explicit permissions
block granting at least contents: write so the Gradle reckonTagPush step (run:
./gradlew :reckonTagPush -Preckon.stage=final) can push tags reliably; add the
permissions at the job-level (or workflow-level) using permissions: contents:
write to ensure the Tag Weekly Release step has the required rights.

---

Duplicate comments:
In @.github/workflows/sync-dirs.yaml:
- Around line 208-210: The git checkout commands currently swallow stderr via
"2>/dev/null" which hides real errors; remove the stderr redirection and capture
stderr output (or let it flow) for the git checkout "${{ env.TEMP_BRANCH }}" --
"$dir" invocation(s) so you can differentiate a benign "path missing" failure
from other fatal git errors; specifically, change the two occurrences that use
"git checkout \"${{ env.TEMP_BRANCH }}\" -- \"$dir\" 2>/dev/null" to capture or
inspect the command's stderr and exit code, treat the missing-path message (or
specific git exit/status/regex) as a warning and log it, but for any other
stderr content echo/log the full error (and fail/exit non-zero if appropriate).

---

Nitpick comments:
In @.github/workflows/tag-weekly-release.yml:
- Around line 100-114: The workflow hardcodes ref: 'development' in the
createWorkflowDispatch call (inside the "Trigger Workflow" step using
actions/github-script@v7) but the file documents a configurable input
target_branch with default 'dev'; either remove the misleading docs or make the
dispatch use the input: change the createWorkflowDispatch call to read the
branch from the workflow input (e.g., use
core.getInput('target_branch')/github-script context to pull inputs) and pass
that value to the ref field, or alternatively update the documentation to
reflect the hardcoded 'development' value so they match.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 583dd0c6-e685-4e05-95f8-c44ef344e2e2

📥 Commits

Reviewing files that changed from the base of the PR and between 8242e94 and 1e5cc70.

📒 Files selected for processing (4)
  • .github/workflows/multi-platform-build-and-publish.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/sync-dirs.yaml
  • .github/workflows/tag-weekly-release.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/pr-check.yml
  • .github/workflows/multi-platform-build-and-publish.yml

["cmp-desktop"]="icons"
["cmp-ios"]="iosApp/Assets.xcassets"
["cmp-desktop"]="icons build.gradle.kts"
["fastlane-config"]="project_config.rb extract_config.rb"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

fastlane-config exclusions look incomplete for project-specific files.

Line 86 excludes two files, but project-identity files in this folder are typically coupled. Syncing additional config files can overwrite app identifiers/package settings and break release lanes.

🔧 Suggested exclusion update
-            ["fastlane-config"]="project_config.rb extract_config.rb"
+            ["fastlane-config"]="project_config.rb extract_config.rb android_config.rb ios_config.rb"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
["fastlane-config"]="project_config.rb extract_config.rb"
["fastlane-config"]="project_config.rb extract_config.rb android_config.rb ios_config.rb"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-dirs.yaml at line 86, The current "fastlane-config"
exclusion only lists "project_config.rb" and "extract_config.rb" but misses
common project identity files that must not be synced; update the
"fastlane-config" exclusions to also include Fastlane/Appfile,
Fastlane/Fastfile, Fastlane/Matchfile, Fastlane/Pluginfile and any
deliver/credentials files so app identifiers, package names and lane-specific
settings aren’t overwritten — locate the "fastlane-config" key in the sync
mapping and add these filenames (Appfile, Fastfile, Matchfile, Pluginfile,
credentials and deliver-related files) to the exclusion list.

sync
automated pr
base: dev No newline at end of file
base: development No newline at end of file

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Branch rename is incomplete and can break or mis-target syncs.

Line 303 now targets development, but the workflow still checks out/syncs dev (Line 26, Line 43, Line 52, Line 193). This can fail on repos without dev or produce PRs against development from a dev-based snapshot.

🔧 Suggested fix (single source of truth for branch)
+env:
+  SYNC_BRANCH: development
+
 jobs:
   sync-directories:
@@
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: dev
+          ref: ${{ env.SYNC_BRANCH }}
@@
       - name: Check upstream/dev exists
         run: |
           set -euo pipefail
-          if ! git rev-parse --verify upstream/dev >/dev/null 2>&1; then
-            echo "Error: upstream/dev branch does not exist"
+          if ! git rev-parse --verify "upstream/${{ env.SYNC_BRANCH }}" >/dev/null 2>&1; then
+            echo "Error: upstream/${{ env.SYNC_BRANCH }} branch does not exist"
             exit 1
           fi
@@
           set -euo pipefail
           TEMP_BRANCH="temp-sync-branch-${{ github.run_number }}"
-          git checkout -b "$TEMP_BRANCH" upstream/dev || exit 1
+          git checkout -b "$TEMP_BRANCH" "upstream/${{ env.SYNC_BRANCH }}" || exit 1
           echo "TEMP_BRANCH=$TEMP_BRANCH" >> $GITHUB_ENV
@@
           # Switch to dev branch
-          git checkout dev
+          git checkout "${{ env.SYNC_BRANCH }}"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-dirs.yaml at line 303, The workflow changed the
target branch to "development" in the base key but left other steps still
referencing "dev", so standardize to a single branch variable and update all
uses: add a workflow-level env/input like SYNC_BRANCH (or reuse the existing
base value) set to "development", then replace the hardcoded "dev" occurrences
in the actions/checkout step, any rsync/sync steps, and the PR/branch-targeting
steps so they all reference SYNC_BRANCH (or the base variable) instead of "dev"
to ensure a single source of truth for the branch name.

Comment on lines +76 to +98
jobs:
tag:
name: Tag Weekly Release
runs-on: ubuntu-latest
steps:
# Checkout the repository with full history for proper versioning
- uses: actions/checkout@v4
with:
fetch-depth: 0

# Setup Java environment for Gradle operations
- name: Set up JDK 17
uses: actions/setup-java@v4.2.2
with:
distribution: 'temurin'
java-version: '17'

# Create and push a new version tag using Reckon
# This uses the 'final' stage for production-ready releases
- name: Tag Weekly Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ./gradlew :reckonTagPush -Preckon.stage=final

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Add explicit permissions for tag pushing.

The reckonTagPush task pushes a git tag, which requires contents: write permission. Without an explicit permissions block, the workflow relies on repository-level defaults, which may be restricted to read-only in some repositories.

🛡️ Proposed fix to add permissions
 jobs:
   tag:
     name: Tag Weekly Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Checkout the repository with full history for proper versioning
       - uses: actions/checkout@v4
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
jobs:
tag:
name: Tag Weekly Release
runs-on: ubuntu-latest
steps:
# Checkout the repository with full history for proper versioning
- uses: actions/checkout@v4
with:
fetch-depth: 0
# Setup Java environment for Gradle operations
- name: Set up JDK 17
uses: actions/setup-java@v4.2.2
with:
distribution: 'temurin'
java-version: '17'
# Create and push a new version tag using Reckon
# This uses the 'final' stage for production-ready releases
- name: Tag Weekly Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ./gradlew :reckonTagPush -Preckon.stage=final
jobs:
tag:
name: Tag Weekly Release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
# Checkout the repository with full history for proper versioning
- uses: actions/checkout@v4
with:
fetch-depth: 0
# Setup Java environment for Gradle operations
- name: Set up JDK 17
uses: actions/setup-java@v4.2.2
with:
distribution: 'temurin'
java-version: '17'
# Create and push a new version tag using Reckon
# This uses the 'final' stage for production-ready releases
- name: Tag Weekly Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: ./gradlew :reckonTagPush -Preckon.stage=final
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tag-weekly-release.yml around lines 76 - 98, The workflow
lacks explicit GitHub permissions for pushing tags; update the "tag" job (job
name: tag) to include an explicit permissions block granting at least contents:
write so the Gradle reckonTagPush step (run: ./gradlew :reckonTagPush
-Preckon.stage=final) can push tags reliably; add the permissions at the
job-level (or workflow-level) using permissions: contents: write to ensure the
Tag Weekly Release step has the required rights.

@biplab1

biplab1 commented Mar 16, 2026

Copy link
Copy Markdown
Contributor

This should be merged after #2639.

@biplab1

biplab1 commented Mar 25, 2026

Copy link
Copy Markdown
Contributor

@itsPronay This ticket was suppose to remove duplicate workflows instead of syncing the workflows with KMP template. Please review.

@itsPronay

Copy link
Copy Markdown
Member Author

@itsPronay This ticket was suppose to remove duplicate workflows instead of syncing the workflows with KMP template. Please review.

@biplab1 As far as I remember, Rajan bhaiya asked to sync workflow with KMP template. We did the same in mifos-mobile.

Maybe I assigned myself the wrong ticket!?! could you please confirm with him in today's standup. I won't be joining standup today.

@sonarqubecloud

Copy link
Copy Markdown

@biplab1

biplab1 commented Apr 13, 2026

Copy link
Copy Markdown
Contributor

@coderabbitai Improve PR title based on github.com/openMF/mobile-wallet/wiki/Commit-style-guide. Give us just the title.

@coderabbitai

coderabbitai Bot commented Apr 13, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

@biplab1 Based on the commit style guide, which classifies "misc" as anything else that doesn't change production code, yet is not test or chore — e.g. updating GitHub actions workflow, here is the improved title:

misc(ci): sync github workflows with kmp template

🧠 Learnings used
Learnt from: biplab1
Repo: openMF/mifos-x-field-officer-app PR: 2647
File: feature/loan/src/commonMain/composeResources/values/strings.xml:460-460
Timestamp: 2026-03-24T00:43:11.613Z
Learning: In PR `#2647` (openMF/mifos-x-field-officer-app), the timeline string resource keys in `feature/loan/src/commonMain/composeResources/values/strings.xml` should follow the `_on_date` suffix naming pattern for date-type events (e.g., `feature_loan_timeline_amount_disbursed_on_date`, `feature_loan_timeline_application_submitted_on_date`, `feature_loan_timeline_application_approved_on_date`, `feature_loan_timeline_expected_disbursement_on_date`, `feature_loan_timeline_expected_maturity_on_date`, `feature_loan_timeline_maturity_on_date`). This was a naming convention decision by maintainer biplab1 to make date-carrying keys clearly distinguishable from state-only keys.

@biplab1 biplab1 changed the title Sync github workflow with KMP template misc(ci): sync github workflows with kmp template Apr 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants