ci(common): simplify orchestration workflow

Author: eudelins-zama

.github/actionlint.yaml

@@ -14,3 +14,12 @@ self-hosted-runner:
     - m1mac
     - 4090-desktop
     - aws-mac1-metal
+
+# Path-specific configurations
+paths:
+  .github/workflows/**/*.{yml,yaml}:
+    ignore:
+      - SC2001 # https://www.shellcheck.net/wiki/SC2129
+      - 'property "result" is not defined in object type.*'
+      - '".*" section is alias node but mapping node is expected'
+      - 'secret ".*" is required by ".*" reusable workflow.*'

.github/workflows/common-pull-request-lint.yml

@@ -24,7 +24,6 @@ jobs:
       - name: actionlint
         uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1
         with:
-            flags: "-ignore SC2001"
             version: ${{ env.ACTIONLINT_VERSION }}
 
       - name: Ensure SHA pinned actions
@@ -48,4 +47,4 @@ jobs:
         uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
         with:
           persona: pedantic
-          version: 1.14.2
+          version: 1.17.0

.github/workflows/coprocessor-db-migration-docker-build.yml

@@ -1,18 +1,28 @@
 name: coprocessor-db-migration-docker-build
 
 on:
-  workflow_dispatch:
+  workflow_call:
+    secrets:
+      AWS_ACCESS_KEY_S3_USER:
+        required: true
+      AWS_SECRET_KEY_S3_USER:
+        required: true
+      BLOCKCHAIN_ACTIONS_TOKEN:
+        required: true
+      CGR_USERNAME:
+        required: true
+      CGR_PASSWORD:
+        required: true
     inputs:
-      ref:
-        description: 'Branch/ref to build'
-        required: false
-        default: 'main'
-        type: string
-      trigger_source:
-        description: 'Source that triggered this workflow'
+      is_workflow_call:
+        description: 'To determine if the trigger was a workflow_call or a pull request'
+        type: boolean
         required: false
-        default: 'manual'
-        type: string
+        default: true
+    outputs:
+      build_result:
+        description: "Result of the build job of this workflow"
+        value: ${{ jobs.build.result }}
   pull_request:
   push:
     branches:
@@ -35,6 +45,9 @@ jobs:
       contents: 'read' # Required to checkout repository code
       pull-requests: 'read' # Required to read pull request information
     runs-on: ubuntu-latest
+    if: |
+      inputs.is_workflow_call
+# TODO: re-enable this      || (!inputs.is_workflow_call && !startsWith(github.head_ref, 'mergify/merge-queue/'))
     outputs:
       changes-coprocessor-db-migration: ${{ steps.filter.outputs.coprocessor-db-migration }}
     steps:
@@ -46,7 +59,7 @@ jobs:
         with:
           filters: |
             coprocessor-db-migration:
-              - .github/workflows/coprocessor-db-migration-docker-build.yml
+              # TODO: restore this - .github/workflows/coprocessor-db-migration-docker-build.yml
               - coprocessor/fhevm-engine/db-migration/**
   build:
     name: coprocessor-db-migration-docker-build/build (bpr)
@@ -74,27 +87,3 @@ jobs:
       image-name: "fhevm/coprocessor/db-migration"
       docker-file: "coprocessor/fhevm-engine/db-migration/Dockerfile"
       app-cache-dir: "fhevm-coprocessor-db-migration"
-  output-build-status:
-    name: coprocessor-db-migration-docker-build/output-build-status
-    needs: [check-changes, build]
-    if: always()
-    permissions:
-      contents: 'read'
-    runs-on: ubuntu-latest
-    outputs:
-      image-built: ${{ steps.check-build.outputs.image-built }}
-      image-tag: ${{ steps.check-build.outputs.image-tag }}
-    steps:
-      - name: Check if image was built
-        id: check-build
-        run: |
-          # Check if docker build job ran and succeeded
-          if [[ "${{ needs.build.result }}" == "success" ]]; then
-            echo "image-built=true" >> "$GITHUB_OUTPUT"
-            echo "image-tag=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-            echo "✅ Image was built successfully"
-          else
-            echo "image-built=false" >> "$GITHUB_OUTPUT"
-            echo "image-tag=" >> "$GITHUB_OUTPUT"
-            echo "⏭️ Image was not built (result: ${{ needs.build.result }})"
-          fi

.github/workflows/coprocessor-gw-listener-docker-build.yml

@@ -1,18 +1,28 @@
 name: coprocessor-gw-listener-docker-build
 
 on:
-  workflow_dispatch:
+  workflow_call:
+    secrets:
+      AWS_ACCESS_KEY_S3_USER:
+        required: true
+      AWS_SECRET_KEY_S3_USER:
+        required: true
+      BLOCKCHAIN_ACTIONS_TOKEN:
+        required: true
+      CGR_USERNAME:
+        required: true
+      CGR_PASSWORD:
+        required: true
     inputs:
-      ref:
-        description: 'Branch/ref to build'
-        required: false
-        default: 'main'
-        type: string
-      trigger_source:
-        description: 'Source that triggered this workflow'
+      is_workflow_call:
+        description: 'To determine if the trigger was a workflow_call or a pull request'
+        type: boolean
         required: false
-        default: 'manual'
-        type: string
+        default: true
+    outputs:
+      build_result:
+        description: "Result of the build job of this workflow"
+        value: ${{ jobs.build.result }}
   pull_request:
   push:
     branches:
@@ -35,6 +45,9 @@ jobs:
       contents: 'read' # Required to checkout repository code
       pull-requests: 'read' # Required to read pull request information
     runs-on: ubuntu-latest
+    if: |
+      inputs.is_workflow_call
+# TODO: re-enable this      || (!inputs.is_workflow_call && !startsWith(github.head_ref, 'mergify/merge-queue/'))
     outputs:
       changes-coprocessor-gw-listener: ${{ steps.filter.outputs.coprocessor-gw-listener }}
     steps:
@@ -46,7 +59,7 @@ jobs:
         with:
           filters: |
             coprocessor-gw-listener:
-              - .github/workflows/coprocessor-docker-build-gw-listener.yml
+              # TODO: restore this - .github/workflows/coprocessor-docker-build-gw-listener.yml
               - coprocessor/fhevm-engine/gw-listener/**
               - coprocessor/fhevm-engine/Cargo.toml
               - coprocessor/fhevm-engine/Cargo.lock
@@ -76,27 +89,3 @@ jobs:
       image-name: "fhevm/coprocessor/gw-listener"
       docker-file: "./coprocessor/fhevm-engine/gw-listener/Dockerfile"
       app-cache-dir: "fhevm-coprocessor-gw-listener"
-  output-build-status:
-    name: coprocessor-gw-listener-docker-build/output-build-status
-    needs: [check-changes, build]
-    if: always()
-    permissions:
-      contents: 'read'
-    runs-on: ubuntu-latest
-    outputs:
-      image-built: ${{ steps.check-build.outputs.image-built }}
-      image-tag: ${{ steps.check-build.outputs.image-tag }}
-    steps:
-      - name: Check if image was built
-        id: check-build
-        run: |
-          # Check if docker build job ran and succeeded
-          if [[ "${{ needs.build.result }}" == "success" ]]; then
-            echo "image-built=true" >> "$GITHUB_OUTPUT"
-            echo "image-tag=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-            echo "✅ Image was built successfully"
-          else
-            echo "image-built=false" >> "$GITHUB_OUTPUT"
-            echo "image-tag=" >> "$GITHUB_OUTPUT"
-            echo "⏭️ Image was not built (result: ${{ needs.build.result }})"
-          fi

.github/workflows/coprocessor-host-listener-docker-build.yml

@@ -1,18 +1,28 @@
 name: coprocessor-host-listener-docker-build
 
 on:
-  workflow_dispatch:
+  workflow_call:
+    secrets:
+      AWS_ACCESS_KEY_S3_USER:
+        required: true
+      AWS_SECRET_KEY_S3_USER:
+        required: true
+      BLOCKCHAIN_ACTIONS_TOKEN:
+        required: true
+      CGR_USERNAME:
+        required: true
+      CGR_PASSWORD:
+        required: true
     inputs:
-      ref:
-        description: 'Branch/ref to build'
-        required: false
-        default: 'main'
-        type: string
-      trigger_source:
-        description: 'Source that triggered this workflow'
+      is_workflow_call:
+        description: 'To determine if the trigger was a workflow_call or a pull request'
+        type: boolean
         required: false
-        default: 'manual'
-        type: string
+        default: true
+    outputs:
+      build_result:
+        description: "Result of the build job of this workflow"
+        value: ${{ jobs.build.result }}
   pull_request:
   push:
     branches:
@@ -35,6 +45,9 @@ jobs:
       contents: 'read' # Required to checkout repository code
       pull-requests: 'read' # Required to read pull request information
     runs-on: ubuntu-latest
+    if: |
+      inputs.is_workflow_call
+# TODO: re-enable this      || (!inputs.is_workflow_call && !startsWith(github.head_ref, 'mergify/merge-queue/'))
     outputs:
       changes-coprocessor-host-listener: ${{ steps.filter.outputs.coprocessor-host-listener }}
     steps:
@@ -46,7 +59,7 @@ jobs:
         with:
           filters: |
             coprocessor-host-listener:
-              - .github/workflows/coprocessor-host-listener-docker-build.yml
+              # TODO: restore this - .github/workflows/coprocessor-host-listener-docker-build.yml
               - coprocessor/fhevm-engine/host-listener/**
               - coprocessor/fhevm-engine/Cargo.toml
               - coprocessor/fhevm-engine/Cargo.lock
@@ -78,27 +91,3 @@ jobs:
       image-name: "fhevm/coprocessor/host-listener"
       docker-file: "coprocessor/fhevm-engine/host-listener/Dockerfile"
       app-cache-dir: "fhevm-coprocessor-host-listener"
-  output-build-status:
-    name: coprocessor-host-listener-docker-build/output-build-status
-    needs: [check-changes, build]
-    if: always()
-    permissions:
-      contents: 'read'
-    runs-on: ubuntu-latest
-    outputs:
-      image-built: ${{ steps.check-build.outputs.image-built }}
-      image-tag: ${{ steps.check-build.outputs.image-tag }}
-    steps:
-      - name: Check if image was built
-        id: check-build
-        run: |
-          # Check if docker build job ran and succeeded
-          if [[ "${{ needs.build.result }}" == "success" ]]; then
-            echo "image-built=true" >> "$GITHUB_OUTPUT"
-            echo "image-tag=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-            echo "✅ Image was built successfully"
-          else
-            echo "image-built=false" >> "$GITHUB_OUTPUT"
-            echo "image-tag=" >> "$GITHUB_OUTPUT"
-            echo "⏭️ Image was not built (result: ${{ needs.build.result }})"
-          fi

.github/workflows/coprocessor-sns-worker-docker-build.yml

@@ -1,18 +1,28 @@
 name: coprocessor-sns-worker-docker-build
 
 on:
-  workflow_dispatch:
+  workflow_call:
+    secrets:
+      AWS_ACCESS_KEY_S3_USER:
+        required: true
+      AWS_SECRET_KEY_S3_USER:
+        required: true
+      BLOCKCHAIN_ACTIONS_TOKEN:
+        required: true
+      CGR_USERNAME:
+        required: true
+      CGR_PASSWORD:
+        required: true
     inputs:
-      ref:
-        description: 'Branch/ref to build'
-        required: false
-        default: 'main'
-        type: string
-      trigger_source:
-        description: 'Source that triggered this workflow'
+      is_workflow_call:
+        description: 'To determine if the trigger was a workflow_call or a pull request'
+        type: boolean
         required: false
-        default: 'manual'
-        type: string
+        default: true
+    outputs:
+      build_result:
+        description: "Result of the build job of this workflow"
+        value: ${{ jobs.build.result }}
   pull_request:
   push:
     branches:
@@ -35,6 +45,9 @@ jobs:
       contents: 'read' # Required to checkout repository code
       pull-requests: 'read' # Required to read pull request information
     runs-on: ubuntu-latest
+    if: |
+      inputs.is_workflow_call
+# TODO: re-enable this      || (!inputs.is_workflow_call && !startsWith(github.head_ref, 'mergify/merge-queue/'))
     outputs:
       changes-coprocessor-sns-worker: ${{ steps.filter.outputs.coprocessor-sns-worker }}
     steps:
@@ -76,27 +89,3 @@ jobs:
       image-name: "fhevm/coprocessor/sns-worker"
       docker-file: "coprocessor/fhevm-engine/sns-worker/Dockerfile"
       app-cache-dir: "fhevm-coprocessor-sns-worker"
-  output-build-status:
-    name: coprocessor-sns-worker-docker-build/output-build-status
-    needs: [check-changes, build]
-    if: always()
-    permissions:
-      contents: 'read'
-    runs-on: ubuntu-latest
-    outputs:
-      image-built: ${{ steps.check-build.outputs.image-built }}
-      image-tag: ${{ steps.check-build.outputs.image-tag }}
-    steps:
-      - name: Check if image was built
-        id: check-build
-        run: |
-          # Check if docker build job ran and succeeded
-          if [[ "${{ needs.build.result }}" == "success" ]]; then
-            echo "image-built=true" >> "$GITHUB_OUTPUT"
-            echo "image-tag=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-            echo "✅ Image was built successfully"
-          else
-            echo "image-built=false" >> "$GITHUB_OUTPUT"
-            echo "image-tag=" >> "$GITHUB_OUTPUT"
-            echo "⏭️ Image was not built (result: ${{ needs.build.result }})"
-          fi

.github/workflows/coprocessor-stress-test-tool-docker-build.yml

@@ -34,7 +34,7 @@ jobs:
         with:
           filters: |
             coprocessor-stress-test-tool:
-              - .github/workflows/coprocessor-docker-build-stress-test-tool.yml
+              # TODO: restore this - .github/workflows/coprocessor-docker-build-stress-test-tool.yml
               - coprocessor/fhevm-engine/stress-test-generator/**
               - coprocessor/fhevm-engine/Cargo.toml
               - coprocessor/fhevm-engine/Cargo.lock