Refactor workflows for external repositories #262
greenc-FNAL commented Jan 21, 2026
- refactor: Make workflows reusable for external repositories
- docs: Correct bot command example for forks
This change refactors the GitHub Actions workflows to support 'workflow_call' triggers. Key changes:
- Added 'workflow_call' triggers to all relevant workflows.
- Replaced hardcoded 'phlex' references with dynamic repository information.
- Added inputs to configure checkout paths, build matrices, and skip relevance checks.
- Ensured workflows remain backward-compatible with existing triggers.
This allows the workflows to be called from external repositories, improving their reusability and portability.
This change refactors the GitHub Actions workflows to support 'workflow_call' triggers. Key changes:
- Added 'workflow_call' triggers to all relevant workflows.
- Replaced hardcoded 'phlex' references with dynamic repository information.
- Added inputs to configure checkout paths, build matrices, and skip relevance checks.
- Ensured workflows remain backward-compatible with existing triggers.
- Fixed an issue with constructing CMake sanitizer options by correctly extracting the repository name.
- Corrected the relevance check in `actionlint-check.yaml` to handle pull request context from `workflow_call`.
This allows the workflows to be called from external repositories, improving their reusability and portability.
This change refactors the GitHub Actions workflows to support 'workflow_call' triggers, making them self-contained and portable for use in external repositories. Key changes:
- Added 'workflow_call' triggers to all relevant workflows with inputs to configure behavior like checkout paths, build matrices, and relevance check skipping.
- Replaced hardcoded 'phlex' references with dynamic repository information.
- Ensured workflows remain backward-compatible with existing triggers.
- Fixed an issue with constructing CMake sanitizer options by correctly extracting the repository name from the full 'owner/repo' string.
- Corrected the relevance check in `actionlint-check.yaml` to handle pull request context from `workflow_call`.
- Updated workflows to explicitly check out the 'phlex' repository for ancillary scripts or to use canonical remote paths for reusable actions, ensuring they are self-contained.
Corrects the example bot command in the reusable workflows guide for contributors working on a fork of the repository. The previous example, `@your-github-usernamebot format`, was incorrect. The correct command is `@phlexbot format`, as the dynamic repository name in the workflow resolves to `phlex` even in a fork.
Pull request overview
This pull request refactors GitHub Actions workflows to make them reusable for external repositories that want to leverage Phlex's CI/CD infrastructure. The changes introduce workflow_call triggers with configurable inputs, replace hardcoded "phlex" references with dynamic repository-specific values, and update bot commands to support repository-specific naming patterns.
Changes:
- Added `workflow_call` triggers to 7 workflows with inputs for checkout paths, repository references, and relevance check controls
- Introduced dynamic path variables using `local-checkout-path` and `local-build-path` environment variables
- Updated bot command triggers to support both `@phlexbot` and `@{repository}bot` patterns
- Added comprehensive documentation for external consumers in `.github/REUSABLE_WORKFLOWS.md`
- Updated action references from local paths to `Framework-R-D/phlex@main` for external reusability
- Removed obsolete REFACTORING_SUMMARY.md documentation
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| README.md | Added new CI/CD section with link to reusable workflows guide |
| .github/REUSABLE_WORKFLOWS.md | New comprehensive guide for external repositories to use Phlex workflows |
| .github/actions/README.md | Added note directing users to high-level workflow documentation |
| .github/actions/REFACTORING_SUMMARY.md | Deleted obsolete refactoring documentation |
| .github/workflows/python-fix.yaml | Added workflow_call trigger, dynamic paths, repository-specific bot command |
| .github/workflows/python-check.yaml | Added workflow_call trigger with relevance check inputs, dynamic paths |
| .github/workflows/codeql-analysis.yaml | Added workflow_call trigger, dynamic paths, support for external script checkout |
| .github/workflows/cmake-format-fix.yaml | Added workflow_call trigger, dynamic paths, repository-specific bot command |
| .github/workflows/cmake-format-check.yaml | Added workflow_call trigger, dynamic paths, updated error message |
| .github/workflows/cmake-build.yaml | Added workflow_call trigger, dynamic paths, repository name extraction for CMake variables |
| .github/workflows/actionlint-check.yaml | Added workflow_call trigger, dynamic paths, relevance check inputs |
| uses: Framework-R-D/phlex/.github/workflows/cmake-format-fix.yaml@main | ||
| with: | ||
| # The ref and repo of the PR need to be retrieved and passed | ||
| ref: ${{ steps.get_pr_info.outputs.ref }} | ||
| repo: ${{ steps.get_pr_info.outputs.repo }} | ||
| secrets: | ||
| WORKFLOW_PAT: ${{ secrets.WORKFLOW_PAT }} |
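Review bot: `ref` and `repo` are taken from PR metadata (`steps.get_pr_info.outputs`) and handed, together with `WORKFLOW_PAT`, to a reusable job that auto-fixes and pushes; for a PR opened from a fork (the case the docs commit addresses) that means fork-supplied ref/repo values reach a job holding a push-capable token. The usage example should show the caller gating this job on the commenting user's permission level before passing those inputs, and the reusable workflow should document that it expects such a gate rather than trusting `ref`/`repo` as given.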
Copilot (AI) commented Jan 22, 2026
In the cmake-format-fix.yaml usage example, uses: Framework-R-D/phlex/.github/workflows/cmake-format-fix.yaml@main is combined with a high-privilege WORKFLOW_PAT secret, so any change to this repository's main branch immediately affects external consumers' workflows. A compromise of this repo or an accidental malicious commit to main would let an attacker exfiltrate WORKFLOW_PAT or arbitrarily modify dependent repositories via the auto-fix job. To limit this supply chain risk, the documentation should instruct users to pin the reusable workflow to a specific tag or commit SHA instead of using the mutable @main reference.
| uses: Framework-R-D/phlex/.github/workflows/<workflow_file_name>.yaml@main | ||
| with: | ||
| # ... inputs for the workflow ... | ||
| secrets: | ||
| WORKFLOW_PAT: ${{ secrets.WORKFLOW_PAT }} | ||
| ``` | ||
| **Note:** Always reference the workflows using the `@main` ref to ensure you are using the latest stable version. |
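Review bot: the closing note presents `@main` as "the latest stable version", but a branch head is not a version; the pinning question aside, this generic usage example is also the natural place to document which scopes `WORKFLOW_PAT` actually needs, so that consumers can mint a fine-grained token limited to the consuming repository instead of passing a broad classic PAT into every reusable workflow.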
Copilot (AI) commented Jan 22, 2026
Referencing the reusable workflow via uses: Framework-R-D/phlex/.github/workflows/<workflow_file_name>.yaml@main uses a mutable branch ref for a workflow that will run with your repository secrets (such as WORKFLOW_PAT). If this repository or its main branch is ever compromised, consumers copying this pattern will automatically execute attacker-controlled workflow code with their secrets, enabling secret exfiltration or arbitrary modification of their repositories. Instead of recommending @main, this documentation should instruct users to pin to a specific version tag or commit SHA for the reusable workflow to reduce supply chain risk.
| ```yaml | ||
| jobs: | ||
| build_and_test: | ||
| uses: Framework-R-D/phlex/.github/workflows/cmake-build.yaml@main |
Copilot (AI) commented Jan 22, 2026
The example uses: Framework-R-D/phlex/.github/workflows/cmake-build.yaml@main again relies on the mutable main branch of a remote workflow while running with the caller's secrets. If an attacker pushes a malicious workflow to this repository's main branch, any external project using this example verbatim will execute that code with its CI secrets, allowing secret exfiltration or code tampering. This usage should be documented with a pinned version tag or commit SHA instead of @main to mitigate supply chain compromise of dependent repositories.
| ```yaml | ||
| jobs: | ||
| check_python: | ||
| uses: Framework-R-D/phlex/.github/workflows/python-check.yaml@main |
Copilot (AI) commented Jan 22, 2026
The python-check.yaml example calls uses: Framework-R-D/phlex/.github/workflows/python-check.yaml@main, which pulls workflow code from a mutable branch with whatever permissions and secrets the calling job provides. If this repository's main branch is compromised, external consumers following this pattern will immediately run attacker-controlled workflow code in their CI, exposing secrets and allowing unauthorized modifications. The guidance here should recommend pinning to a specific tag or commit SHA instead of the moving @main ref.
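All four Copilot comments above make the same point: a `uses:` reference ending in `@main` resolves to whatever that branch holds at run time, so the caller's secrets are exposed to every future change on it. The following is an added example, not code from the phlex repository or from this PR: a small Python checker that scans a workflow file for `uses:` lines and reports every reference that is not pinned to a full commit SHA. It runs over a constructed consumer workflow in the shape the guide documents (the `@main` form flagged in the review) and over the same workflow with the phlex call pinned; the 40-hex SHA and the `v1.2.3` in its trailing comment are placeholders, not a real phlex commit or release. Tags are reported too, at lower severity, because a tag can be moved; only a full SHA is immutable.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a consumer workflow in the shape the reusable-workflows
# guide documents, calling phlex via the mutable @main ref the review flags.
UNPINNED_WORKFLOW = """\
name: format
on:
  issue_comment:
    types: [created]
jobs:
  cmake_format_fix:
    uses: Framework-R-D/phlex/.github/workflows/cmake-format-fix.yaml@main
    with:
      ref: ${{ steps.get_pr_info.outputs.ref }}
      repo: ${{ steps.get_pr_info.outputs.repo }}
    secrets:
      WORKFLOW_PAT: ${{ secrets.WORKFLOW_PAT }}
  lint:
    steps:
      - uses: actions/checkout@v4
"""

# The same workflow with the phlex call pinned to a full commit SHA.  The SHA and
# the "v1.2.3" tag in the trailing comment are placeholders (not a real commit);
# keeping the tag in a comment makes the pin readable and easy to bump.
PINNED_WORKFLOW = UNPINNED_WORKFLOW.replace(
    "cmake-format-fix.yaml@main",
    "cmake-format-fix.yaml@0123456789abcdef0123456789abcdef01234567  # v1.2.3 (placeholder)",
)

# `uses:` may appear as a job key (reusable workflow) or as a step list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify the part after '@' in a `uses:` target.

    'sha'    -> immutable full commit SHA (the only safe pin)
    'tag'    -> version-like tag such as v4 or v1.2.3 (mutable: tags can be moved)
    'branch' -> anything else, e.g. main, master, prerelease names (mutable)
    """
    if SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "branch"


def find_unpinned_uses(workflow_text: str) -> List[Dict[str, Optional[object]]]:
    """Return one finding per `uses:` line whose ref is not a full commit SHA."""
    findings: List[Dict[str, Optional[object]]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker images carry no git ref to pin.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append({"line": lineno, "uses": target, "ref": None, "kind": "missing"})
            continue
        _, ref = target.rsplit("@", 1)
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append({"line": lineno, "uses": target, "ref": ref, "kind": kind})
    return findings


def has_branch_refs(workflow_text: str) -> bool:
    """True when any `uses:` points at a branch (the case to fail CI on)."""
    return any(f["kind"] in ("branch", "missing") for f in find_unpinned_uses(workflow_text))


if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(f"== {label} ==")
        for f in find_unpinned_uses(text):
            print(f"  line {f['line']}: {f['kind']:7} {f['uses']}")
        print(f"  fail build: {has_branch_refs(text)}")
```

Run as a CI step over `.github/workflows/*.yaml` and fail the job whenever `has_branch_refs` is true; the `tag` findings are worth reviewing but are the normal state for many marketplace actions. A trailing `# vX.Y.Z` comment next to the SHA is the convention automated updaters such as Dependabot maintain when they bump a pinned action, so the pin stays both immutable and legible.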
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>