From a65d8efccbd91deadcde3b0d60cb080cfe017595 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 19:03:52 +0000 Subject: [PATCH 1/7] refactor: Make workflows reusable for external repositories This change refactors the GitHub Actions workflows to support 'workflow_call' triggers. Key changes: - Added 'workflow_call' triggers to all relevant workflows. - Replaced hardcoded 'phlex' references with dynamic repository information. - Added inputs to configure checkout paths, build matrices, and skip relevance checks. - Ensured workflows remain backward-compatible with existing triggers. This allows the workflows to be called from external repositories, improving their reusability and portability. --- .github/workflows/actionlint-check.yaml | 40 ++++++--- .github/workflows/cmake-build.yaml | 100 ++++++++++++++++------ .github/workflows/cmake-format-check.yaml | 50 ++++++++--- .github/workflows/cmake-format-fix.yaml | 42 ++++++--- .github/workflows/codeql-analysis.yaml | 59 ++++++++++--- .github/workflows/python-check.yaml | 48 ++++++++--- .github/workflows/python-fix.yaml | 44 +++++++--- 7 files changed, 292 insertions(+), 91 deletions(-) diff --git a/.github/workflows/actionlint-check.yaml b/.github/workflows/actionlint-check.yaml index 95a4673e..e1ea3f21 100644 --- a/.github/workflows/actionlint-check.yaml +++ b/.github/workflows/actionlint-check.yaml @@ -9,6 +9,20 @@ on: pull_request: branches: [ main, develop ] workflow_dispatch: + workflow_call: + inputs: + checkout-path: + description: "Path to check out code to" + required: false + type: string + skip-relevance-check: + description: "Bypass relevance check" + required: false + type: boolean + default: false + +env: + local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} jobs: pre-check: 
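Review bot: The `github.event_name == 'workflow_call'` guard in the new `env:` block (`local-checkout-path`) can never be true, because the `github` context of a called reusable workflow belongs to the caller, so `event_name` is the caller's event (`pull_request`, `push`, …), not `workflow_call`. As written every `inputs.*` value is discarded and the `<repo>-src`/`<repo>-build` defaults always win; the same guard drives the `env:` values and the job `if:` expressions in all seven files (cmake-build, cmake-format-check, cmake-format-fix, codeql-analysis, python-check, python-fix). Since the `inputs` context is simply empty for events that carry no inputs, the guard can be dropped: `local-checkout-path: ${{ inputs.checkout-path || format('{0}-src', github.event.repository.name) }}`. The `== 'workflow_call'` / `!= 'workflow_call'` branches in the job conditions need the same rework, keying on whether the relevant input is set (e.g. `inputs.repo != ''`) rather than on the event name.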
@@ -18,11 +32,14 @@ jobs: steps: - name: Detect act environment id: detect_act - uses: Framework-R-D/phlex/.github/actions/detect-act-env@main + uses: ${{ github.repository }}/.github/actions/detect-act-env@main detect-changes: needs: pre-check - if: github.event_name != 'workflow_dispatch' && needs.pre-check.outputs.is_act != 'true' + if: > + github.event_name != 'workflow_dispatch' && + (github.event_name != 'workflow_call' || inputs.skip-relevance-check != 'true') && + needs.pre-check.outputs.is_act != 'true' runs-on: ubuntu-latest permissions: contents: read @@ -34,15 +51,15 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - path: phlex-src + path: ${{ env.local-checkout-path }} - name: Detect workflow changes id: filter - uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main + uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main with: - repo-path: phlex-src - base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} - head-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} + repo-path: ${{ env.local-checkout-path }} + base-ref: ${{ github.event.pull_request.base.sha || github.event.before }} + head-ref: ${{ github.event.pull_request.head.sha || github.sha }} include-globs: | .github/workflows/**/*.yml .github/workflows/**/*.yaml @@ -63,6 +80,7 @@ jobs: needs: [pre-check, detect-changes] if: > github.event_name == 'workflow_dispatch' || + (github.event_name == 'workflow_call' && inputs.skip-relevance-check == 'true') || needs.pre-check.outputs.is_act == 'true' || (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes == 'true') runs-on: ubuntu-latest 
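Review bot: In the new `detect-changes` condition, `inputs.skip-relevance-check != 'true'` compares a `type: boolean` input against the string `'true'`; GitHub coerces mismatched operand types to numbers for `==`/`!=`, so the boolean never equals the string and the check is effectively constant (always "not skipped"). Compare with the bare boolean instead: `(github.event_name != 'workflow_call' || !inputs.skip-relevance-check) &&` here, and `inputs.skip-relevance-check == true` in the `actionlint` job's `if:` later in this file. The same string comparison is repeated in cmake-build.yaml, cmake-format-check.yaml and python-check.yaml.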
@@ -73,7 +91,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - path: phlex-src + path: ${{ env.local-checkout-path }} - name: Announce actionlint check run: echo "➡️ Running actionlint check..." @@ -82,7 +100,7 @@ jobs: id: lint run: | docker run --rm \ - -v "${{ github.workspace }}/phlex-src:/work" \ + -v "${{ github.workspace }}/${{ env.local-checkout-path }}:/work" \ -w /work \ rhysd/actionlint:latest \ -config-file .github/actionlint.yaml @@ -102,9 +120,9 @@ jobs: needs: [pre-check, detect-changes] if: > github.event_name != 'workflow_dispatch' && + (github.event_name != 'workflow_call' || inputs.skip-relevance-check != 'true') && needs.pre-check.outputs.is_act != 'true' && - needs.detect-changes.result == 'success' && - needs.detect-changes.outputs.has_changes != 'true' + (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes != 'true') runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/cmake-build.yaml b/.github/workflows/cmake-build.yaml index a7bcc359..54721113 100644 --- a/.github/workflows/cmake-build.yaml +++ b/.github/workflows/cmake-build.yaml @@ -1,5 +1,5 @@ name: CMake Build and Test -run-name: "${{ github.actor }} building and testing Phlex" +run-name: "${{ github.actor }} building and testing ${{ github.repository }}" on: pull_request: 
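Review bot: The environment variable names introduced here (`local-checkout-path`, and `local-build-path` in cmake-build.yaml) contain hyphens, which are not valid shell identifiers, so the `docker run` step in this hunk has to splice the value into the script as `${{ env.local-checkout-path }}` instead of reading `"$LOCAL_CHECKOUT_PATH"`; the same pattern recurs in the `cd`, `gersemi` and `working-directory` lines of the other files, whereas codeql-analysis.yaml already uses underscores. Template interpolation into `run:` is also the shape that allows script injection when the value can be chosen by a caller, as `inputs.checkout-path` can. Naming them `LOCAL_CHECKOUT_PATH`/`LOCAL_BUILD_PATH` lets every `run:` block use a quoted shell variable, e.g. `-v "${GITHUB_WORKSPACE}/${LOCAL_CHECKOUT_PATH}:/work" \`.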
@@ -21,6 +21,41 @@ on: Default (if empty): Run all except clang/none and clang/valgrind. required: false default: '' + workflow_call: + inputs: + checkout-path: + description: "Path to check out code to" + required: false + type: string + build-path: + description: "Path for build artifacts" + required: false + type: string + skip-relevance-check: + description: "Bypass relevance check" + required: false + type: boolean + default: false + build-combinations: + description: "A space- or comma-separated list of build combinations to run" + required: false + type: string + ref: + description: "The branch or ref to checkout" + required: false + type: string + repo: + description: "The repository to checkout from" + required: false + type: string + pr-base-sha: + description: "Base SHA of the PR for relevance check" + required: false + type: string + pr-head-sha: + description: "Head SHA of the PR for relevance check" + required: false + type: string permissions: contents: read @@ -29,17 +64,23 @@ permissions: env: BUILD_TYPE: Release CICOLOR_FORCE: 1 + local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} + local-build-path: ${{ (github.event_name == 'workflow_call' && inputs.build-path) || format('{0}-build', github.event.repository.name) }} jobs: pre-check: if: > github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' || + github.event_name == 'workflow_call' || ( github.event_name == 'issue_comment' && github.event.issue.pull_request && (github.event.comment.author_association == 'COLLABORATOR' || github.event.comment.author_association == 'OWNER') && - startsWith(github.event.comment.body, '@phlexbot build') + ( + startsWith(github.event.comment.body, '@phlexbot build') || + startsWith(github.event.comment.body, format('@{0}bot build', github.event.repository.name)) + ) ) runs-on: ubuntu-latest permissions: 
@@ -48,9 +89,8 @@ jobs: outputs: is_act: ${{ steps.detect_act.outputs.is_act }} - pr_details: ${{ steps.pr.outputs.result }} - sha: ${{ steps.pr.outputs.sha || github.sha }} - repo: ${{ steps.pr.outputs.repo || github.repository }} + sha: ${{ (github.event_name == 'workflow_call' && inputs.ref) || steps.pr.outputs.sha || github.sha }} + repo: ${{ (github.event_name == 'workflow_call' && inputs.repo) || steps.pr.outputs.repo || github.repository }} steps: - name: Get PR details for comment trigger @@ -67,18 +107,23 @@ jobs: return { ref: pr.data.head.ref, sha: pr.data.head.sha, + repo: pr.data.head.repo.full_name, base_sha: pr.data.base.sha }; - name: Detect act environment id: detect_act - uses: Framework-R-D/phlex/.github/actions/detect-act-env@main + uses: ${{ github.repository }}/.github/actions/detect-act-env@main detect-changes: needs: pre-check if: > needs.pre-check.result == 'success' && - (github.event_name == 'pull_request' || github.event_name == 'push') && + ( + github.event_name == 'pull_request' || + github.event_name == 'push' || + (github.event_name == 'workflow_call' && inputs.skip-relevance-check != 'true') + ) && needs.pre-check.outputs.is_act != 'true' runs-on: ubuntu-latest permissions: 
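Review bot: `repo: pr.data.head.repo.full_name` in the comment-trigger script dereferences `head.repo` without a null check; the pull-request schema marks `head.repo` as nullable (it is null once the fork that opened the PR has been deleted), so the `github-script` step would throw instead of falling back to `github.repository`. Guard it with `repo: pr.data.head.repo ? pr.data.head.repo.full_name : '',`. The start of that script is outside the hunk; if it only `return`s the object and never calls `core.setOutput`, the values surface as `steps.pr.outputs.result` rather than `steps.pr.outputs.repo`/`.sha`, and the new `repo:` job output would stay empty — worth confirming against the full step.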
@@ -91,15 +136,15 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - path: phlex-src + path: ${{ env.local-checkout-path }} - name: Detect C++ and CMake changes id: filter - uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main + uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main with: - repo-path: phlex-src - base-ref: ${{ github.event.pull_request.base.sha || github.event.before }} - head-ref: ${{ github.event.pull_request.head.sha || github.sha }} + repo-path: ${{ env.local-checkout-path }} + base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }} + head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }} file-type: | cpp cmake @@ -122,9 +167,9 @@ jobs: matrix: ${{ steps.generate.outputs.matrix }} steps: - id: generate - uses: Framework-R-D/phlex/.github/actions/generate-build-matrix@main + uses: ${{ github.repository }}/.github/actions/generate-build-matrix@main with: - user-input: ${{ github.event.inputs.build-combinations }} + user-input: ${{ (github.event_name == 'workflow_call' && inputs.build-combinations) || github.event.inputs.build-combinations }} comment-body: ${{ github.event.comment.body }} build: @@ -134,6 +179,7 @@ jobs: ( github.event_name == 'workflow_dispatch' || github.event_name == 'issue_comment' || + (github.event_name == 'workflow_call' && inputs.skip-relevance-check == 'true') || needs.pre-check.outputs.is_act == 'true' || (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes == 'true') ) 
@@ -149,35 +195,41 @@ jobs: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - path: phlex-src + path: ${{ env.local-checkout-path }} ref: ${{ needs.pre-check.outputs.sha }} repository: ${{ needs.pre-check.outputs.repo }} - name: Setup build environment - uses: Framework-R-D/phlex/.github/actions/setup-build-env@main + uses: ${{ github.repository }}/.github/actions/setup-build-env@main + with: + build-path: ${{ env.local-build-path }} - name: Announce CMake configuration run: echo "➡️ Configuring CMake..." - name: Configure CMake id: configure - uses: Framework-R-D/phlex/.github/actions/configure-cmake@main + uses: ${{ github.repository }}/.github/actions/configure-cmake@main with: + source-path: ${{ env.local-checkout-path }} + build-path: ${{ env.local-build-path }} build-type: ${{ env.BUILD_TYPE }} cpp-compiler: ${{ matrix.compiler == 'gcc' && 'g++' || 'clang++' }} extra-options: | - ${{ matrix.sanitizer == 'asan' && '-DPHLEX_ENABLE_ASAN=ON' || '' }} - ${{ matrix.sanitizer == 'tsan' && '-DPHLEX_ENABLE_TSAN=ON' || '' }} + ${{ matrix.sanitizer == 'asan' && format('-D{0}_ENABLE_ASAN=ON', needs.pre-check.outputs.repo) || '' }} + ${{ matrix.sanitizer == 'tsan' && format('-D{0}_ENABLE_TSAN=ON', needs.pre-check.outputs.repo) || '' }} - name: Build id: build - uses: Framework-R-D/phlex/.github/actions/build-cmake@main + uses: ${{ github.repository }}/.github/actions/build-cmake@main + with: + build-path: ${{ env.local-build-path }} - name: Run tests if: matrix.sanitizer != 'valgrind' run: | . /entrypoint.sh - cd "$GITHUB_WORKSPACE/phlex-build" + cd "$GITHUB_WORKSPACE/${{ env.local-build-path }}" echo "➡️ Running tests..." echo "::group::Running ctest" @@ -194,7 +246,7 @@ jobs: if: matrix.sanitizer == 'valgrind' run: | . /entrypoint.sh - cd "$GITHUB_WORKSPACE/phlex-build" + cd "$GITHUB_WORKSPACE/${{ env.local-build-path }}" echo "➡️ Running Valgrind tests..." echo "::group::Running ctest -T memcheck" 
@@ -211,9 +263,9 @@ jobs: if: > needs.pre-check.result == 'success' && github.event_name != 'workflow_dispatch' && + (github.event_name != 'workflow_call' || inputs.skip-relevance-check != 'true') && needs.pre-check.outputs.is_act != 'true' && - needs.detect-changes.result == 'success' && - needs.detect-changes.outputs.has_changes != 'true' + (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes != 'true') runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/cmake-format-check.yaml b/.github/workflows/cmake-format-check.yaml index 1fb01034..a6927d58 100644 --- a/.github/workflows/cmake-format-check.yaml +++ b/.github/workflows/cmake-format-check.yaml @@ -9,6 +9,28 @@ on: pull_request: branches: [ main, develop ] workflow_dispatch: + workflow_call: + inputs: + checkout-path: + description: "Path to check out code to" + required: false + type: string + skip-relevance-check: + description: "Bypass relevance check" + required: false + type: boolean + default: false + pr-base-sha: + description: "Base SHA of the PR for relevance check" + required: false + type: string + pr-head-sha: + description: "Head SHA of the PR for relevance check" + required: false + type: string + +env: + local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} jobs: pre-check: @@ -18,11 +40,14 @@ jobs: steps: - name: Detect act environment id: detect_act - uses: Framework-R-D/phlex/.github/actions/detect-act-env@main + uses: ${{ github.repository }}/.github/actions/detect-act-env@main detect-changes: needs: pre-check - if: github.event_name != 'workflow_dispatch' && needs.pre-check.outputs.is_act != 'true' + if: > + github.event_name != 'workflow_dispatch' && + (github.event_name != 'workflow_call' || inputs.skip-relevance-check != 'true') && + needs.pre-check.outputs.is_act != 'true' runs-on: ubuntu-latest permissions: contents: read 
@@ -34,15 +59,15 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - path: phlex-src + path: ${{ env.local-checkout-path }} - name: Detect CMake formatting changes id: filter - uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main + uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main with: - repo-path: phlex-src - base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} - head-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} + repo-path: ${{ env.local-checkout-path }} + base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }} + head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }} file-type: cmake - name: Report detection outcome @@ -59,6 +84,7 @@ jobs: needs: [pre-check, detect-changes] if: > github.event_name == 'workflow_dispatch' || + (github.event_name == 'workflow_call' && inputs.skip-relevance-check == 'true') || needs.pre-check.outputs.is_act == 'true' || (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes == 'true') runs-on: ubuntu-latest @@ -67,7 +93,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - path: phlex-src + path: ${{ env.local-checkout-path }} - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 
@@ -80,9 +106,9 @@ jobs: - name: Check CMake formatting run: | echo "➡️ Checking CMake file formatting..." - if ! gersemi --check phlex-src; then + if ! gersemi --check ${{ env.local-checkout-path }}; then echo "::error::Found files with formatting issues." - echo "::error::Run 'gersemi -i ' locally or comment '@phlexbot format' on the PR to auto-fix." + echo "::error::Run 'gersemi -i ' locally or comment '@${{ github.event.repository.name }}bot format' on the PR to auto-fix." exit 1 else echo "✅ All CMake files are properly formatted." @@ -92,9 +118,9 @@ jobs: needs: [pre-check, detect-changes] if: > github.event_name != 'workflow_dispatch' && + (github.event_name != 'workflow_call' || inputs.skip-relevance-check != 'true') && needs.pre-check.outputs.is_act != 'true' && - needs.detect-changes.result == 'success' && - needs.detect-changes.outputs.has_changes != 'true' + (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes != 'true') runs-on: ubuntu-latest steps: diff --git a/.github/workflows/cmake-format-fix.yaml b/.github/workflows/cmake-format-fix.yaml index ef4beb87..632ec451 100644 --- a/.github/workflows/cmake-format-fix.yaml +++ b/.github/workflows/cmake-format-fix.yaml 
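Review bot: `gersemi --check ${{ env.local-checkout-path }}` leaves the path unquoted, so a value supplied through `inputs.checkout-path` that contains whitespace is word-split by the shell, and because the expression is interpolated at template time any shell metacharacters in it are executed rather than passed to gersemi. Quoting, `if ! gersemi --check "${{ env.local-checkout-path }}"; then`, fixes the word-splitting; only passing the value through the step's `env:` and reading `"$CHECKOUT_PATH"` removes the interpolation itself. The `gersemi -i ${{ env.local-checkout-path }}` line in cmake-format-fix.yaml has the same issue.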
@@ -5,40 +5,60 @@ on: issue_comment: types: - created + workflow_call: + inputs: + checkout-path: + description: "Path to check out code to" + required: false + type: string + ref: + description: "The branch or ref to checkout" + required: true + type: string + repo: + description: "The repository to checkout from" + required: true + type: string permissions: pull-requests: write contents: write +env: + local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} + jobs: parse-command: runs-on: ubuntu-latest name: Parse bot command if: > + github.event_name == 'issue_comment' && github.event.issue.pull_request && - startsWith(github.event.comment.body, '@phlexbot format') + ( + startsWith(github.event.comment.body, '@phlexbot format') || + startsWith(github.event.comment.body, format('@{0}bot format', github.event.repository.name)) + ) outputs: ref: ${{ steps.get_pr.outputs.ref }} - sha: ${{ steps.get_pr.outputs.sha }} repo: ${{ steps.get_pr.outputs.repo }} steps: - name: Get PR Info id: get_pr - uses: Framework-R-D/phlex/.github/actions/get-pr-info@main + uses: ${{ github.repository }}/.github/actions/get-pr-info@main apply_cmake_formatting: runs-on: ubuntu-latest name: Apply CMake formatting needs: parse-command - if: ${{ needs.parse-command.result == 'success' }} + if: github.event_name == 'workflow_call' || needs.parse-command.result == 'success' steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - path: phlex-src - ref: ${{ needs.parse-command.outputs.ref }} - repository: ${{ needs.parse-command.outputs.repo }} + path: ${{ env.local-checkout-path }} + ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }} + repository: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }} token: ${{ secrets.WORKFLOW_PAT }} - name: Set up Python 
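Review bot: The `workflow_call` trigger added here declares `inputs` but no `secrets`, while `apply_cmake_formatting` checks out a caller-chosen `inputs.repo`/`inputs.ref` with `token: ${{ secrets.WORKFLOW_PAT }}` under `contents: write`; a caller that does not use `secrets: inherit` passes an empty token, and the requirement is invisible to callers. Declare it next to the inputs: `secrets:` / `WORKFLOW_PAT:` / `required: true`. A second problem: under `workflow_call` the `parse-command` job is skipped by its new `if:`, and a job that `needs:` a skipped job is itself skipped unless its own condition uses a status function, so `if: github.event_name == 'workflow_call' || needs.parse-command.result == 'success'` most likely never lets the apply job run for callers; `if: ${{ !cancelled() && (inputs.repo != '' || needs.parse-command.result == 'success') }}` is the usual shape. python-fix.yaml has both issues.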
@@ -52,13 +72,13 @@ jobs: - name: Apply CMake formatting run: | echo "Applying CMake formatting..." - gersemi -i phlex-src + gersemi -i ${{ env.local-checkout-path }} - name: Handle fix commit - uses: ./phlex-src/.github/actions/handle-fix-commit + uses: ./${{ env.local-checkout-path }}/.github/actions/handle-fix-commit with: tool: cmake-format working-directory: phlex-src token: ${{ secrets.WORKFLOW_PAT }} - pr-info-ref: ${{ needs.parse-command.outputs.ref }} - pr-info-repo: ${{ needs.parse-command.outputs.repo }} + pr-info-ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }} + pr-info-repo: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }} diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 167342ab..81bc8ece 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -9,6 +9,33 @@ on: schedule: - cron: '0 3 * * 0' # weekly (UTC) — adjust as needed workflow_dispatch: + workflow_call: + inputs: + checkout-path: + description: "Path to check out code to" + required: false + type: string + build-path: + description: "Path for build artifacts" + required: false + type: string + language-matrix: + description: "JSON array of languages to analyze" + required: false + type: string + default: '["cpp", "python", "actions"]' + pr-number: + description: "PR number if run in PR context" + required: false + type: string + pr-head-repo: + description: "The full name of the PR head repository" + required: false + type: string + pr-base-repo: + description: "The full name of the PR base repository" + required: false + type: string permissions: actions: read @@ -18,7 +45,6 @@ permissions: env: BUILD_TYPE: RelWithDebInfo CPP_COMPILER: g++ - CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE: ${{ github.workspace }}/phlex-build/compile_commands.json jobs: codeql: 
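Review bot: In the `Handle fix commit` step the checkout `path:` became `${{ env.local-checkout-path }}`, but the context line `working-directory: phlex-src` is left hard-coded, so for any caller whose checkout path is not `phlex-src` (the default is `<repo>-src`) the action runs in a directory that does not exist; change it to `working-directory: ${{ env.local-checkout-path }}`. The same step's `uses: ./${{ env.local-checkout-path }}/.github/actions/handle-fix-commit` will not load either: the `uses:` key does not accept expressions (PATCH 2/7 reverts the `${{ github.repository }}/…` variants, presumably for that reason, but not this local-path form), so the action path has to stay literal — either keep `uses: ./phlex-src/.github/actions/handle-fix-commit` with the checkout path pinned to match, or reference it as `owner/repo/path@ref`. python-fix.yaml's `Handle fix commit` step has both issues.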
@@ -26,36 +52,42 @@ jobs: runs-on: ubuntu-24.04 container: image: ghcr.io/framework-r-d/phlex-ci:latest + env: + local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} + local_build_path: ${{ (github.event_name == 'workflow_call' && inputs.build-path) || format('{0}-build', github.event.repository.name) }} + CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE: ${{ github.workspace }}/${{ (github.event_name == 'workflow_call' && inputs.build-path) || format('{0}-build', github.event.repository.name) }}/compile_commands.json strategy: fail-fast: false matrix: - language: ['cpp', 'python', 'actions'] + language: ${{ fromJson((github.event_name == 'workflow_call' && inputs.language-matrix) || '["cpp", "python", "actions"]') }} timeout-minutes: 120 steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - path: phlex-src + path: ${{ env.local_checkout_path }} fetch-depth: 0 - name: Setup build environment - uses: Framework-R-D/phlex/.github/actions/setup-build-env@main + uses: ${{ github.repository }}/.github/actions/setup-build-env@main with: - build-path: phlex-build + build-path: ${{ env.local_build_path }} - name: Initialize CodeQL uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 with: languages: ${{ matrix.language }} - config-file: phlex-src/.github/codeql/codeql-config.yml - source-root: phlex-src + config-file: ${{ env.local_checkout_path }}/.github/codeql/codeql-config.yml + source-root: ${{ env.local_checkout_path }} build-mode: none - name: Produce compile_commands.json (C++ only) if: matrix.language == 'cpp' - uses: Framework-R-D/phlex/.github/actions/configure-cmake@main + uses: ${{ github.repository }}/.github/actions/configure-cmake@main with: build-type: ${{ env.BUILD_TYPE }} + source-path: ${{ env.local_checkout_path }} + build-path: ${{ env.local_build_path }} - name: Verify 
compile_commands.json (C++ only) if: matrix.language == 'cpp' @@ -70,7 +102,7 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 with: - checkout_path: phlex-src + checkout_path: ${{ env.local_checkout_path }} output: results category: ${{ matrix.language }} @@ -119,8 +151,15 @@ jobs: --min-level "${CODEQL_MIN_LEVEL}" --log-path "${{ steps.set_log_path.outputs.path }}" ) + PR_NUMBER="" if [ "${{ github.event_name }}" = "pull_request" ]; then - ARGS+=(--ref "refs/pull/${{ github.event.pull_request.number }}/merge") + PR_NUMBER="${{ github.event.pull_request.number }}" + elif [ "${{ github.event_name }}" = "workflow_call" ]; then + PR_NUMBER="${{ inputs.pr-number }}" + fi + + if [ -n "$PR_NUMBER" ]; then + ARGS+=(--ref "refs/pull/${PR_NUMBER}/merge") fi python3 scripts/check_codeql_alerts.py "${ARGS[@]}" diff --git a/.github/workflows/python-check.yaml b/.github/workflows/python-check.yaml index 61f00950..48ae05a4 100644 --- a/.github/workflows/python-check.yaml +++ b/.github/workflows/python-check.yaml @@ -9,6 +9,28 @@ on: pull_request: branches: [ main, develop ] workflow_dispatch: + workflow_call: + inputs: + checkout-path: + description: "Path to check out code to" + required: false + type: string + skip-relevance-check: + description: "Bypass relevance check" + required: false + type: boolean + default: false + pr-base-sha: + description: "Base SHA of the PR for relevance check" + required: false + type: string + pr-head-sha: + description: "Head SHA of the PR for relevance check" + required: false + type: string + +env: + local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} jobs: pre-check: 
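Review bot: `local_checkout_path`/`local_build_path` are defined under `container.env`, but the later steps read them through the `env` context (`${{ env.local_checkout_path }}` in `path:`, `config-file:`, `source-root:`, `build-path:`); as far as I can tell `container.env` only sets variables inside the container process and does not populate the expression-level `env` context, so those `with:` values would resolve to empty strings. Moving the three definitions to `jobs.codeql.env:` makes them visible to both the expressions and the container. The duplicated build-path expression inside `CODEQL_EXTRACTOR_CPP_COMPILATION_DATABASE` then deserves a comment such as `# repeated: env values cannot reference each other`.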
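Review bot: `PR_NUMBER="${{ inputs.pr-number }}"` splices a caller-supplied string straight into the bash script, so a value containing a quote or `$(…)` is executed by the shell before `check_codeql_alerts.py` ever sees it. Declare the input as `type: number` so the runner rejects non-numeric values, pass it to the step via `env:` (`PR_NUMBER_INPUT: ${{ inputs.pr-number }}`) and read `PR_NUMBER="$PR_NUMBER_INPUT"` instead of interpolating, with a `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]]` check before building `--ref "refs/pull/${PR_NUMBER}/merge"` so the `pull_request` branch is covered too. Since `github.event_name` in a called workflow is the caller's event, the `elif … = "workflow_call"` branch never matches; testing `[ -n "$PR_NUMBER_INPUT" ]` is the reliable trigger. The step's `env:` header and the `ARGS` setup are outside the hunk.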
@@ -18,11 +40,14 @@ jobs: steps: - name: Detect act environment id: detect_act - uses: Framework-R-D/phlex/.github/actions/detect-act-env@main + uses: ${{ github.repository }}/.github/actions/detect-act-env@main detect-changes: needs: pre-check - if: github.event_name != 'workflow_dispatch' && needs.pre-check.outputs.is_act != 'true' + if: > + github.event_name != 'workflow_dispatch' && + (github.event_name != 'workflow_call' || inputs.skip-relevance-check != 'true') && + needs.pre-check.outputs.is_act != 'true' runs-on: ubuntu-latest permissions: contents: read @@ -34,15 +59,15 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - path: phlex-src + path: ${{ env.local-checkout-path }} - name: Detect Python changes id: filter - uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main + uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main with: - repo-path: phlex-src - base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }} - head-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} + repo-path: ${{ env.local-checkout-path }} + base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }} + head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }} file-type: python - name: Report detection outcome @@ -59,6 +84,7 @@ jobs: needs: [pre-check, detect-changes] if: > github.event_name == 'workflow_dispatch' || + (github.event_name == 'workflow_call' && inputs.skip-relevance-check == 'true') || needs.pre-check.outputs.is_act == 'true' || (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes == 'true') runs-on: ubuntu-latest 
@@ -69,7 +95,7 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - path: phlex-src + path: ${{ env.local-checkout-path }} - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -81,7 +107,7 @@ jobs: pip install ruff mypy - name: Run ruff and mypy checks - working-directory: phlex-src + working-directory: ${{ env.local-checkout-path }} env: FORCE_COLOR: 1 # `ruff`/`colored` crate run: | @@ -115,9 +141,9 @@ jobs: needs: [pre-check, detect-changes] if: > github.event_name != 'workflow_dispatch' && + (github.event_name != 'workflow_call' || inputs.skip-relevance-check != 'true') && needs.pre-check.outputs.is_act != 'true' && - needs.detect-changes.result == 'success' && - needs.detect-changes.outputs.has_changes != 'true' + (needs.detect-changes.result == 'success' && needs.detect-changes.outputs.has_changes != 'true') runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/python-fix.yaml b/.github/workflows/python-fix.yaml index 415a258d..4d89912c 100644 --- a/.github/workflows/python-fix.yaml +++ b/.github/workflows/python-fix.yaml 
@@ -5,38 +5,58 @@ on: issue_comment: types: - created + workflow_call: + inputs: + checkout-path: + description: "Path to check out code to" + required: false + type: string + ref: + description: "The branch or ref to checkout" + required: true + type: string + repo: + description: "The repository to checkout from" + required: true + type: string permissions: pull-requests: write contents: write +env: + local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} + jobs: parse-command: runs-on: ubuntu-latest name: Parse bot command - if: | + if: > + github.event_name == 'issue_comment' && github.event.issue.pull_request && - startsWith(github.event.comment.body, '@phlexbot python-fix') + ( + startsWith(github.event.comment.body, '@phlexbot python-fix') || + startsWith(github.event.comment.body, format('@{0}bot python-fix', github.event.repository.name)) + ) outputs: ref: ${{ steps.get_pr.outputs.ref }} - sha: ${{ steps.get_pr.outputs.sha }} repo: ${{ steps.get_pr.outputs.repo }} steps: - name: Get PR Info id: get_pr - uses: Framework-R-D/phlex/.github/actions/get-pr-info@main + uses: ${{ github.repository }}/.github/actions/get-pr-info@main apply_fixes: runs-on: ubuntu-latest name: Apply fixes needs: parse-command - if: ${{ needs.parse-command.result == 'success' }} + if: github.event_name == 'workflow_call' || needs.parse-command.result == 'success' steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - path: phlex-src - ref: ${{ needs.parse-command.outputs.ref }} - repository: ${{ needs.parse-command.outputs.repo }} + path: ${{ env.local-checkout-path }} + ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }} + repository: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }} token: ${{ secrets.WORKFLOW_PAT }} - name: Set up Python 
@@ -49,7 +69,7 @@ jobs: pip install ruff - name: Run ruff format and fix - working-directory: phlex-src + working-directory: ${{ env.local-checkout-path }} env: FORCE_COLOR: 1 run: | @@ -59,10 +79,10 @@ jobs: ruff check --fix . || true - name: Handle fix commit - uses: ./phlex-src/.github/actions/handle-fix-commit + uses: ./${{ env.local-checkout-path }}/.github/actions/handle-fix-commit with: tool: 'Python linting' working-directory: phlex-src token: ${{ secrets.WORKFLOW_PAT }} - pr-info-ref: ${{ needs.parse-command.outputs.ref }} - pr-info-repo: ${{ needs.parse-command.outputs.repo }} + pr-info-ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }} + pr-info-repo: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }} From b17b9eda5521f52a7d05a9fd41b94f52afb8e068 Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 11 Dec 2025 21:27:51 +0000 Subject: [PATCH 2/7] refactor: Make workflows reusable for external repositories This change refactors the GitHub Actions workflows to support 'workflow_call' triggers. Key changes: - Added 'workflow_call' triggers to all relevant workflows. - Replaced hardcoded 'phlex' references with dynamic repository information. - Added inputs to configure checkout paths, build matrices, and skip relevance checks. - Ensured workflows remain backward-compatible with existing triggers. - Fixed an issue with constructing CMake sanitizer options by correctly extracting the repository name. - Corrected the relevance check in `actionlint-check.yaml` to handle pull request context from `workflow_call`. This allows the workflows to be called from external repositories, improving their reusability and portability. --- .github/workflows/actionlint-check.yaml | 16 ++++++++++++---- .github/workflows/cmake-build.yaml | 20 ++++++++++++-------- .github/workflows/cmake-format-check.yaml | 4 ++-- .github/workflows/cmake-format-fix.yaml | 2 +- .github/workflows/codeql-analysis.yaml | 4 ++-- .github/workflows/python-check.yaml | 4 ++-- .github/workflows/python-fix.yaml | 2 +- 7 files changed, 32 insertions(+), 20 deletions(-) diff --git a/.github/workflows/actionlint-check.yaml b/.github/workflows/actionlint-check.yaml index e1ea3f21..9df0035e 100644 --- a/.github/workflows/actionlint-check.yaml +++ b/.github/workflows/actionlint-check.yaml @@ -20,6 +20,14 @@ on: required: false type: boolean default: false + pr-base-sha: + description: "Base SHA of the PR for relevance check" + required: false + type: string + pr-head-sha: + description: "Head SHA of the PR for relevance check" + required: false + type: string env: local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }} 
@@ -32,7 +40,7 @@ jobs:
steps:
- name: Detect act environment
id: detect_act
- uses: ${{ github.repository }}/.github/actions/detect-act-env@main
+ uses: Framework-R-D/phlex/.github/actions/detect-act-env@main
detect-changes:
needs: pre-check
@@ -55,11 +63,11 @@ jobs:
- name: Detect workflow changes
id: filter
- uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main
+ uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
with:
repo-path: ${{ env.local-checkout-path }}
- base-ref: ${{ github.event.pull_request.base.sha || github.event.before }}
- head-ref: ${{ github.event.pull_request.head.sha || github.sha }}
+ base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
+ head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }}
include-globs: |
.github/workflows/**/*.yml
.github/workflows/**/*.yaml
diff --git a/.github/workflows/cmake-build.yaml b/.github/workflows/cmake-build.yaml
index 54721113..315184f2 100644
--- a/.github/workflows/cmake-build.yaml
+++ b/.github/workflows/cmake-build.yaml
@@ -113,7 +113,7 @@ jobs:
- name: Detect act environment
id: detect_act
- uses: ${{ github.repository }}/.github/actions/detect-act-env@main
+ uses: Framework-R-D/phlex/.github/actions/detect-act-env@main
detect-changes:
needs: pre-check
@@ -140,7 +140,7 @@ jobs:
- name: Detect C++ and CMake changes
id: filter
- uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main
+ uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
with:
repo-path: ${{ env.local-checkout-path }}
base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
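Review bot: The composite actions are now referenced as `Framework-R-D/phlex/.github/actions/...@main` — presumably because `uses:` does not accept `${{ }}` expressions — while `actions/checkout` in the same workflows is pinned to a commit SHA with a version comment, so the repository mixes two pinning disciplines. For an external caller this matters: a caller that pins the reusable workflow to a commit or tag still executes whatever is on phlex `main` at run time for `detect-act-env`, `detect-relevant-changes`, `generate-build-matrix`, `setup-build-env`, `configure-cmake`, `build-cmake`, `get-pr-info` and `handle-fix-commit` (the same pattern recurs in the cmake-build, cmake-format-check, cmake-format-fix, codeql-analysis, python-check and python-fix hunks that follow). Pinning these to a tag or SHA that is bumped with releases, or checking out phlex at a fixed ref and using the local `./phlex/.github/actions/<name>` path, would keep the pinning contract intact; a comment such as `# actions intentionally track main; see <DOC_LINK_PLACEHOLDER>` would at least record the choice if it is deliberate.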
@@ -167,7 +167,7 @@ jobs:
matrix: ${{ steps.generate.outputs.matrix }}
steps:
- id: generate
- uses: ${{ github.repository }}/.github/actions/generate-build-matrix@main
+ uses: Framework-R-D/phlex/.github/actions/generate-build-matrix@main
with:
user-input: ${{ (github.event_name == 'workflow_call' && inputs.build-combinations) || github.event.inputs.build-combinations }}
comment-body: ${{ github.event.comment.body }}
@@ -200,28 +200,32 @@ jobs:
repository: ${{ needs.pre-check.outputs.repo }}
- name: Setup build environment
- uses: ${{ github.repository }}/.github/actions/setup-build-env@main
+ uses: Framework-R-D/phlex/.github/actions/setup-build-env@main
with:
build-path: ${{ env.local-build-path }}
- name: Announce CMake configuration
run: echo "➡️ Configuring CMake..."
+ - name: Extract repository name
+ id: repo_name
+ run: echo "name=$(echo '${{ needs.pre-check.outputs.repo }}' | sed 's:.*/::')" >> $GITHUB_OUTPUT
+
- name: Configure CMake
id: configure
- uses: ${{ github.repository }}/.github/actions/configure-cmake@main
+ uses: Framework-R-D/phlex/.github/actions/configure-cmake@main
with:
source-path: ${{ env.local-checkout-path }}
build-path: ${{ env.local-build-path }}
build-type: ${{ env.BUILD_TYPE }}
cpp-compiler: ${{ matrix.compiler == 'gcc' && 'g++' || 'clang++' }}
extra-options: |
- ${{ matrix.sanitizer == 'asan' && format('-D{0}_ENABLE_ASAN=ON', needs.pre-check.outputs.repo) || '' }}
- ${{ matrix.sanitizer == 'tsan' && format('-D{0}_ENABLE_TSAN=ON', needs.pre-check.outputs.repo) || '' }}
+ ${{ matrix.sanitizer == 'asan' && format('-D{0}_ENABLE_ASAN=ON', steps.repo_name.outputs.name) || '' }}
+ ${{ matrix.sanitizer == 'tsan' && format('-D{0}_ENABLE_TSAN=ON', steps.repo_name.outputs.name) || '' }}
- name: Build
id: build
- uses: ${{ github.repository }}/.github/actions/build-cmake@main
+ uses: Framework-R-D/phlex/.github/actions/build-cmake@main
with:
build-path: ${{ env.local-build-path }}
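Review bot: The new "Extract repository name" step interpolates `${{ needs.pre-check.outputs.repo }}` straight into the shell script text and leaves `$GITHUB_OUTPUT` unquoted; where `pre-check` obtains `repo` is outside the hunk, but the step two lines earlier uses the same value as a `repository:` to check out, so it is data rather than a constant. Passing it through `env:` keeps it out of the script source and a parameter expansion replaces the `echo | sed` pipeline: `env:` / `  REPO: ${{ needs.pre-check.outputs.repo }}` / `run: echo "name=${REPO##*/}" >> "$GITHUB_OUTPUT"`. This is the form GitHub recommends for any value that can originate from a pull request or comment in a `run:` script. The enclosing build job starts before the hunk.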
diff --git a/.github/workflows/cmake-format-check.yaml b/.github/workflows/cmake-format-check.yaml
index a6927d58..d4f02b48 100644
--- a/.github/workflows/cmake-format-check.yaml
+++ b/.github/workflows/cmake-format-check.yaml
@@ -40,7 +40,7 @@ jobs:
steps:
- name: Detect act environment
id: detect_act
- uses: ${{ github.repository }}/.github/actions/detect-act-env@main
+ uses: Framework-R-D/phlex/.github/actions/detect-act-env@main
detect-changes:
needs: pre-check
@@ -63,7 +63,7 @@ jobs:
- name: Detect CMake formatting changes
id: filter
- uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main
+ uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
with:
repo-path: ${{ env.local-checkout-path }}
base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
diff --git a/.github/workflows/cmake-format-fix.yaml b/.github/workflows/cmake-format-fix.yaml
index 632ec451..7fc0fb31 100644
--- a/.github/workflows/cmake-format-fix.yaml
+++ b/.github/workflows/cmake-format-fix.yaml
@@ -45,7 +45,7 @@ jobs:
steps:
- name: Get PR Info
id: get_pr
- uses: ${{ github.repository }}/.github/actions/get-pr-info@main
+ uses: Framework-R-D/phlex/.github/actions/get-pr-info@main
apply_cmake_formatting:
runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 81bc8ece..4680d758 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -69,7 +69,7 @@ jobs:
fetch-depth: 0
- name: Setup build environment
- uses: ${{ github.repository }}/.github/actions/setup-build-env@main
+ uses: Framework-R-D/phlex/.github/actions/setup-build-env@main
with:
build-path: ${{ env.local_build_path }}
@@ -83,7 +83,7 @@ jobs:
- name: Produce compile_commands.json (C++ only)
if: matrix.language == 'cpp'
- uses: ${{ github.repository }}/.github/actions/configure-cmake@main
+ uses: Framework-R-D/phlex/.github/actions/configure-cmake@main
with:
build-type: ${{ env.BUILD_TYPE }}
source-path: ${{ env.local_checkout_path }}
diff --git a/.github/workflows/python-check.yaml b/.github/workflows/python-check.yaml
index 48ae05a4..397562a4 100644
--- a/.github/workflows/python-check.yaml
+++ b/.github/workflows/python-check.yaml
@@ -40,7 +40,7 @@ jobs:
steps:
- name: Detect act environment
id: detect_act
- uses: ${{ github.repository }}/.github/actions/detect-act-env@main
+ uses: Framework-R-D/phlex/.github/actions/detect-act-env@main
detect-changes:
needs: pre-check
@@ -63,7 +63,7 @@ jobs:
- name: Detect Python changes
id: filter
- uses: ${{ github.repository }}/.github/actions/detect-relevant-changes@main
+ uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
with:
repo-path: ${{ env.local-checkout-path }}
base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
diff --git a/.github/workflows/python-fix.yaml b/.github/workflows/python-fix.yaml
index 4d89912c..2576e059 100644
--- a/.github/workflows/python-fix.yaml
+++ b/.github/workflows/python-fix.yaml
@@ -44,7 +44,7 @@ jobs:
steps:
- name: Get PR Info
id: get_pr
- uses: ${{ github.repository }}/.github/actions/get-pr-info@main
+ uses: Framework-R-D/phlex/.github/actions/get-pr-info@main
apply_fixes:
runs-on: ubuntu-latest
From 428f5ba627b3d0b77811c8250b7803aba7791b32 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 11 Dec 2025 21:50:07 +0000
Subject: [PATCH 3/7] refactor: Make workflows reusable for external repositories
This change refactors the GitHub Actions workflows to support 'workflow_call' triggers, making them self-contained and portable for use in external repositories.
Key changes:
- Added 'workflow_call' triggers to all relevant workflows with inputs to configure behavior like checkout paths, build matrices, and relevance check skipping.
- Replaced hardcoded 'phlex' references with dynamic repository information.
- Ensured workflows remain backward-compatible with existing triggers.
- Fixed an issue with constructing CMake sanitizer options by correctly extracting the repository name from the full 'owner/repo' string.
- Corrected the relevance check in `actionlint-check.yaml` to handle pull request context from `workflow_call`.
- Updated workflows to explicitly check out the 'phlex' repository for ancillary scripts or to use canonical remote paths for reusable actions, ensuring they are self-contained.
---
.github/workflows/cmake-format-fix.yaml | 2 +-
.github/workflows/codeql-analysis.yaml | 15 ++++++++++++++-
.github/workflows/python-fix.yaml | 2 +-
3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cmake-format-fix.yaml b/.github/workflows/cmake-format-fix.yaml
index 7fc0fb31..eb82fa39 100644
--- a/.github/workflows/cmake-format-fix.yaml
+++ b/.github/workflows/cmake-format-fix.yaml
@@ -75,7 +75,7 @@ jobs:
gersemi -i ${{ env.local-checkout-path }}
- name: Handle fix commit
- uses: ./${{ env.local-checkout-path }}/.github/actions/handle-fix-commit
+ uses: Framework-R-D/phlex/.github/actions/handle-fix-commit@main
with:
tool: cmake-format
working-directory: phlex-src
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 4680d758..a0ee8e79 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -135,6 +135,14 @@ jobs:
with:
fetch-depth: 0
+ - name: Checkout Phlex for scripts
+ if: github.event_name == 'workflow_call'
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ with:
+ repository: Framework-R-D/phlex
+ path: phlex
+ fetch-depth: 0
+
- name: Download CodeQL SARIF artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
@@ -161,7 +169,12 @@ jobs:
if [ -n "$PR_NUMBER" ]; then
ARGS+=(--ref "refs/pull/${PR_NUMBER}/merge")
fi
- python3 scripts/check_codeql_alerts.py "${ARGS[@]}"
+
+ script_path="scripts/check_codeql_alerts.py"
+ if [ "${{ github.event_name }}" = "workflow_call" ]; then
+ script_path="phlex/$script_path"
+ fi
+ python3 "$script_path" "${ARGS[@]}"
- name: Upload CodeQL alerts debug log
if: always()
diff --git a/.github/workflows/python-fix.yaml b/.github/workflows/python-fix.yaml
index 2576e059..048598d6 100644
--- a/.github/workflows/python-fix.yaml
+++ b/.github/workflows/python-fix.yaml
@@ -79,7 +79,7 @@ jobs:
ruff check --fix . || true
- name: Handle fix commit
- uses: ./${{ env.local-checkout-path }}/.github/actions/handle-fix-commit
+ uses: Framework-R-D/phlex/.github/actions/handle-fix-commit@main
with:
tool: 'Python linting'
working-directory: phlex-src
From f6c70044fe5803e1eaae3f9f99c85d60573069fb Mon Sep 17 00:00:00 2001
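Review bot: The new "Checkout Phlex for scripts" step pins `actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0` while every other checkout in this series uses `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, so one repository now carries the same action at two revisions, which complicates audits and automated bumps; aligning on the `de0fac2e… # v6.0.2` pin is a one-line change. The step also passes `repository: Framework-R-D/phlex` without a `ref:`, so a caller gets the phlex default branch's `scripts/check_codeql_alerts.py` at run time rather than a fixed version. In the `run:` block below, `"$GITHUB_EVENT_NAME"` is the conventional way to read the event name inside shell instead of templating `${{ github.event_name }}` into the script text, and note that in a called workflow that value is the caller's event, so the `workflow_call` comparison (here and on the step's `if:`) needs a different signal such as `github.repository != 'Framework-R-D/phlex'` or a dedicated input to select the `phlex/` path. The enclosing run step and job start before the hunk.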
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 21 Jan 2026 15:34:24 +0000
Subject: [PATCH 4/7] docs: Correct bot command example for forks
Corrects the example bot command in the reusable workflows guide for contributors working on a fork of the repository. The previous example, `@your-github-usernamebot format`, was incorrect. The correct command is `@phlexbot format`, as the dynamic repository name in the workflow resolves to `phlex` even in a fork.
---
.github/REUSABLE_WORKFLOWS.md | 147 ++++++++++++++++++++++
.github/actions/README.md | 3 +
.github/actions/REFACTORING_SUMMARY.md | 161 -------------------------
README.md | 4 +
4 files changed, 154 insertions(+), 161 deletions(-)
create mode 100644 .github/REUSABLE_WORKFLOWS.md
delete mode 100644 .github/actions/REFACTORING_SUMMARY.md
diff --git a/.github/REUSABLE_WORKFLOWS.md b/.github/REUSABLE_WORKFLOWS.md
new file mode 100644
index 00000000..0c469cb1
--- /dev/null
+++ b/.github/REUSABLE_WORKFLOWS.md
@@ -0,0 +1,147 @@ +# Using Reusable Workflows from the Phlex Repository + +This guide explains how to integrate the reusable GitHub Actions workflows from the `Framework-R-D/phlex` repository into your own project. + +### Prerequisites + +#### Personal Access Token (PAT) + +For workflows that automatically commit fixes to pull requests (e.g., formatters), you must create a Personal Access Token (PAT) and add it as a secret to your repository. + +1. **Create a PAT:** Follow the GitHub documentation to [create a fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token). + * Give it a descriptive name (e.g., `WORKFLOW_FIXES_PAT`). + * Grant it the following repository permissions: + * `Contents`: `Read and write` + * `Pull requests`: `Read and write` +2. **Add the PAT as a Repository Secret:** + * In your repository, go to `Settings` > `Secrets and variables` > `Actions`. + * Create a new repository secret named `WORKFLOW_PAT` and paste your PAT as the value. + +### Calling a Reusable Workflow + +To use a workflow, you call it from a workflow file in your own repository's `.github/workflows/` directory. The basic syntax is: + +```yaml +jobs: + some_job: + uses: Framework-R-D/phlex/.github/workflows/.yaml@main + with: + # ... inputs for the workflow ... + secrets: + WORKFLOW_PAT: ${{ secrets.WORKFLOW_PAT }} +``` + +**Note:** Always reference the workflows using the `@main` ref to ensure you are using the latest stable version. + +--- + +### For Contributors Working on a Fork of Phlex + +If you are developing on a fork of `Framework-R-D/phlex` itself, the CI/CD workflows will run automatically on your pull requests within the fork, just as they do on the main repository. You do not need to use the `uses:` syntax described below. 
+ +However, to enable the automatic fixing features (e.g., for `cmake-format-fix` or `python-fix`), you will need to perform two steps: + +1. **Enable Workflows:** By default, GitHub Actions are disabled on forks. You must manually enable them by going to the `Actions` tab of your forked repository and clicking the "I understand my workflows, go ahead and enable them" button. +2. **Create the `WORKFLOW_PAT` Secret:** The auto-fix workflows require a Personal Access Token (PAT) with write permissions to commit changes back to your PR branch. Follow the instructions in the "Prerequisites" section above to create a PAT and add it as a secret named `WORKFLOW_PAT` **to your forked repository's settings**. + +Once you have done this, you can trigger the auto-fix workflows by commenting on a pull request in your fork (e.g., `@phlexbot format`). + +--- + +### Available Workflows and Their Inputs + +#### 1. `cmake-build.yaml` + +Builds and tests your project using CMake. + +**Usage Example:** + +```yaml +jobs: + build_and_test: + uses: Framework-R-D/phlex/.github/workflows/cmake-build.yaml@main + with: + # Optional: A list of build combinations to run (e.g., "gcc/asan clang/tsan") + build-combinations: 'all -clang/valgrind' + # Required for PRs from forks if you want auto-formatting to work + ref: ${{ github.head_ref }} + repo: ${{ github.repository }} +``` + +**All Inputs:** +* `checkout-path` (string, optional): Path to check out code to. +* `build-path` (string, optional): Path for build artifacts. +* `skip-relevance-check` (boolean, optional, default: `false`): Bypass the check that only runs the build if C++ or CMake files have changed. +* `build-combinations` (string, optional): A space-separated list of build combinations to run. +* `ref` (string, optional): The branch or ref to check out. +* `repo` (string, optional): The repository to check out from (e.g., `my-org/my-repo`). +* `pr-base-sha` (string, optional): Base SHA of the PR for relevance check. 
+* `pr-head-sha` (string, optional): Head SHA of the PR for relevance check. + +#### 2. `python-check.yaml` + +Checks Python code for formatting and type errors using `ruff` and `mypy`. + +**Usage Example:** + +```yaml +jobs: + check_python: + uses: Framework-R-D/phlex/.github/workflows/python-check.yaml@main +``` + +**All Inputs:** +* `checkout-path` (string, optional): Path to check out code to. +* `skip-relevance-check` (boolean, optional, default: `false`): Bypass the check that only runs if Python files have changed. +* `pr-base-sha` (string, optional): Base SHA of the PR for relevance check. +* `pr-head-sha` (string, optional): Head SHA of the PR for relevance check. + +#### 3. `cmake-format-fix.yaml` + +Automatically formats CMake files using `gersemi` and commits the changes. Typically triggered by an `issue_comment`. + +**Usage Example (in a workflow triggered by `issue_comment`):** + +```yaml +name: 'Bot Commands' +on: + issue_comment: + types: [created] + +jobs: + format-cmake: + # Run only on comments from collaborators/owners that start with the bot command + if: > + github.event.issue.pull_request && + (github.event.comment.author_association == 'COLLABORATOR' || github.event.comment.author_association == 'OWNER') && + startsWith(github.event.comment.body, format('@{0}bot format', github.event.repository.name)) + uses: Framework-R-D/phlex/.github/workflows/cmake-format-fix.yaml@main + with: + # The ref and repo of the PR need to be retrieved and passed + ref: ${{ steps.get_pr_info.outputs.ref }} + repo: ${{ steps.get_pr_info.outputs.repo }} + secrets: + WORKFLOW_PAT: ${{ secrets.WORKFLOW_PAT }} +``` +*Note: You would need a preliminary step (`get_pr_info`) to extract the PR's `ref` and `repo` from the `issue_comment` event.* + +**All Inputs:** +* `checkout-path` (string, optional): Path to check out code to. +* `ref` (string, **required**): The branch or ref to check out. +* `repo` (string, **required**): The repository to check out from. + +#### 4. 
`python-fix.yaml` + +Automatically formats and fixes Python code using `ruff` and commits the changes. Typically triggered by an `issue_comment`. + +**Usage Example (in a workflow triggered by `issue_comment`):** +*Similar to `cmake-format-fix.yaml`, but triggered by a command like `@bot python-fix`.* + +**All Inputs:** +* `checkout-path` (string, optional): Path to check out code to. +* `ref` (string, **required**): The branch or ref to check out. +* `repo` (string, **required**): The repository to check out from. + +#### Other Workflows + +The repository also provides `actionlint-check.yaml`, `cmake-format-check.yaml`, and `codeql-analysis.yaml`, which can be used in a similar manner. diff --git a/.github/actions/README.md b/.github/actions/README.md index 07435c47..8f4537f8 100644 --- a/.github/actions/README.md +++ b/.github/actions/README.md @@ -1,5 +1,8 @@ # GitHub Actions Composite Actions +> **Note** +> This document describes the low-level reusable *actions* used within this repository. For instructions on how to use the complete, high-level *workflows* (e.g., `cmake-build.yaml`) from your own project, please see the guide in [`.github/REUSABLE_WORKFLOWS.md`](../REUSABLE_WORKFLOWS.md). + This directory contains reusable composite actions for Phlex CI/CD workflows. ## Available Actions diff --git a/.github/actions/REFACTORING_SUMMARY.md b/.github/actions/REFACTORING_SUMMARY.md deleted file mode 100644 index ad8d5ea2..00000000 --- a/.github/actions/REFACTORING_SUMMARY.md +++ /dev/null 
@@ -1,161 +0,0 @@ -# Composite Actions Refactoring Summary - -## Overview - -Refactored GitHub Actions workflows to use composite actions for better maintainability and single-point-of-maintenance of common functionality. - -## Created Composite Actions - -### 1. setup-build-env - -**Location**: `.github/actions/setup-build-env/action.yaml` - -**Purpose**: Verifies the Spack build environment and creates build directories - -**Provides**: - -- Creates build directory -- Outputs source and build directory paths - -### 2. configure-cmake - -**Location**: `.github/actions/configure-cmake/action.yaml` - -**Purpose**: Configures CMake with preset detection and standard options - -**Features**: - -- Automatic CMakePresets.json detection -- Configurable build type and extra options -- Standard FORM options applied -- Preset usage logging - -### 3. build-cmake - -**Location**: `.github/actions/build-cmake/action.yaml` - -**Purpose**: Builds the project with CMake - -**Features**: - -- Configurable target selection -- Auto-detected or custom parallel jobs - -## Updated Workflows - -### cmake-build.yaml - -**Before**: ~45 lines of inline bash with duplicated logic -**After**: Clean composite action calls - -**Changes**: - -- Replaced Configure CMake step with `configure-cmake` action -- Replaced Build step with `build-cmake` action -- Added `setup-build-env` action -- Reduced from ~45 to ~20 lines for core build logic - -### clang-tidy-check.yaml - -**Before**: ~30 lines of duplicated CMake configuration -**After**: Clean composite action calls - -**Changes**: - -- Replaced configuration/build steps with composite actions -- Specified Debug build type and compile commands export -- Consistent with cmake-build pattern - -### clang-tidy-fix.yaml - -**Before**: ~30 lines of duplicated CMake configuration -**After**: Clean composite action calls - -**Changes**: - -- Same refactoring as clang-tidy-check -- Maintains PR-specific checkout behavior - -## Benefits Achieved - -### 1. 
Single Point of Maintenance - -- **Container image**: Only needs updating in composite actions -- **Preset detection logic**: Centralized in `configure-cmake` -- **Standard CMake options**: Defined once in `configure-cmake` -- **Environment setup**: Centralized in `setup-build-env` - -### 2. Consistency - -- All workflows use identical configuration patterns -- Same preset detection across all builds -- Uniform directory structure handling - -### 3. Reduced Duplication - -- Eliminated ~100+ lines of duplicated bash code -- Preset detection logic written once, used everywhere -- Build commands standardized - -### 4. Easier Updates - -- To change container image: Update one place -- To add CMake option: Update `configure-cmake` inputs -- To modify preset logic: Update one action file - -### 5. Better Readability - -- Workflows are more declarative -- Intent is clearer (configure, then build) -- Less inline bash to parse - -## Migration Path for Future Workflows - -New workflows should follow this pattern: - -```yaml -steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - path: phlex-src - - - name: Setup build environment - uses: ./phlex-src/.github/actions/setup-build-env - - - name: Configure CMake - uses: ./phlex-src/.github/actions/configure-cmake - with: - build-type: - extra-options: '' - - - name: Build - uses: ./phlex-src/.github/actions/build-cmake - with: - target: -``` - -## Maintenance Guidelines - -1. **Updating container image**: Edit container specification in each workflow (still needs updating in multiple places due to GitHub Actions limitation that composite actions cannot specify containers) - -2. **Updating CMake options**: Edit `configure-cmake/action.yaml` inputs and defaults - -3. **Updating preset logic**: Edit `configure-cmake/action.yaml` preset detection - -4. **Updating build logic**: Edit `build-cmake/action.yaml` - -5. 
**Testing changes**: Test composite action changes on feature branch before merging - -## Future Enhancements - -Potential future improvements: - -1. Add composite action for test execution -2. Add composite action for artifact upload patterns -3. Create preset for coverage builds -4. Add validation checks to composite actions - -## Documentation - -Complete documentation available in `.github/actions/README.md`
diff --git a/README.md b/README.md
index c82ad405..99ca2cf4 100644
--- a/README.md
+++ b/README.md
@@ -19,3 +19,7 @@ Clone that repository and follow the instructions there to begin using Phlex.
## Developing Phlex
Instructions for the development of Phlex itself are in the [developer notes](DEVELOPING.md)
+
+## CI/CD
+
+This repository provides a suite of reusable GitHub Actions workflows for building, testing, and formatting C++ and Python projects. For comprehensive instructions on how to use these workflows in your own project, please see the [reusable workflows guide](./.github/REUSABLE_WORKFLOWS.md).
From 89ec0a3e8772642a26776914f0b54e727b5fafc7 Mon Sep 17 00:00:00 2001
From: Chris Green
Date: Thu, 22 Jan 2026 12:24:36 -0600
Subject: [PATCH 5/7] Apply suggestions from code review
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
.github/workflows/cmake-format-fix.yaml | 2 +-
.github/workflows/python-fix.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cmake-format-fix.yaml b/.github/workflows/cmake-format-fix.yaml
index eb82fa39..751e9c0a 100644
--- a/.github/workflows/cmake-format-fix.yaml
+++ b/.github/workflows/cmake-format-fix.yaml
@@ -78,7 +78,7 @@ jobs:
uses: Framework-R-D/phlex/.github/actions/handle-fix-commit@main
with:
tool: cmake-format
- working-directory: phlex-src
+ working-directory: ${{ env.local-checkout-path }}
token: ${{ secrets.WORKFLOW_PAT }}
pr-info-ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }}
pr-info-repo: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }}
diff --git a/.github/workflows/python-fix.yaml b/.github/workflows/python-fix.yaml
index 048598d6..86facd21 100644
--- a/.github/workflows/python-fix.yaml
+++ b/.github/workflows/python-fix.yaml
@@ -82,7 +82,7 @@ jobs:
uses: Framework-R-D/phlex/.github/actions/handle-fix-commit@main
with:
tool: 'Python linting'
- working-directory: phlex-src
+ working-directory: ${{ env.local-checkout-path }}
token: ${{ secrets.WORKFLOW_PAT }}
pr-info-ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }}
pr-info-repo: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }}
From 3bfb514964f893ae19ba647936e48d59176436cf Mon Sep 17 00:00:00 2001
From: Chris Green
Date: Thu, 22 Jan 2026 15:29:32 -0600
Subject: [PATCH 6/7] Address `env:` consistency issue - per https://github.com/Framework-R-D/phlex/pull/262#discussion_r2717739765
---
.github/workflows/actionlint-check.yaml | 10 +++++-----
.github/workflows/cmake-build.yaml | 22 +++++++++++-----------
.github/workflows/cmake-format-check.yaml | 10 +++++-----
.github/workflows/cmake-format-fix.yaml | 8 ++++----
.github/workflows/python-check.yaml | 10 +++++-----
.github/workflows/python-fix.yaml | 8 ++++----
6 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/actionlint-check.yaml b/.github/workflows/actionlint-check.yaml
index 9df0035e..7341bcc8 100644
--- a/.github/workflows/actionlint-check.yaml
+++ b/.github/workflows/actionlint-check.yaml
@@ -30,7 +30,7 @@ on:
type: string
env:
- local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
+ local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
jobs:
pre-check:
@@ -59,13 +59,13 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
- name: Detect workflow changes
id: filter
uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
with:
- repo-path: ${{ env.local-checkout-path }}
+ repo-path: ${{ env.local_checkout_path }}
base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }}
include-globs: |
@@ -99,7 +99,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
- name: Announce actionlint check
run: echo "➡️ Running actionlint check..."
@@ -108,7 +108,7 @@ jobs:
id: lint
run: |
docker run --rm \
- -v "${{ github.workspace }}/${{ env.local-checkout-path }}:/work" \
+ -v "${{ github.workspace }}/${{ env.local_checkout_path }}:/work" \
-w /work \
rhysd/actionlint:latest \
-config-file .github/actionlint.yaml
diff --git a/.github/workflows/cmake-build.yaml b/.github/workflows/cmake-build.yaml
index 315184f2..0eae9566 100644
--- a/.github/workflows/cmake-build.yaml
+++ b/.github/workflows/cmake-build.yaml
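Review bot: Inside `run:` blocks the renamed value is still templated into the script text as `${{ env.local_checkout_path }}`, although a workflow-level `env:` entry is exported to every step and, now that the key is a valid shell identifier, can be read by the shell directly: `-v "$GITHUB_WORKSPACE/$local_checkout_path:/work" \`. That keeps a caller-supplied `checkout-path` input out of the generated shell source and leaves quoting to the shell rather than to the template. The same applies to `cd "$GITHUB_WORKSPACE/${{ env.local_build_path }}"` in the two cmake-build test steps and to the unquoted `gersemi --check ${{ env.local_checkout_path }}` and `gersemi -i ${{ env.local_checkout_path }}` in cmake-format-check and cmake-format-fix, where `"$local_checkout_path"` would also survive a path containing spaces. The `with:` uses of `${{ env.local_checkout_path }}` are fine as they are, since action inputs are not shell. The enclosing jobs start outside these hunks.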
@@ -64,8 +64,8 @@ permissions:
env:
BUILD_TYPE: Release
CICOLOR_FORCE: 1
- local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
- local-build-path: ${{ (github.event_name == 'workflow_call' && inputs.build-path) || format('{0}-build', github.event.repository.name) }}
+ local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
+ local_build_path: ${{ (github.event_name == 'workflow_call' && inputs.build-path) || format('{0}-build', github.event.repository.name) }}
jobs:
pre-check:
@@ -136,13 +136,13 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
- name: Detect C++ and CMake changes
id: filter
uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
with:
- repo-path: ${{ env.local-checkout-path }}
+ repo-path: ${{ env.local_checkout_path }}
base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }}
file-type: |
@@ -195,14 +195,14 @@ jobs:
- name: Check out code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
ref: ${{ needs.pre-check.outputs.sha }}
repository: ${{ needs.pre-check.outputs.repo }}
- name: Setup build environment
uses: Framework-R-D/phlex/.github/actions/setup-build-env@main
with:
- build-path: ${{ env.local-build-path }}
+ build-path: ${{ env.local_build_path }}
- name: Announce CMake configuration
run: echo "➡️ Configuring CMake..."
@@ -215,8 +215,8 @@ jobs:
id: configure
uses: Framework-R-D/phlex/.github/actions/configure-cmake@main
with:
- source-path: ${{ env.local-checkout-path }}
- build-path: ${{ env.local-build-path }}
+ source-path: ${{ env.local_checkout_path }}
+ build-path: ${{ env.local_build_path }}
build-type: ${{ env.BUILD_TYPE }}
cpp-compiler: ${{ matrix.compiler == 'gcc' && 'g++' || 'clang++' }}
extra-options: |
@@ -227,13 +227,13 @@ jobs:
id: build
uses: Framework-R-D/phlex/.github/actions/build-cmake@main
with:
- build-path: ${{ env.local-build-path }}
+ build-path: ${{ env.local_build_path }}
- name: Run tests
if: matrix.sanitizer != 'valgrind'
run: |
. /entrypoint.sh
- cd "$GITHUB_WORKSPACE/${{ env.local-build-path }}"
+ cd "$GITHUB_WORKSPACE/${{ env.local_build_path }}"
echo "➡️ Running tests..."
echo "::group::Running ctest"
@@ -250,7 +250,7 @@ jobs:
if: matrix.sanitizer == 'valgrind'
run: |
. /entrypoint.sh
- cd "$GITHUB_WORKSPACE/${{ env.local-build-path }}"
+ cd "$GITHUB_WORKSPACE/${{ env.local_build_path }}"
echo "➡️ Running Valgrind tests..."
echo "::group::Running ctest -T memcheck"
diff --git a/.github/workflows/cmake-format-check.yaml b/.github/workflows/cmake-format-check.yaml
index d4f02b48..a20ca889 100644
--- a/.github/workflows/cmake-format-check.yaml
+++ b/.github/workflows/cmake-format-check.yaml
@@ -30,7 +30,7 @@ on:
type: string
env:
- local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
+ local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
jobs:
pre-check:
@@ -59,13 +59,13 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
- name: Detect CMake formatting changes
id: filter
uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
with:
- repo-path: ${{ env.local-checkout-path }}
+ repo-path: ${{ env.local_checkout_path }}
base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }}
file-type: cmake
@@ -93,7 +93,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -106,7 +106,7 @@ jobs:
- name: Check CMake formatting
run: |
echo "➡️ Checking CMake file formatting..."
- if ! gersemi --check ${{ env.local-checkout-path }}; then
+ if ! gersemi --check ${{ env.local_checkout_path }}; then
echo "::error::Found files with formatting issues."
echo "::error::Run 'gersemi -i ' locally or comment '@${{ github.event.repository.name }}bot format' on the PR to auto-fix."
exit 1
diff --git a/.github/workflows/cmake-format-fix.yaml b/.github/workflows/cmake-format-fix.yaml
index 751e9c0a..ad4b75f0 100644
--- a/.github/workflows/cmake-format-fix.yaml
+++ b/.github/workflows/cmake-format-fix.yaml
@@ -25,7 +25,7 @@ permissions:
contents: write
env:
- local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
+ local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
jobs:
parse-command:
@@ -56,7 +56,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
 ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }}
 repository: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }}
 token: ${{ secrets.WORKFLOW_PAT }}
@@ -72,13 +72,13 @@ jobs:
 - name: Apply CMake formatting
 run: |
 echo "Applying CMake formatting..."
- gersemi -i ${{ env.local-checkout-path }}
+ gersemi -i ${{ env.local_checkout_path }}
 - name: Handle fix commit
 uses: Framework-R-D/phlex/.github/actions/handle-fix-commit@main
 with:
 tool: cmake-format
- working-directory: ${{ env.local-checkout-path }}
+ working-directory: ${{ env.local_checkout_path }}
 token: ${{ secrets.WORKFLOW_PAT }}
 pr-info-ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }}
 pr-info-repo: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }}
diff --git a/.github/workflows/python-check.yaml b/.github/workflows/python-check.yaml
index 397562a4..4421fcea 100644
--- a/.github/workflows/python-check.yaml
+++ b/.github/workflows/python-check.yaml
@@ -30,7 +30,7 @@ on:
 type: string
 env:
- local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
+ local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
 jobs:
 pre-check:
@@ -59,13 +59,13 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
 - name: Detect Python changes
 id: filter
 uses: Framework-R-D/phlex/.github/actions/detect-relevant-changes@main
 with:
- repo-path: ${{ env.local-checkout-path }}
+ repo-path: ${{ env.local_checkout_path }}
 base-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-base-sha) || github.event.pull_request.base.sha || github.event.before }}
 head-ref: ${{ (github.event_name == 'workflow_call' && inputs.pr-head-sha) || github.event.pull_request.head.sha || github.sha }}
 file-type: python
@@ -95,7 +95,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
 - name: Set up Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -107,7 +107,7 @@ jobs:
 pip install ruff mypy
 - name: Run ruff and mypy checks
- working-directory: ${{ env.local-checkout-path }}
+ working-directory: ${{ env.local_checkout_path }}
 env:
 FORCE_COLOR: 1 # `ruff`/`colored` crate
 run: |
diff --git a/.github/workflows/python-fix.yaml b/.github/workflows/python-fix.yaml
index 86facd21..905d32cc 100644
--- a/.github/workflows/python-fix.yaml
+++ b/.github/workflows/python-fix.yaml
@@ -25,7 +25,7 @@ permissions:
 contents: write
 env:
- local-checkout-path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
+ local_checkout_path: ${{ (github.event_name == 'workflow_call' && inputs.checkout-path) || format('{0}-src', github.event.repository.name) }}
 jobs:
 parse-command:
@@ -54,7 +54,7 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- path: ${{ env.local-checkout-path }}
+ path: ${{ env.local_checkout_path }}
 ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }}
 repository: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }}
 token: ${{ secrets.WORKFLOW_PAT }}
@@ -69,7 +69,7 @@ jobs:
 pip install ruff
 - name: Run ruff format and fix
- working-directory: ${{ env.local-checkout-path }}
+ working-directory: ${{ env.local_checkout_path }}
 env:
 FORCE_COLOR: 1
 run: |
@@ -82,7 +82,7 @@ jobs:
 uses: Framework-R-D/phlex/.github/actions/handle-fix-commit@main
 with:
 tool: 'Python linting'
- working-directory: ${{ env.local-checkout-path }}
+ working-directory: ${{ env.local_checkout_path }}
 token: ${{ secrets.WORKFLOW_PAT }}
 pr-info-ref: ${{ (github.event_name == 'workflow_call' && inputs.ref) || needs.parse-command.outputs.ref }}
 pr-info-repo: ${{ (github.event_name == 'workflow_call' && inputs.repo) || needs.parse-command.outputs.repo }}
From 64cc74577d89ac3c3f3e4c17176567e853b781df Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 27 Jan 2026 19:28:06 +0000 Subject: [PATCH 7/7] docs: Recommend pinning reusable workflows to SHA Updates the `REUSABLE_WORKFLOWS.md` documentation to address the security concerns raised in the review comments on PR #262. The key changes are: - The introductory note now explains the security risks of using a mutable branch like `@main` and recommends pinning to a specific commit SHA for stability and security. - All `uses:` examples in the document have been updated to use a specific commit SHA instead of `@main`. - The explanatory text clarifies that `@main` can still be used for development purposes at the user's own risk. Co-authored-by: greenc-FNAL <2372949+greenc-FNAL@users.noreply.github.com> --- .github/REUSABLE_WORKFLOWS.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/REUSABLE_WORKFLOWS.md b/.github/REUSABLE_WORKFLOWS.md index 0c469cb1..ada8e8c7 100644 --- a/.github/REUSABLE_WORKFLOWS.md +++ b/.github/REUSABLE_WORKFLOWS.md 
@@ -24,14 +24,16 @@ To use a workflow, you call it from a workflow file in your own repository's `.g
 ```yaml
 jobs:
 some_job:
- uses: Framework-R-D/phlex/.github/workflows/.yaml@main
+ uses: Framework-R-D/phlex/.github/workflows/.yaml@cef968c52aab432b836bb28119a9661c82c8b0d1
 with:
 # ... inputs for the workflow ...
 secrets:
 WORKFLOW_PAT: ${{ secrets.WORKFLOW_PAT }}
 ```
-**Note:** Always reference the workflows using the `@main` ref to ensure you are using the latest stable version.
+**Note:** For stability and security, it is highly recommended to pin the workflow to a specific commit SHA rather than a branch like `@main`. Using a mutable branch means you will automatically receive updates, which could include breaking changes or, in a worst-case scenario, malicious code. Pinning to a commit SHA ensures you are using a fixed, reviewed version of the workflow.
+
+For development purposes, you may choose to use `@main` at your own risk to get the latest changes.
 ---
@@ -59,7 +61,7 @@ Builds and tests your project using CMake.
 ```yaml
 jobs:
 build_and_test:
- uses: Framework-R-D/phlex/.github/workflows/cmake-build.yaml@main
+ uses: Framework-R-D/phlex/.github/workflows/cmake-build.yaml@cef968c52aab432b836bb28119a9661c82c8b0d1
 with:
 # Optional: A list of build combinations to run (e.g., "gcc/asan clang/tsan")
 build-combinations: 'all -clang/valgrind'
@@ -87,7 +89,7 @@ Checks Python code for formatting and type errors using `ruff` and `mypy`.
 ```yaml
 jobs:
 check_python:
- uses: Framework-R-D/phlex/.github/workflows/python-check.yaml@main
+ uses: Framework-R-D/phlex/.github/workflows/python-check.yaml@cef968c52aab432b836bb28119a9661c82c8b0d1
 ```
 **All Inputs:**
@@ -115,7 +117,7 @@ jobs:
 github.event.issue.pull_request &&
 (github.event.comment.author_association == 'COLLABORATOR' || github.event.comment.author_association == 'OWNER') &&
 startsWith(github.event.comment.body, format('@{0}bot format', github.event.repository.name))
- uses: Framework-R-D/phlex/.github/workflows/cmake-format-fix.yaml@main
+ uses: Framework-R-D/phlex/.github/workflows/cmake-format-fix.yaml@cef968c52aab432b836bb28119a9661c82c8b0d1
 with:
 # The ref and repo of the PR need to be retrieved and passed
 ref: ${{ steps.get_pr_info.outputs.ref }}