Skip to content

AST-162357 Split CI workflows per job harden shared config and update docs#1521

Open
cx-anurag-dalke wants to merge 4 commits into
mainfrom
other/refactor_gh_workflow
Open

AST-162357 Split CI workflows per job harden shared config and update docs#1521
cx-anurag-dalke wants to merge 4 commits into
mainfrom
other/refactor_gh_workflow

Conversation

@cx-anurag-dalke

Copy link
Copy Markdown
Contributor
  • Split monolithic ci-tests.yml into unit-tests.yml, ci-tests.yml (integration matrix), lint.yml, govulncheck.yml, and docker-image-scan.yml so each job runs and reports independently
  • Consolidate the nightly parallel integration-test matrix into ci-tests.yml and have nightly-parallel.yml invoke it via workflow_call, removing duplicated matrix logic
  • Rework unit-tests.yml to run tests via gotestsum (JUnit output), publish a job summary with per-test failure reasons and coverage %, raise the unit test coverage gate to 85%, and upload coverage/JUnit artifacts
  • Add internal/commands/.scripts/print_test_summary.py to render the job summary from the JUnit report; update up.sh to run tests via gotestsum
  • Add descriptive job names across all workflow files
  • Pin actions/checkout to v6 with persist-credentials: false everywhere it's used
  • Replace secrets: inherit in issue_automation.yml with explicit secret references
  • Remove deprecated pr-label.yml
  • Update CLAUDE.md to reflect the new workflow layout, coverage thresholds, and removal of stale/no-longer-existing workflows (pr-add-reviewers.yml, ai-code-review.yml, dependabot-auto-merge.yml, Dependabot config)

By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Please provide a summary of the changes and the related issue. Include relevant motivation and context.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Related Issues

Link any related issues or tickets.

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Add any other relevant information.

- Split monolithic ci-tests.yml into unit-tests.yml, ci-tests.yml
  (integration matrix), lint.yml, govulncheck.yml, and
  docker-image-scan.yml so each job runs and reports independently
- Consolidate the nightly parallel integration-test matrix into
  ci-tests.yml and have nightly-parallel.yml invoke it via
  workflow_call, removing duplicated matrix logic
- Rework unit-tests.yml to run tests via gotestsum (JUnit output),
  publish a job summary with per-test failure reasons and coverage %,
  raise the unit test coverage gate to 85%, and upload coverage/JUnit
  artifacts
- Add internal/commands/.scripts/print_test_summary.py to render the
  job summary from the JUnit report; update up.sh to run tests via
  gotestsum
- Add descriptive job names across all workflow files
- Pin actions/checkout to v6 with persist-credentials: false
  everywhere it's used
- Replace secrets: inherit in issue_automation.yml with explicit
  secret references
- Remove deprecated pr-label.yml
- Update CLAUDE.md to reflect the new workflow layout, coverage
  thresholds, and removal of stale/no-longer-existing workflows
  (pr-add-reviewers.yml, ai-code-review.yml,
  dependabot-auto-merge.yml, Dependabot config)
@stepsecurity-app

Copy link
Copy Markdown
Contributor

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

Secret references detected:

  • secrets.CX_BASE_URI at line 199
  • secrets.CX_CLIENT_ID at line 200
  • secrets.CX_CLIENT_SECRET at line 201
  • secrets.CX_BASE_AUTH_URI at line 202
  • secrets.CX_AST_USERNAME at line 203
  • secrets.CX_AST_PASSWORD at line 204
  • secrets.CX_APIKEY at line 205
  • secrets.CX_TENANT at line 206
  • secrets.CX_SCAN_SSH_KEY at line 207
  • secrets.PERSONAL_ACCESS_TOKEN at line 209
  • secrets.PROXY_USER at line 212
  • secrets.PROXY_PASSWORD at line 213
  • secrets.PR_GITLAB_TOKEN at line 218
  • secrets.PR_GITLAB_NAMESPACE at line 219
  • secrets.PR_GITLAB_REPO_NAME at line 220
  • secrets.PR_GITLAB_PROJECT_ID at line 221
  • secrets.PR_GITLAB_IID at line 222
  • secrets.AZURE_ORG at line 223
  • secrets.AZURE_PROJECT at line 224
  • secrets.AZURE_REPOS at line 225
  • secrets.AZURE_TOKEN at line 226
  • secrets.BITBUCKET_WORKSPACE at line 228
  • secrets.BITBUCKET_REPOS at line 229
  • secrets.BITBUCKET_USERNAME at line 230
  • secrets.BITBUCKET_PASSWORD at line 231
  • secrets.GITLAB_TOKEN at line 232
  • secrets.PR_BITBUCKET_TOKEN at line 234
  • secrets.MS_TEAMS_WEBHOOK_URL_INTEGRATION_TESTS at line 398

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (cx-anurag-dalke) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@cx-anurag-dalke cx-anurag-dalke changed the title Split CI workflows per job, harden shared config, and update docs AST-162357 Split CI workflows per job harden shared config and update docs Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants