Consolidate CI workflow branches#2659
Merged
- Added `verify-changes` gate job to `ci.yml`, `deploy.yml`, and `codeql.yml`
- Gated heavy jobs behind `has_changes` output to save runner minutes
- Consolidated `security.yml` and `conflict-check.yml` into `ci.yml`
- Implemented `block-empty-jules-patches.yml` as global PR-closing failsafe
- Fixed `actions/checkout` version hallucinations across modified workflows
- Validated all workflow changes with `actionlint`
…workflows
- Lifted environment variables to job level in `ci.yml`.
- Created `scripts/lib/codeReviewUtils.ts` with shared code review logic.
- Refactored `geminiCodeReviewClient.ts` and `githubModelsCodeReviewClient.ts` to use shared utilities.
- Consolidated `parseVisualReviewFindings` in `scripts/lib/visualReviewUtils.ts`.
- Updated visual review clients to use the shared parser.
Hoisted MAX_AI_REVIEWS, GEMINI_API_KEY, GITHUB_TOKEN, GITHUB_REPOSITORY, PR_NUMBER, and GITHUB_MODELS_MODEL to the job level in the impact-analysis job of .github/workflows/ci.yml. This removes configuration duplication and simplifies maintenance. Redundant step-level environment variables were removed from the four separate review steps. Similar cleanup was performed in the lint-typecheck and audit jobs for consistency.
- Refined `verify-changes` gate logic to use base-branch comparison for PRs.
- Updated all workflows to use `fetch-depth: 0` for accurate diff detection.
- Fixed `$GITHUB_OUTPUT` syntax and standardized `actions/checkout` to `@v4`.
- Consolidated security and merge-conflict checks into the main `ci.yml`.
- Maintained scheduled scan integrity in `codeql.yml`.
- Deployed a global `block-empty-jules-patches.yml` failsafe to auto-close empty PRs.
- Refined `verify-changes` logic to use base-branch comparison (`...`) for PRs.
- Standardized `actions/checkout` to `@v4` and ensured `fetch-depth: 0`.
- Fixed `actionlint`/`shellcheck` violations by double-quoting variables.
- Consolidated security and merge-conflict checks into the main gated `ci.yml`.
- Deployed a global `block-empty-jules-patches.yml` to auto-close empty PRs.
- Maintained scheduled scan integrity in `codeql.yml`.
…mits
- Consolidated environment variables to job level in `ci.yml`.
- Created `scripts/lib/codeReviewUtils.ts` with shared code review logic (system prompt, verdict/state parsing, token budgeting).
- Refactored `geminiCodeReviewClient.ts` and `githubModelsCodeReviewClient.ts` to use shared utilities.
- Consolidated `parseVisualReviewFindings` in `scripts/lib/visualReviewUtils.ts`.
- Increased token budgeting and truncation limits to 100,000 characters in `codeReviewUtils.ts` and `codeReviewOrchestrator.ts` to prevent truncation of large refactor diffs.
- Created `reusable-gate.yml` to centralize CI gating logic and enforce DRY principles.
- Refactored `ci.yml`, `deploy.yml`, and `codeql.yml` to utilize the reusable gate.
- Re-architected `block-empty-jules-patches.yml` to depend on the reusable gate for policy enforcement (auto-closing PRs).
- Secured shell scripts against injection by utilizing environment variables for context data.
- Added defensive checks for single-commit histories and explicit base-branch fetching.
- Standardized `actions/checkout` to `@v4` and ensured `fetch-depth: 0` for all gated workflows.
- Validated the complete workflow suite with `actionlint`.
- Reverted character limits to 24,000 to respect model constraints.
- Updated system prompt to instruct LLM not to fail reviews solely due to truncated context.
- Ensured all shared utilities are exported and correctly imported.
- Centralized gating logic into `.github/workflows/reusable-gate.yml`.
- Refactored `ci.yml`, `deploy.yml`, and `codeql.yml` to utilize the reusable gate.
- Refined `push` logic to use `github.event.before` for accurate multi-commit diffing.
- Implemented robust `pull_request` diffing against base branches (`...HEAD`).
- Deployed `block-empty-jules-patches.yml` as a global auto-closing PR failsafe.
- Secured shell scripts by utilizing environment variables for GitHub context data.
- Maintained `actions/checkout@v6` as per explicit repository requirement.
- Consolidated security scans and conflict checks into the main gated pipeline.
- Validated all workflow enhancements with `actionlint`.
Hoisted MAX_AI_REVIEWS, GITHUB_REPOSITORY, PR_NUMBER, and GITHUB_MODELS_MODEL to the job level in the impact-analysis job of .github/workflows/ci.yml. Secrets (GEMINI_API_KEY and GITHUB_TOKEN) are maintained at the step level to ensure correct propagation into the containerized execution environment and to adhere to the principle of least privilege. Redundant job-level environment variables were also removed from the lint-typecheck and audit jobs for consistency.
- Lifted duplicated environment variables to the job level in `ci.yml`.
- Centralized code review logic in `scripts/lib/codeReviewUtils.ts`.
- Refactored review clients (Gemini and GitHub Models) to use shared utilities.
- Hardened token budgeting and improved system prompts to handle truncation gracefully.
- Consolidated visual review findings parsing in `scripts/lib/visualReviewUtils.ts`.
Hoisted common non-secret environment variables (CI, MAX_AI_REVIEWS, GITHUB_MODELS_MODEL) to the workflow level in .github/workflows/ci.yml. Job-specific non-secret variables were hoisted to their respective job levels (test-build, impact-analysis), and redundant step-level definitions were removed. Sensitive secrets (GH_TOKEN, GEMINI_API_KEY, GITHUB_TOKEN, LHCI_GITHUB_TOKEN) are maintained at the step level to ensure robust propagation in containerized jobs and adhere to the principle of least privilege. Cleaned up redundant job-level env blocks in lint-typecheck and audit jobs for better maintainability.
- Centralized gating logic into `.github/workflows/reusable-gate.yml`.
- Refactored `ci.yml`, `deploy.yml`, and `codeql.yml` to utilize the reusable gate.
- Re-architected `block-empty-jules-patches.yml` to utilize the centralized gate logic for PR closure.
- Leaner implementation of `verify-changes` logic to minimize overhead.
- Secured shell scripts by utilizing environment variables for GitHub context data.
- Maintained `actions/checkout@v6` as per explicit repository requirement.
- Consolidated security and merge-conflict checks into the main gated pipeline.
- Validated the complete workflow suite with `actionlint`.
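The commits above describe a reusable gate that diffs against the PR base (`...HEAD`) or `github.event.before` on push, handles single-commit histories, and keeps GitHub context out of `run:` interpolation. The following is an added illustration of that pattern, not the project's own `reusable-gate.yml`; the job and step ids, the `actions/checkout@v4` pin, and the zero-SHA check are assumptions.

```yaml
# Added example of a change-detection gate (not the project's file).
name: reusable-gate
on:
  workflow_call:
    outputs:
      has_changes:
        description: "true when the triggering event carries a non-empty diff"
        value: ${{ jobs.verify-changes.outputs.has_changes }}

jobs:
  verify-changes:
    runs-on: ubuntu-latest
    outputs:
      has_changes: ${{ steps.diff.outputs.has_changes }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so base...HEAD can be resolved
      - id: diff
        # Context values are passed via env and double-quoted in the script.
        # Interpolating ${{ github.base_ref }} directly into `run:` would let
        # a crafted branch name be executed as shell code (actionlint flags this).
        env:
          EVENT_NAME: ${{ github.event_name }}
          BASE_REF: ${{ github.base_ref }}
          BEFORE_SHA: ${{ github.event.before }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "pull_request" ]; then
            git fetch --no-tags origin "$BASE_REF"     # explicit base fetch
            base="origin/$BASE_REF"
          elif [ -n "$BEFORE_SHA" ] \
               && [ "$BEFORE_SHA" != "0000000000000000000000000000000000000000" ] \
               && git cat-file -e "$BEFORE_SHA^{commit}" 2>/dev/null; then
            base="$BEFORE_SHA"                         # push: previous branch tip
          elif git rev-parse --verify -q HEAD~1 >/dev/null; then
            base="HEAD~1"                              # new branch: diff the last commit
          else
            echo "has_changes=true" >> "$GITHUB_OUTPUT" # single-commit history: run everything
            exit 0
          fi
          if git diff --quiet "$base...HEAD"; then
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          else
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
          fi
```

A caller such as `ci.yml` would declare `gate: uses: ./.github/workflows/reusable-gate.yml` and give each heavy job `needs: gate` with `if: needs.gate.outputs.has_changes == 'true'`; a PR-closing failsafe would instead act on `== 'false'`.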
…134778754744111' into arii/workingbranch
…-6183521699809323700' into arii/workingbranch
…261384706071' into arii/workingbranch
🚀 Deployment Details (Last updated: Jun 19, 2026, 4:49 PM PST) 🚀 Pushed to gh-pages; publish in progress
🐙 GitHub Models Code Review
Reviewing: PR #2659. Model: gpt-4.1
Code Review Feedback
Review of Diff: CI Workflow Consolidation
HIGH Severity Review
1.
Closes #2644
Closes #2637
Closes #2636