Refactor build workflows (#20)

* Refactor AI-assisted action execution to use matrix strategy

* Refactor testing jobs to separate PR Summary and PR Review actions

* Update AI model from gpt-4o to o3 in PR Summary and PR Review actions

* Add permissions to jobs in workflow files for proper access control

* Disable major updates for SAP/ai-assisted-github-actions in Renovate configuration

* Update AI model to anthropic--claude-4-opus in PR Summary and PR Review actions; change model to o4-mini in build workflow

* Update action versions for PR Summary and PR Review steps to v3

* Update AI model in PR Summary and PR Review actions to anthropic--claude-4-sonnet

Author: daniel-richter

.github/workflows/ai-assistance.yaml

@@ -8,11 +8,14 @@ jobs:
     name: PR Summary
     if: github.actor != 'ospo-renovate[bot]'
     runs-on: [ubuntu-latest]
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      - uses: SAP/ai-assisted-github-actions/pr-summary@93162bffd6b396623ffa5b20e4666e427db88414 # v3.0.2
+      - uses: SAP/ai-assisted-github-actions/pr-summary@v3
         with:
           aicore-service-key: ${{ secrets.AICORE_SERVICE_KEY }}
-          model: gpt-4o
+          model: anthropic--claude-4-sonnet
           exclude-files: package-lock.json
           display-mode: append
           header-text: "---"
@@ -21,9 +24,12 @@ jobs:
     name: PR Review
     if: github.actor != 'ospo-renovate[bot]'
     runs-on: [ubuntu-latest]
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      - uses: SAP/ai-assisted-github-actions/pr-review@93162bffd6b396623ffa5b20e4666e427db88414 # v3.0.2
+      - uses: SAP/ai-assisted-github-actions/pr-review@v3
         with:
           aicore-service-key: ${{ secrets.AICORE_SERVICE_KEY }}
-          model: gpt-4o
+          model: anthropic--claude-4-sonnet
           exclude-files: package-lock.json

.github/workflows/build-cleanup.yaml

@@ -13,6 +13,8 @@ jobs:
   clean-up:
     name: Clean up
     runs-on: [ubuntu-latest]
+    permissions:
+      contents: write
     steps:
       - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:

.github/workflows/build.yaml

@@ -16,6 +16,8 @@ jobs:
     name: Build and push artifacts to release branch
     runs-on: [ubuntu-latest]
     if: ${{ !startsWith(github.head_ref || github.ref_name, 'release/') }}
+    permissions:
+      contents: write
     steps:
       - name: Checkout source branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -90,11 +92,14 @@ jobs:
           git commit -m "${{ github.event.number && format('PR-{0}', github.event.number) || join(github.event.commits.*.message, ', ') }}" || true
           git push
 
-  testing:
-    name: Execute the AI-assisted action defined in this PR
+  testing-summary:
+    name: Execute the action (PR Summary) defined in this PR
     runs-on: [ubuntu-latest]
     needs: create-release
     if: ${{ github.ref_name != 'main' }}
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout release branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -104,14 +109,28 @@ jobs:
         uses: ./pr-summary # action.yml is in the pr-summary folder of the release branch
         with:
           aicore-service-key: ${{ secrets.AICORE_SERVICE_KEY }}
-          model: gpt-4o
+          model: o4-mini
           exclude-files: package-lock.json
           display-mode: comment-delta
-      - name: Run the AI-assisted action (PR Summary)
+
+  testing-review:
+    name: Execute the action (PR Review) defined in this PR
+    runs-on: [ubuntu-latest]
+    needs: create-release
+    if: ${{ github.ref_name != 'main' }}
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout release branch
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ env.RELEASE_BRANCH }}
+      - name: Run the AI-assisted action (PR Review)
         uses: ./pr-review # action.yml is in the pr-review folder of the release branch
         with:
           aicore-service-key: ${{ secrets.AICORE_SERVICE_KEY }}
-          model: gpt-4o
+          model: o4-mini
           exclude-files: package-lock.json
           display-mode: review-comment-delta
 
@@ -120,6 +139,8 @@ jobs:
     runs-on: [ubuntu-latest]
     needs: create-release
     if: ${{ github.ref_name == 'main' }}
+    permissions:
+      contents: write
     steps:
       - name: Checkout release branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/code-quality.yaml

@@ -12,6 +12,8 @@ jobs:
   lintCheck:
     runs-on: [ubuntu-latest]
     name: Linter (${{ matrix.path }})
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -35,6 +37,8 @@ jobs:
   formatCheck:
     runs-on: [ubuntu-latest]
     name: Formatter (${{ matrix.path }})
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:

.renovaterc

@@ -29,6 +29,15 @@
         "/^@?octokit//",
         "/^eslint$/"
       ]
+    },
+    {
+      "matchDepTypes": [
+        "action"
+      ],
+      "matchPackageNames": [
+        "SAP/ai-assisted-github-actions"
+      ],
+      "enabled": false
     }
   ],
   "schedule": [