Refactor build workflows

[daniel-richter]

• Refactor AI-assisted action execution to use matrix strategy (not possible: "In order to enact policies like only using actions defined in the org or repo we can’t allow actions to dynamically change at runtime. So using any sort of dynamic value in uses is not something we will be able to support.")
• Refactor testing jobs to separate PR Summary and PR Review actions
• Make the "Execute the action defined in this PR" jobs required for pull request merging
• Modifying the permissions for the GITHUB_TOKEN
• Disable major updates for SAP/ai-assisted-github-actions in Renovate configuration

---

This change enhances the GitHub Actions workflow security and testing capabilities by adding explicit permissions declarations, upgrading AI model configurations, restructuring test execution, and implementing dependency management controls.

Walkthrough

• Chore: Added explicit permissions to all workflow jobs for enhanced security compliance and access control
• Chore: Upgraded AI model from GPT-4o to Claude-4-Sonnet for PR summary and review actions, and o4-mini for testing
• Refactor: Split single testing job into separate PR Summary and PR Review testing jobs for better test isolation
• Chore: Updated action version references from specific commit hashes to semantic version tags for easier maintenance
• Chore: Disabled Renovate auto-updates for SAP AI-assisted GitHub Actions to prevent unwanted dependency changes

_{Model: anthropic--claude-4-sonnet | Prompt Tokens: 1787 | Completion Tokens: 179}

[github-actions]

This change refines the GitHub Actions workflow for handling pull requests by adjusting task names and adding a new testing step for PR review. The workflow now includes both summary and review actions aided by AI, enhancing automation and thoroughness in processing PRs without altering functionality.

Walkthrough

• Refactor: Renamed workflow steps for better clarity, changing 'testing' to 'testing-summary' and introducing 'testing-review'.
• New Feature: Added 'testing-review' step that runs AI-assisted actions for reviewing PRs, which complements the existing summary generation process, thereby broadening the scope of automated insight.
• Chore: Improved workflow automation with clearer step segmentation to support efficient AI-based evaluations of pull requests.

_{Model: gpt-4o | Prompt Tokens: 525 | Completion Tokens: 146}

[github-actions]

The CI workflow now references the newer o3 model instead of gpt-4o for both PR summary and review steps, ensuring consistency across automated AI-powered code analysis tasks.

Walkthrough

• Chore: Updated .github/workflows/build.yaml to use the o3 model in pr-summary and pr-review actions, aligning CI with the latest AI service configuration.

_{Model: o3 | Prompt Tokens: 351 | Completion Tokens: 233 | Diff Range: 2a12c4a...458520c}

[github-actions]

Here’s a friendly code review enriched by AI collaboration. Remember, some suggestions arise from predictive models and might not suit every situation, so select what aligns with your goals. You remain the expert; the AI is merely an ally, ready to support wherever you find it helpful.
_{Model: o3 | Prompt Tokens: 1141 | Completion Tokens: 1994}

[github-actions]

Both testing-summary and testing-review repeat the same boilerplate (runs-on, needs, checkout step, etc.). You can eliminate duplication and improve maintainability by employing a matrix strategy or by using a reusable composite action. Example with a matrix:

  pr-jobs:
    strategy:
      matrix:
        include:
          - name: PR Summary
            uses: ./pr-summary
            model: gpt-4o
            display: comment-delta
          - name: PR Review
            uses: ./pr-review
            model: gpt-4o
            display: review-comment-delta
    name: Execute ${{ matrix.name }} action defined in this PR
    runs-on: ubuntu-latest
    needs: create-release
    if: ${{ github.ref_name != 'main' }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.RELEASE_BRANCH }}
      - name: Run AI-assisted ${{ matrix.name }}
        uses: ${{ matrix.uses }}
        with:
          aicore-service-key: ${{ secrets.AICORE_SERVICE_KEY }}
          model: ${{ matrix.model }}
          exclude-files: package-lock.json
          display-mode: ${{ matrix.display }}

This drastically shortens the workflow file and ensures consistency between both jobs.

[daniel-richter]

not possible: "In order to enact policies like only using actions defined in the org or repo we can’t allow actions to dynamically change at runtime. So using any sort of dynamic value in uses is not something we will be able to support."

[github-actions]

Several GitHub Actions workflows now declare explicit permissions scopes, tightening token access for build, cleanup, PR-summary/review, and code-quality jobs. This aligns the project with GitHub’s fine-grained permission model, improves security posture, and prevents future warning logs without changing application functionality.

Walkthrough

• Chore: Added least-privilege permissions blocks (contents: read/write, pull-requests: write) across build, cleanup, PR summary/review, and lint/format workflows to comply with updated GitHub security guidelines. End-users see no functional changes, but CI pipelines operate with clearer, safer access scopes, reducing risk and silencing permission-related warnings.

_{Model: o3 | Prompt Tokens: 989 | Completion Tokens: 293 | Diff Range: 458520c...7187aca}

[github-actions]

Enjoy this AI-supported code review featuring friendly, prediction-based suggestions. Use what resonates with you, adapt or discard the rest, and let your expertise steer the project while AI lends a helpful hand.
_{Model: o3 | Prompt Tokens: 6168 | Completion Tokens: 4825 | Diff Range: 458520c...7187aca}

[github-actions]

The update shifts our AI-assisted pull-request workflow to the latest major release (v3) of SAP’s GitHub Action and prevents Renovate from repeatedly suggesting version bumps for that action. This simplifies maintenance while keeping CI features intact without affecting runtime code.

Walkthrough

• Chore: Upgraded SAP/ai-assisted-github-actions PR summary and review steps to major tag @3, ensuring we receive upstream fixes without manual pinning.
• Chore: Added Renovate rule to ignore future updates for this action, reducing PR noise and stabilizing CI configuration.

_{Model: o3 | Prompt Tokens: 509 | Completion Tokens: 332 | Diff Range: 7187aca...6cdd925}

[github-actions]

AI offers a friendly look over your code. It suggests likely improvements, though nothing is set in stone—use only what fits. You remain in charge; AI simply lends a hand.
_{Model: o3 | Prompt Tokens: 1119 | Completion Tokens: 2151 | Diff Range: 7187aca...6cdd925}

[github-actions]

Updated GitHub Actions AI configurations to switch the models used for pull request summaries and reviews. Replaced GPT-4 variants in the ai-assistance workflow with Anthropic Claude 4 Opus, and upgraded from o3 to o4-mini in the build workflow. No functional user-facing changes; this ensures more consistent AI-driven analysis in CI processes.

Walkthrough

• Chore: ai-assistance.yaml pr-summary model changed from gpt-4o to anthropic--claude-4-opus.
• Chore: ai-assistance.yaml pr-review model changed from gpt-4o to anthropic--claude-4-opus.
• Chore: build.yaml pr-summary model changed from o3 to o4-mini.
• Chore: build.yaml pr-review model changed from o3 to o4-mini.

_{Model: o4-mini | Prompt Tokens: 514 | Completion Tokens: 910 | Diff Range: 6cdd925...71a8c05}

[github-actions]

Here’s a supportive code review powered by AI. Think of these insights as suggestions rather than absolute truths—feel free to apply what feels right. You know your project best, so trust your instincts. AI is here to help, but your decisions drive the process.
_{Model: o4-mini | Prompt Tokens: 1500 | Completion Tokens: 2282 | Diff Range: 6cdd925...71a8c05}

[github-actions]

The double hyphen in anthropic--claude-4-opus may be a typo. Confirm the model identifier with the action documentation. For clarity, change to a single hyphen if appropriate:

model: anthropic-claude-4-opus

[daniel-richter]

See https://me.sap.com/notes/3437766/E

[github-actions]

This change updates the GitHub Actions workflow to reference the v3 tags for both the AI-assisted PR summary and review actions, aligning with versioning conventions and ensuring consistency in dependency management.

Walkthrough

• Chore: Bumped SAP/ai-assisted-github-actions/pr-summary from @3 to @v3.
• Chore: Bumped SAP/ai-assisted-github-actions/pr-review from @3 to @v3.

_{Model: o4-mini | Prompt Tokens: 373 | Completion Tokens: 505 | Diff Range: 71a8c05...67367a4}

[github-actions]

Swapped the AI model in GitHub Actions for PR summary and review workflows to a newer version, aiming to enhance the quality and consistency of automated feedback without altering user-facing features.

Walkthrough

• Chore: Updated the AI model for PR summaries from claude-4-opus to claude-4-sonnet, improving contextual accuracy.
• Chore: Switched the PR review assistant to claude-4-sonnet as well, ensuring consistent analysis quality.

_{Model: o4-mini | Prompt Tokens: 365 | Completion Tokens: 757 | Diff Range: 67367a4...bd13dfb}

[github-actions]

Here's a collaborative code review enhanced by AI assistance. These suggestions offer potential improvements and insights to consider, though they're recommendations rather than requirements. You have full autonomy over your code choices—AI simply provides additional perspective to support your decision-making process. Use whatever feels valuable and aligns with your project goals.
_{Model: anthropic--claude-4-sonnet | Prompt Tokens: 2759 | Completion Tokens: 1130}

[github-actions]

There appears to be a typo in the model name. 'Claude 4 Sonnet' should likely be 'claude-3-sonnet' based on Anthropic's naming convention:

model: claude-3-sonnet
# or
model: claude-3-5-sonnet

[daniel-richter]

see https://me.sap.com/notes/3437766/E