Merged
2 changes: 1 addition & 1 deletion .github/workflows/base-test.yml
@@ -1,7 +1,7 @@
name: Base Tests

on:
push:
workflow_call:

Comment on lines 3 to 5

🛠️ Refactor suggestion

Reusable workflow conversion looks good; declare inputs and permissions.

Define inputs (e.g., OS matrix override, test timeout) and least-privilege permissions. This formalizes the contract and improves security.

 on:
-  workflow_call:
+  workflow_call:
+    inputs:
+      os:
+        description: 'Space-separated OS list (e.g., "ubuntu macos")'
+        required: false
+        type: string
+      timeout_minutes:
+        description: 'go test timeout in minutes'
+        required: false
+        type: number
+    secrets: {}

Then add (outside selected range):

permissions:
  contents: read
🤖 Prompt for AI Agents
In .github/workflows/base-test.yml around lines 3 to 5, the reusable workflow is
missing declared inputs and least-privilege permissions; add a workflow_call
inputs block (for example inputs like os_matrix_override, test_timeout,
node_version or others your consumers need) directly under workflow_call to
formalize the contract, and add a top-level permissions block (e.g.,
permissions: contents: read) at the file root to enforce least-privilege access;
ensure input names, types and defaults are reasonable and documented in the file
so callers can override them.

jobs:
test:
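
Review bot: with `push:` replaced by `workflow_call:` at the top of this hunk, the visible lines leave this file with no `permissions:` block of its own, so the GITHUB_TOKEN scope inside `test` is whatever the calling job grants (on this page, ci.yml's `base_tests` job grants `contents: read` and `checks: write`). A called workflow can only keep or narrow the permissions the caller passes in, so declaring `permissions:` / `contents: read` / `checks: write` here documents the floor this workflow actually needs and stops a future caller that grants more from silently widening it.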
2 changes: 1 addition & 1 deletion .github/workflows/build-no-proxy.yml
@@ -1,7 +1,7 @@
name: Build Without Go Proxy

on:
push:
workflow_call:

jobs:
build-no-proxy:
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
@@ -1,7 +1,7 @@
name: Build

on:
push:
workflow_call:

Comment on lines 3 to 5

🛠️ Refactor suggestion

Reusable conversion approved; expose inputs for matrix control and set permissions.

Allow the orchestrator to pass a subset of OS/arch to shorten slow builds when not needed.

 on:
-  workflow_call:
+  workflow_call:
+    inputs:
+      matrix_include:
+        description: 'YAML/JSON list for matrix.include (os/arch pairs)'
+        required: false
+        type: string
+    secrets: {}

Then, adapt the matrix to read from input when provided (outside the selected range):

strategy:
  matrix:
    include: ${{ inputs.matrix_include && fromJSON(inputs.matrix_include) || matrix.include }}

Also add:

permissions:
  contents: read
🤖 Prompt for AI Agents
In .github/workflows/build.yml around lines 3 to 5, the reusable workflow does
not expose inputs for controlling the OS/arch matrix nor set repository
permissions; add inputs for matrix control (e.g., matrix_include as a string)
under workflow_call so the orchestrator can pass a JSON subset, then update the
job strategy matrix to prefer the input when present (use the conditional:
include: ${{ inputs.matrix_include && fromJSON(inputs.matrix_include) ||
matrix.include }}), and add permissions: contents: read at the top-level of the
workflow so the reusable workflow has read access to repository contents.

jobs:
build:
62 changes: 62 additions & 0 deletions .github/workflows/ci.yml
@@ -0,0 +1,62 @@
name: CI

on:
push:

jobs:
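
Review bot: `on:` / `push:` with no `pull_request` trigger means none of the jobs below run for pull requests, and the file declares no top-level `permissions:` block, so every job that omits its own (the `build` and `build_no_proxy` jobs later in this hunk) runs with the repository's default token permissions. Suggest adding `permissions:` / `contents: read` directly under `name: CI` so the default for the whole orchestrator is read-only and only the jobs that explicitly set `checks: write` or `id-token: write` widen it.
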
Comment on lines +3 to +6

🛠️ Refactor suggestion

Add pull_request + workflow_dispatch triggers, default least-privilege permissions, and cancel-in-progress concurrency

This centralizes CI while ensuring PRs run, manual runs are possible, and redundant in-flight runs are canceled on new pushes to the same ref. Also sets minimal default GITHUB_TOKEN permissions.

Apply:

 name: CI

-on:
-  push:
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
🤖 Prompt for AI Agents
In .github/workflows/ci.yml around lines 3-6, the workflow only triggers on push
and lacks least-privilege default permissions and concurrency control; update
the top-level YAML to include on: push, pull_request, and workflow_dispatch
triggers, add a minimal default permissions block (for example permissions:
contents: read, packages: read — adjust if your jobs need more), and add a
concurrency block (group: ${{ github.workflow }}-${{ github.ref }},
cancel-in-progress: true) so manual runs are possible, PRs trigger CI, runs use
least privilege, and in-flight runs for the same ref are cancelled.

lint:
uses: ./.github/workflows/lint.yml
secrets: inherit

precommit:
uses: ./.github/workflows/precommit.yml
secrets: inherit

codespell:
uses: ./.github/workflows/codespell.yml
secrets: inherit

markdownlint:
uses: ./.github/workflows/markdownlint.yml
secrets: inherit

license_check:
uses: ./.github/workflows/license-check.yml
secrets: inherit
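
Review bot: `secrets: inherit` on `lint`, `precommit`, `codespell`, `markdownlint` and `license_check` forwards every repository and organization secret to those callees, yet none of the corresponding hunks on this page (lint.yml, precommit.yml, codespell.yml, markdownlint.yml, license-check.yml) declares a `secrets:` block under `workflow_call:`, so nothing in the visible changes shows these five jobs consuming a secret. Drop `secrets: inherit` from them, or pass named secrets with `secrets:` / `NAME: ${{ secrets.NAME }}`, and keep `inherit` only for the test jobs whose callees are shown to depend on secrets.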

Comment on lines +7 to +26

💡 Verification agent

🧩 Analysis chain

Verify all referenced reusable workflows are switched to workflow_call and inputs/secrets match

Given the conversion, ensure each callee has on: workflow_call and that any required inputs match (none provided here). This avoids silent dispatch failures.

Also applies to: 27-44, 45-60

🏁 Script executed:

#!/bin/bash
set -euo pipefail

files=(
  ".github/workflows/lint.yml"
  ".github/workflows/precommit.yml"
  ".github/workflows/codespell.yml"
  ".github/workflows/markdownlint.yml"
  ".github/workflows/license-check.yml"
  ".github/workflows/base-test.yml"
  ".github/workflows/build.yml"
  ".github/workflows/build-no-proxy.yml"
  ".github/workflows/integration-test.yml"
  ".github/workflows/oidc-integration-test.yml"
)

echo "Checking reusable workflow configuration..."
for f in "${files[@]}"; do
  if [[ ! -f "$f" ]]; then
    echo "MISSING: $f"
    continue
  fi
  echo "---- $f"
  rg -n "^\s*on:\s*workflow_call" "$f" || echo "WARNING: $f is not configured with on: workflow_call"
  echo "Declared inputs (if any):"
  rg -n "^\s*inputs:" -n "$f" -A 50 | sed '/^\s*outputs:/,$d' || true
  echo
done

echo "If any workflow declares required inputs, add a with: { ... } block to the corresponding job in ci.yml."

Length of output: 6429

Add on: workflow_call to all referenced reusable workflows

All of the workflows invoked from ci.yml currently lack a workflow_call trigger. To ensure they can be dispatched without silent failures, each of the following files must begin with:

on:
  workflow_call:
    # define inputs here if the workflow requires any

• .github/workflows/lint.yml
• .github/workflows/precommit.yml
• .github/workflows/codespell.yml
• .github/workflows/markdownlint.yml
• .github/workflows/license-check.yml
• .github/workflows/base-test.yml
• .github/workflows/build.yml
• .github/workflows/build-no-proxy.yml
• .github/workflows/integration-test.yml
• .github/workflows/oidc-integration-test.yml

Since none of these declare required inputs, no with: blocks are currently needed in ci.yml. If you later add inputs to any reusable workflow, remember to pass them in the corresponding job’s with: section.
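
A quick static check, added here as an example (it is not part of the PR and not the reviewer's script above), that extends the verification in this thread to the two other points raised across the review: whether a workflow file sets a top-level `permissions:` block and which caller jobs forward everything with `secrets: inherit`. It matches text with grep and awk rather than parsing YAML, assumes the two-space indentation these workflows use, and runs against constructed sample files written to a temporary directory, not against the repository.

```shell
#!/bin/sh
# Added example: audit GitHub Actions workflow files for the three properties
# discussed in this review. Text matching only (no YAML parser); it assumes the
# two-space indentation used in this repository's workflows.

# Exit 0 if the file is callable as a reusable workflow (indented workflow_call: key).
has_workflow_call() {
  grep -Eq '^[[:space:]]+workflow_call:' "$1"
}

# Exit 0 if the file sets its own GITHUB_TOKEN scope with a column-0 permissions: block.
has_top_level_permissions() {
  grep -Eq '^permissions:' "$1"
}

# Print the name of every job that forwards all secrets with `secrets: inherit`.
# A job header is a two-space-indented key with nothing after the colon; the
# inherit line sits four spaces deep underneath it.
jobs_with_inherit() {
  awk '
    /^  [A-Za-z_][A-Za-z0-9_-]*:[ \t]*$/ { job = $1; sub(":", "", job) }
    /^    secrets:[ \t]*inherit[ \t]*$/  { print job }
  ' "$1"
}

# Constructed sample files shaped like the callee and orchestrator in this PR.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/lint.yml" <<'EOF'
name: Lint

on:
  workflow_call:

jobs:
  lint:
    runs-on: ubuntu-latest
EOF
  cat > "$dir/ci.yml" <<'EOF'
name: CI

on:
  push:

permissions:
  contents: read

jobs:
  lint:
    uses: ./.github/workflows/lint.yml
    secrets: inherit

  build:
    uses: ./.github/workflows/build.yml
EOF
  printf '%s\n' "$dir"
}

# Print one finding per line for every .yml file in a directory.
audit_dir() {
  for f in "$1"/*.yml; do
    has_top_level_permissions "$f" ||
      echo "$f: no top-level permissions block (token scope falls back to caller or repository default)"
    for j in $(jobs_with_inherit "$f"); do
      echo "$f: job '$j' uses secrets: inherit; pass only the secrets the callee declares"
    done
  done
}

audit_dir "$(make_samples)"
```

Run it against a real checkout with `audit_dir .github/workflows`; an empty report means every file declares its own token scope and no caller forwards secrets wholesale.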

base_tests:
needs: [lint, precommit, codespell, markdownlint, license_check]
uses: ./.github/workflows/base-test.yml
permissions:
contents: read
checks: write
secrets: inherit

build:
needs: [lint, precommit, codespell, markdownlint, license_check]
uses: ./.github/workflows/build.yml
secrets: inherit

build_no_proxy:
needs: [lint, precommit, codespell, markdownlint, license_check]
uses: ./.github/workflows/build-no-proxy.yml
secrets: inherit

integration_tests:
needs: [base_tests, build, build_no_proxy]
uses: ./.github/workflows/integration-test.yml
permissions:
contents: read
checks: write
secrets: inherit
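
Review bot: `base_tests` and `integration_tests` pin `permissions:` to `contents: read` / `checks: write`, but `build` and `build_no_proxy` set none, and since this file has no top-level `permissions:` block those two jobs (and the reusable workflows they call) run with the repository's default token. Add `permissions:` / `contents: read` to both build jobs so every `uses:` job in the file carries an explicit, minimal scope.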

Comment on lines +45 to +52

💡 Verification agent

❓ Verification inconclusive

Guard integration tests on forked PRs and set a timeout

Secrets are not available to workflows on pull_request from forks. Guard to skip instead of fail, and add a sensible timeout to avoid hung runs.

   integration_tests:
     needs: [base_tests, build, build_no_proxy]
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     uses: ./.github/workflows/integration-test.yml
     permissions:
       contents: read
       checks: write
+    timeout-minutes: 90
     secrets: inherit

If your integration tests are expected to run on forked PRs (without secrets), reply and I can propose a paths-filter + conditional to only run a non-secret subset. Otherwise, verify the skip behavior matches expectations.

Guard integration tests on forked PRs and add a timeout

Integration tests rely on inherited secrets, which are not available for workflows triggered by pull_request from forked repos—causing failures. Skip the job for forked PRs and set a sensible timeout to prevent hung runs:

• File: .github/workflows/ci.yml (lines 45–52)
• Replace with:

 integration_tests:
   needs: [base_tests, build, build_no_proxy]
+  if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
   uses: ./.github/workflows/integration-test.yml
   permissions:
     contents: read
     checks: write
+  timeout-minutes: 90
   secrets: inherit

If you still need to run a subset of integration tests on forked PRs (without secrets), let me know and I can suggest a conditional paths filter. Otherwise, please apply this guard to avoid broken or hung CI runs.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-  integration_tests:
-    needs: [base_tests, build, build_no_proxy]
-    uses: ./.github/workflows/integration-test.yml
-    permissions:
-      contents: read
-      checks: write
-    secrets: inherit
+  integration_tests:
+    needs: [base_tests, build, build_no_proxy]
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+    uses: ./.github/workflows/integration-test.yml
+    permissions:
+      contents: read
+      checks: write
+    timeout-minutes: 90
+    secrets: inherit
🤖 Prompt for AI Agents
In .github/workflows/ci.yml around lines 45 to 52, the integration_tests job
must be skipped for pull requests from forked repos and have a timeout to avoid
hanging; add an if condition to only run when the event is not a pull_request or
the pull_request head repo matches the current repository (use: if:
github.event.pull_request == null ||
github.event.pull_request.head.repo.full_name == github.repository) and add a
timeout-minutes value (e.g., timeout-minutes: 60) under the job definition so
the workflow exits after a sensible period.

oidc_integration_tests:
needs: [base_tests, build, build_no_proxy]
uses: ./.github/workflows/oidc-integration-test.yml
permissions:
id-token: write
contents: read
checks: write
secrets: inherit
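
Review bot: `oidc_integration_tests` combines `id-token: write` with `secrets: inherit` and, through `on:` / `push:` at the top of the file, runs on every push to any ref, so any branch pushed to this repository can request an OIDC token and present it to the cloud roles the test signs in to. The cloud-side trust policies should condition on the token's `sub` claim (repository plus ref), not on the repository alone, and `id-token: write` should stay scoped to this job as it is here rather than being lifted to the file's top level.
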
Comment on lines +53 to +60

💡 Verification agent

🧩 Analysis chain

Guard OIDC integration tests on forked PRs and set a timeout

Same motivation as the non-OIDC integration suite. Keeps forks green without exposing secrets and avoids hangs.

   oidc_integration_tests:
     needs: [base_tests, build, build_no_proxy]
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     uses: ./.github/workflows/oidc-integration-test.yml
     permissions:
       id-token: write
       contents: read
       checks: write
+    timeout-minutes: 90
     secrets: inherit

🏁 Script executed:

#!/bin/bash
set -e
echo "Searching in ci.yml for non-OIDC integration_tests job"
rg -n "integration_tests:" .github/workflows/ci.yml || true

echo
echo "Searching for timeout-minutes usage across all workflow files"
rg -n "timeout-minutes" .github/workflows || true

Length of output: 422

🏁 Script executed:

#!/bin/bash
set -e
echo "Showing lines around the non-OIDC integration_tests job for context"
rg -n -C5 "integration_tests:" .github/workflows/ci.yml

Length of output: 812

Guard OIDC integration tests on forked PRs and set a timeout

Same motivation as the non-OIDC integration suite: keeps forks green without exposing secrets and prevents hung jobs.

• File: .github/workflows/ci.yml
Job: oidc_integration_tests (lines 53–60)

Suggested diff:

   oidc_integration_tests:
     needs: [base_tests, build, build_no_proxy]
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
     uses: ./.github/workflows/oidc-integration-test.yml
     permissions:
       id-token: write
       contents: read
       checks: write
+    timeout-minutes: 90
     secrets: inherit

This will skip OIDC tests on forked PRs and fail any run exceeding 90 minutes.

🤖 Prompt for AI Agents
In .github/workflows/ci.yml around lines 53 to 60, the oidc_integration_tests
job must be skipped for forked PRs and bounded to 90 minutes; update the job to
include an if guard that only runs when not a pull_request from a fork (for
example: github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository) and add
timeout-minutes: 90 to the job definition so any run longer than 90 minutes will
fail.

2 changes: 1 addition & 1 deletion .github/workflows/codespell.yml
@@ -1,7 +1,7 @@
name: Codespell

on:
push:
workflow_call:

jobs:
codespell:
2 changes: 1 addition & 1 deletion .github/workflows/integration-test.yml
@@ -1,7 +1,7 @@
name: Integration Tests

on:
push:
workflow_call:

Comment on lines 3 to 5

🛠️ Refactor suggestion

Reusable conversion looks good; explicitly declare required secrets and inputs.

This workflow consumes many secrets via the setup and test steps. Make the requirements explicit to prevent accidental silent failures at call time and to document contract.

 on:
-  workflow_call:
+  workflow_call:
+    inputs:
+      include_matrix:
+        description: 'Subset of integrations to run (JSON/YAML list of matrix entries)'
+        required: false
+        type: string
+    secrets:
+      GHA_DEPLOY_KEY:
+        required: false
+      AWS_ACCESS_KEY_ID:
+        required: false
+      AWS_SECRET_ACCESS_KEY:
+        required: false
+      AWS_TEST_OIDC_ROLE_ARN:
+        required: false
+      GCLOUD_SERVICE_KEY:
+        required: false
+      GOOGLE_CLOUD_PROJECT:
+        required: false
+      GOOGLE_COMPUTE_ZONE:
+        required: false
+      GOOGLE_IDENTITY_EMAIL:
+        required: false
+      GOOGLE_PROJECT_ID:
+        required: false
+      GCLOUD_SERVICE_KEY_IMPERSONATOR:
+        required: false
+      AWS_TEST_S3_ASSUME_ROLE:
+        required: false

Add least-privilege permissions (outside selected range). If any test uses OIDC, add id-token: write for that job only:

permissions:
  contents: read
  # id-token: write  # enable only if OIDC tests are run in this workflow
🤖 Prompt for AI Agents
In .github/workflows/integration-test.yml around lines 3 to 5, the reusable
workflow does not explicitly declare the required inputs/secrets or
least-privilege permissions, which can lead to silent failures when called;
update the workflow metadata to add an inputs and secrets section enumerating
every secret and required input the steps use (with descriptions and required:
true where applicable) and add a permissions block granting only needed scopes
(for example contents: read) and document/comment that id-token: write should be
added only for the job that uses OIDC; ensure the inputs/secrets names match
callers and update README/docs if needed.

jobs:
test:
2 changes: 1 addition & 1 deletion .github/workflows/license-check.yml
@@ -1,7 +1,7 @@
name: License Check

on:
push:
workflow_call:

jobs:
license-check:
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
@@ -1,7 +1,7 @@
name: Lint

on:
push:
workflow_call:

Comment on lines 3 to 5

💡 Verification agent

🧩 Analysis chain

Good conversion to a reusable workflow; consider formalizing inputs/secrets and least-privilege permissions.

Switching to workflow_call is correct. To make this reusable workflow more robust and self-documenting, define explicit inputs/secrets and set minimal permissions. This clarifies the contract for callers and tightens security.

Apply this diff to expand workflow_call with optional inputs (example) and declare no required secrets for now:

 on:
-  workflow_call:
+  workflow_call:
+    inputs:
+      go_version:
+        description: 'Go toolchain version (mise will resolve)'
+        required: false
+        type: string
+      golangci_lint_cache_path:
+        description: 'Path to golangci-lint cache on runner'
+        required: false
+        type: string
+    secrets: {}

Then set least-privilege permissions at the workflow level (outside the selected range; add near the top-level keys):

permissions:
  contents: read

If you want, I can propagate the same pattern to all reusable workflows in this PR and wire inputs from the new orchestrator.

🏁 Script executed:

#!/bin/bash
# Inspect the presence and context of workflow_call, inputs, secrets, and permissions in lint.yml
echo "---- snippet around workflow_call ----"
rg -n "workflow_call" -A5 -B5 .github/workflows/lint.yml || true

echo -e "\n---- top of lint.yml (first 20 lines) ----"
sed -n '1,20p' .github/workflows/lint.yml

Length of output: 764

Formalize reusable workflow inputs/secrets and enforce least-privilege permissions

This workflow currently exposes workflow_call without any declared inputs, secrets, or explicit permissions. Defining them makes the contract clearer for callers and tightens security.

• File: .github/workflows/lint.yml
• Location: around lines 3–5 (the on: workflow_call: block)
• Also add a top-level permissions section (immediately under name:)

Suggested changes:

 name: Lint
+
+permissions:
+  contents: read
 on:
   workflow_call:
+    inputs:
+      go_version:
+        description: 'Go toolchain version (mise will resolve)'
+        required: false
+        type: string
+      golangci_lint_cache_path:
+        description: 'Path to golangci-lint cache on runner'
+        required: false
+        type: string
+    secrets: {}
 jobs:
   lint:
     runs-on: ubuntu-latest
📝 Committable suggestion

Suggested change
-on:
-  push:
-  workflow_call:
+name: Lint
+permissions:
+  contents: read
+on:
+  workflow_call:
+    inputs:
+      go_version:
+        description: 'Go toolchain version (mise will resolve)'
+        required: false
+        type: string
+      golangci_lint_cache_path:
+        description: 'Path to golangci-lint cache on runner'
+        required: false
+        type: string
+    secrets: {}
+jobs:
+  lint:
+    runs-on: ubuntu-latest
🤖 Prompt for AI Agents
.github/workflows/lint.yml around lines 3 to 5: the workflow_call trigger is
declared with no explicit inputs, secrets or permissions; update the on:
workflow_call block to declare named inputs and any required secrets (with types
and required: true/false) that callers must provide, and add a top-level
permissions section immediately under the name: key that grants only the minimal
rights needed (for example set contents: read, actions: read, pull-requests:
write or as appropriate), ensuring each permission is the least-privilege
option; also document default values and required flags for inputs so callers
have a clear contract.

jobs:
lint:
2 changes: 1 addition & 1 deletion .github/workflows/markdownlint.yml
@@ -1,7 +1,7 @@
name: Markdown Lint

on:
push:
workflow_call:

Comment on lines 3 to 5

🛠️ Refactor suggestion

Reusable workflow conversion is fine; add inputs and restrict permissions.

Let callers customize globs and keep permissions minimal.

 on:
-  workflow_call:
+  workflow_call:
+    inputs:
+      globs:
+        description: 'Markdown file globs to lint (newline separated)'
+        required: false
+        type: string
+    secrets: {}

Add (outside selected range):

permissions:
  contents: read
🤖 Prompt for AI Agents
In .github/workflows/markdownlint.yml around lines 3 to 5, the reusable workflow
currently only declares workflow_call; update it to accept configurable glob
inputs and restrict permissions: add a workflow_call.inputs block exposing at
least a globs input (string or array) with a sensible default so callers can
customize file globs, and add a top-level permissions block (outside the shown
lines) setting contents: read to minimize token scope. Ensure inputs are
documented in the workflow and referenced where the lint job reads file
patterns.

jobs:
markdownlint:
2 changes: 1 addition & 1 deletion .github/workflows/oidc-integration-test.yml
@@ -5,7 +5,7 @@
name: OIDC Integration Tests

on:
push:
workflow_call:

permissions:
id-token: write
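
Review bot: the workflow-level `permissions:` / `id-token: write` at the end of this hunk applies to every job in the file, not only the one that exchanges the OIDC token, and now that the trigger is `workflow_call:` it only takes effect when the caller grants `id-token: write` as well (ci.yml's `oidc_integration_tests` job on this page does). Consider moving `id-token: write` onto the job that actually requests the token and adding `contents: read` beside it, so the file states both the minimum and the one job that needs the elevated scope.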
2 changes: 1 addition & 1 deletion .github/workflows/precommit.yml
@@ -1,7 +1,7 @@
name: Pre-commit

on:
push:
workflow_call:

jobs:
precommit: