Actions PR pipeline #3368
Actions PR pipeline #3368
Conversation
…rovements This commit significantly optimizes the GitHub Actions PR pipeline to reduce build times and runner costs while improving developer experience. Key optimizations: - Dynamic matrix generation: Only builds apps mentioned in PR body, eliminating wasted runner time from jobs that skip all steps - Enhanced Gradle caching: Added build cache and more granular cache keys for better hit rates (saves 2-5 minutes per build) - Gradle performance flags: Enabled parallel execution, configuration cache, and optimized JVM settings (saves 3-7 minutes per build) - Shallow clone: Added fetch-depth: 1 to all checkouts (saves 30-60 seconds) - Removed unit-test dependency: UI/E2E tests now only depend on build job, allowing parallel execution (saves 5-10 minutes) - Batch artifact uploads: Combined 3 separate uploads into 1 per app with compression and retention settings - Firebase CLI caching: Cache npm global packages to speed up Firebase CLI installation (saves 30-45 seconds) - Sticky QR code comments: Firebase distribution comments now update in place rather than creating duplicates, with timestamps and commit links - Consolidated Firebase App ID setup: Replaced 3 conditional steps with 1 case statement - Fixed bugs: Removed jq dependencies, fixed e2e-tests job name, updated artifact download logic Expected performance gains: - Per PR (single app): 8-12 minutes faster - Per PR (all 3 apps): 10-15 minutes faster - Runner minute savings: 30-40% reduction - Improved cache hit rates and faster subsequent builds 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
The hashFiles() function was incorrectly using multiple separate calls
which caused parsing errors in GitHub Actions. Consolidated all glob
patterns into a single hashFiles() call and simplified restore-keys.
This fixes the build failures where the workflow would fail with:
'hashFiles('**/*.gradle*, ...) failed. Fail to hash files under directory'
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Changes: - Split invalid '**/*.gradle*' into explicit '**/*.gradle' and '**/*.gradle.kts' - Changed 'gradle.properties' to '**/gradle.properties' to catch all instances - Fixed buildSrc path from '**/buildSrc/**/*.kt' to 'apps/buildSrc/src/**/*.kt' All patterns now match actual files in the repository: - 24 .gradle files - 8 .gradle.kts files - 2 gradle-wrapper.properties files - 3 gradle.properties files - 4 Kotlin files in apps/buildSrc/src/ This resolves the hashFiles parsing error in GitHub Actions.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
GitHub Actions hashFiles() doesn't properly handle multiple comma-separated
patterns in a single call. Split into separate hashFiles() calls:
- hashFiles('**/*.gradle') for Groovy build files
- hashFiles('**/*.gradle.kts') for Kotlin build files
This approach avoids the parsing issues and generates proper cache keys.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
📊 Code Coverage Report✅ Student
✅ Teacher
✅ Pandautils
📈 Overall Average
|
Using the exact pattern from actions/cache documentation:
hashFiles('**/*.gradle*', '**/gradle-wrapper.properties')
This is the recommended pattern for Gradle projects and should work
correctly with GitHub Actions' hashFiles function.
Use only gradle-wrapper.properties for cache key to avoid hashFiles errors. This is the most critical file for Gradle cache invalidation as it determines the Gradle version. Testing with minimal pattern to isolate the hashFiles issue.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
The TimingsListener is incompatible with Gradle's configuration cache (--configuration-cache flag). Removing it allows us to use configuration cache for faster builds. The listener is no longer used and can be safely removed.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
The project has multiple configuration cache incompatibilities: - Task.project access at execution time in dataseedingapi/build.gradle - Project serialization issues in various tasks - Custom build listeners (TimingsListener was removed but issues remain) Removing --configuration-cache to allow builds to succeed. We still get benefits from --build-cache, --parallel, and other optimizations.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Optimizations added: 1. Shallow git clones (fetch-depth: 1) - Faster checkout 2. Enhanced Gradle caching: - Cache Gradle packages (~/.gradle/caches, ~/.gradle/wrapper) - Cache Gradle build cache (build-cache-* and .gradle directory) 3. Gradle performance tuning flags: - --build-cache: Use Gradle build cache - --parallel: Run tasks in parallel - --max-workers=4: Limit parallel workers - --no-daemon: Disable daemon for CI - -Dorg.gradle.jvmargs="-Xmx4g": Increase heap size - -Dkotlin.compiler.execution.strategy=in-process: Faster Kotlin compilation Also removed TimingsListener from student/build.gradle (incompatible with future config cache support)
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Replace 3 matrix-based test jobs with 12 individual jobs: Unit Tests (3 jobs): - parent-unit-tests - student-unit-tests - teacher-unit-tests UI Tests (6 jobs): - parent-portrait-ui-tests - parent-landscape-ui-tests - student-portrait-ui-tests - student-landscape-ui-tests - teacher-portrait-ui-tests - teacher-landscape-ui-tests E2E Tests (3 jobs): - parent-e2e-tests - student-e2e-tests - teacher-e2e-tests Benefits: - Each test job can be retried independently - Flaky tests don't block other tests - Better visibility in GitHub Actions UI - Clearer dependencies (no matrix complexity) - Easier debugging with explicit job names All jobs include performance optimizations: - Gradle flags: --build-cache, --parallel, --max-workers=4 - Shallow clones: fetch-depth: 1 - Enhanced caching for Gradle packages and build cache
…heckbox present in PR body
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
- Fix unit test Gradle commands by using multiline format - Increase JVM heap size to 6GB (matching apps/gradle.properties) - Restore sticky QR code comments with hidden HTML identifiers - Remove jq dependency with pure bash URL encoding - Configure UI tests to run automatically on PR open/sync - Configure E2E tests to run when "Run E2E test suite" is in PR body 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
There was a problem hiding this comment.
PR Review Summary
This PR introduces a comprehensive GitHub Actions workflow for PR validation and removes a build timing listener. Overall, this is a significant improvement to the CI/CD pipeline. Here are the key findings:
Positive Aspects
- Comprehensive test coverage with unit tests, UI tests (portrait/landscape), and E2E tests
- Multi-app support (Parent, Student, Teacher) with conditional execution
- Firebase App Distribution integration for QA testing
- Build caching and parallelization for performance
- Proper artifact management and uploads
Key Concerns
Security (High Priority)
- Service account credentials and keystores are written to disk without cleanup
- Consider using workload identity federation or ensuring sensitive files are deleted
- The ACCESS_TOKEN permissions should be documented and minimized
Code Quality (Medium Priority)
- Significant duplication across jobs (~1000 lines could be reduced to ~300 with reusable workflows)
- Consider extracting common patterns into composite actions or reusable workflows
- Complex conditional logic could be simplified with a dedicated setup step
Reliability (Medium Priority)
- Fragile string parsing for Firebase URLs and test results
- Third-party QR code service dependency without fallback
- Missing error handling for artifact operations
Performance (Low Priority)
- Building 3 variants with 6GB heap + 4 workers might cause OOM on standard runners
- Monitor resource usage and consider splitting if issues arise
Recommendations
- Immediate: Address security concerns around credential handling
- Before merge: Add error handling for critical path operations
- Future iteration: Refactor to use reusable workflows to reduce duplication
- Documentation: Add comments explaining non-obvious choices (Bitrise variable names, test exclusions, etc.)
The workflow is functional and represents a solid foundation. The inline comments provide specific suggestions for each concern. Great work on the comprehensive test matrix!
| name: ${{ matrix.app-type-lower }}-build | ||
| runs-on: ubuntu-latest | ||
| if: >- | ||
| ( |
There was a problem hiding this comment.
The job condition logic is complex and could be more maintainable. Consider extracting the PR body parsing logic into a reusable composite action or using a dedicated step that sets outputs for each app type. This would make the conditions more readable and reduce duplication across jobs.
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: 'recursive' | ||
| fetch-depth: 1 |
There was a problem hiding this comment.
Security Concern: The ACCESS_TOKEN secret is being used for checkout. Ensure this token has the minimal required permissions (ideally read-only for submodules). Consider documenting what permissions this token requires in the repository's security documentation.
| restore-keys: | | ||
| ${{ runner.os }}-gradle-build-cache- | ||
| - name: Decode Release Keystore |
There was a problem hiding this comment.
Security Concern: The keystore is being decoded to a file in the working directory. Consider using environment variables or GitHub's encrypted file storage instead. Also, ensure this file is cleaned up after use (currently it persists in the runner's workspace).
| echo "${{ secrets.ANDROID_RELEASE_KEYSTORE_B64 }}" | base64 --decode > release.jks | ||
| - name: Setup Service account | ||
| if: ${{ matrix.should_run }} |
There was a problem hiding this comment.
Security Concern: The Firebase service account key is written to disk. This creates a security risk if the runner is compromised. Consider using workload identity federation or at minimum, ensure the file is deleted in a cleanup step even if the job fails.
| FIREBASE_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_KEY }} | ||
| run: | | ||
| echo "${FIREBASE_SERVICE_ACCOUNT_KEY}" > service-account-key.json | ||
There was a problem hiding this comment.
The release notes extraction could fail if the PR title contains special characters or multi-line content. Consider adding validation or escaping, and potentially truncating very long titles. Also, using just the PR title might not be descriptive enough for testers - consider including a link to the full PR description.
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-gradle- | ||
There was a problem hiding this comment.
Code Quality: There's significant duplication across the portrait/landscape UI test jobs (lines 377-682). Consider extracting common steps into a reusable workflow or composite action. This would make the workflow more maintainable and reduce the risk of inconsistencies when updating test configurations.
| parent-e2e-tests: | ||
| name: parent-e2e-tests | ||
| runs-on: ubuntu-latest | ||
| if: >- |
There was a problem hiding this comment.
The E2E test jobs (parent, student, teacher) are almost identical except for the app name. This is prime candidate for using a matrix strategy or a reusable workflow. This would reduce the workflow size from ~1000 lines to a much more maintainable structure.
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/gradle-wrapper.properties') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-gradle- | ||
There was a problem hiding this comment.
The submodule build uses a different Gradle invocation pattern with the -DtestApplicationId flag. This looks like it's building the same module twice with different configurations. Consider documenting why this is necessary, as it's not immediately clear to someone unfamiliar with the project.
| - name: Build test and app APKs | ||
| run: | | ||
| ./gradle/gradlew -p apps :pandautils:assembleDebugAndroidTest | ||
| mv ./libs/pandautils/build/outputs/apk/androidTest/debug/pandautils-debug-androidTest.apk ./libs/pandautils/pandautils-test.apk |
There was a problem hiding this comment.
Test Coverage: The submodule unit tests explicitly exclude some modules: -x :dataseedingapi:test -x :teacher:test -x :student:test. While this might be intentional, consider:
- Documenting why these are excluded (likely because they're tested separately)
- Ensuring all module tests are actually run somewhere in the pipeline
- Adding a comment explaining the exclusion rationale
| // Comment out this line if the reporting logic starts going wonky. | ||
| gradle.addListener new TimingsListener(project) | ||
|
|
||
| apply plugin: 'com.google.gms.google-services' |
There was a problem hiding this comment.
Good cleanup! Removing the TimingsListener simplifies the build script. However, consider:
- Documenting why this was removed (was it causing issues? no longer needed?)
- If timing data was useful, consider alternative approaches like Gradle's built-in
--profileflag or build scans - Confirming this doesn't break any existing monitoring or reporting that depended on this listener
- Add file permissions (chmod 600) for sensitive files (keystore, service account) - Add secret validation with clear error messages - Add error handling for Firebase distribution operations - Add URL extraction validation - Add cleanup steps for sensitive files with always() condition - Applied to build job and parent-portrait-ui-tests job 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
There was a problem hiding this comment.
PR Review Summary
This PR introduces a comprehensive GitHub Actions workflow for pull request automation and removes an unused timing listener. Overall, the workflow is well-structured, but there are several areas that need attention:
Critical Issues
- Security: Several landscape test jobs are missing cleanup steps for
service-account-key.jsonfiles (lines 518, 550, etc.). This could leave sensitive credentials on runners. - Security: Inconsistent validation of service account secrets across jobs - some check for empty values, others don't.
- Security: Missing file permissions (
chmod 600) on service account keys in some jobs.
Best Practices
- The build configuration uses sensible Gradle optimizations (
--build-cache,--parallel,-Xmx6g) - Good use of
if: always()for cleanup steps (where present) - Proper concurrency control with
cancel-in-progress: true
Suggestions for Improvement
- Add consistent error handling and validation across all jobs
- Ensure all service account cleanup steps are present and consistent
- Consider removing debug logging of PR body once workflow is stable
- Add explanatory comments for excluded tests in submodule builds
- Document the removal of TimingsListener in commit message
Performance Considerations
- The 6GB heap allocation may be close to runner memory limits - monitor for OOM errors
- Consider caching strategies are appropriate for the project size
The workflow demonstrates good CI/CD practices overall. Please address the security issues before merging, particularly the missing cleanup steps for sensitive credentials.
| matrix: | ||
| include: | ||
| - app-type: Parent | ||
| app-type-lower: parent |
There was a problem hiding this comment.
The should_run matrix condition is evaluated but not used in the step conditions. Consider using if: ${{ matrix.should_run == 'true' }} instead of repeating if: ${{ matrix.should_run }} to be more explicit, or simplify by removing the matrix condition entirely since the job-level if already filters by PR body content.
| steps: | ||
| - name: Dump Pull Request Event Context | ||
| run: | | ||
| echo "body: ${{ github.event.pull_request.body }}" |
There was a problem hiding this comment.
Security consideration: This dumps the entire PR body and event context to logs. While useful for debugging, ensure this doesn't inadvertently log sensitive information if users include credentials or tokens in PR descriptions. Consider removing or gating this behind a debug flag once the workflow is stable.
| ${{ runner.os }}-gradle-build-cache- | ||
| - name: Decode Release Keystore | ||
| if: ${{ matrix.should_run }} |
There was a problem hiding this comment.
Security best practice: The keystore file permissions are set correctly to 600, but consider also setting set -e at the start of this script to ensure it fails fast if the decode fails. Currently, if the base64 decode fails, the script continues and may use an invalid/empty keystore.
| - name: Build Release Notes | ||
| if: ${{ matrix.should_run }} | ||
| id: get_release_notes | ||
| run: | |
There was a problem hiding this comment.
The heredoc EOF marker for release notes should ideally be quoted as 'EOF' to prevent variable expansion, though in this specific case it shouldn't cause issues. This is a best practice for shell heredocs in CI pipelines.
| :${{ matrix.app-type-lower }}:assembleQaDebugAndroidTest \ | ||
| :${{ matrix.app-type-lower }}:assembleDevDebugMinify \ | ||
| --build-cache \ | ||
| --parallel \ |
There was a problem hiding this comment.
Performance consideration: The build uses -Xmx6g which allocates 6GB of heap. Ensure the ubuntu-latest runners have sufficient memory (they typically have 7GB). If builds start failing with OOM errors, you may need to upgrade to larger runners or reduce parallelism.
| --no-daemon \ | ||
| -Dorg.gradle.jvmargs="-Xmx6g -XX:+HeapDumpOnOutOfMemoryError" \ | ||
| -Dkotlin.compiler.execution.strategy=in-process | ||
There was a problem hiding this comment.
Missing error handling: Unlike the parent job's "Setup Service account" step (line 88-96), this step doesn't check if GCLOUD_KEY is empty before writing to file. This inconsistency could lead to silent failures. Consider adding the same validation:
if [ -z "${FIREBASE_SERVICE_ACCOUNT_KEY}" ]; then
echo "Error: GCLOUD_KEY secret is not set"
exit 1
fi|
|
||
| - name: Setup Service account | ||
| env: | ||
| FIREBASE_SERVICE_ACCOUNT_KEY: ${{ secrets.GCLOUD_KEY }} |
There was a problem hiding this comment.
Inconsistency: The landscape test jobs don't set chmod 600 on the service-account-key.json file, unlike the portrait jobs (line 419) and the build job (line 96). For security consistency, all service account key files should have restricted permissions.
| service_account: './service-account-key.json' | ||
| flank_configuration_file: './flank.yml' | ||
|
|
||
| - name: Report test results to Splunk |
There was a problem hiding this comment.
Security issue: The parent landscape job is missing cleanup of service-account-key.json in an if: always() block. The parent portrait job has this at line 462-465. Please add the same cleanup step here to ensure sensitive files are always removed.
|
|
||
| - name: Setup Flank config | ||
| run: cp ./libs/pandautils/flank.yml ./flank.yml | ||
|
|
There was a problem hiding this comment.
Test coverage observation: The submodule UI tests don't report results to Splunk like the app-specific tests do. Is this intentional? If pandautils tests are equally important, consider adding the same reporting step for consistency and observability.
| // Comment out this line if the reporting logic starts going wonky. | ||
| gradle.addListener new TimingsListener(project) | ||
|
|
||
| apply plugin: 'com.google.gms.google-services' |
There was a problem hiding this comment.
Good cleanup! Removing the TimingsListener is fine, but consider documenting why it was removed in the PR description or commit message. Was this causing issues, or is timing data now captured elsewhere? This helps with project archaeology later.
|
Parent Install Page |
|
Teacher Install Page |
|
Student Install Page |
|
Student Install Page |
Apply security improvements to all remaining test jobs: - Add secret validation with error messages for all test jobs - Add chmod 600 for service account keys across all jobs - Add cleanup steps with always() condition for all test jobs Security improvements now applied to: - 6 UI test jobs (portrait + landscape for parent/student/teacher) - 3 E2E test jobs (parent/student/teacher) All critical security issues from AI review are now resolved. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
…feedback - On PR synchronize events, Claude now reads and updates its previous reviews instead of creating new ones - Implemented checkbox-based progress tracking for identified issues - Inline comments now reserved for change requests only; positive feedback stays in summary - Added GitHub MCP tools for review management: list_reviews, get_review, list_review_comments, update_review_comment 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
|
Student Install Page |
affects: Student, Teacher, Parent