From 0fd0402bb775a39bb7f77ef2201941310a22ffce Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 16 Oct 2025 09:09:10 +0000
Subject: [PATCH 1/7] ci: consolidate runner selection
---
 .github/workflows/continuous-integration.yml | 2 +-
 .github/workflows/wc-build-push-test.yml | 12 ++++--------
 .github/workflows/wc-build-push.yml | 11 +++--------
 .github/workflows/wc-dependency-review.yml | 6 +++---
 .github/workflows/wc-integration-test.yml | 3 +--
 .github/workflows/wc-sanitize-image-name.yml | 2 +-
 6 files changed, 13 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 99d13f86..4985568e 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -14,7 +14,7 @@ permissions: {}
 jobs:
 build-push-test:
- name: ๐Ÿ› ๏ธ Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }})
+ name: Build โ†’ Push โ†’ Test (๐Ÿจ ${{ matrix.flavor }})
 strategy:
 matrix:
 flavor: [cpp, rust]
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
index 170a930c..702c4e92 100644
--- a/.github/workflows/wc-build-push-test.yml
+++ b/.github/workflows/wc-build-push-test.yml
@@ -22,23 +22,19 @@ on:
 type: string
 default: "ghcr.io"
 build-test-runner-labels:
- description: >-
- JSON object passed to fromJson to become the build matrix. Example:
- '["ubuntu-latest", "ubuntu-24.04-arm"]'
+ description: 'JSON array used for build matrix (e.g. ["ubuntu-latest", "ubuntu-24.04-arm"]). Must be valid JSON.'
 required: false
 type: string
 default: '["ubuntu-latest", "ubuntu-24.04-arm"]'
 runner-labels:
 description: >-
- Single runner label OR JSON array of runner labels for non-build jobs.
+ JSON array of runner labels for non-build jobs.
 Examples:
- ubuntu-latest
 '["ubuntu-latest"]'
 '["self-hosted", "linux", "x86_64"]'
- Provide a valid JSON array (starting with '[') to use multiple labels; any other value is treated as a single label string.
 required: false
 type: string
- default: ubuntu-latest
+ default: '["ubuntu-latest"]'
 integration-test-file:
 description: "Path to the BATS test file to run for integration tests"
 required: false
@@ -96,7 +92,7 @@ jobs:
 if: ${{ inputs.integration-test-file }}
 strategy:
 matrix:
- runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }}
+ runner: ${{ fromJson(inputs.build-test-runner-labels) }}
 needs: build-push
 uses: ./.github/workflows/wc-integration-test.yml
 permissions:
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index f03e791b..28346317 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
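Review bot: The `runner-labels` default changes from the bare label `ubuntu-latest` to the JSON array `'["ubuntu-latest"]'`, and every consumer now goes through `fromJson` without the previous string fallback, so a caller that still passes a plain label will fail at expression evaluation with a fromJson parse error rather than a clear message. Since these are reusable (`workflow_call`) workflows, that is a breaking interface change for existing callers and deserves an explicit sentence in the input description, e.g. `Plain label strings are no longer accepted; wrap a single label as '["label"]'.` The same applies to the `runner-labels` default changed in wc-dependency-review.yml further down in this patch.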
@@ -57,10 +57,10 @@ jobs:
 runner-labels: ${{ inputs.runner-labels }}
 build-push:
- name: ${{ matrix.runner }}
+ name: Build (${{ matrix.runner }})
 strategy:
 matrix:
- runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }}
+ runner: ${{ fromJson(inputs.build-test-runner-labels) }}
 runs-on: ${{ matrix.runner }}
 needs: sanitize-image-name
 permissions:
@@ -137,9 +137,7 @@ jobs:
 merge-image:
 name: ๐Ÿ”— Merge Image
- # Support either a plain single label (e.g. ubuntu-latest) OR a JSON array of labels.
- # If the input starts & ends with brackets we attempt JSON parsing; otherwise we pass the raw string.
- runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+ runs-on: ${{ fromJson(inputs.runner-labels) }}
 needs:
 - build-push
 - sanitize-image-name
@@ -159,9 +157,6 @@ jobs:
 with:
 disable-sudo: true
 egress-policy: audit
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- persist-credentials: false
 - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
 with:
 path: ${{ runner.temp }}/digests
diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml
index 1415f8d9..47a39576 100644
--- a/.github/workflows/wc-dependency-review.yml
+++ b/.github/workflows/wc-dependency-review.yml
@@ -5,17 +5,17 @@ on:
 workflow_call:
 inputs:
 runner-labels:
- description: "Runner to use for the job, will be passed to `runs-on`"
+ description: "JSON array of runner labels (default [\"ubuntu-latest\"]). Must be valid JSON."
 required: false
 type: string
- default: ubuntu-latest
+ default: '["ubuntu-latest"]'
 permissions: {}
 jobs:
 dependency-review:
 name: Review
- runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+ runs-on: ${{ fromJson(inputs.runner-labels) }}
 permissions:
 contents: read
 pull-requests: write
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
index cc7479d2..46144149 100644
--- a/.github/workflows/wc-integration-test.yml
+++ b/.github/workflows/wc-integration-test.yml
@@ -17,7 +17,6 @@ on:
 required: true
 type: string
 runner-labels:
- description: "Runner to use for the job, will be passed to `runs-on`"
 required: true
 type: string
 registry:
@@ -36,7 +35,7 @@ permissions: {}
 jobs:
 run-test:
 name: ๐Ÿงช Integration Test
- runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+ runs-on: ${{ fromJson(inputs.runner-labels) }}
 container:
 image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
 credentials:
diff --git a/.github/workflows/wc-sanitize-image-name.yml b/.github/workflows/wc-sanitize-image-name.yml
index 5629c4a4..878d37a2 100644
--- a/.github/workflows/wc-sanitize-image-name.yml
+++ b/.github/workflows/wc-sanitize-image-name.yml
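Review bot: The `@@ -17,7 +17,6` hunk in wc-integration-test.yml removes the only `description:` of the required `runner-labels` input and adds nothing in its place, so the input is undocumented from here on; patch 3 renames it to `build-test-runner-labels` and patch 5 drops the `registry` description in the same file, and neither restores a description. A one-line `description: "JSON array of runner labels; must be valid JSON, e.g. '[\"ubuntu-latest\"]'"` (matching the wording used for the same input in wc-build-push-test.yml) keeps the callee's contract self-describing, and `registry` should get its description back at the point it becomes required. Required inputs without a description are exactly the ones callers have to reverse-engineer from the job body.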
@@ -29,7 +29,7 @@ permissions: {}
 jobs:
 sanitize:
 name: Sanitize Image Name
- runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+ runs-on: ${{ fromJson(inputs.runner-labels) }}
 outputs:
 image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
 image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
From 963b084bdfac84c65f8c90010b3d3018c30fbf8d Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 16 Oct 2025 09:29:40 +0000
Subject: [PATCH 2/7] ci: fix execution of integration tests
---
 .github/workflows/wc-integration-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
index 46144149..57a3a77d 100644
--- a/.github/workflows/wc-integration-test.yml
+++ b/.github/workflows/wc-integration-test.yml
@@ -35,7 +35,7 @@ permissions: {}
 jobs:
 run-test:
 name: ๐Ÿงช Integration Test
- runs-on: ${{ fromJson(inputs.runner-labels) }}
+ runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
 container:
 image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
 credentials:
From 29e1369a499898852ca50a4f47cd47787e00ad0f Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 16 Oct 2025 09:35:12 +0000
Subject: [PATCH 3/7] ci: make build-push and integration-test symmetrical
---
 .github/workflows/wc-build-push-test.yml | 5 +----
 .github/workflows/wc-integration-test.yml | 9 ++++++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
index 702c4e92..b2e47104 100644
--- a/.github/workflows/wc-build-push-test.yml
+++ b/.github/workflows/wc-build-push-test.yml
@@ -90,9 +90,6 @@ jobs:
 integration-test:
 name: ๐Ÿงช
 if: ${{ inputs.integration-test-file }}
- strategy:
- matrix:
- runner: ${{ fromJson(inputs.build-test-runner-labels) }}
 needs: build-push
 uses: ./.github/workflows/wc-integration-test.yml
 permissions:
@@ -102,7 +99,7 @@ jobs:
 image-basename: ${{ needs.build-push.outputs.image-basename }}
 image-digest: ${{ needs.build-push.outputs.digest }}
 test-file: ${{ inputs.integration-test-file }}
- runner-labels: ${{ matrix.runner }}
+ build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
 acceptance-test:
 name: ๐Ÿ—๏ธ
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
index 57a3a77d..62166e3a 100644
--- a/.github/workflows/wc-integration-test.yml
+++ b/.github/workflows/wc-integration-test.yml
@@ -16,7 +16,7 @@ on:
 test-file:
 required: true
 type: string
- runner-labels:
+ build-test-runner-labels:
 required: true
 type: string
 registry:
@@ -34,8 +34,11 @@ permissions: {}
 jobs:
 run-test:
- name: ๐Ÿงช Integration Test
- runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+ name: ๐Ÿงช Integration Test (${{ matrix.runner }})
+ strategy:
+ matrix:
+ runner: ${{ fromJson(inputs.build-test-runner-labels) }}
+ runs-on: ${{ matrix.runner }}
 container:
 image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
 credentials:
From 9f364ce29003578c425b4ccd1635d4c322fe766c Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 16 Oct 2025 09:46:12 +0000
Subject: [PATCH 4/7] ci: use toJson in inputs that can be strings or arrays
---
 .github/workflows/wc-build-push.yml | 2 +-
 .github/workflows/wc-integration-test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index 28346317..b2dfbe21 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
@@ -57,7 +57,7 @@ jobs:
 runner-labels: ${{ inputs.runner-labels }}
 build-push:
- name: Build (${{ matrix.runner }})
+ name: Build (${{ toJson(matrix.runner) }})
 strategy:
 matrix:
 runner: ${{ fromJson(inputs.build-test-runner-labels) }}
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
index 62166e3a..ba9b13d3 100644
--- a/.github/workflows/wc-integration-test.yml
+++ b/.github/workflows/wc-integration-test.yml
@@ -34,7 +34,7 @@ permissions: {}
 jobs:
 run-test:
- name: ๐Ÿงช Integration Test (${{ matrix.runner }})
+ name: Integration Test (${{ toJson(matrix.runner) }})
 strategy:
 matrix:
 runner: ${{ fromJson(inputs.build-test-runner-labels) }}
From 79fda9e3fd77177edcccfc9ae4212b38903874e2 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 16 Oct 2025 10:57:55 +0000
Subject: [PATCH 5/7] ci: make sure we keep to our own conventions
---
 .github/workflows/wc-build-push-test.yml | 37 +++++++++++++++++++----
 .github/workflows/wc-build-push.yml | 2 +-
 .github/workflows/wc-integration-test.yml | 10 +++---
 3 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
index b2e47104..df501abd 100644
--- a/.github/workflows/wc-build-push-test.yml
+++ b/.github/workflows/wc-build-push-test.yml
@@ -9,26 +9,47 @@ on:
 required: true
 type: string
 image-name:
- description: "Name of the Docker image to build, without registry or tag. E.g. 'my-image' or 'my-org/my-image'"
+ description: >-
+ Name of the Docker image to build, without registry or tag.
+
+ Examples:
+ 'my-image'
+ 'my-org/my-image'
 required: true
 type: string
 devcontainer-metadata-file:
- description: "Path to a JSON file containing devcontainer metadata to add as a label to the built image"
+ description: >-
+ Path to a JSON file containing devcontainer metadata to add as a label to the built image.
+
+ Examples:
+ '.devcontainer/devcontainer-metadata.json'
+ '.devcontainer//devcontainer-metadata.json'
 required: false
 type: string
 registry:
- description: "Docker registry to push built containers to, DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD secrets must be set if not using GitHub Container Registry"
+ description: >-
+ Docker registry to push built containers to.
+ `DOCKER_REGISTRY_USERNAME` and `DOCKER_REGISTRY_PASSWORD` secrets must be set if not using GitHub Container Registry (ghcr.io).
 required: false
 type: string
 default: "ghcr.io"
 build-test-runner-labels:
- description: 'JSON array used for build matrix (e.g. ["ubuntu-latest", "ubuntu-24.04-arm"]). Must be valid JSON.'
+ description: >-
+ JSON array used to select multi-architecture runners for build and test jobs.
+ Must be valid JSON.
+
+ Examples:
+ '["ubuntu-latest"]'
+ '["ubuntu-latest", "ubuntu-24.04-arm"]'
+ '[["self-hosted", "linux", "x86_64"], ["self-hosted", "linux", "arm64"]]'
 required: false
 type: string
 default: '["ubuntu-latest", "ubuntu-24.04-arm"]'
 runner-labels:
 description: >-
- JSON array of runner labels for non-build jobs.
+ JSON array used to select the default linux runner for non-build jobs.
+ Must be valid JSON.
+
 Examples:
 '["ubuntu-latest"]'
 '["self-hosted", "linux", "x86_64"]'
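Review bot: The second example for `devcontainer-metadata-file`, `'.devcontainer//devcontainer-metadata.json'`, contains an empty path segment, which reads like a lost placeholder rather than an intended path; if it is meant to show a nested devcontainer directory, spell the placeholder out, e.g. `'.devcontainer/<subdir>/devcontainer-metadata.json'` (constructed), otherwise drop it. Independently, all of these descriptions use the folded `>-` style, under which consecutive lines of equal indentation are joined into one paragraph, so the `Examples:` lists only render one-per-line if the example lines are indented deeper than `Examples:` (indentation is not visible in this rendering); if the intent is one example per line, `|-` is the unambiguous choice. The nested-array example added for `build-test-runner-labels` is worth keeping, because it documents that `matrix.runner` can itself be an array, which the job `name:` expressions in wc-build-push.yml and wc-integration-test.yml have to render.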
@@ -94,12 +115,16 @@ jobs:
 uses: ./.github/workflows/wc-integration-test.yml
 permissions:
 contents: read
+ secrets:
+ DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
+ DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
 with:
+ build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
 fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }}
 image-basename: ${{ needs.build-push.outputs.image-basename }}
 image-digest: ${{ needs.build-push.outputs.digest }}
+ registry: ${{ inputs.registry }}
 test-file: ${{ inputs.integration-test-file }}
- build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
 acceptance-test:
 name: ๐Ÿ—๏ธ
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index b2dfbe21..90503c9c 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
@@ -57,7 +57,7 @@ jobs:
 runner-labels: ${{ inputs.runner-labels }}
 build-push:
- name: Build (${{ toJson(matrix.runner) }})
+ name: Build (${{ (startsWith(toJson(matrix.runner), '[') && endsWith(toJson(matrix.runner), ']')) && join(fromJson(matrix.runner), ', ') || matrix.runner }})
 strategy:
 matrix:
 runner: ${{ fromJson(inputs.build-test-runner-labels) }}
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
index ba9b13d3..a52393c6 100644
--- a/.github/workflows/wc-integration-test.yml
+++ b/.github/workflows/wc-integration-test.yml
@@ -20,21 +20,19 @@ on:
 required: true
 type: string
 registry:
- description: "Docker registry to push built containers to, DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD secrets must be set if not using GitHub Container Registry"
- required: false
+ required: true
 type: string
- default: "ghcr.io"
 secrets:
 DOCKER_REGISTRY_USERNAME:
- required: false
+ required: true
 DOCKER_REGISTRY_PASSWORD:
- required: false
+ required: true
 permissions: {}
 jobs:
 run-test:
- name: Integration Test (${{ toJson(matrix.runner) }})
+ name: Integration Test (${{ (startsWith(toJson(matrix.runner), '[') && endsWith(toJson(matrix.runner), ']')) && join(fromJson(matrix.runner), ', ') || matrix.runner }})
 strategy:
 matrix:
 runner: ${{ fromJson(inputs.build-test-runner-labels) }}
From 1b5ee3376c9d8baa4cbb83b689df142d7c1ec6cf Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 16 Oct 2025 11:39:00 +0000
Subject: [PATCH 6/7] ci: correct for array rendering
---
 .github/workflows/wc-build-push.yml | 2 +-
 .github/workflows/wc-integration-test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index 90503c9c..16d59a59 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
@@ -57,7 +57,7 @@ jobs:
 runner-labels: ${{ inputs.runner-labels }}
 build-push:
- name: Build (${{ (startsWith(toJson(matrix.runner), '[') && endsWith(toJson(matrix.runner), ']')) && join(fromJson(matrix.runner), ', ') || matrix.runner }})
+ name: Build (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }})
 strategy:
 matrix:
 runner: ${{ fromJson(inputs.build-test-runner-labels) }}
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
index a52393c6..f4118777 100644
--- a/.github/workflows/wc-integration-test.yml
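Review bot: `DOCKER_REGISTRY_USERNAME` and `DOCKER_REGISTRY_PASSWORD` become `required: true` in this callee, yet the caller's own contract in wc-build-push-test.yml (first hunk of this patch) says these secrets are only needed when `registry` is not ghcr.io, so a ghcr.io consumer that does not define them presumably fails validation of the nested call instead of pulling with the default token. Either keep `required: false` here (the caller already forwards both unconditionally in its `secrets:` block) or make them required at the top-level workflow as well, so the two contracts agree. The `secrets:` block in wc-build-push-test.yml that would settle which is intended is outside the hunk.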
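Review bot: The new `name:` expression tests `startsWith(matrix.runner, '[')` on the raw matrix value, but when `matrix.runner` is an actual array (the nested `'[["self-hosted", ...]]'` example in the input description) the expression runtime, as far as I know, stringifies non-scalars as the literal `Array` rather than as JSON, so the check is false and the `|| matrix.runner` branch renders that literal instead of the joined labels. `join()` accepts either a string or an array, so the whole conditional can collapse to `name: Build (${{ join(matrix.runner, ', ') }})`; the identical expression in the wc-integration-test.yml hunk of this patch reduces the same way. If the conditional is kept, the previous `toJson(matrix.runner)` form is the one that actually yields a string starting with `[` for an array.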
+++ b/.github/workflows/wc-integration-test.yml
@@ -32,7 +32,7 @@ permissions: {}
 jobs:
 run-test:
- name: Integration Test (${{ (startsWith(toJson(matrix.runner), '[') && endsWith(toJson(matrix.runner), ']')) && join(fromJson(matrix.runner), ', ') || matrix.runner }})
+ name: Integration Test (${{ (startsWith(matrix.runner, '[') && endsWith(matrix.runner, ']')) && join(matrix.runner, ', ') || matrix.runner }})
 strategy:
 matrix:
 runner: ${{ fromJson(inputs.build-test-runner-labels) }}
From 6167fc627378232f3362c103f9fd1c812dcecd0f Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 16 Oct 2025 12:26:43 +0000
Subject: [PATCH 7/7] ci: process linter feedback
---
 .github/workflows/wc-dependency-review.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml
index 47a39576..b3c49c2a 100644
--- a/.github/workflows/wc-dependency-review.yml
+++ b/.github/workflows/wc-dependency-review.yml
@@ -5,7 +5,13 @@ on:
 workflow_call:
 inputs:
 runner-labels:
- description: "JSON array of runner labels (default [\"ubuntu-latest\"]). Must be valid JSON."
+ description: >-
+ JSON array used to select the action runner.
+ Must be valid JSON.
+
+ Examples:
+ '["ubuntu-latest"]'
+ '["self-hosted", "linux", "x86_64"]'
 required: false
 type: string
 default: '["ubuntu-latest"]'