Fix GitHub Actions workflows: standardize runner config and remove duplication

KartalJelena · KartalJelena · commit d08053622cb4 · 2025-09-08T14:23:38.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,89 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  secrets_scan:
+    name: Secrets scan
+    uses: ./.github/workflows/secrets-scan.yml
+    secrets: inherit
+
+  notify_slack_success:
+    name: Notify success status to Slack
+    runs-on: ubuntu-latest
+    if: success() && github.ref == 'refs/heads/master' && github.event_name == 'push'
+    needs: [secrets_scan]
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+    steps:
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/actions/gsm-secrets@main
+        with:
+          workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+          service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+          secrets_name: |-
+            SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK:toptal-ci/SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK
+            SLACK_TEST_PUB_BOT_WEBHOOK:toptal-ci/SLACK_TEST_PUB_BOT_WEBHOOK
+
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/actions/expose-json-outputs@main
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - uses: toptal/slack-workflow-status@master
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          slack_webhook_url: ${{ steps.parse_secrets.outputs.SLACK_MARKETING_TOOLS_2_RELEASES_WEBHOOK }}
+          name: gha-bot
+          icon_url: https://avatars.slack-edge.com/2021-05-17/2068859221653_526c61e414df90dd67f7_192.png
+          include_jobs: on-failure
+          display_only_failed: true
+          include_commit_message: true
+
+  notify_slack_failure:
+    name: Notify failure status to Slack
+    runs-on: ubuntu-latest
+    if: (failure() || cancelled()) && github.ref == 'refs/heads/master' && github.event_name == 'push'
+    needs: [secrets_scan]
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+    steps:
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/actions/gsm-secrets@main
+        with:
+          workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
+          service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
+          secrets_name: |-
+            SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK:toptal-ci/SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK
+            SLACK_TEST_PUB_BOT_WEBHOOK:toptal-ci/SLACK_TEST_PUB_BOT_WEBHOOK
+
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/actions/expose-json-outputs@main
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - uses: toptal/slack-workflow-status@master
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          slack_webhook_url: ${{ steps.parse_secrets.outputs.SLACK_MARKETING_TOOLS_2_BULLHORN_WEBHOOK }}
+          name: gha-bot
+          icon_url: https://avatars.slack-edge.com/2021-05-17/2068859221653_526c61e414df90dd67f7_192.png
+          include_jobs: on-failure
+          display_only_failed: true
+          include_commit_message: true
+
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
@@ -6,7 +6,7 @@ on:
 jobs:
   specs:
     name: Secrets scan
-    runs-on: ubuntu-latest
+    runs-on: squad-growth-ubuntu2204-x64-standard
     permissions: write-all
     timeout-minutes: 10
     steps:
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -6,39 +6,6 @@ on:
   pull_request:
 
 jobs:
-  secrets_scan:
-    name: Secrets scan
-    runs-on: squad-growth-ubuntu2204-x64-standard
-    permissions: write-all
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Get the secrets from GSM
-        id: secrets_manager
-        uses: toptal/actions/gsm-secrets@v1.0.2
-        with:
-          workload_identity_provider: projects/858873486241/locations/global/workloadIdentityPools/gha-pool/providers/github-com
-          service_account: gha-keycodes@toptal-ci.iam.gserviceaccount.com
-          secrets_name: |-
-            SLACK_BOT_TOKEN:toptal-ci/SLACK_BOT_TOKEN
-
-      - name: Parse secrets
-        id: parse_secrets
-        uses: toptal/actions/expose-json-outputs@v1.0.2
-        with:
-          json: ${{ steps.secrets_manager.outputs.secrets }}
-
-      - name: Secrets Scan
-        uses: toptal/actions/secret-scanning-action@main
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          full-scan: true
-          slack-channel: -marketing-tools-2-releases
-          slack-token: ${{ steps.parse_secrets.outputs.SLACK_BOT_TOKEN }}
-
   # unit_tests:
   #   name: Unit tests
   #   runs-on: ubuntu-latest
