fix: resolve CI workflow startup and configuration failures

[williaby]

Summary

Fixes multiple critical issues in reusable workflows causing startup failures and execution errors in downstream projects (identified in rag-processor#3).

Issues Resolved

1. FIPS Compatibility - Invalid setup-uv SHA ✅

File: .github/workflows/python-fips-compatibility.yml

• Problem: Invalid SHA reference 1e862dfacbd1d6d858c55d9b792c756523627244 causing "action could not be found" error
• Fix: Updated to stable version tag v5.1.1
• Impact: FIPS compatibility workflow now starts successfully

2. Python Compatibility - Multiline JSON Output Bug ✅

File: .github/workflows/python-compatibility.yml

• Problem: Multiline JSON output breaks $GITHUB_OUTPUT parsing with "Invalid format" error
• Fix: Added -c flag to jq for compact single-line JSON output
• Impact: Matrix generation succeeds without format errors

3. ClusterFuzzLite - Invalid Action SHA ✅

File: .github/workflows/python-fuzzing.yml

• Problem: Invalid SHA 884713a6c30a92e5e8544c39945cd7cb630abcd1 for 3 ClusterFuzzLite actions
• Fix: Updated all references to stable @v1 tag
• Impact: Fuzzing workflow starts successfully

4. SonarCloud - Missing Token Handling ✅

File: .github/workflows/python-ci.yml

• Problem: Job executes even when SONAR_TOKEN secret is missing, causing execution failure
• Fix: Added token check to job condition: if: inputs.enable-sonarcloud && secrets.SONAR_TOKEN != ''
• Impact: Analysis gracefully skips when token not configured

Testing

Validated against failure scenarios from rag-processor#3:

• Run ID 20148614888: FIPS workflow startup failure
• Run ID 20148614958: Compatibility matrix format error
• Run ID 20148614891: ClusterFuzzLite startup failure
• Run ID 20148614860: SonarCloud execution failure

Files Changed

• .github/workflows/python-ci.yml (SonarCloud token check)
• .github/workflows/python-compatibility.yml (compact JSON output)
• .github/workflows/python-fips-compatibility.yml (setup-uv version)
• .github/workflows/python-fuzzing.yml (ClusterFuzzLite versions)

Impact on Downstream Projects

All projects using these reusable workflows will benefit:

• ✅ No more startup failures from invalid action SHAs
• ✅ Matrix workflows execute without JSON parsing errors
• ✅ Optional integrations (SonarCloud) skip gracefully when not configured
• ✅ Reduced CI failure noise from infrastructure issues

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Enhanced CI/CD workflow security by adding token validation requirements for sensitive operations.
  • Upgraded workflow automation actions to stable release versions for improved reliability.
  • Optimized workflow configuration output formatting.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

GitHub Actions workflow configuration updates across four Python CI/CD pipelines. Changes include: adding a conditional guard for SonarCloud token validation, reformatting matrix JSON output for compatibility, updating action version pinning from commit SHAs to stable release tags, and upgrading a reusable action reference.

Changes

Cohort / File(s)	Summary
SonarCloud Guard Condition .github/workflows/python-ci.yml	Added requirement that SonarCloud Quality Gate job only runs when enable-sonarcloud is true AND the SONAR_TOKEN secret is non-empty
Matrix JSON Formatting .github/workflows/python-compatibility.yml	Changed matrix generation command from jq -n to jq -c -n to output compact single-line JSON representation
Action Version Pinning .github/workflows/python-fips-compatibility.yml, .github/workflows/python-fuzzing.yml	Updated action references: setup-uv from commit hash to v5.1.1; ClusterFuzzLite actions (build_fuzzers, run_fuzzers, prune) from commit SHAs to stable v1 tag

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

• Action version updates: Verify v5.1.1 and v1 tags are compatible and intended upgrades
• Conditional logic: Confirm SONAR_TOKEN check aligns with secret management practices
• Matrix JSON command: Validate that compact format doesn't affect downstream job matrix consumption

Possibly related PRs

• feat: add FIPS compatibility reusable workflow #4: Modifies .github/workflows/python-fips-compatibility.yml with related action pinning updates

Poem

🐰 Workflows are hopping with updates today,
Version tags and tokens leading the way,
From commit hashes to v1 we spring,
Tightened conditions and JSON that sings!
A rabbit's delight—CI pipelines aligned!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main changes: fixing CI workflow startup and configuration failures across multiple workflow files.
Description check	✅ Passed	The description is comprehensive and follows the template structure with clear sections: Summary, Issues Resolved, Testing, Files Changed, and Impact. All required information is present and well-documented.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/ci-workflow-issues

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 21c068c and 1f83eb7.

📒 Files selected for processing (4)

• .github/workflows/python-ci.yml (1 hunks)
• .github/workflows/python-compatibility.yml (1 hunks)
• .github/workflows/python-fips-compatibility.yml (2 hunks)
• .github/workflows/python-fuzzing.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.9)

.github/workflows/python-ci.yml

413-413: context "secrets" is not allowed here. available contexts are "github", "inputs", "needs", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

🔇 Additional comments (2)

.github/workflows/python-compatibility.yml (1)

130-134: ✓ Fix multiline JSON parsing via jq compact output.

Adding the -c flag to jq forces single-line JSON output, resolving the GITHUB_OUTPUT parsing failure caused by multiline JSON. This is the correct fix for the stated issue and maintains functional equivalence.

.github/workflows/python-fuzzing.yml (1)

181-181: ✓ Stable action pin update for ClusterFuzzLite actions.

All three google/clusterfuzzlite action references (build_fuzzers, run_fuzzers, prune) are updated from invalid commit SHAs to the stable @v1 tag, resolving "action could not be found" errors. The @v1 tags are confirmed available and appropriate for these stable releases.

Also applies to: 189-189, 198-198

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GitHub Actions secrets context job-level if condition availability

💡 Result:

Short answer: You cannot use the secrets context directly in a job-level if. The only contexts allowed at jobs.<job_id>.if are (for example) github, needs, vars, inputs — not secrets. GitHub's docs explicitly say secrets cannot be used in if conditionals and recommend using env/job env + step-level if or other contexts. You can, however, check github.secret_source at the job if-level to detect whether secrets are available (e.g., github.secret_source == 'Actions'). [1][2][3]

Sources:

• Contexts reference (shows allowed contexts at jobs.<job_id>.if). [1]
• Using secrets in GitHub Actions (states secrets cannot be used in if conditionals; suggests alternatives). [2]
• Community note / example showing github.secret_source for detecting secret availability. [3]

---

🌐 Web query:

GitHub Actions contexts which contexts available job level if condition

💡 Result:

At the job-level if (jobs.<job_id>.if) you can use these contexts: github, needs, vars, and inputs. [1][2]

Sources:

• GitHub contexts reference (context availability). [1]
• Community confirmation / example (Stack Overflow). [2]

---

⛔ Job-level condition cannot reference secrets context.

GitHub Actions restricts context availability at the job level to: github, inputs, needs, and vars. The secrets context is only available within step-level env or with parameters. This condition will fail to evaluate correctly.

To fix this, move the token check into a step-level condition (preferred):

  sonarcloud-quality-gate:
    name: SonarCloud Quality Gate
    runs-on: ubuntu-latest
    needs: [quality-checks]
-   if: inputs.enable-sonarcloud && secrets.SONAR_TOKEN != ''
+   if: inputs.enable-sonarcloud
    timeout-minutes: 15
    
    steps:
      # ... earlier steps ...
      
      - name: SonarCloud Scan
+       if: secrets.SONAR_TOKEN != ''
        uses: SonarSource/sonarcloud-github-action@ffc3010689be73b8e5ae0c57ce35968afd7909e8  # v5.0.0

Reference: GitHub Actions context availability.

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 actionlint (1.7.9)

413-413: context "secrets" is not allowed here. available contexts are "github", "inputs", "needs", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

🤖 Prompt for AI Agents

.github/workflows/python-ci.yml around line 413: the job-level if uses
secrets.SONAR_TOKEN which is not available at job level; move the secrets check
into a step-level condition or use an input/var at job level. Update the job to
only use inputs or vars in its if (e.g., keep if: inputs.enable-sonarcloud) and
add a conditional on secrets.SONAR_TOKEN on the step that needs it (or set a
job/step env from secrets and check that env in the step if needed), ensuring
the token check runs at step level where secrets context is allowed.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

astral-sh/setup-uv v5.1.1 release

💡 Result:

Do you want the v5.1.1 release notes, download link (GitHub tag), or help upgrading/using astral-sh/setup-uv@v5.1.1?

---

🌐 Web query:

astral-sh/setup-uv GitHub releases tags versions

💡 Result:

Here are the recent GitHub release tags for astral-sh/setup-uv (with dates shown on the releases page):

• v7.1.4 — 21 Nov 2025. [1]
• v7.1.2 — (November 2025). [1]
• v7.1.1 — 19 Oct 2025. [1]
• v7.1.0 — 12 Oct 2025. [1]
• v7.0.0 — (Sep/Oct 2025). [1]
• v6.8.0, v6.7.0, v6.6.1, v6.6.0, ... — (earlier 2025). [1]

Source: astral-sh/setup-uv Releases page on GitHub. [1]

Reference
[1] https://github.com/astral-sh/setup-uv/releases

---

🌐 Web query:

astral-sh/setup-uv v5.1.1 release date

💡 Result:

I can look that up — do you want the GitHub release date for astral-sh/setup-uv v5.1.1?

---

Update setup-uv action to current stable release.

The setup-uv action pin should be updated from v5.1.1 to the current stable release v7.1.4 (released 21 Nov 2025). v5.1.1 is over two major versions behind and missing critical updates and improvements from v6.x and v7.x releases. While v5.1.1 is a valid tag, pinning to an outdated release introduces technical debt and potential compatibility issues.

Also applies to: 343-343

🤖 Prompt for AI Agents

.github/workflows/python-fips-compatibility.yml lines 101 and 343: the workflow
pins the astral-sh/setup-uv action to an outdated tag v5.1.1; update both
occurrences to the current stable release v7.1.4, keeping the same uses: syntax
(uses: astral-sh/setup-uv@v7.1.4) so the workflow benefits from fixes and
improvements in v6.x/v7.x.