Workflow and action maintenance: working-directory, cmake-build skip logic, dependabot robustness, CodeQL suppression #434
Replace all uses of `cd "$GITHUB_WORKSPACE/$PATH"` at the start of
`run:` blocks with the idiomatic `working-directory:` step key. This
applies to:
- `.github/actions/build-cmake/action.yaml`: use `working-directory:
${{ inputs.build-path }}`; remove now-redundant `BUILD_PATH` and
unused `SOURCE_PATH` env vars.
- `.github/actions/configure-cmake/action.yaml`: same, remove `BUILD_PATH`
env var (keep `SOURCE_PATH` which is used to construct `SOURCE_DIR`).
- `.github/workflows/cmake-build.yaml`: apply to Run tests, Run Valgrind
tests, and Run Perfetto profiling steps; also fix a second bug introduced
during the rebase where `env.local_build_path` (a job-level env var that
was dropped when the workflow was refactored to use workflow-setup) was
still referenced in the Perfetto step and the Upload Perfetto traces
artifact paths — all replaced with `needs.setup.outputs.build_path`. The
now-redundant duplicate glob pattern in the artifact path list is also
removed (pftrace files are already matched by the `**/*.pftrace` pattern).
- `.github/workflows/clang-tidy-fix.yaml`: apply to Apply fixes, Generate
fixes, and Apply clang-tidy fixes steps; remove the pointless
`cd "$GITHUB_WORKSPACE"` from Prepare CMake configuration options
(the step performs only string manipulation, so the cwd is irrelevant).
For Apply fixes, the `find` search is updated to use an absolute path
since the working directory is now set to the checkout path.
- `.github/workflows/coverage.yaml`: apply to all six build-path steps.
The `PROFILE_ROOT` construction in Run tests with coverage is simplified
from `$GITHUB_WORKSPACE/$BUILD_PATH/test/profraw` to `$(pwd)/test/profraw`,
eliminating the need for the `BUILD_PATH` env var in that step.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Review the full CodeQL report for details.
@phlexbot yaml-fix
Automatic YAML formatter fixes pushed (commit 947dec9).
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #434 +/- ##
==========================================
- Coverage 84.43% 84.40% -0.04%
==========================================
Files 127 127
Lines 3329 3329
Branches 564 564
==========================================
- Hits 2811 2810 -1
Misses 325 325
- Partials 193 194 +1
Pull request overview
This PR focuses on GitHub Actions workflow quality-of-life improvements by standardizing directory handling (moving from cd to working-directory) and refining CMake build workflow skip/messaging behavior.
Changes:
- Replace `cd ...` patterns with `working-directory:` across workflows/composite actions.
- Adjust `cmake-build.yaml` relevance-based skip behavior and improve “skipped” messaging.
- Update build-matrix defaults/available combinations in the matrix generator.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/coverage.yaml | Uses working-directory and relative paths (pwd) for coverage steps. |
| .github/workflows/cmake-build.yaml | Adds relevance-aware gating for matrix/build and introduces an explicit “skipped” job + updated comment messaging. |
| .github/workflows/clang-tidy-fix.yaml | Removes cd usage and makes fix-artifact discovery path explicit. |
| .github/actions/run-change-detection/action.yaml | Adds justification + CodeQL suppression comment around checkout safety. |
| .github/actions/generate-build-matrix/generate_matrix.py | Changes default combinations and adds new perfetto combinations. |
| .github/actions/configure-cmake/action.yaml | Runs configuration directly in build dir via working-directory. |
| .github/actions/build-cmake/action.yaml | Runs builds directly in build dir via working-directory. |
Pull request overview
This PR performs maintenance updates across GitHub workflows and composite actions to make directory handling more declarative, improve CI skip behavior and messaging when no relevant changes are detected, harden Dependabot auto-merge against common failure modes, and suppress an inapposite CodeQL alert for a safe checkout pattern.
Changes:
- Replace `cd ...` patterns with `working-directory:` in several workflows/actions to simplify scripts and reduce reliance on intermediate env vars.
- Update `cmake-build.yaml` job gating so matrix generation/build is skipped when relevance detection finds no C++/CMake changes, and add a dedicated “skipped” notice job + clearer PR comment text.
- Improve `dependabot-auto-merge.yaml` robustness by auto-remediating a disabled “Allow auto-merge” setting and handling concurrent base-branch updates via `@dependabot rebase`.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/dependabot-auto-merge.yaml | Adds retry/self-heal logic for auto-merge enablement and handles base-branch race via Dependabot rebase. |
| .github/workflows/coverage.yaml | Uses working-directory and makes coverage paths relative to the build directory. |
| .github/workflows/cmake-build.yaml | Adds skip gating on relevance detection, emits a skip notice job, and improves skip messaging. |
| .github/workflows/clang-tidy-fix.yaml | Uses working-directory and adjusts artifact lookup paths accordingly. |
| .github/actions/run-change-detection/action.yaml | Adds a CodeQL suppression comment for checkout ref input in this composite action. |
| .github/actions/configure-cmake/action.yaml | Switches to working-directory and removes BUILD_PATH env usage. |
| .github/actions/build-cmake/action.yaml | Switches to working-directory and removes cd + unused env vars. |
Changes

Use `working-directory:` instead of `cd` in actions and workflows
Replace `cd "$GITHUB_WORKSPACE/$BUILD_PATH"` (via an env var) with a native `working-directory:` key in `configure-cmake`, `build-cmake`, `cmake-build`, `coverage`, and `clang-tidy-fix`. This removes the unnecessary `BUILD_PATH` env vars and makes the working directory intent explicit and declarative.

`cmake-build.yaml`: relevance-check skip logic and messaging
- `generate-matrix` and `build` jobs now gate on `inputs.skip-relevance-check || needs.setup.outputs.has_changes == 'true' || workflow_dispatch` so they are correctly skipped when no relevant changes are detected.
- `cmake-build-skipped` job that emits a `::notice::` annotation when the build is skipped due to no relevant changes, giving clear feedback in the Actions UI.
- `workflow_dispatch` help text: the default combination is `gcc/none`, not "all except clang/none and clang/valgrind".
- `build-complete` comment to say "No relevant C++ or CMake changes detected; build skipped" instead of the generic "Build job was skipped".

`dependabot-auto-merge.yaml`: robustness against two failure modes
- (`Auto merge is not allowed for this repository`): re-enable the `allow_auto_merge` repository setting via the API and retry once. This self-heals accidental toggling in the repository admin UI.
- (`Base branch was modified`): post `@dependabot rebase` and exit 0. The workflow re-triggers naturally via `check_suite:completed` once the rebased branch passes checks. With N concurrent Dependabot PRs this converges in N−1 rounds, each round merging one PR and rebasing the remainder.

`run-change-detection/action.yaml`: suppress inapposite CodeQL alert
Add a `# codeql[actions/pull-request-target-injection]` suppression directive with an explanatory comment on the `ref:` input. This action is never called from a `pull_request_target` workflow, and the empty sparse checkout (`sparse-checkout: ""`) prevents any file from being materialized on disk regardless.
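
The two Dependabot auto-merge failure modes described above, sketched as a shell function around the `gh` CLI. This is an added example, not the PR's workflow code: the function names, the status words it prints and the `--squash` merge method are assumptions, while the two error strings are the ones quoted in the description.

```bash
#!/usr/bin/env bash
# Added example (not the PR's workflow code). Function names, status words
# and the --squash merge method are assumptions; the two error strings are
# the ones quoted in the PR description.

# Request auto-merge for one PR; the caller captures stdout and stderr.
try_auto_merge() {
  gh pr merge --auto --squash "$1" 2>&1
}

# Prints one status word; returns 0 when the workflow step should succeed.
auto_merge_with_recovery() {
  am_pr="$1"
  if am_out=$(try_auto_merge "$am_pr"); then
    echo "queued"; return 0
  fi
  case "$am_out" in
    *"Auto merge is not allowed for this repository"*)
      # Failure mode 1: the repository setting was switched off.
      # Re-enable it through the REST API, then retry exactly once.
      if ! gh api --method PATCH 'repos/{owner}/{repo}' \
            -F allow_auto_merge=true >/dev/null; then
        echo "heal-failed"; return 1
      fi
      if am_out=$(try_auto_merge "$am_pr"); then
        echo "healed-and-queued"; return 0
      fi
      echo "retry-failed"; return 1 ;;
    *"Base branch was modified"*)
      # Failure mode 2: another PR merged first. Ask Dependabot to rebase
      # and succeed; the next check_suite completion re-runs the workflow.
      gh pr comment "$am_pr" --body "@dependabot rebase" >/dev/null
      echo "rebase-requested"; return 0 ;;
    *)
      # Unknown error: fail loudly instead of retrying blindly.
      printf 'unhandled: %s\n' "$am_out" >&2
      echo "unhandled"; return 1 ;;
  esac
}
```

The `PATCH` call needs a token with administration write access to the repository, which is broader than what merging a pull request requires.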