
ci: split CI pipeline workflows #46

Merged
willkill07 merged 5 commits into NVIDIA:main from willkill07:wkk_split-ci-workflows on May 3, 2026

Conversation

@willkill07
Member

@willkill07 willkill07 commented May 3, 2026

Summary

  • Split the monolithic CI reusable workflow into surface-specific reusable workflows.
  • Keep the top-level CI workflow as the orchestrator with a required aggregate gate for deploy and publish jobs.
  • Add a shared CI tool-version file plus a local composite action so split workflows can load versions without passing them through each caller.

Validation

  • uv run pre-commit run --files .github/ci-tool-versions.env .github/actions/load-ci-tool-versions/action.yml .github/workflows/ci.yaml .github/workflows/ci_changes.yml .github/workflows/ci_check.yml .github/workflows/ci_docs.yml .github/workflows/ci_go.yml .github/workflows/ci_node.yml .github/workflows/ci_python.yml .github/workflows/ci_rust.yml .github/workflows/ci_wasm.yml
  • go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/ci.yaml .github/workflows/ci_changes.yml .github/workflows/ci_check.yml .github/workflows/ci_docs.yml .github/workflows/ci_go.yml .github/workflows/ci_node.yml .github/workflows/ci_python.yml .github/workflows/ci_rust.yml .github/workflows/ci_wasm.yml
  • Ruby YAML parse check for workflow, action, and GitHub YAML files

Breaking Changes

  • None

Summary by CodeRabbit

  • Chores
    • Reorganized CI into modular, reusable workflows (Changes, Check, Documentation, Rust, Go, Node, Python, WebAssembly) replacing the prior monolithic pipeline for faster, targeted runs.
    • Centralized and pinned CI tool versions in a shared config and added a loader that validates and exposes those versions to workflows.
    • Added an aggregator gate enforcing required CI outcomes and updated publishing/docs flows to use the new gating and version loader.

Signed-off-by: Will Killian <wkillian@nvidia.com>
@coderabbitai

coderabbitai Bot commented May 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between ecf4b9d and 88272e3.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (4)
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/maintain-ci/SKILL.md)

.github/workflows/**/*.{yml,yaml}: Put permissions: on each job that needs token access in GitHub Actions workflows
Avoid workflow-level permissions unless the repository intentionally centralizes them and the inheritance tradeoff is documented
Keep third-party actions pinned to full commit SHAs and preserve the readable version comment after the SHA
Prefer action-native or ecosystem-native caching over generic actions/cache in GitHub Actions workflows
Use lockfiles or dependency manifests to drive cache invalidation in GitHub Actions workflows
Keep deploy and publish permissions isolated to the jobs that need them
Read both caller and callee when a workflow uses workflow_call in GitHub Actions
Put release-tag validation in the earliest practical caller job when the pipeline has tag-based publish behavior
Keep release-tag policy aligned with RELEASING.md: raw SemVer tags only, no leading v
contents: read is the default minimum for checkout-based build, test, docs, and packaging jobs
pull-requests: read is required for PR metadata lookup jobs in GitHub Actions workflows
pages: write and id-token: write should be limited to Pages deployment jobs and any caller that invokes them through a reusable workflow
For reusable workflows, the caller must grant every permission the called jobs require and the callee cannot elevate beyond what the caller provides
Prefer astral-sh/setup-uv cache support with cache-dependency-glob anchored to uv.lock for Python dependency caching
Prefer Swatinem/rust-cache with explicit shared-key and workspaces instead of ad hoc target-directory caching
Avoid caching generated outputs that can hide stale behavior unless the repo already relies on them deliberately
Ensure each job has the minimum permissions it needs during GitHub Actions CI review
Ensure reusable workflow callers grant only the scopes their callees require
Ensure every external action is pinned to a full SHA in GitHub Actions workflows
Ensure cache ...

Files:

  • .github/workflows/ci.yaml
{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

  • .github/workflows/ci.yaml
{.github/**/*.{yml,yaml},*.patch,scripts/**/*,*.sh,*.bat,Dockerfile*}

📄 CodeRabbit inference engine (.agents/skills/rename-surfaces/SKILL.md)

Update CI configuration, patch files, and build scripts with new functional identifiers after rename operations

Files:

  • .github/workflows/ci.yaml
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

  • .github/workflows/ci.yaml
🔇 Additional comments (3)
.github/workflows/ci.yaml (3)

213-214: Make ci_required tokenless.

This aggregate job only inspects needs.*.result in bash, so contents: read is still broader than required. Please drop it or set permissions: {}.

As per coding guidelines, "Ensure each job has the minimum permissions it needs during GitHub Actions CI review" and "contents: read is the default minimum for checkout-based build, test, docs, and packaging jobs."


46-58: Release-tag validation is in the right place.

Doing the raw-SemVer check in prepare fails bad tags before the reusable-workflow fan-out starts.

As per coding guidelines, "Put release-tag validation in the earliest practical caller job when the pipeline has tag-based publish behavior" and "Tag-triggered release workflows must fail early when a tag violates repo policy".


253-269: The publish gate now enforces producer completion.

Requiring docs/package producers to be success when the corresponding publish flag is true closes the skipped-producer path for deploy-docs and the package publish jobs.

As per coding guidelines, "Ensure concurrency, branch filters, and publish guards still reflect release intent in GitHub Actions workflows."


Walkthrough

Monolithic CI was split into reusable workflows (Changes, Check, Docs, Rust/Go/Node/Python/WASM). A composite action loads pinned tool-version envs and emits outputs. The main workflow orchestrates calls, gates results via an aggregator job, and publish jobs consume loaded tool versions.

Changes

CI Infrastructure Refactoring

Layer / File(s): Summary

  • Tool Version Pins (.github/ci-tool-versions.env): Adds SPDX header and pinned CI tool env vars (NEMO_FLOW_CI_*) for Go, default Python, Rust, Node, uv, just, wasm-pack, cargo-llvm-cov, cargo-nextest, cargo-deny, cargo-about.
  • Load Versions Action (implementation) (.github/actions/load-ci-tool-versions/action.yml): New composite action: sources .github/ci-tool-versions.env, validates required env vars, and writes each tool version to $GITHUB_OUTPUT (declares outputs like go_version, default_python_version, rust_version, node_version, uv_version, just_version, wasm_pack_version, cargo_llvm_cov_version, cargo_nextest_version, cargo_deny_version, cargo_about_version).
  • Change Detection / Base Resolution (.github/workflows/ci_changes.yml): New reusable Changes workflow (workflow_call) that resolves the comparison base (handles PR refs, SHAs, fallback to origin/<default_branch>), runs dorny/paths-filter with .github/ci-path-filters.yml, and exposes base plus run_* booleans.
  • Check Workflow (pre-commit) (.github/workflows/ci_check.yml): New reusable Check workflow: loads pinned versions, installs uv/Go/Node/Rust and managed Python, installs cargo-deny/cargo-about, and runs pre-commit either --all-files or --from-ref <base_ref> --to-ref HEAD after normalizing/computing the base.
  • Language & Docs Workflows (.github/workflows/ci_rust.yml, .github/workflows/ci_go.yml, .github/workflows/ci_node.yml, .github/workflows/ci_python.yml, .github/workflows/ci_wasm.yml, .github/workflows/ci_docs.yml): Add reusable workflows per domain: load pinned versions, set up toolchains (Rust/Go/Node/Python/wasm-pack/just/uv), run platform-matrix tests with coverage, package artifacts, and upload Codecov reports and Actions artifacts.
  • Main Orchestration / Gate (.github/workflows/ci.yaml): Refactors the main workflow to call reusable workflows, introduces the ci_required aggregator job enforcing success/skipped semantics, re-wires downstream jobs (pr-builder, deploy-docs, publish-rust, publish-python, publish-npm) to depend on ci_required, and updates publish jobs to obtain tool versions from the loader action.
  • Publish Jobs: dynamic tooling (.github/workflows/ci.yaml, publish-rust, publish-npm, publish-python sections): Publish jobs now call ./.github/actions/load-ci-tool-versions and consume its outputs to configure tool setup (Rust/uv/Python/Node/just); publish-rust changes working-directory to ${{ github.workspace }} for release steps.
  • Removed Monolith (.github/workflows/ci_pipe.yml, deleted): Removes the previous monolithic pipeline workflow and replaces it with the new set of reusable workflows and the aggregator gate.

Sequence Diagram

sequenceDiagram
    participant Orchestrator as ci.yaml
    participant Changes as ci_changes
    participant Check as ci_check
    participant Lang as ci_rust/ci_go/ci_node/ci_python/ci_wasm
    participant Docs as ci_docs
    participant Loader as load-ci-tool-versions
    participant Aggregator as ci_required
    participant Publisher as publish jobs
    participant Codecov as Codecov/Artifacts

    Orchestrator->>Changes: call (pr_info, ref_name, default_branch, full_ci)
    Changes-->>Orchestrator: return base + run_* flags
    Orchestrator->>Check: call (full_ci, base)
    Check-->>Orchestrator: return result
    Orchestrator->>Lang: call (ref_type, ref_name)
    Lang-->>Orchestrator: return results + artifacts
    Orchestrator->>Docs: call (ref_type, ref_name, publish_docs)
    Docs-->>Orchestrator: return result + docs artifact
    Orchestrator->>Aggregator: evaluate job results (success/skipped rules)
    Aggregator-->>Orchestrator: gating status
    Orchestrator->>Loader: run action to load tool versions (for publish)
    Loader-->>Publisher: outputs (node_version, rust_version, python_version, etc.)
    Orchestrator->>Publisher: trigger publish jobs (depends on ci_required)
    Publisher->>Codecov: upload coverage / upload artifacts

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: ✅ Passed. The title follows Conventional Commits format with type 'ci' and a concise imperative summary under 72 characters, clearly describing the main change.
  • Description check: ✅ Passed. The description provides a clear summary, implementation details, validation steps, and confirms no breaking changes. It addresses all key aspects though not in the exact template structure.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

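As an added illustration of the ci_required aggregate gate described in the Walkthrough above (this is not the project's ci.yaml), a stand-alone POSIX shell model of the gating rules, including the publish-aware producer rule. The job names, the <JOB>_RESULT variables and the PUBLISH_* flags are assumptions standing in for needs.<job>.result and the prepare job's outputs.

```shell
#!/bin/sh
# Added example, not the project's ci.yaml: a stand-alone model of the
# ci_required aggregate gate. Assumptions: each reusable workflow's outcome
# is in an env var <JOB>_RESULT holding a GitHub Actions job result
# (success, failure, cancelled, skipped), and PUBLISH_DOCS / PUBLISH_PACKAGES
# are "true" or "false". In the real job these come from needs.<job>.result
# and the prepare job's outputs.
set -u

failures=0

# A job that must have run and succeeded.
require_success() {
  if [ "$2" != "success" ]; then
    echo "::error::$1 must succeed (got '$2')" >&2
    failures=$((failures + 1))
  fi
}

# A job that path filtering may legitimately skip, but that must not have
# failed or been cancelled if it did run.
allow_success_or_skipped() {
  case "$2" in
    success|skipped) ;;
    *)
      echo "::error::$1 must succeed or be skipped (got '$2')" >&2
      failures=$((failures + 1))
      ;;
  esac
}

# A producer may only be skipped when nothing downstream consumes its
# artifact: once the matching publish flag is true, "skipped" is a failure.
# This is the skipped-producer path the review wants closed.
gate_producer() {
  if [ "$3" = "true" ]; then
    require_success "$1" "$2"
  else
    allow_success_or_skipped "$1" "$2"
  fi
}

# Evaluate the gate from the environment. Returns 0 when every rule holds,
# 1 otherwise; in the workflow a non-zero exit fails ci_required and every
# job that needs it (pr-builder, deploy-docs, publish-*) does not run.
evaluate_gate() {
  failures=0
  publish_docs="${PUBLISH_DOCS:-false}"
  publish_packages="${PUBLISH_PACKAGES:-false}"

  # Change detection always runs; the suites below it may be filtered out.
  require_success changes "${CHANGES_RESULT:-}"
  allow_success_or_skipped check "${CHECK_RESULT:-}"
  allow_success_or_skipped go "${GO_RESULT:-}"

  # Producers whose output a publish job consumes.
  gate_producer docs "${DOCS_RESULT:-}" "$publish_docs"
  gate_producer rust "${RUST_RESULT:-}" "$publish_packages"
  gate_producer python "${PYTHON_RESULT:-}" "$publish_packages"
  gate_producer node "${NODE_RESULT:-}" "$publish_packages"
  gate_producer webassembly "${WEBASSEMBLY_RESULT:-}" "$publish_packages"

  [ "$failures" -eq 0 ]
}

# Constructed scenario, run in a subshell so it leaves the environment
# untouched: packages are to be published but path filtering skipped the
# Python suite. With plain allow_success_or_skipped this would have passed.
(
  CHANGES_RESULT=success CHECK_RESULT=success GO_RESULT=skipped
  DOCS_RESULT=skipped RUST_RESULT=success PYTHON_RESULT=skipped
  NODE_RESULT=success WEBASSEMBLY_RESULT=success
  PUBLISH_DOCS=false PUBLISH_PACKAGES=true
  if evaluate_gate; then echo "gate: pass"; else echo "gate: fail"; fi
)
```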

@github-actions github-actions Bot added the size:XL PR is extra large label May 3, 2026
@willkill07 willkill07 self-assigned this May 3, 2026
@willkill07 willkill07 changed the title Split CI pipeline workflows ci: split CI pipeline workflows May 3, 2026
@github-actions github-actions Bot added the ci label May 3, 2026
@willkill07 willkill07 marked this pull request as ready for review May 3, 2026 04:04
@willkill07 willkill07 requested a review from a team as a code owner May 3, 2026 04:04

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci_changes.yml:
- Around line 68-89: The Resolve comparison base step (id: comparison-base)
currently falls back to GITHUB_REF on first push, causing empty diffs; add a
required workflow input default_branch and expose it to the step as an env var
(e.g. DEFAULT_BRANCH from inputs.default_branch), then change the fallback
branch assignment to use the origin of that default (set base to
origin/${DEFAULT_BRANCH} instead of GITHUB_REF) so dorny/paths-filter compares
against the real default branch; also update the caller workflow that invokes
ci_changes.yml to pass default_branch: ${{
github.event.repository.default_branch }}.

In @.github/workflows/ci_python.yml:
- Around line 216-220: When inputs.ref_type == "tag" validate inputs.ref_name
against a strict SemVer-without-leading-v pattern before assigning version; if
the tag does not match (e.g. non-numeric or leading "v") print an error and exit
non‑zero to fail the workflow early. Modify the tag branch that sets
version="${{ inputs.ref_name }}" to first run a regex check on ${{
inputs.ref_name }} and only set version when it passes, otherwise echo a clear
message and exit 1; keep the non-tag branch (version="${version}+${sha}")
unchanged.

In @.github/workflows/ci_wasm.yml:
- Around line 154-158: When inputs.ref_type is "tag" we must validate
inputs.ref_name is raw SemVer (no leading "v") before assigning version; add a
guard that tests inputs.ref_name against a SemVer-without-v regex and if it
fails print a clear error and exit non‑zero so the workflow fails fast. Put the
check immediately before or in the same branch that sets version="${{
inputs.ref_name }}" (the block referencing inputs.ref_type, inputs.ref_name,
version and sha) and ensure invalid tags abort the job rather than proceeding to
package.

In @.github/workflows/ci.yaml:
- Around line 97-108: The ci_changes reusable workflow is invoked even when
prepare emitted an empty pr_info (causing the callee's "Resolve comparison base"
step to fail); update the invocation so that when needs.prepare.outputs.pr_info
is empty you either force full_ci to true or provide an explicit fallback base
to the callee. Concretely, change the ci_changes call that sets pr_info and
full_ci (referenced as ci_changes, pr_info, full_ci) so it detects an empty
pr_info and: (a) sets full_ci to true when pr_info == '' OR (b) passes an
explicit fallback base parameter (e.g., a default base branch output from
prepare) into the reusable workflow so the Resolve comparison base step has a
valid value.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between c2c765e and 09fb72b.

📒 Files selected for processing (12)
  • .github/actions/load-ci-tool-versions/action.yml
  • .github/ci-tool-versions.env
  • .github/workflows/ci.yaml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_go.yml
  • .github/workflows/ci_node.yml
  • .github/workflows/ci_pipe.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci_wasm.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/ci_pipe.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (4)
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

  • .github/ci-tool-versions.env
  • .github/actions/load-ci-tool-versions/action.yml
  • .github/workflows/ci_go.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_wasm.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_node.yml
{.github/**/*.{yml,yaml},*.patch,scripts/**/*,*.sh,*.bat,Dockerfile*}

📄 CodeRabbit inference engine (.agents/skills/rename-surfaces/SKILL.md)

Update CI configuration, patch files, and build scripts with new functional identifiers after rename operations

Files:

  • .github/actions/load-ci-tool-versions/action.yml
  • .github/workflows/ci_go.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_wasm.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_node.yml
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/maintain-ci/SKILL.md)


Files:

  • .github/workflows/ci_go.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_wasm.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_node.yml
{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

  • .github/workflows/ci_go.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_wasm.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_node.yml

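Added example, not the project's workflow code: the raw-SemVer tag guard and package-version derivation that the review above asks ci_python.yml, ci_wasm.yml and ci_node.yml to perform, written as POSIX shell functions with a pattern that follows SemVer 2.0.0 (no leading zeros, `-` introduces prerelease, `+` introduces build metadata). It assumes the step receives ref_type, ref_name and the SHA through env rather than by interpolating them into the script, and that the caller picks the local-suffix separator (`+` for a PEP 440 local version, `-` for an npm prerelease).

```shell
#!/bin/sh
# Added example, not the project's workflow code: raw-SemVer tag validation
# and version derivation for the tag / non-tag branches the review discusses.
# Assumptions: inputs arrive as function arguments (from env: in the step),
# and the separator is chosen by the caller ("+" for Python, "-" for npm).

# SemVer 2.0.0: MAJOR.MINOR.PATCH without leading zeros, optional -prerelease
# (dot-separated identifiers; numeric ones without leading zeros) and optional
# +build metadata. A leading "v" is rejected because the pattern starts with a
# digit, and a fourth numeric component ("1.2.3.4") does not match.
SEMVER_RE='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*)(\.(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*))*)?([+][0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'

# is_raw_semver <string>: returns 0 for a raw SemVer version, 1 otherwise.
is_raw_semver() {
  printf '%s\n' "$1" | grep -Eq "$SEMVER_RE"
}

# derive_version <ref_type> <ref_name> <sha> <base_version> <separator>
# Prints the version to package. For a tag ref the tag itself is the version,
# but only after it passes the guard; any other ref gets <base><sep><sha8>.
# Returns 1 (after an error on stderr) so the calling step fails fast.
derive_version() {
  dv_ref_type="$1"; dv_ref_name="$2"; dv_sha="$3"; dv_base="$4"; dv_sep="$5"
  dv_short="$(printf '%s' "$dv_sha" | cut -c1-8)"
  if [ "$dv_ref_type" = "tag" ]; then
    if ! is_raw_semver "$dv_ref_name"; then
      printf "Error: invalid release tag '%s' (expected raw SemVer, no leading 'v')\n" \
        "$dv_ref_name" >&2
      return 1
    fi
    printf '%s\n' "$dv_ref_name"
  else
    printf '%s%s%s\n' "$dv_base" "$dv_sep" "$dv_short"
  fi
}

# Constructed demonstration values (the SHA is a placeholder, not a real commit).
derive_version branch wkk_split-ci-workflows abcdef0123456789 0.1.0 +
derive_version tag 1.2.3-rc.1 abcdef0123456789 0.1.0 +
derive_version tag v1.2.3 abcdef0123456789 0.1.0 + || echo "rejected as expected"
```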

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

♻️ Duplicate comments (3)
.github/workflows/ci_changes.yml (1)

8-21: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix first-push base fallback to avoid self-diff gating.

When github.event.before is the zero SHA, falling back to GITHUB_REF makes paths-filter compare the branch to itself, which can set all run_* outputs to false and skip required suites. Pass default_branch from the caller and fallback to origin/${DEFAULT_BRANCH} instead.

Suggested patch
 on:
   workflow_call:
     inputs:
+      default_branch:
+        description: 'The repository default branch from the triggering workflow'
+        required: true
+        type: string
       pr_info:
         description: 'The JSON string containing the PR information'
         required: true
@@
       - name: Resolve comparison base
         id: comparison-base
         if: ${{ ! inputs.full_ci }}
         env:
+          DEFAULT_BRANCH: ${{ inputs.default_branch }}
           EVENT_BEFORE: ${{ github.event.before }}
           PR_INFO: ${{ inputs.pr_info }}
           REF_NAME: ${{ inputs.ref_name }}
@@
           elif [[ -n "$EVENT_BEFORE" && "$EVENT_BEFORE" != "0000000000000000000000000000000000000000" ]]; then
             base="$EVENT_BEFORE"
           else
-            base="${GITHUB_REF}"
+            base="origin/${DEFAULT_BRANCH}"
           fi
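Review bot: the new fallback `base="origin/${DEFAULT_BRANCH}"` produces a remote-tracking name, unlike the SHA or event ref the other two branches of this if/elif produce; confirm that dorny/paths-filter accepts that form as `base` and that the ref actually exists in the checkout (a default shallow checkout fetches only the triggering ref), otherwise the first-push case fails in a new way instead of being fixed. `required: true` on the input only checks that the caller supplied it, not that it is non-empty, so add `[ -n "$DEFAULT_BRANCH" ] || { echo "default_branch input is empty" >&2; exit 1; }` before this block rather than letting an empty value yield `origin/`.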
# caller (.github/workflows/ci.yaml)
 jobs:
   ci_changes:
     uses: ./.github/workflows/ci_changes.yml
     with:
+      default_branch: ${{ github.event.repository.default_branch }}
       pr_info: ${{ needs.pr_metadata.outputs.pr_info }}
       ref_name: ${{ github.ref_name }}
       full_ci: ${{ inputs.full_ci }}
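Review bot: this caller hunk reads `pr_info: ${{ needs.pr_metadata.outputs.pr_info }}`, but the other comments in this review refer to the producing job as `prepare` (`needs.prepare.outputs.pr_info`); check the real job name before applying, since a `needs` key that does not exist fails workflow validation. For `default_branch: ${{ github.event.repository.default_branch }}`, if any trigger reaches this workflow without a `repository` object in its payload the expression is empty, which still satisfies `required: true`; `${{ github.event.repository.default_branch || 'main' }}` (main being this PR's base branch) keeps the callee's fallback well-formed.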

As per coding guidelines, "Read both caller and callee when a workflow uses workflow_call in GitHub Actions workflows."

In reusable GitHub Actions workflows (`workflow_call`), is `github.event.repository.default_branch` guaranteed to be available in the callee context, and what is the recommended fallback base for first-push zero-SHA diffs with `dorny/paths-filter`?

Also applies to: 68-88

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci_changes.yml around lines 8 - 21, Add a new
workflow_call input named default_branch and update the paths comparison
fallback logic so that when github.event.before is the zero SHA you use
origin/${{ inputs.default_branch }} instead of GITHUB_REF; specifically add
inputs.default_branch to the inputs block and change the base used by the
paths-filter step (or any step referencing github.event.before) to fall back to
origin/${{ inputs.default_branch }} to avoid self-diff gating—ensure the caller
passes default_branch into this reusable workflow.
.github/workflows/ci_wasm.yml (1)

154-158: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add raw-SemVer tag validation before deriving WASM package version.

For tag builds, validate inputs.ref_name (no leading v) before assigning version; abort on mismatch so packaging does not proceed with an invalid release version.

Suggested patch
           sha="${GITHUB_SHA::8}"
           if [ "${{ inputs.ref_type }}" = "tag" ]; then
-            version="${{ inputs.ref_name }}"
+            tag="${{ inputs.ref_name }}"
+            if [[ "$tag" == v* || ! "$tag" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
+              echo "Error: invalid release tag '$tag' (expected raw SemVer, no leading 'v')" >&2
+              exit 1
+            fi
+            version="$tag"
           else
             version="${version}-${sha}"
           fi
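Review bot: two things in the guard. The `"$tag" == v*` test is redundant because the regex is anchored on a leading digit, and `([.-][0-9A-Za-z.-]+)?` is looser than SemVer, which introduces a prerelease only with `-`: `1.2.3.4` passes as written, as do leading zeros such as `01.2.3`. Tighten to `(-[0-9A-Za-z.-]+)?` and `(0|[1-9][0-9]*)` components if the policy is really raw SemVer. Separately, `tag="${{ inputs.ref_name }}"` expands the tag name into the script source before the guard runs; pass it through `env:` (`REF_NAME: ${{ inputs.ref_name }}`) and read `"$REF_NAME"`, as the `Resolve comparison base` step in ci_changes.yml already does for its inputs, so validation sees the value rather than the shell seeing it as code.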

As per coding guidelines, "Tag-triggered release workflows must fail early when a tag violates repo policy" and "Keep release-tag policy aligned with RELEASING.md: raw SemVer tags only, no leading v."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci_wasm.yml around lines 154 - 158, When inputs.ref_type
equals "tag" validate inputs.ref_name matches a raw SemVer (no leading "v")
before assigning version: check inputs.ref_name against a SemVer regex (e.g.
major.minor.patch with optional prerelease/build) and if it does not match,
print an error mentioning inputs.ref_name and exit non‑zero to abort the
workflow; if it matches, assign version="${{ inputs.ref_name }}". Use the same
variables shown (inputs.ref_type, inputs.ref_name, version, sha) and perform the
check only in the tag branch so non‑tag builds keep the existing version
derivation.
.github/workflows/ci_python.yml (1)

216-220: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate tag format before using it as Python package version.

inputs.ref_name is used directly for tag builds. Add a raw-SemVer (no leading v) guard and fail early on mismatch.

Suggested patch
           sha="${GITHUB_SHA::8}"
           if [ "${{ inputs.ref_type }}" = "tag" ]; then
-            version="${{ inputs.ref_name }}"
+            tag="${{ inputs.ref_name }}"
+            if [[ "$tag" == v* || ! "$tag" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
+              echo "Error: invalid release tag '$tag' (expected raw SemVer, no leading 'v')" >&2
+              exit 1
+            fi
+            version="$tag"
           else
             version="${version}+${sha}"
           fi
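Review bot: this is the same regex and guard as the ci_wasm.yml hunk above, with the same `[.-]` looseness, and the prompt for ci_node.yml asks for a third copy; rather than duplicating it per language workflow, where the copies will drift, put the raw-SemVer check once in the earliest caller job, which the maintain-ci guideline listed earlier on this page ("Put release-tag validation in the earliest practical caller job when the pipeline has tag-based publish behavior") asks for, and let the reusable workflows assume a validated `ref_name`. Keep the non-tag branch's `+${sha}` as is: that is a PEP 440 local version segment, whereas the wasm workflow's `-${sha}` is an npm prerelease, so the two separators differ on purpose.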

As per coding guidelines, "Tag-triggered release workflows must fail early when a tag violates repo policy" and "Keep release-tag policy aligned with RELEASING.md: raw SemVer tags only, no leading v."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci_python.yml around lines 216 - 220, Add a raw-SemVer
guard when using inputs.ref_name for tag builds: in the block that checks if
inputs.ref_type == "tag" and sets version="${{ inputs.ref_name }}", validate
that inputs.ref_name matches a raw SemVer regex (e.g.
^[0-9]+\.[0-9]+\.[0-9]+(?:[-+][0-9A-Za-z.-]+)?$) and if it does not match, emit
an error and exit with non-zero status so the workflow fails early; keep the
existing behavior for non-tag refs where version is set to "${version}+${sha}"
and reference the variables ref_type, ref_name, version, and sha when
implementing the check.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci_node.yml:
- Around line 175-179: When building a tag release (when inputs.ref_type ==
"tag") validate inputs.ref_name is raw SemVer (no leading "v") before assigning
NEMO_FLOW_PACKAGE_VERSION: check inputs.ref_name against a strict SemVer regex
(e.g., major.minor.patch with optional prerelease/build) and if it fails, echo a
clear error and exit non‑zero to fail the workflow fast; only set version="${{
inputs.ref_name }}" (and export NEMO_FLOW_PACKAGE_VERSION) when the regex
passes, otherwise stop the job. Ensure this validation lives in the same
conditional branch that currently uses inputs.ref_type/inputs.ref_name and
affects the version variable and NEMO_FLOW_PACKAGE_VERSION export.

In @.github/workflows/ci_rust.yml:
- Around line 31-64: The job currently defines services.redis (and uses
redis_service_image) for every matrix entry, but Docker services are only
supported on Linux runners; split Redis tests into a separate Linux-only job
(e.g., "redis-tests") that uses runs-on/linux runner and includes services.redis
with redis_service_image and run_redis_tests: true in its matrix, and remove the
services.redis definition (and empty redis_service_image values) from the
cross-platform job so macOS and Windows matrix entries run without services;
ensure the original cross-platform job keeps its matrix for linux-amd64,
macos-arm64, windows-*, etc., but without services.redis and without relying on
run_redis_tests to start a service.

In @.github/workflows/ci.yaml:
- Around line 210-258: The CI gate currently allows DOCS_RESULT, RUST_RESULT,
GO_RESULT, NODE_RESULT, PYTHON_RESULT, and WEBASSEMBLY_RESULT to be "skipped"
via allow_success_or_skipped; change the run script to detect the publish flags
(publish_docs and publish_packages) and when publish_docs is true call
require_success for DOCS_RESULT, and when publish_packages is true call
require_success for the package producers (at minimum PYTHON_RESULT and
NODE_RESULT) instead of allow_success_or_skipped; keep allow_success_or_skipped
for those jobs only when the corresponding publish flag is false; update the
script logic around the require_success/allow_success_or_skipped calls (and use
the existing require_success and allow_success_or_skipped functions and the
DOCS_RESULT, PYTHON_RESULT, NODE_RESULT, publish_docs and publish_packages
variables) so deploy-docs/publish-python/publish-npm cannot proceed after a
skipped producer job.

---

Duplicate comments:
In @.github/workflows/ci_changes.yml:
- Around line 8-21: Add a new workflow_call input named default_branch and
update the paths comparison fallback logic so that when github.event.before is
the zero SHA you use origin/${{ inputs.default_branch }} instead of GITHUB_REF;
specifically add inputs.default_branch to the inputs block and change the base
used by the paths-filter step (or any step referencing github.event.before) to
fall back to origin/${{ inputs.default_branch }} to avoid self-diff
gating—ensure the caller passes default_branch into this reusable workflow.

In @.github/workflows/ci_python.yml:
- Around line 216-220: Add a raw-SemVer guard when using inputs.ref_name for tag
builds: in the block that checks if inputs.ref_type == "tag" and sets
version="${{ inputs.ref_name }}", validate that inputs.ref_name matches a raw
SemVer regex (e.g. ^[0-9]+\.[0-9]+\.[0-9]+(?:[-+][0-9A-Za-z.-]+)?$) and if it
does not match, emit an error and exit with non-zero status so the workflow
fails early; keep the existing behavior for non-tag refs where version is set to
"${version}+${sha}" and reference the variables ref_type, ref_name, version, and
sha when implementing the check.

In @.github/workflows/ci_wasm.yml:
- Around line 154-158: When inputs.ref_type equals "tag" validate
inputs.ref_name matches a raw SemVer (no leading "v") before assigning version:
check inputs.ref_name against a SemVer regex (e.g. major.minor.patch with
optional prerelease/build) and if it does not match, print an error mentioning
inputs.ref_name and exit non‑zero to abort the workflow; if it matches, assign
version="${{ inputs.ref_name }}". Use the same variables shown (inputs.ref_type,
inputs.ref_name, version, sha) and perform the check only in the tag branch so
non‑tag builds keep the existing version derivation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: bc2cf35a-7c9d-4500-a4f2-83a4261e0d86

📥 Commits

Reviewing files that changed from the base of the PR and between 09fb72b and b24edb3.

📒 Files selected for processing (9)
  • .github/workflows/ci.yaml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_go.yml
  • .github/workflows/ci_node.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci_wasm.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (4)
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/maintain-ci/SKILL.md)

.github/workflows/**/*.{yml,yaml}: Put permissions: on each job that needs token access in GitHub Actions workflows
Avoid workflow-level permissions unless the repository intentionally centralizes them and the inheritance tradeoff is documented
Keep third-party actions pinned to full commit SHAs and preserve the readable version comment after the SHA
Prefer action-native or ecosystem-native caching over generic actions/cache in GitHub Actions workflows
Use lockfiles or dependency manifests to drive cache invalidation in GitHub Actions workflows
Keep deploy and publish permissions isolated to the jobs that need them
Read both caller and callee when a workflow uses workflow_call in GitHub Actions
Put release-tag validation in the earliest practical caller job when the pipeline has tag-based publish behavior
Keep release-tag policy aligned with RELEASING.md: raw SemVer tags only, no leading v
contents: read is the default minimum for checkout-based build, test, docs, and packaging jobs
pull-requests: read is required for PR metadata lookup jobs in GitHub Actions workflows
pages: write and id-token: write should be limited to Pages deployment jobs and any caller that invokes them through a reusable workflow
For reusable workflows, the caller must grant every permission the called jobs require and the callee cannot elevate beyond what the caller provides
Prefer astral-sh/setup-uv cache support with cache-dependency-glob anchored to uv.lock for Python dependency caching
Prefer Swatinem/rust-cache with explicit shared-key and workspaces instead of ad hoc target-directory caching
Avoid caching generated outputs that can hide stale behavior unless the repo already relies on them deliberately
Ensure each job has the minimum permissions it needs during GitHub Actions CI review
Ensure reusable workflow callers grant only the scopes their callees require
Ensure every external action is pinned to a full SHA in GitHub Actions workflows
Ensure cache ...

Files:

  • .github/workflows/ci_go.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci_node.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_wasm.yml
{.github/workflows/**/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Keep CI workflow package name references consistent with local package configurations

Files:

  • .github/workflows/ci_go.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci_node.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_wasm.yml
{.github/**/*.{yml,yaml},*.patch,scripts/**/*,*.sh,*.bat,Dockerfile*}

📄 CodeRabbit inference engine (.agents/skills/rename-surfaces/SKILL.md)

Update CI configuration, patch files, and build scripts with new functional identifiers after rename operations

Files:

  • .github/workflows/ci_go.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci_node.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_wasm.yml
{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

  • .github/workflows/ci_go.yml
  • .github/workflows/ci_rust.yml
  • .github/workflows/ci_node.yml
  • .github/workflows/ci_docs.yml
  • .github/workflows/ci_changes.yml
  • .github/workflows/ci_python.yml
  • .github/workflows/ci_check.yml
  • .github/workflows/ci.yaml
  • .github/workflows/ci_wasm.yml
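The publish-aware aggregate gate the ci.yaml comment above asks for, as an added shell example rather than the PR's own ci_required step: the `*_RESULT` variables stand in for the `needs.<job>.result` values the gate reads, `PUBLISH_DOCS`/`PUBLISH_PACKAGES` stand in for the `publish_docs`/`publish_packages` flags, and the always-required `CHECK_RESULT` (mapped to the ci_check.yml job) is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own ci_required step. *_RESULT variables stand
# in for the needs.<job>.result values the gate reads; PUBLISH_DOCS and
# PUBLISH_PACKAGES stand in for the publish_docs/publish_packages flags.
# CHECK_RESULT (assumed to map to the ci_check.yml job) is always required.

gate_failed=0

# Fail the gate unless the job succeeded.
require_success() {              # $1 = job label, $2 = its result
  if [ "$2" != "success" ]; then
    echo "::error::$1 must succeed (got '$2')"
    gate_failed=1
  fi
}

# Accept success or skipped (a surface with no changes is fine to skip).
allow_success_or_skipped() {     # $1 = job label, $2 = its result
  case "$2" in
    success|skipped) ;;
    *) echo "::error::$1 must succeed or be skipped (got '$2')"; gate_failed=1 ;;
  esac
}

# A producer may be skipped only when nothing downstream will publish it.
producer() {                     # $1 = label, $2 = result, $3 = publish flag
  if [ "$3" = "true" ]; then require_success "$1" "$2"; else allow_success_or_skipped "$1" "$2"; fi
}

# Returns 0 when deploy-docs/publish-python/publish-npm may proceed.
ci_gate() {
  gate_failed=0
  require_success "check" "${CHECK_RESULT:-skipped}"
  producer "docs"   "${DOCS_RESULT:-skipped}"   "${PUBLISH_DOCS:-false}"
  producer "python" "${PYTHON_RESULT:-skipped}" "${PUBLISH_PACKAGES:-false}"
  producer "node"   "${NODE_RESULT:-skipped}"   "${PUBLISH_PACKAGES:-false}"
  allow_success_or_skipped "rust"        "${RUST_RESULT:-skipped}"
  allow_success_or_skipped "go"          "${GO_RESULT:-skipped}"
  allow_success_or_skipped "webassembly" "${WEBASSEMBLY_RESULT:-skipped}"
  return "$gate_failed"
}

# Constructed sample run: docs skipped but not published, packages published
# and both producers green, so the gate opens.
( export CHECK_RESULT=success DOCS_RESULT=skipped PUBLISH_DOCS=false \
         PUBLISH_PACKAGES=true PYTHON_RESULT=success NODE_RESULT=success
  ci_gate ) && echo "gate open"
```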


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 213-214: The job ci_required is granting unnecessary repository
read scope via the permissions: contents: read entry; remove that key (or
replace it with an empty permissions: {} mapping) in the ci_required job so the
job runs with no token scopes (minimum permissions) instead of granting
contents: read. Locate the permissions block under the ci_required job and
either delete the permissions: contents: read stanza or set permissions: {}.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: faf7f173-7147-465f-a2f3-7f28b6699b89

📥 Commits

Reviewing files that changed from the base of the PR and between b24edb3 and ecf4b9d.

📒 Files selected for processing (2)
  • .github/workflows/ci.yaml
  • .github/workflows/ci_changes.yml
📜 Review details
🔇 Additional comments (2)
.github/workflows/ci_changes.yml (1)

72-95: Comparison-base fallback is correctly hardened.

Line 88 and Line 93 now consistently fall back to origin/${DEFAULT_BRANCH}, which avoids self-diff/empty-diff behavior on first-push and missing-PR-info paths.

.github/workflows/ci.yaml (1)

46-58: Release-tag validation is placed in the right early gate.

Running format validation in prepare prevents invalid tags from reaching publish stages and keeps release policy enforcement centralized.
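The raw-SemVer tag guard requested for ci_python.yml and ci_wasm.yml, and the early validation noted for the prepare gate, as an added shell example that is not the PR's own step: `REF_TYPE`/`REF_NAME`/`BASE_VERSION`/`SHA` positional values stand in for `inputs.ref_type`, `inputs.ref_name`, `version` and `sha`, and the regex is the one suggested in the review translated to POSIX ERE.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own workflow step: derive the package version
# the way the reviewed ci_python.yml / ci_wasm.yml steps do (tag -> raw
# SemVer, otherwise <version>+<sha>) but refuse tags that are not raw SemVer
# (no leading "v"), matching the RELEASING.md policy quoted in the review.
# Arguments stand in for inputs.ref_type, inputs.ref_name, version and sha.

# POSIX ERE form of the review's regex; ERE has no (?:...), so a plain group
# is used. Allows one optional -prerelease or +build suffix.
SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$'

is_raw_semver() {
  printf '%s\n' "$1" | grep -Eq "$SEMVER_RE"
}

# Prints the version to use and returns 0; returns 1 (with a GitHub ::error::
# annotation on stderr) when a tag build carries an invalid tag.
derive_version() {               # $1 ref_type, $2 ref_name, $3 base version, $4 sha
  ref_type=$1; ref_name=$2; base_version=$3; sha=$4
  if [ "$ref_type" = "tag" ]; then
    if ! is_raw_semver "$ref_name"; then
      echo "::error::tag '$ref_name' is not a raw SemVer version (expected e.g. 1.2.3, no leading v)" >&2
      return 1
    fi
    printf '%s\n' "$ref_name"
  else
    printf '%s+%s\n' "$base_version" "$sha"
  fi
}

# Constructed sample invocation (values are made up): a tag build of 0.2.0.
# In a real step this export would feed NEMO_FLOW_PACKAGE_VERSION via GITHUB_ENV.
if version=$(derive_version tag 0.2.0 0.0.0 deadbeef); then
  echo "NEMO_FLOW_PACKAGE_VERSION=$version" >> "${GITHUB_ENV:-/dev/null}"
  echo "using version $version"
fi
```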

Signed-off-by: Will Killian <wkillian@nvidia.com>
@willkill07 willkill07 merged commit 6b04c28 into NVIDIA:main May 3, 2026
52 checks passed
@willkill07 willkill07 deleted the wkk_split-ci-workflows branch May 3, 2026 04:55
@willkill07 willkill07 added this to the 0.2.0 milestone May 3, 2026
@willkill07 willkill07 added the Maintenance CI or Build or general repository maintenance label May 12, 2026
Labels: Maintenance (CI or Build or general repository maintenance), size:XL (PR is extra large)
