6 changes: 3 additions & 3 deletions .github/workflows/docs-lint.yml
@@ -13,18 +13,18 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup Node.js
uses: actions/setup-node@v6
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
Comment on lines +16 to +19
⚠️ Potential issue | 🟠 Major

Add explicit least-privilege permissions for this workflow.

This workflow does not scope GITHUB_TOKEN permissions explicitly. Add a minimal permissions block (contents: read) at workflow or job level.

Proposed minimal permission scope
 name: Docs Lint
 
 on:
   pull_request:
     paths:
       - 'docs/**'
+
+permissions:
+  contents: read
 
 jobs:
   lint:
     name: Lint Documentation
As per coding guidelines, "Pin action versions to SHA. Verify secrets are not exposed and permissions are scoped."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docs-lint.yml around lines 16 - 19, add an explicit
least-privilege permissions block for the workflow (or specific job) so
GITHUB_TOKEN is scoped; update the workflow containing uses: actions/checkout
and uses: actions/setup-node to include a permissions: block with at minimum
contents: read at the top level of the workflow or inside the job that runs
these actions to ensure the token cannot write by default.

with:
node-version: '22'
cache: 'npm'
cache-dependency-path: docs/package-lock.json

- name: Install Vale
run: |
curl -sfL https://github.com/errata-ai/vale/releases/download/v3.12.1/vale_3.12.1_Linux_64-bit.tar.gz | tar xz -C /usr/local/bin vale
curl -sfL https://github.com/errata-ai/vale/releases/download/v3.14.1/vale_3.14.1_Linux_64-bit.tar.gz | tar xz -C /usr/local/bin vale
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

fd -type f -name "docs-lint.yml" .github/workflows/

Repository: ambient-code/platform

Length of output: 235


🏁 Script executed:

cat -n .github/workflows/docs-lint.yml | sed -n '20,35p'

Repository: ambient-code/platform

Length of output: 640


🌐 Web query:

Vale errata-ai releases checksum SHA verification GitHub

💡 Result:

Vale (from Errata AI) provides SHA-256 checksums for verifying downloaded release binaries on GitHub at https://github.com/errata-ai/vale/releases. Each release includes a vale_{version}_checksums.txt file listing SHA-256 hashes for all platform-specific archives (e.g., Linux, macOS, Windows tar.gz/zip files). To verify: 1. Download the desired release assets from a tag page, e.g., https://github.com/errata-ai/vale/releases/tag/v3.13.1 2. Download vale_3.13.1_checksums.txt 3. Run: sha256sum -c vale_3.13.1_checksums.txt (Linux/macOS) or equivalent on Windows (e.g., certutil -hashfile). Releases are GPG-signed commits (e.g., key ID B44A6E0381723797). Official docs recommend binary downloads but do not explicitly detail checksum verification steps; it follows standard GitHub practices. No separate PGP-signed binaries or Cosign noted.

Add checksum verification for Vale binary.

curl | tar downloads and extracts without integrity validation. Vale releases include SHA-256 checksums at vale_3.14.1_checksums.txt—use them to verify the archive before extraction.

Recommended pattern
     - name: Install Vale
       run: |
-        curl -sfL https://github.com/errata-ai/vale/releases/download/v3.14.1/vale_3.14.1_Linux_64-bit.tar.gz | tar xz -C /usr/local/bin vale
+        VALE_VERSION="3.14.1"
+        VALE_TGZ="/tmp/vale_${VALE_VERSION}_Linux_64-bit.tar.gz"
+        VALE_URL="https://github.com/errata-ai/vale/releases/download/v${VALE_VERSION}/vale_${VALE_VERSION}_Linux_64-bit.tar.gz"
+        curl -fsSL -o "${VALE_TGZ}" "${VALE_URL}"
+        curl -fsSL "https://github.com/errata-ai/vale/releases/download/v${VALE_VERSION}/vale_${VALE_VERSION}_checksums.txt" | grep "Linux_64-bit.tar.gz" | sha256sum -c -
+        tar -xzf "${VALE_TGZ}" -C /usr/local/bin vale
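Review bot: The `sha256sum -c -` line in this suggestion fails as written: the archive is saved to `/tmp/vale_${VALE_VERSION}_Linux_64-bit.tar.gz`, but the checksums file lists the bare name `vale_3.14.1_Linux_64-bit.tar.gz`, which `sha256sum -c` resolves relative to the current directory (the workspace), so it reports the file as unreadable and the step exits non-zero even when the archive is intact. Either download the archive into the working directory or run the verification from `/tmp`, e.g. `(cd /tmp && curl -fsSL "…/vale_${VALE_VERSION}_checksums.txt" | grep "Linux_64-bit.tar.gz" | sha256sum -c -)`, and keep the `tar -xzf "${VALE_TGZ}"` step after the check so extraction only happens on a match.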
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docs-lint.yml at line 27, the workflow step that runs
"curl -sfL
https://github.com/errata-ai/vale/releases/download/v3.14.1/vale_3.14.1_Linux_64-bit.tar.gz
| tar xz -C /usr/local/bin vale" lacks integrity checks; change it to first
download both the archive and the corresponding checksum file
"vale_3.14.1_checksums.txt", compute/verify the SHA-256 checksum (e.g., with
sha256sum -c or by comparing sha256sum output) against the expected entry in the
checksum file, and only call tar xz -C /usr/local/bin vale after the checksum
verification succeeds, failing the job if the checksum does not match.


- name: Install npm tools
run: npm install -g markdownlint-cli2 cspell
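Review bot: The Vale bump on the `run:` line still pipes `curl -sfL … | tar xz -C /usr/local/bin vale` straight into `tar` with no integrity check, so the step installs whatever the download endpoint returns; fetch the archive to a file, check it against the `vale_3.14.1_checksums.txt` published with that release, and extract only after the check passes. Two smaller points in the same hunk: the `uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6` comment names only the major version, unlike `# v6.0.2` on checkout; record the exact release tag the SHA corresponds to so the pin can be audited and updated by tooling. And the workflow header is outside this hunk, but the inline finding above reports no `permissions:` block, so a top-level `permissions: contents: read` should land in this PR alongside the SHA pins.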
165 changes: 102 additions & 63 deletions .github/workflows/e2e.yml
@@ -9,6 +9,13 @@ on:
push:
branches: [ main ]

env:
KIND_VERSION: "v0.27.0"

permissions:
contents: read
actions: write

concurrency:
group: e2e-tests-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
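Review bot: `actions: write` in the new top-level `permissions:` block grants every job in this workflow the ability to manage workflow runs and caches, which is more than `contents: read` plus the `concurrency:` / `cancel-in-progress: true` setting requires (cancellation is a workflow-level feature and does not use the token). If one job genuinely needs it, for example to delete caches, move `actions: write` into that job's own `permissions:` block with a comment stating why, and leave the workflow default at `contents: read`.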
@@ -26,12 +33,12 @@ jobs:
claude-runner: ${{ steps.filter.outputs.claude-runner }}
steps:
- name: Checkout PR code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Check for component changes
uses: dorny/paths-filter@v4
uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
id: filter
with:
filters: |
@@ -54,12 +61,12 @@ jobs:

steps:
- name: Checkout PR code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Cleanup Diskspace
uses: kubeflow/pipelines/.github/actions/github-disk-cleanup@master
uses: kubeflow/pipelines/.github/actions/github-disk-cleanup@ab1231a5c32c688bcb62314e467011b586aee796 # master
if: (!cancelled())

- name: Validate AGENTS.md symlink
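Review bot: `uses: kubeflow/pipelines/.github/actions/github-disk-cleanup@ab1231a5c32c688bcb62314e467011b586aee796 # master` pins to a commit taken from a moving branch rather than a release, so the `# master` comment gives a future reader, and Dependabot/Renovate, which key version updates off that comment, nothing to compare against. Record the commit date or a short description in the comment, or vendor the cleanup step into this repository so the job does not depend on a third-party repository for disk housekeeping at all.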
@@ -72,7 +79,7 @@ jobs:
echo "✅ AGENTS.md symlink is valid"

- name: Set up Node.js
uses: actions/setup-node@v6
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: '20'
cache: 'npm'
@@ -83,74 +90,106 @@ jobs:
run: npm ci

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
with:
driver-opts: network=host

- name: Build component images from PR code
- name: Build or pull frontend image
if: needs.detect-changes.outputs.frontend == 'true'
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: components/frontend
file: components/frontend/Dockerfile
load: true
tags: quay.io/ambient_code/vteam_frontend:e2e-test
cache-from: |
type=gha,scope=frontend-amd64
type=gha,scope=e2e-frontend
cache-to: type=gha,mode=max,scope=e2e-frontend

- name: Pull frontend latest (unchanged)
if: needs.detect-changes.outputs.frontend != 'true'
run: |
echo "======================================"
echo "Building images from PR code..."
echo "PR #${{ github.event.pull_request.number }}"
echo "SHA: ${{ github.event.pull_request.head.sha }}"
echo "======================================"
docker pull quay.io/ambient_code/vteam_frontend:latest
docker tag quay.io/ambient_code/vteam_frontend:latest quay.io/ambient_code/vteam_frontend:e2e-test

# Build frontend image (if changed or use latest)
if [ "${{ needs.detect-changes.outputs.frontend }}" == "true" ]; then
echo "Building frontend (changed)..."
docker build -t quay.io/ambient_code/vteam_frontend:e2e-test \
-f components/frontend/Dockerfile \
components/frontend
else
echo "Frontend unchanged, pulling latest..."
docker pull quay.io/ambient_code/vteam_frontend:latest
docker tag quay.io/ambient_code/vteam_frontend:latest quay.io/ambient_code/vteam_frontend:e2e-test
fi
- name: Build or pull backend image
if: needs.detect-changes.outputs.backend == 'true'
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: components/backend
file: components/backend/Dockerfile
load: true
tags: quay.io/ambient_code/vteam_backend:e2e-test
cache-from: |
type=gha,scope=backend-amd64
type=gha,scope=e2e-backend
cache-to: type=gha,mode=max,scope=e2e-backend

# Build backend image (if changed or use latest)
if [ "${{ needs.detect-changes.outputs.backend }}" == "true" ]; then
echo "Building backend (changed)..."
docker build -t quay.io/ambient_code/vteam_backend:e2e-test \
-f components/backend/Dockerfile \
components/backend
else
echo "Backend unchanged, pulling latest..."
docker pull quay.io/ambient_code/vteam_backend:latest
docker tag quay.io/ambient_code/vteam_backend:latest quay.io/ambient_code/vteam_backend:e2e-test
fi
- name: Pull backend latest (unchanged)
if: needs.detect-changes.outputs.backend != 'true'
run: |
docker pull quay.io/ambient_code/vteam_backend:latest
docker tag quay.io/ambient_code/vteam_backend:latest quay.io/ambient_code/vteam_backend:e2e-test

# Build operator image (if changed or use latest)
if [ "${{ needs.detect-changes.outputs.operator }}" == "true" ]; then
echo "Building operator (changed)..."
docker build -t quay.io/ambient_code/vteam_operator:e2e-test \
-f components/operator/Dockerfile \
components/operator
else
echo "Operator unchanged, pulling latest..."
docker pull quay.io/ambient_code/vteam_operator:latest
docker tag quay.io/ambient_code/vteam_operator:latest quay.io/ambient_code/vteam_operator:e2e-test
fi
- name: Build or pull operator image
if: needs.detect-changes.outputs.operator == 'true'
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: components/operator
file: components/operator/Dockerfile
load: true
tags: quay.io/ambient_code/vteam_operator:e2e-test
cache-from: |
type=gha,scope=operator-amd64
type=gha,scope=e2e-operator
cache-to: type=gha,mode=max,scope=e2e-operator

# Build ambient-runner image (if changed or use latest)
if [ "${{ needs.detect-changes.outputs.claude-runner }}" == "true" ]; then
echo "Building ambient-runner (changed)..."
docker build -t quay.io/ambient_code/vteam_claude_runner:e2e-test \
components/runners/ambient-runner
else
echo "Claude-runner unchanged, pulling latest..."
docker pull quay.io/ambient_code/vteam_claude_runner:latest
docker tag quay.io/ambient_code/vteam_claude_runner:latest quay.io/ambient_code/vteam_claude_runner:e2e-test
fi
- name: Pull operator latest (unchanged)
if: needs.detect-changes.outputs.operator != 'true'
run: |
docker pull quay.io/ambient_code/vteam_operator:latest
docker tag quay.io/ambient_code/vteam_operator:latest quay.io/ambient_code/vteam_operator:e2e-test

echo ""
echo "✅ All images ready"
docker images | grep e2e-test
- name: Build or pull ambient-runner image
if: needs.detect-changes.outputs.claude-runner == 'true'
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: components/runners
file: components/runners/ambient-runner/Dockerfile
load: true
tags: quay.io/ambient_code/vteam_claude_runner:e2e-test
cache-from: |
type=gha,scope=ambient-runner-amd64
type=gha,scope=e2e-ambient-runner
cache-to: type=gha,mode=max,scope=e2e-ambient-runner

- name: Pull ambient-runner latest (unchanged)
if: needs.detect-changes.outputs.claude-runner != 'true'
run: |
docker pull quay.io/ambient_code/vteam_claude_runner:latest
docker tag quay.io/ambient_code/vteam_claude_runner:latest quay.io/ambient_code/vteam_claude_runner:e2e-test

- name: Show built images
run: docker images | grep e2e-test

- name: Cache kind binary
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: ~/k8s-tools/kind
key: kind-${{ runner.os }}-${{ env.KIND_VERSION }}

- name: Install kind
run: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.27.0/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
mkdir -p ~/k8s-tools
if [[ ! -f ~/k8s-tools/kind ]]; then
echo "Downloading kind $KIND_VERSION..."
curl -sLo ~/k8s-tools/kind "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64"
chmod +x ~/k8s-tools/kind
else
echo "Using cached kind"
fi
sudo cp ~/k8s-tools/kind /usr/local/bin/kind
kind version

- name: Setup kind cluster
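Review bot: The ambient-runner build changed its Docker context: the removed script built with `components/runners/ambient-runner` as the context, while the new step uses `context: components/runners` with `file: components/runners/ambient-runner/Dockerfile`. That widens what `COPY` can reach and shifts every relative path in the Dockerfile, so either the Dockerfile already expects the parent directory (and the old invocation was wrong) or this step will fail or pull in sibling runner directories; please confirm which and say so in the PR description. Two supply-chain points in the same hunk: the `Pull … latest (unchanged)` steps fetch `quay.io/ambient_code/*:latest` by mutable tag, so an e2e run is not reproducible and cannot distinguish a registry-side change from a PR regression; at minimum log `docker inspect --format '{{index .RepoDigests 0}}'` for each pulled image, or resolve the tag to a digest. And the kind install still downloads without verification: `curl -sLo ~/k8s-tools/kind "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64"` uses `-s` without `-f`, so an HTTP error body would be saved and `chmod +x`'d, and neither the download path nor the `Using cached kind` path checks the binary against the `.sha256sum` file kind publishes beside each release binary. Add `-f`, verify the checksum after download, and verify again after the cache restore so a truncated or tampered cache entry cannot become the cluster binary.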
@@ -194,7 +233,7 @@ jobs:

- name: Upload test results
if: failure()
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: cypress-screenshots-pr-${{ github.event.pull_request.number }}
path: e2e/cypress/screenshots
@@ -203,7 +242,7 @@ jobs:

- name: Upload test videos
if: failure()
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: cypress-videos-pr-${{ github.event.pull_request.number }}
path: e2e/cypress/videos
41 changes: 17 additions & 24 deletions .github/workflows/lint.yml
@@ -40,10 +40,10 @@ jobs:
cli: ${{ steps.filter.outputs.cli }}
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Detect changed components
uses: dorny/paths-filter@v4
uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
id: filter
with:
filters: |
@@ -80,10 +80,10 @@ jobs:
name: Frontend Lint and Type Check
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Node.js
uses: actions/setup-node@v6
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version-file: 'components/frontend/package.json'
cache: 'npm'
@@ -116,10 +116,10 @@ jobs:
name: Go Lint - Backend
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version-file: 'components/backend/go.mod'
cache-dependency-path: 'components/backend/go.sum'
@@ -141,15 +141,8 @@ jobs:
cd components/backend
go vet ./...

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
with:
version: latest
working-directory: components/backend
args: --timeout=5m

- name: Run golangci-lint (test build tags)
uses: golangci/golangci-lint-action@v9
- name: Run golangci-lint (all build tags)
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with:
version: latest
working-directory: components/backend
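Review bot: The action is now pinned to a SHA, but `version: latest` under `with:` means the golangci-lint binary itself still floats, so lint results can change between runs with no change to this repository (new releases enable new linters and alter existing ones), which defeats the reproducibility the SHA pin is meant to buy. Pin `version:` to a specific golangci-lint release and bump it deliberately; the same applies to the identical operator, API server and CLI steps further down this file. Also, since the former default step and the `(test build tags)` step are collapsed into `Run golangci-lint (all build tags)`, the rest of the new `with:` block is outside this hunk; confirm it still passes the build tags the removed step used, otherwise test-only files silently drop out of linting.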
@@ -162,10 +155,10 @@ jobs:
name: Go Lint - Operator
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version-file: 'components/operator/go.mod'
cache-dependency-path: 'components/operator/go.sum'
@@ -188,7 +181,7 @@ jobs:
go vet ./...

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with:
version: latest
working-directory: components/operator
@@ -201,10 +194,10 @@ jobs:
name: Go Lint - API Server
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version-file: 'components/ambient-api-server/go.mod'
cache-dependency-path: 'components/ambient-api-server/go.sum'
@@ -227,7 +220,7 @@ jobs:
go vet ./...

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with:
version: latest
working-directory: components/ambient-api-server
@@ -240,10 +233,10 @@ jobs:
name: Go Lint - CLI
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version-file: 'components/ambient-cli/go.mod'
cache-dependency-path: 'components/ambient-cli/go.sum'
@@ -266,7 +259,7 @@ jobs:
go vet ./...

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with:
version: latest
working-directory: components/ambient-cli