Merged
6 changes: 6 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
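Review bot: this config only covers `pip`. The workflows in this PR consume reusable workflows from `intel/mfd`, and a second `package-ecosystem: "github-actions"` entry would keep those references current once they are pinned to a tag or commit SHA (Dependabot does not track a floating `@main` ref). A `daily` interval with no `open-pull-requests-limit` can also produce a flood of update PRs; consider `weekly` or an explicit limit.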
23 changes: 23 additions & 0 deletions .github/dependency_review.yml
@@ -0,0 +1,23 @@
fail-on-severity: 'low'
allow-licenses:
- 'BSD-2-Clause'
- 'BSD-3-Clause'
- 'BSD-3-Clause-Clear'
- 'BSD-2-Clause-Views'
- 'MIT'
- 'Apache-2.0'
- 'ISC'
- 'BlueOak-1.0.0'
- '0BSD'
- 'Python-2.0'
- 'LGPL-3.0'
- 'MPL-2.0'
fail-on-scopes:
- 'runtime'
- 'development'
- 'unknown'
license-check: true
vulnerability-check: true
allow-dependencies-licenses:
- 'pkg:pypi/PyGithub@2.2.0'
- 'pkg:pypi/psycopg2-binary'
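Review bot: the two `allow-dependencies-licenses` entries bypass the license check without a recorded reason; add a comment next to each stating which rule the package fails and why that is acceptable. `pkg:pypi/psycopg2-binary` is also unversioned, so the exemption follows every future release, unlike `pkg:pypi/PyGithub@2.2.0`; pin it the same way so a license change in a newer version is caught again.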
206 changes: 0 additions & 206 deletions .github/workflows/build_upload_whl.yml

This file was deleted.

18 changes: 18 additions & 0 deletions .github/workflows/check_code_standard.yml
@@ -0,0 +1,18 @@
name: Check Code Standard

on:
pull_request:
types: [opened, synchronize]

jobs:
run_check_standard:
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
uses: intel/mfd/.github/workflows/check_code_standard.yml@main
secrets:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
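Review bot: the matrix defines `python_version: ['3.10', '3.13']` but the `with:` block never forwards it, so both legs call the reusable workflow with identical inputs and one run is redundant (or both use the callee's default). Pass it as `PYTHON_VERSION: ${{ matrix.python_version }}` as main.yml and pull_request.yml in this PR do, or drop the matrix. This workflow also has no top-level `permissions:` block, the same finding CodeQL raised on the other new workflows.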
12 changes: 12 additions & 0 deletions .github/workflows/check_pr_format.yml
@@ -0,0 +1,12 @@
name: Title + Commit Validation

on:
pull_request:
types: [opened, synchronize]

jobs:
validate_pr_format:
uses: intel/mfd/.github/workflows/check_pr_format.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
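Review bot: `BRANCH_NAME: ${{ github.head_ref }}` is chosen by the PR author, so for pull requests from forks it is untrusted input. The reusable workflow must consume it via `env:` or as a quoted argument rather than interpolating `${{ inputs.BRANCH_NAME }}` directly into a `run:` script; worth confirming in `intel/mfd/.github/workflows/check_pr_format.yml` before merging. The missing `permissions:` block is covered by the CodeQL alert on this file.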
Check warning on lines +9 to +12 (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, about 2 months ago)
To fix the problem, a permissions block should be explicitly added to the workflow or the relevant job to limit the GitHub token’s permissions. Since the job appears to only validate PR format (not make changes), it likely only needs read access. The most secure approach is to set the permissions at the workflow root, applying to all jobs by default. If the job or called workflow requires specific permissions, these can be set later, but the least privilege is contents: read. The fix only involves adding a permissions block after the workflow’s name line.

Suggested changeset 1: .github/workflows/check_pr_format.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_pr_format.yml b/.github/workflows/check_pr_format.yml
--- a/.github/workflows/check_pr_format.yml
+++ b/.github/workflows/check_pr_format.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Title + Commit Validation
 
 on:
EOF
@@ -1,3 +1,5 @@
permissions:
contents: read
name: Title + Commit Validation

on:
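Review bot: `contents: read` is the right default, but a caller's `permissions` block is an upper bound for a reusable workflow: the called `intel/mfd` workflow cannot obtain more than the caller grants. If title/commit validation reads PR metadata or posts a comment it will need `pull-requests: read` or `write` here, so check the callee's requirements before applying the minimal block. Minor: the explanation above says the block goes after the `name:` line, while the patch inserts it before; either is valid YAML, but keep the two consistent.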
9 changes: 9 additions & 0 deletions .github/workflows/dependency_review.yml
@@ -0,0 +1,9 @@
name: Dependency Review

on:
pull_request:
types: [opened, synchronize]

jobs:
dependency_review:
uses: intel/mfd/.github/workflows/dependency_review.yml@main
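Review bot: `types: [opened, synchronize]` means a pull request that is closed and reopened, or whose base branch is changed, is not re-reviewed; since this job is the dependency gate, add `reopened` (and `edited` if base-branch changes matter). The job also passes no `with:` inputs, so the settings in `.github/dependency_review.yml` added in this PR only take effect if the reusable workflow reads that path by convention; a comment here pointing at that file would help the next reader.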

Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, about 2 months ago)

To fix the problem, add a permissions block, either at the workflow root or under the specific job (dependency_review). Since this workflow’s job simply uses another workflow and likely needs only minimal permissions associated with dependency review (primarily contents: read), it’s best to add the most restrictive set possible. Modify .github/workflows/dependency_review.yml to include a permissions block at the root level, granting only the minimal necessary permissions (usually contents: read). This can be inserted after the name: field and before the on: field to apply to the whole workflow (recommended), unless deeper inspection of the reusable workflow indicates the need for additional privileges.

Suggested changeset 1: .github/workflows/dependency_review.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
--- a/.github/workflows/dependency_review.yml
+++ b/.github/workflows/dependency_review.yml
@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Dependency Review
 
 on:
EOF
@@ -1,3 +1,5 @@
permissions:
contents: read
name: Dependency Review

on:
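Review bot: CodeQL annotated only this file and check_pr_format.yml, but check_code_standard.yml, main.yml and pull_request.yml in the same PR have no `permissions:` block either. If this patch is applied, add the same root-level block to those three workflows too, so the least-privilege ceiling is consistent across every caller of the `intel/mfd` reusable workflows.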
21 changes: 21 additions & 0 deletions .github/workflows/main.yml
@@ -0,0 +1,21 @@
name: CI Build

on:
push:
branches:
- main

jobs:
build_whl:
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
uses: intel/mfd/.github/workflows/main.yml@main
secrets:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
with:
REPOSITORY_NAME: ${{ github.repository }}
BRANCH_NAME: ${{ github.ref_name }}
PYTHON_VERSION: ${{ matrix.python_version }}
PROJECT_NAME: 'mfd-const'
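Review bot: this job runs on every push to `main`, hands `secrets.GH_TOKEN` to a reusable workflow referenced by the mutable ref `intel/mfd/.github/workflows/main.yml@main`, and has no `permissions:` block. Anyone who can change `main` in `intel/mfd` can therefore change what runs with this repository's token; pin to a release tag or full commit SHA (and let Dependabot bump it) and add a root `permissions:` block.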
28 changes: 10 additions & 18 deletions .github/workflows/manual_release.yml
@@ -1,33 +1,25 @@
name: CI BUILD - RELEASE MODE
name: CI Build - Release Mode

on:
workflow_dispatch:

jobs:
build_upload_whl:
strategy:
fail-fast: false
matrix:
include:
- name: python-version-3-10
python_version: '3.10'
push_tag: false
upload_package: false
continue-on-error: true
- name: python-version-3-13
python_version: '3.13'
push_tag: true
upload_package: true
continue-on-error: true
uses: ./.github/workflows/build_upload_whl.yml
- python_version: '3.10'
release_steps: true
- python_version: '3.13'
release_steps: false
uses: intel/mfd/.github/workflows/manual_release.yml@main
secrets:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
with:
REPOSITORY_NAME: ${{ github.repository }}
BRANCH_NAME: ${{ github.ref_name }}
PYTHON_VERSION: ${{ matrix.python_version }}
PUSH_TAG: ${{ matrix.push_tag }}
RELEASE_BUILD: true
UPLOAD_PACKAGE: ${{ matrix.upload_package }}
GIT_USER: 'mfd-intel-bot'
GIT_EMAIL: 'mfd_intel_bot@intel.com'
PROJECT_NAME: 'mfd-const'
PROJECT_NAME: 'mfd-const'
RELEASE_STEPS: ${{ matrix.release_steps }}
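Review bot: the new matrix appears to invert which leg performs the release. Before, `python_version: '3.13'` had `push_tag: true` and `upload_package: true` while 3.10 had both false; now `release_steps: true` sits on `'3.10'` and `release_steps: false` on `'3.13'`. If that is unintentional, swap them. Dropping `continue-on-error: true` on both legs is an improvement, since a failing leg no longer passes silently, and `fail-fast: false` still lets the other leg finish. The newly passed `PYPI_TOKEN` is a publish credential, which makes pinning `intel/mfd/.github/workflows/manual_release.yml@main` to a tag or SHA more important here than in the other workflows.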
20 changes: 20 additions & 0 deletions .github/workflows/pull_request.yml
@@ -0,0 +1,20 @@
name: Dev Build

on:
pull_request:
types: [opened, synchronize]

jobs:
build_whl:
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
uses: intel/mfd/.github/workflows/pull_request.yml@main
secrets:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
PYTHON_VERSION: ${{ matrix.python_version }}
PROJECT_NAME: 'mfd-const'
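Review bot: `REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}` suggests pull requests from forks are expected, but `pull_request` runs for forks receive no repository secrets, so `GH_TOKEN` will be empty there and the reusable workflow needs to handle that (or the job should be limited to same-repository PRs). If the token only serves to check out `intel/mfd` and that repository is public, it is not needed at all.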