29 changes: 29 additions & 0 deletions .github/workflows/flaky.yml
@@ -0,0 +1,29 @@
on:

Copilot AI Jan 7, 2026


The workflow is missing a 'name' field at the top level. Adding a descriptive name like 'name: Flaky Test Detection' would make the workflow easier to identify in the GitHub Actions UI.

push:
branches:
- main
- develop
pull_request:
branches:
- main
- develop
Comment on lines +1 to +9

🛠️ Refactor suggestion | 🟠 Major

Add a descriptive workflow name.

The workflow is missing a top-level name field. Add one for better visibility in the GitHub Actions UI.

🔎 Proposed addition
+name: Flaky Test Detection and Reporting
+
 on:
   push:

As per coding guidelines, always start with a descriptive name for the workflow.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
push:
branches:
- main
- develop
pull_request:
branches:
- main
- develop
name: Flaky Test Detection and Reporting
on:
push:
branches:
- main
- develop
pull_request:
branches:
- main
- develop
🤖 Prompt for AI Agents
In @.github/workflows/flaky.yml around lines 1 - 9, Add a top-level name field
to the GitHub Actions workflow so it displays a descriptive title in the Actions
UI; update the YAML in the workflow (the document that currently starts with
"on:") by inserting a "name: <Descriptive Workflow Name>" line at the very top
(e.g., "name: Flaky Test Suite" or similar), keeping it above the existing "on:"
block.


permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
Comment on lines +15 to +16

🧹 Nitpick | 🔵 Trivial

Add a descriptive job name.

The job is missing a name field. While not strictly required, it improves readability in the Actions UI.

🔎 Proposed addition
 jobs:
   test:
+    name: Run Tests and Upload Results
     runs-on: ubuntu-latest

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In @.github/workflows/flaky.yml around lines 15 - 16, The GitHub Actions job
keyed as "test" currently only has "runs-on: ubuntu-latest"; add a descriptive
"name" field to the job mapping (e.g., name: "Run Tests" or similar) so the job
displays a meaningful title in the Actions UI; update the job block that
contains the "test" key and "runs-on" to include the new "name" property at the
same indentation level.


steps:

Copilot AI Jan 7, 2026


The 'Run Tests' step is missing a checkout action before it. Without checking out the repository code first using 'actions/checkout@v4', the tests will have no code to run against.

Suggested change
steps:
steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Run Tests
Comment on lines +15 to +19

issue (bug_risk): Consider adding an explicit checkout step before running tests and uploading results.

This job runs on ubuntu-latest without checking out the repo, so it won’t see your test code or JUnit XML files. Add a - uses: actions/checkout@v4 step before Run Tests so the workflow has access to the repository contents.

run: ...

Copilot AI Jan 7, 2026


The 'run' command contains placeholder text '...' which will cause the workflow to fail. This needs to be replaced with the actual test command (e.g., 'npm test', 'pytest', or whatever test runner is used in this repository).

Suggested change
run: ...
run: echo "No tests are configured for this workflow yet."


- name: Upload Test Results to Trunk.io
if: ${{ !cancelled() }} # Upload the results even if the tests fail
continue-on-error: true # don't fail this job if the upload fails
uses: trunk-io/analytics-uploader@main

🚨 suggestion (security): Pin the analytics-uploader action to a specific version or commit for supply-chain safety.

Using @main will automatically pull in any future changes to trunk-io/analytics-uploader, including potentially breaking or malicious ones. Please pin this to a tagged release (e.g. @vX) or, ideally, a specific commit SHA to keep the workflow deterministic and auditable.

Suggested implementation:

      - name: Upload Test Results to Trunk.io
        if: ${{ !cancelled() }} # Upload the results even if the tests fail
        continue-on-error: true # don't fail this job if the upload fails
        # Pin to a specific version or commit for supply-chain safety.
        # Replace `vX.Y.Z` with the desired tagged release or a specific commit SHA.
        uses: trunk-io/analytics-uploader@vX.Y.Z
        with:
          junit-paths: "**/*.xml"
          org-slug: deanmachines
          token: ${{ secrets.TRUNK_API_TOKEN }}

  1. Decide on the exact ref to pin to:
    • Prefer a tagged release, e.g. trunk-io/analytics-uploader@v1, @v1.2.3.
    • For maximum determinism, use a full commit SHA, e.g. @0123456789abcdef0123456789abcdef01234567.
  2. Update vX.Y.Z in the uses: line to that chosen tag or SHA.
  3. Optionally, document the chosen version/commit in a comment (e.g., link to the release or commit on GitHub) to aid future audits and upgrades.

with:
junit-paths: "**/*.xml"

suggestion (bug_risk): Narrow the JUnit glob pattern to avoid picking up unrelated XML files.

**/*.xml will include non-test XML files (configs, reports from other tools, etc.), which can lead to noisy or misclassified results in Trunk. If you know the directory structure, consider a more specific glob (e.g. reports/**/junit-*.xml or **/test-results/**/*.xml) to target only JUnit outputs.

Suggested implementation:

      - name: Upload Test Results to Trunk.io
        if: ${{ !cancelled() }} # Upload the results even if the tests fail
        continue-on-error: true # don't fail this job if the upload fails
        uses: trunk-io/analytics-uploader@main
        with:
          # Restrict to typical test result locations to avoid unrelated XML files
          junit-paths: |
            **/test-results/**/*.xml
            **/junit/**/*.xml
          org-slug: deanmachines
          token: ${{ secrets.TRUNK_API_TOKEN }}

If your project uses a different directory layout for JUnit outputs (e.g. reports/junit/*.xml, build/test-results/test/*.xml, or target/surefire-reports/*.xml), update the junit-paths entries accordingly to match those actual paths. The key is to:

  1. Point only at directories where JUnit reports are written.
  2. Avoid root-level or generic **/*.xml patterns that include config or tool output XML.

org-slug: deanmachines
token: ${{ secrets.TRUNK_API_TOKEN }}
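Review bot: `continue-on-error: true` on the Upload Test Results step hides every upload failure, including an authentication failure when `secrets.TRUNK_API_TOKEN` is empty (which it is for `pull_request` runs coming from forks, where repository secrets are not exposed), so the job stays green while no results ever reach Trunk; combined with the unpinned `uses: trunk-io/analytics-uploader@main`, a changed or broken action would pass just as silently. Suggest pinning the action to a full commit SHA, keeping `if: ${{ !cancelled() }}` so results are still uploaded after a failing test run, and dropping `continue-on-error: true` so an upload failure is visible in the job status. The top-level `permissions: contents: read` is the right least-privilege default for this job and should stay as is.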
Comment on lines +22 to +29

⚠️ Potential issue | 🟠 Major

Security and reliability concerns with the upload step.

This step has multiple issues already flagged by previous reviewers:

  1. Security risk: Using @main for the action reference means any changes pushed to the main branch will automatically be pulled into your workflow, including potentially malicious code
  2. Overly broad pattern: The **/*.xml pattern will match any XML file in the repository, not just JUnit test results, potentially uploading configuration files or other unrelated XML

Additionally, without the checkout step (see previous comment), this step will find no files to upload.

🔎 Recommended fixes

1. Pin the action to a specific version:

-        uses: trunk-io/analytics-uploader@main
+        uses: trunk-io/analytics-uploader@v1  # or a specific commit SHA

2. Narrow the JUnit paths pattern:

         with:
-          junit-paths: "**/*.xml"
+          junit-paths: |
+            **/test-results/**/*.xml
+            **/junit/**/*.xml
           org-slug: deanmachines

Adjust the paths to match your actual test output directories.

As per coding guidelines, always specify a secure version (tag or SHA) for actions and use specific paths for file patterns.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Upload Test Results to Trunk.io
if: ${{ !cancelled() }} # Upload the results even if the tests fail
continue-on-error: true # don't fail this job if the upload fails
uses: trunk-io/analytics-uploader@main
with:
junit-paths: "**/*.xml"
org-slug: deanmachines
token: ${{ secrets.TRUNK_API_TOKEN }}
- name: Upload Test Results to Trunk.io
if: ${{ !cancelled() }} # Upload the results even if the tests fail
continue-on-error: true # don't fail this job if the upload fails
uses: trunk-io/analytics-uploader@v1 # or a specific commit SHA
with:
junit-paths: |
**/test-results/**/*.xml
**/junit/**/*.xml
org-slug: deanmachines
token: ${{ secrets.TRUNK_API_TOKEN }}
🤖 Prompt for AI Agents
In @.github/workflows/flaky.yml around lines 22 - 29, The "Upload Test Results
to Trunk.io" workflow step is insecure and too broad: replace the uses reference
trunk-io/analytics-uploader@main with a pinned tag or commit SHA (do not use
@main), narrow the junit-paths pattern to the actual test output directory(s)
instead of "**/*.xml" (e.g., your CI test-report folder), and ensure a prior
checkout action (actions/checkout@vX or pinned SHA) runs so the uploader can
find files; update the step name or inputs accordingly to reflect these changes.

2 changes: 1 addition & 1 deletion .gitignore
@@ -127,7 +127,7 @@ opnapi.json
openapi.json

# GitHub Actions
.github/workflows/**.yml

Contributor


medium

This change introduces an unnecessary blank line. To keep the .gitignore file clean and concise, it's better to remove this line entirely rather than replacing it with a blank one.

.github/workflows/**.yaml

⚠️ Potential issue | 🔴 Critical

Critical: Extension mismatch between ignore pattern and workflow file.

The ignore pattern targets .yaml files, but the workflow file being added in this PR is named flaky.yml (with .yml extension). This mismatch means:

  • If the intent is to ignore workflow files, this pattern won't work for flaky.yml
  • The workflow file will be tracked by Git despite this ignore rule

Consider one of these solutions:

  1. Rename the workflow file to flaky.yaml to match this pattern
  2. Change the pattern back to .github/workflows/**.yml to match the workflow file
  3. Use a pattern that covers both extensions: .github/workflows/**/*.{yml,yaml}
🔎 Recommended fix to ignore both extensions
-.github/workflows/**.yaml
+.github/workflows/**/*.{yml,yaml}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
.github/workflows/**.yaml
.github/workflows/**/*.yml
.github/workflows/**/*.yaml
Suggested change
.github/workflows/**.yaml
.github/workflows/*.yml
.github/workflows/*.yaml
🤖 Prompt for AI Agents
In @.gitignore at line 131, The .gitignore pattern ".github/workflows/**.yaml"
doesn’t match the new workflow file "flaky.yml", so Git will still track it;
update the ignore to cover the actual file or rename the file: either rename
"flaky.yml" to "flaky.yaml", or change the .gitignore entry to
".github/workflows/**.yml", or better replace it with a pattern that matches
both extensions like ".github/workflows/**/*.{yml,yaml}" so both ".yml" and
".yaml" workflow files are ignored.

.github/actions/**/node_modules/
.github/actions/**/dist/
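Review bot: after this change `.github/workflows/**.yaml` stays in the ignore list while `.github/workflows/**.yml` is the entry being touched, so workflow files are treated differently depending on their extension, and the new `flaky.yml` in this PR is tracked only because of that difference. Ignoring CI workflow files at all is a reliability and review problem: an untracked workflow is never reviewed in a PR and never run by Actions, so the repository can silently drift from what the team believes is enforced. Suggest removing the `.yaml` entry as well and, as already noted above, not leaving a blank line in place of the removed entry, so the hunk is a clean deletion. Separately, in a `.gitignore` a `**` that is not followed by `/` behaves like a plain `*`, so `.github/workflows/**.yaml` only matches files directly in that directory; if a recursive match were intended, the pattern would be `.github/workflows/**/*.yaml`.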