ci: restructure workflows to match org ruleset contract #36
Nelson Spence (Fieldnote-Echo) merged 4 commits into main from
Split test matrix into test-run + test aggregator.
Split lint into lint/typecheck/security.
Add quality-gate aggregator.
CodeQL job key analyze → codeql, drop matrix.
Scorecard → thin caller.
Release → centralized build.
Delete local _build-reusable.yml.
Required checks: test, lint, typecheck, security, codeql, semgrep, quality-gate

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✅ Grippy Review — PASS
Score: 88/100 | Findings: 5 | Delta: 5 new
Off-diff findings (3)
🟡 MEDIUM: Aggregator jobs rely on matrix result propagation logic
The new 'test' and 'quality-gate' aggregator jobs check that upstream matrix jobs have passed by reading their result using
Suggestion: Ensure all upstream jobs (
🔵 LOW: No explicit error messages for which required job failed in quality-gate aggregator
The 'quality-gate' job loops over results of required jobs and fails if any job did not succeed, but the error message only reports which result failed as a variable, not which specific job (by name) was at fault. This could make troubleshooting more difficult, especially as the number of required jobs grows.
Suggestion: Enhance the loop logic in 'quality-gate' to print both the job name and its result, either via a bash associative array or individual checks, to provide more informative error output.
🔵 LOW: Test aggregator job does not produce or propagate artifacts
The 'test' aggregator job only checks the matrix result but does not aggregate test reports, code coverage, or other artifacts. If downstream jobs or branch protections depend on these artifacts, this pattern could create gaps.
Suggestion: If other systems or team processes expect test artifacts (logs, coverage, etc.) to be published at the aggregator job level, update the job to collect and upload them from dependencies.
Commit: 3f52372
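The gate logic the LOW finding above asks for, as an added example that is not code from this PR or the repository: each required job's result arrives as a NAME=RESULT pair (the way `${{ needs.<job>.result }}` values would be handed to a step through `env:`), every job is printed with its result, and the failure message names each job that did not succeed. It goes one step beyond the finding by treating `skipped` and `cancelled` the same as `failure`, which matters because an aggregator declared with `if: always()` still runs when an upstream required job was skipped.

```shell
#!/usr/bin/env bash
# Added example, not from the PR. Hypothetical helper for a quality-gate
# aggregator step. Results are the strings the Actions `needs` context
# exposes: success, failure, cancelled, skipped.

# check_required_jobs NAME=RESULT ...
# Prints every job with its result, then fails once, listing each job
# (by name) whose result is not "success". Returns 0 only when all pass.
check_required_jobs() {
  local pair name result failed=""
  for pair in "$@"; do
    name="${pair%%=*}"
    result="${pair#*=}"
    printf '%-14s %s\n' "$name" "$result"
    # Anything other than success (failure, cancelled, skipped) blocks the gate.
    if [ "$result" != "success" ]; then
      failed="${failed:+$failed }$name($result)"
    fi
  done
  if [ -n "$failed" ]; then
    echo "quality-gate: required job(s) did not succeed: $failed" >&2
    return 1
  fi
  echo "quality-gate: all required jobs succeeded"
  return 0
}

# Constructed sample inputs (not real workflow results), using the
# required check names listed in this PR.
all_green() {
  check_required_jobs test=success lint=success typecheck=success \
    security=success codeql=success semgrep=success
}

lint_failed_typecheck_skipped() {
  check_required_jobs test=success lint=failure typecheck=skipped \
    security=success codeql=success semgrep=success
}
```

In the workflow the step would map `needs.<job>.result` into `env:` variables and call `check_required_jobs test="$TEST" lint="$LINT" ...`, with the job itself declared `if: always()` and `needs:` listing every required job.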
Pull request overview
This PR restructures the repository’s GitHub Actions workflows to comply with an org ruleset “required check name” contract, while centralizing some workflows into Project-Navi/.github.
Changes:
- Split the test matrix into a non-required `test-run` job plus a required `test` aggregator job, and added a `quality-gate` aggregator.
- Split quality checks into separate required jobs: `lint` (ruff), `typecheck` (mypy), and `security` (bandit + pip-audit).
- Simplified CodeQL to a single required `codeql` job and migrated Scorecard/Release to centralized reusable workflows.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/tests.yml | Adds required-check aggregators (test, quality-gate) and splits lint/typecheck/security into distinct jobs. |
| .github/workflows/codeql.yml | Renames job to codeql and removes the language matrix to stabilize the required check name. |
| .github/workflows/scorecard.yml | Replaces the local Scorecard implementation with a pinned reusable workflow call. |
| .github/workflows/release.yml | Switches release build to a pinned reusable workflow call and passes package metadata. |
| .github/workflows/_build-reusable.yml | Deletes the local reusable build workflow in favor of the centralized version. |
project-navi-bot left a comment
All required CI checks passed. Auto-approved by project-navi-bot.
Summary
- `test-run` + `test` aggregator
- `lint` (ruff), `typecheck` (mypy), `security` (bandit + pip-audit)
- `quality-gate` aggregator
- `analyze` → `codeql`, dropped matrix
- Project-Navi/.github `_build-reusable.yml@6c4c2d8f`
- `_build-reusable.yml`
- Check name contract (Python tier)
Test plan
- `test` aggregator passes when matrix passes
- `quality-gate` passes when all required jobs pass

🤖 Generated with Claude Code