diff --git a/.github/workflows/auto-changelog.yml b/.github/workflows/auto-changelog.yml index 957d2b78..da99c075 100644 --- a/.github/workflows/auto-changelog.yml +++ b/.github/workflows/auto-changelog.yml @@ -1,20 +1,25 @@ name: Auto Changelog (Release Drafter) on: - push: + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] branches: [ main ] release: types: [published] concurrency: - group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }} + group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }} cancel-in-progress: true jobs: update-draft: runs-on: ubuntu-latest + if: ${{ github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main') }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Draft Release uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97 # v6 env: diff --git a/.github/workflows/auto-versioning.yml b/.github/workflows/auto-versioning.yml index 27db0695..48a44ee2 100644 --- a/.github/workflows/auto-versioning.yml +++ b/.github/workflows/auto-versioning.yml @@ -8,11 +8,13 @@ name: Auto Versioning and Release # ⚠️ Major version bumps are intentionally disabled in automation to prevent accidents. on: - push: + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] branches: [ main ] concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }} cancel-in-progress: false # Don't cancel in-progress releases permissions: 
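Review bot: `github.event.workflow_run.head_branch == 'main'` in the new `update-draft` condition does not establish that the triggering run was a push to this repository's `main`: `head_branch` is the head branch of whatever run triggered the event, so a `pull_request`-triggered run whose head branch happens to be named `main` (including one from a fork, if the Docker Build workflow runs on pull requests as security-pr.yml's condition implies) satisfies it, and the `branches: [ main ]` filter on the `workflow_run` trigger matches on the same field. Since the job checks out `workflow_run.head_sha` and drafts a release from it, the gate should also require `github.event.workflow_run.event == 'push'` and, for fork safety, `github.event.workflow_run.head_repository.full_name == github.repository`; the Store Benchmark Result step in benchmark.yml already uses the `event == 'push'` form and is the pattern to copy. The same `head_branch`-only gate is introduced for auto-versioning's `version` job, docs.yml's `deploy` job and propagate-changes' `propagate` job and needs the same tightening there.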
@@ -21,11 +23,13 @@ permissions: jobs: version: runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Calculate Semantic Version id: semver diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index df84999a..dbd071f7 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -1,22 +1,13 @@ name: Go Benchmark on: - push: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' - pull_request: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] workflow_dispatch: concurrency: - group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }} cancel-in-progress: true env: @@ -31,6 +22,7 @@ jobs: benchmark: name: Performance Regression Check runs-on: ubuntu-latest + if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} # Grant write permissions for storing benchmark results (only used on push via step condition) # Note: GitHub Actions doesn't support dynamic expressions in permissions block permissions: @@ -38,6 +30,8 @@ jobs: deployments: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6 
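Review bot: The `benchmark` job now accepts any successful triggering run, checks out `workflow_run.head_sha` and then builds and runs that code under a job that holds `deployments: write` and, as a `workflow_run` job, the repository's secrets; if the Docker Build workflow also runs for pull requests from forks, that is code from outside the repository executing with credentials the former `pull_request` trigger would not have granted it. At minimum add `persist-credentials: false` to the `actions/checkout` step so the token is not written into `.git/config` of the checked-out tree (`with:` / `ref: ${{ github.event.workflow_run.head_sha || github.sha }}` / `persist-credentials: false`), and gate jobs that need write permissions on `github.event.workflow_run.head_repository.full_name == github.repository`. The same `ref: head_sha` checkout is added in codecov-upload, codeql, docs-to-issues, docs, dry-run-history-rewrite, e2e-tests-split (six jobs), history-rewrite-tests, quality-checks and security-pr and deserves the same treatment wherever the job runs the checked-out code.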
@@ -52,7 +46,7 @@ jobs: - name: Store Benchmark Result # Only store results on pushes to main - PRs just run benchmarks without storage # This avoids gh-pages branch errors and permission issues on fork PRs - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main' # Security: Pinned to full SHA for supply chain security uses: benchmark-action/github-action-benchmark@4e0b38bc48375986542b13c0d8976b7b80c60c00 # v1 with: diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml index 51003f79..705d162c 100644 --- a/.github/workflows/codecov-upload.yml +++ b/.github/workflows/codecov-upload.yml @@ -1,21 +1,12 @@ -name: Upload Coverage to Codecov (Push only) +name: Upload Coverage to Codecov on: - push: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' - pull_request: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] concurrency: - group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }} + group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }} cancel-in-progress: true env: @@ -31,11 +22,13 @@ jobs: name: Backend Codecov Upload runs-on: ubuntu-latest timeout-minutes: 15 + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6 
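Review bot: Pinning the checkout to `workflow_run.head_sha` leaves the job's own `GITHUB_SHA` and `GITHUB_REF` describing the default branch, so an uploader that reads commit and branch from the environment (the Codecov step sits below this hunk) would attribute the report to the wrong commit; if it is codecov-action, pass the triggering run's values explicitly, `override_commit: ${{ github.event.workflow_run.head_sha }}` and `override_branch: ${{ github.event.workflow_run.head_branch }}`. Dropping "(Push only)" from the name together with a gate of `conclusion == 'success'` alone means pull-request runs now upload as well, which the "push-only" comments in quality-checks.yml previously ruled out; confirm that is intended. The `frontend-codecov` hunk on the next file section has the same two points.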
@@ -63,11 +56,13 @@ jobs: name: Frontend Codecov Upload runs-on: ubuntu-latest timeout-minutes: 15 + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4d057519..6fa77034 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,23 +1,14 @@ name: CodeQL - Analyze on: - push: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' - pull_request: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] schedule: - cron: '0 3 * * 1' concurrency: - group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }} + group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }} cancel-in-progress: true env: @@ -35,7 +26,8 @@ jobs: name: CodeQL analysis (${{ matrix.language }}) runs-on: ubuntu-latest # Skip forked PRs where CHARON_TOKEN lacks security-events permissions - if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false + if: >- + (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success') permissions: contents: read security-events: write @@ -48,6 +40,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Initialize CodeQL uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4 
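Review bot: The retained comment `# Skip forked PRs where CHARON_TOKEN lacks security-events permissions` no longer describes the condition beneath it: the old `pull_request.head.repo.fork == false` test is gone and the new expression only checks `conclusion == 'success'`, so a run triggered by a fork pull request now passes the gate of a job holding `security-events: write`. Either update the comment or restore the intent with `(github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_repository.full_name == github.repository))`, which is the closest `workflow_run` equivalent of the fork check. The `>-` folded scalar holding a single parenthesised line is fine as written.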
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml index c46d6302..ececd962 100644 --- a/.github/workflows/docker-lint.yml +++ b/.github/workflows/docker-lint.yml @@ -3,12 +3,8 @@ name: Docker Lint on: push: branches: [ main, development, 'feature/**', 'hotfix/**' ] - paths: - - 'Dockerfile' pull_request: branches: [ main, development, 'feature/**', 'hotfix/**' ] - paths: - - 'Dockerfile' concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }} diff --git a/.github/workflows/docs-to-issues.yml b/.github/workflows/docs-to-issues.yml index 51743eb4..5356c609 100644 --- a/.github/workflows/docs-to-issues.yml +++ b/.github/workflows/docs-to-issues.yml @@ -1,16 +1,9 @@ name: Convert Docs to Issues on: - push: - branches: - - main - - development - - feature/** - paths: - - 'docs/issues/**/*.md' - - '!docs/issues/created/**' - - '!docs/issues/_TEMPLATE.md' - - '!docs/issues/README.md' + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] # Allow manual trigger workflow_dispatch: @@ -26,7 +19,7 @@ on: type: string concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }} cancel-in-progress: false env: @@ -41,13 +34,14 @@ jobs: convert-docs: name: Convert Markdown to Issues runs-on: ubuntu-latest - if: github.actor != 'github-actions[bot]' + if: github.actor != 'github-actions[bot]' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success') steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 
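Review bot: Removing both the `branches` and `paths` filters means `convert-docs` now runs for every successful Docker Build run, including runs triggered by pull requests from any branch or fork, and the only remaining guard is `github.actor != 'github-actions[bot]'`; if the job creates issues (its `permissions` block is outside this hunk), that widens who can cause issue creation from `docs/issues/**` content. A `workflow_run` trigger accepts a `branches:` filter, as the propagate-changes.yml hunk uses, so `branches: [ main, development, 'feature/**' ]` would restore the old scope, and adding `github.event.workflow_run.event == 'push'` to the `if` keeps pull-request runs out. Also confirm that `github.actor` carries the triggering run's actor under `workflow_run`; `github.event.workflow_run.actor.login` is the field that unambiguously does, and the same loop guard is kept in propagate-changes.yml's `propagate` job.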
@@ -60,10 +54,13 @@ jobs: - name: Detect changed files id: changes uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + COMMIT_SHA: ${{ github.event.workflow_run.head_sha || github.sha }} with: script: | const fs = require('fs'); const path = require('path'); + const commitSha = process.env.COMMIT_SHA || context.sha; // Manual file specification const manualFile = '${{ github.event.inputs.file_path }}'; @@ -81,7 +78,7 @@ jobs: const { data: commit } = await github.rest.repos.getCommit({ owner: context.repo.owner, repo: context.repo.repo, - ref: context.sha + ref: commitSha }); const changedFiles = (commit.files || []) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 50966716..59744172 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,20 +1,9 @@ name: Deploy Documentation to GitHub Pages on: - push: - branches: - - '**' - paths: - - 'docs/**' - - 'README.md' - - '.github/workflows/docs.yml' - pull_request: - branches: - - '**' - paths: - - 'docs/**' - - 'README.md' - - '.github/workflows/docs.yml' + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] workflow_dispatch: # Allow manual trigger # Sets permissions to allow deployment to GitHub Pages @@ -25,7 +14,7 @@ permissions: # Allow only one concurrent deployment concurrency: - group: "pages-${{ github.event_name }}-${{ github.ref }}" + group: "pages-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}" cancel-in-progress: false env: @@ -36,6 +25,7 @@ jobs: name: Build Documentation runs-on: ubuntu-latest timeout-minutes: 10 + if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} env: REPO_NAME: ${{ github.event.repository.name }} 
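Review bot: The new `env: COMMIT_SHA:` indirection keeps the SHA out of the script source, but two lines below the added `commitSha` declaration the unchanged `const manualFile = '${{ github.event.inputs.file_path }}';` still splices a `workflow_dispatch` input straight into JavaScript source, which is exactly what the `env:` pattern avoids. For consistency with this hunk, route it the same way: `FILE_PATH: ${{ github.event.inputs.file_path }}` under `env:` and `const manualFile = process.env.FILE_PATH || '';` in the script. A one-line comment on the `env:` block, `# head_sha of the triggering run; context.sha is the default-branch tip under workflow_run`, would record why `commitSha` exists at all.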
@@ -43,6 +33,8 @@ jobs: # Step 1: Get the code - name: 📥 Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} # Step 2: Set up Node.js (for building any JS-based doc tools) - name: 🔧 Set up Node.js @@ -366,7 +358,9 @@ jobs: deploy: name: Deploy to GitHub Pages - if: github.ref == 'refs/heads/main' + if: >- + (github.event_name == 'workflow_run' && github.event.workflow_run.head_branch == 'main') || + (github.event_name != 'workflow_run' && github.ref == 'refs/heads/main') environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/.github/workflows/dry-run-history-rewrite.yml b/.github/workflows/dry-run-history-rewrite.yml index 3bfe2772..0d7d338d 100644 --- a/.github/workflows/dry-run-history-rewrite.yml +++ b/.github/workflows/dry-run-history-rewrite.yml @@ -1,16 +1,15 @@ name: History Rewrite Dry-Run on: - push: - branches: [main, development, 'feature/**', 'hotfix/**'] - pull_request: - types: [opened, synchronize, reopened] + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] schedule: - cron: '0 2 * * *' # daily at 02:00 UTC workflow_dispatch: concurrency: - group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }} + group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }} cancel-in-progress: true permissions: @@ -20,11 +19,13 @@ jobs: preview-history: name: Dry-run preview for history rewrite runs-on: ubuntu-latest + if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Debug git info run: | 
diff --git a/.github/workflows/e2e-tests-split.yml b/.github/workflows/e2e-tests-split.yml index 8a7a7b06..1dc4a191 100644 --- a/.github/workflows/e2e-tests-split.yml +++ b/.github/workflows/e2e-tests-split.yml @@ -16,23 +16,6 @@ on: workflow_run: workflows: ["Docker Build, Publish & Test"] types: [completed] - push: - - branches: [main, development, 'feature/**', 'hotfix/**'] - paths: - - 'frontend/**' - - 'backend/**' - - 'tests/**' - - 'playwright.config.js' - - '.github/workflows/e2e-tests-split.yml' - pull_request: - branches: [main, development, 'feature/**', 'hotfix/**'] - paths: - - 'frontend/**' - - 'backend/**' - - 'tests/**' - - 'playwright.config.js' - - '.github/workflows/e2e-tests-split.yml' workflow_dispatch: inputs: browser: @@ -67,7 +50,7 @@ env: CI_LOG_LEVEL: 'verbose' concurrency: - group: e2e-split-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: e2e-split-${{ github.workflow }}-${{ github.event.workflow_run.pull_requests[0].number || github.event.pull_request.number || github.event.workflow_run.head_branch || github.head_ref || github.ref_name }} cancel-in-progress: true jobs: @@ -75,11 +58,14 @@ jobs: build: name: Build Application runs-on: ubuntu-latest + if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} outputs: image_digest: ${{ steps.build-image.outputs.digest }} steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6 @@ -154,6 +140,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 
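Review bot: The new concurrency `group` keeps `github.event.pull_request.number` and `github.head_ref` as fallbacks, but this hunk removes the `pull_request` trigger, so those two terms can no longer be populated and only obscure the expression; `github.event.workflow_run.pull_requests[0].number || github.event.workflow_run.head_branch || github.ref_name` covers the remaining `workflow_run` and `workflow_dispatch` cases. Note that `workflow_run.pull_requests` is empty for pull requests from forks, so those runs key on `head_branch`, and with `cancel-in-progress: true` two forks using the same branch name cancel each other's e2e runs; if that matters, include `github.event.workflow_run.head_repository.full_name` in the group. The `build` job's gate on `conclusion == 'success'` alone has the fork-code point raised on the benchmark.yml hunk.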
@@ -312,6 +300,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 @@ -478,6 +468,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 @@ -656,6 +648,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 @@ -811,6 +805,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 @@ -974,6 +970,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 diff --git a/.github/workflows/history-rewrite-tests.yml b/.github/workflows/history-rewrite-tests.yml index 5f5506a9..ceca9d97 100644 --- a/.github/workflows/history-rewrite-tests.yml +++ b/.github/workflows/history-rewrite-tests.yml 
@@ -1,31 +1,24 @@ name: History Rewrite Tests on: - push: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' - pull_request: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] concurrency: - group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }} + group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }} cancel-in-progress: true jobs: test: runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout with full history uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Install dependencies run: | diff --git a/.github/workflows/propagate-changes.yml b/.github/workflows/propagate-changes.yml index 3831fa24..97c832d0 100644 --- a/.github/workflows/propagate-changes.yml +++ b/.github/workflows/propagate-changes.yml @@ -1,13 +1,13 @@ name: Propagate Changes Between Branches on: - push: - branches: - - main - - development + workflow_run: + workflows: ["Docker Build, Publish & Test"] + types: [completed] + branches: [ main, development ] concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }} cancel-in-progress: false env: 
@@ -22,7 +22,10 @@ jobs: propagate: name: Create PR to synchronize branches runs-on: ubuntu-latest - if: github.actor != 'github-actions[bot]' && github.event.pusher != null + if: >- + github.actor != 'github-actions[bot]' && + github.event.workflow_run.conclusion == 'success' && + (github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'development') steps: - name: Set up Node (for github-script) uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 
@@ -31,24 +34,27 @@ jobs: - name: Propagate Changes uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + env: + CURRENT_BRANCH: ${{ github.event.workflow_run.head_branch || github.ref_name }} + CURRENT_SHA: ${{ github.event.workflow_run.head_sha || github.sha }} with: script: | - const currentBranch = context.ref.replace('refs/heads/', ''); + const currentBranch = process.env.CURRENT_BRANCH || context.ref.replace('refs/heads/', ''); let excludedBranch = null; // Loop Prevention: Identify if this commit is from a merged PR try { - const associatedPRs = await github.rest.repos.listPullRequestsAssociatedWithCommit({ + const associatedPRs = await github.rest.repos.listPullRequestsAssociatedWithCommit({ owner: context.repo.owner, repo: context.repo.repo, - commit_sha: context.sha, + commit_sha: process.env.CURRENT_SHA || context.sha, }); // If the commit comes from a PR, we identify the source branch // so we don't try to merge changes back into it immediately. if (associatedPRs.data.length > 0) { excludedBranch = associatedPRs.data[0].head.ref; - core.info(`Commit ${context.sha} is associated with PR #${associatedPRs.data[0].number} coming from '${excludedBranch}'. This branch will be excluded from propagation to prevent loops.`); + core.info(`Commit ${process.env.CURRENT_SHA || context.sha} is associated with PR #${associatedPRs.data[0].number} coming from '${excludedBranch}'. This branch will be excluded from propagation to prevent loops.`); } } catch (err) { core.warning(`Failed to check associated PRs: ${err.message}`); @@ -197,6 +203,6 @@ jobs: await createPR('development', targetBranch); } } - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }} diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 15087c37..ed8b009a 100644 --- a/.github/workflows/quality-checks.yml 
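Review bot: `process.env.CURRENT_SHA || context.sha` is spelled out twice in this step (the `commit_sha:` argument and the `core.info` template) while the branch gets a hoisted `currentBranch` constant; hoist the SHA the same way, `const currentSha = process.env.CURRENT_SHA || context.sha;` next to `currentBranch`, then `commit_sha: currentSha` and `${currentSha}`. A comment on the `env:` block, `# head_sha/head_branch of the triggering run; context.sha and context.ref point at the default branch under workflow_run`, would explain why the env indirection exists, since the `context.*` fallbacks are only right for a non-workflow_run event. The trailing `env:` re-indentation at the end of the section is whitespace only.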
+++ b/.github/workflows/quality-checks.yml @@ -4,21 +4,9 @@ on: workflow_run: workflows: ["Docker Build, Publish & Test"] types: [completed] - push: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' - pull_request: - branches: - - main - - development - - 'feature/**' - - 'hotfix/**' concurrency: - group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref_name }} + group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }} cancel-in-progress: true permissions: @@ -34,8 +22,11 @@ jobs: backend-quality: name: Backend (Go) runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 @@ -75,7 +66,7 @@ jobs: echo '```' >> $GITHUB_STEP_SUMMARY fi - # Codecov upload moved to `codecov-upload.yml` which is push-only. + # Codecov upload moved to `codecov-upload.yml` (Docker Build-gated). - name: Run golangci-lint @@ -135,10 +126,12 @@ jobs: frontend-quality: name: Frontend (React) runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Repo health check run: | 
@@ -154,15 +147,24 @@ jobs: - name: Check if frontend was modified in PR id: check-frontend run: | - if [ "${{ github.event_name }}" = "push" ]; then + EVENT_NAME="${{ github.event.workflow_run.event || github.event_name }}" + BASE_REF="${{ github.event.workflow_run.pull_requests[0].base.ref || github.event.pull_request.base.ref }}" + + if [ "$EVENT_NAME" = "push" ]; then echo "frontend_changed=true" >> $GITHUB_OUTPUT exit 0 fi # Try to fetch the PR base ref. This may fail for forked PRs or other cases. - git fetch origin ${{ github.event.pull_request.base.ref }} --depth=1 || true + if [ -n "$BASE_REF" ]; then + git fetch origin "$BASE_REF" --depth=1 || true + fi # Compute changed files against the PR base ref, fallback to origin/main, then fallback to last 10 commits - CHANGED=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD 2>/dev/null || echo "") + if [ -n "$BASE_REF" ]; then + CHANGED=$(git diff --name-only "origin/${BASE_REF}"...HEAD 2>/dev/null || echo "") + else + CHANGED="" + fi echo "Changed files (base ref):\n$CHANGED" if [ -z "$CHANGED" ]; then @@ -186,13 +188,13 @@ jobs: - name: Install dependencies working-directory: frontend - if: ${{ github.event_name == 'push' || steps.check-frontend.outputs.frontend_changed == 'true' }} + if: ${{ github.event.workflow_run.event == 'push' || steps.check-frontend.outputs.frontend_changed == 'true' }} run: npm ci - name: Run frontend tests and coverage id: frontend-tests working-directory: ${{ github.workspace }} - if: ${{ github.event_name == 'push' || steps.check-frontend.outputs.frontend_changed == 'true' }} + if: ${{ github.event.workflow_run.event == 'push' || steps.check-frontend.outputs.frontend_changed == 'true' }} run: | bash scripts/frontend-test-coverage.sh 2>&1 | tee frontend/test-output.txt exit ${PIPESTATUS[0]} 
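Review bot: `EVENT_NAME="${{ … }}"` and `BASE_REF="${{ … }}"` interpolate expressions directly into the `run:` shell source, whereas the github-script steps changed in this same commit (docs-to-issues, propagate-changes) pass the equivalent values through `env:`; do the same here so the values reach the shell as environment variables rather than as code: `env:` / `EVENT_NAME: ${{ github.event.workflow_run.event || github.event_name }}` / `BASE_REF: ${{ github.event.workflow_run.pull_requests[0].base.ref || github.event.pull_request.base.ref }}` above `run:`, and drop the two assignments. The `github.event.pull_request.base.ref` fallback is dead now that the `pull_request` trigger is removed in the first hunk of this file, and `workflow_run.pull_requests` is empty for fork pull requests, so for those `BASE_REF` is empty and the base-ref diff is skipped in favour of the `origin/main` fallback described in the comment; a comment stating that, `# pull_requests is empty for fork PRs; BASE_REF is then empty and the fallbacks below apply`, would save the next reader the investigation.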
@@ -218,7 +220,7 @@ jobs: echo '```' >> $GITHUB_STEP_SUMMARY fi - # Codecov upload moved to `codecov-upload.yml` which is push-only. + # Codecov upload moved to `codecov-upload.yml` (Docker Build-gated). diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml index 3932cca7..d3acad45 100644 --- a/.github/workflows/security-pr.yml +++ b/.github/workflows/security-pr.yml @@ -9,10 +9,6 @@ on: types: - completed branches: [main, development, 'feature/**', 'hotfix/**'] - push: - branches: [main, development, 'feature/**', 'hotfix/**'] - pull_request: - branches: [main, development, 'feature/**', 'hotfix/**'] workflow_dispatch: inputs: @@ -33,8 +29,6 @@ jobs: # Run for: manual dispatch, PR builds, or any push builds from docker-build if: >- github.event_name == 'workflow_dispatch' || - github.event_name == 'push' || - github.event_name == 'pull_request' || ((github.event.workflow_run.event == 'pull_request' || github.event.workflow_run.event == 'push') && github.event.workflow_run.conclusion == 'success') @@ -48,6 +42,8 @@ jobs: - name: Checkout repository # actions/checkout v4.2.2 uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 + with: + ref: ${{ github.event.workflow_run.head_sha || github.sha }} - name: Extract PR number from workflow_run id: pr-info
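Review bot: The `if` keeps `github.event.workflow_run.event == 'pull_request'` as an accepted trigger while the following hunk adds `ref: ${{ github.event.workflow_run.head_sha || github.sha }}` to the checkout, so this job deliberately checks out pull-request head commits (fork ones included) inside a `workflow_run` job that carries repository secrets; a security scan does not need push credentials, so add `persist-credentials: false` to that `with:` block. The checkout here is pinned to `0c366fd6…` with a `# actions/checkout v4.2.2` comment while every other workflow in this commit pins `de0fac2e…` `# v6`; align the pin or document why this file stays behind. The checkout hunk appears to continue past the end of the visible diff, so the rest of that step is unreviewed here.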