ci: enhance GitHub Actions workflows with security and performance improvements #24
…provements

Add comprehensive workflow enhancements across all 11 GitHub Actions workflows:

Security improvements:
- Add input sanitization to coverage comment script
- Add security validation for fork PR workflows
- Implement proper error handling across all workflows

Performance improvements:
- Add concurrency controls to prevent queue backlog and save CI minutes
- Add pip/npm caching for faster builds
- Remove redundant inline chmod commands (rely on git-tracked executable bits)

Maintainability improvements:
- Add coverage-comment.yml demonstrating fork PR coverage pattern
- Add comprehensive workflow documentation (README.md) with all 11 workflows
- Add GitHub step summaries for better Actions UI experience
- Add timeout-minutes to all jobs for safety
- Expand E2E test path filters to catch all .github/scripts changes

Files changed:
- New: .github/workflows/coverage-comment.yml (fork PR coverage pattern)
- New: .github/workflows/README.md (comprehensive workflow docs)
- New: .github/scripts/generate_coverage_comment.py (secure coverage comments)
- Modified: All 10 existing workflows with concurrency, timeouts, caching

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Chris Hambridge <chambrid@redhat.com>
Address 3 failing workflows identified in PR feedback:
- ci.yml: Add --system flag to uv pip install for repomap validation (fixes externally-managed-environment error in GitHub Actions runner)
- pr-review.yml: Fix grep exit codes with proper error handling (resolves failures with set -euo pipefail when grep finds no matches)
- validate.yml: Remove npm cache option (no package-lock.json exists for global npm package installation)

These changes ensure CI workflows execute successfully in GitHub Actions environment while maintaining proper error handling and bash strict mode.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Chris Hambridge <chambrid@redhat.com>
Add comprehensive inline documentation for customizing CodeQL workflow in template repository context. Users need clear guidance on adapting security scanning for their specific language stacks.

Changes:
- Add inline customization guide to security.yml with 3-step process
- Document all supported CodeQL languages (10 languages)
- Explain continue-on-error usage for templates vs production apps
- Add 'TEMPLATE:' markers for user customization points
- Create new 'CodeQL Customization Pattern' section in workflows README
- Include example configurations for common tech stacks (FastAPI, React+Node, etc.)
- Add path filter customization guidance for different languages
- Document common CodeQL troubleshooting scenarios

Fixes CodeQL JavaScript failure while preserving template value for projects that DO use JavaScript/TypeScript.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Chris Hambridge <chambrid@redhat.com>
Fix multiple CI failures:

1. PR Auto-Review (fork PR support):
   - Change trigger from pull_request to pull_request_target
   - Enables posting comments on PRs from forks
   - Secure: fetches PR branch without checking out (no code execution)
   - Uses pr-branch ref for git diff analysis
   - Adds explicit --repo flag to gh commands
   - Fixes 'Resource not accessible by integration' error

2. Markdown linting (workflows README.md):
   - Change bold text to proper h5 headings (Steps 1,2,3)
   - Add blank lines around fenced code blocks
   - Rename duplicate 'Common Issues' to 'Troubleshooting CodeQL'
   - Fixes MD036, MD031, MD024 errors

3. Repomap validation:
   - Update .repomap.txt with new files from workflow enhancements
   - Includes generate_coverage_comment.py, update-repomap.sh
   - Includes src/core/security.py and tests/ structure

Fixes:
- auto-review workflow (fork PR permissions)
- lint-markdown workflow (7 linting errors)
- repomap-validation workflow (outdated map)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Chris Hambridge <chambrid@redhat.com>
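The fork-safe review pattern from the commit above (pull_request_target, PR head fetched as a ref but never checked out, explicit --repo on gh) together with the earlier grep exit-code fix under `set -euo pipefail`, as an added example workflow that is not the project's own pr-review.yml; the ref name `pr-branch`, the `^\.github/` pattern and the comment text are assumptions.

```yaml
# Added example (not the project's own workflow): fork-safe PR review with
# pull_request_target. The ref name "pr-branch" and the grep pattern are assumptions.
name: PR Auto-Review (fork-safe)

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: reading the repo and writing PR comments is all this job needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # pull_request_target checks out the BASE branch, so the workflow and any
      # scripts it runs come from trusted code, not from the fork.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so HEAD...pr-branch can find the merge base
      # Fetch the PR head as a ref only: nothing from the fork is checked out or
      # executed; the diff is read from git objects, not from a working tree.
      - name: Fetch PR head without checkout
        run: git fetch --no-tags origin "pull/${PR_NUMBER}/head:pr-branch"
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
      # Under `set -euo pipefail`, grep exits 1 when nothing matches and would
      # abort the step; `|| true` keeps the "0" that grep -c already printed.
      - name: Analyse diff
        id: analyse
        shell: bash
        run: |
          set -euo pipefail
          changed="$(git diff --name-only HEAD...pr-branch)"
          n="$(printf '%s\n' "$changed" | grep -c '^\.github/' || true)"
          echo "workflow_changes=${n}" >> "$GITHUB_OUTPUT"
      # Untrusted PR fields reach the shell only through env vars (never inline
      # ${{ }} in the script), and gh is given the repo explicitly.
      - name: Comment on PR
        if: steps.analyse.outputs.workflow_changes != '0'
        run: gh pr comment "$PR_NUMBER" --repo "$REPO" --body "$BODY"
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
          BODY: "Heads-up: ${{ steps.analyse.outputs.workflow_changes }} file(s) under .github/ changed in this PR."
```

The important invariant is that no step ever runs code from `pr-branch`: it is only ever an argument to `git diff`, which is why the write-capable token of pull_request_target is safe to use here.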
```yaml
codeql:
  continue-on-error: true  # Allows workflow to succeed even if language has no code
```
like test repos or config repos.
.github/workflows/README.md (Outdated)
#### Customization for YOUR Project
**Step 1: Update Language Matrix**
linter is upset, please have that resolved
this repo needs to have its own setup https://github.com/ambient-code/reference/actions/runs/21215510424/job/61035381538?pr=24