feat(ci): add centralized reusable CI/CD workflows for the reqstool org #29
Merged
Conversation
Implements reqstool/reqstool.github.io#33.

Adds 10 reusable workflows organized by language under .github/workflows/:
- common/: check-release, release, release-preview, publish-to-docker
- java/: publish-to-maven, publish-to-gradle (target: portal|central)
- python/: publish-to-python, publish-to-python-test
- typescript/: publish-to-npm, publish-to-vscode

All publish workflows support a dry-run input for CI-safe validation without uploading to external registries.

release-preview.yml computes the next version via git-cliff and optionally cross-checks it against the calling repo's build tool via a version-command input.

Adds tests/ mirroring the workflow directory structure (1:1 file mapping) with act-compatible test workflows and JSON event fixtures for failure-path testing of check-release.yml.

Adds ci.yml that runs actionlint, zizmor, yamllint, and act-based behavioral tests on any change to .github/workflows/** or tests/**.

Adds .github/cliff.toml as the org-wide default changelog config.

Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
…typescript

Adds reusable build and lint workflows alongside the existing publish/release workflows, completing the org-wide CI/CD centralization.

New workflows:
- java/lint.yml — mvn clean validate; java-version input
- java/build-maven.yml — mvn clean verify; java-version input
- java/build-gradle.yml — ./gradlew clean build; java-version input
- python/lint.yml — black + flake8; package-manager: hatch|poetry input
- python/build-hatch.yml — hatch pytest + build; coverage-source input
- python/build-poetry.yml — poetry install + pytest + build; install-self-as-plugin input for plugin e2e tests
- typescript/lint.yml — npm ci + lint + format; node-version input
- typescript/build.yml — npm ci + test + build; use-xvfb and dependency-version/install-command inputs for VS Code extension builds

Adds 1:1 test files in tests/ for all new workflows (actionlint-validated; act execution requires a real project checkout so ci.yml skips act for build/lint tests).

Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
Centralizes the identical Antora build + GitHub Pages deploy workflows from reqstool-java-annotations and reqstool-java-maven-plugin. Inputs: node-version (default 24), antora-playbook (default docs/antora-playbook.yml). Callers pass permissions: pages: write, id-token: write. Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
- check-release: replace [[ != glob ]] with case statement (SC2193)
- release, release-preview, ci: group multiple >> redirects into { ... } >> file blocks (SC2129)
- build-poetry: replace ls dist/*.whl with find (SC2012)
- publish-to-vscode: replace ls *.vsix with find -maxdepth 1 (SC2012, SC2035)
Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
act was showing a Docker image selection prompt and receiving EOF when run non-interactively, causing all test jobs to fail. Pre-creating ~/.config/act/actrc with node:20-bullseye-slim (sufficient for shell-only workflows) resolves this. Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
act's --input flag only works for workflow_dispatch events; for workflow_call the inputs must be embedded in the event JSON payload under an 'inputs' key. Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
act does not propagate with: inputs into nested workflow_call, causing false failures. release-preview also uses curl which is absent from the micro image. Both are validated by actionlint; end-to-end testing happens in the per-repo migration PRs. Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
…mat script Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
Addresses CodeQL findings — all jobs only read the repository, so contents: read is the correct minimal permission. Signed-off-by: Jimisola Laursen <jimisola@jimisola.com>
Summary
Implements reqstool/reqstool.github.io#33 — centralize all GitHub Actions CI/CD workflows so individual repos only maintain thin callers.
Adds 15 reusable workflows organized by language under `.github/workflows/`:

- `common/`
  - `check-release` — validates tag format (semver|pep440|maven) and release branch constraint (`main`, `hotfix/*`, `release/*`)
  - `release` — validates version, generates changelog via git-cliff, creates draft GitHub Release; `dry-run` input for safe testing
  - `release-preview` — read-only workflow_dispatch preview: next version, draft notes, commit list, optional build-tool version cross-check
  - `publish-to-docker` — registry-agnostic GHCR publish with semver tag matrix; `dry-run` builds without pushing
  - `publish-to-github-pages` — Antora build + GitHub Pages deploy
- `java/`
  - `lint` — `mvn clean validate`
  - `build-maven` — `mvn clean verify`
  - `build-gradle` — `./gradlew clean build`
  - `publish-to-maven` — Maven Central with GPG signing; `dry-run` runs `mvn package` only
  - `publish-to-gradle` — Gradle Plugin Portal or Maven Central via `target: portal|central` input; `dry-run` runs `./gradlew build`
- `python/`
  - `lint` — black + flake8; `package-manager: hatch|poetry` input
  - `build-hatch` — hatch pytest + build; `coverage-source` input
  - `build-poetry` — poetry pytest + build; `install-self-as-plugin` input for plugin e2e tests
  - `publish-to-python` — PyPI via OIDC trusted publishing, `attestations: true`; `dry-run` runs twine check
  - `publish-to-python-test` — Test PyPI; `dry-run` runs twine check
- `typescript/`
  - `lint` — `npm run lint` + `npm run format`
  - `build` — npm test + build; `use-xvfb` input for VS Code extension tests; `dependency-version`/`dependency-install-command` inputs for bundled tool pinning
  - `publish-to-npm` — scoped npm publish; `dry-run` uses `--dry-run`
  - `publish-to-vscode` — Open VSX Registry via HaaLeo action; `dry-run` mode; generic `dependency-version`/`dependency-name` inputs

Also adds:

- `.github/cliff.toml` — org-wide default changelog config (per-repo overrides via `cliff-config` input)
- `tests/` — 1:1 mirror of workflow directory with act-compatible test workflows and JSON event fixtures for failure-path testing of `check-release`
- `ci.yml` — runs `actionlint`, `zizmor`, `yamllint`, and `act`-based behavioral tests on any change to `.github/workflows/**` or `tests/**`

Closes reqstool/reqstool.github.io#33 (Phase 1 — centralized workflows)
Test plan
- `ci.yml` triggers on this PR and passes lint + check-release matrix
- `reqstool-vscode` migration PR as first end-to-end smoke test
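The two gates the summary attributes to `check-release` (tag format per version scheme, and the `main`/`hotfix/*`/`release/*` branch constraint), written the way the shellcheck-fix commit in this PR describes, with `case` patterns instead of `[[ != glob ]]`. This is an added example, not the project's `check-release.yml`: the version regexes are simplified assumptions (an optional leading `v` is tolerated, a Maven `-SNAPSHOT` is refused, PEP 440 epochs and local versions are not handled), and tag and branch are taken as plain arguments because the page does not say how the workflow obtains the branch for a tag push.

```shell
#!/bin/sh
# Added example (not reqstool's own check-release.yml): a portable sketch of
# the two checks that workflow is described as enforcing. All pattern matching
# is done with `case` rather than `[[ != glob ]]` (shellcheck SC2193), so the
# script runs under plain sh. The regexes below are simplified assumptions.

# Strip the refs/heads/ or refs/tags/ prefix GitHub puts in GITHUB_REF.
ref_name() {
  r=$1
  r=${r#refs/heads/}
  r=${r#refs/tags/}
  printf '%s\n' "$r"
}

# validate_tag TAG SCHEME -> 0 if TAG is a release version under SCHEME
# (semver|pep440|maven); 2 for an unknown scheme. Leading "v" is tolerated.
validate_tag() {
  tag=$1
  scheme=$2
  case "$scheme" in
    semver)
      # MAJOR.MINOR.PATCH with optional -prerelease and +build (simplified)
      printf '%s\n' "$tag" \
        | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
      ;;
    pep440)
      # release segment, optional a/b/rc, .post and .dev parts (no epoch/local)
      printf '%s\n' "$tag" \
        | grep -Eq '^v?[0-9]+(\.[0-9]+)*((a|b|rc)[0-9]+)?(\.post[0-9]+)?(\.dev[0-9]+)?$'
      ;;
    maven)
      # Assumption: a -SNAPSHOT is never a release, so refuse it outright.
      case "$tag" in *-SNAPSHOT) return 1 ;; esac
      printf '%s\n' "$tag" \
        | grep -Eq '^v?[0-9]+(\.[0-9]+){0,2}(-[0-9A-Za-z]+)?$'
      ;;
    *)
      echo "check-release: unknown version scheme '$scheme'" >&2
      return 2
      ;;
  esac
}

# validate_branch BRANCH -> 0 only for main, hotfix/* or release/*.
# `*` in a case pattern also matches "/", so hotfix/2026/x is accepted, the
# same as a glob inside [[ ]] would do; "maintenance" does not match "main".
validate_branch() {
  case "$1" in
    main|hotfix/*|release/*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_release TAG SCHEME BRANCH -> 0 if both gates pass. Every failure is
# reported, not only the first, so one run shows all problems.
check_release() {
  tag=$(ref_name "$1")
  scheme=$2
  branch=$(ref_name "$3")
  status=0
  if ! validate_tag "$tag" "$scheme"; then
    echo "check-release: tag '$tag' is not a valid $scheme release version" >&2
    status=1
  fi
  if ! validate_branch "$branch"; then
    echo "check-release: '$branch' is not a release branch (main, hotfix/*, release/*)" >&2
    status=1
  fi
  return "$status"
}

# Usage: sh check-release.sh <tag> <semver|pep440|maven> <branch>
# e.g.   sh check-release.sh refs/tags/v1.4.0 semver refs/heads/main
if [ $# -eq 3 ]; then
  check_release "$@"
fi
```

One caveat for callers: on a tag-push event `GITHUB_REF` names the tag, not a branch, so the branch the tag sits on has to be supplied separately (for example by the thin caller workflow); the page does not say how `check-release` obtains it, which is why the script takes it as an argument.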