Skip to content

chore(workflows): adopt centralized stubs from petry-projects/.github#93

Merged
don-petry merged 1 commit into
mainfrom
chore/adopt-centralized-workflow-stubs
Apr 8, 2026
Merged

chore(workflows): adopt centralized stubs from petry-projects/.github#93
don-petry merged 1 commit into
mainfrom
chore/adopt-centralized-workflow-stubs

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Summary

Replaces inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to the org-level reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1.

Why

Future updates to the standard propagate automatically without per-repo PRs, and drift is caught by the org-wide compliance audit (petry-projects/.github#89).

See petry-projects/.github#87 (build reusables), petry-projects/.github#88 (pin to v1, document tier model), petry-projects/.github#89 (audit drift detection).

Test plan

  • actionlint clean
  • CI on this branch — workflows should run via the reusables exactly as before

🤖 Generated with Claude Code

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 8, 2026 03:41
@coderabbitai

coderabbitai Bot commented Apr 8, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 35 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 35 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3fb844c4-7595-4606-97cb-e943a7858971

📥 Commits

Reviewing files that changed from the base of the PR and between 8f3c67a and 93bbf3f.

📒 Files selected for processing (5)
  • .github/workflows/claude.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/dependabot-rebase.yml
  • .github/workflows/dependency-audit.yml
  • .github/workflows/feature-ideation.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/adopt-centralized-workflow-stubs

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

sonarqubecloud Bot commented Apr 8, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
7 Security Hotspots

See analysis details on SonarQube Cloud

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates this repo’s GitHub Actions workflows to be “thin caller stubs” that delegate to the organization’s centralized reusable workflows in petry-projects/.github (pinned at @v1), reducing workflow drift and making future updates propagate automatically.

Changes:

  • Replace inline workflow implementations with uses: petry-projects/.github/.github/workflows/*-reusable.yml@v1 caller stubs.
  • Standardize workflow headers/instructions and align callers with the org-level workflow standards.
  • Simplify workflow logic in-repo (dependency audit + Dependabot automation now fully delegated).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.github/workflows/feature-ideation.yml Converts to thin caller stub for org reusable; updates inputs and adds repo-specific project_context hook.
.github/workflows/dependency-audit.yml Replaces in-repo ecosystem detection/audit jobs with a single reusable-workflow call.
.github/workflows/dependabot-rebase.yml Delegates Dependabot “update and merge” serialization to org reusable workflow.
.github/workflows/dependabot-automerge.yml Delegates Dependabot auto-approve/auto-merge logic to org reusable workflow.
.github/workflows/claude.yml Pins Claude Code workflow to org reusable at @v1 and documents required secrets.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +85 to +87
TODO: Replace this with a description of the project and its market.
Example: "ProjectX is a [type of product] for [target user]. Competitors
include A, B, C. Key emerging trends in this space: X, Y, Z."

Copilot AI Apr 8, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

project_context is currently a TODO/example placeholder. As-is, the scheduled ideation run will generate generic/incorrect proposals for this repository. Replace this placeholder with this repo’s actual project context (you can likely restore the previous Broodly description) so the reusable workflow has meaningful input.

Suggested change
TODO: Replace this with a description of the project and its market.
Example: "ProjectX is a [type of product] for [target user]. Competitors
include A, B, C. Key emerging trends in this space: X, Y, Z."
Broodly is a product and engineering platform focused on helping teams design, build, and ship modern web applications with strong automation, maintainability, and developer experience.
Its primary users are founders, product teams, and software engineers who want to move quickly without sacrificing quality, documentation, or delivery discipline.
Research should consider competitors and adjacent solutions such as GitHub-native engineering workflows, AI-assisted developer tooling, low-code/internal platform tools, and modern SaaS product-building frameworks.
Mary should look for opportunities around AI-enabled product ideation, planning, implementation workflows, collaboration, and repository-driven automation that would make Broodly more differentiated and useful.

Copilot uses AI. Check for mistakes.
Comment on lines 16 to +33
@@ -20,199 +29,5 @@ permissions:
contents: read

jobs:
detect:
name: Detect ecosystems
runs-on: ubuntu-latest
outputs:
npm: ${{ steps.check.outputs.npm }}
pnpm: ${{ steps.check.outputs.pnpm }}
gomod: ${{ steps.check.outputs.gomod }}
cargo: ${{ steps.check.outputs.cargo }}
pip: ${{ steps.check.outputs.pip }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Detect package ecosystems
id: check
run: |
# npm — look for package-lock.json anywhere (excluding node_modules)
if find . -name 'package-lock.json' -not -path '*/node_modules/*' | grep -q .; then
echo "npm=true" >> "$GITHUB_OUTPUT"
else
echo "npm=false" >> "$GITHUB_OUTPUT"
fi

# pnpm — look for pnpm-lock.yaml anywhere
if find . -name 'pnpm-lock.yaml' -not -path '*/node_modules/*' | grep -q .; then
echo "pnpm=true" >> "$GITHUB_OUTPUT"
else
echo "pnpm=false" >> "$GITHUB_OUTPUT"
fi

# Go modules — detect via go.mod (not go.sum, which may not exist)
if find . -name 'go.mod' -not -path '*/vendor/*' | grep -q .; then
echo "gomod=true" >> "$GITHUB_OUTPUT"
else
echo "gomod=false" >> "$GITHUB_OUTPUT"
fi

# Cargo — detect via Cargo.toml anywhere (lockfile may not exist for libraries)
if find . -name 'Cargo.toml' -not -path '*/target/*' | grep -q .; then
echo "cargo=true" >> "$GITHUB_OUTPUT"
else
echo "cargo=false" >> "$GITHUB_OUTPUT"
fi

# Python — detect pyproject.toml or requirements.txt anywhere
if find . -name 'pyproject.toml' -not -path '*/.venv/*' -not -path '*/venv/*' | grep -q . || \
find . -name 'requirements.txt' -not -path '*/.venv/*' -not -path '*/venv/*' | grep -q .; then
echo "pip=true" >> "$GITHUB_OUTPUT"
else
echo "pip=false" >> "$GITHUB_OUTPUT"
fi

audit-npm:
name: npm audit
needs: detect
if: needs.detect.outputs.npm == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "lts/*"

- name: Audit npm dependencies
run: |
# Audit each package-lock.json found in the repo
status=0
while IFS= read -r dir; do
echo "::group::npm audit $dir"
if ! (cd "$dir" && npm audit --audit-level=low); then
status=1
fi
echo "::endgroup::"
done < <(find . -name 'package-lock.json' -not -path '*/node_modules/*' -exec dirname {} \;)
exit $status

audit-pnpm:
name: pnpm audit
needs: detect
if: needs.detect.outputs.pnpm == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "lts/*"

- name: Audit pnpm dependencies
run: |
# Audit each pnpm-lock.yaml found in the repo
status=0
while IFS= read -r dir; do
echo "::group::pnpm audit $dir"
if ! (cd "$dir" && pnpm audit --audit-level low); then
status=1
fi
echo "::endgroup::"
done < <(find . -name 'pnpm-lock.yaml' -not -path '*/node_modules/*' -exec dirname {} \;)
exit $status

audit-go:
name: govulncheck
needs: detect
if: needs.detect.outputs.gomod == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
with:
go-version: "stable"

- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

- name: Audit Go dependencies
run: |
status=0
while IFS= read -r dir; do
echo "::group::govulncheck $dir"
if ! (cd "$dir" && govulncheck ./...); then
status=1
fi
echo "::endgroup::"
done < <(find . -name 'go.mod' -not -path '*/vendor/*' -exec dirname {} \;)
exit $status

audit-cargo:
name: cargo audit
needs: detect
if: needs.detect.outputs.cargo == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install Rust stable toolchain
run: rustup toolchain install stable --profile minimal

- name: Install cargo-audit
run: cargo install cargo-audit@0.22.1 --locked

- name: Audit Cargo dependencies
run: |
# cargo audit operates on Cargo.lock at workspace root
# For workspaces, a single audit at root covers all crates
status=0
while IFS= read -r dir; do
echo "::group::cargo audit $dir"
if ! (cd "$dir" && cargo generate-lockfile 2>/dev/null; cargo audit); then
status=1
fi
echo "::endgroup::"
done < <(find . -name 'Cargo.toml' -not -path '*/target/*' -exec dirname {} \; | sort -u)
exit $status

audit-pip:
name: pip-audit
needs: detect
if: needs.detect.outputs.pip == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.x"

- name: Install pip-audit
run: pip install pip-audit==2.9.0

- name: Audit Python dependencies
run: |
status=0
# Audit each Python project found in the repo
while IFS= read -r dir; do
echo "::group::pip-audit $dir"
if [ -f "$dir/pyproject.toml" ]; then
if ! pip-audit "$dir"; then
status=1
fi
elif [ -f "$dir/requirements.txt" ]; then
if ! pip-audit -r "$dir/requirements.txt"; then
status=1
fi
fi
echo "::endgroup::"
done < <(
{
find . -name 'pyproject.toml' -not -path '*/.venv/*' -not -path '*/venv/*' -exec dirname {} \;
find . -name 'requirements.txt' -not -path '*/.venv/*' -not -path '*/venv/*' -exec dirname {} \;
} | sort -u
)
exit $status
dependency-audit:
uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

Copilot AI Apr 8, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header comment says to add the required status check dependency-audit / Detect ecosystems, but this thin-caller job doesn’t set name: Detect ecosystems (it will show as Dependency audit / dependency-audit). Either set the job name to match the documented required check (and any existing branch protection), or update the documentation to reflect the actual check name produced by this workflow.

Copilot uses AI. Check for mistakes.
# Copy to .github/workflows/dependency-audit.yml
# ─────────────────────────────────────────────────────────────────────────────
# SOURCE OF TRUTH: petry-projects/.github/standards/workflows/dependency-audit.yml
# Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-auditym

Copilot AI Apr 8, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The standards link anchor looks truncated: it ends with ...dependency-auditym (missing the trailing l), so the reference likely 404s. Update the anchor to the correct ...#5-dependency-audit-dependency-audityml.

Suggested change
# Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-auditym
# Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-audityml

Copilot uses AI. Check for mistakes.
@don-petry don-petry merged commit 4765926 into main Apr 8, 2026
19 of 22 checks passed
@don-petry don-petry deleted the chore/adopt-centralized-workflow-stubs branch April 8, 2026 03:46
don-petry added a commit that referenced this pull request Jun 18, 2026
…#93)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 19, 2026
…#93)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 21, 2026
…#93)

Replace inline copies of standardized workflows with the canonical
thin caller stubs from petry-projects/.github/standards/workflows/.
Each stub delegates to a versioned reusable workflow at
petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so
future updates to the standard propagate automatically and drift is
caught by the org-wide compliance audit.

See petry-projects/.github#87, #88, #89 for context.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants