Pin Kotlin for workflow script execution on CI

[leonard84]

Problem

The Kotlin versions preinstalled on the GitHub runner images (2.3.20 and newer) cannot execute our workflow scripts with the kotlin CLI: resolving extension functions from @file:Imported scripts is broken, see KT-86352. This breaks the check_yaml_consistency jobs and the regenerate-all-workflows job, which execute the *.main.kts scripts on the runner. Generation via Gradle is unaffected, as it uses the legacy scripting host.

Work-around

• Add a local composite action .github/actions/install-pinned-kotlin that downloads Kotlin 2.3.10 (last unaffected version), validates its sha256 against the official release checksum, and prepends it to the PATH.
• Run it before any workflow script execution on a runner: in the generated consistency check jobs via a shared commonConsistencyCheckJobConfig (which also centralizes the previously duplicated DEFAULT_CONSISTENCY_CHECK_JOB_CONFIG.copy(...) blocks), and in the check_all_workflow_yaml_consistency job.

Verified locally by executing the scripts with the pinned 2.3.10 CLI: no KT-86352 failure, and the output is byte-identical to the Gradle-generated YAML.

Revert plan

Revert this commit once KT-86352 is resolved and the runner images ship a fixed Kotlin version.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a composite action to install pinned Kotlin 2.3.10 (verified by SHA-256) and integrates that step into multiple workflow YAML-regeneration jobs while consolidating consistency-check job configuration into a shared commonConsistencyCheckJobConfig.

Changes

KT-86352 Kotlin Compiler Pinning and Workflow Configuration

Layer / File(s)	Summary
Pinned Kotlin installation action .github/actions/install-pinned-kotlin/action.yml	New composite GitHub Action that downloads Kotlin 2.3.10, verifies via pinned SHA-256 checksum, extracts to runner temp, and prepends kotlinc/bin to GITHUB_PATH.
Shared workflow configuration hub .github/workflows/common.main.kts	Adds imports for checkout version inference, defines InstallPinnedKotlin local action and installPinnedKotlin() job helper; updates commonConsistencyCheckJobConfig to infer checkoutActionVersion and include the pinned Kotlin step via additionalSteps.
Branches and PRs workflow integration .github/workflows/branches-and-prs.main.kts, .github/workflows/branches-and-prs.yaml	Switches to commonConsistencyCheckJobConfig, removes prior imports, and inserts the pinned Kotlin installation step before YAML regeneration in both consistency-check jobs.
CodeQL analysis workflow integration .github/workflows/codeql-analysis.main.kts, .github/workflows/codeql-analysis.yaml	Switches to commonConsistencyCheckJobConfig, removes prior imports, and inserts the pinned Kotlin installation step before YAML regeneration.
Docs PR workflow integration .github/workflows/docs-pr.main.kts, .github/workflows/docs-pr.yaml	Switches to commonConsistencyCheckJobConfig, removes prior imports, and inserts the pinned Kotlin installation step before YAML regeneration.
Release workflow integration .github/workflows/release.main.kts, .github/workflows/release.yaml	Switches to commonConsistencyCheckJobConfig, removes prior imports, and inserts the pinned Kotlin installation step before YAML regeneration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• spockframework/spock#2319: Modifies the same workflow consistency-check configuration wiring (checkoutActionVersion / InferFromClasspath) in the same set of workflows.

Suggested reviewers

• Vampire
• AndreasTu

Poem

🐰 I nibble logs and checksums under moonlight,
I pin Kotlin safe and snug, a tiny sight.
Workflows hum, YAMLs regenerate true,
With SHA-256 and a hop—CI says woohoo! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: pinning Kotlin for workflow script execution on CI, which directly addresses the KT-86352 issue affecting workflow script execution.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining the problem (KT-86352), the work-around implementation, verification steps, and revert plan.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 zizmor (1.25.2)

.github/workflows/codeql-analysis.yaml

INFO zizmor: 🌈 zizmor v1.25.2
fatal: no audit was performed
'template-injection' audit failed on file://.github/workflows/codeql-analysis.yaml

Caused by:
0: error in 'template-injection' audit
1: failed to locate subfeature 'Subfeature { after: 101, fragment: Regex(Regex("matrix\.variant\s+==\s+'5\.0'\s+\&\&\s+'11'\s+\|\|\s+'8'")) }' in feature ''./gradlew --stacktrace --no-build-cache testClasses "-Dvariant=${{ matrix.variant }}" "-DjavaVersion=${{ matrix.variant == ''5.0'' && ''11'' || ''8'' }}"''

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.18%. Comparing base (7313c19) to head (0ef6432).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master    #2373   +/-   ##
=========================================
  Coverage     82.18%   82.18%           
  Complexity     4832     4832           
=========================================
  Files           473      473           
  Lines         15051    15051           
  Branches       1912     1912           
=========================================
  Hits          12369    12369           
  Misses         1991     1991           
  Partials        691      691           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (1)

.github/actions/install-pinned-kotlin/action.yml (1)

15-15: ⚡ Quick win

Harden download step against transient network failures.

Line 15 currently performs a single curl attempt without retries/time bounds, so temporary GitHub/network hiccups can fail the whole consistency-check pipeline even though checksum validation is correct.

Proposed diff

-        curl --fail --silent --show-error --location --output "$RUNNER_TEMP/kotlin-compiler.zip" "https://github.com/JetBrains/kotlin/releases/download/v2.3.10/kotlin-compiler-2.3.10.zip"
+        curl --fail --silent --show-error --location \
+          --retry 5 --retry-all-errors --retry-delay 2 \
+          --connect-timeout 20 --max-time 300 \
+          --output "$RUNNER_TEMP/kotlin-compiler.zip" \
+          "https://github.com/JetBrains/kotlin/releases/download/v2.3.10/kotlin-compiler-2.3.10.zip"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/actions/install-pinned-kotlin/action.yml at line 15, Replace the
single, non-retriable curl invocation that writes to
"$RUNNER_TEMP/kotlin-compiler.zip" and fetches the kotlin-compiler URL with a
hardened download that retries transient failures and enforces timeouts: add
curl retry flags (e.g. --retry, --retry-delay, --retry-connrefused), a
per-request timeout (--max-time or --connect-timeout), and keep
--fail/--silent/--show-error/--location, or wrap curl in a small retry loop that
re-attempts the same command up to N times with exponential backoff and exits
non-zero if all attempts fail; target the existing curl invocation string to
implement this change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/actions/install-pinned-kotlin/action.yml:
- Line 15: Replace the single, non-retriable curl invocation that writes to
"$RUNNER_TEMP/kotlin-compiler.zip" and fetches the kotlin-compiler URL with a
hardened download that retries transient failures and enforces timeouts: add
curl retry flags (e.g. --retry, --retry-delay, --retry-connrefused), a
per-request timeout (--max-time or --connect-timeout), and keep
--fail/--silent/--show-error/--location, or wrap curl in a small retry loop that
re-attempts the same command up to N times with exponential backoff and exits
non-zero if all attempts fail; target the existing curl invocation string to
implement this change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 876b3388-31ba-4729-9c24-63ba47eb32b8

📥 Commits

Reviewing files that changed from the base of the PR and between 8be10cd and 0ef6432.

📒 Files selected for processing (10)

• .github/actions/install-pinned-kotlin/action.yml
• .github/workflows/branches-and-prs.main.kts
• .github/workflows/branches-and-prs.yaml
• .github/workflows/codeql-analysis.main.kts
• .github/workflows/codeql-analysis.yaml
• .github/workflows/common.main.kts
• .github/workflows/docs-pr.main.kts
• .github/workflows/docs-pr.yaml
• .github/workflows/release.main.kts
• .github/workflows/release.yaml

🚧 Files skipped from review as they are similar to previous changes (6)

• .github/workflows/codeql-analysis.yaml
• .github/workflows/common.main.kts
• .github/workflows/branches-and-prs.main.kts
• .github/workflows/docs-pr.yaml
• .github/workflows/release.main.kts
• .github/workflows/docs-pr.main.kts

[testlens-app]

🔎 No tests executed 🔎

🏷️ Commit: 0ef6432
▶️ Tests: 0 executed
⚪️ Checks: 33/33 completed

---

Learn more about TestLens at testlens.app.