From f058d7cd440405ae149b6e792b73d125c28cc193 Mon Sep 17 00:00:00 2001
From: Bruno Borges
Date: Fri, 20 Feb 2026 16:03:07 -0800
Subject: [PATCH] Combine workflow CI checks into single multi-job workflow

Merges the two separate action workflows (block-workflow-yaml.yml and validate-agentic-workflows.yml) into a single validate-agentic-workflows-pr.yml with two jobs: check-forbidden-files runs first, then compile-workflows runs only if the file check passes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/block-workflow-yaml.yml | 64 ---------
 .../validate-agentic-workflows-pr.yml | 125 ++++++++++++++++++
 .../workflows/validate-agentic-workflows.yml | 71 ----------
 3 files changed, 125 insertions(+), 135 deletions(-)
 delete mode 100644 .github/workflows/block-workflow-yaml.yml
 create mode 100644 .github/workflows/validate-agentic-workflows-pr.yml
 delete mode 100644 .github/workflows/validate-agentic-workflows.yml
diff --git a/.github/workflows/block-workflow-yaml.yml b/.github/workflows/block-workflow-yaml.yml
deleted file mode 100644
index 25844308..00000000
--- a/.github/workflows/block-workflow-yaml.yml
+++ /dev/null
@@ -1,64 +0,0 @@ -name: Block Forbidden Workflow Contribution Files - -on: - pull_request: - branches: [staged] - types: [opened, synchronize, reopened] - paths: - - "workflows/**" - -permissions: - contents: read - pull-requests: write - -jobs: - check-forbidden-files: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Check for forbidden files in workflows/ - id: check - run: | - # Check for YAML/lock files in workflows/ and any .github/ modifications - forbidden=$(git diff --name-only --diff-filter=ACM origin/${{ github.base_ref }}...HEAD -- \ - 'workflows/**/*.yml' \ - 'workflows/**/*.yaml' \ - 'workflows/**/*.lock.yml' \ - '.github/*' \ - '.github/**') - - if [ -n "$forbidden" ]; then - echo "❌ Forbidden files detected:" - echo "$forbidden" - echo "files<> "$GITHUB_OUTPUT" - echo "$forbidden" >> "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" - exit 1 - else - echo "✅ No forbidden files found in workflows/" - fi - - - name: Comment on PR - if: failure() - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: workflow-forbidden-files - message: | - ## 🚫 Forbidden files in `workflows/` - - Only `.md` markdown files are accepted in the `workflows/` directory. The following are **not allowed**: - - Compiled workflow files (`.yml`, `.yaml`, `.lock.yml`) — could contain untrusted Actions code - - `.github/` modifications — workflow contributions must not modify repository configuration - - **Files that must be removed:** - ``` - ${{ steps.check.outputs.files }} - ``` - - Contributors provide the workflow **source** (`.md`) only. Compilation happens downstream via `gh aw compile`. - - Please remove these files and push again. diff --git a/.github/workflows/validate-agentic-workflows-pr.yml b/.github/workflows/validate-agentic-workflows-pr.yml new file mode 100644 index 00000000..5f5ff281 --- /dev/null +++ b/.github/workflows/validate-agentic-workflows-pr.yml 
@@ -0,0 +1,125 @@ +name: Validate Agentic Workflow Contributions + +on: + pull_request: + branches: [staged] + types: [opened, synchronize, reopened] + paths: + - "workflows/**" + +permissions: + contents: read + pull-requests: write + +jobs: + check-forbidden-files: + name: Block forbidden files + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check for forbidden files + id: check + run: | + # Check for YAML/lock files in workflows/ and any .github/ modifications + forbidden=$(git diff --name-only --diff-filter=ACM origin/${{ github.base_ref }}...HEAD -- \ + 'workflows/**/*.yml' \ + 'workflows/**/*.yaml' \ + 'workflows/**/*.lock.yml' \ + '.github/*' \ + '.github/**') + + if [ -n "$forbidden" ]; then + echo "❌ Forbidden files detected:" + echo "$forbidden" + echo "files<> "$GITHUB_OUTPUT" + echo "$forbidden" >> "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + exit 1 + else + echo "✅ No forbidden files found" + fi + + - name: Comment on PR + if: failure() + uses: marocchino/sticky-pull-request-comment@v2 + with: + header: workflow-forbidden-files + message: | + ## 🚫 Forbidden files in `workflows/` + + Only `.md` markdown files are accepted in the `workflows/` directory. The following are **not allowed**: + - Compiled workflow files (`.yml`, `.yaml`, `.lock.yml`) — could contain untrusted Actions code + - `.github/` modifications — workflow contributions must not modify repository configuration + + **Files that must be removed:** + ``` + ${{ steps.check.outputs.files }} + ``` + + Contributors provide the workflow **source** (`.md`) only. Compilation happens downstream via `gh aw compile`. + + Please remove these files and push again. 
+ + compile-workflows: + name: Compile and validate + needs: check-forbidden-files + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install gh-aw CLI + uses: github/gh-aw/actions/setup-cli@main + + - name: Compile workflow files + id: compile + run: | + exit_code=0 + found=0 + + # Find all .md files directly in workflows/ + for workflow_file in workflows/*.md; do + [ -f "$workflow_file" ] || continue + + found=$((found + 1)) + echo "::group::Compiling $workflow_file" + if gh aw compile --validate "$workflow_file"; then + echo "✅ $workflow_file compiled successfully" + else + echo "❌ $workflow_file failed to compile" + exit_code=1 + fi + echo "::endgroup::" + done + + if [ "$found" -eq 0 ]; then + echo "No workflow .md files found to validate." + else + echo "Validated $found workflow file(s)." + fi + + echo "status=$( [ $exit_code -eq 0 ] && echo success || echo failure )" >> "$GITHUB_OUTPUT" + exit $exit_code + + - name: Comment on PR if compilation failed + if: failure() + uses: marocchino/sticky-pull-request-comment@v2 + with: + header: workflow-validation + message: | + ## ❌ Agentic Workflow compilation failed + + One or more workflow files in `workflows/` failed to compile with `gh aw compile --validate`. + + Please fix the errors and push again. You can test locally with: + + ```bash + gh extension install github/gh-aw + gh aw compile --validate .md + ``` + + See the [Agentic Workflows documentation](https://github.github.com/gh-aw) for help. diff --git a/.github/workflows/validate-agentic-workflows.yml b/.github/workflows/validate-agentic-workflows.yml deleted file mode 100644 index 9cdab41d..00000000 --- a/.github/workflows/validate-agentic-workflows.yml +++ /dev/null 
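Review bot: The `Check for forbidden files` step in `check-forbidden-files` runs `git diff` with `--diff-filter=ACM`, so deletions and renames are never listed — a PR that deletes or renames a file under `.github/` passes the gate even though the comment text says `.github/` modifications are not allowed; dropping the filter, or using `--diff-filter=ACDMRT`, closes that gap. I also believe a git pathspec without `:(glob)` magic treats `**` as an ordinary `*`, so `'workflows/**/*.yml'` would require a subdirectory and not match a top-level `workflows/foo.yml`, which is exactly the depth the compile job iterates for `.md` sources; `':(glob)workflows/**/*.yml'` or simply `'workflows/*.yml'` (git's `*` matches `/`) would cover both depths, and this is worth confirming on a test branch before merging. Separately, `github/gh-aw/actions/setup-cli@main` in `compile-workflows` resolves a mutable branch on every contributor PR; pinning it (and `marocchino/sticky-pull-request-comment@v2`) to a full commit SHA keeps the toolchain that compiles untrusted workflow sources reproducible. Note also that on `pull_request` runs from forks the token is read-only, so the `pull-requests: write` sticky-comment steps will fail silently for those PRs — a comment such as `# sticky comment only works for same-repo PRs; fork PRs still fail the job` above each `Comment on PR` step would save a future reader the surprise.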
@@ -1,71 +0,0 @@ -name: Validate Agentic Workflows - -on: - pull_request: - branches: [staged] - types: [opened, synchronize, reopened] - paths: - - "workflows/**" - -permissions: - contents: read - pull-requests: write - -jobs: - validate-workflows: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install gh-aw CLI - uses: github/gh-aw/actions/setup-cli@main - - - name: Find and compile workflow files - id: compile - run: | - exit_code=0 - found=0 - - # Find all .md files directly in workflows/ - for workflow_file in workflows/*.md; do - [ -f "$workflow_file" ] || continue - - found=$((found + 1)) - echo "::group::Compiling $workflow_file" - if gh aw compile --validate "$workflow_file"; then - echo "✅ $workflow_file compiled successfully" - else - echo "❌ $workflow_file failed to compile" - exit_code=1 - fi - echo "::endgroup::" - done - - if [ "$found" -eq 0 ]; then - echo "No workflow .md files found to validate." - else - echo "Validated $found workflow file(s)." - fi - - echo "status=$( [ $exit_code -eq 0 ] && echo success || echo failure )" >> "$GITHUB_OUTPUT" - exit $exit_code - - - name: Comment on PR if compilation failed - if: failure() - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: workflow-validation - message: | - ## ❌ Agentic Workflow compilation failed - - One or more workflow files in `workflows/` failed to compile with `gh aw compile --validate`. - - Please fix the errors and push again. You can test locally with: - - ```bash - gh extension install github/gh-aw - gh aw compile --validate .md - ``` - - See the [Agentic Workflows documentation](https://github.github.com/gh-aw) for help.