Skip to content

CI CD Workflows

BenJule edited this page May 31, 2026 · 2 revisions

CI/CD Workflows

All workflow files live in .github/workflows/. This page documents every workflow — what triggers it, what it does, and what it produces.


Overview

Pull Request ──► ci-pull-request.yml  (Debian + Fedora build)
                 security-*.yml       (CodeQL, Scorecard, Dependency Review)
                 automation-*.yml     (labels, release notes, project)

master push  ──► (no build — only tag pushes trigger release)

Nightly      ──► cd-nightly.yml       (02:00 UTC, all platforms)
                 └── cd-packages.yml  (reusable)
                 └── _build-core.yml  (reusable)

Release tag  ──► cd-release.yml       (all platforms + deploy)
                 └── cd-packages.yml
                 └── cd-deploy-*.yml  (APT, AUR, Homebrew, winget, Flatpak)

CI Workflows (Pull Requests)

ci-pull-request.yml — PR Build

Trigger: Every pull request to master

Jobs:

Job Name Runner Output
detect Detect affected platforms ubuntu-24.04 platform matrix
build_debian Linux / Debian trixie .deb ubuntu-24.04 + debian:trixie container .deb artifact
build_fedora Linux / Fedora 42 .rpm ubuntu-24.04 + fedora:42 container .rpm artifact

Required for merge: Detect affected platforms and Linux / Debian trixie .deb must pass.

Artifact naming: BambuStudio_debian-trixie_deb_<version>_PR<number>


ci-build-linux.yml — Linux Build Matrix

Trigger: Pull requests, push to master

Builds on multiple Ubuntu versions and ARM64. Uses reusable workflows _build-deps.yml, _build-core.yml, and _build-cached.yml.

Platform Architecture
Ubuntu 22.04 x64
Ubuntu 24.04 x64
Ubuntu 24.04 ARM arm64

ci-build-macos.yml — macOS Build Matrix

Trigger: Pull requests, push to master

Platform Variant
macOS 15 Intel x86_64
macOS 15 ARM Universal arm64 + x86_64

CD Workflows (Delivery)

cd-nightly.yml — Nightly Pre-Release

Trigger: Schedule 0 2 * * * (02:00 UTC), push to develop branch, manual dispatch

What it does:

  1. Detects whether C++ sources changed (on push trigger — skips if only docs/CI changed)
  2. Calls cd-packages.yml to build all distribution packages
  3. Creates a signed git tag: nightly-YYYYMMDD-<sha>
  4. Publishes a GitHub pre-release with all artifacts
  5. Cleans up old nightly releases (keeps last 14)

Artifacts produced:

  • Debian trixie .deb
  • Fedora 42 .rpm
  • Ubuntu 22.04 AppImage + .deb
  • Ubuntu 24.04 AppImage + .deb

cd-packages.yml — Build Distribution Packages

Trigger: Called by cd-nightly.yml, cd-release.yml, or manual dispatch

Inputs:

Input Default Description
retention-days 14 Artifact retention
skip-debian false Skip Debian trixie build
skip-fedora false Skip Fedora 42 build
skip-ubuntu false Skip Ubuntu self-hosted builds

Jobs:

Job Runner Notes
build_debian ubuntu-24.04 + debian:trixie Uses ccache (see below)
build_fedora ubuntu-24.04 + fedora:42 continue-on-error: false
build_selfhosted [self-hosted, pve05-ubuntu22] etc. continue-on-error: true

ccache in Debian Build

The Debian job uses ccache to accelerate rebuilds:

  1. Installs ccache, adds /usr/lib/ccache to PATH
  2. Restores a persistent cache keyed on all src/**/*.{cpp,c,h,hpp} hashes
  3. Runs the build (./BuildLinux.sh -sfr + BuildLinuxImage.sh)
  4. Saves the cache only on build success and only when no prior cache existed

Impact: Cold build ~60 min → cache hit ~5–10 min.


cd-release.yml — Full Release

Trigger: Push of a tag matching v[0-9]*.[0-9]*.[0-9]*.[0-9]*-dev, or manual dispatch

What it does:

  1. Determines release tag (from pushed tag or auto-computed)
  2. Calls cd-packages.yml for all platforms
  3. Builds Windows (x64, ARM64) and macOS (Intel, Universal) via ci-build.yml
  4. Uploads all artifacts to the GitHub Release
  5. Triggers deployment workflows (see below)

cd-release-candidate.yml — Release Candidate

Trigger: Manual dispatch

Builds the same artifact set as cd-release.yml but publishes as a pre-release RC. Used for testing before tagging a production release.


Deploy Workflows (Post-Release)

These run after a release is published and deploy packages to distribution channels.

Workflow Channel Secret Required
cd-deploy-apt.yml APT repository (apt.s3-dev.ovh) S3 credentials
cd-deploy-aur.yml AUR (bambu-studio-bin) AUR_SSH_PRIVATE_KEY
cd-deploy-homebrew.yml Homebrew tap HOMEBREW_TAP_TOKEN
cd-deploy-winget.yml Windows Package Manager WINGET_TOKEN
cd-deploy-flatpak.yml Flathub Flatpak submission token

Security Workflows

security-codeql.yml — CodeQL Analysis

Trigger: Push to master, pull requests, weekly schedule (Monday 04:00 UTC)

Scans C/C++ and JavaScript with the security-extended query suite. Results appear in Security → Code scanning.


security-scorecard.yml — OpenSSF Scorecard

Trigger: Push to master, weekly schedule

Runs the OpenSSF Scorecard and publishes results. Current badge:

OpenSSF Scorecard


security-dependency-review.yml — Dependency Review

Trigger: Every pull request

Required status check — must pass before merge. Detects newly introduced vulnerable dependencies.


Automation Workflows

Workflow Trigger Action
automation-label-prs.yml PR open/edit Labels PRs based on changed paths
automation-label-issues.yml Issue open Labels issues based on content
automation-assign-project.yml PR/issue open Adds to GitHub Project board
automation-release-notes.yml PR merge Drafts release notes entry

Reusable Workflows

Workflow Description
_build-deps.yml Build and cache C++ dependencies
_build-core.yml Build BambuStudio binary
_build-cached.yml Build with deps cache check

Concurrency

Workflow Group cancel-in-progress
ci-pull-request.yml pr-build-<PR#> Yes (on new push)
cd-packages.yml <workflow>-packages-<ref> Only on PR events
cd-nightly.yml nightly No
cd-release.yml <workflow>-<ref> No

Warning

After merging a PR, cancel the still-running PR build manually. GitHub does not auto-cancel in-progress builds on merge.

gh run cancel <run-id>

Harden Runner

All jobs use step-security/harden-runner with egress-policy: audit. This logs all outbound network connections and can be promoted to block for stricter enforcement.

All uses: references are pinned to full commit SHAs with version comments, e.g.:

uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6

Clone this wiki locally