ci: consolidate and improve GitHub Actions workflows

- Merge test_accuracy.yml and test_precommit.yml into pre_commit.yml
- Add concurrency control to prevent duplicate workflow runs
- Unify security scans to handle both PRs and scheduled runs
- Move permissions to workflow level with job-level overrides
- Standardize YAML formatting and schedule cron times
- Use YAML anchors to reduce duplication in pre_commit.yml
- Update deprecated set-output syntax to use GITHUB_OUTPUT
- Simplify CodeQL matrix by moving build-mode to step level
- Pin uv version to 0.9.27 for reproducibility
- Add blank lines between steps for improved readability
- Replace regex-match action with native bash

Signed-off-by: mramotowski <maciej.ramotowski@intel.com>

Author: mramotowski

.github/workflows/codeql.yml

@@ -2,11 +2,13 @@ name: "CodeQL Scan"
 
 on:
   push:
-    branches: ["master"]
+    branches:
+      - "master"
   pull_request:
-    branches: ["master"]
+    branches:
+      - "master"
   schedule:
-    - cron: "37 3 * * 0"
+    - cron: "0 2 * * 0"
 
 permissions: {} # No permissions by default on workflow level
 
@@ -16,18 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       security-events: write # required to publish sarif
-
     strategy:
       fail-fast: false
       matrix:
         include:
           - language: actions
-            build-mode: none
           - language: python
-            build-mode: none
-
     steps:
-      - name: Checkout repository
+      - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
@@ -37,7 +35,7 @@ jobs:
         uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
+          build-mode: none
           queries: security-extended
 
       - name: Perform CodeQL Analysis

.github/workflows/collect-sbom-library.yaml

@@ -2,10 +2,10 @@ name: Collect Library Licenses
 
 on:
   schedule:
-    - cron: "0 2 * * 1" # Weekly on Monday
+    - cron: "0 2 * * 0"
   workflow_dispatch:
 
-permissions: {}
+permissions: {} # No permissions by default on workflow level
 
 jobs:
   collect-licenses:

.github/workflows/docs.yml

@@ -1,40 +1,47 @@
 name: Build Docs
-permissions: {} # No permissions by default on workflow level
 
 on:
   workflow_dispatch: # run on request (no need for PR)
   push:
     branches:
       - master
 
+permissions: {} # No permissions by default on workflow level
+
 jobs:
   Build-Docs:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - name: Checkout repository
+      - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
+
       - name: Set up Python
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version-file: ".python-version"
+
       - name: Install uv
         uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        with:
+          version: "0.9.27"
+
       - name: Install dependencies
         run: |
           uv sync --locked --extra docs
+
       - name: Build Docs
-        run: |
-          cd docs
-          uv run make html
+        working-directory: docs
+        run: uv run make html
+
       - name: Branch name
         id: branch_name
-        shell: bash
         run: |
-          echo ::set-output name=SOURCE_NAME::${GITHUB_REF#refs/*/}
+          echo "SOURCE_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+
       - name: Create gh-pages branch
         env:
           SOURCE: ${{steps.branch_name.outputs.SOURCE_NAME}}
@@ -67,6 +74,7 @@ jobs:
           else
             echo "Branch gh-pages already exists"
           fi
+
       - name: Commit docs to gh-pages branch
         env:
           RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
@@ -88,6 +96,7 @@ jobs:
           git add ./latest "$RELEASE_VERSION"
           git add index.html
           git commit -m "Update documentation" -a || true
+
       - name: Push changes
         uses: ad-m/github-push-action@57116acb309081ee57864270b0e3c4cedbe45452
         with:

.github/workflows/pr-labeler.yml

@@ -4,10 +4,12 @@
 #####
 
 name: "Pull Request Labeler"
-permissions: {} # No permissions by default on workflow level
+
 on:
   - pull_request_target # zizmor: ignore[dangerous-triggers]
 
+permissions: {} # No permissions by default on workflow level
+
 jobs:
   labeler:
     permissions:

.github/workflows/pre_commit.yml

@@ -1,54 +1,123 @@
 name: Pre-Commit Checks
-permissions: {} # No permissions by default on workflow level
 
 on:
-  push:
+  pull_request:
+  merge_group:
     branches:
       - master
-  pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
   workflow_dispatch: # run on request (no need for PR)
 
+permissions: {} # No permissions by default on workflow level
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
-  Code-Quality-Checks:
-    runs-on: ubuntu-24.04
+  code_quality_checks:
+    runs-on: ubuntu-latest
     steps:
-      - name: CHECKOUT REPOSITORY
+      - &checkout
+        name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
+
       - name: Set up Python
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version-file: ".python-version"
+
       - name: Install uv
         uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        with:
+          enable-cache: false
+          version: "0.9.27"
+
       - name: Install dependencies
-        run: |
-          uv sync --locked --all-extras
+        run: uv sync --locked --all-extras
+
       - name: Run pre-commit checks
-        run: |
-          uvx pre-commit run --all-files
-  Unit-Tests:
-    runs-on: ubuntu-24.04
+        run: uvx pre-commit run --all-files
+
+  accuracy-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - "ubuntu-latest"
+          - "windows-latest"
+        python-version:
+          - "3.10"
+          - "3.11"
+          - "3.12"
+          - "3.13"
+    runs-on: ${{ matrix.os }}
     steps:
-      - name: CHECKOUT REPOSITORY
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-      - name: Set up Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
-        with:
-          python-version-file: ".python-version"
-      - name: Install uv
+      - *checkout
+
+      - &matrix-setup-uv
+        name: Install uv
         uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
-      - name: Install dependencies
-        run: |
-          uv sync --locked --extra tests
+        with:
+          enable-cache: false
+          python-version: ${{ matrix.python-version }}
+          version: "0.9.27"
+
+      - &install-dependencies
+        name: Install dependencies
+        run: uv sync --locked --extra tests --extra-index-url https://download.pytorch.org/whl/cpu
+
+      - name: Prepare test data
+        run: uv run python tests/accuracy/download_models.py -d data -j tests/accuracy/public_scope.json -l
+
+      - name: Run Python Test
+        run: uv run pytest --data=./data tests/accuracy/test_accuracy.py
+
+  unit-functional-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - "ubuntu-24.04"
+          - "windows-2022"
+        python-version:
+          - "3.10"
+          - "3.11"
+          - "3.12"
+          - "3.13"
+    name: unit & functional tests (${{ matrix.os }}, Python ${{ matrix.python-version }})
+    runs-on: ${{ matrix.os }}
+    steps:
+      - *checkout
+
+      - *matrix-setup-uv
+
+      - *install-dependencies
+
       - name: Run python unit tests
+        run: uv run pytest tests/unit --cov
+
+      - name: Prepare test data
         run: |
-          uv run pytest tests/unit --cov
+          uv run python tests/accuracy/download_models.py -d data -j tests/precommit/public_scope.json -l
+
+      - name: Run test
+        run: |
+          uv run pytest --data=./data tests/functional
+
+  pre-commit-result:
+    runs-on: ubuntu-latest
+    needs:
+      - accuracy-tests
+      - code_quality_checks
+      - unit-functional-tests
+    if: always()
+    steps:
+      - name: All tests ok
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+
+      - name: Some tests failed
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1

.github/workflows/publish.yaml

@@ -12,27 +12,30 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
+
       - name: Set up Python
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version-file: ".python-version"
+
       - name: Install pypa/build
-        run: |
-          uv sync --locked
+        run: uv sync --locked
+
       - name: Build sdist
-        run: |
-          uv build --sdist
+        run: uv build --sdist
+
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: artifact-sdist
           path: dist/*.tar.gz
+
       - name: Build wheel
-        run: |
-          uv build --wheel
+        run: uv build --wheel
+
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: artifact-wheel
@@ -53,13 +56,19 @@ jobs:
           path: dist
           pattern: artifact-*
           merge-multiple: true
+
       # to determine where to publish the package distribution to PyPI or TestPyPI
       - name: Check tag
         id: check-tag
-        uses: actions-ecosystem/action-regex-match@9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b # v2.0.2
-        with:
-          text: ${{ github.ref }}
-          regex: '^refs/tags/[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)+(\.[0-9]+rc[0-9]+|rc[0-9]+)?$'
+        env:
+          GITHUB_REF: ${{ github.ref }}
+        run: |
+          if [[ "${GITHUB_REF}" =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)+(\.[0-9]+rc[0-9]+|rc[0-9]+)?$ ]]; then
+            echo "match=${GITHUB_REF}" >> $GITHUB_OUTPUT
+          else
+            echo "match=" >> $GITHUB_OUTPUT
+          fi
+
       - name: Upload package distributions to github
         if: ${{ steps.check-tag.outputs.match != '' }}
         uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # 2.11.3
@@ -69,9 +78,11 @@ jobs:
           tag: ${{ github.ref }}
           overwrite: true
           file_glob: true
+
       - name: Publish package distributions to PyPI
         if: ${{ steps.check-tag.outputs.match != '' }}
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+
       - name: Publish package distributions to TestPyPI
         if: ${{ steps.check-tag.outputs.match == '' }}
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0

.github/workflows/renovate-config-validator.yml

@@ -17,8 +17,7 @@ on:
     paths:
       - ".github/renovate.json5"
 
-permissions:
-  contents: read
+permissions: {} # No permissions by default on workflow level
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
@@ -27,8 +26,10 @@ concurrency:
 jobs:
   validate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - name: Checkout configuration
+      - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false