ci: reduce duplication

rjaegers · web-flow · commit 2f143c5ed976 · 2026-02-26T11:39:41.000+01:00
diff --git a/.github/workflows/build-push-test.yml b/.github/workflows/build-push-test.yml
@@ -0,0 +1,55 @@
+---
+name: Build, Push & Test
+
+on:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  build-push-base:
+    name: Build → Push → Test (🍨 base)
+    uses: ./.github/workflows/wc-build-push-test.yml
+    permissions: &build-push-test-permissions
+      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
+      attestations: write # is needed by actions/attest-build-provenance to push attestations
+      contents: write # is needed by anchore/sbom-action for artifact uploads
+      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+      packages: write # is needed to push image manifest when using GitHub Container Registry
+      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
+    with:
+      dockerfile: .devcontainer/base/Dockerfile
+      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
+      image-name: ${{ github.repository }}-base
+      integration-test-file: test/base/integration-tests.bats
+      integration-test-podman: true
+
+  build-push-flavors:
+    name: Build → Push → Test (🍨 ${{ matrix.flavor }})
+    needs: build-push-base
+    strategy:
+      matrix:
+        flavor: [cpp, rust]
+    uses: ./.github/workflows/wc-build-push-test.yml
+    secrets:
+      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
+      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
+      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
+      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
+    permissions: *build-push-test-permissions
+    with:
+      acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }}
+      acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json
+      build-args: |
+        BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }}
+      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
+      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
+      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
+      image-name: ${{ github.repository }}-${{ matrix.flavor }}
+      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
+      integration-test-podman: true
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -13,9 +13,9 @@ concurrency:
 permissions: {}
 
 jobs:
-  build-push-base:
-    name: Build → Push → Test (🍨 base)
-    uses: ./.github/workflows/wc-build-push-test.yml
+  build-push-test:
+    name: Build → Push → Test
+    uses: ./.github/workflows/build-push-test.yml
     permissions:
       actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
       artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
@@ -24,43 +24,6 @@ jobs:
       id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
       packages: write # is needed to push image manifest when using GitHub Container Registry
       pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      dockerfile: .devcontainer/base/Dockerfile
-      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
-      image-name: ${{ github.repository }}-base
-      integration-test-file: test/base/integration-tests.bats
-
-  build-push-flavors:
-    name: Build → Push → Test (🍨 ${{ matrix.flavor }})
-    needs: build-push-base
-    strategy:
-      matrix:
-        flavor: [cpp, rust]
-    uses: ./.github/workflows/wc-build-push-test.yml
-    secrets:
-      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
-      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
-      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
-      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
-    permissions:
-      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
-      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
-      attestations: write # is needed by actions/attest-build-provenance to push attestations
-      contents: write # is needed by anchore/sbom-action for artifact uploads
-      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
-      packages: write # is needed to push image manifest when using GitHub Container Registry
-      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      acceptance-test-path: ${{ (github.actor != 'dependabot[bot]' && matrix.flavor == 'cpp') && 'test/cpp/features' || '' }}
-      acceptance-test-devcontainer-file: .devcontainer/${{ matrix.flavor }}-test/devcontainer.json
-      build-args: |
-        BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }}
-      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
-      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
-      enable-edge-tag: ${{ github.event_name == 'merge_group' }}
-      image-name: ${{ github.repository }}-${{ matrix.flavor }}
-      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
-      integration-test-podman: true
 
   dependency-review:
     name: 🔍 Dependency Review
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -13,9 +13,9 @@ concurrency:
 permissions: {}
 
 jobs:
-  build-push-base:
-    name: Build → Push → Test (🍨 base)
-    uses: ./.github/workflows/wc-build-push-test.yml
+  build-push-test:
+    name: Build → Push → Test
+    uses: ./.github/workflows/build-push-test.yml
     permissions:
       actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
       artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
@@ -24,40 +24,6 @@ jobs:
       id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
       packages: write # is needed to push image manifest when using GitHub Container Registry
       pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      dockerfile: .devcontainer/base/Dockerfile
-      image-name: ${{ github.repository }}-base
-      integration-test-file: test/base/integration-tests.bats
-
-  build-push-flavors:
-    name: Build → Push → Test (🍨 ${{ matrix.flavor }})
-    needs: build-push-base
-    strategy:
-      matrix:
-        flavor: [cpp, rust]
-    uses: ./.github/workflows/wc-build-push-test.yml
-    secrets:
-      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
-      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
-      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
-      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
-    permissions:
-      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
-      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
-      attestations: write # is needed by actions/attest-build-provenance to push attestations
-      contents: write # is needed by anchore/sbom-action for artifact uploads
-      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
-      packages: write # is needed to push image manifest when using GitHub Container Registry
-      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
-    with:
-      build-args: |
-        BASE_IMAGE=${{ needs.build-push-base.outputs.fully-qualified-image-name }}@${{ needs.build-push-base.outputs.digest }}
-      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
-      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
-      image-name: ${{ github.repository }}-${{ matrix.flavor }}
-      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
-      acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
-      test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}
 
   apply-release-notes-template:
     name: 📝 Apply Release Template
@@ -96,7 +62,7 @@ jobs:
       # Please note that this is an overly broad scope, but GitHub does not
       # currently provide a more fine-grained permission for release modification.
       contents: write # is needed to modify a release
-    needs: [build-push-base, build-push-flavors, apply-release-notes-template]
+    needs: [build-push-test, apply-release-notes-template]
     env:
       CONTAINER_FLAVOR: ${{ matrix.flavor }}
       REF_NAME: ${{ github.ref_name }}
