philips-software · Ron (rjaegers) · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025 · Oct 16, 2025
@@ -14,7 +14,7 @@ permissions: {}
 
 jobs:
   build-push-test:
-    name: 🛠️ Build → Push → Test (🍨 ${{ matrix.flavor }})
+    name: Build → Push → Test (🍨 ${{ matrix.flavor }})
     strategy:
       matrix:
         flavor: [cpp, rust]

@@ -9,36 +9,53 @@ on:
         required: true
         type: string
       image-name:
-        description: "Name of the Docker image to build, without registry or tag. E.g. 'my-image' or 'my-org/my-image'"
+        description: >-
+          Name of the Docker image to build, without registry or tag.
+
+          Examples:
+            'my-image'
+            'my-org/my-image'
         required: true
         type: string
       devcontainer-metadata-file:
-        description: "Path to a JSON file containing devcontainer metadata to add as a label to the built image"
+        description: >-
+          Path to a JSON file containing devcontainer metadata to add as a label to the built image.
+
+          Examples:
+            '.devcontainer/devcontainer-metadata.json'
+            '.devcontainer/<flavor>/devcontainer-metadata.json'
         required: false
         type: string
       registry:
-        description: "Docker registry to push built containers to, DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD secrets must be set if not using GitHub Container Registry"
+        description: >-
+          Docker registry to push built containers to.
+          `DOCKER_REGISTRY_USERNAME` and `DOCKER_REGISTRY_PASSWORD` secrets must be set if not using GitHub Container Registry (ghcr.io).
         required: false
         type: string
         default: "ghcr.io"
       build-test-runner-labels:
         description: >-
-          JSON object passed to fromJson to become the build matrix. Example:
-          '["ubuntu-latest", "ubuntu-24.04-arm"]'
+          JSON array used to select multi-architecture runners for build and test jobs.
+          Must be valid JSON.
+
+          Examples:
+            '["ubuntu-latest"]'
+            '["ubuntu-latest", "ubuntu-24.04-arm"]'
+            '[["self-hosted", "linux", "x86_64"], ["self-hosted", "linux", "arm64"]]'
         required: false
         type: string
         default: '["ubuntu-latest", "ubuntu-24.04-arm"]'
       runner-labels:
         description: >-
-          Single runner label OR JSON array of runner labels for non-build jobs.
+          JSON array used to select the default linux runner for non-build jobs.
+          Must be valid JSON.
+
           Examples:
-            ubuntu-latest
             '["ubuntu-latest"]'
             '["self-hosted", "linux", "x86_64"]'
-          Provide a valid JSON array (starting with '[') to use multiple labels; any other value is treated as a single label string.
         required: false
         type: string
-        default: ubuntu-latest
+        default: '["ubuntu-latest"]'
       integration-test-file:
         description: "Path to the BATS test file to run for integration tests"
         required: false
@@ -94,19 +111,20 @@ jobs:
   integration-test:
     name: 🧪
     if: ${{ inputs.integration-test-file }}
-    strategy:
-      matrix:
-        runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }}
     needs: build-push
     uses: ./.github/workflows/wc-integration-test.yml
     permissions:
       contents: read
+    secrets:
+      DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
+      DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
     with:
+      build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
       fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }}
       image-basename: ${{ needs.build-push.outputs.image-basename }}
       image-digest: ${{ needs.build-push.outputs.digest }}
+      registry: ${{ inputs.registry }}
       test-file: ${{ inputs.integration-test-file }}
-      runner-labels: ${{ matrix.runner }}
 
   acceptance-test:
     name: 🏗️

@@ -57,10 +57,10 @@ jobs:
       runner-labels: ${{ inputs.runner-labels }}
 
   build-push:
-    name: ${{ matrix.runner }}
+    name: Build (${{ (startsWith(toJson(matrix.runner), '[') && endsWith(toJson(matrix.runner), ']')) && join(fromJson(matrix.runner), ', ') || matrix.runner }})
     strategy:
       matrix:
-        runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }}
+        runner: ${{ fromJson(inputs.build-test-runner-labels) }}
     runs-on: ${{ matrix.runner }}
     needs: sanitize-image-name
     permissions:
@@ -137,9 +137,7 @@ jobs:
 
   merge-image:
     name: 🔗 Merge Image
-    # Support either a plain single label (e.g. ubuntu-latest) OR a JSON array of labels.
-    # If the input starts & ends with brackets we attempt JSON parsing; otherwise we pass the raw string.
-    runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+    runs-on: ${{ fromJson(inputs.runner-labels) }}
     needs:
       - build-push
       - sanitize-image-name
@@ -159,9 +157,6 @@ jobs:
         with:
           disable-sudo: true
           egress-policy: audit
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           path: ${{ runner.temp }}/digests

@@ -5,17 +5,17 @@ on:
   workflow_call:
     inputs:
       runner-labels:
-        description: "Runner to use for the job, will be passed to `runs-on`"
+        description: "JSON array of runner labels (default [\"ubuntu-latest\"]). Must be valid JSON."
         required: false
         type: string
-        default: ubuntu-latest
+        default: '["ubuntu-latest"]'
 
 permissions: {}
 
 jobs:
   dependency-review:
     name: Review
-    runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+    runs-on: ${{ fromJson(inputs.runner-labels) }}
     permissions:
       contents: read
       pull-requests: write

@@ -16,27 +16,27 @@ on:
       test-file:
         required: true
         type: string
-      runner-labels:
-        description: "Runner to use for the job, will be passed to `runs-on`"
+      build-test-runner-labels:
         required: true
         type: string
       registry:
-        description: "Docker registry to push built containers to, DOCKER_REGISTRY_USERNAME and DOCKER_REGISTRY_PASSWORD secrets must be set if not using GitHub Container Registry"
-        required: false
+        required: true
         type: string
-        default: "ghcr.io"
     secrets:
       DOCKER_REGISTRY_USERNAME:
-        required: false
+        required: true
       DOCKER_REGISTRY_PASSWORD:
-        required: false
+        required: true
 
 permissions: {}
 
 jobs:
   run-test:
-    name: 🧪 Integration Test
-    runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+    name: Integration Test (${{ (startsWith(toJson(matrix.runner), '[') && endsWith(toJson(matrix.runner), ']')) && join(fromJson(matrix.runner), ', ') || matrix.runner }})
+    strategy:
+      matrix:
+        runner: ${{ fromJson(inputs.build-test-runner-labels) }}
+    runs-on: ${{ matrix.runner }}
     container:
       image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
       credentials:

@@ -29,7 +29,7 @@ permissions: {}
 jobs:
   sanitize:
     name: Sanitize Image Name
-    runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
+    runs-on: ${{ fromJson(inputs.runner-labels) }}
     outputs:
       image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
       image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}