Align CI workflows with images-workbench #8
Merged
Align CI with the images-workbench pattern: split PR validation into its own workflow that delegates production and session matrix builds to posit-dev/images-shared reusable workflows, and replace the inline production build job with bakery-build-native.yml. Adds pre-commit config to back the new lint job. Development-version builds are intentionally omitted - this repo does not produce dev images. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The bakery-build-native reusable workflow does not support the GCP workload-identity auth and gcloud Docker config needed to push images to Google Artifact Registry, so the build job has to stay inline here. Triggers, concurrency, and the ci meta-job remain aligned with the images-workbench production workflow; PR validation lives in pr.yml, so the pull_request trigger is dropped to avoid duplicate builds. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror images-workbench's CI tooling: register the ubuntu-latest-{4x,8x} self-hosted runner labels so actionlint accepts the production build matrix; copy the dependabot config (weekly grouped GitHub Actions updates) and the zizmor unpinned-uses policy (@main allowed only for posit-dev/images-shared, hash-pin everywhere else). Also quote $GITHUB_OUTPUT in the matrix output step (shellcheck SC2086) and apply trailing-whitespace autofixes to existing goss.yaml files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
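As an added illustration of the policy the commit above (and the Summary below) describe, not the repository's own files: a zizmor unpinned-uses policy that allows a floating @main ref only for posit-dev/images-shared and requires a full commit SHA everywhere else, the actionlint runner-label registration, and a workflow fragment showing what the policy accepts. The key syntax follows zizmor's documented `rules.unpinned-uses.config.policies` and actionlint's `self-hosted-runner.labels` as I understand them; the all-zero SHA and the third-party action name are placeholders.

```yaml
# .github/zizmor.yml (illustrative)
rules:
  unpinned-uses:
    config:
      policies:
        # Our own shared reusable workflows may float on a branch ref (@main):
        # they are maintained by the same org and updated deliberately.
        "posit-dev/images-shared": ref-pin
        # Every other action must be pinned to a full commit SHA, so a tag
        # being moved upstream cannot silently change what CI executes.
        "*": hash-pin
---
# .github/actionlint.yaml (illustrative): register the self-hosted runner
# labels used by the production build matrix so actionlint does not reject them.
self-hosted-runner:
  labels:
    - ubuntu-latest-4x
    - ubuntu-latest-8x
---
# Workflow fragment (illustrative) showing what the policy above accepts.
jobs:
  production:
    # Accepted: ref-pin is allowed for posit-dev/images-shared.
    uses: posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main
  build:
    runs-on: ubuntu-latest-8x
    steps:
      # Accepted: hash-pinned third-party action; the tag is kept as a comment
      # so Dependabot and reviewers can still see which release it tracks.
      # (placeholder SHA, not a real commit)
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z
      # Rejected by the "*": hash-pin policy (tag only, placeholder action):
      # - uses: example-org/example-action@v1
      - id: matrix
        # $GITHUB_OUTPUT is quoted, which is what shellcheck SC2086 asks for.
        run: echo "matrix=$MATRIX_JSON" >> "$GITHUB_OUTPUT"
```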
Pull request overview
Copilot reviewed 24 out of 36 changed files in this pull request and generated 1 comment.
Comment on lines +17 to +20:

    needs:
      - lint
      - production
      - zizmor
Summary

- pr.yml matching the images-workbench pattern: lint (pre-commit), Production jobs delegating to posit-dev/images-shared/.github/workflows/bakery-build-pr.yml@main, plus Zizmor and an alls-green CI meta-job. Development-version builds are intentionally omitted — this repo does not produce dev images.
- production.yml triggers (workflow_dispatch + weekly schedule + push: main, no pull_request), concurrency, and the CI meta-job (pinned alls-green, Slack notification on main) with images-workbench. The build matrix stays inline because GAR pushes need workload-identity auth and gcloud auth configure-docker, which aren't supported by the shared bakery-build-native.yml reusable workflow.
- .pre-commit-config.yaml, .github/actionlint.yaml (registers ubuntu-latest-{4x,8x} self-hosted runner labels), .github/dependabot.yml, and .github/zizmor.yml, all copied from images-workbench.
- $GITHUB_OUTPUT in the matrix step.

Test plan

- Lint, Production, Session, Zizmor, and the CI alls-green check
- Production workflow matrix builds and pushes to GHCR + GCP Artifact Registry (workload-identity auth)
- workflow_dispatch against main pushes; against other refs builds without pushing
- posit-dev/images-shared action ref that isn't hash-pinned

🤖 Generated with Claude Code