From 8cf81398ad0a6fb884c30e7be03b69b74d811f22 Mon Sep 17 00:00:00 2001
From: mhucka
Date: Wed, 8 Apr 2026 04:23:12 +0000
Subject: [PATCH 1/6] Update pr-labeler workflow to use ubuntu-slim runner
---
.github/workflows/pr-labeler.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
index eea641cc3..0f69dff11 100644
--- a/.github/workflows/pr-labeler.yaml
+++ b/.github/workflows/pr-labeler.yaml
@@ -48,7 +48,7 @@ jobs: label-pr-size: if: github.repository_owner == 'quantumlib' name: Update PR size labels - runs-on: ubuntu-24.04 + runs-on: ubuntu-slim timeout-minutes: 5 permissions: contents: read
From 55f6916c77c1205856d2ed1ec9c5073ed44ba408 Mon Sep 17 00:00:00 2001
From: mhucka
Date: Wed, 8 Apr 2026 04:28:10 +0000
Subject: [PATCH 2/6] Most jobs don't need full git history Remove `depth: 0` from `actions/checkout` jobs that don't need it.
---
.github/workflows/ci.yaml | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index dc4072b6f..3df281d8c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -102,8 +102,6 @@ jobs: steps: - name: Check out a copy of the git repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - name: Run hadolint on Dockerfiles continue-on-error: ${{inputs.soft-linting == 'true'}}
@@ -124,8 +122,6 @@ jobs: steps: - name: Check out a copy of the git repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - name: Install problem matcher run: echo '::add-matcher::.github/problem-matchers/shellcheck.json'
@@ -147,8 +143,6 @@ jobs: steps: - name: Check out a copy of the git repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - name: Install yamllint run: |
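Review bot: `runs-on: ubuntu-slim` gives up the explicit OS release that `ubuntu-24.04` pinned, so the label-pr-size job no longer runs on a fixed image and a future image change can alter its behaviour without any diff in this repository. The job's remaining steps are outside the hunk, so whether they depend on tooling present on the full image but absent from the smaller one cannot be confirmed here. A comment next to the runner, e.g. `# ubuntu-slim: smaller unversioned image; job uses no preinstalled tooling beyond git`, would record the assumption that makes the switch safe.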
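Review bot: Dropping `fetch-depth: 0` leaves each checkout at the actions/checkout default shallow clone, which is only safe if the linter steps lint the working tree rather than diff against a base ref or read history; the linter `run:` steps follow each hunk and are mostly outside it, so that should be confirmed for the hadolint, shellcheck, yamllint, buildifier and actionlint jobs (the same change is made in the hunks at -124, -147, -172 and -196). A one-line note on the first checkout, e.g. `# Shallow clone is sufficient: these jobs lint the checked-out tree, not history.`, would document why depth 0 was not needed. The commit description refers to `depth: 0`, while the key actually removed is `fetch-depth`.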
@@ -172,8 +166,6 @@ jobs: steps: - name: Check out a copy of the git repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - name: Install Buildifier uses: jbajic/setup-buildifier@c558ee05c6f74ab5753ff794516750b4aadac296 # v1
@@ -196,8 +188,6 @@ jobs: steps: - name: Check out a copy of the git repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - name: Run actionlint continue-on-error: ${{inputs.soft-linting == 'true'}}
From d7e802123f90ee41c4378924536835802d78693d Mon Sep 17 00:00:00 2001
From: mhucka
Date: Wed, 8 Apr 2026 04:33:07 +0000
Subject: [PATCH 3/6] Remove Scorecard debugging upload we never used
---
.github/workflows/scorecard-scanner.yaml | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml
index b8deea7c4..11d4410dd 100644
--- a/.github/workflows/scorecard-scanner.yaml
+++ b/.github/workflows/scorecard-scanner.yaml
@@ -32,11 +32,6 @@ on: # Allow manual invocation. workflow_dispatch: - inputs: - debug: - description: 'Run with debugging options' - type: boolean - default: true concurrency: # Cancel any previously-started but still active runs on the same branch.
@@ -73,19 +68,10 @@ jobs: - name: Upload results to code-scanning dashboard # yamllint disable rule:line-length - uses: github/codeql-action/upload-sarif@ba454b8ab46733eb6145342877cd148270bb77ab # codeql-bundle-v2.23.5 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: sarif_file: scorecard-results.sarif - - if: github.event.inputs.debug == true || runner.debug == true - name: Upload results as artifacts to the workflow Summary page - # yamllint disable rule:line-length - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: Scorecard SARIF file - path: scorecard-results.sarif - retention-days: 5 - # Scorecard currently (ver. 2.4.x) doesn't allow submissions from jobs having # steps that use "run:". To print to the summary, we need to use another job. write-summary:
From 8edae6d9636c6b33187ef099a4b2fb21e272cdd5 Mon Sep 17 00:00:00 2001
From: mhucka
Date: Wed, 8 Apr 2026 05:07:45 +0000
Subject: [PATCH 4/6] Run yamllint directly, not via a find-pipe There's little to be gained in efficiency by prefiltering the files passed to yamllint. Skip running `find ... | xargs`.
---
.github/workflows/ci.yaml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3df281d8c..8f9b323a2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -153,10 +153,7 @@ jobs: continue-on-error: ${{inputs.soft-linting == 'true'}} run: | echo "::add-matcher::.github/problem-matchers/yamllint.json" - # shellcheck disable=SC2038 - find . -not -path '*.github/workflows/*' \ '(' -name '*.yaml' -o -name '*.yml' ')' | \ - xargs yamllint -f github + yamllint -f github . CITATION.cff bazel-lint: name: Bazel build lint checks
From 03ef0f1d78351364c744117cf0b19b211a11355c Mon Sep 17 00:00:00 2001
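Review bot: The pin bump of `github/codeql-action/upload-sarif` from the SHA commented `codeql-bundle-v2.23.5` to the one commented `# v4.35.1` is unrelated to the debugging upload this commit removes, and neither the title nor the description mentions it; for a SHA-pinned action the SHA-to-tag correspondence is exactly what a reviewer checks, so the bump belongs in its own commit or at least in the description. Whether c10b8064… really corresponds to v4.35.1 cannot be verified from the diff. The removed step was the only visible reader of `github.event.inputs.debug`, whose `debug` input the earlier hunk deletes; any other reference to it elsewhere in the file would now evaluate against an input that no longer exists.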
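Review bot: `yamllint -f github . CITATION.cff` now covers `.github/workflows/`, which the removed `find … -not -path '*.github/workflows/*'` deliberately excluded, so workflow files are linted for the first time; their `on:` key trips yamllint's `truthy` rule unless the project's yamllint configuration ignores those paths or relaxes the rule, which this hunk cannot show. The commit message presents the change as dropping a prefilter only, so the widened scope should be stated, e.g. `# Lints the whole tree, including .github/workflows/ (previously excluded); CITATION.cff is listed explicitly because its extension is presumably not one yamllint discovers on its own.` Because `continue-on-error` is driven by `inputs.soft-linting`, new findings only warn in soft mode, so a newly failing run could go unnoticed until a strict run.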
From: mhucka
Date: Wed, 8 Apr 2026 05:10:09 +0000
Subject: [PATCH 5/6] Run buildifier directly, not via a find-pipe There's little to be gained in efficiency by prefiltering the files passed to buildifier. Skip running `find ... | xargs`.
---
.github/workflows/ci.yaml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8f9b323a2..92eb086d0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -173,9 +173,7 @@ jobs: continue-on-error: ${{inputs.soft-linting == 'true'}} run: | echo '::add-matcher::.github/problem-matchers/buildifier.json' - # shellcheck disable=SC2038 - find . -name 'BUILD' -o -name '*.bzl' -o -name 'WORKSPACE' | \ - xargs buildifier -mode=diff -lint=warn + buildifier -mode=diff -lint=warn -r . action-lint: name: GitHub Actions lint checks
From f4f91971e002dd5af27c7d27f10e408af5636711 Mon Sep 17 00:00:00 2001
From: mhucka
Date: Wed, 8 Apr 2026 05:30:03 +0000
Subject: [PATCH 6/6] Run hadolint directly, not via a find-pipe Finding the Dockerfiles can be done more efficiently than running a find and xargs pipeline.
---
.github/workflows/ci.yaml | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 92eb086d0..878817142 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
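Review bot: `buildifier -mode=diff -lint=warn -r .` lints whatever buildifier's own recursive discovery recognises, which is a different file set from the removed `find . -name 'BUILD' -o -name '*.bzl' -o -name 'WORKSPACE'`: names such as BUILD.bazel or WORKSPACE.bazel, which the old name list missed, are now included if the repository has any, and could surface findings the old pipeline never reported. That is probably the intended behaviour, but the commit message calls this a pure efficiency change; a comment such as `# -r lets buildifier discover Starlark files itself, a wider set than the old BUILD/WORKSPACE/*.bzl name list.` would make the scope explicit.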
@@ -106,13 +106,15 @@ jobs: - name: Run hadolint on Dockerfiles continue-on-error: ${{inputs.soft-linting == 'true'}} env: - hadolint_version: 'sha256:e9dbf5113239ef2bf696d20c8f28d3019a47c26a38c98b89344d3e2846c4d5f8' + sha: 'sha256:e9dbf5113239ef2bf696d20c8f28d3019a47c26a38c98b89344d3e2846c4d5f8' run: | echo '::add-matcher::.github/problem-matchers/hadolint.json' - find . -name Dockerfile -print0 | \ - xargs -0 -r docker run --rm -i -v "${PWD}:/app" -w /app \ - --entrypoint /bin/hadolint \ - ghcr.io/hadolint/hadolint@${{env.hadolint_version}} + shopt -s globstar + files=(**/Dockerfile*) + if [[ ${#files[@]} -gt 0 ]]; then + docker run --rm -v "${PWD}:/app" -w /app \ + ghcr.io/hadolint/hadolint@${{env.sha}} /bin/hadolint "${files[@]}" + fi shell-lint: name: Shell script lint checks
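Review bot: `files=(**/Dockerfile*)` enables only `globstar`; without `nullglob`, an unmatched pattern is kept in the array as the literal string `**/Dockerfile*`, so `${#files[@]}` is 1, the `-gt 0` guard never skips, and hadolint is invoked on a path that does not exist. The fix is `shopt -s globstar nullglob`. Two further differences from the removed `find . -name Dockerfile` deserve a comment in the script: `**` does not descend into dot-directories unless `dotglob` is also set, so a Dockerfile under a hidden directory that find previously reached would now be skipped, and `Dockerfile*` also matches sibling names such as `Dockerfile.md` (constructed example), which hadolint would then try to lint. Renaming the env key from `hadolint_version` to `sha` loses meaning; `hadolint_digest` would describe the pinned value better.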