revert(ci): remove PR checks orchestrator, restore independent workflows

sjnims · claude · sjnims · commit 418cee816582 · 2025-12-07T22:29:02.000-05:00
The orchestrator approach (pr-checks.yml) was causing issues with workflow execution. This reverts to the simpler independent workflow model where each workflow triggers directly on pull_request events with path filters. Changes: - Remove pr-checks.yml orchestrator - Restore markdownlint.yml to direct pull_request trigger - Restore links.yml to direct pull_request trigger - Restore component-validation.yml to direct pull_request trigger - Restore version-check.yml to direct pull_request trigger - Restore validate-workflows.yml to direct pull_request trigger - Restore claude-pr-review.yml to direct pull_request trigger - Update CLAUDE.md to reflect simplified CI/CD structure 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
@@ -1,12 +1,15 @@
 name: Claude Automated PR Review
 
 on:
-  # Reusable workflow - called by pr-checks.yml orchestrator
-  workflow_call:
+  # Using pull_request (not pull_request_target) for security:
+  # - pull_request_target exposes secrets to fork PRs, creating exfiltration risk
+  # - For fork PRs needing review, maintainers can manually @claude via claude.yml
+  pull_request:
+    types: [opened, synchronize, ready_for_review]
 
 # Cancel any in-progress review for the same PR when new commits are pushed
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
@@ -17,7 +20,6 @@ jobs:
       github.actor != 'claude[bot]' &&
       github.event.pull_request.draft == false
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     permissions:
       contents: read
       pull-requests: write
@@ -35,12 +37,8 @@ jobs:
         with:
           node-version: "20"
 
-      - name: Cache npm packages
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: ~/.npm
-          key: npm-markdownlint-${{ runner.os }}
-          restore-keys: npm-markdownlint-
+      - name: Install markdownlint-cli
+        run: npm install -g markdownlint-cli
 
       - name: Review PR with Claude
         uses: anthropics/claude-code-action@6337623ebba10cf8c8214b507993f8062fd4ccfb # v1.0.22
@@ -58,7 +56,7 @@ jobs:
 
             ## Instructions
             1. Get the PR diff to understand what changed
-            2. If any `.md` files were changed, run `npx markdownlint-cli --config .markdownlint.json <files>` to check for style issues
+            2. If any `.md` files were changed, run `markdownlint --config .markdownlint.json <files>` to check for style issues
             3. Review the changes against the criteria below
             4. Post a summary comment with your findings
 
@@ -70,8 +68,8 @@ jobs:
             - **Agents** (`agents/*.md`): Verify <example> blocks for triggering, appropriate tool restrictions.
             - **Hooks** (`hooks/hooks.json`): Validate event types and matcher patterns.
 
-            ### Markdown Quality
-            Run `npx markdownlint-cli --config .markdownlint.json` on changed `.md` files. Key rules enforced:
+            ### Markdown Quality (run markdownlint)
+            Run `markdownlint --config .markdownlint.json` on changed `.md` files. Key rules enforced:
             - ATX-style headers (`#` not underlines)
             - Dash-style lists (`-` not `*` or `+`)
             - 2-space indentation for nested lists
@@ -92,4 +90,4 @@ jobs:
             Be constructive and helpful. Focus on significant issues, not nitpicks.
             If the PR looks good, say so briefly - don't invent problems.
           claude_args: |
-            --allowedTools "Bash(gh pr:*),Bash(npx markdownlint-cli:*),Read,Glob,Grep,mcp__github_inline_comment__create_inline_comment"
+            --allowedTools "Bash(gh pr:*),Bash(markdownlint:*),Read,Glob,Grep,mcp__github_inline_comment__create_inline_comment"
diff --git a/.github/workflows/component-validation.yml b/.github/workflows/component-validation.yml
@@ -1,12 +1,17 @@
 name: Plugin Component Validation
 
 on:
-  # Reusable workflow - called by pr-checks.yml orchestrator
-  workflow_call:
+  pull_request:
+    types: [opened, synchronize, ready_for_review]
+    paths:
+      - "plugins/plugin-dev/commands/**"
+      - "plugins/plugin-dev/skills/**"
+      - "plugins/plugin-dev/agents/**"
+      - "plugins/plugin-dev/hooks/**"
 
 # Cancel any in-progress validation for the same PR when new commits are pushed
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
@@ -17,7 +22,6 @@ jobs:
       github.actor != 'claude[bot]' &&
       github.event.pull_request.draft == false
     runs-on: ubuntu-latest
-    timeout-minutes: 15
     permissions:
       contents: read
       pull-requests: write
@@ -28,7 +32,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
-          fetch-depth: 1
+          fetch-depth: 0
 
       - name: Get changed plugin component files
         id: changed-files
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
@@ -1,9 +1,9 @@
 name: Check Links
 
 on:
-  # Reusable workflow - called by pr-checks.yml orchestrator
-  workflow_call:
-  # Standalone triggers
+  pull_request:
+    paths:
+      - '**.md'
   schedule:
     - cron: '0 0 * * 0'  # Weekly on Sunday at midnight UTC
   workflow_dispatch:
@@ -16,7 +16,6 @@ jobs:
   linkChecker:
     name: Check Markdown Links
     runs-on: ubuntu-latest
-    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -37,7 +36,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Create Issue From File
-        if: failure() && github.event_name == 'schedule'
+        if: failure()
         uses: peter-evans/create-issue-from-file@fca9117c27cdc29c6c4db3b86c48e4115a786710 # v6
         with:
           title: Broken links detected
diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
@@ -1,9 +1,9 @@
 name: Markdown Lint
 
 on:
-  # Reusable workflow - called by pr-checks.yml orchestrator
-  workflow_call:
-  # Standalone trigger for main branch pushes
+  pull_request:
+    paths:
+      - "**.md"
   push:
     branches:
       - main
@@ -18,7 +18,6 @@ jobs:
   lint:
     name: Lint Markdown Files
     runs-on: ubuntu-latest
-    timeout-minutes: 5
     steps:
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
diff --git a/.github/workflows/validate-workflows.yml b/.github/workflows/validate-workflows.yml
@@ -1,9 +1,9 @@
 name: Validate Workflows
 
 on:
-  # Reusable workflow - called by pr-checks.yml orchestrator
-  workflow_call:
-  # Standalone trigger for main branch pushes
+  pull_request:
+    paths:
+      - '.github/workflows/**'
   push:
     branches:
       - main
@@ -18,7 +18,6 @@ jobs:
   actionlint:
     name: Lint GitHub Actions Workflows
     runs-on: ubuntu-latest
-    timeout-minutes: 5
     steps:
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
@@ -1,10 +1,12 @@
 name: Version Consistency Check
 
 on:
-  # Reusable workflow - called by pr-checks.yml orchestrator
-  workflow_call:
-  # Manual trigger for pre-release checks
-  workflow_dispatch:
+  pull_request:
+    paths:
+      - "plugins/plugin-dev/.claude-plugin/plugin.json"
+      - ".claude-plugin/marketplace.json"
+      - "CLAUDE.md"
+  workflow_dispatch: # Manual trigger for pre-release checks
 
 # Cancel any in-progress check for the same PR when new commits are pushed
 concurrency:
@@ -18,7 +20,6 @@ jobs:
       github.actor != 'dependabot[bot]' &&
       github.actor != 'claude[bot]'
     runs-on: ubuntu-latest
-    timeout-minutes: 10
     permissions:
       contents: read
       id-token: write
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -169,24 +169,16 @@ Use these agents proactively after creating components:
 
 ## CI/CD
 
-### PR Checks Orchestrator
+### PR Workflows
 
-The `pr-checks.yml` workflow orchestrates all PR validation:
-
-- Detects changed files and runs only relevant checks
-- Provides single `All Checks Pass` status for branch protection
-- Runs checks in parallel for efficiency
-
-### Reusable Workflows (called by orchestrator)
-
-| Workflow | Trigger Condition | Purpose |
-|----------|-------------------|---------|
+| Workflow | Trigger | Purpose |
+|----------|---------|---------|
 | `markdownlint.yml` | `**.md` changed | Lint markdown files |
 | `links.yml` | `**.md` changed | Check for broken links |
-| `component-validation.yml` | `plugins/plugin-dev/**` changed | Validate plugin components |
+| `component-validation.yml` | Plugin components changed | Validate plugin components |
 | `version-check.yml` | Version files changed | Ensure version consistency |
 | `validate-workflows.yml` | `.github/workflows/**` changed | Lint GitHub Actions |
-| `claude-pr-review.yml` | Always (non-draft PRs) | AI-powered code review |
+| `claude-pr-review.yml` | All PRs (non-draft) | AI-powered code review |
 
 ### Other Workflows
 
