From d530c25bd33a3a27ceccd5dd95332beb05a146a7 Mon Sep 17 00:00:00 2001
From: Tomljenovic Marko
Date: Tue, 10 Mar 2026 14:03:29 +0100
Subject: [PATCH 1/3] Add new label variable
---
 .github/workflows/bzlmod-lock-check.yml | 2 +-
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/copyright.yml | 2 +-
 .github/workflows/cpp-coverage.yml | 2 +-
 .github/workflows/docs-cleanup.yml | 2 +-
 .github/workflows/docs-verify.yml | 2 +-
 .github/workflows/docs.yml | 4 +-
 .github/workflows/format.yml | 2 +-
 .github/workflows/license-check.yml | 2 +-
 .github/workflows/local_on_pr.yml | 2 +-
 .github/workflows/qnx-build.yml | 2 +-
 .github/workflows/required-approvals.yml | 2 +-
 .github/workflows/rust-coverage.yml | 2 +-
 .github/workflows/score-pr-checks.yml | 2 +-
 .github/workflows/static-analysis.yml | 2 +-
 .github/workflows/template-sync.yml | 2 +-
 .github/workflows/tests.yml | 2 +-
 README.md | 193 ++++++++++++-----------
 18 files changed, 122 insertions(+), 107 deletions(-)
diff --git a/.github/workflows/bzlmod-lock-check.yml b/.github/workflows/bzlmod-lock-check.yml
index c0b6803..c6edb80 100644
--- a/.github/workflows/bzlmod-lock-check.yml
+++ b/.github/workflows/bzlmod-lock-check.yml
@@ -24,7 +24,7 @@ on:
 jobs:
 bzlmod-lock-check:
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 steps:
 - name: Checkout repository (Handle all events)
 uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b6878a5..092b917 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
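Review bot: The variable name `runner_labels_gh-ub_standard_x64` in the new `runs-on` expression of bzlmod-lock-check.yml contains a hyphen, while GitHub's documented naming rules for configuration variables allow only alphanumeric characters and underscores. If that rule applies here, the variable cannot be created in repository or organization settings, so the first branch of the expression is always empty and every job silently falls back to `REPO_RUNNER_LABELS` or `ubuntu-latest`. The same expression is repeated in every other workflow hunk of this patch and in the README section on runner selection, so the rename would have to be made everywhere unless a later patch in the series already does it. An underscore-only spelling such as `vars.runner_labels_gh_ub_standard_x64 && fromJSON(vars.runner_labels_gh_ub_standard_x64) || ...` (name constructed for illustration) avoids the problem; the job body continues outside the hunk.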
@@ -23,7 +23,7 @@ on:
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 permissions:
 security-events: write
 packages: read
diff --git a/.github/workflows/copyright.yml b/.github/workflows/copyright.yml
index 9e36b92..8070c5c 100644
--- a/.github/workflows/copyright.yml
+++ b/.github/workflows/copyright.yml
@@ -24,7 +24,7 @@ on:
 jobs:
 copyright-check:
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/cpp-coverage.yml b/.github/workflows/cpp-coverage.yml
index 7f018e1..63868d8 100644
--- a/.github/workflows/cpp-coverage.yml
+++ b/.github/workflows/cpp-coverage.yml
@@ -63,7 +63,7 @@ permissions:
 jobs:
 coverage-report:
 name: C++ Coverage
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || inputs.runner-label }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || inputs.runner-label }}
 steps:
 - name: Checkout repository
diff --git a/.github/workflows/docs-cleanup.yml b/.github/workflows/docs-cleanup.yml
index ff88314..f6480c8 100644
--- a/.github/workflows/docs-cleanup.yml
+++ b/.github/workflows/docs-cleanup.yml
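Review bot: The `analyze` job in codeql.yml was pinned to `ubuntu-latest` and now takes its runner from repository or organization variables, while the job still holds `security-events: write`. Whoever can edit those variables therefore decides where a job with write scopes executes, and on a persistent self-hosted runner state may carry over between runs. The same pin is dropped in local_on_pr.yml, score-pr-checks.yml, tests.yml and template-sync.yml, the last of which declares `contents: write` and `pull-requests: write`. If the override is intended for these jobs, I would put a comment above each changed line, for example `# runner is taken from vars: use ephemeral, trusted runners only; this job has write permissions`, or keep `runs-on: ubuntu-latest` on the jobs that hold write scopes. The job body continues outside the hunk.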
@@ -34,7 +34,7 @@ on:
 jobs:
 docs-cleanup:
 name: Cleanup old documentation
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 permissions:
 pages: write
 contents: write
diff --git a/.github/workflows/docs-verify.yml b/.github/workflows/docs-verify.yml
index 3c7b5c8..48aca9f 100644
--- a/.github/workflows/docs-verify.yml
+++ b/.github/workflows/docs-verify.yml
@@ -32,7 +32,7 @@ env:
 jobs:
 docs-verify:
 name: Docs Verification
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 outputs:
 verification-result: ${{ steps.verify.outcome }}
 permissions:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f91506a..1df4454 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -48,7 +48,7 @@ env:
 jobs:
 docs-build:
 name: Build Documentation
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 permissions:
 pull-requests: write
 contents: read
@@ -169,7 +169,7 @@ jobs:
 docs-deploy:
 name: Deploy Documentation to GitHub Pages
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 needs: docs-build
 permissions:
 pages: write
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 8cd60a7..dc5b0db 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -23,7 +23,7 @@ on:
 jobs:
 format-check:
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
index e668093..1962173 100644
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -32,7 +32,7 @@ on:
 jobs:
 license-check:
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 permissions:
 pull-requests: write
 issues: write
diff --git a/.github/workflows/local_on_pr.yml b/.github/workflows/local_on_pr.yml
index cd8714d..52106bd 100644
--- a/.github/workflows/local_on_pr.yml
+++ b/.github/workflows/local_on_pr.yml
@@ -20,7 +20,7 @@ jobs:
 self_test:
 name: πŸ”¬ Self Test
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 steps:
 - name: πŸ“₯ Check out
 uses: actions/checkout@v6
diff --git a/.github/workflows/qnx-build.yml b/.github/workflows/qnx-build.yml
index b7482f8..1d00715 100644
--- a/.github/workflows/qnx-build.yml
+++ b/.github/workflows/qnx-build.yml
@@ -60,7 +60,7 @@ on:
 jobs:
 qnx-build:
 name: Build QNX target
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 environment: ${{ inputs.environment-name }}
 permissions:
 contents: read
diff --git a/.github/workflows/required-approvals.yml b/.github/workflows/required-approvals.yml
index 3a63f62..77eefd1 100644
--- a/.github/workflows/required-approvals.yml
+++ b/.github/workflows/required-approvals.yml
@@ -22,7 +22,7 @@ on:
 jobs:
 check-approvals:
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 permissions:
 id-token: write
 contents: read
diff --git a/.github/workflows/rust-coverage.yml b/.github/workflows/rust-coverage.yml
index 1e4212e..7dbcaa6 100644
--- a/.github/workflows/rust-coverage.yml
+++ b/.github/workflows/rust-coverage.yml
@@ -60,7 +60,7 @@ on:
 jobs:
 rust-coverage:
 name: Rust Coverage
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 steps:
 - name: Checkout repository (Handle all events)
 uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/score-pr-checks.yml b/.github/workflows/score-pr-checks.yml
index 4daa87c..7ee7020 100644
--- a/.github/workflows/score-pr-checks.yml
+++ b/.github/workflows/score-pr-checks.yml
@@ -18,7 +18,7 @@ on:
 jobs:
 bazel-module-name-check:
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 96fda4a..ff4fef9 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -34,7 +34,7 @@ on:
 jobs:
 static-analysis:
 name: Static Code Analysis
- runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
+ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.2
diff --git a/.github/workflows/template-sync.yml b/.github/workflows/template-sync.yml
index 6eb9c65..a03d040 100644
--- a/.github/workflows/template-sync.yml
+++ b/.github/workflows/template-sync.yml
@@ -30,7 +30,7 @@ on: jobs: repo-sync: - runs-on: ubuntu-latest + runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: contents: write pull-requests: write diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ce0742c..120a0e2 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -42,7 +42,7 @@ on: jobs: unit-tests: name: Test Execution - runs-on: ubuntu-latest + runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout repository (Handle all events) diff --git a/README.md b/README.md index e61e1a0..3e794c6 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Reusable GitHub Actions Workflows This repository contains **reusable GitHub Actions workflows** designed to standardize CI/CD processes across multiple repositories -in `SCORE`. +in `SCORE`. These workflows integrate with **Bazel** and provide a consistent way to run **documentation builds, license checks, static analysis, tests, formatting checks and copyright verification** ## Available Workflows @@ -33,7 +33,7 @@ To use a reusable workflow, create a workflow file inside **your repository** (e ### **1. Documentation Build Workflow** **Usage Example** -```yaml +```yaml name: Documentation CI on: @@ -53,9 +53,9 @@ jobs: ``` This workflow: -βœ… Builds project documentation -βœ… Uploads it as an artifact -βœ… Deploys it to **GitHub Pages** on push to `main` +βœ… Builds project documentation +βœ… Uploads it as an artifact +βœ… Deploys it to **GitHub Pages** on push to `main` --- 
@@ -79,8 +79,8 @@ jobs: This workflow: -βœ… Cleans up old documentation versions from the `gh-pages` branch -βœ… Runs daily at 2am UTC +βœ… Cleans up old documentation versions from the `gh-pages` branch +βœ… Runs daily at 2am UTC --- @@ -102,16 +102,16 @@ jobs: repo-url: "${{ github.server_url }}/${{ github.repository }}" # optional, this is the default bazel-target: "run //:license-check" # optional, this is the default secrets: - dash-api-token: ${{ secrets.ECLIPSE_GITLAB_API_TOKEN }} # mandatory - the Eclispe DASH API token + dash-api-token: ${{ secrets.ECLIPSE_GITLAB_API_TOKEN }} # mandatory - the Eclispe DASH API token ``` This workflow: -βœ… Runs **DASH license compliance checks** for **Rust, C++, and Python** -βœ… Uses the **organization secret** `ECLIPSE_GITLAB_API_TOKEN` +βœ… Runs **DASH license compliance checks** for **Rust, C++, and Python** +βœ… Uses the **organization secret** `ECLIPSE_GITLAB_API_TOKEN` βœ… Comments results directly on the **Pull Request** -> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. +> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. > **Default:** `run //:license-check` --- @@ -136,11 +136,11 @@ jobs: bazel-args: "--@aspect_rules_lint//lint:fail_on_violation=true" # optional ``` -This workflow: -βœ… Runs **Clippy** via Bazel on the selected targets -βœ… Publishes **Clippy reports** as an artifact -βœ… Fails the job if Bazel fails or if any Clippy report is non-empty -βœ… Writes a summary to the GitHub job summary +This workflow: +βœ… Runs **Clippy** via Bazel on the selected targets +βœ… Publishes **Clippy reports** as an artifact +βœ… Fails the job if Bazel fails or if any Clippy report is non-empty +βœ… Writes a summary to the GitHub job summary Inputs: - `bazel-targets`: Bazel targets to build (default: `//...`) 
@@ -165,10 +165,10 @@ jobs: uses: eclipse-score/cicd-workflows/.github/workflows/tests.yml@main ``` -This workflow: -βœ… Runs **GoogleTest** for C++ -βœ… Runs **Rust Unit Tests** -βœ… Runs **pytest** for Python +This workflow: +βœ… Runs **GoogleTest** for C++ +βœ… Runs **Rust Unit Tests** +βœ… Runs **pytest** for Python --- @@ -194,10 +194,10 @@ jobs: coverage-artifact-name: "rust-coverage-html" ``` -This workflow: -βœ… Runs **Rust tests** with coverage instrumentation -βœ… Generates **coverage reports** via Bazel -βœ… Uploads the **HTML coverage report** as an artifact +This workflow: +βœ… Runs **Rust tests** with coverage instrumentation +βœ… Generates **coverage reports** via Bazel +βœ… Uploads the **HTML coverage report** as an artifact --- @@ -242,11 +242,11 @@ jobs: bazel-target: "run //:copyright-check" # optional, this is the default ``` -This workflow: +This workflow: βœ… Runs a **Bazel-based copyright** βœ… Ensures all source files have **Eclipse Foundation** headers -> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. +> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. > **Default:** `run //:copyright-check` --- 
@@ -268,19 +268,19 @@ jobs: bazel-target: "test //:format.check" # optional, this is the default ``` -This workflow: -βœ… Runs a **Bazel-based formatting check** (e.g., `buildifier`, `clang-format`, etc.) -βœ… Can be integrated into Pull Requests and Merge Queues +This workflow: +βœ… Runs a **Bazel-based formatting check** (e.g., `buildifier`, `clang-format`, etc.) +βœ… Can be integrated into Pull Requests and Merge Queues βœ… Ensures code adheres to formatting rules before merge -> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. +> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. > **Default:** `test //:format.check` --- ### **10. Required Approvals Workflow** -This workflow enforces **stricter CODEOWNERS checks** than GitHub’s defaults. -Normally, GitHub requires approval from *any one* codeowner when multiple are listed. +This workflow enforces **stricter CODEOWNERS checks** than GitHub’s defaults. +Normally, GitHub requires approval from *any one* codeowner when multiple are listed. With this workflow, you can enforce that **all required teams approve** (or set a minimum count). **Usage Example** 
@@ -305,17 +305,17 @@ jobs: # org_name: qorix-group ``` -**Defaults** -- `org_name`: `score` -- `min_approvals`: `1` -- `approval_mode`: `ALL` -- `require_all_approvals_latest_commit`: always `true` +**Defaults** +- `org_name`: `score` +- `min_approvals`: `1` +- `approval_mode`: `ALL` +- `require_all_approvals_latest_commit`: always `true` -**Key Features** -βœ… Enforces that *all relevant CODEOWNERS* approve (`ALL` mode) -βœ… Invalidates approvals on new commits (`require_all_approvals_latest_commit`) -βœ… Works with **org secrets** (e.g. `SCORE_BOT_PAT`) that must have `repo` + `read:org` scopes -βœ… Compatible with branch protection rules β†’ can be marked as **required** +**Key Features** +βœ… Enforces that *all relevant CODEOWNERS* approve (`ALL` mode) +βœ… Invalidates approvals on new commits (`require_all_approvals_latest_commit`) +βœ… Works with **org secrets** (e.g. `SCORE_BOT_PAT`) that must have `repo` + `read:org` scopes +βœ… Compatible with branch protection rules β†’ can be marked as **required** --- @@ -378,14 +378,14 @@ jobs: bazel-docs-verify-target: "//:docs_check" # optional, default shown ``` -**Defaults** -- `bazel-docs-verify-target`: `//:docs_check` +**Defaults** +- `bazel-docs-verify-target`: `//:docs_check` -**Key Features** -βœ… Verifies documentation builds successfully -βœ… Uses Bazel-based documentation checks -βœ… Provides verification result as output -βœ… Integrates with Bazel shared caching for performance +**Key Features** +βœ… Verifies documentation builds successfully +βœ… Uses Bazel-based documentation checks +βœ… Provides verification result as output +βœ… Integrates with Bazel shared caching for performance --- 
@@ -413,15 +413,15 @@ jobs: build-script: "bazel build //..." # optional, default shown ``` -**Defaults** -- `build-script`: `bazel build //...` +**Defaults** +- `build-script`: `bazel build //...` -**Key Features** -βœ… Scans C/C++ code for security vulnerabilities and bugs -βœ… Applies MISRA C++ coding standards -βœ… Uploads SARIF results as artifacts -βœ… Integrates with GitHub Security tab -βœ… Supports custom Bazel build commands +**Key Features** +βœ… Scans C/C++ code for security vulnerabilities and bugs +βœ… Applies MISRA C++ coding standards +βœ… Uploads SARIF results as artifacts +βœ… Integrates with GitHub Security tab +βœ… Supports custom Bazel build commands --- @@ -445,16 +445,16 @@ jobs: **No inputs required** -**Key Features** -βœ… Validates Bazel module names follow the pattern `^score_[[:lower:]_]+$` -βœ… Ensures module names start with `score_` -βœ… Allows only lowercase letters and underscores -βœ… Skips validation if no `MODULE.bazel` file exists +**Key Features** +βœ… Validates Bazel module names follow the pattern `^score_[[:lower:]_]+$` +βœ… Ensures module names start with `score_` +βœ… Allows only lowercase letters and underscores +βœ… Skips validation if no `MODULE.bazel` file exists -**Examples of valid module names:** -- `score_cli` -- `score_compose` -- `score_web_api` +**Examples of valid module names:** +- `score_cli` +- `score_compose` +- `score_web_api` --- 
@@ -483,17 +483,17 @@ jobs: SCORE_APPROVALS_PAT: ${{ secrets.SCORE_APPROVALS_PAT }} ``` -**Defaults** -- `pr_title`: `[Template Sync] Upstream template update` -- `pr_commit_msg`: `chore(template): upstream template update` -- `template_sync_ignore_file_path`: `.github/.templatesyncignore` +**Defaults** +- `pr_title`: `[Template Sync] Upstream template update` +- `pr_commit_msg`: `chore(template): upstream template update` +- `template_sync_ignore_file_path`: `.github/.templatesyncignore` -**Key Features** -βœ… Automatically creates PRs with template updates -βœ… Respects `.templatesyncignore` file to exclude specific files -βœ… Uses `SCORE_APPROVALS_PAT` secret for authentication -βœ… Configurable PR titles and commit messages -βœ… Can be triggered on schedule or manually +**Key Features** +βœ… Automatically creates PRs with template updates +βœ… Respects `.templatesyncignore` file to exclude specific files +βœ… Uses `SCORE_APPROVALS_PAT` secret for authentication +βœ… Configurable PR titles and commit messages +βœ… Can be triggered on schedule or manually > ℹ️ **Note:** This workflow requires the `SCORE_APPROVALS_PAT` secret with appropriate permissions to create pull requests. @@ -521,13 +521,13 @@ jobs: working-directory: . ``` -**Defaults** -- `working-directory`: `.` +**Defaults** +- `working-directory`: `.` -This workflow: -βœ… Fails if `MODULE.bazel.lock` is missing -βœ… Runs `bazel mod tidy` -βœ… Fails if `MODULE.bazel` or `MODULE.bazel.lock` changes after tidy +This workflow: +βœ… Fails if `MODULE.bazel.lock` is missing +βœ… Runs `bazel mod tidy` +βœ… Fails if `MODULE.bazel` or `MODULE.bazel.lock` changes after tidy --- 
@@ -565,8 +565,8 @@ This setup significantly reduces CI build time and improves reuse across differe ### **Summary** -βœ… **Standardized** CI/CD workflows across all projects -βœ… **Reusable & Maintainable** with centralized updates +βœ… **Standardized** CI/CD workflows across all projects +βœ… **Reusable & Maintainable** with centralized updates βœ… **Bazel-powered** for consistent testing & analysis ## πŸƒβ€β™‚οΈ Runner Selection Logic 
@@ -574,16 +574,31 @@ This setup significantly reduces CI build time and improves reuse across differe All workflows in this repository use the following logic for selecting the runner: ```yaml -runs-on: ${{ vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} +runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} ``` This means: -- If your repository defines a variable named `REPO_RUNNER_LABELS` (e.g., in repository or organization settings), its value will be used as the runner label(s). +- If your repository defines a variable named `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` (e.g., in repository or organization settings), its value will be used as the runner label(s). This allows you to use **self-hosted runners** or any custom runner configuration. -- If `REPO_RUNNER_LABELS` is **not set**, the workflow will default to GitHub-hosted `ubuntu-latest`. +- If `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` is **not set**, the workflow will default to GitHub-hosted `ubuntu-latest`. -**Why?** +**Why?** This approach allows forked repositories or projects with special requirements to use their own runners, while everyone else gets a reliable default. -> ℹ️ **Tip:** To use a self-hosted runner, set the `REPO_RUNNER_LABELS` variable in your repository or organization settings to the label(s) of your runner. +> ℹ️ **Tip:** To use a self-hosted runner, set the `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` variable in your repository or organization settings to the label(s) of your runner. 
+ +### Runner labels variable naming convention + +Since it is very likely the case that different workflows will need different runners of different sizes, oses and architectures to be cost efficiently using the runner infrastructure the variable that specifies the runner labels shall follow this naming convention: + +`runner_labels___` + +As of today following runner label variables are supported: + +- runner_labels_gh-ub_standard_x64 + - os: gh-ub - GitHub Ubuntu latest OS image + - size: standard - Maps to the specs of the "Ubuntu latest" GitHub hosted runner + - architecture: x64 - Maps to the architecture of the standard "Ubuntu latest" GitHub hosted runner. The value is taken from the [GitHub hosted runners reference page](https://docs.github.com/en/actions/reference/runners/github-hosted-runners) + +Due to this new naming convention the variable **REPO_RUNNER_LABELS is deprecated** and will be removed eventually! From 0502d1a43598f6c9b7e53041f903b95848a7c270 Mon Sep 17 00:00:00 2001 From: Tomljenovic Marko Date: Tue, 10 Mar 2026 14:18:10 +0100 Subject: [PATCH 2/3] Fixed new lines --- README.md | 210 +++++++++++++++++++++++++++--------------------------- 1 file changed, 105 insertions(+), 105 deletions(-) diff --git a/README.md b/README.md index 3e794c6..a54e9d1 100644 --- a/README.md +++ b/README.md 
@@ -1,29 +1,29 @@ # Reusable GitHub Actions Workflows This repository contains **reusable GitHub Actions workflows** designed to standardize CI/CD processes across multiple repositories -in `SCORE`. +in `SCORE`. These workflows integrate with **Bazel** and provide a consistent way to run **documentation builds, license checks, static analysis, tests, formatting checks and copyright verification** ## Available Workflows -| Workflow | Description | -|-------------------------|--------------------------------------------------------------------| -| **Documentation Build** | Builds project documentation and deploys it to GitHub Pages | -| **Documentation Cleanup** | Cleans up old documentation versions from the `gh-pages` branch | -| **License Check** | Verifies OSS licenses and compliance | -| **Static Code Analysis**| Runs Clang-Tidy, Clippy, Pylint, and other linters | -| **Tests** | Executes tests using GoogleTest, Rust test, or pytest | -| **Rust Coverage** | Computes Rust code coverage and uploads HTML reports | -| **C++ Coverage** | Computes C++ code coverage using LCOV and uploads HTML reports | -| **Formatting Check** | Verifies code formatting using Bazel-based tools | -| **Copyright Check** | Ensures all source files have the required copyright headers | -| **Required Approvals** | Enforces stricter CODEOWNERS rules for multi-team approvals | -| **QNX Build (Gated)** | Builds QNX Bazel targets with environment-gated secrets for forks | -| **Documentation Verification** | Verifies documentation builds correctly and uploads results | -| **CodeQL Scan** | Performs security and quality analysis using GitHub CodeQL | -| **SCORE PR Checks** | Validates Bazel module naming conventions in pull requests | -| **Bzlmod Lockfile Check** | Enforces `MODULE.bazel.lock` consistency via `bazel mod tidy` | -| **Template Sync** | Synchronizes repository with eclipse-score/module_template | +| Workflow | Description | +| ------------------------------ | 
----------------------------------------------------------------- | +| **Documentation Build** | Builds project documentation and deploys it to GitHub Pages | +| **Documentation Cleanup** | Cleans up old documentation versions from the `gh-pages` branch | +| **License Check** | Verifies OSS licenses and compliance | +| **Static Code Analysis** | Runs Clang-Tidy, Clippy, Pylint, and other linters | +| **Tests** | Executes tests using GoogleTest, Rust test, or pytest | +| **Rust Coverage** | Computes Rust code coverage and uploads HTML reports | +| **C++ Coverage** | Computes C++ code coverage using LCOV and uploads HTML reports | +| **Formatting Check** | Verifies code formatting using Bazel-based tools | +| **Copyright Check** | Ensures all source files have the required copyright headers | +| **Required Approvals** | Enforces stricter CODEOWNERS rules for multi-team approvals | +| **QNX Build (Gated)** | Builds QNX Bazel targets with environment-gated secrets for forks | +| **Documentation Verification** | Verifies documentation builds correctly and uploads results | +| **CodeQL Scan** | Performs security and quality analysis using GitHub CodeQL | +| **SCORE PR Checks** | Validates Bazel module naming conventions in pull requests | +| **Bzlmod Lockfile Check** | Enforces `MODULE.bazel.lock` consistency via `bazel mod tidy` | +| **Template Sync** | Synchronizes repository with eclipse-score/module_template | --- @@ -33,7 +33,7 @@ To use a reusable workflow, create a workflow file inside **your repository** (e ### **1. Documentation Build Workflow** **Usage Example** -```yaml +```yaml name: Documentation CI on: @@ -53,9 +53,9 @@ jobs: ``` This workflow: -βœ… Builds project documentation -βœ… Uploads it as an artifact -βœ… Deploys it to **GitHub Pages** on push to `main` +βœ… Builds project documentation +βœ… Uploads it as an artifact +βœ… Deploys it to **GitHub Pages** on push to `main` --- 
@@ -79,8 +79,8 @@ jobs: This workflow: -βœ… Cleans up old documentation versions from the `gh-pages` branch -βœ… Runs daily at 2am UTC +βœ… Cleans up old documentation versions from the `gh-pages` branch +βœ… Runs daily at 2am UTC --- @@ -102,16 +102,16 @@ jobs: repo-url: "${{ github.server_url }}/${{ github.repository }}" # optional, this is the default bazel-target: "run //:license-check" # optional, this is the default secrets: - dash-api-token: ${{ secrets.ECLIPSE_GITLAB_API_TOKEN }} # mandatory - the Eclispe DASH API token + dash-api-token: ${{ secrets.ECLIPSE_GITLAB_API_TOKEN }} # mandatory - the Eclispe DASH API token ``` This workflow: -βœ… Runs **DASH license compliance checks** for **Rust, C++, and Python** -βœ… Uses the **organization secret** `ECLIPSE_GITLAB_API_TOKEN` +βœ… Runs **DASH license compliance checks** for **Rust, C++, and Python** +βœ… Uses the **organization secret** `ECLIPSE_GITLAB_API_TOKEN` βœ… Comments results directly on the **Pull Request** -> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. +> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. > **Default:** `run //:license-check` --- @@ -136,11 +136,11 @@ jobs: bazel-args: "--@aspect_rules_lint//lint:fail_on_violation=true" # optional ``` -This workflow: -βœ… Runs **Clippy** via Bazel on the selected targets -βœ… Publishes **Clippy reports** as an artifact -βœ… Fails the job if Bazel fails or if any Clippy report is non-empty -βœ… Writes a summary to the GitHub job summary +This workflow: +βœ… Runs **Clippy** via Bazel on the selected targets +βœ… Publishes **Clippy reports** as an artifact +βœ… Fails the job if Bazel fails or if any Clippy report is non-empty +βœ… Writes a summary to the GitHub job summary Inputs: - `bazel-targets`: Bazel targets to build (default: `//...`) 
@@ -165,10 +165,10 @@ jobs: uses: eclipse-score/cicd-workflows/.github/workflows/tests.yml@main ``` -This workflow: -βœ… Runs **GoogleTest** for C++ -βœ… Runs **Rust Unit Tests** -βœ… Runs **pytest** for Python +This workflow: +βœ… Runs **GoogleTest** for C++ +βœ… Runs **Rust Unit Tests** +βœ… Runs **pytest** for Python --- @@ -194,10 +194,10 @@ jobs: coverage-artifact-name: "rust-coverage-html" ``` -This workflow: -βœ… Runs **Rust tests** with coverage instrumentation -βœ… Generates **coverage reports** via Bazel -βœ… Uploads the **HTML coverage report** as an artifact +This workflow: +βœ… Runs **Rust tests** with coverage instrumentation +βœ… Generates **coverage reports** via Bazel +βœ… Uploads the **HTML coverage report** as an artifact --- @@ -242,11 +242,11 @@ jobs: bazel-target: "run //:copyright-check" # optional, this is the default ``` -This workflow: +This workflow: βœ… Runs a **Bazel-based copyright** βœ… Ensures all source files have **Eclipse Foundation** headers -> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. +> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. > **Default:** `run //:copyright-check` --- 
@@ -268,19 +268,19 @@ jobs: bazel-target: "test //:format.check" # optional, this is the default ``` -This workflow: -βœ… Runs a **Bazel-based formatting check** (e.g., `buildifier`, `clang-format`, etc.) -βœ… Can be integrated into Pull Requests and Merge Queues +This workflow: +βœ… Runs a **Bazel-based formatting check** (e.g., `buildifier`, `clang-format`, etc.) +βœ… Can be integrated into Pull Requests and Merge Queues βœ… Ensures code adheres to formatting rules before merge -> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. +> ℹ️ **Note:** You can override the Bazel command using the `bazel-target` input. > **Default:** `test //:format.check` --- ### **10. Required Approvals Workflow** -This workflow enforces **stricter CODEOWNERS checks** than GitHub’s defaults. -Normally, GitHub requires approval from *any one* codeowner when multiple are listed. +This workflow enforces **stricter CODEOWNERS checks** than GitHub’s defaults. +Normally, GitHub requires approval from *any one* codeowner when multiple are listed. With this workflow, you can enforce that **all required teams approve** (or set a minimum count). **Usage Example** 
@@ -305,17 +305,17 @@ jobs: # org_name: qorix-group ``` -**Defaults** -- `org_name`: `score` -- `min_approvals`: `1` -- `approval_mode`: `ALL` -- `require_all_approvals_latest_commit`: always `true` +**Defaults** +- `org_name`: `score` +- `min_approvals`: `1` +- `approval_mode`: `ALL` +- `require_all_approvals_latest_commit`: always `true` -**Key Features** -βœ… Enforces that *all relevant CODEOWNERS* approve (`ALL` mode) -βœ… Invalidates approvals on new commits (`require_all_approvals_latest_commit`) -βœ… Works with **org secrets** (e.g. `SCORE_BOT_PAT`) that must have `repo` + `read:org` scopes -βœ… Compatible with branch protection rules β†’ can be marked as **required** +**Key Features** +βœ… Enforces that *all relevant CODEOWNERS* approve (`ALL` mode) +βœ… Invalidates approvals on new commits (`require_all_approvals_latest_commit`) +βœ… Works with **org secrets** (e.g. `SCORE_BOT_PAT`) that must have `repo` + `read:org` scopes +βœ… Compatible with branch protection rules β†’ can be marked as **required** --- @@ -378,14 +378,14 @@ jobs: bazel-docs-verify-target: "//:docs_check" # optional, default shown ``` -**Defaults** -- `bazel-docs-verify-target`: `//:docs_check` +**Defaults** +- `bazel-docs-verify-target`: `//:docs_check` -**Key Features** -βœ… Verifies documentation builds successfully -βœ… Uses Bazel-based documentation checks -βœ… Provides verification result as output -βœ… Integrates with Bazel shared caching for performance +**Key Features** +βœ… Verifies documentation builds successfully +βœ… Uses Bazel-based documentation checks +βœ… Provides verification result as output +βœ… Integrates with Bazel shared caching for performance --- 
@@ -413,15 +413,15 @@ jobs: build-script: "bazel build //..." # optional, default shown ``` -**Defaults** -- `build-script`: `bazel build //...` +**Defaults** +- `build-script`: `bazel build //...` -**Key Features** -βœ… Scans C/C++ code for security vulnerabilities and bugs -βœ… Applies MISRA C++ coding standards -βœ… Uploads SARIF results as artifacts -βœ… Integrates with GitHub Security tab -βœ… Supports custom Bazel build commands +**Key Features** +βœ… Scans C/C++ code for security vulnerabilities and bugs +βœ… Applies MISRA C++ coding standards +βœ… Uploads SARIF results as artifacts +βœ… Integrates with GitHub Security tab +βœ… Supports custom Bazel build commands --- @@ -445,16 +445,16 @@ jobs: **No inputs required** -**Key Features** -βœ… Validates Bazel module names follow the pattern `^score_[[:lower:]_]+$` -βœ… Ensures module names start with `score_` -βœ… Allows only lowercase letters and underscores -βœ… Skips validation if no `MODULE.bazel` file exists +**Key Features** +βœ… Validates Bazel module names follow the pattern `^score_[[:lower:]_]+$` +βœ… Ensures module names start with `score_` +βœ… Allows only lowercase letters and underscores +βœ… Skips validation if no `MODULE.bazel` file exists -**Examples of valid module names:** -- `score_cli` -- `score_compose` -- `score_web_api` +**Examples of valid module names:** +- `score_cli` +- `score_compose` +- `score_web_api` --- 
@@ -483,17 +483,17 @@ jobs: SCORE_APPROVALS_PAT: ${{ secrets.SCORE_APPROVALS_PAT }} ``` -**Defaults** -- `pr_title`: `[Template Sync] Upstream template update` -- `pr_commit_msg`: `chore(template): upstream template update` -- `template_sync_ignore_file_path`: `.github/.templatesyncignore` +**Defaults** +- `pr_title`: `[Template Sync] Upstream template update` +- `pr_commit_msg`: `chore(template): upstream template update` +- `template_sync_ignore_file_path`: `.github/.templatesyncignore` -**Key Features** -βœ… Automatically creates PRs with template updates -βœ… Respects `.templatesyncignore` file to exclude specific files -βœ… Uses `SCORE_APPROVALS_PAT` secret for authentication -βœ… Configurable PR titles and commit messages -βœ… Can be triggered on schedule or manually +**Key Features** +βœ… Automatically creates PRs with template updates +βœ… Respects `.templatesyncignore` file to exclude specific files +βœ… Uses `SCORE_APPROVALS_PAT` secret for authentication +βœ… Configurable PR titles and commit messages +βœ… Can be triggered on schedule or manually > ℹ️ **Note:** This workflow requires the `SCORE_APPROVALS_PAT` secret with appropriate permissions to create pull requests. @@ -521,13 +521,13 @@ jobs: working-directory: . ``` -**Defaults** -- `working-directory`: `.` +**Defaults** +- `working-directory`: `.` -This workflow: -βœ… Fails if `MODULE.bazel.lock` is missing -βœ… Runs `bazel mod tidy` -βœ… Fails if `MODULE.bazel` or `MODULE.bazel.lock` changes after tidy +This workflow: +βœ… Fails if `MODULE.bazel.lock` is missing +βœ… Runs `bazel mod tidy` +βœ… Fails if `MODULE.bazel` or `MODULE.bazel.lock` changes after tidy --- 
@@ -565,8 +565,8 @@ This setup significantly reduces CI build time and improves reuse across differe ### **Summary** -βœ… **Standardized** CI/CD workflows across all projects -βœ… **Reusable & Maintainable** with centralized updates +βœ… **Standardized** CI/CD workflows across all projects +βœ… **Reusable & Maintainable** with centralized updates βœ… **Bazel-powered** for consistent testing & analysis ## πŸƒβ€β™‚οΈ Runner Selection Logic @@ -579,11 +579,11 @@ runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_label This means: -- If your repository defines a variable named `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` (e.g., in repository or organization settings), its value will be used as the runner label(s). +- If your repository defines a variable named `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` (e.g., in repository or organization settings), its value will be used as the runner label(s). This allows you to use **self-hosted runners** or any custom runner configuration. - If `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` is **not set**, the workflow will default to GitHub-hosted `ubuntu-latest`. -**Why?** +**Why?** This approach allows forked repositories or projects with special requirements to use their own runners, while everyone else gets a reliable default. > ℹ️ **Tip:** To use a self-hosted runner, set the `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` variable in your repository or organization settings to the label(s) of your runner. 
@@ -601,4 +601,4 @@ As of today following runner label variables are supported: - size: standard - Maps to the specs of the "Ubuntu latest" GitHub hosted runner - architecture: x64 - Maps to the architecture of the standard "Ubuntu latest" GitHub hosted runner. The value is taken from the [GitHub hosted runners reference page](https://docs.github.com/en/actions/reference/runners/github-hosted-runners) -Due to this new naming convention the variable **REPO_RUNNER_LABELS is deprecated** and will be removed eventually! +Due to this new naming convention the variable **REPO_RUNNER_LABELS is deprecated** and will be removed eventually! \ No newline at end of file From db9552253fd2d7712ef16777bd163865bd97a25c Mon Sep 17 00:00:00 2001 From: Tomljenovic Marko Date: Tue, 10 Mar 2026 15:41:30 +0100 Subject: [PATCH 3/3] Fix variable names --- .github/workflows/bzlmod-lock-check.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/copyright.yml | 2 +- .github/workflows/cpp-coverage.yml | 2 +- .github/workflows/docs-cleanup.yml | 2 +- .github/workflows/docs-verify.yml | 2 +- .github/workflows/docs.yml | 4 ++-- .github/workflows/format.yml | 2 +- .github/workflows/license-check.yml | 2 +- .github/workflows/local_on_pr.yml | 2 +- .github/workflows/qnx-build.yml | 2 +- .github/workflows/required-approvals.yml | 2 +- .github/workflows/rust-coverage.yml | 2 +- .github/workflows/score-pr-checks.yml | 2 +- .github/workflows/static-analysis.yml | 2 +- .github/workflows/template-sync.yml | 2 +- .github/workflows/tests.yml | 2 +- README.md | 12 ++++++------ 18 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/bzlmod-lock-check.yml b/.github/workflows/bzlmod-lock-check.yml index c6edb80..768e953 100644 --- a/.github/workflows/bzlmod-lock-check.yml +++ b/.github/workflows/bzlmod-lock-check.yml 
@@ -24,7 +24,7 @@ on: jobs: bzlmod-lock-check: - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout repository (Handle all events) uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 092b917..d9fd1c2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,7 +23,7 @@ on: jobs: analyze: name: Analyze (${{ matrix.language }}) - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: security-events: write packages: read diff --git a/.github/workflows/copyright.yml b/.github/workflows/copyright.yml index 8070c5c..69a0750 100644 --- a/.github/workflows/copyright.yml +++ b/.github/workflows/copyright.yml @@ -24,7 +24,7 @@ on: jobs: copyright-check: - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout repository uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/cpp-coverage.yml b/.github/workflows/cpp-coverage.yml index 63868d8..07ae9b5 100644 
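Review bot: The added `vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64)` term on the `runs-on` line of `bzlmod-lock-check` guards only against an unset variable, not a malformed one. If the variable holds something that is not valid JSON, such as a bare label without quotes, `fromJSON` should fail the job at expression evaluation rather than fall through to `REPO_RUNNER_LABELS` or `'ubuntu-latest'`. A comment above the line would make the expected format visible, for example `# value must be JSON: "my-label" or ["self-hosted", "linux"]` (sample values constructed for illustration). The same expression is repeated in every workflow hunk of this patch, so the comment applies to each of them; the job body continues outside the hunk.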
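Review bot: Nothing on the new `runs-on` line of `analyze` limits where a job holding `security-events: write` may run, since the runner is whatever the label variables resolve to. The same applies to the other privileged jobs in this patch: `docs-cleanup` and `docs-deploy` (`pages: write`), `license-check` (`pull-requests: write`, `issues: write`), `check-approvals` (`id-token: write`), `repo-sync` (`contents: write`, `pull-requests: write`) and `qnx-build` (bound to an `environment`). On a persistent self-hosted runner the job token and workspace residue can outlive the job, so I would state the requirement next to the line, e.g. `# privileged job: point the label variables only at ephemeral, isolated runners`. Whether `vars` is read from the calling repository or from this one is not visible in the hunk and is worth documenting, because it decides who can redirect these jobs.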
--- a/.github/workflows/cpp-coverage.yml +++ b/.github/workflows/cpp-coverage.yml @@ -63,7 +63,7 @@ permissions: jobs: coverage-report: name: C++ Coverage - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || inputs.runner-label }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || inputs.runner-label }} steps: - name: Checkout repository diff --git a/.github/workflows/docs-cleanup.yml b/.github/workflows/docs-cleanup.yml index f6480c8..5bee025 100644 --- a/.github/workflows/docs-cleanup.yml +++ b/.github/workflows/docs-cleanup.yml @@ -34,7 +34,7 @@ on: jobs: docs-cleanup: name: Cleanup old documentation - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: pages: write contents: write diff --git a/.github/workflows/docs-verify.yml b/.github/workflows/docs-verify.yml index 48aca9f..a323273 100644 --- a/.github/workflows/docs-verify.yml +++ b/.github/workflows/docs-verify.yml @@ -32,7 +32,7 @@ env: jobs: docs-verify: name: Docs Verification - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} outputs: verification-result: ${{ steps.verify.outcome }} permissions: 
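Review bot: In `coverage-report` the caller's explicit `inputs.runner-label` is the last operand of the `runs-on` chain, so either label variable silently overrides the runner the caller asked for. If the input is meant as an override, `inputs.runner-label ||` should move to the front of the expression; that only works when the input has no non-empty default, which is declared outside this hunk. If the current precedence is intended, a comment is enough: `# label variables take precedence over inputs.runner-label`.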
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1df4454..53b80d1 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -48,7 +48,7 @@ env: jobs: docs-build: name: Build Documentation - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: pull-requests: write contents: read @@ -169,7 +169,7 @@ jobs: docs-deploy: name: Deploy Documentation to GitHub Pages - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} needs: docs-build permissions: pages: write diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index dc5b0db..ef070c9 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -23,7 +23,7 @@ on: jobs: format-check: - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout repository uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index 1962173..6233ac8 100644 --- a/.github/workflows/license-check.yml 
+++ b/.github/workflows/license-check.yml @@ -32,7 +32,7 @@ on: jobs: license-check: - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: pull-requests: write issues: write diff --git a/.github/workflows/local_on_pr.yml b/.github/workflows/local_on_pr.yml index 52106bd..a5e0a52 100644 --- a/.github/workflows/local_on_pr.yml +++ b/.github/workflows/local_on_pr.yml @@ -20,7 +20,7 @@ jobs: self_test: name: πŸ”¬ Self Test - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: πŸ“₯ Check out uses: actions/checkout@v6 diff --git a/.github/workflows/qnx-build.yml b/.github/workflows/qnx-build.yml index 1d00715..4e80022 100644 --- a/.github/workflows/qnx-build.yml +++ b/.github/workflows/qnx-build.yml @@ -60,7 +60,7 @@ on: jobs: qnx-build: name: Build QNX target - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} environment: ${{ inputs.environment-name }} permissions: contents: read 
diff --git a/.github/workflows/required-approvals.yml b/.github/workflows/required-approvals.yml index 77eefd1..96e4060 100644 --- a/.github/workflows/required-approvals.yml +++ b/.github/workflows/required-approvals.yml @@ -22,7 +22,7 @@ on: jobs: check-approvals: - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: id-token: write contents: read diff --git a/.github/workflows/rust-coverage.yml b/.github/workflows/rust-coverage.yml index 7dbcaa6..3930ba5 100644 --- a/.github/workflows/rust-coverage.yml +++ b/.github/workflows/rust-coverage.yml @@ -60,7 +60,7 @@ on: jobs: rust-coverage: name: Rust Coverage - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout repository (Handle all events) uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/score-pr-checks.yml b/.github/workflows/score-pr-checks.yml index 7ee7020..79ec984 100644 --- a/.github/workflows/score-pr-checks.yml +++ b/.github/workflows/score-pr-checks.yml 
@@ -18,7 +18,7 @@ on: jobs: bazel-module-name-check: - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index ff4fef9..8bf3701 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -34,7 +34,7 @@ on: jobs: static-analysis: name: Static Code Analysis - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout repository uses: actions/checkout@v4.2.2 diff --git a/.github/workflows/template-sync.yml b/.github/workflows/template-sync.yml index a03d040..5dde85a 100644 --- a/.github/workflows/template-sync.yml +++ b/.github/workflows/template-sync.yml @@ -30,7 +30,7 @@ on: jobs: repo-sync: - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} permissions: contents: write pull-requests: write diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 120a0e2..a0b6962 100644 
--- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -42,7 +42,7 @@ on: jobs: unit-tests: name: Test Execution - runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} + runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} steps: - name: Checkout repository (Handle all events) diff --git a/README.md b/README.md index a54e9d1..691db54 100644 --- a/README.md +++ b/README.md 
@@ -574,19 +574,19 @@ This setup significantly reduces CI build time and improves reuse across differe All workflows in this repository use the following logic for selecting the runner: ```yaml -runs-on: ${{ vars.runner_labels_gh-ub_standard_x64 && fromJSON(vars.runner_labels_gh-ub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} +runs-on: ${{ vars.runner_labels_ghub_standard_x64 && fromJSON(vars.runner_labels_ghub_standard_x64) || vars.REPO_RUNNER_LABELS && fromJSON(vars.REPO_RUNNER_LABELS) || 'ubuntu-latest' }} ``` This means: -- If your repository defines a variable named `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` (e.g., in repository or organization settings), its value will be used as the runner label(s). +- If your repository defines a variable named `runner_labels_ghub_standard_x64` or `REPO_RUNNER_LABELS` (e.g., in repository or organization settings), its value will be used as the runner label(s). This allows you to use **self-hosted runners** or any custom runner configuration. -- If `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` is **not set**, the workflow will default to GitHub-hosted `ubuntu-latest`. +- If `runner_labels_ghub_standard_x64` or `REPO_RUNNER_LABELS` is **not set**, the workflow will default to GitHub-hosted `ubuntu-latest`. **Why?** This approach allows forked repositories or projects with special requirements to use their own runners, while everyone else gets a reliable default. -> ℹ️ **Tip:** To use a self-hosted runner, set the `runner_labels_gh-ub_standard_x64` or `REPO_RUNNER_LABELS` variable in your repository or organization settings to the label(s) of your runner. +> ℹ️ **Tip:** To use a self-hosted runner, set the `runner_labels_ghub_standard_x64` or `REPO_RUNNER_LABELS` variable in your repository or organization settings to the label(s) of your runner. ### Runner labels variable naming convention 
@@ -596,8 +596,8 @@ Since it is very likely the case that different workflows will need different ru As of today following runner label variables are supported: -- runner_labels_gh-ub_standard_x64 - - os: gh-ub - GitHub Ubuntu latest OS image +- runner_labels_ghub_standard_x64 + - os: ghub - GitHub Ubuntu latest OS image - size: standard - Maps to the specs of the "Ubuntu latest" GitHub hosted runner - architecture: x64 - Maps to the architecture of the standard "Ubuntu latest" GitHub hosted runner. The value is taken from the [GitHub hosted runners reference page](https://docs.github.com/en/actions/reference/runners/github-hosted-runners)