feat!: convert reusable workflows to composite actions #114
Merged
Move .github/workflows/updater.yml to updater/action.yml
Move .github/workflows/danger.yml to danger/action.yml
This preserves git history and makes the conversion diff clearer.
Content will be modified in next commit to convert to composite actions.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
e27799e to a1fa08e
Convert moved workflow files to proper composite action structure:
updater/action.yml:
- Convert workflow_call trigger to composite action metadata
- Flatten 3 jobs (cancel-previous-run, validate-inputs, update) into sequential steps
- Convert secrets.api-token to inputs.api-token
- Replace ${{ runner.temp }}/ghwf/... script paths with ${{ github.action_path }}/scripts/...
- Remove _workflow_version input (no longer needed with bundled scripts)
- Add proper shell declarations for all steps
- Update PR body reference to point to new action location
danger/action.yml:
- Convert workflow_call trigger to composite action metadata
- Remove _workflow_version input and wget script downloads
- Replace ${{ runner.temp }}/dangerfile.js with ${{ github.action_path }}/dangerfile.js
- Single job conversion to composite steps
- Add proper shell declaration for Docker step
Both actions now bundle scripts locally instead of downloading at runtime,
improving reliability and performance.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fix composite action issues identified in review:
1. updater/action.yml:
- Fix secrets.GITHUB_TOKEN reference to use inputs.api-token instead
- Composite actions cannot access secrets context directly
- GH_TOKEN now properly uses the api-token input parameter
2. danger/action.yml:
- Add volume mount for GitHub event file: --volume ${{ github.event_path }}:${{ github.event_path }}
- This ensures Danger has access to pull request context data
- Fixes 'Cannot read property pull_request of undefined' error
These changes resolve the CI test failures and address the security
concern raised by seer-by-sentry bot about incorrect secrets usage.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
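
The two defects these commits fix (a `secrets.*` reference inside a composite action, and `run` steps without a `shell`) can be caught before CI with a small lint. This is an added example, not code from the pull request; the function names and the sample action are constructed for illustration, and the parser assumes the conventional two-space-indented `action.yml` layout.

```python
import re

EXPR = re.compile(r"\$\{\{(.*?)\}\}")        # ${{ ... }} expressions
SECRET = re.compile(r"\bsecrets\.([\w-]+)")  # secrets.<name> inside an expression
KEY = re.compile(r"([\w-]+):")               # mapping key at the start of a line

def step_keys(lines):
    """Return [(line_no, {step-level keys})] for each entry under `steps:`."""
    steps, item_indent, in_steps = [], None, False
    for no, raw in enumerate(lines, 1):
        text, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not in_steps or not text or text.startswith("#"):
            in_steps = in_steps or text == "steps:"
            continue
        item_indent = indent if item_indent is None else item_indent
        if indent < item_indent:
            break                            # left the steps list
        if indent == item_indent and text.startswith("- "):
            steps.append((no, set()))
            text, indent = text[2:].lstrip(), indent + 2
        if steps and indent == item_indent + 2 and (m := KEY.match(text)):
            steps[-1][1].add(m.group(1))     # nested keys and script text are deeper
    return steps

def lint_composite_action(text):
    """Return sorted (line_no, message) findings for a composite action.yml."""
    lines = text.splitlines()
    if not any(re.match(r"\s*using:\s*['\"]?composite", l) for l in lines):
        return []                            # not a composite action
    findings = []
    for no, line in enumerate(lines, 1):
        for name in SECRET.findall(" ".join(EXPR.findall(line))):
            findings.append((no, f"secrets.{name}: no secrets context here, use an input"))
    for no, keys in step_keys(lines):
        if "run" in keys and "shell" not in keys:
            findings.append((no, "run step is missing a shell declaration"))
    return sorted(findings)

# Constructed sample, modelled on the faults the commit messages describe.
SAMPLE = """\
runs:
  using: composite
  steps:
    - name: Create PR
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: gh pr list
    - uses: actions/checkout@v4
"""
```
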
Fix final issues in composite action conversion:
1. updater/action.yml:
- Replace ssh-key parameter with token parameter in checkout steps
- Composite actions receive GitHub tokens as inputs, not SSH keys
- This fixes the 'Permission denied (publickey)' errors in CI
2. CHANGELOG.md:
- Add changelog entry for the workflow-to-composite-actions conversion
- Satisfies Danger JS changelog requirement
This resolves all remaining CI failures and addresses both the review
comments and the Danger JS requirements.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add minimal required permissions to address security alerts:
.github/workflows/workflow-tests.yml:
- contents: read (to read repository content)
- pull-requests: write (updater creates/updates PRs)
- issues: write (PRs are issues under the hood)
.github/workflows/danger-workflow-tests.yml:
- contents: read (to read repository content)
- pull-requests: read (danger reads PR details)
- issues: write (danger posts comments on PRs)
This follows the principle of least privilege by explicitly limiting
GITHUB_TOKEN permissions instead of using the broad default permissions.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Cleanup workflow-tests.yml to address code quality issues:
✨ Improvements:
- Move assertions to same job as action execution (faster feedback)
- Clear job names that describe test scenarios
- Replace cryptic bash regex with readable validation logic
- Add informative error messages showing actual vs expected values
- Use environment variables to make assertions more readable
- Remove complex job dependencies and output passing
🎯 Benefits:
- Tests fail faster with clearer error messages
- Each test scenario is self-contained and isolated
- Easier to understand what each test is validating
- Simpler workflow structure without complex needs/outputs
The tests now clearly separate 'PR creation' vs 'no-changes' scenarios
and provide much better debugging information when they fail.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Apply same cleanup principles to danger-workflow-tests.yml:
✨ Improvements:
- Move assertion to same job as action execution
- Clear job name describing test purpose
- Replace cryptic one-liner with readable validation logic
- Add informative error messages with debugging hints
- Use environment variables for better readability
- Remove unnecessary job dependencies
🎯 Benefits:
- Faster feedback on test failures
- Self-contained test that's easier to understand
- Better error messages explaining what might be wrong
- Consistent structure with updater workflow tests
The test now clearly validates that Danger runs successfully on PRs
and provides helpful debugging information when it fails.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Remove unnecessary 'name: Checkout repository' from workflow steps.
The actions/checkout@v4 action name is self-explanatory and doesn't need
additional naming. This reduces visual noise and keeps the focus on the
meaningful steps.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Move initial checkout step into both updater and danger composite actions
to match behavior of original reusable workflows. Remove redundant checkout
steps from test workflows since actions now handle this internally.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Add complete examples showing how to migrate from reusable workflows
to composite actions for both updater and danger workflows.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Create separate README files for updater and danger composite actions
with complete documentation, examples, and migration guides. Update
root README to link to the new documentation structure.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Replace local action paths with dynamic GitHub context variables
to test actions as external consumers would use them.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Use pull-requests: write instead of issues: write since Danger
posts PR comments, not issue comments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Use contents: write for updater (needs to modify files)
- Remove issues: write (not needed)
- Fix github.repository syntax issue in uses field
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

GitHub Actions context variables don't work in the uses field.
Added back checkout steps for local action execution.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Danger needs statuses: write to post commit status checks.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
a512a12 to 51fe02b
The cancel-workflow-action needs actions: write permission
to cancel previous workflow runs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Use GitHub's built-in concurrency control instead of third-party action.
This eliminates the need for actions: write permission and simplifies
the action implementation.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
…ncy" This reverts commit fa5fc82.
@sentry review
Document the specific GitHub permissions needed for each action
based on testing experience to prevent API permission errors.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Include required permissions directly in the example workflow code
for better visibility and easier copy-paste experience.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Use inputs.api-token instead of github.token in Danger Docker environment
- Replace $UID with $(id -u) for better portability across shell environments
These changes ensure token consistency and improve cross-platform compatibility.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Summary
Convert the updater and danger reusable workflows to composite actions to address script download reliability issues and simplify usage.
Key Changes
.github/workflows/updater.yml and .github/workflows/danger.yml with updater/action.yml and danger/action.yml composite actions
./updater, ./danger)
secrets.api-token to inputs.api-token for the updater action
_workflow_version parameter no longer needed
Breaking Changes
Before (reusable workflow):
After (composite action):
Benefits
Test Plan
Closes #113
🤖 Generated with Claude Code