chore: refactor Updatecli gha workflow & fix zizmor config file #1069
olblak merged 7 commits into updatecli:main from
Signed-off-by: Olivier Vernin <me@olblak.com>
Pull request overview
Refactors the Updatecli configuration/workflows to change pipeline labeling/filtering, consolidate policy values, and adjust zizmor configuration.
Changes:
- Migrate Updatecli policy values from updatecli/values.d/* files into updatecli-compose.yaml.
- Rename Updatecli pipeline labels (e.g., monitoring:enabled → monitor:active) and update workflow label filters accordingly.
- Add a new “release” Updatecli workflow and loosen zizmor rule configuration.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| updatecli/values.d/npm.yaml | Removes NPM policy values file (intended move to compose inline values). |
| updatecli/values.d/nodejs.yaml | Removes Node.js policy values file (intended move to compose inline values). |
| updatecli/values.d/githubaction.yaml | Removes GitHub Actions policy values file (previously included digest config). |
| updatecli/updatecli.d/updatecli.yaml | Updates pipeline labels to new taxonomy (ecosystem, monitor, release). |
| updatecli-compose.yaml | Refactors policies to use inline values blocks and adds pipeline labels in compose. |
| .github/zizmor.yaml | Disables secrets-outside-env rule instead of using an allow-list. |
| .github/workflows/updatecli_update.yaml | Updates label selector to monitor:active. |
| .github/workflows/updatecli_release.yaml | Adds a new workflow intended for “release” labeled pipelines. |
| .github/workflows/updatecli.yaml | Removes release trigger from the main Updatecli workflow. |
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| name: Updatecli | ||
| on: | ||
| release: | ||
| workflow_dispatch: | ||
| schedule: | ||
| # Run at 12:00 every 14 days |
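Review bot: The schedule comment on the last line of this hunk promises a run "every 14 days", but the cron expression it describes is outside the visible context, and a day-of-month step in cron restarts on the 1st of each month, so it cannot give a fixed 14-day interval (a */14 step fires on days 1, 15 and 29). Check that the comment matches the expression, and state the timezone next to "12:00", since GitHub Actions evaluates schedules in UTC.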
Removing the on: release trigger means this repo will no longer run Updatecli automatically on GitHub Release events (and the new updatecli_release.yaml is not wired to release either). If Release events are still meant to drive updates, add an on: release trigger to the appropriate workflow (or document how repository_dispatch is fired from releases).
Description
Reorganise Updatecli workflow and labels to show meaningful information on udash
Test
To test this pull request, you can run the following commands:
Additional Information
Tradeoff
Potential improvement