ci: create separate workflows for code-quality #8

pmarusz · 2025-10-14T08:33:20Z

No description provided.

Copilot

Pull Request Overview

This PR restructures GitHub Actions workflows by creating separate, focused workflows for different CI/CD purposes while removing the monolithic previous approach.

Separates concerns into dedicated workflows for testing, code quality checks, builds, and releases
Introduces reusable action for test environment preparation
Streamlines build and release processes with better parameter handling

Reviewed Changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
`.github/workflows/run_tests.yml`	New workflow for unit and functional test execution with matrix strategy
`.github/workflows/pull_requests.yml`	Removed old pull request workflow
`.github/workflows/pull_request.yml`	New simplified pull request workflow for dev builds
`.github/workflows/publish_release.yml`	New workflow for handling release publishing
`.github/workflows/manual_release.yml`	Updated manual release workflow with new job structure
`.github/workflows/main.yml`	New main branch build workflow
`.github/workflows/dependency_review.yml`	New workflow for dependency security review
`.github/workflows/codeql.yml`	Simplified CodeQL workflow using reusable workflow
`.github/workflows/check_pr_format.yml`	New workflow for PR title and commit validation
`.github/workflows/check_code_standard.yml`	New workflow for code standard checks
`.github/workflows/build_upload_whl.yml`	Refactored build workflow with improved parameter handling
`.github/prepare_test_env/action.yml`	New reusable action for test environment setup
`.github/dependency_review.yml`	Configuration for dependency review settings
`.github/dependabot.yml`	New Dependabot configuration for dependency updates

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

.github/workflows/run_tests.yml

.github/workflows/build_upload_whl.yml

Signed-off-by: Maruszewski, Piotr <[email protected]>

.github/workflows/build_upload_whl.yml

+    name: ${{ inputs.JOB_NAME }}
    runs-on: ${{ inputs.RUNS_ON }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-tags: true
          fetch-depth: 0
-          path: ${{ inputs.SOURCE_PATH }}
          ref: ${{ inputs.BRANCH_NAME }}
+          repository: ${{ inputs.REPOSITORY_NAME }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ inputs.PYTHON_VERSION }}
          cache: 'pip'

-      - name: Version bumping
-        id: VERSION_BUMP
-        if: inputs.RELEASE_BUILD == true
-        env:
-          GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
-          GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
-          GIT_COMMITTER_NAME: ${{ inputs.GIT_USER }}
-          GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
-        shell: bash
-        run: |
-          python -m pip install --upgrade pip
-          python -m venv bump_version
-          source bump_version/bin/activate
-          pip install python-semantic-release~=10.2
-          pip install -r ${{ inputs.SOURCE_PATH }}/requirements-dev.txt
-          pip install ./${{ inputs.SOURCE_PATH }}
-          mfd-create-config-files --project-dir ./${{ inputs.SOURCE_PATH }}
-          cd ${{ inputs.SOURCE_PATH }}
-          version_after_bump=$(semantic-release version --print | tail -n 1 | tr -d '\n')
-          version_from_tag=$(git describe --tags --abbrev=0 | tr -d '\n' | sed 's/^v//')
-          echo "Version after semantic-release bump is: ${version_after_bump}"
-          echo "Version from tag: ${version_from_tag}"
-          # Only check version equality if RELEASE_BUILD is true
-          if [ "${{ inputs.RELEASE_BUILD }}" == "true" ]; then
-            if [ "$version_after_bump" == "$version_from_tag" ]; then
-              echo "Version would not change: version_after_bump=${version_after_bump}, version_from_tag=${version_from_tag}"
-              exit 1
-            fi
-          fi
-          semantic-release version --no-push --no-vcs-release
-          cat pyproject.toml
-          echo "version_after_bump=v${version_after_bump}" >> $GITHUB_OUTPUT
-      - name: Create virtual environment for whl creation
-        shell: bash
+      - name: Show python version
+        run: python --version
+
+      - name: Run mfd-create-config-files
        run: |
-          python -m venv whl_creation
-          source whl_creation/bin/activate
-          pip install build==1.2.2.post1
-          cd ${{ inputs.SOURCE_PATH }}
-          ../whl_creation/bin/python -m build --wheel --outdir ../whl_creation/dist
-          ls -l ../whl_creation/dist
+          pip install -r requirements-dev.txt
+          pip install .
+          mfd-create-config-files --project-dir .

-      - name: Determine if unit and functional tests should run
-        id: test_check
-        shell: bash
+      - name: Check if bump version is expected
        run: |
-          REPO_NAME=$(echo "${{ inputs.PROJECT_NAME }}")
-          echo "Repository name extracted: $REPO_NAME"
+          if [ "${{ inputs.RELEASE_BUILD }}" = "false" ]; then
+            COMMIT_MSG=$(git log -1 --pretty=%B)

-          UNIT_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/unit/test_$(echo "${REPO_NAME}" | tr '-' '_')"
-          FUNC_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/system/test_$(echo "${REPO_NAME}" | tr '-' '_')"
-          if [ -d "$UNIT_TEST_DIR" ]; then
-            echo "Unit tests directory exists: $UNIT_TEST_DIR"
-            echo "run_unit_tests=true" >> $GITHUB_OUTPUT
-          else
-            echo "Unit tests directory does not exist: $UNIT_TEST_DIR"
-            echo "run_unit_tests=false" >> $GITHUB_OUTPUT
-          fi
-          if [ -d "$FUNC_TEST_DIR" ]; then
-            echo "Functional tests directory exists: $FUNC_TEST_DIR"
-            echo "run_functional_tests=true" >> $GITHUB_OUTPUT
+            if echo "$COMMIT_MSG" | grep -Ei '^(docs|build|test|ci|refactor|perf|chore|revert):\s'; then
+              echo "CREATE_WHL=false" >> $GITHUB_ENV
+              echo "No version bump needed for commit message: $COMMIT_MSG, ending job"
+            else
+              echo "CREATE_WHL=true" >> $GITHUB_ENV
+              echo "Version bump needed for commit message: $COMMIT_MSG, continuing job"
+            fi
          else
-            echo "Functional tests directory does not exist: $FUNC_TEST_DIR"
-            echo "run_functional_tests=false" >> $GITHUB_OUTPUT
+            echo "Skipping potential bump version check for release build"
+            echo "CREATE_WHL=true" >> $GITHUB_ENV
          fi

-      - name: Install dependencies for tests
-        if: steps.test_check.outputs.run_unit_tests == 'true' || steps.test_check.outputs.run_functional_tests == 'true'
-        shell: bash
-        run: |
-          python -m venv test_env
-          source test_env/bin/activate
-          python -m pip install -r "${{ inputs.SOURCE_PATH }}/requirements.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-test.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-dev.txt"
-          python -m pip install ./${{ inputs.SOURCE_PATH }}
+      - name: Run python-semantic-release without version bump - force patch bump
+        if: env.CREATE_WHL == 'false'
+        uses: python-semantic-release/[email protected]
+        with:
+          build: true
+          vcs_release: false
+          push: false
+          strict: true
+          force: patch

-      - name: Run unit tests if test directory exists
-        if: steps.test_check.outputs.run_unit_tests == 'true'
-        shell: bash
-        run: |
-          source test_env/bin/activate
-          mfd-unit-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
+      - name: Run python-semantic-release
+        if: env.CREATE_WHL == 'true'
+        uses: python-semantic-release/[email protected]
+        with:
+          build: true
+          vcs_release: false
+          push: false
+          strict: true

-      - name: Run functional tests if test directory exists
-        if: steps.test_check.outputs.run_functional_tests == 'true'
+      - name: Check if .whl is installable
        shell: bash
        run: |
-          source test_env/bin/activate
-          mfd-system-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
+          python -m pip install dist/*.whl
+
      - name: Publish package distributions to PyPI
-        if: ${{ inputs.RELEASE_BUILD == true && inputs.UPLOAD_PACKAGE == true }}
+        if: ${{ inputs.RELEASE_BUILD == true && inputs.RELEASE_STEPS == true }}
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
-          packages-dir: 'whl_creation/dist'
+          packages-dir: 'dist'
          password: ${{ secrets.PYPI_TOKEN }}

      - name: Publish comment how to build .whl
-        if: inputs.RELEASE_BUILD == false
+        if: inputs.RELEASE_BUILD == false && (github.event.pull_request != null && github.event.pull_request.head.repo.full_name == github.repository) # skip for forks
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GH_TOKEN }}
          script: |
            const prNumber = context.payload.pull_request.number;
            const commentBody = "We don't publish DEVs .whl.\n To build .whl, run 'pip install git+https://github.com/${{ inputs.REPOSITORY_NAME }}@${{ inputs.BRANCH_NAME }}'";
-            await github.rest.issues.createComment({
+
+            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
-              body: commentBody
            });

-      - name: Push git tag after version bump
-        if: ${{ inputs.RELEASE_BUILD == true && inputs.PUSH_TAG == true }}
-        shell: bash
-        env:
-          GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
-          GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
-          GIT_COMMITTER_NAME: ${{ inputs.GIT_USER  }}
-          GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
-          version_after_bump: ${{ steps.VERSION_BUMP.outputs.version_after_bump }}
-        run: |
-          cd ${{ inputs.SOURCE_PATH }}
-          git push origin "${version_after_bump}"
+            const alreadyCommented = comments.some(comment => comment.body === commentBody);
+
+            if (!alreadyCommented) {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: commentBody
+              });


To resolve this issue, the workflow should explicitly specify the permissions block at the top level, or on relevant jobs, to restrict the default permissions of the GITHUB_TOKEN. For this particular workflow, we should set least-privilege permissions globally, and augment permissions for jobs/steps that require additional scopes.

Since the single job (build_whl) both checks out code (needs contents: read) and publishes pull request comments (needs pull-requests: write for actions/github-script), the safest fix is to put the following at the workflow root (before jobs:):

permissions: contents: read pull-requests: write

This solution provides only the privileges necessary and not more. The change should be made near the top, after name: and before on: or after on: (GitHub Actions supports both locations).

Summary of required changes:

Add a permissions block to .github/workflows/build_upload_whl.yml immediately after the workflow name and triggers (recommended after on:).

The block should grant contents: read and pull-requests: write (since the workflow publishes PR comments).

.github/workflows/check_code_standard.yml

+    strategy:
+      fail-fast: false
+      matrix:
+        python_version: ['3.10', '3.13']
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout this repository
+        uses: actions/checkout@v4
+        with:
+          path: current_repo
+      - uses: ./current_repo/.github/prepare_test_env
+        with:
+          PYTHON_VERSION: ${{ matrix.python_version }}
+      - name: Run mfd-code-standard
+        shell: bash
+        run: |
+          source ${{ github.workspace }}/${{ env.VIRTUALENV_PATH }}/*/activate
+          mfd-code-standard --project-dir ${{ github.workspace }}/${{ env.SOURCE_PATH }}


To fix this issue, you should explicitly declare a permissions block in the workflow YAML file to restrict the permissions granted to the GITHUB_TOKEN. Since the workflow steps shown only perform code checkout and code standard checking (no write actions such as deployments, issue or PR creation), the minimal required permission is likely contents: read. Add the following to the root of the workflow (after the name: and before the on: block for maximum clarity and coverage, meaning all jobs inherit these permissions unless otherwise overridden). No additional imports, methods, or formatting changes are required elsewhere; simply add the explicit permissions block.

.github/workflows/check_pr_format.yml

+    uses: intel/mfd/.github/workflows/check_pr_format.yml@main
+    with:
+      REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+      BRANCH_NAME: ${{ github.head_ref }}


To fix the problem, set a permissions block at either the workflow root or at the validate_pr_format job level. Since the only job in this workflow is a reusable workflow invocation, the best fix is to add a permissions key at the job level specifying minimal necessary permissions. If the reusable workflow only needs to read PR and branch information and does not use write operations, then contents: read is sufficient; if it requires writing to pull requests (e.g., posting comments/updates) then additionally specify pull-requests: write. The change should be applied within the validate_pr_format job in .github/workflows/check_pr_format.yml, right before or after the uses: line.

.github/workflows/dependency_review.yml

+
+jobs:
+  dependency_review:
+    uses: intel/mfd/.github/workflows/dependency_review.yml@main


The best way to fix this problem is to add a permissions: block to the workflow file .github/workflows/dependency_review.yml, at the root level (i.e., aligned with name: and on:). This will set explicit permissions for the GITHUB_TOKEN used by all jobs in the workflow unless overridden by the reusable workflow. In most cases for dependency review (read-only operations), contents: read is sufficient, but minimally you should set only the permissions required. This prevents the workflow from inheriting broad read-write privileges from the repository or organization.

File/region to change:

Add the permissions block after the name: and before on:, i.e., between lines 1 and 3.

What is needed:

Add the following lines:
permissions: contents: read
This sets the token's permissions for repository contents (the files in the repo) to read-only, which is generally sufficient for dependency review workflows.

.github/workflows/main.yml

+    strategy:
+      fail-fast: false
+      matrix:
+        python_version: ['3.10', '3.13']
+    if: github.actor != 'mfd-intel-bot'
+    uses: ./.github/workflows/build_upload_whl.yml
+    secrets:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+    with:
+      REPOSITORY_NAME: ${{ github.repository }}
+      BRANCH_NAME: ${{ github.ref_name }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+      RELEASE_BUILD: true
+      PROJECT_NAME: 'mfd-code-quality'


To fix the problem, add a permissions block at the root of the workflow file .github/workflows/main.yml to specify the required permissions for this workflow. Since most workflows need at least contents: read to check out code, this is a good minimal starting point. If the workflow or build_upload_whl.yml requires additional permissions (such as to publish packages, comment on pull requests, or write to the repository), these should be specified as narrowly as possible, but in the absence of that information we should set contents: read. Insert the block just below the workflow name: declaration and before on:.

.github/workflows/publish_release.yml

+    runs-on: ${{ inputs.RUNS_ON }}
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-tags: true
+        fetch-depth: 0
+        token: ${{ secrets.GH_TOKEN }}
+        ref: ${{ inputs.BRANCH_NAME }}
+        repository: ${{ inputs.REPOSITORY_NAME }}
+    - name: Run mfd-create-config-files
+      run: |
+        pip install -r requirements-dev.txt
+        pip install .
+        mfd-create-config-files --project-dir .
+    - name: Run python-semantic-release
+      id: semantic_release
+      uses: python-semantic-release/[email protected]
+      with:
+        build: false
+        vcs_release: true
+        push: true
+        commit: false
+        github_token: ${{ secrets.GH_TOKEN }}
+        strict: true
+        verbosity: 2
+    - name: Get old/new versions from semantic-release
+      run: |
+        echo "PREV_VERSION=${{ steps.semantic_release.outputs.previous_version }}" >> $GITHUB_ENV
+        echo "NEW_VERSION=${{ steps.semantic_release.outputs.version }}" >> $GITHUB_ENV
+    - name: Run mfd-delete-config-files
+      run: mfd-delete-config-files --project-dir .
+    - name: Update version in pyproject.toml
+      run: |
+        sed "s/$PREV_VERSION/$NEW_VERSION/" -i pyproject.toml
+    - name: Commit and push changes
+      run: |
+        git config --local user.email "[email protected]"
+        git config --local user.name "mfd-intel-bot"
+        git add pyproject.toml CHANGELOG.md
+        git commit -s -m "chore: Release v$NEW_VERSION"
+        git tag -f v$NEW_VERSION
+        git push origin ${{ inputs.BRANCH_NAME }} --force
+        git push origin v$NEW_VERSION --force


To resolve the issue, an explicit permissions block should be added to the workflow to specify the GITHUB_TOKEN scope for this job. This can be applied either at the root workflow level (for all jobs) or specifically for the push_release job (since there is only one job). As the job needs to push changes, create commits, tags, and interact with repository contents, it requires at least contents: write permission. If the workflow only pushes tags, releases, and to the branch, contents: write alone is minimally sufficient; further granularity (such as restricting to tags) is not available in GitHub Actions at the moment, so this is as least-privilege as possible for this scenario.
To implement this, add the following block:

permissions: contents: write

at the top level of the workflow (immediately after the name: or before/on line 23, for example).

.github/workflows/pull_request.yml

+    strategy:
+      fail-fast: false
+      matrix:
+        python_version: ['3.10', '3.13']
+    uses: ./.github/workflows/build_upload_whl.yml
+    secrets:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+    with:
+      REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+      BRANCH_NAME: ${{ github.head_ref }}
+      PYTHON_VERSION: ${{ matrix.python_version }}
+      PROJECT_NAME: 'mfd-code-quality'


To address the issue, add an explicit permissions block to the workflow. This can be set either at the root level (applies to all jobs lacking their own permissions stanza) or at the job level. Best practice is to add at root unless there’s a specific reason to restrict only certain jobs. Since the job likely needs read-only access to contents and possibly minimal rights for actions or pull-requests, the permissions block should specify the minimum required. Based on the job name ("Dev Build") and its configuration (building a wheel via a reusable workflow), there's no evidence it needs writable access, so start with contents: read. If you discover that the workflow pushes changes, uploads artifacts to the repo, or interacts with pull requests, you may add pull-requests: write as needed.

Change required:
In .github/workflows/pull_request.yml, add a permissions: stanza after the name: field and before on:. For most build/test workflows, start with:

permissions: contents: read

If you later determine it needs more, adjust accordingly.

.github/workflows/run_tests.yml

+    runs-on: "ubuntu-latest"
+    outputs:
+      run_unit_tests: ${{ steps.tests_path_existence.outputs.run_unit_tests }}
+      run_functional_tests: ${{ steps.tests_path_existence.outputs.run_functional_tests }}
+    steps:
+    - name: Checkout this repository
+      uses: actions/checkout@v4
+      with:
+        path: ${{ env.SOURCE_PATH }}
+    - name: Determine if unit and functional tests should run
+      id: tests_path_existence
+      shell: bash
+      run: |
+          UNIT_TEST_DIR="${{ env.SOURCE_PATH }}/tests/unit/test_$(echo "${{ env.PROJECT_NAME }}" | tr '-' '_')"
+          FUNC_TEST_DIR="${{ env.SOURCE_PATH }}/tests/system/test_$(echo "${{ env.PROJECT_NAME }}" | tr '-' '_')"
+
+          if [ -d "$UNIT_TEST_DIR" ]; then
+          echo "Unit tests directory exists: $UNIT_TEST_DIR"
+          echo "run_unit_tests=true" >> $GITHUB_OUTPUT
+          else
+          echo "Unit tests directory does not exist: $UNIT_TEST_DIR"
+          echo "run_unit_tests=false" >> $GITHUB_OUTPUT
+          fi
+
+          if [ -d "$FUNC_TEST_DIR" ]; then
+          echo "Functional tests directory exists: $FUNC_TEST_DIR"
+          echo "run_functional_tests=true" >> $GITHUB_OUTPUT
+          else
+          echo "Functional tests directory does not exist: $FUNC_TEST_DIR"
+          echo "run_functional_tests=false" >> $GITHUB_OUTPUT
+          fi
+
+  run_ft_tests:


To fix this issue, we must explicitly add a permissions block to the workflow. Since none of the jobs require write access to the repository or to pull requests or issues, the minimal permission set is contents: read. The best-practice approach is to set permissions: { contents: read } at the top/root level of the workflow (i.e., as a sibling to name, on, and env), so it will apply by default to all jobs unless a job overrides it.

To implement this, insert the following lines directly after the name (line 1), and before on (line 3):

permissions: contents: read

No additional methods, imports, or definitions are required.

.github/workflows/run_tests.yml

+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        python_version: ['3.10', '3.13']
+    name: run_ft_tests_${{ matrix.os }}
+    needs: get_tests_to_run
+    if: ${{ needs.get_tests_to_run.outputs.run_functional_tests == 'true' }}
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Checkout this repository
+      uses: actions/checkout@v4
+      with:
+        path: current_repo
+    - uses: ./current_repo/.github/prepare_test_env
+      with:
+        PYTHON_VERSION: ${{ matrix.python_version }}
+    - name: Run Functional Tests
+      shell: bash
+      run: |
+        source ${{ env.VIRTUALENV_PATH }}/*/activate
+        pushd ${{ env.SOURCE_PATH }}
+        mfd-system-tests --project-dir .
+
+  run_ut_tests:


To fix the issue, we should add a permissions block to the workflow. Since none of the jobs require write access to repository resources, permissions can be set to the minimal recommended value: contents: read. This block should be placed at the root level of the workflow, so that it applies to all jobs by default, unless overridden. No other changes to the workflow logic or steps are required. Only the addition of a root-level permissions block is needed.

.github/workflows/run_tests.yml

+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        python_version: ['3.10', '3.13']
+    name: run_ut_tests_${{ matrix.os }}
+    needs: get_tests_to_run
+    if: ${{ needs.get_tests_to_run.outputs.run_unit_tests == 'true' }}
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Checkout this repository
+      uses: actions/checkout@v4
+      with:
+        path: current_repo
+    - uses: ./current_repo/.github/prepare_test_env
+      with:
+        PYTHON_VERSION: ${{ matrix.python_version }}
+    - name: Run Unit Tests
+      shell: bash
+      run: |
+        source ${{ env.VIRTUALENV_PATH }}/*/activate
+        python --version
+        pushd ${{ env.SOURCE_PATH }}
+        mfd-unit-tests-with-coverage --project-dir .
+
+    - name: Coveralls GitHub Action
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b #v2.3.6


To fix the issue, add a permissions: contents: read block at the root level of the workflow YAML file, immediately below the name: field (and above on:). This will apply minimal permissions to all jobs in the workflow, limiting what the generated GITHUB_TOKEN can do. No jobs in this workflow appear to need more than read access to the repo's contents, so this suffices. If any job needs broader permissions in the future, an explicit job-level override can be added.

Steps:

In .github/workflows/run_tests.yml, after the name: field and before on:, add:
permissions: contents: read

No new imports, definitions, or package installations are necessary.

mfd-intel-bot · 2025-10-14T08:38:38Z

We don't publish DEVs .whl.
To build .whl, run 'pip install git+https://github.com/intel/mfd-code-quality@update-workflow-new-pr'

Copilot

Pull Request Overview

Copilot reviewed 14 out of 15 changed files in this pull request and generated 4 comments.

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

.github/workflows/run_tests.yml

.github/workflows/check_code_standard.yml

.github/prepare_test_env/action.yml

.github/workflows/build_upload_whl.yml

Copilot AI review requested due to automatic review settings October 14, 2025 08:33

Copilot AI reviewed Oct 14, 2025

View reviewed changes

.github/workflows/run_tests.yml Show resolved Hide resolved

.github/workflows/run_tests.yml Show resolved Hide resolved

.github/workflows/build_upload_whl.yml Outdated Show resolved Hide resolved

.github/workflows/build_upload_whl.yml Show resolved Hide resolved

ci: create separate workflows for code-quality

e466d83

Signed-off-by: Maruszewski, Piotr <[email protected]>

pmarusz force-pushed the update-workflow-new-pr branch from bb45ccb to e466d83 Compare October 14, 2025 08:37

intel deleted a comment from mfd-intel-bot Oct 14, 2025

github-advanced-security bot found potential problems Oct 14, 2025

View reviewed changes

adrianlasota requested a review from Copilot October 14, 2025 10:18

Copilot AI reviewed Oct 14, 2025

View reviewed changes

.github/workflows/run_tests.yml Show resolved Hide resolved

.github/workflows/check_code_standard.yml Show resolved Hide resolved

.github/prepare_test_env/action.yml Show resolved Hide resolved

.github/workflows/build_upload_whl.yml Show resolved Hide resolved

adrianlasota approved these changes Oct 14, 2025

View reviewed changes

mchromin approved these changes Oct 14, 2025

View reviewed changes

mchromin merged commit fa06a44 into main Oct 14, 2025
17 checks passed

@@ -1,5 +1,7 @@
             name: Publish Release
+            permissions:
+              contents: write
             on:
               workflow_call:
                 secrets:
@@ -19,7 +21,6 @@
                     description: 'Branch name to checkout'
                     required: true
                     type: string
             jobs:
               push_release:
                 runs-on: ${{ inputs.RUNS_ON }}

@@ -1,5 +1,8 @@
             name: Run Tests (ut + ft)
+            permissions:
+              contents: read
             on:
               pull_request:
                 types: [opened, synchronize]

ci: create separate workflows for code-quality #8

ci: create separate workflows for code-quality #8

Uh oh!

Conversation

pmarusz commented Oct 14, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

mfd-intel-bot commented Oct 14, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants