DNM: switch shared-workflows branch to capture permissions usage patterns #2422

Draft
gforsyth wants to merge 1 commit into rapidsai:main from gforsyth:check-credentials-used

@gforsyth gforsyth commented May 27, 2026

Contributor

Running a quick test here to see if https://github.com/GitHubSecurityLab/actions-permissions work the way I think they do when using shared workflows.

copy-pr-bot Bot commented May 27, 2026


Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@gforsyth gforsyth added the DO NOT MERGE Hold off on merging; see PR for details label May 27, 2026
coderabbitai Bot commented May 27, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 04ed9cc0-6347-495d-bd68-445dab68971a

📥 Commits

Reviewing files that changed from the base of the PR and between 2154b3a and 1b3bc52.

📒 Files selected for processing (4)
  • .github/workflows/build.yaml
  • .github/workflows/pr.yaml
  • .github/workflows/test.yaml
  • .github/workflows/trigger-breaking-change-alert.yaml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/trigger-breaking-change-alert.yaml

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated CI workflow references to use monitored shared workflows across build, test, docs, and release pipelines, standardizing reusable workflow usage to improve consistency and reliability of builds and tests triggered by PRs and releases.

Walkthrough

Replace all reusable-workflow uses: refs from @main to @monitor-shared-workflows in GitHub Actions workflows: PR, build, test, and the breaking-change-alert trigger. No other job logic or public declarations changed.

Changes

Shared workflow ref updates

| Layer / File(s) | Summary |
| --- | --- |
| PR workflow reusable refs (.github/workflows/pr.yaml) | Updates uses: for pr-builder, changed-files, checks, conda C++/Python jobs, docs-build, wheel builds/tests, and devcontainer to @monitor-shared-workflows. |
| Build workflow reusable refs (.github/workflows/build.yaml) | Updates uses: for python-build, upload-conda, docs-build, wheel-build-cpp/python, and wheel-publish jobs to @monitor-shared-workflows. |
| Test workflow reusable refs (.github/workflows/test.yaml) | Updates uses: for cpp-tests, cpp-debug-tests, python-tests, and wheel-tests to @monitor-shared-workflows. |
| Breaking-change trigger ref (.github/workflows/trigger-breaking-change-alert.yaml) | Updates the breaking-change-alert reusable uses: reference to @monitor-shared-workflows. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

non-breaking, improvement

Suggested reviewers

  • bdice
  • KyleFromNVIDIA
  • jakirkham

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: switching shared-workflows references from @main to @monitor-shared-workflows branch to test permissions patterns. |
| Description check | ✅ Passed | The description is related to the changeset, explaining the purpose of testing shared-workflows permissions behavior with the actions-permissions tool. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.
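
An added example, not code from this PR or from CodeRabbit: a standard-library check that every remote reusable-workflow `uses:` in a workflow file points at the expected ref, which is what the walkthrough above describes for the switch from @main to @monitor-shared-workflows. The org, file names and job names in the sample are constructed placeholders, and both function names are hypothetical.

```python
import re

# Constructed sample workflow; the org, file names and job names are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  checks:
    uses: example-org/shared-workflows/.github/workflows/checks.yaml@monitor-shared-workflows
  conda-cpp-build:
    uses: example-org/shared-workflows/.github/workflows/conda-cpp-build.yaml@main
  docs-build:
    uses: example-org/shared-workflows/.github/workflows/custom-job.yaml@0123456789abcdef0123456789abcdef01234567
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  local:
    uses: ./.github/workflows/local.yaml
"""

# A reusable-workflow call is a job-level `uses:` naming a file under .github/workflows/.
REUSABLE = re.compile(
    r"^[ \t]*uses:[ \t]*['\"]?(?P<path>[^\s'\"@#]+/\.github/workflows/[^\s'\"@#]+)"
    r"(?:@(?P<ref>[^\s'\"#]+))?", re.MULTILINE)
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def audit_reusable_refs(text, expected_ref):
    """Return one finding per reusable-workflow call in a workflow file's text."""
    findings = []
    for m in REUSABLE.finditer(text):
        ref = m.group("ref")  # None for local ./.github/workflows/... calls
        if ref is None:
            kind = "local"
        elif FULL_SHA.fullmatch(ref):
            kind = "sha"
        else:
            kind = "mutable"  # branch or tag: content can change under the same name
        findings.append({"path": m.group("path"), "ref": ref, "kind": kind,
                         "matches_expected": ref == expected_ref})
    return findings


def stragglers(text, expected_ref):
    """Remote reusable-workflow calls that were not switched to expected_ref."""
    return [f for f in audit_reusable_refs(text, expected_ref)
            if f["kind"] != "local" and not f["matches_expected"]]
```

Jobs left on another ref do not run the monitored copies of the shared workflows, so their permission usage is absent from the collected results.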

@gforsyth gforsyth force-pushed the check-credentials-used branch from b5eba85 to 2738c82 Compare May 27, 2026 20:56
@gforsyth

Contributor Author

/ok to test

@gforsyth gforsyth changed the title DNM: switch shared-workflows branch to capture credential usage patterns DNM: switch shared-workflows branch to capture permissions usage patterns May 27, 2026
@gforsyth gforsyth closed this May 28, 2026
@gforsyth gforsyth reopened this May 28, 2026
@github-project-automation github-project-automation Bot moved this from Done to In Progress in RMM Project Board May 28, 2026
@gforsyth

Contributor Author

/ok to test

2 similar comments
@gforsyth

Contributor Author

/ok to test

@gforsyth

Contributor Author

/ok to test

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr.yaml:
- Around line 11-19: The current workflow defines a standalone monitor job (job
name "monitor") but does not run the GitHubSecurityLab/actions-permissions step
inside the "pr-builder" job or inside any reusable workflows it calls, so
permission usage from pr-builder isn't captured; fix by adding the
actions-permissions step (uses:
GitHubSecurityLab/actions-permissions/monitor@...) with the same config as a
step inside the pr-builder job (and inside any reusable workflows that run in
that job) so each job reports its token/API usage, then rely on the
Advisor/artifacts aggregation flow to collect results rather than depending on a
single dedicated monitor job.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 860750a3-a6e7-4a09-8aee-9b478556ebab

📥 Commits

Reviewing files that changed from the base of the PR and between 2738c82 and 88d5181.

📒 Files selected for processing (1)
  • .github/workflows/pr.yaml

Comment thread .github/workflows/pr.yaml Outdated
@gforsyth gforsyth force-pushed the check-credentials-used branch from 88d5181 to 2738c82 Compare May 28, 2026 14:26
@gforsyth gforsyth closed this May 28, 2026
@github-project-automation github-project-automation Bot moved this from In Progress to Done in RMM Project Board May 28, 2026
@gforsyth gforsyth reopened this May 28, 2026
@github-project-automation github-project-automation Bot moved this from Done to In Progress in RMM Project Board May 28, 2026
@gforsyth

Contributor Author

/ok to test

@gforsyth gforsyth closed this May 28, 2026
@github-project-automation github-project-automation Bot moved this from In Progress to Done in RMM Project Board May 28, 2026
@gforsyth gforsyth reopened this May 28, 2026
@github-project-automation github-project-automation Bot moved this from Done to In Progress in RMM Project Board May 28, 2026
@gforsyth

Contributor Author

/ok to test

1 similar comment
@gforsyth

Contributor Author

/ok to test

@gforsyth gforsyth closed this May 28, 2026
@github-project-automation github-project-automation Bot moved this from In Progress to Done in RMM Project Board May 28, 2026
@gforsyth gforsyth reopened this May 28, 2026
@github-project-automation github-project-automation Bot moved this from Done to In Progress in RMM Project Board May 28, 2026
@gforsyth

Contributor Author

/ok to test

@gforsyth gforsyth force-pushed the check-credentials-used branch from 2738c82 to 2154b3a Compare May 28, 2026 14:56
@gforsyth

Contributor Author

/ok to test

coderabbitai Bot commented May 28, 2026


Actionable comments posted: 0

@gforsyth gforsyth force-pushed the check-credentials-used branch from 2154b3a to 1b3bc52 Compare May 28, 2026 15:00
@gforsyth

Contributor Author

/ok to test

coderabbitai Bot commented May 28, 2026


Actionable comments posted: 0

@jameslamb jameslamb added breaking Breaking change and removed breaking Breaking change labels Jun 1, 2026