separating pipeline #718
separating pipeline #718
Conversation
…unnecessary exclusions in config
![hyperspace-insights[bot]](https://avatars.githubusercontent.com/u/2531208?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary
This pull request has critical configuration issues in .github/workflows/ci-main.yml. The workflow was renamed and changed to "CodeQL Advanced" but still contains all the original CI jobs (build, integration-tests, sonarqube-scan, deploy-snapshot) while removing the environment variables they depend on (MAVEN_VERSION, SONARQ_TOKEN, GITHUB_TOKEN, cloud storage credentials). Additionally, several job conditions reference pull_request_target events that are no longer in the workflow triggers. These issues will cause immediate workflow failures when the CI jobs attempt to run.
PR Bot Information
Version: 1.17.30 | 📖 Documentation | 🚨 Create Incident | 💬 Feedback
- Correlation ID:
18b8de20-f831-11f0-900d-2f929a99e504 - LLM:
anthropic--claude-4.5-sonnet - Event Trigger:
pull_request.opened
.github/workflows/ci-main.yml
Outdated
| runs-on: ubuntu-latest | ||
| timeout-minutes: 30 | ||
| name: "Waiting for PR approval as this workflow runs on pull_request_target" | ||
| if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login != 'cap-java' |
There was a problem hiding this comment.
Logic Error: Job condition references pull_request_target but workflow doesn't trigger on it
The requires-approval job checks for github.event_name == 'pull_request_target', but the workflow's on: trigger (lines 14-18) only includes push and schedule events—not pull_request_target. This job will always be skipped, and the name is misleading for a workflow that runs on push to main and scheduled.
Consider removing this job or updating the trigger to include pull_request_target events if approval is needed.
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
.github/workflows/ci-main.yml
Outdated
| # the `language` matrix defined below to confirm you have the correct set of | ||
| # supported CodeQL languages. | ||
| # | ||
| name: "CodeQL Advanced" |
There was a problem hiding this comment.
Naming: Workflow name "CodeQL Advanced" doesn't match actual job content
The workflow is named "CodeQL Advanced" with template comments about CodeQL analysis, but it actually contains CI jobs (build, integration-tests, sonarqube-scan, deploy-snapshot) and no CodeQL analysis job. This is misleading and will confuse maintainers.
Consider renaming to "CI - Main Branch" or similar to reflect the actual purpose, or splitting CodeQL into a separate workflow.
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
.github/workflows/ci-pr.yml
Outdated
| java-version: 17 | ||
| maven-version: ${{ env.MAVEN_VERSION }} | ||
| sonarq-token: ${{ env.SONARQ_TOKEN }} | ||
| github-token: ${{ env.GITHUB_TOKEN }} No newline at end of file |
There was a problem hiding this comment.
Bug: Missing newline at end of file
The file ends without a newline character after line 111. While this doesn't cause functional issues in YAML, it violates POSIX standards and many linters flag this.
Consider adding a newline at the end of the file.
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
.github/workflows/ci-main.yml
Outdated
| sonarq-token: ${{ env.SONARQ_TOKEN }} | ||
| github-token: ${{ env.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Logic Error: Missing environment variables for SonarQube scan
The SonarQube scan job references ${{ env.SONARQ_TOKEN }} and ${{ env.GITHUB_TOKEN }} at lines 102-103, but these environment variables were removed from the workflow definition. This will cause the scan to fail or be skipped.
Consider adding back the required environment variables:
env:
SONARQ_TOKEN: ${{ secrets.SONARQ_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
| - name: Set up Maven ${{ env.MAVEN_VERSION }} | ||
| uses: stCarolas/setup-maven@v5 | ||
| with: | ||
| maven-version: ${{ env.MAVEN_VERSION }} |
There was a problem hiding this comment.
Logic Error: Missing MAVEN_VERSION for deploy-snapshot job
The deploy-snapshot job references ${{ env.MAVEN_VERSION }} at line 128, but this environment variable is not defined in the workflow. This will cause Maven setup to fail or use an unintended version.
Consider adding MAVEN_VERSION to the workflow's env section.
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
.github/workflows/ci-main.yml
Outdated
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| branches: [main] | ||
| pull_request_target: | ||
| branches: [main] | ||
| types: [reopened, synchronize, opened] | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '24 18 * * 2' |
There was a problem hiding this comment.
Logic Error: Missing all environment variables needed by CI jobs
The workflow name was changed to "CodeQL Advanced" but still contains build, integration-tests, and other CI jobs that require environment variables like MAVEN_VERSION, SONARQ_TOKEN, GITHUB_TOKEN, and cloud storage credentials. All these env variables were removed from the top of the file (previously defined in lines with AWS_S3_, AZURE_, GS_*, etc.), causing all downstream jobs to fail.
Consider either: (1) Restoring the env section with all required variables, or (2) Removing the CI jobs if this should be a CodeQL-only workflow.
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
.github/workflows/ci-main.yml
Outdated
| requires-approval: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 30 | ||
| name: "Waiting for PR approval as this workflow runs on pull_request_target" | ||
| if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login != 'cap-java' | ||
| environment: pr-approval |
There was a problem hiding this comment.
Bug: Inconsistent event trigger check
The condition checks for pull_request_target but the workflow only triggers on push to main and schedule. Since this workflow never runs on pull_request_target events (per lines 15-18), this condition will always evaluate to false, making the requires-approval job redundant.
Consider removing this job entirely from ci-main.yml since it's a push/schedule workflow, not a PR workflow.
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
|
|
||
| - name: Set Dry Run for Pull Request | ||
| if: github.event_name == 'pull_request' | ||
| if: github.event_name == 'pull_request_target' |
There was a problem hiding this comment.
Logic Error: Incorrect event type in conditional
This condition checks for pull_request but the ci-main.yml workflow doesn't trigger on any pull request events (only push and schedule per lines 15-18). Additionally, line 131 was changed from pull_request to pull_request_target for consistency, but since this workflow doesn't trigger on either event type, the DRY_RUN_PARAM will never be set.
Consider removing this step entirely from ci-main.yml since snapshots from push to main should deploy normally, not as dry runs.
Please provide feedback on the review comment by checking the appropriate box:
- 🌟 Awesome comment, a human might have missed that.
- ✅ Helpful comment
- 🤷 Neutral
- ❌ This comment is not helpful
…t variable organization
…ne workflow for improved build and deployment processes
Separating CI Pipelines for Main and Pull Request Workflows
Changes
This pull request restructures the CI/CD workflows by splitting the monolithic pipeline into separate workflows for main branch, pull requests, and releases.
.github/workflows/ci-main.yml: Renamed and simplified to focus on main branch operations. Removed PR-specific triggers (pull_request_target) and workflow dispatch. Removed Blackduck scanning step. Updated deployment credentials to usesecretsdirectly instead of environment variables. Consolidated multi-line Maven command into a single line..github/workflows/ci-pr.yml: New file created specifically for pull request workflows. Contains all PR-specific logic including approval gates, build matrix for Java 17 and 21, integration tests across multiple configurations (build-version, latest-version, oss), SonarQube scanning, and build artifact management. Triggers onpull_request_targetandworkflow_dispatchevents..github/workflows/ci-pr-codeql.yml: Renamed with adjusted triggers. Removedpull_requesttrigger, keeping only scheduled scans and main branch pushes..github/workflows/ci-release.yml: Renamed without content changes, maintaining release-specific workflow logic..pipeline/config.yml: Updated Black Duck scan configuration to disable artifact installation (installArtifacts: false).pom.xml: Removedcds-feature-attachments-fsfrom the excluded artifacts list in the central publishing plugin configuration.samples/bookshop/pom.xml: Replaced parameterized${revision}version with hardcoded1.0.0-SNAPSHOT. Removed therevisionproperty definition from properties section.samples/bookshop/srv/pom.xml: Updated parent version from${revision}to hardcoded1.0.0-SNAPSHOT.