Add nightly CI workflow building against WLED main #6
Clones wled/WLED on each run and builds the usermod against it via a file:// custom_usermods entry. Runs on push, PR, nightly schedule, and manual dispatch so API regressions are caught within 24 hours.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Walkthrough: Adds a GitHub Actions workflow that builds this usermod against the upstream WLED repository on pushes, pull requests, nightly (04:00 UTC), and manual dispatch. The job checks out both repos, caches PlatformIO packages, installs PlatformIO, writes a platformio override enabling a
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/build.yml (1)
34-35: Quick win: Consider pinning the Python version for reproducibility.
The workflow relies on the default Python version in ubuntu-latest, which could change over time. Explicitly setting up Python ensures consistent behavior across builds.
🐍 Proposed addition to pin Python version
+ - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + - name: Install PlatformIO run: pip install platformio
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build.yml around lines 34 - 35, The workflow currently installs PlatformIO without pinning Python; update the GitHub Actions job by adding a setup step before the "Install PlatformIO" step that uses actions/setup-python (e.g., actions/setup-python@v4) and sets a fixed python-version (like "3.11" or your chosen version), so the "Install PlatformIO" run step (named "Install PlatformIO") executes on a pinned Python runtime for reproducible builds.
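Review bot: The proposed diff and the agent prompt beneath it disagree on what gets pinned: the diff adds `actions/setup-python@v5` with `python-version: '3.12'`, while the prompt says to use actions/setup-python@v4 and "3.11" (or a chosen version). Whichever is intended, make the two agree so that the step somebody applies from this comment pins the same runtime that was reviewed.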
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build.yml:
- Line 17: The workflow uses unpinned action references like
"actions/checkout@v6" (and the other unpinned "uses:" entries flagged) — pin
each external action to its specific commit SHA instead of a semantic tag to
prevent supply-chain risks; update the "uses: actions/checkout@v6" entry to
"uses: actions/checkout@<commit-sha>" and do the same for the other unpinned
actions, and add a comment preserving the original semantic version (e.g., "#
actions/checkout@v6.0.0") so reviewers know which release the SHA corresponds
to.
- Around line 16-25: Update the two checkout steps that use actions/checkout@v6
(the steps named "Checkout usermod" and "Checkout WLED") to explicitly set
persist-credentials: false; locate the steps that use "uses:
actions/checkout@v6" and add the key persist-credentials: false under their
with: block so the GitHub token is not written into .git/config and cannot be
leaked via artifacts or logs.
---
Nitpick comments:
In @.github/workflows/build.yml:
- Around line 34-35: The workflow currently installs PlatformIO without pinning
Python; update the GitHub Actions job by adding a setup step before the "Install
PlatformIO" step that uses actions/setup-python (e.g., actions/setup-python@v4)
and sets a fixed python-version (like "3.11" or your chosen version), so the
"Install PlatformIO" run step (named "Install PlatformIO") executes on a pinned
Python runtime for reproducible builds.
```yaml
    steps:
      - name: Checkout usermod
        uses: actions/checkout@v6
```
Consider pinning actions to SHA hashes for supply chain security.
The workflow uses semantic version tags (@v6, @v5) rather than pinned commit SHAs. While semantic versions are more maintainable and receive automatic security updates, pinning to SHAs provides immutable references that prevent potential supply chain attacks if a tag is moved or compromised.
For production workflows, consider pinning to specific commit SHAs with comments noting the version:
```yaml
# actions/checkout@v6.0.0
uses: actions/checkout@f4320f289a07f...
```
Note: This is a security trade-off. Since this is a template workflow, semantic versions may be more user-friendly. Evaluate based on your security requirements.
As per static analysis hint from zizmor: unpinned action reference (unpinned-uses).
Also applies to: 22-22, 28-28
🧰 Tools
🪛 zizmor (1.25.2)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build.yml at line 17, The workflow uses unpinned action
references like "actions/checkout@v6" (and the other unpinned "uses:" entries
flagged) — pin each external action to its specific commit SHA instead of a
semantic tag to prevent supply-chain risks; update the "uses:
actions/checkout@v6" entry to "uses: actions/checkout@<commit-sha>" and do the
same for the other unpinned actions, and add a comment preserving the original
semantic version (e.g., "# actions/checkout@v6.0.0") so reviewers know which
release the SHA corresponds to.
Consider it considered. ;)
I think in this case we're better served to accept updates from upstream - in the context of smoke-test CI like this, I'm not too worried about supply chain attacks.
@willmmiles — Totally fair! For a template smoke-test workflow where staying current with upstream matters more than supply-chain immutability, semantic version tags are the right call. Acknowledged and moving on. 🐇
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/build.yml (1)
36-37: Potential issue | Minor | Quick win: Pin PlatformIO to a fixed version for reproducible builds.
`pip install platformio` will pull whatever is latest, which can change PlatformIO behavior over time. The latest stable PlatformIO Core is 6.1.19 (Feb 4, 2026); pin to it (e.g., `pip install platformio==6.1.19`) or restrict to a specific 6.1.x line.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build.yml around lines 36 - 37, Update the "Install PlatformIO" step so the pip invocation pins PlatformIO to a fixed version; replace the current pip install command (the run command under the step named "Install PlatformIO") with a pinned version like pip install platformio==6.1.19 (or restrict to a 6.1.x line) to ensure reproducible CI builds.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/build.yml:
- Around line 36-37: Update the "Install PlatformIO" step so the pip invocation
pins PlatformIO to a fixed version; replace the current pip install command (the
run command under the step named "Install PlatformIO") with a pinned version
like pip install platformio==6.1.19 (or restrict to a 6.1.x line) to ensure
reproducible CI builds.
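The three points raised across the review comments above (unpinned `uses:` tags, checkout steps that leave `persist-credentials` at its default, and a `pip install platformio` with no version pin) are all mechanically checkable. The linter below is an added example, not CodeRabbit's, zizmor's or the template's own code: a line-based scanner that runs without PyYAML, generalised so it reports every unpinned action and every checkout step in a job rather than the single lines flagged here. The two workflow snippets it scans are constructed for this example and are not the PR's actual build.yml; the rule ids (`unpinned-uses`, `persist-credentials`, `unpinned-pip`) and the 40-hex placeholder SHA are my own, and the scanner assumes the usual layout where a step's keys sit two columns to the right of its leading `- `.

```python
"""Lint a GitHub Actions workflow for unpinned `uses:` tags, checkout steps
without `persist-credentials: false`, and `pip install` lines with no version
pin. Line-based (no PyYAML); assumes step keys sit two columns right of "- ".
Both sample workflows below are constructed, not the PR's own file."""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (1-based line number, rule id, message)

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\b")
PIP_RE = re.compile(r"\bpip3?\s+install\s+(.+)")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def is_pinned(ref: str) -> bool:
    """Pinned means the part after '@' is a full 40-hex commit SHA.
    Local actions ("./path") carry no ref and are treated as pinned."""
    if "@" not in ref:
        return True
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def _step_body(lines: List[str], idx: int) -> List[str]:
    """Other lines of the step that contains lines[idx] (a `uses:` line)."""
    key_indent = _indent(lines[idx])
    body: List[str] = []
    if lines[idx].lstrip().startswith("- "):
        key_indent += 2  # "- uses:" form: the step's other keys sit two columns in
    else:
        j = idx - 1  # pick up keys written before `uses:` (e.g. a `with:` block first)
        while j >= 0 and (not lines[j].strip() or _indent(lines[j]) >= key_indent):
            body.append(lines[j])
            j -= 1
    for j in range(idx + 1, len(lines)):
        if not lines[j].strip():
            continue
        if _indent(lines[j]) < key_indent:  # next "- name:" item or end of the list
            break
        body.append(lines[j])
    return body


def lint_workflow(text: str) -> List[Finding]:
    """Return findings in file order; an empty list means all three checks pass."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        no = idx + 1
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            if not is_pinned(ref):
                findings.append((no, "unpinned-uses", f"{ref} is a movable tag, not a commit SHA"))
            if ref.startswith("actions/checkout@") and not any(
                PERSIST_RE.match(body) for body in _step_body(lines, idx)
            ):
                findings.append((no, "persist-credentials",
                                 "checkout leaves the token in .git/config; add persist-credentials: false"))
            continue
        p = PIP_RE.search(line)
        if p:
            pkgs = [t for t in p.group(1).split() if not t.startswith("-")]
            loose = [t for t in pkgs if "==" not in t]
            if loose:
                findings.append((no, "unpinned-pip", "no version pin for: " + " ".join(loose)))
    return findings


# Constructed sample resembling the reviewed job (not the PR's actual build.yml).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout usermod
        uses: actions/checkout@v6
      - name: Checkout WLED
        uses: actions/checkout@v6
        with:
          repository: wled/WLED
          persist-credentials: false
      - name: Cache PlatformIO
        uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - name: Install PlatformIO
        run: pip install platformio
"""

# Constructed hardened form; the SHA is a placeholder, not a real release commit.
HARDENED_STEPS = """\
steps:
  - name: Checkout usermod
    # actions/checkout@v6.0.0 (placeholder SHA below)
    uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
    with:
      persist-credentials: false
  - name: Install PlatformIO
    run: pip install platformio==6.1.19
"""

if __name__ == "__main__":
    for no, rule, msg in lint_workflow(SAMPLE_WORKFLOW):
        print(f"build.yml:{no}: [{rule}] {msg}")
```

Run stand-alone it reports four findings on the constructed sample (both `checkout@v6` lines, the first checkout step for missing `persist-credentials: false`, and the loose `pip install`) and nothing on the hardened snippet; the `actions/cache` line passes because its ref is already a full SHA. Whether to act on `unpinned-uses` is the trade-off discussed in the thread; the check only makes the choice visible in CI.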
Add a CI workflow to help keep out-of-tree usermods fresh. By default, does nightly build against WLED main, providing an early warning if a breaking change gets merged.
Template users are free to customize however they like, but we can start with encouraging good maintenance practices.
Fixes #5