45 changes: 45 additions & 0 deletions .github/workflows/build.yml
@@ -0,0 +1,45 @@
name: Build against WLED

on:
push:
branches: ["**"]
pull_request:
schedule:
- cron: '0 4 * * *' # nightly at 04:00 UTC
workflow_dispatch:

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Checkout usermod
uses: actions/checkout@v6
@coderabbitai coderabbitai Bot May 28, 2026

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider pinning actions to SHA hashes for supply chain security.

The workflow uses semantic version tags (@v6, @v5) rather than pinned commit SHAs. While semantic versions are more maintainable and receive automatic security updates, pinning to SHAs provides immutable references that prevent potential supply chain attacks if a tag is moved or compromised.

For production workflows, consider pinning to specific commit SHAs with comments noting the version:

# actions/checkout@v6.0.0
uses: actions/checkout@f4320f289a07f...

Note: This is a security trade-off. Since this is a template workflow, semantic versions may be more user-friendly. Evaluate based on your security requirements.

As per static analysis hint from zizmor: unpinned action reference (unpinned-uses).

Also applies to: 22-22, 28-28

🧰 Tools
🪛 zizmor (1.25.2)

[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml at line 17, The workflow uses unpinned action
references like "actions/checkout@v6" (and the other unpinned "uses:" entries
flagged) — pin each external action to its specific commit SHA instead of a
semantic tag to prevent supply-chain risks; update the "uses:
actions/checkout@v6" entry to "uses: actions/checkout@<commit-sha>" and do the
same for the other unpinned actions, and add a comment preserving the original
semantic version (e.g., "# actions/checkout@v6.0.0") so reviewers know which
release the SHA corresponds to.
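As an added example of the check the bot is describing (this is not code from the PR, from WLED, or from CodeRabbit/zizmor), the script below does what zizmor's `unpinned-uses` rule does in a few lines of standard-library Python: it classifies every `uses:` line in a workflow, then rewrites the unpinned ones to a commit SHA with the original tag preserved as a trailing comment. The function names, the sample workflow and the 40-hex-character "SHAs" are constructed for the example; the tag-to-SHA mapping is assumed to have been resolved out of band (for instance with `git ls-remote --tags`), since the script itself never touches the network.

```python
"""Linter for unpinned `uses:` references in a GitHub Actions workflow, plus
the rewrite the review comment suggests.

Added example; not code from this PR, from WLED, or from CodeRabbit/zizmor.
It needs nothing beyond the Python standard library. The workflow text and
the 40-hex-character "SHAs" below are constructed placeholders, not real
commits.
"""
import re

# A `uses:` line: optional list dash, the reference, optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify(ref, comment=None):
    """Classify one `uses:` value the way a pin-everything policy would."""
    ref = ref.strip("'\"")
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local-or-docker"        # not a GitHub repo reference
    if "@" not in ref:
        return "no-ref"                 # floats on the default branch
    _, version = ref.rsplit("@", 1)
    if SHA_RE.fullmatch(version):
        # A SHA without a comment still passes; the comment only tells
        # reviewers which tag it was resolved from.
        return "pinned" if comment else "pinned-uncommented"
    return "unpinned"                   # tag or branch: mutable


def scan_workflow(text):
    """Return [(line_no, ref, status)] for every `uses:` line in `text`."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            findings.append((n, ref, classify(ref, m.group(2))))
    return findings


def pin_uses(text, resolved):
    """Rewrite unpinned `uses:` lines.

    `resolved` maps 'owner/repo@tag' to a commit SHA obtained out of band,
    e.g. with `git ls-remote --tags https://github.com/owner/repo`.
    Refs missing from the map are left alone so the gap stays visible.
    The original tag is kept as a trailing comment, replacing any comment
    already on the line."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            if classify(ref, m.group(2)) == "unpinned" and ref in resolved:
                action = ref.rsplit("@", 1)[0]
                line = f"{line[:m.start(1)]}{action}@{resolved[ref]} # {ref}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow (not the PR's file); the SHA is a placeholder.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef # v5.0.0
      - uses: ./.github/actions/local-helper
"""

# Placeholder for what `git ls-remote` would return for the tag.
RESOLVED = {"actions/checkout@v6": "0123456789abcdef0123456789abcdef01234567"}

if __name__ == "__main__":
    for n, ref, status in scan_workflow(SAMPLE):
        print(f"line {n}: {status:20} {ref}")
    print(pin_uses(SAMPLE, RESOLVED))
```

Run against the sample, the scan reports `actions/checkout@v6` as unpinned, the cache step as pinned, and the local action as out of scope; `pin_uses` then rewrites only the checkout line. Whether to apply the rewrite is the trade-off the thread discusses: a SHA pin freezes the action until someone re-resolves it, a tag follows upstream automatically.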

Member Author


Consider it considered. ;)

I think in this case we're better served to accept updates from upstream - in the context of smoke-test CI like this, I'm not too worried about supply chain attacks.


@willmmiles — Totally fair! For a template smoke-test workflow where staying current with upstream matters more than supply-chain immutability, semantic version tags are the right call. Acknowledged and moving on. 🐇

with:
path: usermod
persist-credentials: false

- name: Checkout WLED
uses: actions/checkout@v6
with:
repository: wled/WLED
path: WLED
persist-credentials: false

- name: Cache PlatformIO packages
uses: actions/cache@v5
with:
path: ~/.platformio
key: pio-esp32-${{ hashFiles('WLED/platformio.ini') }}
restore-keys: pio-esp32-

- name: Install PlatformIO
run: pip install platformio

- name: Configure usermod build
run: |
printf '[env:ci]\nextends = env:esp32dev\ncustom_usermods = file://${{ github.workspace }}/usermod\n' \
>> WLED/platformio_override.ini

- name: Build
run: platformio run -d WLED -e ci
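Review bot: the workflow declares no top-level `permissions:` block, so the job's GITHUB_TOKEN is issued with the repository's default permissions even though nothing in the job needs more than read access (both checkouts already set `persist-credentials: false`, and no step pushes, comments or publishes). Adding `permissions:` with `contents: read` directly under `name: Build against WLED` costs one line and bounds what a compromised dependency in the build could do with the token. A second, minor point on the "Install PlatformIO" step: `run: pip install platformio` takes whatever version PyPI serves that day, so a nightly failure could come from a PlatformIO release rather than from upstream WLED; a version pin (`pip install platformio==<version>`) would keep the smoke test pointed at the thing it is meant to smoke-test, at the cost of bumping it by hand.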