Skip to content

ci: pin .github reusable workflows to @v1#80

Merged
lml2468 merged 1 commit into
mainfrom
ci/migrate-to-v1
Jun 8, 2026
Merged

ci: pin .github reusable workflows to @v1#80
lml2468 merged 1 commit into
mainfrom
ci/migrate-to-v1

Conversation

@lml2468

@lml2468 lml2468 commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Migrate caller refs @main -> rolling @v1 now that Mininglamp-OSS/.github has governed versioning (v1.0.0 + rolling v1). Issue notification caller repointed to octo-issue-notify.yml@v1 (renamed from octo-issue-feed.yml). Files changed: 16.

@lml2468
ci: pin .github reusable workflows to @v1
053b092 
Migrate caller refs @main -> rolling @v1 (governed versioning), and repoint the
issue notification caller to octo-issue-notify.yml@v1 (renamed from
octo-issue-feed.yml). Part of the org-wide @v1 migration.
@lml2468 lml2468 requested a review from a team as a code owner June 8, 2026 11:03
@github-actions github-actions Bot added the size/S PR size: S label Jun 8, 2026
yujiawei
yujiawei approved these changes Jun 8, 2026
View reviewed changes

@yujiawei yujiawei left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review — PR #80 (octo-admin)

Summary

Mechanical CI hardening: repoints 16 reusable-workflow caller refs from the mutable @main branch to the governed rolling @v1 tag in Mininglamp-OSS/.github, and migrates the issue-notification caller from the legacy octo-issue-feed.yml to the canonical octo-issue-notify.yml@v1. 17 additions / 17 deletions, .github/workflows/** only. No application code touched.

Verification

  • v1 tag exists upstreamMininglamp-OSS/.github has both refs/tags/v1 (rolling) and refs/tags/v1.0.0.
  • All referenced reusable workflows resolve at @v1 — every one of the 16 caller targets is present in .github/workflows@v1 (auto-add-to-project, reusable-check-sprint, reusable-codeql, reusable-docker-lint, reusable-history-check, issue-welcome, reusable-pr-labeler, octo-ci-status, octo-issue-notify, octo-pr-result-notify, octo-pr-review-feed, reusable-pr-contributor-welcome, reusable-release-drafter, reusable-release-publish, reusable-stale, workflow-sanity).
  • Rename contract is compatibleocto-issue-feed.yml (.github/workflows/octo-issue-feed.yml, the caller) passes repo_name, issue_number, issue_title, issue_url, issue_author, event_action + secret OCTO_BOT_TOKEN. The renamed target octo-issue-notify.yml@v1 declares exactly these as required inputs/secret; remaining inputs (api_base_url, feed_group_id) and the TRIAGE_WEBHOOK_URL secret are optional with defaults. No missing-input failure.
  • No leftover @main refs — scanned every workflow on head SHA 053b092; zero remaining Mininglamp-OSS/.github/...@main references. Migration is complete and consistent.

Findings

No P0/P1 issues.

Nit (non-blocking)

  • Event-policy narrowing on the issue feed. The renamed octo-issue-notify.yml@v1 enforces an opened-only guard centrally (if action != 'opened': skip), narrowing the prior [opened, reopened] behavior. This is documented as intentional upstream. However, the caller octo-issue-feed.yml still subscribes to on: issues: types: [opened, reopened] (.github/workflows/octo-issue-feed.yml:4). Reopen events will now invoke the reusable workflow only to be silently skipped — harmless, but the reopened trigger is now dead weight and could be trimmed for clarity in a follow-up.

Informational

  • Pinning to the rolling @v1 tag (mutable) rather than an immutable commit SHA is a deliberate trade-off: it trusts the upstream governance to keep v1 non-breaking, in exchange for automatic patch uptake without per-repo bumps. This matches the stated org standard for this migration, so it is the right call here; flagging only so the supply-chain assumption is explicit.

Verdict

Mechanical, low-risk, and fully verified against the upstream @v1 contract. The single behavior change (issue-feed opened-only) is intended and documented. Approving.

Jerry-Xin
Jerry-Xin approved these changes Jun 8, 2026
View reviewed changes

@Jerry-Xin Jerry-Xin left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is in scope: it updates this repository’s GitHub Actions automation to use the governed shared workflow version line.

💬 Non-blocking

  • 🔵 Suggestion: .github/workflows/octo-issue-feed.yml:1 and the filename still use “Issue Feed” while the reusable workflow now points to octo-issue-notify.yml@v1 at .github/workflows/octo-issue-feed.yml:11. Consider renaming the local wrapper in a follow-up for consistency, if downstream references allow it.
  • 🔵 Suggestion: The PR title says “pin”, but @v1 is a rolling major-version ref rather than an immutable SHA. That matches the PR description, so this is not a blocker.

✅ Highlights

  • Verified all changed Mininglamp-OSS/.github reusable workflow references resolve at @v1.
  • Caller inputs, required secrets, and job permissions remain aligned with the reusable workflow contracts.
  • The issue notification rename from octo-issue-feed.yml@main to octo-issue-notify.yml@v1 is reflected correctly at .github/workflows/octo-issue-feed.yml:11.
  • No code, runtime behavior, or application security issues found in the changed surface.

@lml2468 lml2468 merged commit 2155bda into main Jun 8, 2026
22 of 23 checks passed
@lml2468 lml2468 deleted the ci/migrate-to-v1 branch June 8, 2026 11:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jerry-Xin Jerry-Xin Jerry-Xin approved these changes

@yujiawei yujiawei yujiawei approved these changes

Assignees

No one assigned

Labels

size/S PR size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lml2468 @Jerry-Xin @yujiawei