ci(.github/workflows): audit workflow self-references in paths#25288
Conversation
Three workflows besides deploy-docs.yaml (DOCS-124) self-reference in
their paths: triggers. Audit and either justify or remove per DOCS-129:
* docker-base.yaml: keep. Self-reference is PR-only and gated by
push: ${{ github.event_name != 'pull_request' }} on the build, so
PRs build the base image without publishing. Documented inline.
* docs-ci.yaml: remove. Self-reference fires the workflow but the
lint and fmt steps gate on tj-actions/changed-files matching
docs/** or **.md, so a workflow-only run no-ops. The self-trigger
was wasted runner minutes. actionlint and make lint/actions catch
YAML problems before merge regardless.
* dogfood.yaml: keep. Self-reference triggers image rebuild on push
to main (idempotent retag of rolling tags) and terraform apply
against dev.coder.com (no-op when dogfood/** and flake.* haven't
changed). The runtime cost validates the workflow itself end to
end. Documented inline.
Refs DOCS-121, DOCS-129.
|
/coder-agents-review |
There was a problem hiding this comment.
Clean audit. The decision table maps each workflow to its self-reference, the runtime effect, and the keep/remove decision. Implementation matches the table. Audit is exhaustive: all workflow files were checked for self-references. Single commit, single concern.
2 P3, 2 Nit. Both P3s are about comment accuracy; the code changes themselves are correct.
"'Edits to this workflow file alone would still trigger a run' and 'The self-reference was wasted runner time. Removed' cannot both be true." (Gon)
🤖 This review was automatically generated with Coder Agents.
Address DEREM-1..4 on #25288: * dogfood.yaml: correct "no-op" framing. Workflow-only pushes do create three new coderd_template versions on dev.coder.com (name = commit short SHA, message = commit title, content unchanged) and retag the rolling :latest, :22.04, :26.04, :nix image tags. Idempotent and bounded to the dogfood environment, but not a no-op. * docs-ci.yaml: rewrite the comment to describe what actually changed rather than the pre-PR behavior in present conditional tense. Also add a one-liner under pull_request: pointing at the push: comment so the rationale for the missing self-reference is visible from both trigger blocks. * docker-base.yaml: clarify "PR runs build but never publish" to "a PR builds the image but never publishes it". No behavior change; comment edits only. Refs DOCS-129.
|
/coder-agents-review |
There was a problem hiding this comment.
All four R1 findings addressed cleanly in b677ac5. Every reviewer verified every fix. The comment rewrites are accurate and well-structured.
2 new P3 on the rewritten dogfood.yaml comment, 1 reopened Nit on the PR title. The dogfood comment block landed two new factual issues: wrong tag names (DEREM-6) and missing push-vs-PR distinction (DEREM-7).
Nit on the PR title: ci(.github/workflows): audit workflow self-references in paths: has a trailing colon that reads truncated in git log --oneline. The squash-merge subject will show ...in paths: (#25288) with two colons. R1 dropped this as DEREM-5 ("commit messages are squashable"), but the PR title IS the squash subject, so that defense doesn't hold. Consider: ci(.github/workflows): audit workflow self-references in paths triggers.
"These sit at the same grammatical level in the sentence, so the 'on main' qualifier doesn't carry." (Hisoka)
🤖 This review was automatically generated with Coder Agents.
…vs main effects Address DEREM-6 and DEREM-7 on #25288: * DEREM-6: my rolling-tag list named ':latest, :22.04, :26.04, :nix'. There is no ':nix' tag on codercom/oss-dogfood; nix is the matrix entry name and publishes separately to codercom/oss-dogfood-nix:latest. I also missed codercom/oss-dogfood-vscode-coder:latest entirely. Replaced the list with an accurate per-repository enumeration of rolling tags. * DEREM-7: my comment described push-to-main effects (terraform apply, template-version creation, rolling tag retag) as if they applied to any workflow run. They don't. PR runs build images without pushing (depot/build-push-action's push: gated on refs/heads/main) and run terraform init + validate only (deploy_template's apply step gated the same way). Split the comment into a 'PRs' block and a 'Pushes to main' block so a maintainer reading either trigger gets the correct cost picture. No behavior change; comment edits only.
|
On the PR title nit (trailing colon would land as Fair point. The reviewer's defense in R1 ("commit messages are squashable") only holds for commit bodies, not the PR title that becomes the squash subject. Dropped the trailing colon: title is now I considered the suggested
Coder Agents on behalf of @nickvigilante. |
|
/coder-agents-review |
There was a problem hiding this comment.
All R2 findings addressed. The dogfood.yaml comment block is a genuine improvement: it splits PR and push-to-main effects cleanly, enumerates repositories and rolling tags accurately, and names the gating conditions. Two remaining items, both in the dogfood comment.
1 P3, 1 Nit. The P3 is another factual inaccuracy in the tag description (introduced by the DEREM-6 fix). The Nit is a single word choice.
"moved is the wrong word; these files change, they don't move." (Gon)
🤖 This review was automatically generated with Coder Agents.
…and verb Address coder-agents-review round 3 findings on PR #25288: - DEREM-9: the extra tag beyond rolling tags is per-branch (derived from `tj-actions/branch-names` current_branch, with `/`->`--` substitution), not per-SHA. On pushes to main the resulting tag is `codercom/oss-dogfood:main` (overwritten each push), not a short-SHA tag. - DEREM-10: "moved" carries a git-mv connotation. The comment describes content change, not a file move, so use "changed". _Coder Agents on behalf of @nickvigilante._
|
/coder-agents-review |
There was a problem hiding this comment.
All 10 findings from rounds 1-3 addressed. Netero R4 verified every claim in all three comment blocks against the workflow code: zero inaccuracies remain. CI green. Four reviewers independently verified every prior fix.
One Nit: "three image variants" undercounts (the 22.04 matrix entry builds two images). The detailed listing immediately below is correct.
10 findings raised across 4 rounds, 10 addressed. Responsive, thorough fixes throughout. The dogfood.yaml comment block went from a one-line "no-op" claim to a 22-line, fully-auditable description of both PR and push-to-main behavior, and every sentence in it checks out.
"Every comment in this PR answers the right question for the person reading it at 2 AM." (Leorio)
🤖 This review was automatically generated with Coder Agents.
…comment
Address coder-agents-review R4 DEREM-11 nit: "three image variants"
undercounts. The matrix has three entries (22.04, 26.04, nix), but
the 22.04 entry builds two images (`oss-dogfood` at line 134 and
`oss-dogfood-vscode-coder` at line 160). That's four distinct images
across three matrix entries.
Drop the count rather than enumerate ("four images across three
matrix entries"); the detailed listing immediately below already
names every repo and tag.
_Coder Agents on behalf of @nickvigilante._
|
/coder-agents-review |
There was a problem hiding this comment.
All 11 findings resolved. Netero and three panel reviewers found zero new issues. Every factual claim across all three comment blocks verified against the workflow code. CI green.
11 findings raised across 5 rounds (5 P3, 4 Nit, 2 Note/dropped), 11 addressed. Clean.
"I tried to build a case against this PR and couldn't." (Pariston)
🤖 This review was automatically generated with Coder Agents.
|
Security review (on behalf of @jdomeracki-coder, generated by Coder Agents) No blocking security issues. Observations:
The inline audit comments accurately reflect the runtime behavior and are a good addition for future reviewers. |
Three workflows besides
deploy-docs.yaml(DOCS-124, #25285) self-reference in theirpaths:triggers:docker-base.yaml,docs-ci.yaml,dogfood.yaml. This was flagged during review of #25285 (DEREM-1) as a bug class worth treating uniformly. This PR is the audit.Each self-reference is either justified inline or removed:
docker-base.yamlkeeps the self-reference. It's PR-only and gated bypush: ${{ github.event_name != 'pull_request' }}on thedepot/build-push-action, so PRs build the base image without publishing.docs-ci.yamldrops the self-reference. Thelintandfmtsteps gate ontj-actions/changed-filesmatchingdocs/**or**.md, so a workflow-only run no-ops.actionlintandmake lint/actionscatch YAML problems before merge regardless.dogfood.yamlkeeps the self-reference. PR runs build images without pushing and runterraform init+validateonly; pushes to main retag rolling tags oncodercom/oss-dogfood,oss-dogfood-vscode-coder, andoss-dogfood-nix, plusterraform applyagainst dev.coder.com which produces newcoderd_templateversions with unchanged content. Idempotent and bounded.Refs DOCS-121, DOCS-129.
Decision table
deploy-docs.yamldocker-base.yamldocs-ci.yamlif:dogfood.yamlCoder Agents on behalf of @nickvigilante.