
ci: general improvements #549

Merged: Jafaral merged 1 commit into uniconproject:master from Jafaral:ci-tweaks on Mar 14, 2026

Conversation

Jafaral (Member) commented Mar 10, 2026

No description provided.

greptile-apps bot commented Mar 10, 2026

Greptile Summary

This PR delivers a broad set of CI improvements across all five GitHub Actions workflow files, tightening reliability and correctness for the Unicon build/test/release pipeline.

Key improvements:

  • All jobs now have timeout-minutes guards, preventing runaway builds from blocking runners indefinitely
  • concurrency groups added to all workflows so redundant runs on the same ref are cancelled early (cancel-in-progress: false correctly preserved for CodeQL)
  • TestReport steps now carry if: always() and upload their output as artifacts, so test failures are captured and surfaced even when a preceding step fails
  • Third-party actions pinned to full commit SHAs (vmactions/freebsd-vm, jirutka/setup-alpine) — a good supply-chain hardening practice; core actions bumped to v6
  • apt cache paths narrowed to /var/cache/apt/archives/*.deb (no binary index pollution), with per-OS and per-arch keys preventing cross-platform cache contamination
  • A dedicated "Install git for checkout" step is added first in the Linux container job, resolving the ordering issue for minimal images (Rocky Linux, Oracle Linux) that lack git
  • CodeQL workflow now uses a controlled manual build step instead of Autobuild, giving the team full control over build flags; codeql-action upgraded to v4
  • Labeler migrated from an hourly cron schedule to pull_request_target events with actions/labeler@v5, proper least-privilege permissions, and sync-labels: false (preserving manually-applied labels as requested)

One issue found:

  • label.yml is missing create-labels: false — without it, actions/labeler@v5 will auto-create any label referenced in labeler.yml that doesn't already exist in the repository, which contradicts the developer's stated preference to manage labels exclusively through GitHub

Confidence Score: 4/5

  • This PR is safe to merge with one minor fix: add create-labels: false to the labeler workflow to match the developer's label-management preference.
  • The changes are well-structured CI improvements that resolve several previously identified issues (ordering of checkout vs. git install, apt cache path/key correctness, TestReport always-condition, CodeQL cancel-in-progress). The one new actionable issue — missing create-labels: false in label.yml — is low risk (labels can be deleted after the fact) but contradicts the developer's explicit requirement. All other logic is sound.
  • .github/workflows/label.yml — needs create-labels: false to prevent auto-creation of labels.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/labeler.yml | Migrated to labeler v5 syntax; renamed labels (iconx→uniconx, icont→unicont, iconc→uniconc, IPL→ipl); added new labels (runtime, udb, gui, ci); updated glob patterns to use changed-files/any-glob-to-any-file format. |
| .github/workflows/build.yml | Major improvements: concurrency group, timeout-minutes on all jobs, if: always() on TestReport/Summary steps, test report upload artifacts, apt cache added for Features/DebianPkg/Linux jobs (correct .deb-only path), dedicated git install step for containers, fail-fast: false on Linux matrix, action versions bumped to v6, third-party actions pinned to commit SHAs. |
| .github/workflows/codeql.yml | Added concurrency (cancel-in-progress: false, correct for security scans), timeout-minutes: 180, dependency installation step, manual build replacing Autobuild, and upgraded codeql-action to v4. |
| .github/workflows/label.yml | Migrated trigger from hourly cron to pull_request_target, upgraded to actions/labeler@v5, added minimal permissions, set sync-labels: false per developer preference; missing create-labels: false means new labels in labeler.yml will be auto-created on first run. |
| .github/workflows/packages.yml | Added concurrency group, timeout-minutes, apt cache for Ubuntu job using matrix.cfg.os in key (preventing version collision), and upgraded action versions. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push or PR event] --> CONC{Concurrency Group}
    CONC -->|cancel: true| B[build.yml]
    CONC -->|cancel: true| C[packages.yml]
    CONC -->|cancel: false| D[codeql.yml]

    B --> W[Windows timeout 45m]
    B --> M[macOS timeout 45m]
    B --> L[Linux matrix timeout 45m]
    B --> AL[Alpine multi-arch timeout 60m]
    B --> F[Features matrix timeout 45m]
    B --> FB[FreeBSD timeout 45m]
    B --> DP[DebianPkg timeout 45m]

    L --> GITINST[Install git in container]
    GITINST --> CHECKOUT_L[Checkout]
    CHECKOUT_L --> CACHE_L[Cache apt deb files]
    CACHE_L --> DEPS_L[Install dependencies]
    DEPS_L --> BUILD_L[Configure and Make]
    BUILD_L --> TEST_L[Test]
    TEST_L --> REPORT_L[TestReport - always]
    REPORT_L --> UPLOAD_L[Upload Artifact - always]

    D --> INSTALL_D[Install build deps]
    INSTALL_D --> INIT_D[Init CodeQL]
    INIT_D --> BUILD_D[Build]
    BUILD_D --> SCAN[Perform Analysis timeout 180m]

    PR_EVT[pull_request_target] --> LAB[Labeler v5\nsync-labels false]
```
Review comment on .github/workflows/label.yml, lines 17-22:
**`create-labels: false` missing — labeler will auto-create new labels**

You mentioned in the discussion that you want to control labels from GitHub and don't want the action to create new labels. With `actions/labeler@v5`, the default is `create-labels: true`, meaning any label name defined in `labeler.yml` that doesn't already exist in the repository will be **automatically created** the first time the workflow runs — this includes all the newly renamed/added labels like `uniconx`, `unicont`, `uniconc`, `runtime`, `udb`, `gui`, `ipl`, and `ci`.

`sync-labels: false` only prevents removal of manually-applied labels; it does not prevent creation of missing ones. Add `create-labels: false` to keep full control over label lifecycle:

```suggestion
    - uses: actions/labeler@v5
      with:
        repo-token: "${{ secrets.GITHUB_TOKEN }}"
        sync-labels: false
        create-labels: false
```

With this in place, make sure all labels referenced in `labeler.yml` already exist in the repository before merging, otherwise the labeler will silently skip applying them.


Last reviewed commit: acbace0
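The summary above notes that third-party actions (vmactions/freebsd-vm, jirutka/setup-alpine) were pinned to full commit SHAs while core actions moved to a major tag. As an added example that is not part of this PR or the Unicon project, here is a small Python lint that applies that policy to workflow text; the sample workflow and the SHA in it are constructed, and treating the `actions` and `github` owners as acceptable on a major tag is an assumption made here.

```python
"""Lint workflow text for third-party actions not pinned to a commit SHA.

Added example, not code from the Unicon project. Sample input is constructed.
"""
import re
from typing import List, Tuple

# A `uses:` line: optional "- ", then owner/repo[/path]@ref, then optional comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumption: first-party owners may stay on a major tag such as @v6,
# matching how the summary treats core actions; everything else needs a SHA.
TRUSTED_OWNERS = {"actions", "github"}

def find_unpinned(workflow_text: str) -> List[Tuple[str, str, str]]:
    """Return (action, ref, reason) for each `uses:` that violates the policy."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, not a git ref
        if SHA_RE.match(ref):
            continue  # full commit SHA: immutable, the hardened form
        owner = action.split("/")[0]
        if owner in TRUSTED_OWNERS and re.fullmatch(r"v\d+", ref):
            continue  # first-party major tag, accepted by the policy above
        findings.append((action, ref, "not pinned to a full 40-hex commit SHA"))
    return findings

# Constructed sample; the SHA below is made up, not a real jirutka/setup-alpine commit.
SAMPLE_WORKFLOW = """\
jobs:
  freebsd:
    steps:
      - uses: actions/checkout@v6
      - uses: vmactions/freebsd-vm@v1
      - uses: jirutka/setup-alpine@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for action, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
```

Running it against the real workflow files in `.github/workflows/` would flag any third-party `uses:` that later drifts back to a mutable tag.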

Jafaral (Member, Author) commented Mar 11, 2026

@greptile review

Jafaral force-pushed the ci-tweaks branch 7 times, most recently from d05c09b to a5c31ad on March 11, 2026 03:52

Jafaral (Member, Author) commented Mar 11, 2026

@greptile review

Jafaral force-pushed the ci-tweaks branch 2 times, most recently from e4fdb89 to e1a0f46 on March 11, 2026 04:04

Jafaral (Member, Author) commented Mar 11, 2026

@greptile review

Jafaral (Member, Author) commented Mar 11, 2026

@greptile review

Jafaral force-pushed the ci-tweaks branch 2 times, most recently from 611a729 to 19d94c2 on March 11, 2026 05:05

Jafaral (Member, Author) commented Mar 11, 2026

@greptile review

Jafaral (Member, Author) commented Mar 14, 2026

@greptile review

Jafaral (Member, Author) commented Mar 14, 2026

@greptile review

Jafaral (Member, Author) commented Mar 14, 2026

@greptile review

Commit message (ci-tweaks):

- Add concurrency blocks with cancel-in-progress: true to avoid redundant runs
- Add timeout-minutes to all build jobs
- Test report steps now upload the result as an artifact
- Summary steps across all jobs now have if: always() so they execute even on failure
- Add fail-fast: false to the Linux jobs so one failure doesn't cancel the rest
- Update actions/checkout@v3 → @v4 in the Linux and Alpine jobs

Signed-off-by: Jafar Al-Gharaibeh <to.jafar@gmail.com>
Jafaral (Member, Author) commented Mar 14, 2026

@greptile review

Jafaral merged commit 182d30a into uniconproject:master on Mar 14, 2026
24 checks passed