
Simplify CI/CD workflows#1499

Merged
kaumini merged 10 commits into
wso2:mainfrom
kaumini:main
Jun 9, 2026

Conversation

@kaumini

@kaumini kaumini commented Jun 8, 2026

Contributor

No description provided.

kaumini added 2 commits June 8, 2026 13:05
Removes unused secrets and inputs from build and release workflows, consolidating them around the MI extension exclusively.
@kaumini kaumini requested a review from rosensilva as a code owner June 8, 2026 07:42
@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 20f7e1df-67d6-43dd-abb0-2de7ed45e900

📥 Commits

Reviewing files that changed from the base of the PR and between 566246f and adcfd76.

📒 Files selected for processing (2)
  • .github/workflows/release-vsix.yml
  • .github/workflows/sync-main-with-releases.yml

📝 Walkthrough

Pull Request Summary: Simplify CI/CD Workflows

Overview

This PR simplifies and standardizes CI/CD workflows, composite actions, and related developer documentation. Changes reduce configuration surface area, switch to built-in GitHub tokens, add optional Google Chat threading for notifications, and improve submodule management guidance.

Key Changes

  • General token/auth updates
    • Replaced various custom bot/token usages with the built-in github.token across multiple workflows and actions (e.g., cache, sync-with-releases, release/publish flows, and a package script that requests GitHub auth).
  • Build workflow and action adjustments
    • .github/actions/build/action.yml now exposes only MI_AUTH_ORG and MI_AUTH_CLIENT_ID inputs and passes those to the build step; platform/stage-specific client IDs and similar inputs were removed.
    • .github/workflows/build.yml updated to supply the reduced set of build inputs.
  • Release/publish workflow refinements
    • .github/workflows/publish-vsix.yml: hardcodes EXTENSION_NAME=micro-integrator, removes user extension/notify dispatch inputs, adds workflow-level permissions/env, and simplifies draft-promotion and notification steps (uses fixed Marketplace/OpenVSX URLs and github.token).
    • .github/workflows/release-vsix.yml: hardcodes mi=true when invoking the reusable build workflow, improves version extraction and thread-key handling, and consolidates chat API usage.
  • Notification threading and composite action changes
    • Added optional threadKey/thread_key inputs to release, PR, and failure-notification composite actions; actions now conditionally include a Google Chat "thread" payload and append reply-option parameters when a thread key is supplied.
    • Removed exposed bot identity/token inputs from PR/release actions and use github-actions[bot]/github.token for git operations and API authentication.
    • Adjusted default for isPreRelease in the PR composite action to 'true'.
  • Workflow permission and notification reorganizations
    • Several workflows gained explicit top-level permissions (contents, pull-requests, actions) and standardized chat secret usage to EDITOR_TEAM_CHAT_API where applicable.
    • .github/workflows/daily-build.yml restructured to produce separate Editor Team and MI Team success/failure notification jobs.
  • Submodule management and developer docs
    • common/scripts/init-submodules.js: added --remote option to fetch the latest submodule revision when requested; default behavior keeps the repo-pinned revision (CI-aligned).
    • package.json: added init-submodules:remote script to run the new remote fetch option.
    • CONTRIBUTING.md and README.md updated to document the default pinned-submodule workflow, the new remote-init option, and the follow-up steps when submodule updates affect shared package metadata (including which artifacts to commit).
  • Miscellaneous
    • .github/pull_request_template.md replaced with a structured PR template.
    • packages/mi-extension/scripts/download-ls.js: changed GitHub Authorization header logic to rely on GITHUB_TOKEN only.
    • Updated submodules/vscode-extensions gitlink to a newer commit.

Impact

  • Reduces CI/CD configuration complexity and duplicated secrets usage.
  • Standardizes authentication on github.token.
  • Improves notification organization via optional Google Chat threading.
  • Clarifies developer workflows for submodule updates and introduces an easy path to fetch the latest submodule state when desired.

Walkthrough

This PR reduces the build composite action to two inputs (MI_AUTH_ORG, MI_AUTH_CLIENT_ID) and updates the build workflow to pass only those. Publish and release VSIX workflows stop accepting extension/mi dispatch inputs, hardcode EXTENSION_NAME=micro-integrator and set mi=true, and extract numeric versions from the .vsix name. Notification actions gain optional thread-key inputs and conditional Google Chat thread payloads; several workflows add explicit permissions and switch to github.token. Submodule init is made optionally remote, an npm script was added, docs updated, and a submodule gitlink bump applied.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ❓ Inconclusive No pull request description was provided, making it impossible to assess relevance to the changeset. Add a description explaining the motivation for these CI/CD simplifications and their impact on the development workflow.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the primary change—simplification of CI/CD workflows across multiple GitHub Actions and workflow files.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/pull_request_template.md:
- Line 11: Remove the stray trailing ">" at the end of the heading string
"Summary of user stories addressed by this change" in the PR template so the
line reads without the extra character; locate that exact line in the pull
request template and delete the trailing ">" to prevent the typo appearing in
generated PR descriptions.
- Line 35: Update the insecure http link in the pull request template line
"Followed secure coding standards in
http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no" to
use HTTPS by replacing "http://" with "https://" so the template points to
"https://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no".

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6788379e-0061-4907-84b1-fba8d896cca9

📥 Commits

Reviewing files that changed from the base of the PR and between 509588f and 56485d6.

📒 Files selected for processing (6)
  • .github/actions/build/action.yml
  • .github/pull_request_template.md
  • .github/workflows/build.yml
  • .github/workflows/publish-vsix.yml
  • .github/workflows/release-vsix.yml
  • .github/workflows/sync-main-with-releases.yml
💤 Files with no reviewable changes (2)
  • .github/actions/build/action.yml
  • .github/workflows/build.yml

@kaumini kaumini requested a review from gigara June 8, 2026 07:45

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@common/scripts/init-submodules.js`:
- Line 22: The change to the git submodule update call removed --remote which
pins submodules to the parent gitlink commit; update the invocation in
run('git', ['submodule', 'update', '--init']) to restore the previous behavior
or make CI intentional: either add back '--remote' to the git args used in the
run(...) call to auto-advance submodules to their remote tips, or keep the pin
but add a clear comment and update any CI workflows/scripts that relied on
auto-updating (search for run('git', ['submodule'...) and CI YAMLs) to ensure
they explicitly call git submodule update --init --remote where needed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 96b6cb91-fec7-4f1a-99b0-26115c2d92cd

📥 Commits

Reviewing files that changed from the base of the PR and between 56485d6 and 9bd7606.

📒 Files selected for processing (2)
  • .github/pull_request_template.md
  • common/scripts/init-submodules.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/pull_request_template.md


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 43: The package.json script "init-submodules" currently always passes
--remote which breaks the CI pinned-submodule contract; remove the --remote flag
from the "init-submodules" script so CI/prebuild uses the committed gitlinks,
and add a new script named "init-submodules:remote" that runs node
common/scripts/init-submodules.js with the --remote flag for local update
workflows; update any documentation or references to use
"init-submodules:remote" when remote behavior is intended.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8c112aad-2679-484a-8698-0b0607125fbd

📥 Commits

Reviewing files that changed from the base of the PR and between 9bd7606 and 47b8996.

📒 Files selected for processing (4)
  • CONTRIBUTING.md
  • README.md
  • common/scripts/init-submodules.js
  • package.json
✅ Files skipped from review due to trivial changes (2)
  • README.md
  • CONTRIBUTING.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • common/scripts/init-submodules.js

@kaumini kaumini added the Checks/Run MI UI Tests Force run MI UI tests label Jun 9, 2026
@kaumini kaumini closed this Jun 9, 2026
@kaumini kaumini reopened this Jun 9, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 3

🧹 Nitpick comments (2)
.github/workflows/daily-build.yml (1)

15-61: 💤 Low value

Consider adding explicit permissions to the notification jobs.

These jobs use actions/download-artifact and the dailyBuildNotification composite action. Adding a minimal permissions block (e.g., contents: read) would follow least-privilege principles and address the static analysis warning.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/daily-build.yml around lines 15 - 61, Add explicit minimal
permissions to each notification job (NotifyEditorSuccess and NotifyMISuccess):
include a permissions block granting only what's needed (e.g., contents: read)
so both the use of actions/download-artifact@v4 and the
./.github/actions/dailyBuildNotification composite action follow least-privilege
rules; update the job definitions for NotifyEditorSuccess and NotifyMISuccess to
declare that permissions block.

Source: Linters/SAST tools

.github/workflows/release-vsix.yml (1)

20-22: 💤 Low value

Consider scoping permissions to job level.

Static analysis flags these workflow-level permissions as overly broad. Since contents: write and pull-requests: write are only needed by the Release job, moving them to that job's scope follows the principle of least privilege.

♻️ Suggested change
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   Build:
     # ...
 
   Release:
     name: Release VSIX
     needs: Build
     timeout-minutes: 45
     runs-on: codebuild-wso2_vscode-extensions-${{ github.run_id }}-${{ github.run_attempt }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
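Review bot: removing the workflow-level `permissions` block also changes what the Build job gets, since a job with no `permissions` key of its own falls back to the repository's default GITHUB_TOKEN permissions, which can be broader than read-only depending on the repository or organization setting. Keep a top-level `permissions: contents: read` (or declare it on the Build job) so that only the Release job is widened to `contents: write` and `pull-requests: write`, as the suggested change intends.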
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-vsix.yml around lines 20 - 22, The workflow
currently sets overly broad top-level permissions (contents: write,
pull-requests: write); remove those keys from the workflow-level permissions
block and add them only under the Release job's permissions (i.e., inside the
jobs->Release (or release) definition) as permissions: contents: write and
pull-requests: write so only the Release job receives those rights and the
workflow follows least-privilege.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-vsix.yml:
- Around line 67-71: The current extraction using file=$(ls
micro-integrator-[0-9]*.[0-9]*.[0-9]*.vsix) can yield multiple matches and break
subsequent logic; update the step that sets file/vsixName/numericVersion to
explicitly handle multiple matches by checking the glob results (e.g., expand
the pattern into an array), validate that exactly one match exists or
intentionally choose a deterministic one (first, latest by mtime, or fail with a
clear error), and then continue using the chosen filename for vsixName and
numericVersion so the pipeline behaves predictably; refer to the variables file,
vsixName and numericVersion when implementing the validation/selection logic.
- Around line 82-83: The JSON payload currently interpolates raw workflow
expressions into the "title" and "subtitle" strings which can break JSON; update
the "title" and "subtitle" fields to use toJSON() on each expression (e.g.,
steps.vsix.outputs.numericVersion, github.ref_name, github.actor) so values are
properly escaped, and adjust the surrounding string concatenation because
toJSON() returns a quoted string (remove or rework extra quotes/concatenation
accordingly) to produce valid JSON.

In @.github/workflows/sync-main-with-releases.yml:
- Line 103: Replace the outdated action reference actions/checkout@v2 with a
current major version (actions/checkout@v3 or `@v4`) in the sync-main workflow;
update the uses entry that currently reads actions/checkout@v2 to
actions/checkout@v3 (or `@v4`) so it matches the other job's checkout usage and
benefits from the newer Node runtime and fixes.

---

Nitpick comments:
In @.github/workflows/daily-build.yml:
- Around line 15-61: Add explicit minimal permissions to each notification job
(NotifyEditorSuccess and NotifyMISuccess): include a permissions block granting
only what's needed (e.g., contents: read) so both the use of
actions/download-artifact@v4 and the ./.github/actions/dailyBuildNotification
composite action follow least-privilege rules; update the job definitions for
NotifyEditorSuccess and NotifyMISuccess to declare that permissions block.

In @.github/workflows/release-vsix.yml:
- Around line 20-22: The workflow currently sets overly broad top-level
permissions (contents: write, pull-requests: write); remove those keys from the
workflow-level permissions block and add them only under the Release job's
permissions (i.e., inside the jobs->Release (or release) definition) as
permissions: contents: write and pull-requests: write so only the Release job
receives those rights and the workflow follows least-privilege.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 968340ff-715a-4169-9174-3de2553b1c92

📥 Commits

Reviewing files that changed from the base of the PR and between 47b8996 and 566246f.

⛔ Files ignored due to path filters (1)
  • common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (13)
  • .github/actions/failure-notification/action.yml
  • .github/actions/pr/action.yml
  • .github/actions/release/action.yml
  • .github/workflows/cache-cleanup.yml
  • .github/workflows/daily-build.yml
  • .github/workflows/publish-vsix.yml
  • .github/workflows/release-vsix.yml
  • .github/workflows/sync-main-with-releases.yml
  • CONTRIBUTING.md
  • README.md
  • package.json
  • packages/mi-extension/scripts/download-ls.js
  • submodules/vscode-extensions
✅ Files skipped from review due to trivial changes (1)
  • README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • CONTRIBUTING.md

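The review comment above asks the release step to stop trusting `ls micro-integrator-[0-9]*.[0-9]*.[0-9]*.vsix` and instead expand the glob, insist on exactly one artifact, and only then derive `vsixName` and `numericVersion`. The script below is an added example and is not the project's workflow code: it generalizes the step by taking the artifact prefix as a parameter, uses the positional parameters as a POSIX-safe array, and fails with a clear message on zero or multiple matches. The function names `select_vsix` and `numeric_version` and the sample artifact files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not the project's workflow code: resolve the release VSIX
# without `ls` by expanding the glob into the positional parameters (a
# POSIX-safe "array") and insisting on exactly one match, then derive the
# numeric version from the chosen file name. Function names, the PREFIX
# parameter and the sample artifacts below are assumptions for this demo.

# select_vsix DIR PREFIX
# Prints the one matching "<PREFIX>-<major>.<minor>.<patch>*.vsix" file name.
# Returns 1 (with a message on stderr) on zero or several matches, so a step
# running under `set -e` stops instead of continuing with a bad value.
select_vsix() {
    dir=$1
    prefix=$2
    set -- "$dir"/"$prefix"-[0-9]*.[0-9]*.[0-9]*.vsix
    # An unmatched glob is left as the literal pattern; -e detects that case.
    if [ ! -e "$1" ]; then
        echo "error: no $prefix-*.vsix found in $dir" >&2
        return 1
    fi
    if [ "$#" -ne 1 ]; then
        echo "error: expected exactly one $prefix-*.vsix in $dir, found $#:" >&2
        printf '  %s\n' "$@" >&2
        return 1
    fi
    basename "$1"
}

# numeric_version FILE PREFIX
# Strips "<PREFIX>-" and ".vsix", drops any "-<suffix>" pre-release tag, and
# checks that what remains is digits and dots only.
numeric_version() {
    version=${1#"$2"-}
    version=${version%.vsix}
    version=${version%%-*}
    case $version in
        ""|*[!0-9.]*)
            echo "error: could not derive a numeric version from $1" >&2
            return 1 ;;
    esac
    printf '%s\n' "$version"
}

# Demo on constructed input: one artifact resolves, a second one is rejected.
demo_dir=$(mktemp -d)
: > "$demo_dir/micro-integrator-2.3.1.vsix"
vsixName=$(select_vsix "$demo_dir" micro-integrator)
numericVersion=$(numeric_version "$vsixName" micro-integrator)
echo "vsixName=$vsixName numericVersion=$numericVersion"
: > "$demo_dir/micro-integrator-2.4.0.vsix"
if select_vsix "$demo_dir" micro-integrator >/dev/null 2>&1; then
    echo "unexpected: ambiguous artifact set was accepted"
else
    echo "ambiguous artifact set correctly rejected"
fi
rm -rf "$demo_dir"
```

In a workflow step this would be called as `vsixName=$(select_vsix . micro-integrator)` under `set -e`, so a stale artifact left in the working directory fails the Release job rather than publishing the wrong file or producing a garbled `numericVersion`; if a deterministic choice is preferred over failing, the `$# -ne 1` branch is the single place to sort by mtime and pick one.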
@kaumini kaumini removed the Checks/Run MI UI Tests Force run MI UI tests label Jun 9, 2026
@kaumini kaumini merged commit 3369965 into wso2:main Jun 9, 2026
9 of 12 checks passed