
V10.5.5/service update #167

Open
gimlichael wants to merge 3 commits into main from v10.5.5/service-update

Conversation

@gimlichael

Member

TBD

Deploy was being skipped when optional test_mac matrix was disabled in workflow_dispatch,
due to skipped-ancestor propagation. Now explicitly gate deploy on direct dependency
success only, so both manual workflow runs trigger deployment regardless of macOS
test matrix configuration.
@gimlichael gimlichael self-assigned this Jun 21, 2026

greptile-apps Bot commented Jun 21, 2026


Greptile Summary

This PR hardens the deploy job in the CI pipeline. The job's if condition is replaced with an explicit always() + per-job == 'success' expression so the condition is always evaluated (even when upstream jobs are skipped) rather than relying on GitHub Actions' implicit skip propagation. Permissions are tightened and the NuGet authentication mechanism is updated.

  • The deploy condition now explicitly requires build, pack, test_qualitygate, sonarcloud, codecov, and codeql to all be 'success'; the old guard was only github.event_name != 'pull_request'.
  • contents: write is downgraded to contents: read and id-token: write + actions: read are added, consistent with a move to OIDC-based trusted publishing on NuGet.org.
  • The NuGet secret passed to the reusable workflow changes from NUGET_TOKEN to NUGET_USER, paired with the new id-token: write permission — confirm that the NUGET_USER repository secret exists and that codebeltnet/jobs-nuget-push@v3 expects this input.

Confidence Score: 5/5

Safe to merge — changes are additive hardening with no functional regressions on the happy path.

The diff is limited to making the deploy gate explicit and tightening permissions. The logic change is self-consistent, and the main concerns (external-service blocking and stricter quality-gate requirements) were already raised and acknowledged in previous review threads. The only follow-up needed before running the deploy job in production is confirming the NUGET_USER repository secret is provisioned and that the v3 reusable workflow accepts it.

No files require special attention beyond confirming the NUGET_USER secret is configured in repository settings.

Important Files Changed

Filename: .github/workflows/ci-pipeline.yml
Overview: Deploy job updated: explicit always() + success-check condition, permissions tightened (contents: write → read, id-token: write added), and NuGet auth secret renamed from NUGET_TOKEN to NUGET_USER (OIDC migration).

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant GH as GitHub Actions
    participant BLD as build / pack
    participant TQ as test_qualitygate
    participant QG as sonarcloud / codecov / codeql
    participant DEP as deploy (call-nuget)
    participant NUG as NuGet Registry

    GH->>BLD: trigger (push, not PR)
    BLD-->>TQ: success
    TQ-->>QG: success (privileged run)
    Note over QG: if run-privileged-jobs == 'true'
    QG-->>DEP: "all == 'success'"
    Note over DEP: always() ensures condition evaluated even when upstream jobs were skipped
    DEP->>NUG: push package (OIDC: id-token + NUGET_USER)
    NUG-->>DEP: published
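The gating pattern the description and the summary refer to, as an added illustration that is not the project's ci-pipeline.yml: a reduced hypothetical workflow whose job names mirror the summary, with the old guard kept in a comment beside the hardened one and placeholder steps instead of the real build and publish calls.

```yaml
name: ci-pipeline-example   # hypothetical reduction, not the project's workflow
on:
  push: { branches: [main] }
  workflow_dispatch:
    inputs:
      test_mac: { type: boolean, default: false }   # optional macOS matrix
permissions: {}   # nothing by default; each job requests what it needs
jobs:
  build:
    runs-on: ubuntu-latest
    steps: [ { run: echo build } ]
  test_mac:
    # Skipped on manual runs unless the input is enabled.
    if: github.event_name != 'workflow_dispatch' || inputs.test_mac
    needs: build
    runs-on: macos-latest
    steps: [ { run: echo macOS tests } ]
  test_qualitygate:
    # Must still run when test_mac was skipped, but not when it failed or was cancelled.
    if: >-
      always() && needs.build.result == 'success' &&
      !contains(fromJSON('["failure","cancelled"]'), needs.test_mac.result)
    needs: [build, test_mac]
    runs-on: ubuntu-latest
    steps: [ { run: echo quality gate } ]
  deploy:
    # Old guard (too weak): no status function, so GitHub implies success(),
    # which also looks at indirect ancestors: a skipped test_mac skips deploy
    # even though test_qualitygate itself reported success.
    #   if: github.event_name != 'pull_request'
    # Hardened guard: always() forces evaluation, then every direct dependency
    # must report 'success'. A skipped, failed or cancelled dependency blocks
    # publishing, which also covers a cancelled run (always() alone would not).
    if: >-
      always() &&
      github.event_name != 'pull_request' &&
      needs.build.result == 'success' &&
      needs.test_qualitygate.result == 'success'
    needs: [build, test_qualitygate]
    permissions:
      contents: read    # downgraded from write
      id-token: write   # OIDC token for trusted publishing
      actions: read
    runs-on: ubuntu-latest
    steps: [ { run: echo publish } ]   # real pipeline calls a reusable nuget-push workflow
```

To check the gate, trigger the workflow manually once with test_mac left false and once with it true: deploy should run in both cases, and should stay skipped when build or test_qualitygate fails.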

Reviews (2): Last reviewed commit: "🔧 update permissions for actions and co..."


1 participant