run musescore and audacity app builds automatically on every PR #97
kryksyh wants to merge 1 commit into
Conversation
📝 Walkthrough: The PR changes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr_dispatch.yml:
- Around line 3-5: The pull_request trigger in the workflow does not include a
trust gate, allowing untrusted forks to automatically dispatch builds. Add a
conditional check (typically using `if:
github.event.pull_request.head.repo.full_name == github.repository`) at the job
level to ensure that only PRs from the main repository trigger the heavyweight
build dispatch, preventing fork PRs from consuming CI capacity.
ℹ️ Review info
⚙️ Run configuration: .coderabbit.yaml; review profile: ASSERTIVE; plan: Pro; run ID: ae782287-61d0-472c-8aec-90d9375fbd89
📒 Files selected for processing (2)
- .github/pull_request_template.md
- .github/workflows/pr_dispatch.yml
| on: | ||
| issue_comment: | ||
| types: [created] | ||
| pull_request: | ||
| types: [opened, reopened, synchronize, edited] |
Add a trust gate for automatic PR-triggered builds.
Line 5 now runs this workflow on every PR update (including edited) without any trust check. That allows untrusted/fork PRs to automatically dispatch heavyweight builds, which can exhaust CI capacity and starve trusted builds.
Suggested hardening
jobs:
parse:
+ if: |
+ github.event.pull_request.head.repo.fork == false ||
+ contains(github.event.pull_request.labels.*.name, 'safe-to-test')
name: Configure
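Review bot: the suggested `+ if: |` block gives `parse` a second `if:` key next to the `/build` comment gate it already carries (`if: >-` with `github.event.issue.pull_request != null && startsWith(github.event.comment.body, '/build') ...`), and a duplicate key is rejected by the YAML parser, so the fork check has to be merged into that one expression under an explicit `github.event_name == 'pull_request'` branch while the `issue_comment` branch stays as it is. Branching on the event name also avoids evaluating `github.event.pull_request.head.repo.fork == false` on `issue_comment` runs, where `github.event.pull_request` is absent and the comparison only passes through GitHub's loose null-to-number coercion.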
@igorkorsukov what do you think? I guess we are good, and if it is abused, we can tighten it.
Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Inline comments:
In @.github/pull_request_template.md:
- Around line 19-20: The pull request template text is inconsistent with the
actual fallback behavior in the PR dispatch workflow. Update the wording in the
pull request template so it matches the default matrix used by pr_dispatch.yml,
and make sure the guidance around removing the section clearly says what builds
will run when the block is omitted. Refer to the Consumer-app builds section in
the template and align it with the fallback logic used by pr_dispatch.yml so
contributors do not unintentionally request extra platforms.
In @.github/workflows/pr_dispatch.yml:
- Around line 15-16: The parse job in pr_dispatch.yml is triggering on edited
events even when only the PR title changes, which re-dispatches the same matrix
under the same concurrency key. Add a job-level condition on the parse job so it
only runs for edited actions when the pull_request body actually changed,
keeping the existing pull_request.body-based parsing behavior intact.
- Around line 107-111: The reusable workflow references in this workflow are
using mutable branch refs, which can change behavior without updates here.
Update the `uses` targets in `.github/workflows/pr_dispatch.yml` (including
`build_mu_linux` and the other reusable workflow calls in this file) to fixed
commit SHAs instead of `@main`, so the pipeline is pinned to an immutable
version.
ℹ️ Review info
⚙️ Run configuration: .coderabbit.yaml; review profile: ASSERTIVE; plan: Pro; run ID: f2679ec1-4c90-4e8a-9576-d07f3c4cf299
📒 Files selected for processing (2)
- .github/pull_request_template.md
- .github/workflows/pr_dispatch.yml
| Consumer-app builds run automatically for every PR. Edit the lines below to | ||
| override defaults; remove the section entirely to use defaults. |
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
The documented “default” no longer matches the workflow fallback.
Removing this block does not keep the new linux-only defaults: pr_dispatch.yml still falls back to linux_x64 macos windows_x64 for both apps when these lines are absent. As written, the template tells contributors to expand the build matrix unintentionally.
| parse: | ||
| if: >- | ||
| github.event.issue.pull_request != null | ||
| && startsWith(github.event.comment.body, '/build') | ||
| && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | ||
| name: Configure |
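Review bot: as displayed, the parse `if:` admits only `issue_comment` runs: `github.event.issue.pull_request` and `github.event.comment` are not part of a `pull_request` payload, so `null != null` is false and the job is skipped on the opened/reopened/synchronize/edited events this PR adds, meaning nothing would be dispatched automatically. Unless the folded expression continues beyond these lines with a `|| github.event_name == 'pull_request'` branch, add one, and place the fork/label trust check and the body-changed guard for `edited` inside that branch so the comment path keeps its `author_association` check unchanged.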
🚀 Performance & Scalability | 🟡 Minor | ⚡ Quick win
Skip edited runs that don't change the PR body.
parse only consumes pull_request.body, so title-only edits now cancel the in-flight build and dispatch the same matrix again under the same concurrency key. Add a job-level guard so edited only runs when the body changed.
Also applies to: 29-35
| build_mu_linux: | ||
| name: MuseScore Linux | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') || contains(needs.parse.outputs.mu_platforms, 'linux_arm64') | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') | ||
| uses: musescore/MuseScore/.github/workflows/build_linux.yml@main |
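Review bot: the two `if:` lines differ only in the `linux_arm64` clause, so the replacement silently stops honouring `linux_arm64` in `mu_platforms`: a PR body that lists that platform gets no Linux build and no error. If arm64 is intentionally dropped, have `parse` reject or warn on unknown platform names so the request does not fail silently; if it is not, keep the `|| contains(needs.parse.outputs.mu_platforms, 'linux_arm64')` half of the condition.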
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '--- pr_dispatch.yml around lines 95-120 ---\n'
sed -n '95,120p' .github/workflows/pr_dispatch.yml
printf '\n--- search for pinning/zizmor references ---\n'
rg -n "zizmor|pinning|commit SHA|sha" .github . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true
printf '\n--- list workflow files mentioning reusable workflow refs ---\n'
rg -n "uses: .*@main|uses: .*@master|uses: .*@v[0-9]|uses: .*@[0-9a-f]{7,}" .github/workflows || true
Repository: musescore/muse_framework
Length of output: 253
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate likely policy/config files and the workflow file.
git ls-files '.github/**' '*.md' '*zizmor*' '*security*' '*policy*' | sed -n '1,200p'
printf '\n--- workflow ref lines in .github/workflows/pr_dispatch.yml ---\n'
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'
Repository: musescore/muse_framework
Length of output: 2192
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow file and any repo pinning guidance.
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'
printf '\n--- pinning guidance ---\n'
rg -n "zizmor|pinning|commit SHA|SHA|reusable workflow|workflow_call" .github *.md || true
Repository: musescore/muse_framework
Length of output: 202
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
path = Path('.github/workflows/pr_dispatch.yml')
lines = path.read_text().splitlines()
# Print lines 100-115 of the workflow with their line numbers.
for i in range(100, 116):
    if i <= len(lines):
        print(f"{i}: {lines[i-1]}")
PY
printf '\n--- search for pinning / zizmor / reusable workflow guidance ---\n'
rg -n "zizmor|pinning|commit SHA|immutable SHA|reusable workflow|workflow_call|@main|@master|@[0-9a-f]{7,}" .github ./*.md ./*/*.md || true
printf '\n--- reusable workflow refs in .github/workflows ---\n'
python3 - <<'PY'
from pathlib import Path
import re
# List every `uses:` reference in the workflows, flagging files that pin to
# a branch, a tag or a commit SHA.
for path in Path('.github/workflows').glob('*.yml'):
    text = path.read_text(errors='ignore')
    if re.search(r'uses:\s+.*@(?:main|master|v\d|[0-9a-f]{7,40})', text):
        print(f'FILE: {path}')
        for i, line in enumerate(text.splitlines(), 1):
            if 'uses:' in line and '@' in line:
                print(f'{i}: {line}')
PY
Repository: musescore/muse_framework
Length of output: 2618
Pin this reusable workflow to a commit SHA
musescore/MuseScore/.github/workflows/build_linux.yml@main is mutable, so upstream changes can alter this pipeline without a PR here. Same applies to the other reusable workflow refs in this file.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 111-111: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
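Putting the three review points together (the fork/label trust gate from the first review, and the skip-title-only-edits and SHA-pinning points from the second), here is an added sketch of how the `parse` and `build_mu_linux` jobs could read; it is example code written for this page, not the PR's actual `pr_dispatch.yml`. It assumes a placeholder `cfg` step (the real parsing of the PR body is not shown on this page), relies on GitHub's `edited` payload carrying `changes.body` only when the body changed, and uses an all-zero SHA as a stand-in for the real pinned commit.

```yaml
on:
  issue_comment:
    types: [created]
  pull_request:
    types: [opened, reopened, synchronize, edited]

jobs:
  parse:
    name: Configure
    # One expression, branched on the event that actually fired:
    #  - /build comments from OWNER/MEMBER/COLLABORATOR on a PR (unchanged gate)
    #  - PR events only from same-repo branches, or forks a maintainer has
    #    labelled 'safe-to-test', and for 'edited' only when the body changed.
    # Comparing full_name fails closed if head.repo is missing (deleted fork).
    if: >-
      (
        github.event_name == 'issue_comment'
        && github.event.issue.pull_request != null
        && startsWith(github.event.comment.body, '/build')
        && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
      ) || (
        github.event_name == 'pull_request'
        && (
          github.event.pull_request.head.repo.full_name == github.repository
          || contains(github.event.pull_request.labels.*.name, 'safe-to-test')
        )
        && (github.event.action != 'edited' || github.event.changes.body != null)
      )
    runs-on: ubuntu-latest
    outputs:
      mu_platforms: ${{ steps.cfg.outputs.mu_platforms }}
    steps:
      - id: cfg
        # Placeholder: the real step parses "musescore platforms:" from the PR
        # body; this one just emits the linux-only default.
        run: echo "mu_platforms=linux_x64" >> "$GITHUB_OUTPUT"

  build_mu_linux:
    name: MuseScore Linux
    needs: parse
    if: contains(needs.parse.outputs.mu_platforms, 'linux_x64')
    # Pinned to a full commit SHA (placeholder below) so upstream changes to
    # build_linux.yml need a PR here; the tracked branch stays in the comment
    # so a bump tool can refresh it.
    uses: musescore/MuseScore/.github/workflows/build_linux.yml@0000000000000000000000000000000000000000 # main
```

Note that adding the `safe-to-test` label does not itself fire the workflow with these `types`, so a maintainer re-runs or pushes to the labelled fork PR after labelling it.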
Enables consumer application build on every PR.
Build configuration
audacity: audacity/audacity/master
audacity platforms: linux_x64
musescore: musescore/MuseScore/main
musescore platforms: linux_x64