run musescore and audacity app builds automatically on every PR #97
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,24 +1,19 @@ | ||
| name: pr_dispatch | ||
| name: Applications Build | ||
|
|
||
| on: | ||
| issue_comment: | ||
| types: [created] | ||
| pull_request: | ||
| types: [opened, reopened, synchronize, edited] | ||
|
Comment on lines 3 to +5
Add a trust gate for automatic PR-triggered builds. Line 5 now runs this workflow on every PR update (including
Suggested hardening
jobs:
parse:
+ if: |
+ github.event.pull_request.head.repo.fork == false ||
+ contains(github.event.pull_request.labels.*.name, 'safe-to-test')
name: Configure
Collaborator
Author
@igorkorsukov what do you think? I guess we are good, and if it is abused, we can tighten it.
|
||
|
|
||
| permissions: | ||
| pull-requests: write | ||
| contents: read | ||
| statuses: write | ||
|
|
||
| concurrency: | ||
| group: pr-dispatch-${{ github.event.issue.number }} | ||
| group: pr-dispatch-${{ github.event.pull_request.number }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| parse: | ||
| if: >- | ||
| github.event.issue.pull_request != null | ||
| && startsWith(github.event.comment.body, '/build') | ||
| && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | ||
| name: Configure | ||
|
Comment on lines 15 to +16
🚀 Performance & Scalability | 🟡 Minor | ⚡ Quick win
Skip
Also applies to: 29-35
|
||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| head_sha: ${{ steps.pr.outputs.head_sha }} | ||
|
|
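Review bot: nothing under `pull_request:` replaces the actor check that the `if:` on `parse` carried. That condition required `github.event.comment.author_association` to be one of `OWNER`, `MEMBER` or `COLLABORATOR`, and those `github.event.comment.*` fields do not exist on a `pull_request` event, so every job that `needs: parse` now starts for any PR author. The same allow-list can be kept on the new trigger by testing `github.event.pull_request.author_association` in the job's `if:`, with a maintainer-applied label as the route for outside contributors.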
@@ -31,19 +26,10 @@ jobs: | |
| mu_branch: ${{ steps.cfg.outputs.mu_branch }} | ||
| mu_platforms: ${{ steps.cfg.outputs.mu_platforms }} | ||
| steps: | ||
| - name: React with eyes | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh api -X POST \ | ||
| "repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions" \ | ||
| -f content=eyes | ||
| - name: Fetch PR | ||
| id: pr | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| pr_json=$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}") | ||
| pr_json=$(jq -c '.pull_request' "$GITHUB_EVENT_PATH") | ||
| head_sha=$(echo "$pr_json" | jq -r .head.sha) | ||
| echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT" | ||
| echo "$pr_json" | jq -r .body > /tmp/pr_body.txt | ||
|
|
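Review bot: `jq -r .body` in the last line of the `Fetch PR` step prints the literal string `null` when a PR has no description, so `/tmp/pr_body.txt` holds the word `null` instead of being empty. Builds now start on every PR rather than on a `/build` comment, which makes an empty description far more likely; `jq -r '.body // ""'` keeps the file empty in that case. Reading the payload from `$GITHUB_EVENT_PATH` instead of interpolating the body into the script with `${{ }}` is the right way to handle this untrusted text and should stay.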
@@ -84,28 +70,9 @@ jobs: | |
| echo "mu_branch=$mu_branch" | ||
| echo "mu_platforms=$mu_platforms" | ||
| } >> "$GITHUB_OUTPUT" | ||
| - name: Post pending statuses + run-link comment | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SHA: ${{ steps.pr.outputs.head_sha }} | ||
| AU_PLATFORMS: ${{ steps.cfg.outputs.au_platforms }} | ||
| MU_PLATFORMS: ${{ steps.cfg.outputs.mu_platforms }} | ||
| run: | | ||
| RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | ||
| post_pending() { | ||
| gh api -X POST "repos/${{ github.repository }}/statuses/$SHA" \ | ||
| -f state=pending -f context="$1" -f target_url="$RUN_URL" -f description="dispatched" | ||
| } | ||
| [[ "$AU_PLATFORMS" == *linux_x64* ]] && post_pending "build / Audacity Linux" | ||
| [[ "$AU_PLATFORMS" == *macos* ]] && post_pending "build / Audacity macOS" | ||
| [[ "$AU_PLATFORMS" == *windows_x64* ]] && post_pending "build / Audacity Windows" | ||
| [[ "$MU_PLATFORMS" =~ linux_(x64|arm64) ]] && post_pending "build / MuseScore Linux" | ||
| [[ "$MU_PLATFORMS" == *macos* ]] && post_pending "build / MuseScore macOS" | ||
| [[ "$MU_PLATFORMS" =~ windows_(x64|portable) ]] && post_pending "build / MuseScore Windows" | ||
| gh pr comment "${{ github.event.issue.number }}" --repo "${{ github.repository }}" \ | ||
| --body "Build dispatched: $RUN_URL" | ||
|
|
||
| build_au_linux: | ||
| name: Audacity Linux | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.au_platforms, 'linux_x64') | ||
| uses: audacity/audacity/.github/workflows/au4_build_linux.yml@master | ||
|
|
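Review bot: `uses: audacity/audacity/.github/workflows/au4_build_linux.yml@master` on the last line follows a moving branch in another repository, and with the `pull_request` trigger it runs on every PR update instead of on a maintainer's request. Pin the reference to a full commit SHA, `@<full-commit-sha>` (placeholder) in place of `@master`, and bump it deliberately. The `au4_build_macos.yml@master` and `au4_build_windows.yml@master` calls in the next two hunks need the same treatment.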
@@ -116,6 +83,7 @@ jobs: | |
| framework_ref: ${{ needs.parse.outputs.head_sha }} | ||
|
|
||
| build_au_macos: | ||
| name: Audacity macOS | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.au_platforms, 'macos') | ||
| uses: audacity/audacity/.github/workflows/au4_build_macos.yml@master | ||
|
|
@@ -126,6 +94,7 @@ jobs: | |
| framework_ref: ${{ needs.parse.outputs.head_sha }} | ||
|
|
||
| build_au_windows: | ||
| name: Audacity Windows | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.au_platforms, 'windows_x64') | ||
| uses: audacity/audacity/.github/workflows/au4_build_windows.yml@master | ||
|
|
@@ -136,18 +105,20 @@ jobs: | |
| framework_ref: ${{ needs.parse.outputs.head_sha }} | ||
|
|
||
| build_mu_linux: | ||
| name: MuseScore Linux | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') || contains(needs.parse.outputs.mu_platforms, 'linux_arm64') | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') | ||
| uses: musescore/MuseScore/.github/workflows/build_linux.yml@main | ||
|
Comment on lines 107 to 111
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
printf '--- pr_dispatch.yml around lines 95-120 ---\n'
sed -n '95,120p' .github/workflows/pr_dispatch.yml
printf '\n--- search for pinning/zizmor references ---\n'
rg -n "zizmor|pinning|commit SHA|sha" .github . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true
printf '\n--- list workflow files mentioning reusable workflow refs ---\n'
rg -n "uses: .*@main|uses: .*@master|uses: .*@v[0-9]|uses: .*@[0-9a-f]{7,}" .github/workflows || true

Repository: musescore/muse_framework
Length of output: 253

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Locate likely policy/config files and the workflow file.
git ls-files '.github/**' '*.md' '*zizmor*' '*security*' '*policy*' | sed -n '1,200p'
printf '\n--- workflow ref lines in .github/workflows/pr_dispatch.yml ---\n'
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'

Repository: musescore/muse_framework
Length of output: 2192

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Inspect the workflow file and any repo pinning guidance.
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'
printf '\n--- pinning guidance ---\n'
rg -n "zizmor|pinning|commit SHA|SHA|reusable workflow|workflow_call" .github *.md || true

Repository: musescore/muse_framework
Length of output: 202

🏁 Script executed:

#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
path = Path('.github/workflows/pr_dispatch.yml')
lines = path.read_text().splitlines()
for i in range(100, 116):
    if i <= len(lines):
        print(f"{i}: {lines[i-1]}")
PY
printf '\n--- search for pinning / zizmor / reusable workflow guidance ---\n'
rg -n "zizmor|pinning|commit SHA|immutable SHA|reusable workflow|workflow_call|@main|@master|@[0-9a-f]{7,}" .github ./*.md ./*/*.md || true
printf '\n--- reusable workflow refs in .github/workflows ---\n'
python3 - <<'PY'
from pathlib import Path
import re
for path in Path('.github/workflows').glob('*.yml'):
    text = path.read_text(errors='ignore')
    if re.search(r'uses:\s+.*@(?:main|master|v\d|[0-9a-f]{7,40})', text):
        print(f'FILE: {path}')
        for i, line in enumerate(text.splitlines(), 1):
            if 'uses:' in line and '@' in line:
                print(f'{i}: {line}')
PY

Repository: musescore/muse_framework
Length of output: 2618

Pin this reusable workflow to a commit SHA
🧰 Tools
🪛 zizmor (1.26.1)
[error] 111-111: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
Source: Linters/SAST tools
|
||
| with: | ||
| app_repo: ${{ needs.parse.outputs.mu_owner }}/${{ needs.parse.outputs.mu_repo }} | ||
| app_ref: ${{ needs.parse.outputs.mu_branch }} | ||
| framework_repo: ${{ github.repository }} | ||
| framework_ref: ${{ needs.parse.outputs.head_sha }} | ||
| platforms: ${{ needs.parse.outputs.mu_platforms }} | ||
| platforms: linux_x64 | ||
| build_mode: devel | ||
|
Comment on lines 107 to 118
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Pass a Windows-only platform list after splitting the MuseScore jobs. Line 117 correctly narrows the Linux reusable workflow to
Suggested fix
outputs:
head_sha: ${{ steps.pr.outputs.head_sha }}
au_owner: ${{ steps.cfg.outputs.au_owner }}
au_repo: ${{ steps.cfg.outputs.au_repo }}
au_branch: ${{ steps.cfg.outputs.au_branch }}
au_platforms: ${{ steps.cfg.outputs.au_platforms }}
mu_owner: ${{ steps.cfg.outputs.mu_owner }}
mu_repo: ${{ steps.cfg.outputs.mu_repo }}
mu_branch: ${{ steps.cfg.outputs.mu_branch }}
mu_platforms: ${{ steps.cfg.outputs.mu_platforms }}
+ mu_windows_platforms: ${{ steps.cfg.outputs.mu_windows_platforms }}
...
mu_platforms=$(extract "musescore platforms")
[ -z "$mu_platforms" ] && mu_platforms="linux_x64 macos windows_x64"
+ mu_windows_platforms=$(
+ printf '%s\n' "$mu_platforms" | tr ' ' '\n' |
+ grep -E '^(windows_x64|windows_portable)$' |
+ paste -sd' ' - || true
+ )
read -r mu_owner mu_repo mu_branch < <(parse_combo "musescore" "$mu_combo" "musescore/MuseScore/main")
{
echo "mu_owner=$mu_owner"
echo "mu_repo=$mu_repo"
echo "mu_branch=$mu_branch"
echo "mu_platforms=$mu_platforms"
+ echo "mu_windows_platforms=$mu_windows_platforms"
} >> "$GITHUB_OUTPUT"
...
build_mu_windows:
name: MuseScore Windows
needs: parse
if: contains(needs.parse.outputs.mu_platforms, 'windows_x64') || contains(needs.parse.outputs.mu_platforms, 'windows_portable')
uses: musescore/MuseScore/.github/workflows/build_windows.yml@main
with:
...
- platforms: ${{ needs.parse.outputs.mu_platforms }}
+ platforms: ${{ needs.parse.outputs.mu_windows_platforms }}
build_mode: devel
🧰 Tools
🪛 zizmor (1.26.1)
[error] 111-111: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
|
||
|
|
||
| build_mu_macos: | ||
| name: MuseScore macOS | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.mu_platforms, 'macos') | ||
| uses: musescore/MuseScore/.github/workflows/build_macos.yml@main | ||
|
|
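Review bot: `app_repo` and `app_ref` in the `with:` block are assembled from `needs.parse.outputs.mu_owner`, `mu_repo` and `mu_branch`, and nothing in this hunk checks what those outputs contain. If the `parse` job takes them from the PR description it writes to `/tmp/pr_body.txt`, the PR author chooses which repository and ref the reusable workflow builds, and that now happens without a maintainer asking for the build. Validate the owner and repository against the expected values in `parse` before they reach `$GITHUB_OUTPUT`, and fail the job on anything else.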
@@ -159,6 +130,7 @@ jobs: | |
| build_mode: devel | ||
|
|
||
| build_mu_windows: | ||
| name: MuseScore Windows | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.mu_platforms, 'windows_x64') || contains(needs.parse.outputs.mu_platforms, 'windows_portable') | ||
| uses: musescore/MuseScore/.github/workflows/build_windows.yml@main | ||
|
|
@@ -169,39 +141,3 @@ jobs: | |
| framework_ref: ${{ needs.parse.outputs.head_sha }} | ||
| platforms: ${{ needs.parse.outputs.mu_platforms }} | ||
| build_mode: devel | ||
|
|
||
| report: | ||
| needs: [parse, build_au_linux, build_au_macos, build_au_windows, build_mu_linux, build_mu_macos, build_mu_windows] | ||
| if: always() && needs.parse.result == 'success' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Forward final statuses to PR head | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SHA: ${{ needs.parse.outputs.head_sha }} | ||
| AU_LINUX: ${{ needs.build_au_linux.result }} | ||
| AU_MACOS: ${{ needs.build_au_macos.result }} | ||
| AU_WINDOWS: ${{ needs.build_au_windows.result }} | ||
| MU_LINUX: ${{ needs.build_mu_linux.result }} | ||
| MU_MACOS: ${{ needs.build_mu_macos.result }} | ||
| MU_WINDOWS: ${{ needs.build_mu_windows.result }} | ||
| run: | | ||
| RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | ||
| post() { | ||
| local context="$1" result="$2" state | ||
| case "$result" in | ||
| success) state=success ;; | ||
| skipped) return 0 ;; | ||
| cancelled) state=error ;; | ||
| *) state=failure ;; | ||
| esac | ||
| gh api -X POST "repos/${{ github.repository }}/statuses/$SHA" \ | ||
| -f state="$state" -f context="$context" -f target_url="$RUN_URL" \ | ||
| -f description="$context: $result" | ||
| } | ||
| post "build / Audacity Linux" "$AU_LINUX" | ||
| post "build / Audacity macOS" "$AU_MACOS" | ||
| post "build / Audacity Windows" "$AU_WINDOWS" | ||
| post "build / MuseScore Linux" "$MU_LINUX" | ||
| post "build / MuseScore macOS" "$MU_MACOS" | ||
| post "build / MuseScore Windows" "$MU_WINDOWS" | ||
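Review bot: `pull-requests: write` and `statuses: write` have no remaining user in the lines shown once the `report` job in this hunk is gone. Its `gh api -X POST` call to `statuses/$SHA` was the last write, and the reaction, pending-status and `gh pr comment` steps appear only in the earlier hunks that shrink. Check that the top-level `permissions:` block ends up as `contents: read` alone. The token available to the called reusable workflows cannot exceed what this caller grants, so the reduction also caps what the `@master` and `@main` workflows can do with it.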