run musescore and audacity app builds automatically on every PR #97
kryksyh wants to merge 1 commit into
Conversation
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 Walkthrough
The PR changes
Estimated code review effort: 3 (Moderate) | ~20 minutes
🚥 Pre-merge checks: 5 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr_dispatch.yml:
- Around line 3-5: The pull_request trigger in the workflow does not include a
trust gate, allowing untrusted forks to automatically dispatch builds. Add a
conditional check (typically using `if:
github.event.pull_request.head.repo.full_name == github.repository`) at the job
level to ensure that only PRs from the main repository trigger the heavyweight
build dispatch, preventing fork PRs from consuming CI capacity.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: ae782287-61d0-472c-8aec-90d9375fbd89
📒 Files selected for processing (2)
.github/pull_request_template.md
.github/workflows/pr_dispatch.yml
| on: | ||
| issue_comment: | ||
| types: [created] | ||
| pull_request: | ||
| types: [opened, reopened, synchronize, edited] |
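Review bot: the `pull_request` trigger added here has no trust gate, while the `issue_comment` path is gated on `author_association`, so a PR from a fork now dispatches the whole build matrix with nobody in the loop. Because this is `pull_request` rather than `pull_request_target`, a fork run gets a read-only token and no repository secrets, so the exposure is CI capacity plus whatever the called build workflows do with inputs the PR author controls, not token theft. Gate the job on `github.event.pull_request.head.repo.full_name == github.repository` or a maintainer-applied label, and consider dropping `edited` from the type list, since it fires on title-only edits and re-runs the dispatch for no change in the body.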
Add a trust gate for automatic PR-triggered builds.
Line 5 now runs this workflow on every PR update (including edited) without any trust check. That allows untrusted/fork PRs to automatically dispatch heavyweight builds, which can exhaust CI capacity and starve trusted builds.
Suggested hardening
jobs:
  parse:
+   if: |
+     github.event.pull_request.head.repo.fork == false ||
+     contains(github.event.pull_request.labels.*.name, 'safe-to-test')
    name: Configure
@igorkorsukov what do you think? I guess we are good, and if it is abused, we can tighten it.
Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/pull_request_template.md:
- Around line 19-20: The pull request template text is inconsistent with the
actual fallback behavior in the PR dispatch workflow. Update the wording in the
pull request template so it matches the default matrix used by pr_dispatch.yml,
and make sure the guidance around removing the section clearly says what builds
will run when the block is omitted. Refer to the Consumer-app builds section in
the template and align it with the fallback logic used by pr_dispatch.yml so
contributors do not unintentionally request extra platforms.
In @.github/workflows/pr_dispatch.yml:
- Around line 15-16: The parse job in pr_dispatch.yml is triggering on edited
events even when only the PR title changes, which re-dispatches the same matrix
under the same concurrency key. Add a job-level condition on the parse job so it
only runs for edited actions when the pull_request body actually changed,
keeping the existing pull_request.body-based parsing behavior intact.
- Around line 107-111: The reusable workflow references in this workflow are
using mutable branch refs, which can change behavior without updates here.
Update the `uses` targets in `.github/workflows/pr_dispatch.yml` (including
`build_mu_linux` and the other reusable workflow calls in this file) to fixed
commit SHAs instead of `@main`, so the pipeline is pinned to an immutable
version.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: f2679ec1-4c90-4e8a-9576-d07f3c4cf299
📒 Files selected for processing (2)
.github/pull_request_template.md
.github/workflows/pr_dispatch.yml
| parse: | ||
| if: >- | ||
| github.event.issue.pull_request != null | ||
| && startsWith(github.event.comment.body, '/build') | ||
| && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) | ||
| name: Configure |
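Review bot: this `if` can only be true on `issue_comment` events, because `github.event.issue` and `github.event.comment` are absent from the `pull_request` payload, so as shown the `parse` job is skipped on the `pull_request` trigger this PR adds; if the job is meant to run for both, branch on the event name, for example `github.event_name == 'pull_request' || (github.event_name == 'issue_comment' && ...)`, and keep the `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` check on the comment branch, since `startsWith(github.event.comment.body, '/build')` on its own would let any commenter dispatch builds.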
🚀 Performance & Scalability | 🟡 Minor | ⚡ Quick win
Skip edited runs that don't change the PR body.
parse only consumes pull_request.body, so title-only edits now cancel the in-flight build and dispatch the same matrix again under the same concurrency key. Add a job-level guard so edited only runs when the body changed.
Also applies to: 29-35
| build_mu_linux: | ||
| name: MuseScore Linux | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') || contains(needs.parse.outputs.mu_platforms, 'linux_arm64') | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') | ||
| uses: musescore/MuseScore/.github/workflows/build_linux.yml@main |
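Review bot: narrowing the condition to `linux_x64` and hardcoding the Linux workflow to that one token silently drops `linux_arm64`, which the previous `if` accepted, so a PR body asking for `linux_arm64` now gets no Linux build and no error; either keep the arm64 token in the condition and pass the Linux subset of `mu_platforms` through, or have `parse` reject tokens no job will consume. The `build_linux.yml@main` reference should also be pinned to a commit SHA, as the zizmor finding below says, because the called workflow decides what actually runs here.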
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '--- pr_dispatch.yml around lines 95-120 ---\n'
sed -n '95,120p' .github/workflows/pr_dispatch.yml
printf '\n--- search for pinning/zizmor references ---\n'
rg -n "zizmor|pinning|commit SHA|sha" .github . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true
printf '\n--- list workflow files mentioning reusable workflow refs ---\n'
rg -n "uses: .*@main|uses: .*@master|uses: .*@v[0-9]|uses: .*@[0-9a-f]{7,}" .github/workflows || true
Repository: musescore/muse_framework
Length of output: 253
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate likely policy/config files and the workflow file.
git ls-files '.github/**' '*.md' '*zizmor*' '*security*' '*policy*' | sed -n '1,200p'
printf '\n--- workflow ref lines in .github/workflows/pr_dispatch.yml ---\n'
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'
Repository: musescore/muse_framework
Length of output: 2192
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow file and any repo pinning guidance.
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'
printf '\n--- pinning guidance ---\n'
rg -n "zizmor|pinning|commit SHA|SHA|reusable workflow|workflow_call" .github *.md || true
Repository: musescore/muse_framework
Length of output: 202
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
path = Path('.github/workflows/pr_dispatch.yml')
lines = path.read_text().splitlines()
for i in range(100, 116):
    if i <= len(lines):
        print(f"{i}: {lines[i-1]}")
PY
printf '\n--- search for pinning / zizmor / reusable workflow guidance ---\n'
rg -n "zizmor|pinning|commit SHA|immutable SHA|reusable workflow|workflow_call|@main|@master|@[0-9a-f]{7,}" .github ./*.md ./*/*.md || true
printf '\n--- reusable workflow refs in .github/workflows ---\n'
python3 - <<'PY'
from pathlib import Path
import re
for path in Path('.github/workflows').glob('*.yml'):
    text = path.read_text(errors='ignore')
    if re.search(r'uses:\s+.*@(?:main|master|v\d|[0-9a-f]{7,40})', text):
        print(f'FILE: {path}')
        for i, line in enumerate(text.splitlines(), 1):
            if 'uses:' in line and '@' in line:
                print(f'{i}: {line}')
PY
Repository: musescore/muse_framework
Length of output: 2618
Pin this reusable workflow to a commit SHA
musescore/MuseScore/.github/workflows/build_linux.yml@main is mutable, so upstream changes can alter this pipeline without a PR here. Same applies to the other reusable workflow refs in this file.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 111-111: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr_dispatch.yml:
- Around line 107-118: The Windows reusable workflow in build_mu_windows is
still receiving the unsplit mu_platforms value, so update parse to emit a
Windows-only platform output and wire build_mu_windows to that output instead of
the raw list. Keep build_mu_linux and the other split jobs using their dedicated
subsets, and locate the change around the parse job outputs plus the
build_mu_windows uses block in pr_dispatch.yml.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: b10c2bb2-ce60-4c22-a630-1388473ccfba
📒 Files selected for processing (2)
.github/pull_request_template.md
.github/workflows/pr_dispatch.yml
| build_mu_linux: | ||
| name: MuseScore Linux | ||
| needs: parse | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') || contains(needs.parse.outputs.mu_platforms, 'linux_arm64') | ||
| if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') | ||
| uses: musescore/MuseScore/.github/workflows/build_linux.yml@main | ||
| with: | ||
| app_repo: ${{ needs.parse.outputs.mu_owner }}/${{ needs.parse.outputs.mu_repo }} | ||
| app_ref: ${{ needs.parse.outputs.mu_branch }} | ||
| framework_repo: ${{ github.repository }} | ||
| framework_ref: ${{ needs.parse.outputs.head_sha }} | ||
| platforms: ${{ needs.parse.outputs.mu_platforms }} | ||
| platforms: linux_x64 | ||
| build_mode: devel |
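Review bot: `app_repo` and `app_ref` in this `with:` block come from `parse` outputs that are read out of the PR body, which is untrusted once fork PRs can trigger this workflow, so a fork PR can point the dispatched build at any `owner/repo/branch` it names in its body; validate `mu_owner`/`mu_repo` against an allowlist (or accept only the defaults for fork PRs) before passing them into the reusable workflow. Note also that `framework_ref` is the pinned `head_sha` while `app_ref` is a branch name, so the app side of the build cannot be reproduced from the run record alone.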
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Pass a Windows-only platform list after splitting the MuseScore jobs.
Line 117 correctly narrows the Linux reusable workflow to linux_x64, but build_mu_windows still receives the raw mu_platforms string. A PR requesting linux_x64 macos windows_x64 will now send non-Windows tokens into build_windows.yml, which breaks the new per-platform routing contract. Compute a dedicated Windows subset in parse and pass that output to the Windows job instead.
Suggested fix
    outputs:
      head_sha: ${{ steps.pr.outputs.head_sha }}
      au_owner: ${{ steps.cfg.outputs.au_owner }}
      au_repo: ${{ steps.cfg.outputs.au_repo }}
      au_branch: ${{ steps.cfg.outputs.au_branch }}
      au_platforms: ${{ steps.cfg.outputs.au_platforms }}
      mu_owner: ${{ steps.cfg.outputs.mu_owner }}
      mu_repo: ${{ steps.cfg.outputs.mu_repo }}
      mu_branch: ${{ steps.cfg.outputs.mu_branch }}
      mu_platforms: ${{ steps.cfg.outputs.mu_platforms }}
+     mu_windows_platforms: ${{ steps.cfg.outputs.mu_windows_platforms }}
...
          mu_platforms=$(extract "musescore platforms")
          [ -z "$mu_platforms" ] && mu_platforms="linux_x64 macos windows_x64"
+         mu_windows_platforms=$(
+           printf '%s\n' "$mu_platforms" | tr ' ' '\n' |
+           grep -E '^(windows_x64|windows_portable)$' |
+           paste -sd' ' - || true
+         )
          read -r mu_owner mu_repo mu_branch < <(parse_combo "musescore" "$mu_combo" "musescore/MuseScore/main")
          {
            echo "mu_owner=$mu_owner"
            echo "mu_repo=$mu_repo"
            echo "mu_branch=$mu_branch"
            echo "mu_platforms=$mu_platforms"
+           echo "mu_windows_platforms=$mu_windows_platforms"
          } >> "$GITHUB_OUTPUT"
...
  build_mu_windows:
    name: MuseScore Windows
    needs: parse
    if: contains(needs.parse.outputs.mu_platforms, 'windows_x64') || contains(needs.parse.outputs.mu_platforms, 'windows_portable')
    uses: musescore/MuseScore/.github/workflows/build_windows.yml@main
    with:
      ...
-     platforms: ${{ needs.parse.outputs.mu_platforms }}
+     platforms: ${{ needs.parse.outputs.mu_windows_platforms }}
      build_mode: devel
Enables consumer application build on every PR.
Build configuration
audacity: audacity/audacity/master
audacity platforms: linux_x64
musescore: musescore/MuseScore/main
musescore platforms: linux_x64
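The parsing that pr_dispatch.yml does in its parse job, as an added example that is not the project's own code: a shell parser for a Build configuration block like the one above, with the per-OS platform split the review asked for (a Windows-only subset beside the Linux-only one), rejection of platform tokens no job would consume, and an owner/repo allowlist, which a fork-PR trust gate needs because the body that picks owner/repo/branch is attacker-controlled on pull_request events from forks. The function names (extract, parse_combo, platform_subset, unknown_platforms, dispatch_plan), the allowlist, the platform families and the sample body are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from muse_framework: parse the "Build configuration"
# block of a PR body into per-app dispatch inputs. Names, allowlist, platform
# families and the sample body are assumptions made for this example.
set -eu

# Platform tokens per OS family (assumed; the real lists live in the build workflows).
LINUX_PLATFORMS='linux_x64 linux_arm64'
WINDOWS_PLATFORMS='windows_x64 windows_portable'
MACOS_PLATFORMS='macos'

# Repositories this dispatcher is willing to build (assumed allowlist). The PR
# body chooses owner/repo/branch, so on fork PRs that choice is attacker-controlled.
ALLOWED_REPOS='musescore/MuseScore audacity/audacity'

# extract KEY BODY: value of the first "KEY: value" line in BODY, trimmed; empty if absent.
extract() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v key="$1" '
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }'
}

# parse_combo DEFAULT COMBO: split "owner/repo/branch" (branch may contain "/"),
# using DEFAULT when COMBO is empty. Prints "owner repo branch"; fails on junk.
parse_combo() {
    combo=${2:-}
    [ -n "$combo" ] || combo=$1
    owner=${combo%%/*}
    rest=${combo#*/}
    repo=${rest%%/*}
    branch=${rest#*/}
    if [ "$owner" = "$combo" ] || [ "$repo" = "$rest" ]; then
        echo "invalid owner/repo/branch: $combo" >&2
        return 1
    fi
    printf '%s %s %s\n' "$owner" "$repo" "$branch"
}

# repo_allowed OWNER REPO: succeeds only if OWNER/REPO is in ALLOWED_REPOS.
repo_allowed() {
    case " $ALLOWED_REPOS " in
        *" $1/$2 "*) return 0 ;;
    esac
    return 1
}

# platform_subset REQUESTED KNOWN: tokens of REQUESTED that appear in KNOWN,
# in request order, space separated; empty when none match.
platform_subset() {
    out=''
    for p in $1; do
        case " $2 " in
            *" $p "*) out="${out:+$out }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# unknown_platforms REQUESTED: tokens that belong to no known family.
unknown_platforms() {
    all=" $LINUX_PLATFORMS $WINDOWS_PLATFORMS $MACOS_PLATFORMS "
    out=''
    for p in $1; do
        case "$all" in
            *" $p "*) ;;
            *) out="${out:+$out }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# dispatch_plan BODY: print one line per app with repo, ref and per-OS platform
# subsets; fail closed on a repo outside the allowlist or an unknown platform.
dispatch_plan() {
    body=$1
    for app in musescore audacity; do
        case $app in
            musescore) default_combo='musescore/MuseScore/main' ;;
            audacity)  default_combo='audacity/audacity/master' ;;
        esac
        combo=$(extract "$app" "$body")
        platforms=$(extract "$app platforms" "$body")
        [ -n "$platforms" ] || platforms='linux_x64 macos windows_x64'
        parsed=$(parse_combo "$default_combo" "$combo") || return 1
        set -- $parsed
        repo_allowed "$1" "$2" || { echo "refusing to build $1/$2" >&2; return 1; }
        bad=$(unknown_platforms "$platforms")
        [ -z "$bad" ] || { echo "unknown platforms: $bad" >&2; return 1; }
        printf 'app=%s repo=%s/%s ref=%s linux=%s windows=%s macos=%s\n' \
            "$app" "$1" "$2" "$3" \
            "$(platform_subset "$platforms" "$LINUX_PLATFORMS")" \
            "$(platform_subset "$platforms" "$WINDOWS_PLATFORMS")" \
            "$(platform_subset "$platforms" "$MACOS_PLATFORMS")"
    done
}

# Constructed sample body, shaped like the Build configuration block in this PR.
SAMPLE_BODY='Build configuration
audacity: audacity/audacity/master
audacity platforms: linux_x64
musescore: musescore/MuseScore/main
musescore platforms: linux_x64'

dispatch_plan "$SAMPLE_BODY"
```

The allowlist check is the part the workflow as posted lacks: with it, a fork PR whose body names a repository outside the allowlist fails in parse before any reusable workflow is called, and a token like `linux_arm64` that no job would consume is reported instead of being dropped silently.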