
run musescore and audacity app builds automatically on every PR#97

Open
kryksyh wants to merge 1 commit into musescore:main from kryksyh:main


@kryksyh kryksyh commented Jun 19, 2026

Collaborator

Enables consumer application build on every PR.

  • I signed the CLA as username:
  • The title of the PR describes the problem it addresses.
  • Each commit's message describes its purpose and effects, and references the issue it resolves. If changes are extensive, there is a sequence of easily reviewable commits.
  • The code in the PR follows the coding rules.
  • I understand all aspects of the code I'm contributing and I'm able to explain it if requested.
  • The code compiles and runs on my machine, preferably after each commit individually. I have manually tested and verified that my changes fulfil their intended purpose.
  • No prior attempts to resolve this problem exist, or if they do, I listed them in my PR description and described how I avoided repeating past mistakes.
  • There are no unnecessary changes.
  • I created a unit test or vtest to verify the changes I made (if applicable).

Build configuration

audacity: audacity/audacity/master
audacity platforms: linux_x64
musescore: musescore/MuseScore/main
musescore platforms: linux_x64

Summary by CodeRabbit

  • New Features

    • Consumer-app builds now run automatically for every pull request.
    • Default platform guidance was updated to match the current build targets.
  • Bug Fixes

    • Removed the need to manually comment to start a build.
    • Improved PR build handling so results are triggered directly from PR updates.


coderabbitai Bot commented Jun 19, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 658ebab1-8f89-4b25-94f4-c44682dd4064

📥 Commits

Reviewing files that changed from the base of the PR and between 39e3a5c and e5958cb.

📒 Files selected for processing (2)
  • .github/pull_request_template.md
  • .github/workflows/pr_dispatch.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/pull_request_template.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pr_dispatch.yml

📝 Walkthrough

Walkthrough

The PR changes pr_dispatch.yml from an issue_comment trigger to pull_request events for opened, reopened, synchronize, and edited. It reads PR data from GITHUB_EVENT_PATH, removes pending-status and build-dispatch steps, removes the final report job, adds explicit job names, updates MuseScore routing, and revises the PR template to describe automatic consumer-app builds.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main change: automatic MuseScore and Audacity app builds on every PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr_dispatch.yml:
- Around line 3-5: The pull_request trigger in the workflow does not include a
trust gate, allowing untrusted forks to automatically dispatch builds. Add a
conditional check (typically using `if:
github.event.pull_request.head.repo.full_name == github.repository`) at the job
level to ensure that only PRs from the main repository trigger the heavyweight
build dispatch, preventing fork PRs from consuming CI capacity.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ae782287-61d0-472c-8aec-90d9375fbd89

📥 Commits

Reviewing files that changed from the base of the PR and between 5a48cf5 and 0c74e96.

📒 Files selected for processing (2)
  • .github/pull_request_template.md
  • .github/workflows/pr_dispatch.yml

Comment on lines 3 to +5
on:
issue_comment:
types: [created]
pull_request:
types: [opened, reopened, synchronize, edited]
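Review bot: `types: [opened, reopened, synchronize, edited]` on the new `pull_request:` trigger has no counterpart to the `/build` comment that used to start a run, so every push to any PR, forks included, now starts the consumer-app builds. If that is intended, say so in a comment above the trigger and note that it has to stay `pull_request` rather than `pull_request_target`, since the jobs build the PR's head commit and should keep running without repository secrets for fork PRs.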

@coderabbitai coderabbitai Bot Jun 19, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a trust gate for automatic PR-triggered builds.

Line 5 now runs this workflow on every PR update (including edited) without any trust check. That allows untrusted/fork PRs to automatically dispatch heavyweight builds, which can exhaust CI capacity and starve trusted builds.

Suggested hardening
 jobs:
   parse:
+    if: |
+      github.event.pull_request.head.repo.fork == false ||
+      contains(github.event.pull_request.labels.*.name, 'safe-to-test')
     name: Configure
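Review bot: the `safe-to-test` branch of this suggested `if:` does not start a build when the label is added, because the trigger's `types:` list (`opened, reopened, synchronize, edited`) has no `labeled` entry; the build would only run on the next push or edit. If the label route is adopted, add `labeled` to `types:` and remove the label on `synchronize`, otherwise one approval carries over to every later push to the fork branch.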
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr_dispatch.yml around lines 3 - 5, The pull_request
trigger in the workflow does not include a trust gate, allowing untrusted forks
to automatically dispatch builds. Add a conditional check (typically using `if:
github.event.pull_request.head.repo.full_name == github.repository`) at the job
level to ensure that only PRs from the main repository trigger the heavyweight
build dispatch, preventing fork PRs from consuming CI capacity.

Collaborator Author


@igorkorsukov what do you think? I guess we are good, and if it is abused, we can tighten it.


Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/pull_request_template.md:
- Around line 19-20: The pull request template text is inconsistent with the
actual fallback behavior in the PR dispatch workflow. Update the wording in the
pull request template so it matches the default matrix used by pr_dispatch.yml,
and make sure the guidance around removing the section clearly says what builds
will run when the block is omitted. Refer to the Consumer-app builds section in
the template and align it with the fallback logic used by pr_dispatch.yml so
contributors do not unintentionally request extra platforms.

In @.github/workflows/pr_dispatch.yml:
- Around line 15-16: The parse job in pr_dispatch.yml is triggering on edited
events even when only the PR title changes, which re-dispatches the same matrix
under the same concurrency key. Add a job-level condition on the parse job so it
only runs for edited actions when the pull_request body actually changed,
keeping the existing pull_request.body-based parsing behavior intact.
- Around line 107-111: The reusable workflow references in this workflow are
using mutable branch refs, which can change behavior without updates here.
Update the `uses` targets in `.github/workflows/pr_dispatch.yml` (including
`build_mu_linux` and the other reusable workflow calls in this file) to fixed
commit SHAs instead of `@main`, so the pipeline is pinned to an immutable
version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f2679ec1-4c90-4e8a-9576-d07f3c4cf299

📥 Commits

Reviewing files that changed from the base of the PR and between 0c74e96 and 560a707.

📒 Files selected for processing (2)
  • .github/pull_request_template.md
  • .github/workflows/pr_dispatch.yml

Comment thread .github/pull_request_template.md
Comment on lines 15 to +16
parse:
if: >-
github.event.issue.pull_request != null
&& startsWith(github.event.comment.body, '/build')
&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
name: Configure
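Review bot: dropping the `if:` on `parse` also drops the `author_association` check (`OWNER`, `MEMBER`, `COLLABORATOR`), which was the only restriction on who could choose the build configuration. With the configuration now read from the PR description, consider keeping an equivalent check on `github.event.pull_request.author_association`, or limiting PRs from other authors to the default repos and branches.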


🚀 Performance & Scalability | 🟡 Minor | ⚡ Quick win

Skip edited runs that don't change the PR body.

parse only consumes pull_request.body, so title-only edits now cancel the in-flight build and dispatch the same matrix again under the same concurrency key. Add a job-level guard so edited only runs when the body changed.

Also applies to: 29-35

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr_dispatch.yml around lines 15 - 16, The parse job in
pr_dispatch.yml is triggering on edited events even when only the PR title
changes, which re-dispatches the same matrix under the same concurrency key. Add
a job-level condition on the parse job so it only runs for edited actions when
the pull_request body actually changed, keeping the existing
pull_request.body-based parsing behavior intact.

Comment on lines 107 to 111
build_mu_linux:
name: MuseScore Linux
needs: parse
if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') || contains(needs.parse.outputs.mu_platforms, 'linux_arm64')
if: contains(needs.parse.outputs.mu_platforms, 'linux_x64')
uses: musescore/MuseScore/.github/workflows/build_linux.yml@main
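Review bot: the new `if:` on `build_mu_linux` no longer matches `linux_arm64`, so a PR description that asks for `musescore platforms: linux_arm64` now skips this job without any message. Have `parse` reject or warn on platform tokens that no job handles, so a requested build that never runs is visible in the run log.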


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '--- pr_dispatch.yml around lines 95-120 ---\n'
sed -n '95,120p' .github/workflows/pr_dispatch.yml

printf '\n--- search for pinning/zizmor references ---\n'
rg -n "zizmor|pinning|commit SHA|sha" .github . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true

printf '\n--- list workflow files mentioning reusable workflow refs ---\n'
rg -n "uses: .*@main|uses: .*@master|uses: .*@v[0-9]|uses: .*@[0-9a-f]{7,}" .github/workflows || true

Repository: musescore/muse_framework

Length of output: 253


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate likely policy/config files and the workflow file.
git ls-files '.github/**' '*.md' '*zizmor*' '*security*' '*policy*' | sed -n '1,200p'

printf '\n--- workflow ref lines in .github/workflows/pr_dispatch.yml ---\n'
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'

Repository: musescore/muse_framework

Length of output: 2192


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file and any repo pinning guidance.
nl -ba .github/workflows/pr_dispatch.yml | sed -n '100,115p'
printf '\n--- pinning guidance ---\n'
rg -n "zizmor|pinning|commit SHA|SHA|reusable workflow|workflow_call" .github *.md || true

Repository: musescore/muse_framework

Length of output: 202


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path

path = Path('.github/workflows/pr_dispatch.yml')
lines = path.read_text().splitlines()
for i in range(100, 116):
    if i <= len(lines):
        print(f"{i}: {lines[i-1]}")
PY

printf '\n--- search for pinning / zizmor / reusable workflow guidance ---\n'
rg -n "zizmor|pinning|commit SHA|immutable SHA|reusable workflow|workflow_call|@main|@master|@[0-9a-f]{7,}" .github ./*.md ./*/*.md || true

printf '\n--- reusable workflow refs in .github/workflows ---\n'
python3 - <<'PY'
from pathlib import Path
import re

for path in Path('.github/workflows').glob('*.yml'):
    text = path.read_text(errors='ignore')
    if re.search(r'uses:\s+.*@(?:main|master|v\d|[0-9a-f]{7,40})', text):
        print(f'FILE: {path}')
        for i, line in enumerate(text.splitlines(), 1):
            if 'uses:' in line and '@' in line:
                print(f'{i}: {line}')
PY

Repository: musescore/muse_framework

Length of output: 2618


Pin this reusable workflow to a commit SHA

musescore/MuseScore/.github/workflows/build_linux.yml@main is mutable, so upstream changes can alter this pipeline without a PR here. Same applies to the other reusable workflow refs in this file.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 111-111: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr_dispatch.yml around lines 107 - 111, The reusable
workflow references in this workflow are using mutable branch refs, which can
change behavior without updates here. Update the `uses` targets in
`.github/workflows/pr_dispatch.yml` (including `build_mu_linux` and the other
reusable workflow calls in this file) to fixed commit SHAs instead of `@main`,
so the pipeline is pinned to an immutable version.

Source: Linters/SAST tools
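
The unpinned-uses finding above can be checked locally with a small scanner. This is an added example, not code from the PR, from CodeRabbit or from zizmor; the sample workflow text is constructed, and everything in it except the `build_linux.yml@main` ref quoted in the review is a placeholder. It treats only a full 40-character commit SHA (or a `docker://` image digest) as pinned.

```python
import re

# Matches `uses: <target>` in a step (`- uses:`) or a reusable-workflow job call.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(target):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` target."""
    if target.startswith("./"):
        return "local"  # same-repo path, versioned together with the caller
    if target.startswith("docker://"):
        return "pinned" if "@sha256:" in target else "mutable"
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "mutable"  # no ref given at all
    # Branches, tags and abbreviated hashes can all be moved or re-resolved,
    # so this example accepts nothing short of a full commit SHA.
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"


def find_mutable_uses(workflow_text):
    """Return [(line_number, target)] for every `uses:` that is not pinned."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings


# Constructed sample input. The first ref is the one quoted in the review;
# the SHA, org and action names below it are made-up placeholders.
SAMPLE = """\
jobs:
  build_mu_linux:
    uses: musescore/MuseScore/.github/workflows/build_linux.yml@main
  pinned_example:
    uses: example-org/example-repo/.github/workflows/build.yml@0123456789abcdef0123456789abcdef01234567
  short_sha:
    uses: example-org/example-repo/.github/workflows/build.yml@0123456
  steps_example:
    steps:
      - uses: ./.github/actions/local-setup
      - uses: example-org/example-action@v4  # tag, can be moved
"""

if __name__ == "__main__":
    for number, target in find_mutable_uses(SAMPLE):
        print(f"line {number}: {target} is not pinned to a commit SHA")
```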

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr_dispatch.yml:
- Around line 107-118: The Windows reusable workflow in build_mu_windows is
still receiving the unsplit mu_platforms value, so update parse to emit a
Windows-only platform output and wire build_mu_windows to that output instead of
the raw list. Keep build_mu_linux and the other split jobs using their dedicated
subsets, and locate the change around the parse job outputs plus the
build_mu_windows uses block in pr_dispatch.yml.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b10c2bb2-ce60-4c22-a630-1388473ccfba

📥 Commits

Reviewing files that changed from the base of the PR and between 560a707 and 39e3a5c.

📒 Files selected for processing (2)
  • .github/pull_request_template.md
  • .github/workflows/pr_dispatch.yml

Comment on lines 107 to 118
build_mu_linux:
name: MuseScore Linux
needs: parse
if: contains(needs.parse.outputs.mu_platforms, 'linux_x64') || contains(needs.parse.outputs.mu_platforms, 'linux_arm64')
if: contains(needs.parse.outputs.mu_platforms, 'linux_x64')
uses: musescore/MuseScore/.github/workflows/build_linux.yml@main
with:
app_repo: ${{ needs.parse.outputs.mu_owner }}/${{ needs.parse.outputs.mu_repo }}
app_ref: ${{ needs.parse.outputs.mu_branch }}
framework_repo: ${{ github.repository }}
framework_ref: ${{ needs.parse.outputs.head_sha }}
platforms: ${{ needs.parse.outputs.mu_platforms }}
platforms: linux_x64
build_mode: devel
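Review bot: `app_repo` and `app_ref` are passed to `build_linux.yml` straight from `mu_owner`, `mu_repo` and `mu_branch`, which `parse` takes from the PR description. Before writing them to the outputs, check in `parse` that each value contains only characters valid in a repository or branch name and fail the job otherwise, so malformed text in the description stops there instead of reaching the reusable workflow.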


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Pass a Windows-only platform list after splitting the MuseScore jobs.

Line 117 correctly narrows the Linux reusable workflow to linux_x64, but build_mu_windows still receives the raw mu_platforms string. A PR requesting linux_x64 macos windows_x64 will now send non-Windows tokens into build_windows.yml, which breaks the new per-platform routing contract. Compute a dedicated Windows subset in parse and pass that output to the Windows job instead.

Suggested fix
     outputs:
       head_sha: ${{ steps.pr.outputs.head_sha }}
       au_owner: ${{ steps.cfg.outputs.au_owner }}
       au_repo: ${{ steps.cfg.outputs.au_repo }}
       au_branch: ${{ steps.cfg.outputs.au_branch }}
       au_platforms: ${{ steps.cfg.outputs.au_platforms }}
       mu_owner: ${{ steps.cfg.outputs.mu_owner }}
       mu_repo: ${{ steps.cfg.outputs.mu_repo }}
       mu_branch: ${{ steps.cfg.outputs.mu_branch }}
       mu_platforms: ${{ steps.cfg.outputs.mu_platforms }}
+      mu_windows_platforms: ${{ steps.cfg.outputs.mu_windows_platforms }}
...
           mu_platforms=$(extract "musescore platforms")
           [ -z "$mu_platforms" ] && mu_platforms="linux_x64 macos windows_x64"
+          mu_windows_platforms=$(
+            printf '%s\n' "$mu_platforms" | tr ' ' '\n' |
+              grep -E '^(windows_x64|windows_portable)$' |
+              paste -sd' ' - || true
+          )
           read -r mu_owner mu_repo mu_branch < <(parse_combo "musescore" "$mu_combo" "musescore/MuseScore/main")
           {
             echo "mu_owner=$mu_owner"
             echo "mu_repo=$mu_repo"
             echo "mu_branch=$mu_branch"
             echo "mu_platforms=$mu_platforms"
+            echo "mu_windows_platforms=$mu_windows_platforms"
           } >> "$GITHUB_OUTPUT"
...
   build_mu_windows:
     name: MuseScore Windows
     needs: parse
     if: contains(needs.parse.outputs.mu_platforms, 'windows_x64') || contains(needs.parse.outputs.mu_platforms, 'windows_portable')
     uses: musescore/MuseScore/.github/workflows/build_windows.yml@main
     with:
...
-      platforms: ${{ needs.parse.outputs.mu_platforms }}
+      platforms: ${{ needs.parse.outputs.mu_windows_platforms }}
       build_mode: devel
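Review bot: in this suggestion the `if:` on `build_mu_windows` still tests `mu_platforms` while `platforms:` is fed from `mu_windows_platforms`, so the condition and the input can drift apart. Test `needs.parse.outputs.mu_windows_platforms != ''` in the `if:` instead, which also makes the job skip when the filtered list is empty.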
🧰 Tools
🪛 zizmor (1.26.1)

[error] 111-111: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr_dispatch.yml around lines 107 - 118, The Windows
reusable workflow in build_mu_windows is still receiving the unsplit
mu_platforms value, so update parse to emit a Windows-only platform output and
wire build_mu_windows to that output instead of the raw list. Keep
build_mu_linux and the other split jobs using their dedicated subsets, and
locate the change around the parse job outputs plus the build_mu_windows uses
block in pr_dispatch.yml.
