From 3373154b405d679112aa50dbb474ae4b2ae49ffe Mon Sep 17 00:00:00 2001 
From: Matiss Janis Aboltins Date: Sun, 19 Apr 2026 22:22:49 +0100 Subject: [PATCH] Refactor CI workflows to use shared setup job (#7551) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [AI] Run setup once per workflow and fan out via needs Add a prep `setup` job at the top of `check.yml` and `build.yml`, and make every other job in those workflows declare `needs: setup`. The composite action in `.github/actions/setup` caches `node_modules` keyed on `yarn.lock`. When that hash changes (dep-bump PRs, master after a merge), the cache is cold and every fan-out job races to run `yarn --immutable` in parallel — one wins the cache save, the rest do redundant work. Serialising through a single `setup` job warms the cache once so downstream jobs restore instantly and skip yarn install via the existing `if: steps.cache.outputs.cache-hit != 'true'` guard. No changes to the composite action or cache keys. `e2e-test.yml` is intentionally left alone. * [AI] Harden setup jobs and add release note Address zizmor code-scanning findings on the new `setup` jobs added in the previous commit: - Scope `permissions: contents: read` so the job no longer inherits workflow-default write permissions. - Pass `persist-credentials: false` to `actions/checkout` so the GitHub token isn't left on disk for later steps that don't need it. Add `upcoming-release-notes/7551.md` to satisfy the release-notes PR check. * [AI] Disable credential persistence on build.yml checkouts Each of `api`, `crdt`, `web`, `cli`, `server` in build.yml does `actions/checkout` (which writes the GitHub token into `.git/config`) and then uploads build artifacts in the same job. Zizmor flags this as "credential persistence through GitHub Actions artifacts" because a misconfigured upload path could capture `.git/config` and leak the token. None of these jobs push or write to git, so drop the credential persistence via `persist-credentials: false` on the checkout. 
* [AI] Disable credential persistence on check.yml checkouts None of the jobs in check.yml (`constraints`, `lint`, `typecheck`, `validate-cli`, `test`, `migrations`) push or write to git, so pass `persist-credentials: false` to their `actions/checkout` calls to resolve the zizmor "credential persistence" finding. Mirrors the fix just applied to build.yml.
---------
Co-authored-by: Claude
---
 .github/workflows/build.yml | 28 ++++++++++++++++++++++++++++
 .github/workflows/check.yml | 30 ++++++++++++++++++++++++++++++
 upcoming-release-notes/7551.md | 6 ++++++
 3 files changed, 64 insertions(+)
 create mode 100644 upcoming-release-notes/7551.md
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 15e2d5d163..a1adddafc2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,10 +19,26 @@ concurrency:
 cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 jobs:
+ setup:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Set up environment
+ uses: ./.github/actions/setup
+ with:
+ download-translations: 'false'
+
 api:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -45,9 +61,12 @@ jobs:
 path: api-stats.json
 crdt:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -70,9 +89,12 @@ jobs:
 path: crdt-stats.json
 web:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 - name: Build Web
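Review bot: Only the new `setup` job gets `permissions: contents: read`; `api` here (its steps continue past the hunk), `crdt`, `web`, `cli` and `server` in the later build.yml hunks, and every check.yml job from `constraints` to `migrations` still run with the workflow default, which the commit message describes as write. These jobs only build, test and upload artifacts, so the least-privilege shape is one workflow-level `permissions:` / `  contents: read` block above `jobs:` — the hunk context starts at `concurrency:`, so whether such a block already exists is not visible here — with a job-level widening only where a step needs more, e.g. the zizmor step at the end of check.yml's `test` job, which presumably needs `security-events: write` to upload its SARIF. A caveat on `persist-credentials: false`, applied the same way across all these hunks: it also strips the token from any later network `git` operation in the job, so confirm that nothing in `./.github/actions/setup` (including the `download-translations` path) or in the `yarn --immutable` install fetches from a private git remote.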
@@ -89,9 +111,12 @@ jobs:
 path: packages/desktop-client/build-stats
 cli:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -114,9 +139,12 @@ jobs:
 path: cli-stats.json
 server:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 139dc28a0d..3d3ea32799 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -12,10 +12,25 @@ concurrency:
 cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 jobs:
+ setup:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Set up environment
+ uses: ./.github/actions/setup
+ with:
+ download-translations: 'false'
 constraints:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -23,9 +38,12 @@ jobs:
 - name: Check dependency version consistency
 run: yarn constraints
 lint:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -33,9 +51,12 @@ jobs:
 - name: Lint
 run: yarn lint
 typecheck:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -43,9 +64,12 @@ jobs:
 - name: Typecheck
 run: yarn typecheck
 validate-cli:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -55,9 +79,12 @@ jobs:
 - name: Check that the built CLI works
 run: node packages/sync-server/build/bin/actual-server.js --version
 test:
+ needs: setup
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
@@ -75,10 +102,13 @@ jobs:
 - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
 migrations:
+ needs: setup
 if: github.event_name == 'pull_request'
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up environment
 uses: ./.github/actions/setup
 with:
diff --git a/upcoming-release-notes/7551.md b/upcoming-release-notes/7551.md
new file mode 100644
index 0000000000..f175b29399
--- /dev/null
+++ b/upcoming-release-notes/7551.md
@@ -0,0 +1,6 @@
+---
+category: Maintenance
+authors: [actualbudget]
+---
+
+Share the CI dependency install across `check.yml` and `build.yml` jobs via a single upstream `setup` job to cut redundant `yarn install` runs on cache-cold workflow runs.