36 changes: 6 additions & 30 deletions .github/workflows/agentics-maintenance.yml
Expand Up @@ -62,7 +62,7 @@ permissions: {}

jobs:
close-expired-entities:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
runs-on: ubuntu-slim
permissions:
discussions: write
Expand Down Expand Up @@ -187,7 +187,7 @@ jobs:
await main();

apply_safe_outputs:
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && !github.event.repository.fork }}
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && (!(github.event.repository.fork)) }}
runs-on: ubuntu-slim
permissions:
actions: read
Expand Down Expand Up @@ -232,7 +232,7 @@ jobs:
await main();

create_labels:
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'create_labels' && !github.event.repository.fork }}
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'create_labels' && (!(github.event.repository.fork)) }}
runs-on: ubuntu-slim
permissions:
contents: read
Expand Down Expand Up @@ -280,7 +280,7 @@ jobs:
await main();

validate_workflows:
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'validate' && !github.event.repository.fork }}
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'validate' && (!(github.event.repository.fork)) }}
runs-on: ubuntu-latest
permissions:
contents: read
Expand Down Expand Up @@ -328,7 +328,7 @@ jobs:
await main();

compile-workflows:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
runs-on: ubuntu-slim
permissions:
contents: read
Expand Down Expand Up @@ -367,32 +367,8 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_recompile_needed.cjs');
await main();

zizmor-scan:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
runs-on: ubuntu-slim
needs: compile-workflows
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Setup Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
cache: true

- name: Build gh-aw
run: make build

- name: Run zizmor security scanner
run: |
./gh-aw compile --zizmor --verbose
echo "✓ Zizmor security scan completed"

secret-validation:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
runs-on: ubuntu-slim
permissions:
contents: read
63 changes: 33 additions & 30 deletions pkg/workflow/maintenance_workflow.go
Expand Up @@ -274,7 +274,7 @@ permissions: {}

jobs:
close-expired-entities:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }}
runs-on: ` + runsOnValue + `
permissions:
discussions: write
Expand Down Expand Up @@ -434,7 +434,7 @@ jobs:
// Add apply_safe_outputs job for workflow_dispatch with operation == 'safe_outputs'
yaml.WriteString(`
apply_safe_outputs:
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && !github.event.repository.fork }}
if: ${{ ` + RenderCondition(buildDispatchOperationCondition("safe_outputs")) + ` }}
runs-on: ` + runsOnValue + `
permissions:
actions: read
Expand Down Expand Up @@ -482,7 +482,7 @@ jobs:
// Add create_labels job for workflow_dispatch with operation == 'create_labels'
yaml.WriteString(`
create_labels:
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'create_labels' && !github.event.repository.fork }}
if: ${{ ` + RenderCondition(buildDispatchOperationCondition("create_labels")) + ` }}
runs-on: ` + runsOnValue + `
permissions:
contents: read
Expand Down Expand Up @@ -529,7 +529,7 @@ jobs:
validateRunsOnValue := FormatRunsOn(configuredRunsOn, "ubuntu-latest")
yaml.WriteString(`
validate_workflows:
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'validate' && !github.event.repository.fork }}
if: ${{ ` + RenderCondition(buildDispatchOperationCondition("validate")) + ` }}
runs-on: ` + validateRunsOnValue + `
permissions:
contents: read
Expand Down Expand Up @@ -579,7 +579,7 @@ jobs:
// Add compile-workflows job
yaml.WriteString(`
compile-workflows:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }}
Copilot AI Apr 14, 2026

The comment above this dev-mode block still mentions adding a zizmor-scan job, but that job has been removed. Please update the comment to reflect the current jobs included in dev mode (e.g., compile-workflows / secret-validation) so future readers aren’t misled.

runs-on: ` + runsOnValue + `
permissions:
contents: read
Expand Down Expand Up @@ -615,32 +615,8 @@ jobs:
const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_recompile_needed.cjs');
await main();

zizmor-scan:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
runs-on: ` + runsOnValue + `
needs: compile-workflows
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Setup Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
cache: true

- name: Build gh-aw
run: make build

- name: Run zizmor security scanner
run: |
./gh-aw compile --zizmor --verbose
echo "✓ Zizmor security scan completed"

secret-validation:
if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }}
if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }}
runs-on: ` + runsOnValue + `
permissions:
contents: read
Expand Down Expand Up @@ -753,6 +729,33 @@ func buildNotForkAndScheduledOrOperation(operation string) ConditionNode {
)
}

// buildNotForkAndScheduled creates a condition for jobs that should run on any
// non-dispatch event (e.g. schedule, push) or on workflow_dispatch with an empty
// operation, and never on forks.
// Condition: !fork && (event_name != 'workflow_dispatch' || operation == "")
func buildNotForkAndScheduled() ConditionNode {
return BuildAnd(
buildNotForkCondition(),
buildNotDispatchOrEmptyOperation(),
)
}

// buildDispatchOperationCondition creates a condition for jobs that should run
// only when a specific workflow_dispatch operation is selected and not a fork.
// Condition: dispatch && operation == op && !fork
func buildDispatchOperationCondition(operation string) ConditionNode {
return BuildAnd(
BuildAnd(
BuildEventTypeEquals("workflow_dispatch"),
BuildEquals(
BuildPropertyAccess("github.event.inputs.operation"),
BuildStringLiteral(operation),
),
),
buildNotForkCondition(),
)
}

// buildRunOperationCondition creates the condition for the unified run_operation
// job that handles all dispatch operations except the ones with dedicated jobs.
// Condition: dispatch && operation != ” && operation != each excluded && !fork.
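Review bot: The hunk at `@@ -615,32 +615,8` removes the zizmor-scan job from the generated workflow and nothing else in this diff adds a step that lints the compiled workflows, so the maintenance workflow loses its only security-scanning job unless that scan now runs elsewhere, which is not visible here; if the move is intentional, a one-line comment next to the compile-workflows block such as `// zizmor scanning is no longer emitted here; it runs in <replacement workflow — TODO fill in>` would keep the generator honest. Separately, buildDispatchOperationCondition in the hunk at `@@ -753,6 +729,33` accepts any string, and an empty operation would render `operation == ''`, which overlaps the `operation == ''` branch that buildNotForkAndScheduled emits for the scheduled jobs, so two jobs would fire on the same dispatch; every caller shown passes a non-empty literal, so documenting the precondition is enough, e.g. `// operation must be non-empty; an empty value would overlap buildNotForkAndScheduled.`. The nested `BuildAnd(BuildAnd(a, b), c)` call is also worth flattening to one call if BuildAnd is variadic, though its signature is outside this view. The generator function that owns the `yaml.WriteString` hunks starts and ends outside the hunks.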
2 changes: 1 addition & 1 deletion pkg/workflow/maintenance_workflow_test.go
Expand Up @@ -290,7 +290,7 @@ func TestGenerateMaintenanceWorkflow_OperationJobConditions(t *testing.T) {
const runOpSectionSearchRange = 500

// Jobs that should be disabled when any non-dedicated operation is set (cleanup-cache-memory has its own dedicated operation)
disabledJobs := []string{"close-expired-entities:", "compile-workflows:", "secret-validation:", "zizmor-scan:"}
disabledJobs := []string{"close-expired-entities:", "compile-workflows:", "secret-validation:"}
for _, job := range disabledJobs {
// Find the if: condition for each job
jobIdx := strings.Index(yaml, "\n "+job)