Implement Conan lockfiles in CI/CD workflows for reproducible builds with workflow-specific auto-commit

[Copilot]

All CI/CD workflows now generate and use Conan lockfiles to ensure reproducible builds by pinning exact dependency versions and revisions across all environments. Lockfiles are automatically committed back to the repository with workflow-specific conditions.

Changes

• 9 workflow files updated: Added --lockfile-out=conan.lock to all conan install, conan create, and conan build commands

  • benchmark.yml, conan-package.yml, lint-tidier.yml, npm-package.yml, unit-test.yml, update-translation.yml
  • cura-installer-{linux,macos,windows}.yml

• Workflow-specific auto-commit logic: Added stefanzweifer/git-auto-commit-action@v5 with different conditions per workflow type:

  • Most workflows: Commit lockfiles on push to main/master branches
  • Package creation workflow (conan-package.yml): Commit lockfiles on push to release branches/tags only (NOT main/master)
  • Conditional logic prevents commits during PR validation
  • Prevents commit noise during development while maintaining lockfiles for releases

• README documentation: Added comprehensive lockfile section covering:

  • Benefits (reproducibility, traceability, strict dependency resolution)
  • Automatic conan.lock loading behavior in Conan 2.x
  • Workflow-specific auto-commit behavior
  • Permissions requirements (contents: write for calling workflows)
  • Maintenance commands (conan lock add, --lockfile-partial mode)
  • Adoption workflow (lockfile auto-generated and committed on first CI run)

Auto-Commit Logic

Package Creation (conan-package.yml)

- name: Commit lockfile
  if: github.event_name == 'push' && (github.ref_type == 'tag' || (github.ref_type == 'branch' && github.ref_name != 'main' && github.ref_name != 'master'))
  uses: stefanzweifel/git-auto-commit-action@v5
  with:
    file_pattern: conan.lock
    commit_message: "Update Conan lockfile"
    status_options: --untracked-files=no

Commits on release branches and tags, preventing frequent commits on main/master.

Other Workflows

- name: Commit lockfile
  if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
  uses: stefanzweifel/git-auto-commit-action@v5
  with:
    file_pattern: conan.lock
    commit_message: "Update Conan lockfile"
    status_options: --untracked-files=no

Commits on main/master for regular development workflows.

Example

# Before
- run: conan install . --build=missing --update

# After  
- run: conan install . --build=missing --update --lockfile-out=conan.lock

- name: Commit lockfile
  if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
  uses: stefanzweifel/git-auto-commit-action@v5
  with:
    file_pattern: conan.lock
    commit_message: "Update Conan lockfile"
    status_options: --untracked-files=no

How It Works

1. Conan 2 automatically loads conan.lock if present (no --lockfile flag needed)
2. First CI run creates the lockfile; subsequent runs update it
3. Lockfiles are automatically committed based on workflow type:
   • Test/build workflows commit on push to main/master
   • Package creation commits on release branches/tags
4. On PRs, lockfiles are generated but not committed

Each repository using these workflows will automatically maintain up-to-date lockfiles in version control for full reproducibility. Repositories can override lockfile behavior via conan_extra_args workflow input (e.g., --lockfile-partial for development branches).

Note: Calling workflows must have contents: write permission for auto-commit functionality.

Original prompt

Make sure that our CI CD flows use conan lock files. Investigate best-practices for conan lock files in the industry, in such flows and update all relevant GitHub Actions for this.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[jellespijker]

@copilot continue with my request to make sure that on a push (or merge) the conan lock file is created

[Copilot]

@copilot continue with my request to make sure that on a push (or merge) the conan lock file is created

Done! Added automatic commit of lockfiles on push/merge to main/master branches across all 9 workflows. The lockfiles will now be:

1. Generated during CI runs with --lockfile-out=conan.lock
2. Automatically committed back to the repository when workflows run on push events to main/master
3. Skipped on PR builds to avoid creating commits during pull request validation

Commit: b85b4ba

[jellespijker]

@copilot only do the auto commit on package creation when merged to another branch. Or when a release tag is created.

[Copilot]

@copilot only do the auto commit on package creation when merged to another branch. Or when a release tag is created.

Updated! The conan-package.yml workflow now only commits lockfiles on:

1. Push to release branches (any branch except main/master)
2. Push of release tags

Other workflows (unit-test, benchmark, etc.) still commit on main/master as they're for regular development. This prevents excessive lockfile commits on main while ensuring release branches and tags have committed lockfiles.

Commit: f724342