
V10.y.z/fork support #25

Merged
gimlichael merged 2 commits into main from v10.y.z/fork-support
Apr 14, 2026

Conversation

@gimlichael (Member)

This pull request updates the .github/workflows/ci-pipeline.yml workflow to improve handling of pull requests from forks and to centralize workflow variable management. The main changes include adding an initialization job to set workflow variables, updating job dependencies, and restricting privileged jobs to only run for trusted (non-fork) pull requests.

Workflow improvements:

  • Added an init job that calculates and outputs key workflow variables, such as whether the PR is from a fork, whether privileged jobs should run, and build configuration options. Other jobs now use these outputs for configuration.
  • Updated job dependencies so that all main jobs (build, pack, test_linux, test_windows, sonarcloud, codecov, codeql) depend on the new init job, ensuring consistent variable usage across jobs.

Security and privileged job control:

  • Added conditions to privileged jobs (sonarcloud, codecov, codeql) so they only run if the PR is not from a fork, enhancing security and preventing secrets exposure.

Configuration management:

  • Centralized the assignment of strong-name-key-filename and build-switches to use values determined by the init job, rather than hardcoding them in each job.
  • Ensured that all jobs use the correct build switches and artifact download patterns, maintaining consistency in the build and test process.

These changes make the CI pipeline more robust, secure, and easier to maintain, especially when handling contributions from external forks.

@gimlichael gimlichael self-assigned this Apr 14, 2026
Copilot AI review requested due to automatic review settings April 14, 2026 15:20
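The description above says the init job decides whether a pull request comes from a fork and whether the privileged jobs may run, but nothing in this thread shows how those values are derived. The following is an added example, not the project's own ci-pipeline.yml, of the shell an `init` step could run to produce the four outputs the PR names. The fork test (head repository differs from base repository, read from the `pull_request` event payload), the key filenames and the MSBuild switches are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the project's own workflow code. It models what an
# "init" step could run to produce the four job outputs named in the PR:
#   is-fork-pr, run-privileged-jobs, strong-name-key-filename, build-switches
# Assumptions (not shown on the PR page): fork detection compares the PR head
# repository with the base repository; the key filenames and build switches
# are placeholders chosen for illustration.

# compute_init_vars EVENT_NAME BASE_REPO HEAD_REPO OUTPUT_FILE
#   EVENT_NAME  e.g. ${{ github.event_name }}
#   BASE_REPO   e.g. ${{ github.repository }}
#   HEAD_REPO   e.g. ${{ github.event.pull_request.head.repo.full_name }}
#               (empty on non-PR events such as push)
#   OUTPUT_FILE normally "$GITHUB_OUTPUT"; key=value lines are appended to it
compute_init_vars() {
  event_name=$1; base_repo=$2; head_repo=$3; out=$4

  # A PR is "from a fork" when its head repository is not the base repository.
  is_fork_pr=false
  case "$event_name" in
    pull_request|pull_request_target)
      if [ -z "$head_repo" ] || [ "$head_repo" != "$base_repo" ]; then
        is_fork_pr=true   # fail closed: unknown head repo counts as untrusted
      fi ;;
  esac

  # Privileged jobs (sonarcloud, codecov, codeql) only for trusted sources.
  if [ "$is_fork_pr" = false ]; then
    run_privileged=true
    key_file=release.snk                 # placeholder: key only present in trusted runs
    switches='-p:SignAssembly=true'      # placeholder MSBuild switches
  else
    run_privileged=false
    key_file=development.snk             # placeholder: non-secret key in the checkout
    switches='-p:SignAssembly=false'
  fi

  {
    printf 'is-fork-pr=%s\n' "$is_fork_pr"
    printf 'run-privileged-jobs=%s\n' "$run_privileged"
    printf 'strong-name-key-filename=%s\n' "$key_file"
    printf 'build-switches=%s\n' "$switches"
  } >>"$out"
}

# read_output OUTPUT_FILE KEY
#   Prints the last value written for KEY (GitHub keeps the last write).
read_output() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# should_run_privileged OUTPUT_FILE
#   Mirrors the job-level gate added by the PR:
#     if: ${{ needs.init.outputs.run-privileged-jobs == 'true' }}
#   Job outputs are strings, so only the exact string "true" passes; an
#   empty or missing value (init failed) skips the privileged job.
should_run_privileged() {
  [ "$(read_output "$1" run-privileged-jobs)" = true ]
}
```

In a workflow the function would sit in a step with `id: vars`, invoked as `compute_init_vars "$EVENT_NAME" "$BASE_REPO" "$HEAD_REPO" "$GITHUB_OUTPUT"` with the three event values passed through `env:` rather than expanded inline with `${{ }}`, so that nothing attacker-influenced is spliced into the script text. `should_run_privileged` exists only to show why the comparison must be against the literal string `true`: a missing or differently spelled value skips the job, which is the fail-closed behaviour one wants in front of a secret.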
@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@qodo-code-review

Review Summary by Qodo

Add fork detection and privileged job control to CI pipeline

✨ Enhancement


Walkthroughs

Description
• Add init job to centralize workflow variable calculation
• Detect fork PRs and conditionally run privileged jobs
• Use dynamic build switches based on fork status
• Update all job dependencies to include init job
Diagram
flowchart LR
  init["init job<br/>Calculate variables"]
  build["build job"]
  pack["pack job"]
  test_linux["test_linux job"]
  test_windows["test_windows job"]
  sonarcloud["sonarcloud job<br/>Privileged"]
  codecov["codecov job<br/>Privileged"]
  codeql["codeql job<br/>Privileged"]
  
  init -- "is-fork-pr<br/>run-privileged-jobs<br/>build-switches" --> build
  init --> pack
  init --> test_linux
  init --> test_windows
  init --> sonarcloud
  init --> codecov
  init --> codeql
  build --> pack
  build --> test_linux
  build --> test_windows
  test_linux --> sonarcloud
  test_windows --> sonarcloud
  test_linux --> codecov
  test_windows --> codecov
  test_linux --> codeql
  test_windows --> codeql


File Changes

1. .github/workflows/ci-pipeline.yml ✨ Enhancement +41/-10

Implement fork detection and privileged job gating

• Added new init job that detects fork PRs and calculates workflow variables
• Outputs is-fork-pr, run-privileged-jobs, strong-name-key-filename, and build-switches based on PR source
• Updated build job to use dynamic strong-name-key-filename and build-switches from init outputs
• Added init as dependency for all jobs (pack, test_linux, test_windows, sonarcloud, codecov, codeql)
• Added conditional if statements to privileged jobs (sonarcloud, codecov, codeql) to only run when run-privileged-jobs is true
• Removed hardcoded comments and fixed formatting inconsistencies


@qodo-code-review

qodo-code-review bot commented Apr 14, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review



Copilot AI left a comment


Pull request overview

This PR updates the GitHub Actions CI workflow to better support pull requests from forks by centralizing workflow variable calculation in a dedicated init job and gating privileged jobs (that typically rely on secrets) so they only run for trusted (non-fork) PRs.

Changes:

  • Added an init job that computes fork/privileged-job flags and build-related variables and exposes them as job outputs.
  • Updated build, pack, and test jobs to depend on init and consume its outputs for consistent configuration.
  • Restricted privileged jobs (sonarcloud, codecov, codeql) to only run when init indicates privileged jobs are allowed.

Comment on lines +129 to +131
if: ${{ needs.init.outputs.run-privileged-jobs == 'true' }}
name: call-codeql
needs: [build,test_linux,test_windows]
needs: [init, build, test_linux, test_windows]
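Review bot: the `if:` on the first line is valid as written; GitHub Actions expression property names may contain hyphens (a name must start with a letter or underscore and may then contain letters, digits, `-` or `_`), so `needs.init.outputs.run-privileged-jobs` resolves without bracket notation or a rename, and the 23 passing checks on this PR show the workflow file parsed. Comparing against the string `'true'` is also the right shape, because job outputs are always strings. For this job the gate's practical effect on a fork PR is to skip the CodeQL results upload, which needs `security-events: write` that the read-only `GITHUB_TOKEN` of a fork `pull_request` run does not carry; unlike sonarcloud and codecov, no repository secret is involved.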

Copilot AI Apr 14, 2026


The job-level condition uses needs.init.outputs.run-privileged-jobs, but output names containing hyphens cannot be accessed via dot-notation in GitHub Actions expressions. Use bracket notation for this output key or rename it (and update all references).

Comment on lines +24 to +28
outputs:
is-fork-pr: ${{ steps.vars.outputs.is-fork-pr }}
run-privileged-jobs: ${{ steps.vars.outputs.run-privileged-jobs }}
strong-name-key-filename: ${{ steps.vars.outputs.strong-name-key-filename }}
build-switches: ${{ steps.vars.outputs.build-switches }}
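Review bot: these lines only relay `steps.vars.outputs.*`; the step with `id: vars` that produces them is outside the hunk, so the fork test itself cannot be reviewed here. Whatever that step compares (typically `github.event.pull_request.head.repo.full_name` against `github.repository`, treating a missing head repository as untrusted), it should write the values with `echo "is-fork-pr=$IS_FORK" >> "$GITHUB_OUTPUT"` and emit plain `true`/`false`, because consumers test `needs.init.outputs.run-privileged-jobs == 'true'` literally and any other spelling would silently skip every privileged job.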

Copilot AI Apr 14, 2026


The job outputs use names with hyphens (e.g., is-fork-pr, run-privileged-jobs). In GitHub Actions expressions, dot-notation property access does not support hyphens, so steps.vars.outputs.is-fork-pr / steps.vars.outputs.run-privileged-jobs will not evaluate correctly. Rename these outputs to use underscores (e.g., is_fork_pr) or access them via bracket notation (e.g., steps.vars.outputs['is-fork-pr']) consistently.

Comment on lines +56 to +57
strong-name-key-filename: ${{ needs.init.outputs.strong-name-key-filename }}
build-switches: ${{ needs.init.outputs.build-switches }}
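Review bot: `build-switches` is a job output that ends up on a build command line; if the build job expands it inside a `run:` step as `${{ needs.init.outputs.build-switches }}`, the text is substituted before the shell parses the command, so init must derive it only from workflow-controlled facts (fork or not, as this PR does) and never from PR-supplied fields such as the head ref or title. Passing it through `env:` and quoting `"$BUILD_SWITCHES"` in the script removes that class of problem entirely. The same applies to `strong-name-key-filename`; and since the build job still runs for fork PRs, the filename selected on that branch has to be a file present in the checkout without any secret.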

Copilot AI Apr 14, 2026


needs.init.outputs.strong-name-key-filename and needs.init.outputs.build-switches use dot-notation to access output names containing hyphens. This will be parsed incorrectly in GitHub Actions expressions. Use bracket notation (e.g., needs.init.outputs['strong-name-key-filename']) or rename the init outputs to not include hyphens and update all references.

Comment on lines +109 to +111
if: ${{ needs.init.outputs.run-privileged-jobs == 'true' }}
name: call-sonarcloud
needs: [build,test_linux,test_windows]
needs: [init, build, test_linux, test_windows]
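Review bot: this gate fails closed; if `init` fails or emits anything but the exact string `true`, the job is skipped rather than run, which is the right default for a job that needs a SonarCloud token. On a fork `pull_request` GitHub already withholds repository secrets, so the `if:` turns what would have been a failed token lookup into a clean skip. Should the trigger ever be switched to `pull_request_target`, secrets would become available to the run and this condition would be the only barrier, so the init derivation must rest solely on the head-repository comparison and not on anything the PR author can edit.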

Copilot AI Apr 14, 2026


The job-level condition uses needs.init.outputs.run-privileged-jobs, but run-privileged-jobs contains hyphens and cannot be accessed via dot-notation in GitHub Actions expressions. Use bracket notation (e.g., needs.init.outputs['run-privileged-jobs'] == 'true') or rename the output key and update all if: conditions accordingly.

Comment on lines +120 to +122
if: ${{ needs.init.outputs.run-privileged-jobs == 'true' }}
name: call-codecov
needs: [build,test_linux,test_windows]
needs: [init, build, test_linux, test_windows]

Copilot AI Apr 14, 2026


The job-level condition uses needs.init.outputs.run-privileged-jobs, but output names containing hyphens cannot be accessed via dot-notation in GitHub Actions expressions. Use bracket notation for this output key or rename it (and update all references).

@codecov

codecov bot commented Apr 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.33%. Comparing base (d951e64) to head (52e6f4e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #25   +/-   ##
=======================================
  Coverage   83.33%   83.33%           
=======================================
  Files          19       19           
  Lines         666      666           
  Branches       51       51           
=======================================
  Hits          555      555           
  Misses        110      110           
  Partials        1        1           


@sonarqubecloud

@gimlichael gimlichael merged commit d47a90f into main Apr 14, 2026
23 checks passed
@gimlichael gimlichael deleted the v10.y.z/fork-support branch April 14, 2026 15:41