ci: Comprehensive GitHub Actions improvements #13813
HTRamsey wants to merge 1 commit into mavlink:master from
Conversation
Pull request overview
This is a comprehensive GitHub Actions infrastructure overhaul focused on security, performance, and maintainability improvements for the QGroundControl CI/CD pipeline.
Key Changes:
- Security: AWS OIDC authentication, SBOM attestations, harden-runner, CodeQL/zizmor scanning, action version standardization (@v6)
- Performance: CPM package lock caching (cache only on dependency changes), ARM64 ccache support, GStreamer workflow consolidation (614→98 lines), retry wrappers for network failures
- New Capabilities: GStreamer build-from-source workflows for all platforms, performance metrics tracking, MAVLink benchmarks, JUnit XML test output with GitHub annotations
Reviewed changes
Copilot reviewed 64 out of 65 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tools/setup/read-config.sh | Added --github-output mode for CI integration |
| tools/setup/install-python.sh | New unified Python environment setup with uv support |
| tools/setup/install-qt-*.{sh,ps1} | Skip reinstallation if aqtinstall exists (venv optimization) |
| tools/setup/install-dependencies-windows.ps1 | ARM64 GStreamer support via ZIP archives |
| tools/setup/gstreamer/build-gstreamer-*.{sh,ps1} | New cross-platform GStreamer build scripts |
| package-lock.cmake | CPM dependency lock file for stable caching |
| cmake/presets/*.json | Consolidated presets, downgraded version 6→5, added ARM64 variants |
| test/**/UnitTest.* | JUnit XML output support |
| test/MAVLink/MAVLinkBenchmark.* | New MAVLink performance benchmarks |
| src/pch.h | Optimized precompiled headers |
| .github/workflows/*.yml | Security hardening, performance tracking, consolidation |
| .github/actions/build-setup/ | New composite action consolidating setup steps |
| .github/actions/gstreamer/ | Comprehensive GStreamer build action |
| .github/actions/cache/ | ARM64 ccache, CPM lock-based caching |
| .github/actions/aws-upload/ | OIDC authentication support |
| tools/README.md | Condensed documentation |
| .pre-commit-config.yaml | Added zizmor security scanning |
| @@ -1,37 +1,25 @@ | |||
| { | |||
| "version": 6, | |||
| "version": 5, | |||
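Review bot: the move to `"version": 5` is not forced by the minimum CMake version: preset schema version 6 was introduced with CMake 3.25, the same release named as `cmakeMinimumRequired` in the comment below, so the presets could stay at 6. If a tool or IDE in use only parses version 5, say so in the commit message or in a comment beside the version field, and confirm that nothing else in the 37→25 line rewrite (only the version line is visible here) relied on a version 6 field.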
Downgrading CMake presets from version 6 to version 5 may lose features. CMake 3.25 (specified in cmakeMinimumRequired) supports preset version 5, but newer CMake versions support version 6 with additional features. Verify that no version 6-specific features are needed, or document why the downgrade is necessary.
.github/actions/cache/action.yml
Outdated
| key: ${{ github.workflow }}-cpm-modules-${{ hashFiles('**/CMakeLists.txt', '**/*.cmake') }} | ||
| restore-keys: ${{ github.workflow }}-cpm-modules- | ||
| key: ${{ github.workflow }}-cpm-${{ hashFiles('package-lock.cmake') }} | ||
| restore-keys: ${{ github.workflow }}-cpm- |
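Review bot: `hashFiles('package-lock.cmake')` returns an empty string when the file does not exist, so on a checkout without the lock file the `key` collapses to `${{ github.workflow }}-cpm-`, which is exactly the `restore-keys` prefix; a cache saved under that degenerate key would then be restored on every run and silently mask the missing lock file, whereas the old key hashed `**/CMakeLists.txt` and could never be empty. Add a step before the cache step that fails when `package-lock.cmake` is absent, or keep a second hashed input in the key so it cannot be empty.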
The cache key now depends only on package-lock.cmake instead of all CMakeLists.txt and .cmake files. This is a significant improvement for cache hit rates, but ensure that the CPM lock file is properly updated when dependencies change. Consider adding a CI check or pre-commit hook to verify package-lock.cmake is in sync with dependency declarations.
| wait-for-builds: | ||
| name: Wait for Platform Builds | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| outputs: | ||
| new_release: ${{ steps.release.outputs.new_release }} | ||
| version: ${{ steps.release.outputs.version }} | ||
| timeout-minutes: 180 | ||
|
|
||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@v2 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 'lts/*' | ||
|
|
||
| - name: Run semantic-release | ||
| id: release | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| ./tools/release.sh --install | ||
|
|
||
| # Capture semantic-release output | ||
| set +e | ||
| OUTPUT=$(./tools/release.sh --run 2>&1) | ||
| EXIT_CODE=$? | ||
| echo "$OUTPUT" | ||
| set -e | ||
|
|
||
| # Check if a new release was created | ||
| if echo "$OUTPUT" | grep -q "Published release"; then | ||
| VERSION=$(printf '%s\n' "$OUTPUT" | sed -n 's/.*Published release \([0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p' | head -n1) | ||
| echo "new_release=true" >> $GITHUB_OUTPUT | ||
| echo "version=$VERSION" >> $GITHUB_OUTPUT | ||
| echo "New release: v$VERSION" | ||
| else | ||
| echo "new_release=false" >> $GITHUB_OUTPUT | ||
| echo "No new release" | ||
| fi | ||
|
|
||
| wait-for-builds: | ||
| name: Wait for Platform Builds | ||
| needs: semantic-release | ||
| if: needs.semantic-release.outputs.new_release == 'true' | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 180 | ||
|
|
||
| steps: | ||
| - name: Wait for builds to complete | ||
| uses: int128/wait-for-workflows-action@v1 | ||
| with: |
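Review bot: in the `Run semantic-release` step, `EXIT_CODE=$?` is captured after `./tools/release.sh --run` but never examined, so a run that fails for any reason other than "nothing to release" (bad token, network error) prints no `Published release` line, writes `new_release=false` and lets the job pass green. After `set -e`, add `if [ "$EXIT_CODE" -ne 0 ]; then exit "$EXIT_CODE"; fi` so real failures still fail the job, and quote `"$GITHUB_OUTPUT"` in the `>>` redirections. The visible `wait-for-builds` job does already carry `if: needs.semantic-release.outputs.new_release == 'true'`, so it is gated on that output.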
The release workflow no longer validates that semantic-release created a new release before waiting for builds. This means the workflow will wait for builds even if no release was created. Consider adding a check to skip the wait-for-builds step if the tag doesn't trigger any platform builds, or document that this is intentional for manual tag pushes.
8343711 to 79e6cdf
4188458 to 2ce72c7
Summary
Major CI/CD infrastructure improvements focused on security, performance, and maintainability.
Security Hardening
Performance Optimization
New Capabilities
Consolidation
Documentation
Test Plan
Migration Notes
- AWS OIDC (optional): Once AWS IAM role is configured, add `AWS_ROLE_ARN` secret. Current static credentials continue working.
- CPM lock update: Run `cmake --build build --target cpm-update-package-lock` when dependencies change.