👻 fixing the actions for real this time

[shawn-hurley]

Summary by CodeRabbit

• Chores
  • Updated internal build pipeline configuration to improve workflow coordination and image tagging logic across multiple build jobs.
  • Enhanced repository settings to exclude sensitive files from version control.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The pull request reconfigures GitHub Actions workflows to centralize tag computation. A new tag output is added to the compute-deps-refs job, which downstream jobs (generic-external-provider-build and analyzer-windows-build) now depend on and consume. Additionally, java-provider-image-build switches from using direct event references to client payload references for tag determination, and .gitignore adds an entry to exclude .secrets files.

Changes

Cohort / File(s)	Summary
GitHub Actions workflow dependencies and outputs .github/workflows/image-build.yaml	Added new tag output to compute-deps-refs job that computes TAG from branch reference with "latest" default. Updated generic-external-provider-build and analyzer-windows-build to depend on compute-deps-refs and use needs.compute-deps-refs.outputs.tag for image tagging and build arguments. Removed pre_build_cmd from matrix usage.
Event reference changes .github/workflows/java-provider-image-build.yaml	Replaced github.event.ref with github.event.client_payload.ref for determining image tags. Uses needs.compute-deps-refs.outputs.java-bundle-tag for extra-args.
Git ignore configuration .gitignore	Added comment header and ignore entry for .secrets file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Attention areas:
  • Verify that the tag output computation logic in compute-deps-refs correctly handles branch references and defaults
  • Confirm that downstream jobs properly receive and use the tag from needs.compute-deps-refs.outputs.tag
  • Validate the shift from github.event.ref to github.event.client_payload.ref doesn't break existing trigger behavior

Possibly related PRs

• konveyor/analyzer-lsp#1022: Modifies the same workflows (java-provider-image-build.yaml) and compute-deps-refs job to change how image tags and java_bundle_tag are computed and propagated.

Suggested reviewers

• jmle
• pranavgaikwad
• aufi

Poem

🐰 The workflows now speak in unified tongue,
Tags flow from a single source, cleanly sprung!
Dependencies map with clarity divine,
Each builder knows where to find the line—
Config harmonized, our pipelines aligned! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title is vague and non-descriptive, using informal language ('for real this time') that doesn't convey meaningful information about the actual changes made to the GitHub workflows.	Revise the title to clearly describe the main changes, such as 'Refactor GitHub Actions workflows to use computed dependency tags' or 'Fix image build workflow to reference computed tags from compute-deps-refs job'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/image-build.yaml (1)

17-17: Consider removing the unused tag environment variable.

The tag environment variable defined at line 17 appears to be unused; the new compute-deps-refs job output has replaced its role. Removing it would clarify that tag computation is now centralized. As a note: the bash string substitution on line 29 uses GITHUB_REF_NAME rather than github.ref, which could unexpectedly substitute "main" within branch names like "main-dev" (though this is unlikely in practice and maintains consistency with the old approach).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4e7bdd and adfdc3e.

📒 Files selected for processing (3)

• .github/workflows/image-build.yaml (3 hunks)
• .github/workflows/java-provider-image-build.yaml (2 hunks)
• .gitignore (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-10-22T21:43:47.223Z

Learnt from: jmle
Repo: konveyor/analyzer-lsp PR: 934
File: .github/workflows/image-build.yaml:64-64
Timestamp: 2025-10-22T21:43:47.223Z
Learning: In .github/workflows/image-build.yaml, using ${{ matrix.images.extra-args }} is valid: GitHub Actions allows hyphenated keys with dot notation, there is no '-' operator, and missing properties evaluate to an empty string (no fallback needed).

Applied to files:

• .github/workflows/image-build.yaml

📚 Learning: 2025-12-02T02:57:09.802Z

Learnt from: tsanders-rh
Repo: konveyor/analyzer-lsp PR: 1004
File: external-providers/java-external-provider/go.mod:49-50
Timestamp: 2025-12-02T02:57:09.802Z
Learning: In the konveyor/analyzer-lsp monorepo, all external providers (java-external-provider, dotnet-external-provider, generic-external-provider) include a `replace github.com/konveyor/analyzer-lsp => ../../` (or `../..`) directive in their go.mod files. This replace directive is the established pattern for local development within the monorepo and allows providers to reference the local analyzer-lsp module. When providers are built outside the repository, the versioned dependency declared in the require block is used instead.

Applied to files:

• .github/workflows/image-build.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: build-all-providers (generic, generic-provider, external-providers/generic-external-provider/Dock...
• GitHub Check: build-all-providers (c-sharp, c-sharp-provider, Dockerfile, konveyor/c-sharp-analyzer-provider, f...
• GitHub Check: build-all-providers (yq, yq-provider, external-providers/yq-external-provider/Dockerfile, true)
• GitHub Check: build-all-providers (java, java-provider, external-providers/java-external-provider/Dockerfile, J...
• GitHub Check: test (ubuntu-latest, linux, amd64)
• GitHub Check: test (macos-latest, darwin, arm64)
• GitHub Check: test (ubuntu-latest, linux, arm64)
• GitHub Check: test (macos-latest, darwin, amd64)
• GitHub Check: test (windows-latest, windows, amd64)
• GitHub Check: benchmark (macos-latest, mac)
• GitHub Check: benchmark (ubuntu-latest, linux)
• GitHub Check: benchmark (windows-latest, windows)

🔇 Additional comments (4)

.gitignore (1)

37-39: LGTM!

Adding .secrets for Act integration is a standard practice. No concerns.

.github/workflows/image-build.yaml (2)

20-31: Centralized tag computation via compute-deps-refs output looks good.

The new tag output complements the existing java-bundle-tag output, and downstream jobs now reference needs.compute-deps-refs.outputs.tag instead of local environment variables, which improves consistency and clarity.

---

72-90: Dependency graph correctly updated for downstream jobs.

Both generic-external-provider-build and analyzer-windows-build now depend on compute-deps-refs to access the centralized tag output. The job ordering ensures the computed tag is available before downstream use.

.github/workflows/java-provider-image-build.yaml (1)

16-17: Verify that rebuild-java-provider dispatchers provide required client_payload fields.

This workflow switched from github.event.ref to github.event.client_payload.ref and github.event.client_payload.ref_name. Repository dispatch events require callers to explicitly include these fields in the client-payload JSON. If upstream dispatchers omit client_payload.ref or client_payload.ref_name, the tag determination silently falls back to "latest" (line 17), masking dispatcher errors.

Verify:

1. All workflows triggering the rebuild-java-provider event include client_payload.ref and client_payload.ref_name in their dispatch payload
2. The ref field format matches expectations (e.g., refs/heads/main vs branch name only)
3. Line 29's use of client_payload.ref receives valid values from all callers