Skip to content

chore: normalize GitHub Actions triggers#128

Merged
MusaMisto merged 1 commit into
mainfrom
chore/remove-pr-triggers-add-dispatch-main
Jul 9, 2026
Merged

chore: normalize GitHub Actions triggers#128
MusaMisto merged 1 commit into
mainfrom
chore/remove-pr-triggers-add-dispatch-main

Conversation

@MusaMisto

Copy link
Copy Markdown
Member

Normalizes GitHub Actions workflow triggers on main.

Changes:

  • removes pull / pull_request / pull_request_target triggers;
  • ensures workflow_dispatch: exists;
  • preserves existing push configuration, including push.branches.

This intentionally does not alter deployment environments, jobs, steps, or push branch lists.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

What changed:

  • Normalized several GitHub Actions workflows by adding workflow_dispatch to make them manually runnable.
  • Kept existing workflow_call/push behavior intact where present; changes are mostly YAML reflow/formatting of descriptions, expressions, and env wiring.
  • No job logic, deploy steps, branch filters, or artifact/signing behavior was changed.

Risk level: risk:low

Security-sensitive areas touched:

  • CI/CD and release workflows only.
  • Secret/credential wiring in workflows for Google Play, App Store Connect, Helm deployments, and Cloudflare-related actions.
  • No secret values changed, but these paths should be reviewed carefully because they control release/deploy access.

Test coverage impact:

  • No code/test coverage impact.
  • Validation is limited to workflow syntax/behavior review; no runtime changes expected beyond manual dispatch availability.

Deployment / rollback / operational concerns:

  • Main operational change is manual triggering of workflows via GitHub UI/API.
  • No migration required.
  • Rollback is straightforward: revert the workflow YAML changes.
  • Since release/deploy workflows now accept manual dispatch, operators should ensure permissions and runbooks reflect the new invocation path.

Walkthrough

Ten reusable GitHub Actions workflow files are updated to add workflow_dispatch triggers alongside existing workflow_call interfaces, enabling manual execution. All other changes are formatting-only: input/secret descriptions, step names, cache keys, if: conditions, and env/with: expressions are reflowed across multiple lines with no change to underlying logic, defaults, types, or secret references.

Changes

Workflow trigger and formatting updates

Layer / File(s) Summary
Android build workflow
.github/workflows/android-build.yml
Adds workflow_dispatch; reflows input descriptions, setup-node/jetifier env wiring, and Google Play upload inputs.
Flutter Android build workflow
.github/workflows/flutter-android-build.yml
Adds workflow_dispatch; reflows descriptions, install step name, artifact path, and release env/upload wiring.
Flutter iOS build workflow
.github/workflows/flutter-ios-build.yml
Adds workflow_dispatch; reflows descriptions, cache key, artifact path, and App Store key env wiring.
iOS build workflow
.github/workflows/ios-build.yml
Removes a stray leading character; adds workflow_dispatch; reflows numerous descriptions and cache/env expressions.
Generic chart Helm workflow
.github/workflows/generic-chart-helm.yml
Adds workflow_dispatch; reflows descriptions and job if-conditions/with-expressions.
Generic gateway Helm workflow
.github/workflows/generic-gateway-helm-template.yml
Adds workflow_dispatch; reflows descriptions and nuget/build/gateway-onboard conditions.
Helm deploy values workflow
.github/workflows/helm-deploy-values.yml
Adds workflow_dispatch; reflows several input descriptions.
Next.js Cloudflare Worker workflow
.github/workflows/next-cloudflare-worker.yaml
Adds workflow_dispatch; reflows descriptions, cache key, route expression, and summary title.
Reusable service CI/CD workflow
.github/workflows/reusable-service-cicd.yml
Adds workflow_dispatch; reflows numerous descriptions and nuget/gateway/deploy/tag conditions.
Vite Cloudflare Worker workflow
.github/workflows/vite-cloudflare-worker.yml
Reflows install_args and Cloudflare secret descriptions.

Estimated code review effort: 2 (Simple) | ~15 minutes

Possibly related PRs

  • simplify9/.github#24: Builds on the same helm-deploy-values.yml reusable workflow now updated with workflow_dispatch.
  • simplify9/.github#57: Introduced generic-gateway-helm-template.yml, which this PR extends with workflow_dispatch and reflow.
  • simplify9/.github#90: Introduced the Android Google Play upload flow whose inputs are reflowed here.

Suggested labels: infra, risk:high

Suggested reviewers: omarghatasheh, samerzughul

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and matches the main workflow trigger change in the changeset.
Description check ✅ Passed The description is related to the workflow trigger updates and formatting changes, though some details are broader than the diff.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/android-build.yml (1)

250-258: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Missing concurrency: block on the build job.

The release_with_environment job also lacks concurrency controls. The companion flutter-android-build.yml has concurrency: on both jobs (lines 216–218, 600–602). Without it, concurrent pushes or manual dispatches to the same ref run in parallel, wasting runner minutes and potentially corrupting shared Gradle caches.

🔒 Suggested addition
   build:
     name: Build
     runs-on: ${{ inputs.ubuntu-runner }}
+    concurrency:
+      group: ${{ github.workflow }}-android-build-${{ github.ref }}
+      cancel-in-progress: true
     env:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/android-build.yml around lines 250 - 258, The build
workflow jobs are missing concurrency control, so concurrent runs on the same
ref can overlap and interfere with shared caches. Add a concurrency block to
both the build job and the release_with_environment job in the Android workflow,
matching the pattern already used in flutter-android-build.yml; use the job
names and ref-based grouping consistently so only one run per ref proceeds at a
time, with in-progress cancellation enabled as appropriate.

Source: Linters/SAST tools

.github/workflows/ios-build.yml (1)

311-311: 🚀 Performance & Scalability | 🟠 Major | ⚡ Quick win

Add a concurrency block to the build job.

The build job runs on macOS (expensive runners) and has no concurrency limit. With workflow_dispatch now enabled, overlapping manual runs waste macOS minutes. The flutter-ios-build.yml workflow already has concurrency on both its build and release jobs — this file should be consistent. zizmor also flagged this (lines 57-306).

🔒️ Suggested concurrency block
   build:
     name: Build
     runs-on: ${{ inputs.macos-runner }}
+    concurrency:
+      group: ${{ github.workflow }}-ios-build-${{ github.ref }}
+      cancel-in-progress: true
     outputs:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ios-build.yml at line 311, Add a concurrency block to the
build job in the iOS workflow so overlapping runs are cancelled/serialized like
in flutter-ios-build.yml. Update the build job definition to include job-level
concurrency, using the build job identifier and a workflow-specific group key so
manual workflow_dispatch runs don’t consume multiple macOS runners at once.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/android-build.yml:
- Line 245: The manual trigger in the android build workflow is missing
workflow_dispatch inputs, so jobs like the build and publish steps will see
empty inputs.* values instead of the defaults used by workflow_call. Mirror the
existing workflow_call input definitions under workflow_dispatch.inputs in the
same workflow configuration so manual runs expose the same parameters and
defaults, and make sure the jobs that reference inputs.app-id,
inputs.version-prefix, inputs.play-track, and inputs.gradle-task continue to
receive valid values.

In @.github/workflows/flutter-android-build.yml:
- Line 208: The workflow_dispatch trigger in the flutter-android-build workflow
is missing inputs, so manual runs won’t populate values used by jobs like
app-id, flutter-version, version-prefix, and play-track. Add a
workflow_dispatch.inputs block that mirrors the existing workflow_call.inputs in
this workflow, or add a guard in the relevant job definitions to skip execution
when required inputs are empty.

In @.github/workflows/flutter-ios-build.yml:
- Line 187: The flutter iOS build workflow now supports workflow_dispatch, so
add a top-level permissions block to the workflow with least-privilege access
instead of relying on default token scopes. Update the workflow definition to
explicitly set the minimum needed permissions, using the existing job steps
(such as checkout and TestFlight upload) to confirm that read-only repository
access is sufficient.

In @.github/workflows/ios-build.yml:
- Line 306: The iOS workflow now supports manual dispatch, but it lacks an
explicit top-level permissions block and may inherit broader default token
access. Add a least-privilege permissions section to the workflow in
ios-build.yml, aligned with the workflow’s actual needs, and keep the change
near the workflow_dispatch configuration so the security intent is clear.

In @.github/workflows/next-cloudflare-worker.yaml:
- Around line 106-113: The workflow is missing the same input definitions under
workflow_dispatch.inputs that are already declared in workflow_call.inputs.
Mirror the full inputs block in the workflow_dispatch section, including
project_name, environment, cloudflare_api_token, and cloudflare_account_id, so
the reusable workflow and manual dispatch resolve the same values. Use the
existing workflow_call.inputs block as the source of truth and ensure the
dispatch trigger references the same input names throughout the deploy job and
concurrency key.

In @.github/workflows/reusable-service-cicd.yml:
- Line 495: The manual trigger is defined without any inputs, so
`workflow_dispatch` runs hit the `chart-name` validation with an empty value and
fail. Update the reusable workflow’s `workflow_dispatch` block to declare the
same required input(s) used by the validation, especially `chart-name`, or
remove the manual trigger if it is not intended. Keep the trigger and the
validation in sync so the workflow entrypoint can be used safely.

In @.github/workflows/vite-cloudflare-worker.yml:
- Around line 103-110: The manual trigger is missing the same inputs that
jobs.deploy already consumes, so workflow_dispatch should mirror the
workflow_call inputs. Add the full inputs block under workflow_dispatch using
the same names, types, defaults, and descriptions for project_name, environment,
route, and the other existing inputs so manual runs resolve inputs.* correctly.
Keep the definitions aligned with the current workflow_call.inputs section to
avoid empty-string deployments.

---

Outside diff comments:
In @.github/workflows/android-build.yml:
- Around line 250-258: The build workflow jobs are missing concurrency control,
so concurrent runs on the same ref can overlap and interfere with shared caches.
Add a concurrency block to both the build job and the release_with_environment
job in the Android workflow, matching the pattern already used in
flutter-android-build.yml; use the job names and ref-based grouping consistently
so only one run per ref proceeds at a time, with in-progress cancellation
enabled as appropriate.

In @.github/workflows/ios-build.yml:
- Line 311: Add a concurrency block to the build job in the iOS workflow so
overlapping runs are cancelled/serialized like in flutter-ios-build.yml. Update
the build job definition to include job-level concurrency, using the build job
identifier and a workflow-specific group key so manual workflow_dispatch runs
don’t consume multiple macOS runners at once.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: simplify9/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: dca97950-3dce-4f7f-a748-f152c08f4b05

📥 Commits

Reviewing files that changed from the base of the PR and between 086c343 and 574edf9.

📒 Files selected for processing (10)
  • .github/workflows/android-build.yml
  • .github/workflows/flutter-android-build.yml
  • .github/workflows/flutter-ios-build.yml
  • .github/workflows/generic-chart-helm.yml
  • .github/workflows/generic-gateway-helm-template.yml
  • .github/workflows/helm-deploy-values.yml
  • .github/workflows/ios-build.yml
  • .github/workflows/next-cloudflare-worker.yaml
  • .github/workflows/reusable-service-cicd.yml
  • .github/workflows/vite-cloudflare-worker.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: Treat GitHub Actions changes as supply-chain sensitive.

Check for:

  • Overbroad permissions
  • Missing explicit permissions blocks
  • Unpinned third-party actions
  • Unsafe pull_request_target usage
  • Secret exposure
  • Shell injection risks
  • Untrusted input used in scripts
  • Dangerous artifact upload/download behavior
  • Missing least-privilege permissions

Files:

  • .github/workflows/vite-cloudflare-worker.yml
  • .github/workflows/next-cloudflare-worker.yaml
  • .github/workflows/helm-deploy-values.yml
  • .github/workflows/flutter-android-build.yml
  • .github/workflows/android-build.yml
  • .github/workflows/generic-chart-helm.yml
  • .github/workflows/ios-build.yml
  • .github/workflows/reusable-service-cicd.yml
  • .github/workflows/generic-gateway-helm-template.yml
  • .github/workflows/flutter-ios-build.yml
🪛 zizmor (1.26.1)
.github/workflows/android-build.yml

[warning] 56-245: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

.github/workflows/ios-build.yml

[warning] 57-306: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🔇 Additional comments (14)
.github/workflows/reusable-service-cicd.yml (1)

249-250: LGTM!

Also applies to: 293-301, 323-326, 341-367, 387-410, 457-475, 589-590, 616-617, 927-928, 974-975, 1079-1080, 1180-1181, 1298-1299, 1310-1311, 1471-1472, 1512-1513

.github/workflows/android-build.yml (2)

93-206: LGTM!

Also applies to: 440-441, 453-454, 467-468, 477-478, 568-568, 769-770, 782-790


245-245: 🔒 Security & Privacy

No missing permissions block here
permissions: is already set at the workflow root to contents: read, so this workflow does not inherit the repository default token scope.

			> Likely an incorrect or invalid review comment.
.github/workflows/flutter-android-build.yml (2)

91-194: LGTM!

Also applies to: 280-281, 537-538, 651-652, 664-665


208-208: 🔒 Security & Privacy

No permissions block is missing .github/workflows/flutter-android-build.yml already declares permissions: contents: read.

			> Likely an incorrect or invalid review comment.
.github/workflows/generic-chart-helm.yml (1)

83-96: LGTM!

Also applies to: 131-132, 159-172, 207-208, 234-234, 337-338, 383-384, 412-413, 443-444, 564-565, 580-581, 667-668

.github/workflows/generic-gateway-helm-template.yml (1)

173-174: LGTM!

Also applies to: 367-380, 436-436, 533-534, 581-582, 612-613, 640-641, 707-708, 726-727, 738-743, 752-753, 841-842

.github/workflows/helm-deploy-values.yml (1)

48-49: LGTM!

Also applies to: 86-94, 108-109, 121-122, 152-160, 195-195

.github/workflows/next-cloudflare-worker.yaml (1)

58-60: LGTM!

Also applies to: 70-71, 81-82, 248-250, 301-302, 348-349

.github/workflows/vite-cloudflare-worker.yml (1)

53-55: LGTM!

.github/workflows/flutter-ios-build.yml (2)

187-187: 🩺 Stability & Availability

Verify workflow_dispatch can access workflow_call inputs.

workflow_dispatch: is added without its own inputs block. All inputs are defined under workflow_call. When triggered manually, confirm that workflow_call input defaults are still available as inputs.* — otherwise required inputs like macos-runner will be empty and the build will fail.


38-39: LGTM!

Also applies to: 67-74, 95-96, 111-118, 139-140, 161-162, 171-178, 240-241, 274-276, 514-515, 632-633, 654-655

.github/workflows/ios-build.yml (2)

306-306: 🩺 Stability & Availability

Verify workflow_dispatch can access workflow_call inputs.

workflow_dispatch: is added without its own inputs block. All inputs are defined under workflow_call. When triggered manually, confirm that workflow_call input defaults are still available as inputs.* — otherwise required inputs will be empty and the build will fail.


1-1: LGTM!

Also applies to: 78-85, 95-103, 123-124, 159-160, 192-193, 202-203, 220-221, 230-231, 247-254, 264-265, 291-292, 363-364, 486-494, 578-579, 591-592

description: Output AAB file uploaded and released
value: ${{ jobs.build.outputs.aab-file }}

workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

workflow_dispatch: added without inputs: — manual runs will have empty inputs.*.

The jobs reference inputs.app-id, inputs.version-prefix, inputs.play-track, inputs.gradle-task, and many others throughout. workflow_call input defaults do not apply to workflow_dispatch triggers — they are separate input namespaces. A manual dispatch will produce empty strings for all inputs.*, causing the build to fail or behave unexpectedly.

Either mirror the workflow_call inputs under workflow_dispatch.inputs (so manual runs get a UI with defaults), or add a guard that skips jobs when critical inputs are empty.

🔧 Proposed fix: add `workflow_dispatch.inputs` mirroring `workflow_call.inputs`
   workflow_dispatch:
+    inputs:
+      app-id:
+        description: Application ID (e.g. com.example.app)
+        required: true
+        type: string
+      version-prefix:
+        description: Base version for VERSION_NAME (X.Y or X.Y.Z)
+        required: false
+        type: string
+        default: "1.0.0"
+      # … mirror all other workflow_call inputs with same defaults
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 56-245: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/android-build.yml at line 245, The manual trigger in the
android build workflow is missing workflow_dispatch inputs, so jobs like the
build and publish steps will see empty inputs.* values instead of the defaults
used by workflow_call. Mirror the existing workflow_call input definitions under
workflow_dispatch.inputs in the same workflow configuration so manual runs
expose the same parameters and defaults, and make sure the jobs that reference
inputs.app-id, inputs.version-prefix, inputs.play-track, and inputs.gradle-task
continue to receive valid values.

description: Output AAB file name uploaded and released
value: ${{ jobs.build.outputs.aab-file }}

workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

workflow_dispatch: added without inputs: — manual runs will have empty inputs.*.

Same issue as android-build.yml: the jobs depend on inputs.app-id, inputs.flutter-version, inputs.version-prefix, inputs.play-track, and many others. workflow_call input defaults do not apply to workflow_dispatch triggers. Manual dispatch will run with all inputs empty, causing build failures or unexpected behavior.

Add workflow_dispatch.inputs mirroring workflow_call.inputs, or add a guard that skips jobs when critical inputs are empty.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/flutter-android-build.yml at line 208, The
workflow_dispatch trigger in the flutter-android-build workflow is missing
inputs, so manual runs won’t populate values used by jobs like app-id,
flutter-version, version-prefix, and play-track. Add a workflow_dispatch.inputs
block that mirrors the existing workflow_call.inputs in this workflow, or add a
guard in the relevant job definitions to skip execution when required inputs are
empty.

description: Output IPA file name uploaded and released
value: ${{ jobs.build.outputs.ipa-file }}

workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add an explicit permissions: block.

This workflow now has workflow_dispatch:, enabling direct manual triggering without a caller workflow that might scope token permissions. Without a top-level permissions: block, the workflow inherits default token permissions, which may be overly broad. Add a least-privilege block (e.g., contents: read is sufficient for checkout; the TestFlight upload uses secrets, not token scopes).

As per path instructions, check for "Missing explicit permissions blocks" and "Missing least-privilege permissions" in .github/workflows/** files.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/flutter-ios-build.yml at line 187, The flutter iOS build
workflow now supports workflow_dispatch, so add a top-level permissions block to
the workflow with least-privilege access instead of relying on default token
scopes. Update the workflow definition to explicitly set the minimum needed
permissions, using the existing job steps (such as checkout and TestFlight
upload) to confirm that read-only repository access is sufficient.

Source: Path instructions

description: IPA file name uploaded and released
value: ${{ jobs.build.outputs.ipa-file }}

workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add an explicit permissions: block.

Same concern as flutter-ios-build.yml: adding workflow_dispatch: enables direct manual triggering. Without a top-level permissions: block, the workflow inherits potentially broad default token permissions. Add a least-privilege block appropriate for the workflow's needs.

As per path instructions, check for "Missing explicit permissions blocks" and "Missing least-privilege permissions" in .github/workflows/** files.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 57-306: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ios-build.yml at line 306, The iOS workflow now supports
manual dispatch, but it lacks an explicit top-level permissions block and may
inherit broader default token access. Add a least-privilege permissions section
to the workflow in ios-build.yml, aligned with the workflow’s actual needs, and
keep the change near the workflow_dispatch configuration so the security intent
is clear.

Source: Path instructions

Comment on lines +106 to +113
description: Cloudflare API token with Workers + DNS permissions as
needed
required: true
cloudflare_account_id:
description: Cloudflare Account ID
required: true

workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Extract the workflow_call inputs section for mirroring under workflow_dispatch
sed -n '/^on:/,/^jobs:/p' .github/workflows/next-cloudflare-worker.yaml | sed -n '/workflow_call:/,/workflow_dispatch:/p'

Repository: simplify9/.github

Length of output: 2465


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/next-cloudflare-worker.yaml"

echo "== file outline =="
ast-grep outline "$FILE" --view expanded || true

echo
echo "== relevant workflow excerpt =="
sed -n '1,260p' "$FILE" | cat -n

echo
echo "== references to inputs / github.event.inputs / workflow_dispatch =="
rg -n '\b(inputs\.[A-Za-z0-9_]+|github\.event\.inputs\.[A-Za-z0-9_]+|workflow_dispatch:|workflow_call:)' "$FILE"

Repository: simplify9/.github

Length of output: 13955


🌐 Web query:

GitHub Actions workflow_dispatch without inputs inputs context empty strings documentation

💡 Result:

In GitHub Actions, the workflow_dispatch trigger treats omitted or unset optional inputs as empty strings ("") within the workflow context [1]. Currently, there is no native, reliable way to distinguish between an input that was explicitly set to an empty string and an input that was not provided by the user, as both result in an empty string value [2][1][3]. If an input has a defined default value, that default is used when the input is omitted [1][4]. If an input is required, the user must provide a value [5]. Because of this limitation, if you need to detect whether a user intentionally provided an empty value versus simply omitting the input, common workarounds include: 1. Flag-based detection: Add an additional boolean input (e.g., input_provided: true) to your workflow_dispatch configuration that the user must toggle when they wish to provide an input [1]. 2. Comparison with default: If your input has a default value, you can check if the provided input value is equal to that default. If it is different, the user explicitly provided a value (even if that value was an empty string) [1]. For conditional logic based on these inputs, you can check for non-empty strings in your workflow steps or job conditions using the following syntax [6][1]: if: github.event.inputs.your_input_name!= '' Avoid using the ${{ }} syntax inside the if condition itself, as it is unnecessary and can sometimes cause evaluation issues [6].

Citations:


Mirror the full workflow_call.inputs block under workflow_dispatch.inputs
Manual runs need the same inputs; otherwise inputs.project_name, inputs.environment, and the rest resolve blank, which breaks the deploy command and collapses the concurrency key to deploy--.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/next-cloudflare-worker.yaml around lines 106 - 113, The
workflow is missing the same input definitions under workflow_dispatch.inputs
that are already declared in workflow_call.inputs. Mirror the full inputs block
in the workflow_dispatch section, including project_name, environment,
cloudflare_api_token, and cloudflare_account_id, so the reusable workflow and
manual dispatch resolve the same values. Use the existing workflow_call.inputs
block as the source of truth and ensure the dispatch trigger references the same
input names throughout the deploy job and concurrency key.

Source: Path instructions

value: ${{ jobs.ci.outputs.helm-chart }}

# Default to least privilege; each job escalates only what it needs.
workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Enumerate required workflow_call inputs lacking a default to gauge manual-dispatch breakage.
fd reusable-service-cicd.yml .github/workflows --exec cat -n {} \
  | sed -n '1,260p'

Repository: simplify9/.github

Length of output: 17044


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/reusable-service-cicd.yml"

# Show the trigger block and the full workflow_call input definitions.
sed -n '220,420p' "$file"
printf '\n--- workflow_dispatch vicinity ---\n'
grep -n -A20 -B5 '^  workflow_dispatch:' "$file" || true

Repository: simplify9/.github

Length of output: 7823


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/reusable-service-cicd.yml"

printf '--- chart-name usage ---\n'
grep -n 'chart-name' "$file"

printf '\n--- validation step vicinity ---\n'
sed -n '660,720p' "$file"

printf '\n--- any workflow_dispatch inputs block ---\n'
grep -n -A40 -B3 '^  workflow_dispatch:' "$file"

Repository: simplify9/.github

Length of output: 246


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/reusable-service-cicd.yml"

# Show the chart validation step and all chart-name references.
grep -n -A6 -B6 'Validate chart publish configuration' "$file" || true
printf '\n--- chart-name references ---\n'
grep -n 'chart-name' "$file"

Repository: simplify9/.github

Length of output: 2701


Add workflow_dispatch.inputs or remove the manual trigger.
workflow_dispatch has no inputs here, so manual runs reach the required chart-name validation with an empty value and fail immediately. Mirror the needed inputs under workflow_dispatch if manual runs are intended.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/reusable-service-cicd.yml at line 495, The manual trigger
is defined without any inputs, so `workflow_dispatch` runs hit the `chart-name`
validation with an empty value and fail. Update the reusable workflow’s
`workflow_dispatch` block to declare the same required input(s) used by the
validation, especially `chart-name`, or remove the manual trigger if it is not
intended. Keep the trigger and the validation in sync so the workflow entrypoint
can be used safely.

Source: Path instructions

Comment on lines +103 to +110
description: Cloudflare API token with Workers + DNS permissions as
needed
required: true
cloudflare_account_id:
description: Cloudflare Account ID
required: true

workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Extract the workflow_call inputs section for mirroring under workflow_dispatch
sed -n '/^on:/,/^jobs:/p' .github/workflows/vite-cloudflare-worker.yml | sed -n '/workflow_call:/,/workflow_dispatch:/p'

Repository: simplify9/.github

Length of output: 2465


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow around triggers and all input references
file=.github/workflows/vite-cloudflare-worker.yml
wc -l "$file"
sed -n '1,220p' "$file" | nl -ba | sed -n '1,220p'

printf '\n--- inputs references ---\n'
rg -n '\binputs\.' "$file"

printf '\n--- workflow_dispatch block ---\n'
sed -n '/workflow_dispatch:/,/^jobs:/p' "$file" | nl -ba

Repository: simplify9/.github

Length of output: 244


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=.github/workflows/vite-cloudflare-worker.yml

printf '--- file excerpt with line numbers ---\n'
awk '{printf "%4d  %s\n", NR, $0}' "$file" | sed -n '1,220p'

printf '\n--- inputs references ---\n'
rg -n '\binputs\.' "$file"

printf '\n--- workflow triggers ---\n'
awk '
  /^on:/ {p=1}
  p {print}
  /^jobs:/ {exit}
' "$file"

Repository: simplify9/.github

Length of output: 246


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=.github/workflows/vite-cloudflare-worker.yml

echo '--- file excerpt with line numbers ---'
python3 - <<'PY'
from pathlib import Path
p = Path(".github/workflows/vite-cloudflare-worker.yml")
for i, line in enumerate(p.read_text().splitlines(), 1):
    if i <= 240:
        print(f"{i:4d}  {line}")
PY

echo
echo '--- inputs references ---'
rg -n '\b(inputs|github\.event\.inputs)\b' "$file"

echo
echo '--- on: block ---'
sed -n '/^on:/,/^jobs:/p' "$file"

Repository: simplify9/.github

Length of output: 14933


🌐 Web query:

GitHub Actions workflow_dispatch inputs context empty strings when no inputs are defined workflow_call inputs separate manual dispatch docs

💡 Result:

In GitHub Actions, when an optional input is not provided for a workflow_dispatch event, it is treated as an empty string ("") [1][2]. Consequently, there is no inherent technical distinction between an unset optional input and an input explicitly set to an empty string [1][2]. To handle this behavior: 1. Detection Limitations: GitHub Actions initializes inputs to empty strings if no value is provided [1][3]. This makes it impossible to differentiate between a user leaving a field blank and a user passing an empty value [1][2]. 2. Workarounds: A common approach to detect if an input was intentionally set is to include a hidden "flag" or "trigger" input (e.g., a boolean) that the workflow can check to determine if the associated string input should be processed [2]. Alternatively, if an input has a default value, you can compare the provided input against that default, though this still does not solve the ambiguity of empty strings [2]. Regarding workflow_call and workflow_dispatch inputs: - Context Usage: Both event types provide access to their respective inputs via the inputs context [4][5]. The github.event.inputs context remains available for workflow_dispatch for backward compatibility [6][4][5]. - Unified Context: The inputs context is preferred as it preserves data types (such as booleans) rather than converting them to strings, whereas github.event.inputs treats everything as strings [6][5]. - Separate Definitions: GitHub Actions does not currently support "global" input definitions [7]. If a workflow needs to support both workflow_dispatch and workflow_call, you must explicitly define the required inputs under both triggers in the workflow file [7]. top_results: [1][2][6][4][5][7]

Citations:


Mirror the dispatch inputs. jobs.deploy reads inputs.project_name, inputs.environment, inputs.route, and other inputs.* values, but workflow_dispatch defines none of them. Manual runs will resolve those fields to empty strings and can deploy with invalid values. Duplicate the workflow_call.inputs block under workflow_dispatch with the same names, types, defaults, and descriptions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/vite-cloudflare-worker.yml around lines 103 - 110, The
manual trigger is missing the same inputs that jobs.deploy already consumes, so
workflow_dispatch should mirror the workflow_call inputs. Add the full inputs
block under workflow_dispatch using the same names, types, defaults, and
descriptions for project_name, environment, route, and the other existing inputs
so manual runs resolve inputs.* correctly. Keep the definitions aligned with the
current workflow_call.inputs section to avoid empty-string deployments.

Source: Path instructions

@MusaMisto
MusaMisto merged commit 3d22e59 into main Jul 9, 2026
2 checks passed
@MusaMisto
MusaMisto deleted the chore/remove-pr-triggers-add-dispatch-main branch July 9, 2026 12:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant