chore: normalize GitHub Actions triggers#128
Conversation
📝 WalkthroughWhat changed:
Risk level: risk:low Security-sensitive areas touched:
Test coverage impact:
Deployment / rollback / operational concerns:
WalkthroughTen reusable GitHub Actions workflow files are updated to add ChangesWorkflow trigger and formatting updates
Estimated code review effort: 2 (Simple) | ~15 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 7
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/android-build.yml (1)
250-258: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winMissing
concurrency:block on thebuildjob.The
release_with_environmentjob also lacks concurrency controls. The companionflutter-android-build.ymlhasconcurrency:on both jobs (lines 216–218, 600–602). Without it, concurrent pushes or manual dispatches to the same ref run in parallel, wasting runner minutes and potentially corrupting shared Gradle caches.🔒 Suggested addition
build: name: Build runs-on: ${{ inputs.ubuntu-runner }} + concurrency: + group: ${{ github.workflow }}-android-build-${{ github.ref }} + cancel-in-progress: true env:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/android-build.yml around lines 250 - 258, The build workflow jobs are missing concurrency control, so concurrent runs on the same ref can overlap and interfere with shared caches. Add a concurrency block to both the build job and the release_with_environment job in the Android workflow, matching the pattern already used in flutter-android-build.yml; use the job names and ref-based grouping consistently so only one run per ref proceeds at a time, with in-progress cancellation enabled as appropriate.Source: Linters/SAST tools
.github/workflows/ios-build.yml (1)
311-311: 🚀 Performance & Scalability | 🟠 Major | ⚡ Quick winAdd a
concurrencyblock to thebuildjob.The
buildjob runs on macOS (expensive runners) and has no concurrency limit. Withworkflow_dispatchnow enabled, overlapping manual runs waste macOS minutes. Theflutter-ios-build.ymlworkflow already has concurrency on both itsbuildandreleasejobs — this file should be consistent. zizmor also flagged this (lines 57-306).🔒️ Suggested concurrency block
build: name: Build runs-on: ${{ inputs.macos-runner }} + concurrency: + group: ${{ github.workflow }}-ios-build-${{ github.ref }} + cancel-in-progress: true outputs:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ios-build.yml at line 311, Add a concurrency block to the build job in the iOS workflow so overlapping runs are cancelled/serialized like in flutter-ios-build.yml. Update the build job definition to include job-level concurrency, using the build job identifier and a workflow-specific group key so manual workflow_dispatch runs don’t consume multiple macOS runners at once.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/android-build.yml:
- Line 245: The manual trigger in the android build workflow is missing
workflow_dispatch inputs, so jobs like the build and publish steps will see
empty inputs.* values instead of the defaults used by workflow_call. Mirror the
existing workflow_call input definitions under workflow_dispatch.inputs in the
same workflow configuration so manual runs expose the same parameters and
defaults, and make sure the jobs that reference inputs.app-id,
inputs.version-prefix, inputs.play-track, and inputs.gradle-task continue to
receive valid values.
In @.github/workflows/flutter-android-build.yml:
- Line 208: The workflow_dispatch trigger in the flutter-android-build workflow
is missing inputs, so manual runs won’t populate values used by jobs like
app-id, flutter-version, version-prefix, and play-track. Add a
workflow_dispatch.inputs block that mirrors the existing workflow_call.inputs in
this workflow, or add a guard in the relevant job definitions to skip execution
when required inputs are empty.
In @.github/workflows/flutter-ios-build.yml:
- Line 187: The flutter iOS build workflow now supports workflow_dispatch, so
add a top-level permissions block to the workflow with least-privilege access
instead of relying on default token scopes. Update the workflow definition to
explicitly set the minimum needed permissions, using the existing job steps
(such as checkout and TestFlight upload) to confirm that read-only repository
access is sufficient.
In @.github/workflows/ios-build.yml:
- Line 306: The iOS workflow now supports manual dispatch, but it lacks an
explicit top-level permissions block and may inherit broader default token
access. Add a least-privilege permissions section to the workflow in
ios-build.yml, aligned with the workflow’s actual needs, and keep the change
near the workflow_dispatch configuration so the security intent is clear.
In @.github/workflows/next-cloudflare-worker.yaml:
- Around line 106-113: The workflow is missing the same input definitions under
workflow_dispatch.inputs that are already declared in workflow_call.inputs.
Mirror the full inputs block in the workflow_dispatch section, including
project_name, environment, cloudflare_api_token, and cloudflare_account_id, so
the reusable workflow and manual dispatch resolve the same values. Use the
existing workflow_call.inputs block as the source of truth and ensure the
dispatch trigger references the same input names throughout the deploy job and
concurrency key.
In @.github/workflows/reusable-service-cicd.yml:
- Line 495: The manual trigger is defined without any inputs, so
`workflow_dispatch` runs hit the `chart-name` validation with an empty value and
fail. Update the reusable workflow’s `workflow_dispatch` block to declare the
same required input(s) used by the validation, especially `chart-name`, or
remove the manual trigger if it is not intended. Keep the trigger and the
validation in sync so the workflow entrypoint can be used safely.
In @.github/workflows/vite-cloudflare-worker.yml:
- Around line 103-110: The manual trigger is missing the same inputs that
jobs.deploy already consumes, so workflow_dispatch should mirror the
workflow_call inputs. Add the full inputs block under workflow_dispatch using
the same names, types, defaults, and descriptions for project_name, environment,
route, and the other existing inputs so manual runs resolve inputs.* correctly.
Keep the definitions aligned with the current workflow_call.inputs section to
avoid empty-string deployments.
---
Outside diff comments:
In @.github/workflows/android-build.yml:
- Around line 250-258: The build workflow jobs are missing concurrency control,
so concurrent runs on the same ref can overlap and interfere with shared caches.
Add a concurrency block to both the build job and the release_with_environment
job in the Android workflow, matching the pattern already used in
flutter-android-build.yml; use the job names and ref-based grouping consistently
so only one run per ref proceeds at a time, with in-progress cancellation
enabled as appropriate.
In @.github/workflows/ios-build.yml:
- Line 311: Add a concurrency block to the build job in the iOS workflow so
overlapping runs are cancelled/serialized like in flutter-ios-build.yml. Update
the build job definition to include job-level concurrency, using the build job
identifier and a workflow-specific group key so manual workflow_dispatch runs
don’t consume multiple macOS runners at once.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: simplify9/coderabbit/.coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: dca97950-3dce-4f7f-a748-f152c08f4b05
📒 Files selected for processing (10)
.github/workflows/android-build.yml.github/workflows/flutter-android-build.yml.github/workflows/flutter-ios-build.yml.github/workflows/generic-chart-helm.yml.github/workflows/generic-gateway-helm-template.yml.github/workflows/helm-deploy-values.yml.github/workflows/ios-build.yml.github/workflows/next-cloudflare-worker.yaml.github/workflows/reusable-service-cicd.yml.github/workflows/vite-cloudflare-worker.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**
⚙️ CodeRabbit configuration file
.github/workflows/**: Treat GitHub Actions changes as supply-chain sensitive.Check for:
- Overbroad permissions
- Missing explicit permissions blocks
- Unpinned third-party actions
- Unsafe pull_request_target usage
- Secret exposure
- Shell injection risks
- Untrusted input used in scripts
- Dangerous artifact upload/download behavior
- Missing least-privilege permissions
Files:
.github/workflows/vite-cloudflare-worker.yml.github/workflows/next-cloudflare-worker.yaml.github/workflows/helm-deploy-values.yml.github/workflows/flutter-android-build.yml.github/workflows/android-build.yml.github/workflows/generic-chart-helm.yml.github/workflows/ios-build.yml.github/workflows/reusable-service-cicd.yml.github/workflows/generic-gateway-helm-template.yml.github/workflows/flutter-ios-build.yml
🪛 zizmor (1.26.1)
.github/workflows/android-build.yml
[warning] 56-245: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
.github/workflows/ios-build.yml
[warning] 57-306: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🔇 Additional comments (14)
.github/workflows/reusable-service-cicd.yml (1)
249-250: LGTM!Also applies to: 293-301, 323-326, 341-367, 387-410, 457-475, 589-590, 616-617, 927-928, 974-975, 1079-1080, 1180-1181, 1298-1299, 1310-1311, 1471-1472, 1512-1513
.github/workflows/android-build.yml (2)
93-206: LGTM!Also applies to: 440-441, 453-454, 467-468, 477-478, 568-568, 769-770, 782-790
245-245: 🔒 Security & PrivacyNo missing permissions block here
permissions:is already set at the workflow root tocontents: read, so this workflow does not inherit the repository default token scope.> Likely an incorrect or invalid review comment..github/workflows/flutter-android-build.yml (2)
91-194: LGTM!Also applies to: 280-281, 537-538, 651-652, 664-665
208-208: 🔒 Security & PrivacyNo permissions block is missing
.github/workflows/flutter-android-build.ymlalready declarespermissions: contents: read.> Likely an incorrect or invalid review comment..github/workflows/generic-chart-helm.yml (1)
83-96: LGTM!Also applies to: 131-132, 159-172, 207-208, 234-234, 337-338, 383-384, 412-413, 443-444, 564-565, 580-581, 667-668
.github/workflows/generic-gateway-helm-template.yml (1)
173-174: LGTM!Also applies to: 367-380, 436-436, 533-534, 581-582, 612-613, 640-641, 707-708, 726-727, 738-743, 752-753, 841-842
.github/workflows/helm-deploy-values.yml (1)
48-49: LGTM!Also applies to: 86-94, 108-109, 121-122, 152-160, 195-195
.github/workflows/next-cloudflare-worker.yaml (1)
58-60: LGTM!Also applies to: 70-71, 81-82, 248-250, 301-302, 348-349
.github/workflows/vite-cloudflare-worker.yml (1)
53-55: LGTM!.github/workflows/flutter-ios-build.yml (2)
187-187: 🩺 Stability & AvailabilityVerify
workflow_dispatchcan accessworkflow_callinputs.
workflow_dispatch:is added without its owninputsblock. All inputs are defined underworkflow_call. When triggered manually, confirm thatworkflow_callinput defaults are still available asinputs.*— otherwise required inputs likemacos-runnerwill be empty and the build will fail.
38-39: LGTM!Also applies to: 67-74, 95-96, 111-118, 139-140, 161-162, 171-178, 240-241, 274-276, 514-515, 632-633, 654-655
.github/workflows/ios-build.yml (2)
306-306: 🩺 Stability & AvailabilityVerify
workflow_dispatchcan accessworkflow_callinputs.
workflow_dispatch:is added without its owninputsblock. All inputs are defined underworkflow_call. When triggered manually, confirm thatworkflow_callinput defaults are still available asinputs.*— otherwise required inputs will be empty and the build will fail.
1-1: LGTM!Also applies to: 78-85, 95-103, 123-124, 159-160, 192-193, 202-203, 220-221, 230-231, 247-254, 264-265, 291-292, 363-364, 486-494, 578-579, 591-592
| description: Output AAB file uploaded and released | ||
| value: ${{ jobs.build.outputs.aab-file }} | ||
|
|
||
| workflow_dispatch: |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift
workflow_dispatch: added without inputs: — manual runs will have empty inputs.*.
The jobs reference inputs.app-id, inputs.version-prefix, inputs.play-track, inputs.gradle-task, and many others throughout. workflow_call input defaults do not apply to workflow_dispatch triggers — they are separate input namespaces. A manual dispatch will produce empty strings for all inputs.*, causing the build to fail or behave unexpectedly.
Either mirror the workflow_call inputs under workflow_dispatch.inputs (so manual runs get a UI with defaults), or add a guard that skips jobs when critical inputs are empty.
🔧 Proposed fix: add `workflow_dispatch.inputs` mirroring `workflow_call.inputs`
workflow_dispatch:
+ inputs:
+ app-id:
+ description: Application ID (e.g. com.example.app)
+ required: true
+ type: string
+ version-prefix:
+ description: Base version for VERSION_NAME (X.Y or X.Y.Z)
+ required: false
+ type: string
+ default: "1.0.0"
+ # … mirror all other workflow_call inputs with same defaults🧰 Tools
🪛 zizmor (1.26.1)
[warning] 56-245: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/android-build.yml at line 245, The manual trigger in the
android build workflow is missing workflow_dispatch inputs, so jobs like the
build and publish steps will see empty inputs.* values instead of the defaults
used by workflow_call. Mirror the existing workflow_call input definitions under
workflow_dispatch.inputs in the same workflow configuration so manual runs
expose the same parameters and defaults, and make sure the jobs that reference
inputs.app-id, inputs.version-prefix, inputs.play-track, and inputs.gradle-task
continue to receive valid values.
| description: Output AAB file name uploaded and released | ||
| value: ${{ jobs.build.outputs.aab-file }} | ||
|
|
||
| workflow_dispatch: |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift
workflow_dispatch: added without inputs: — manual runs will have empty inputs.*.
Same issue as android-build.yml: the jobs depend on inputs.app-id, inputs.flutter-version, inputs.version-prefix, inputs.play-track, and many others. workflow_call input defaults do not apply to workflow_dispatch triggers. Manual dispatch will run with all inputs empty, causing build failures or unexpected behavior.
Add workflow_dispatch.inputs mirroring workflow_call.inputs, or add a guard that skips jobs when critical inputs are empty.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/flutter-android-build.yml at line 208, The
workflow_dispatch trigger in the flutter-android-build workflow is missing
inputs, so manual runs won’t populate values used by jobs like app-id,
flutter-version, version-prefix, and play-track. Add a workflow_dispatch.inputs
block that mirrors the existing workflow_call.inputs in this workflow, or add a
guard in the relevant job definitions to skip execution when required inputs are
empty.
| description: Output IPA file name uploaded and released | ||
| value: ${{ jobs.build.outputs.ipa-file }} | ||
|
|
||
| workflow_dispatch: |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Add an explicit permissions: block.
This workflow now has workflow_dispatch:, enabling direct manual triggering without a caller workflow that might scope token permissions. Without a top-level permissions: block, the workflow inherits default token permissions, which may be overly broad. Add a least-privilege block (e.g., contents: read is sufficient for checkout; the TestFlight upload uses secrets, not token scopes).
As per path instructions, check for "Missing explicit permissions blocks" and "Missing least-privilege permissions" in .github/workflows/** files.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/flutter-ios-build.yml at line 187, The flutter iOS build
workflow now supports workflow_dispatch, so add a top-level permissions block to
the workflow with least-privilege access instead of relying on default token
scopes. Update the workflow definition to explicitly set the minimum needed
permissions, using the existing job steps (such as checkout and TestFlight
upload) to confirm that read-only repository access is sufficient.
Source: Path instructions
| description: IPA file name uploaded and released | ||
| value: ${{ jobs.build.outputs.ipa-file }} | ||
|
|
||
| workflow_dispatch: |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Add an explicit permissions: block.
Same concern as flutter-ios-build.yml: adding workflow_dispatch: enables direct manual triggering. Without a top-level permissions: block, the workflow inherits potentially broad default token permissions. Add a least-privilege block appropriate for the workflow's needs.
As per path instructions, check for "Missing explicit permissions blocks" and "Missing least-privilege permissions" in .github/workflows/** files.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 57-306: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ios-build.yml at line 306, The iOS workflow now supports
manual dispatch, but it lacks an explicit top-level permissions block and may
inherit broader default token access. Add a least-privilege permissions section
to the workflow in ios-build.yml, aligned with the workflow’s actual needs, and
keep the change near the workflow_dispatch configuration so the security intent
is clear.
Source: Path instructions
| description: Cloudflare API token with Workers + DNS permissions as | ||
| needed | ||
| required: true | ||
| cloudflare_account_id: | ||
| description: Cloudflare Account ID | ||
| required: true | ||
|
|
||
| workflow_dispatch: |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Extract the workflow_call inputs section for mirroring under workflow_dispatch
sed -n '/^on:/,/^jobs:/p' .github/workflows/next-cloudflare-worker.yaml | sed -n '/workflow_call:/,/workflow_dispatch:/p'Repository: simplify9/.github
Length of output: 2465
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/next-cloudflare-worker.yaml"
echo "== file outline =="
ast-grep outline "$FILE" --view expanded || true
echo
echo "== relevant workflow excerpt =="
sed -n '1,260p' "$FILE" | cat -n
echo
echo "== references to inputs / github.event.inputs / workflow_dispatch =="
rg -n '\b(inputs\.[A-Za-z0-9_]+|github\.event\.inputs\.[A-Za-z0-9_]+|workflow_dispatch:|workflow_call:)' "$FILE"Repository: simplify9/.github
Length of output: 13955
🌐 Web query:
GitHub Actions workflow_dispatch without inputs inputs context empty strings documentation
💡 Result:
In GitHub Actions, the workflow_dispatch trigger treats omitted or unset optional inputs as empty strings ("") within the workflow context [1]. Currently, there is no native, reliable way to distinguish between an input that was explicitly set to an empty string and an input that was not provided by the user, as both result in an empty string value [2][1][3]. If an input has a defined default value, that default is used when the input is omitted [1][4]. If an input is required, the user must provide a value [5]. Because of this limitation, if you need to detect whether a user intentionally provided an empty value versus simply omitting the input, common workarounds include: 1. Flag-based detection: Add an additional boolean input (e.g., input_provided: true) to your workflow_dispatch configuration that the user must toggle when they wish to provide an input [1]. 2. Comparison with default: If your input has a default value, you can check if the provided input value is equal to that default. If it is different, the user explicitly provided a value (even if that value was an empty string) [1]. For conditional logic based on these inputs, you can check for non-empty strings in your workflow steps or job conditions using the following syntax [6][1]: if: github.event.inputs.your_input_name!= '' Avoid using the ${{ }} syntax inside the if condition itself, as it is unnecessary and can sometimes cause evaluation issues [6].
Citations:
- 1: https://www.codegenes.net/blog/how-to-check-if-an-optional-workflow-dispatch-input-is-set-or-not/
- 2: Impossible to detect unset inputs from inputs set as the empty string actions/toolkit#940
- 3: Differentiate between input parameter empty or not present actions/runner#924
- 4: https://docs.github.com/enterprise-cloud@latest/actions/using-workflows/workflow-syntax-for-github-actions
- 5: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
- 6: https://stackoverflow.com/questions/72379994/github-actions-check-empty-dispatch-input
Mirror the full workflow_call.inputs block under workflow_dispatch.inputs
Manual runs need the same inputs; otherwise inputs.project_name, inputs.environment, and the rest resolve blank, which breaks the deploy command and collapses the concurrency key to deploy--.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/next-cloudflare-worker.yaml around lines 106 - 113, The
workflow is missing the same input definitions under workflow_dispatch.inputs
that are already declared in workflow_call.inputs. Mirror the full inputs block
in the workflow_dispatch section, including project_name, environment,
cloudflare_api_token, and cloudflare_account_id, so the reusable workflow and
manual dispatch resolve the same values. Use the existing workflow_call.inputs
block as the source of truth and ensure the dispatch trigger references the same
input names throughout the deploy job and concurrency key.
Source: Path instructions
| value: ${{ jobs.ci.outputs.helm-chart }} | ||
|
|
||
| # Default to least privilege; each job escalates only what it needs. | ||
| workflow_dispatch: |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Enumerate required workflow_call inputs lacking a default to gauge manual-dispatch breakage.
fd reusable-service-cicd.yml .github/workflows --exec cat -n {} \
| sed -n '1,260p'Repository: simplify9/.github
Length of output: 17044
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=".github/workflows/reusable-service-cicd.yml"
# Show the trigger block and the full workflow_call input definitions.
sed -n '220,420p' "$file"
printf '\n--- workflow_dispatch vicinity ---\n'
grep -n -A20 -B5 '^ workflow_dispatch:' "$file" || trueRepository: simplify9/.github
Length of output: 7823
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=".github/workflows/reusable-service-cicd.yml"
printf '--- chart-name usage ---\n'
grep -n 'chart-name' "$file"
printf '\n--- validation step vicinity ---\n'
sed -n '660,720p' "$file"
printf '\n--- any workflow_dispatch inputs block ---\n'
grep -n -A40 -B3 '^ workflow_dispatch:' "$file"Repository: simplify9/.github
Length of output: 246
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=".github/workflows/reusable-service-cicd.yml"
# Show the chart validation step and all chart-name references.
grep -n -A6 -B6 'Validate chart publish configuration' "$file" || true
printf '\n--- chart-name references ---\n'
grep -n 'chart-name' "$file"Repository: simplify9/.github
Length of output: 2701
Add workflow_dispatch.inputs or remove the manual trigger.
workflow_dispatch has no inputs here, so manual runs reach the required chart-name validation with an empty value and fail immediately. Mirror the needed inputs under workflow_dispatch if manual runs are intended.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/reusable-service-cicd.yml at line 495, The manual trigger
is defined without any inputs, so `workflow_dispatch` runs hit the `chart-name`
validation with an empty value and fail. Update the reusable workflow’s
`workflow_dispatch` block to declare the same required input(s) used by the
validation, especially `chart-name`, or remove the manual trigger if it is not
intended. Keep the trigger and the validation in sync so the workflow entrypoint
can be used safely.
Source: Path instructions
| description: Cloudflare API token with Workers + DNS permissions as | ||
| needed | ||
| required: true | ||
| cloudflare_account_id: | ||
| description: Cloudflare Account ID | ||
| required: true | ||
|
|
||
| workflow_dispatch: |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Extract the workflow_call inputs section for mirroring under workflow_dispatch
sed -n '/^on:/,/^jobs:/p' .github/workflows/vite-cloudflare-worker.yml | sed -n '/workflow_call:/,/workflow_dispatch:/p'Repository: simplify9/.github
Length of output: 2465
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow around triggers and all input references
file=.github/workflows/vite-cloudflare-worker.yml
wc -l "$file"
sed -n '1,220p' "$file" | nl -ba | sed -n '1,220p'
printf '\n--- inputs references ---\n'
rg -n '\binputs\.' "$file"
printf '\n--- workflow_dispatch block ---\n'
sed -n '/workflow_dispatch:/,/^jobs:/p' "$file" | nl -baRepository: simplify9/.github
Length of output: 244
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=.github/workflows/vite-cloudflare-worker.yml
printf '--- file excerpt with line numbers ---\n'
awk '{printf "%4d %s\n", NR, $0}' "$file" | sed -n '1,220p'
printf '\n--- inputs references ---\n'
rg -n '\binputs\.' "$file"
printf '\n--- workflow triggers ---\n'
awk '
/^on:/ {p=1}
p {print}
/^jobs:/ {exit}
' "$file"Repository: simplify9/.github
Length of output: 246
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=.github/workflows/vite-cloudflare-worker.yml
echo '--- file excerpt with line numbers ---'
python3 - <<'PY'
from pathlib import Path
p = Path(".github/workflows/vite-cloudflare-worker.yml")
for i, line in enumerate(p.read_text().splitlines(), 1):
if i <= 240:
print(f"{i:4d} {line}")
PY
echo
echo '--- inputs references ---'
rg -n '\b(inputs|github\.event\.inputs)\b' "$file"
echo
echo '--- on: block ---'
sed -n '/^on:/,/^jobs:/p' "$file"Repository: simplify9/.github
Length of output: 14933
🌐 Web query:
GitHub Actions workflow_dispatch inputs context empty strings when no inputs are defined workflow_call inputs separate manual dispatch docs
💡 Result:
In GitHub Actions, when an optional input is not provided for a workflow_dispatch event, it is treated as an empty string ("") [1][2]. Consequently, there is no inherent technical distinction between an unset optional input and an input explicitly set to an empty string [1][2]. To handle this behavior: 1. Detection Limitations: GitHub Actions initializes inputs to empty strings if no value is provided [1][3]. This makes it impossible to differentiate between a user leaving a field blank and a user passing an empty value [1][2]. 2. Workarounds: A common approach to detect if an input was intentionally set is to include a hidden "flag" or "trigger" input (e.g., a boolean) that the workflow can check to determine if the associated string input should be processed [2]. Alternatively, if an input has a default value, you can compare the provided input against that default, though this still does not solve the ambiguity of empty strings [2]. Regarding workflow_call and workflow_dispatch inputs: - Context Usage: Both event types provide access to their respective inputs via the inputs context [4][5]. The github.event.inputs context remains available for workflow_dispatch for backward compatibility [6][4][5]. - Unified Context: The inputs context is preferred as it preserves data types (such as booleans) rather than converting them to strings, whereas github.event.inputs treats everything as strings [6][5]. - Separate Definitions: GitHub Actions does not currently support "global" input definitions [7]. If a workflow needs to support both workflow_dispatch and workflow_call, you must explicitly define the required inputs under both triggers in the workflow file [7]. top_results: [1][2][6][4][5][7]
Citations:
- 1: Impossible to detect unset inputs from inputs set as the empty string actions/toolkit#940
- 2: https://www.codegenes.net/blog/how-to-check-if-an-optional-workflow-dispatch-input-is-set-or-not/
- 3: Differentiate between input parameter empty or not present actions/runner#924
- 4: https://github.blog/changelog/2022-06-09-github-actions-inputs-unified-across-manual-and-reusable-workflows/
- 5: https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow
- 6: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
- 7: https://stackoverflow.com/questions/78675909/can-we-define-inputs-globally-across-different-triggers-in-github-workflows
Mirror the dispatch inputs. jobs.deploy reads inputs.project_name, inputs.environment, inputs.route, and other inputs.* values, but workflow_dispatch defines none of them. Manual runs will resolve those fields to empty strings and can deploy with invalid values. Duplicate the workflow_call.inputs block under workflow_dispatch with the same names, types, defaults, and descriptions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/vite-cloudflare-worker.yml around lines 103 - 110, The
manual trigger is missing the same inputs that jobs.deploy already consumes, so
workflow_dispatch should mirror the workflow_call inputs. Add the full inputs
block under workflow_dispatch using the same names, types, defaults, and
descriptions for project_name, environment, route, and the other existing inputs
so manual runs resolve inputs.* correctly. Keep the definitions aligned with the
current workflow_call.inputs section to avoid empty-string deployments.
Source: Path instructions
Normalizes GitHub Actions workflow triggers on
main.Changes:
workflow_dispatch:exists;pushconfiguration, includingpush.branches.This intentionally does not alter deployment environments, jobs, steps, or push branch lists.