@spoorcc spoorcc commented Jan 3, 2026

Summary by CodeRabbit

  • Chores
    • Reorganized CI to separate test and docs jobs and simplified workflows for faster orchestration.
    • Simplified security scanning to a single-language analysis and streamlined scorecard upload behavior.
  • Documentation
    • Consolidated docs and landing-page build into a dedicated docs flow with a separate publish step to GitHub Pages.
  • Chores
    • Updated workflow invocations and action versions for improved maintenance.

coderabbitai bot commented Jan 3, 2026

Warning

Rate limit exceeded

@spoorcc has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 9 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 8a5fd9f and 181fdad.

📒 Files selected for processing (11)
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/devcontainer.yml
  • .github/workflows/docs.yml
  • .github/workflows/python-publish.yml
  • .github/workflows/release.yml
  • .github/workflows/run.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/test.yml
  • action.yml

Walkthrough

GitHub Actions workflows were restructured: CI now orchestrates reusable test and docs workflows; docs workflow absorbs the landing-page job and landing-page.yml was removed; CodeQL and Scorecard workflows were simplified; test and docs workflows were converted to workflow_call.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Main CI Orchestration: .github/workflows/ci.yml | Workflow renamed to "CI"; adds independent test and docs jobs that call reusable workflows and grant contents: read. |
| Documentation & Landing Page: .github/workflows/docs.yml, .github/workflows/landing-page.yml | docs.yml trigger changed to workflow_call; landing-page build moved into a separate job inside docs.yml; landing-page.yml removed. |
| CodeQL Analysis: .github/workflows/codeql-analysis.yml | Removed language matrix and autobuild; CodeQL init fixed to python only; removed multi-language config/comments. |
| Security Scorecard: .github/workflows/scorecard.yml | Removed explicit contents/actions permissions and repo token guidance; updated checkout to v5; removed SARIF upload step and some publish-time options. |
| Test Workflow & Dependency Review: .github/workflows/test.yml, .github/workflows/dependency-review.yml | test.yml triggers changed to workflow_call; dependency-review.yml bumped actions/checkout to v5.0.0 only. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

github_actions, development

Suggested reviewers

  • ben-edna

Pre-merge checks

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Cleanup CI configs' accurately describes the primary change: refactoring and simplifying GitHub Actions workflow configurations across multiple CI-related files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@spoorcc spoorcc marked this pull request as ready for review January 3, 2026 21:20

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/codeql-analysis.yml (1)

50-51: Autobuild step is unnecessary for Python.

The autobuild step is typically a no-op for Python projects since Python doesn't require compilation. Consider removing it to simplify the workflow.

🔎 Proposed simplification
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7
-
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7
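Review bot: At the removed `Autobuild` step, the only context shown is the following `Perform CodeQL Analysis` step, so whether the removal is safe depends on the `init` step above this hunk, which is not visible here; confirm that `init` analyses only an interpreted language before applying the suggestion. The remaining `analyze` line keeps its full-SHA pin with the `# v3.30.7` comment, which should stay unchanged.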
.github/workflows/docs.yml (1)

27-29: Consider extracting duplicate installation steps.

The same pip install commands appear in both the docs job (lines 27-29) and the landing-page job (lines 51-53). Consider using a composite action or job output to avoid duplication.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2fd03dd and a55763e.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/docs.yml
  • .github/workflows/landing-page.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/test.yml
💤 Files with no reviewable changes (2)
  • .github/workflows/landing-page.yml
  • .github/workflows/scorecard.yml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-25T23:53:05.742Z
Learnt from: spoorcc
Repo: dfetch-org/dfetch PR: 861
File: .github/workflows/build.yml:120-125
Timestamp: 2025-12-25T23:53:05.742Z
Learning: When building macOS PKG installers with fpm in CI, account for the known issue (fpm #1996) where --prefix can be duplicated (e.g., /opt/dfetch becomes /opt/dfetch/opt/dfetch). In the workflow at .github/workflows/build.yml, verify install paths and PATH entries do not assume a single-prefix layout. Adjust packaging scripts or fpm arguments to normalize the final install location and update PATH references accordingly. Add a test step to validate the expected runtime paths after installation.

Applied to files:

  • .github/workflows/test.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/docs.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: build / build (ubuntu-latest)
  • GitHub Check: build / build (windows-latest)
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: run / run (windows-latest, 3.10)
  • GitHub Check: run / test-cygwin
🔇 Additional comments (8)
.github/workflows/codeql-analysis.yml (2)

48-48: LGTM: Python-only CodeQL analysis configured correctly.

The hardcoded Python language is appropriate for this Python project and simplifies the workflow.


50-51: Summary inconsistency detected.

The AI summary states "Removed the Autobuild step" but the autobuild step is still present in the code at lines 50-51.

.github/workflows/docs.yml (3)

4-4: LGTM: Workflow conversion to reusable pattern.

Converting to workflow_call correctly enables this workflow to be invoked by the CI orchestrator.


34-65: Consider job dependency between docs and landing-page.

The docs and landing-page jobs run independently in parallel. If the landing page depends on outputs from the docs job, add a needs: [docs] dependency to the landing-page job. If they are truly independent, the current configuration is optimal for parallel execution.


58-65: Verify action maintenance status and token permissions.

The commit hash c04b531c52b8f9d25c596bc6e6a7ddc116b2f3f8 correctly corresponds to v1.0.2. However:

  • The action's repository has no commits since January 2023 (over 2 years old)
  • There are 8 open issues in the repository
  • Adoption is modest (16 stars)

Ensure the GH_DFETCH_ORG_DEPLOY token has appropriate scopes (at minimum public_repo for the public target repository dfetch-org/dfetch-org.github.io). Given the action's maintenance status, consider evaluating whether these open issues could impact your deployment workflow or if a more actively maintained alternative exists.

.github/workflows/test.yml (1)

4-4: LGTM: Workflow conversion to reusable pattern.

Converting to workflow_call correctly enables this workflow to be invoked by the CI orchestrator, aligning with the modular workflow restructuring.

.github/workflows/ci.yml (2)

40-48: LGTM: Clean orchestration of test and docs workflows.

The addition of test and docs jobs using workflow_call correctly implements the modular workflow pattern. Running them in parallel (no needs dependencies) is efficient and appropriate since they appear to be independent verification steps.


45-48: Verify permissions for landing-page publish operation.

The docs job has only contents: read permissions, but the landing-page job within docs.yml publishes to an external repository. This should work because the publish action uses a PAT token (secrets.GH_DFETCH_ORG_DEPLOY) which has its own permissions independent of the workflow permissions. However, verify that:

  1. The token has not expired
  2. The token has appropriate scopes for the target repository
  3. The publish operation works as expected in CI runs

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a55763e and 8a5fd9f.

📒 Files selected for processing (3)
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/scorecard.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/codeql-analysis.yml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-25T23:53:05.742Z
Learnt from: spoorcc
Repo: dfetch-org/dfetch PR: 861
File: .github/workflows/build.yml:120-125
Timestamp: 2025-12-25T23:53:05.742Z
Learning: When building macOS PKG installers with fpm in CI, account for the known issue (fpm #1996) where --prefix can be duplicated (e.g., /opt/dfetch becomes /opt/dfetch/opt/dfetch). In the workflow at .github/workflows/build.yml, verify install paths and PATH entries do not assume a single-prefix layout. Adjust packaging scripts or fpm arguments to normalize the final install location and update PATH references accordingly. Add a test step to validate the expected runtime paths after installation.

Applied to files:

  • .github/workflows/dependency-review.yml
  • .github/workflows/scorecard.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)
  • GitHub Check: Publish Python distribution 📦 to TestPyPI
  • GitHub Check: build / build (macos-latest)
  • GitHub Check: build / build (ubuntu-latest)
  • GitHub Check: build / build (windows-latest)
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: run / run (windows-latest, 3.11)
  • GitHub Check: run / run (windows-latest, 3.10)
  • GitHub Check: run / run (windows-latest, 3.9)
  • GitHub Check: run / run (windows-latest, 3.13)
  • GitHub Check: run / run (windows-latest, 3.14)
  • GitHub Check: run / run (macos-latest, 3.9)
  • GitHub Check: run / run (windows-latest, 3.12)
  • GitHub Check: run / run (ubuntu-latest, 3.11)
  • GitHub Check: test / test
  • GitHub Check: run / test-cygwin
  • GitHub Check: DevContainer Build & Test
🔇 Additional comments (1)
.github/workflows/scorecard.yml (1)

53-56: Inconsistency with AI summary regarding code-scanning upload.

The AI-generated summary states "Removed the entire 'Upload to code-scanning' step," but the code shows this step is still present and unchanged. This inconsistency suggests the summary may be inaccurate regarding this particular change. The upload-sarif step remains active in the workflow.

@spoorcc spoorcc merged commit 32cc3c4 into main Jan 3, 2026
40 of 41 checks passed
@spoorcc spoorcc deleted the cleanup-ci branch January 3, 2026 22:20