chore(workflows): use reusable actions for initialize and update #801

Open: nicomiguelino wants to merge 2 commits into master from feat/use-edge-apps-actions

nicomiguelino (Contributor) commented May 9, 2026

User description

Summary

  • Replace inline build/deploy steps in initialize-app.yml and update-edge-app.yml with Screenly/edge-apps-actions
  • Drop explicit build_system and deploy_from_dist inputs — the actions auto-detect via package.json
  • Pass path: edge-apps/<app_name> to support the monorepo layout

Depends on

Screenly/edge-apps-actions#7 — must be merged and the v1 tag moved before this workflow reference is updated from @feat/add-path-input to @v1.


PR Type

Enhancement


Description

  • Replace initialization workflow with reusable action

  • Replace update workflow with reusable action

  • Pass monorepo path and environment inputs

  • Pin shared edge-app actions to v1


Diagram Walkthrough

flowchart LR
  init["initialize-app.yml"]
  upd["update-edge-app.yml"]
  shared["Screenly/edge-apps-actions@v1"]
  path["Monorepo path input"]
  config["Shared token and environment inputs"]
  init -- "delegates initialize" --> shared
  upd -- "delegates update" --> shared
  shared -- "targets app subdirectory" --> path
  shared -- "receives workflow context" --> config

File Walkthrough

Relevant files

Configuration changes

initialize-app.yml: Switch initialization to reusable shared action (+6/-70)

.github/workflows/initialize-app.yml

  • Use Screenly/edge-apps-actions/initialize@v1
  • Pass screenly_api_token, app name, title, and environment
  • Add path as edge-apps/${{ inputs.edge_app_name }}
  • Simplify workflow to shared initialization entrypoint

update-edge-app.yml: Switch update flow to reusable action (+6/-45)

.github/workflows/update-edge-app.yml

  • Use Screenly/edge-apps-actions/update@v1
  • Pass screenly_api_token, environment, and deletion flag
  • Add monorepo-aware path for the target app
  • Standardize update flow through shared action

- Replace inline build/deploy steps with Screenly/edge-apps-actions
- Drop explicit `build_system` and `deploy_from_dist` inputs (auto-detected)
- Pass `path` input pointing to the app subdirectory under edge-apps/

Depends on Screenly/edge-apps-actions#7

github-actions Bot commented May 9, 2026

PR Reviewer Guide 🔍

(Review updated until commit ef5e445)

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ❌

7 - Not compliant

Non-compliant requirements:

  • Add documentation explaining how to extract cookies from Safari.
  • Add documentation explaining how to extract cookies from Chrome.
  • Add documentation explaining how to extract cookies from Firefox.
  • Put this documentation under javascript-injectors.
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

Mutable third-party action reference:
Both workflows now invoke Screenly/edge-apps-actions via @v1 while passing SCREENLY_API_TOKEN. Tags are mutable, so a retargeted tag or compromised upstream repository could change what code runs without any change in this repository. Pin these actions to a full commit SHA to make the workflow execution deterministic and reduce supply-chain risk.

⚡ Recommended focus areas for review

Supply-chain risk

Screenly/edge-apps-actions/initialize@v1 is pinned to a mutable tag instead of an immutable commit SHA. If that tag is retargeted or the upstream repository is compromised, this workflow will execute different code with access to SCREENLY_API_TOKEN.

- uses: Screenly/edge-apps-actions/initialize@v1
  with:
    screenly_api_token: ${{ secrets.SCREENLY_API_TOKEN }}
    edge_app_name: ${{ inputs.edge_app_name }}
    edge_app_title: ${{ inputs.edge_app_title }}
    environment: ${{ inputs.environment }}
    path: edge-apps/${{ inputs.edge_app_name }}

Supply-chain risk

Screenly/edge-apps-actions/update@v1 is pinned to a mutable tag instead of an immutable commit SHA. A retag or upstream compromise would let unreviewed code run in this job with SCREENLY_API_TOKEN.

- uses: Screenly/edge-apps-actions/update@v1
  with:
    screenly_api_token: ${{ secrets.SCREENLY_API_TOKEN }}
    environment: ${{ inputs.environment }}
    delete_missing_settings: ${{ inputs.delete_missing_settings }}
    path: edge-apps/${{ inputs.edge_app_name }}

github-actions Bot commented May 9, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Security
Pin reusable action revision

uses points at a mutable feature branch, so a later push to feat/add-path-input can
change what runs on master without any change in this repository. Pin the reusable
action to an immutable commit SHA (or a trusted release tag) so the workflow stays
reproducible and cannot pick up unreviewed code.

.github/workflows/initialize-app.yml [41-47]

-uses: Screenly/edge-apps-actions/initialize@feat/add-path-input
+uses: Screenly/edge-apps-actions/initialize@<full-commit-sha>
 with:
   screenly_api_token: ${{ secrets.SCREENLY_API_TOKEN }}
   edge_app_name: ${{ inputs.edge_app_name }}
   edge_app_title: ${{ inputs.edge_app_title }}
   environment: ${{ inputs.environment }}
   path: edge-apps/${{ inputs.edge_app_name }}
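Review bot: the replacement `uses:` line leaves no record of which release the pinned commit corresponds to, so a later reader of the workflow cannot tell what version `<full-commit-sha>` is; add a trailing comment naming the tag next to the SHA (for example `# v1`). The hunk also covers only .github/workflows/initialize-app.yml [41-47], while the PR description says update-edge-app.yml was switched to the same Screenly/edge-apps-actions repository, so the same pin is needed on its `uses:` line.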
Suggestion importance [1-10]: 9

Why: uses references the mutable branch feat/add-path-input, which creates a real reproducibility and supply-chain risk for a workflow running on master. Pinning Screenly/edge-apps-actions/initialize to an immutable SHA is accurate and has high security value.

High
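An added example, not part of this pull request or of any Screenly repository: a small check for the risk both bot comments above describe, flagging every `uses:` reference that is not pinned to a full 40-character commit SHA. The sample workflow text, the local action path and the SHA in it are constructed for illustration; only the two Screenly action references come from this page.

```python
import re

# Matches a step- or job-level `uses:` value; quotes and trailing comments are tolerated.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(uses_value):
    """Return 'local', 'docker', 'sha' or 'mutable' for one `uses:` value."""
    if uses_value.startswith("./"):
        return "local"    # action stored in the same repository and commit
    if uses_value.startswith("docker://"):
        return "docker"   # image reference; digest pinning is a separate check
    _, _, ref = uses_value.partition("@")
    # Branches, tags and abbreviated SHAs can all be moved or re-resolved later.
    return "sha" if FULL_SHA_RE.fullmatch(ref) else "mutable"


def find_mutable_refs(workflow_text):
    """Return (line_number, uses_value) for each action not pinned to a full SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/setup
      - uses: Screenly/edge-apps-actions/initialize@feat/add-path-input
        with:
          screenly_api_token: ${{ secrets.SCREENLY_API_TOKEN }}
      - uses: Screenly/edge-apps-actions/update@v1
      - uses: Screenly/edge-apps-actions/update@0123456789abcdef0123456789abcdef01234567  # v1
"""

if __name__ == "__main__":
    for number, value in find_mutable_refs(SAMPLE):
        print(f"line {number}: {value} is not pinned to a full commit SHA")
```

Run over the files in .github/workflows as a CI step, a non-empty result can fail the build before a branch or tag reference reaches master.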

Copilot AI (Contributor) left a comment

Pull request overview

This PR refactors the manual Edge App deployment workflows to rely on reusable actions from Screenly/edge-apps-actions, simplifying the workflow inputs and standardizing deploy behavior for the monorepo’s edge-apps/<app_name> layout.

Changes:

  • Replaced inline build/deploy logic in the Edge App workflows with Screenly/edge-apps-actions (initialize and update).
  • Removed build_system and deploy_from_dist workflow inputs in favor of action auto-detection.
  • Passed an explicit path: edge-apps/<edge_app_name> to support the monorepo directory structure.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File / Description

  • .github/workflows/update-edge-app.yml: Switches Edge App update flow to Screenly/edge-apps-actions/update and removes inline build/deploy steps.
  • .github/workflows/initialize-app.yml: Switches Edge App initialization flow to Screenly/edge-apps-actions/initialize and removes inline create/deploy/instance steps.

Comment thread .github/workflows/update-edge-app.yml Outdated
Comment thread .github/workflows/initialize-app.yml Outdated

- Pin initialize action from feat/add-path-input to v1
- Pin update action from feat/add-path-input to v1

nicomiguelino marked this pull request as ready for review May 11, 2026 02:11
nicomiguelino requested a review from Copilot May 11, 2026 02:11

@github-actions

Persistent review updated to latest commit ef5e445

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/update-edge-app.yml
Comment thread .github/workflows/initialize-app.yml
@github-actions

PR Code Suggestions ✨

No code suggestions found for the PR.
