feat!: remove inline run callback emission path#161
Merged
Conversation
Inline run:/shell: callbacks are no longer supported. The fields still parse so manifests are detected, but validation now rejects them with an actionable message pointing at the reusable workflow path. BREAKING CHANGE: manifests using run: or shell: on a callback are now rejected; provide a reusable workflow via workflow: instead. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Every callback (validate, build, deploy) is now always emitted as a reusable-workflow uses: job, single or matrix. The inline run: emission branches, the writeInlineDeployBody/writeInlineRunBody/inlineEnvInputs helpers, the per-callback job-attribute emitters, and the inline-only passthrough step injectors are removed. CallbackInfo.Run and CallbackInfo.Shell are gone. BREAKING CHANGE: cascade no longer emits inline run: deploy/build/validate jobs; callbacks must be reusable workflows. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Delete tests covering inline run: emission and per-callback job attributes, convert timeout/passthrough/env-gate fixtures to reusable workflow callbacks, and assert the new run:/shell: rejection messages. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Remove generator-verification scenarios that asserted inline run: output, and convert rollback, validate, and build-failure scenarios to stage reusable workflow fixtures instead of inline run: callbacks. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Remove inline run: callback examples and prose, add a migration note for moving inline scripts into reusable workflows, and regenerate the dogfood workflows from the workflow-only manifest. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
joshua-temple
added a commit
that referenced
this pull request
Jun 14, 2026
#162 (#163) * test(e2e): seed callback workflows before generation for validate and failing-rollback scenarios PR #161 removed the inline run callback emission path and converted two scenarios to reusable workflows, but staged the referenced workflow bodies only via a step commit.files, which lands after generation runs. The harness seeds callback stubs and runs generation once at setup, so validate.yaml was missing at generation time and the failing rollback deploy used the generic non-failing stub. PR #162 narrowed the transient classifier and surfaced both. Add a setup_workflows map on MultiStepScenario seeded into the setup commit before generation, and a validate workflow_call stub clause keyed on config.validate.workflow. Move the failing deploy-app.yaml into setup_workflows so the rollback re-deploy fails under the Rollback caller, and rely on the seeded validate stub so orchestrate.yaml generation emits the gate. Test-infra only; no product behavior change. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com> * test(e2e): fail rollback re-deploy via dispatch env not caller workflow name Inside a reusable workflow_call callback, $GITHUB_WORKFLOW is the callee's own name, not the caller's, on act and on real GitHub. The converted rollback scenario keyed its failing deploy on the caller name (Rollback*), which never matches, so the re-deploy always succeeded and the state-unchanged assertion broke. Both promote and rollback also dispatch via workflow_dispatch, so the event name cannot disambiguate either. Set CASCADE_E2E_ROLLBACK on the rollback dispatch only and key the deploy callback on it; act passes top-level env into the reusable callee. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com> --------- Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Inline
run:/shell:callbacks were a parallel, second-class emission path next to the reusable-workflow path. They were also an injection locus: the manifest script text was interpolated into a generatedrun:step. Maintaining two codepaths (inline cascade-owned step jobs vs reusableuses:jobs) doubled the surface for every generator feature.Fix
Remove the inline emission path entirely. Every callback (validate, build, deploy) is now always a reusable-workflow
uses:job, single or matrix. Config still parsesrun:/shell:so a stale manifest is detected, but validation rejects them with an actionable message.Exact rejection messages:
<callback>: inline run: callbacks are no longer supported; provide a reusable workflow via workflow: (see docs/security/hardening or the callback contract)<callback>: shell: is no longer supported; inline run callbacks were removed, provide a reusable workflow via workflow:<callback>: workflow is requiredBREAKING CHANGE
Manifests that set
run:orshell:on a callback are now rejected. Migrate by moving the script into a reusable workflow under.github/workflows/(on: workflow_call) and pointing the callback at it viaworkflow:. A migration note was added to the callback contract docs.Removed vs converted
promote.go,generator.go,rollback.go,hotfix.go; helperswriteInlineDeployBody,writeInlineRunBody,inlineEnvInputs; the per-callback job-attribute emitters (wholejob_attributes.go); inline-only passthrough step injectors;CallbackInfo.Run/.Shell.Verification
go build ./... && go test ./...: 1262 passed.go test -race ./internal/config/... ./internal/generate/...: pass, no races.golangci-lint run ./...: no issues (root and e2e module).go build ./... && go vet ./...: clean.