feat(gitlab): bring GitLab rhiza_validate to parity with GitHub Actions equivalent#952
…ck jobs and activate semgrep/license workflows Agent-Logs-Url: https://github.com/Jebel-Quant/rhiza/sessions/6b5a2c93-68c7-4b6d-9b6f-a27217939f53 Co-authored-by: tschm <2046079+tschm@users.noreply.github.com>
Pull request overview
This PR updates the GitLab CI configuration to match the richer “validate” workflow currently implemented in GitHub Actions, and wires previously orphaned Semgrep and license workflows into the main .gitlab-ci.yml pipeline.
Changes:
- Expanded .gitlab/workflows/rhiza_validate.yml with security, scheduled pip-audit, and typecheck jobs.
- Enhanced .gitlab/workflows/rhiza_license.yml to generate and publish a LICENSES.md artifact.
- Activated Semgrep and license workflow includes in .gitlab-ci.yml and updated GitLab workflow documentation/comparison docs.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .gitlab/workflows/rhiza_validate.yml | Adds security, scheduled pip-audit, and typecheck jobs to the GitLab validate workflow. |
| .gitlab/workflows/rhiza_license.yml | Generates LICENSES.md via pip-licenses and publishes it as an artifact. |
| .gitlab-ci.yml | Includes Semgrep and license workflow files so they actually run in pipelines. |
| .gitlab/README.md | Documents the added/activated GitLab workflows and updates section numbering. |
| .gitlab/COMPARISON.md | Updates the GitHub Actions vs GitLab CI mapping table to reflect the expanded validate coverage. |
| - `pip-audit` job only runs on scheduled pipelines | ||
|
|
||
| **Key Features:** | ||
| - Runs `make validate`, which fires the full hook chain (`pre-validate`, `rhiza-test`, `uvx rhiza validate .`, `post-validate`) | ||
| - Skips validation in the rhiza repository itself (handled internally by `make validate`) | ||
| - Runs `make security` (pip-audit + bandit) on push/MR | ||
| - Runs `uvx pip-audit` on scheduled pipelines for dependency vulnerability scanning |
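Review bot: the pip-audit trigger is described twice in this README section (the "`pip-audit` job only runs on scheduled pipelines" line and the "Runs `uvx pip-audit` on scheduled pipelines" Key Features bullet), and both have to change whenever the job rules in .gitlab/workflows/rhiza_validate.yml change; state the trigger condition once and have the other line refer to the `validate:pip-audit` job by name, so the docs cannot drift from the workflow in only one of the two places.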
This section says the pip-audit job only runs on scheduled pipelines, but .gitlab/workflows/rhiza_validate.yml also enables it on CI_PIPELINE_SOURCE == "web". Either document the manual trigger path here or remove the web rule so the docs match behavior.
| - `pip-audit` job only runs on scheduled pipelines | |
| **Key Features:** | |
| - Runs `make validate`, which fires the full hook chain (`pre-validate`, `rhiza-test`, `uvx rhiza validate .`, `post-validate`) | |
| - Skips validation in the rhiza repository itself (handled internally by `make validate`) | |
| - Runs `make security` (pip-audit + bandit) on push/MR | |
| - Runs `uvx pip-audit` on scheduled pipelines for dependency vulnerability scanning | |
| - Dedicated `pip-audit` job runs on scheduled pipelines and manually triggered (`web`) pipelines | |
| **Key Features:** | |
| - Runs `make validate`, which fires the full hook chain (`pre-validate`, `rhiza-test`, `uvx rhiza validate .`, `post-validate`) | |
| - Skips validation in the rhiza repository itself (handled internally by `make validate`) | |
| - Runs `make security` (pip-audit + bandit) on push/MR | |
| - Runs `uvx pip-audit` on scheduled and manually triggered (`web`) pipelines for dependency vulnerability scanning |
| - LICENSES.md | ||
| when: always | ||
| expire_in: 30 days | ||
| rules: |
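Review bot: `when: always` on the LICENSES.md artifact publishes the file even when the pip-licenses step fails, so a partial or stale LICENSES.md can be downloaded from a red job and mistaken for the result of a passing license check; if the artifact is meant to be the record of a successful check, use `when: on_success`, and keep `always` only if consumers are expected to look at the job status rather than the file.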
This workflow's rules allow it to run on scheduled (and web) pipelines via $CI_COMMIT_BRANCH. The GitHub license job is skipped on schedule and workflow_dispatch; if parity is desired, add explicit skip rules for CI_PIPELINE_SOURCE == "schedule" (and likely "web") here, or update the documentation/parity claims accordingly.
| rules: | |
| rules: | |
| - if: '$CI_PIPELINE_SOURCE == "schedule"' | |
| when: never | |
| - if: '$CI_PIPELINE_SOURCE == "web"' | |
| when: never |
| # pip-audit runs only on scheduled pipelines. | ||
| # |
The header comment says pip-audit runs only on scheduled pipelines, but the job rules also allow running on CI_PIPELINE_SOURCE == "web". Either remove the web rule or update the comment to reflect that pip-audit can be run from manually-triggered (web) pipelines too.
| # pip-audit runs only on scheduled pipelines. | |
| # | |
| # pip-audit runs on scheduled pipelines and on manually-triggered | |
| # (web) pipelines. |
| script: | ||
| - uvx pip-audit |
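Review bot: `uvx pip-audit` with no version resolves the latest pip-audit release on every scheduled run, so the audit tool itself is unpinned in the one job whose purpose is dependency hygiene; pin it (for example with uvx's `pip-audit@<version>` form, version chosen by the maintainers) so a scheduled failure is attributable to a new advisory rather than to a new tool release. If the `make security` ignore list (`--ignore-vuln CVE-2026-4539`) is reused here as suggested, record the reason and a review date next to that entry so the suppression is revisited instead of carried indefinitely.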
validate:pip-audit runs uvx pip-audit without the CVE ignore that make security applies (Makefile security target passes --ignore-vuln CVE-2026-4539). This will make the scheduled/manual audit behave differently from the security job and may cause the audit job to fail when the security job passes. Consider invoking the same shared configuration (e.g., a make target or the same ignore flags) here.
| script: | |
| - uvx pip-audit | |
| variables: | |
| UV_EXTRA_INDEX_URL: "${UV_EXTRA_INDEX_URL}" | |
| script: | |
| - make security |
| - make security | ||
| rules: | ||
| - if: $CI_PIPELINE_SOURCE == "schedule" | ||
| when: never |
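Review bot: with `schedule` excluded here (and `web` too if the parity suggestion is taken), bandit never gets a scheduled run at all, because it only exists inside `make security`; the only scheduled scan is pip-audit via the dedicated `validate:pip-audit` job. That matches the GitHub setup, but it is worth stating in .gitlab/README.md so nobody expects scheduled bandit results, and it is the reason the separate pip-audit job should stay even though it overlaps with `make security` on push/MR.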
For parity with the GitHub Actions workflow, validate:security currently skips scheduled pipelines but still runs on CI_PIPELINE_SOURCE == "web" (manual runs). In GitHub, the security job is explicitly skipped on workflow_dispatch. If parity is the goal, add a web skip rule here (or update the parity/docs statement accordingly).
| when: never | |
| when: never | |
| - if: $CI_PIPELINE_SOURCE == "web" | |
| when: never |
| - make typecheck | ||
| rules: | ||
| - if: $CI_PIPELINE_SOURCE == "schedule" | ||
| when: never |
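Review bot: these rules duplicate the `validate:security` rules line for line, and the parity comment on that job applies here identically; define the schedule/web exclusions once, e.g. in a hidden job used via `extends` (a name like `.rules-push-mr` is only an example) or a YAML anchor, so the next parity fix is made in one place rather than in every job.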
For parity with the GitHub Actions workflow, validate:typecheck currently skips scheduled pipelines but still runs on CI_PIPELINE_SOURCE == "web" (manual runs). In GitHub, the typecheck job is skipped on workflow_dispatch. If parity is the goal, add a web skip rule here (or update the parity/docs statement accordingly).
| when: never | |
| when: never | |
| - if: $CI_PIPELINE_SOURCE == "web" | |
| when: never |
| # Semgrep - Static analysis with numpy rules | ||
| - local: '.gitlab/workflows/rhiza_semgrep.yml' | ||
| rules: | ||
| - if: $CI_COMMIT_TAG | ||
| when: never | ||
| - if: $CI_PIPELINE_SOURCE == "merge_request_event" | ||
| - if: $CI_COMMIT_BRANCH | ||
|
|
||
| # License compliance - Check for copyleft dependencies | ||
| - local: '.gitlab/workflows/rhiza_license.yml' | ||
| rules: | ||
| - if: $CI_COMMIT_TAG | ||
| when: never | ||
| - if: $CI_PIPELINE_SOURCE == "merge_request_event" | ||
| - if: $CI_COMMIT_BRANCH |
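Review bot: `include:rules` only decides whether each file is loaded into the pipeline; the jobs inside rhiza_semgrep.yml and rhiza_license.yml still run according to their own job-level `rules:`, so whatever schedule/web policy is chosen, check that the two layers agree rather than relying on the include rules alone. Separately, confirm that the `# Semgrep - Static analysis with numpy rules` comment names the ruleset the Semgrep config actually loads; a misleading comment next to an include is the kind of thing that survives the next parity audit.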
These includes will also apply on scheduled and web pipelines because the rules only check $CI_COMMIT_BRANCH / MR events. The GitHub equivalent skips semgrep/license on schedule and workflow_dispatch, and the new .gitlab/README.md trigger descriptions also omit schedule/manual for these workflows. Consider adding explicit schedule (and possibly web) when: never rules here to avoid running Semgrep/license on scheduled/manual pipelines.
Summary
The GitLab `rhiza_validate.yml` only ran `make validate`, while the GitHub Actions equivalent had 5 additional jobs. Two GitLab workflow files (`rhiza_semgrep.yml`, `rhiza_license.yml`) existed but were never wired into `.gitlab-ci.yml`.

Changes
- `.gitlab/workflows/rhiza_validate.yml` — Added three missing jobs mirroring GitHub Actions:
  - `validate:security` — `make security` (pip-audit + bandit); skips on scheduled pipelines
  - `validate:pip-audit` — `uvx pip-audit`; runs only on scheduled/web-triggered pipelines
  - `validate:typecheck` — `make typecheck` (ty); skips on scheduled pipelines
- `.gitlab/workflows/rhiza_license.yml` — Added `LICENSES.md` generation via `pip-licenses` and uploads it as a 30-day artifact, matching the GitHub license job
- `.gitlab-ci.yml` — Activated previously orphaned `rhiza_semgrep.yml` and `rhiza_license.yml` includes
- `.gitlab/README.md` — Added §4 Semgrep and §5 License workflow documentation; renumbered subsequent sections
- `.gitlab/COMPARISON.md` — Updated mapping table to accurately reflect full parity for all validate-related jobs

Testing
- `make test` passes locally
- `make fmt` has been run

Checklist
- `make deptry` passes (no unused or missing dependencies)