
ci: repair invalid workflow syntax #339

Merged
KooshaPari merged 2 commits into main from fix/main-workflow-syntax
Apr 24, 2026
@KooshaPari
Owner

@KooshaPari KooshaPari commented Apr 24, 2026

User description

## Summary
- Remove duplicate with blocks in workflow steps
- Replace invalid job status expressions with needs results
- Fix frontend coverage heredoc parsing
- Move Pulumi secret check out of job-level if

## Validation
- ruby YAML load for affected workflows
- actionlint fatal workflow validation with shellcheck/deprecated-action style warnings ignored
- git diff --check

Co-authored-by: Codex noreply@openai.com

Note

Medium Risk
Medium risk because it changes GitHub Actions trigger path filters and step/job conditionals (including Pulumi deploy gating), which could inadvertently skip or run CI/CD jobs unexpectedly.

Overview
Fixes multiple GitHub Actions workflow syntax/logic issues and reduces unnecessary runs by adding paths filters to the CI/CD Pipeline, Contracts & SDKs, and Comprehensive Test Validation workflows.

Repairs CI reporting/execution correctness by fixing the frontend coverage heredoc script output, updating the validation report to use needs.<job>.result for suite statuses, and adjusting the Pulumi iac-dev job to always start but skip only the Pulumi steps when PULUMI_ACCESS_TOKEN is not set.

Reviewed by Cursor Bugbot for commit d7d6884. Bugbot is set up for automated code reviews on this repo. Configure here.


CodeAnt-AI Description

Fix workflow parsing and avoid unnecessary CI runs

What Changed

  • Fixed GitHub Actions workflow syntax so CI, validation, and contract checks can run without parsing errors
  • The validation report now shows the real result for each test suite
  • Frontend coverage export now writes valid output again, keeping per-file coverage reporting available
  • The Pulumi dev deploy job now skips only the deploy steps when no access token is set, instead of blocking the whole job
  • Added path filters so broad CI workflows do not run on workflow-only changes

Impact

✅ Fewer broken CI runs
✅ Clearer test validation results
✅ Reliable frontend coverage reports


Remove duplicate with blocks, fix invalid job status expressions, normalize the frontend coverage heredoc, and move the Pulumi secret check to step-level env so workflow parsing succeeds.

Co-authored-by: Codex <noreply@openai.com>
@codeant-ai

codeant-ai Bot commented Apr 24, 2026

CodeAnt AI is reviewing your PR.



@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@KooshaPari KooshaPari added the layered-pr-exception Allow direct hotfix PR to main when policy gate exception is intentional label Apr 24, 2026
@coderabbitai

coderabbitai Bot commented Apr 24, 2026

Warning

Rate limit exceeded

@KooshaPari has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 56 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 56 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0bbf048a-2d53-410b-88bd-8033c2fade02

📥 Commits

Reviewing files that changed from the base of the PR and between bcf56fe and d7d6884.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/contracts.yml
  • .github/workflows/test-validation.yml

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'pre_merge_checks', 'pr_validation'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
📝 Walkthrough

Walkthrough

Three GitHub Actions workflow files are updated to fix YAML configuration issues and refactor conditional logic. Changes include removing duplicated with: blocks in setup actions, rewriting frontend coverage script for clarity, and updating job status references to use the correct context variables.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Setup Action YAML Fixes: .github/workflows/contracts.yml, .github/workflows/test-validation.yml | Remove invalid/duplicated with: keys from setup-python and setup-node steps while preserving intended configuration parameters. |
| Frontend Coverage & Security Gating: .github/workflows/ci.yml | Refactor frontend coverage extraction script for improved clarity; migrate secret-based gating logic from job-level to step-level if: conditions using env.PULUMI_ACCESS_TOKEN. |
| Validation Report Status References: .github/workflows/test-validation.yml | Update consolidated validation report table to reference job results via needs.<suite>.result instead of job.<suite>.status for accuracy across four test suites. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Workflows now hop with cleaner ways,
Duplicate keys removed from the maze,
Secrets secured at step-level height,
Status references pointing so right,
CI/CD pipelines running just right! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'ci: repair invalid workflow syntax' directly and clearly summarizes the main change—fixing workflow YAML syntax issues across multiple CI files. |
| Description check | ✅ Passed | The description covers the key changes, validation approach, and includes risk assessment; however, it lacks the formal template structure with defined sections like Testing checklist and Related Issues. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Apr 24, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Add path filters so the legacy comprehensive validation, contracts, and broad CI workflows do not execute for workflow-only syntax fixes while preserving their source-code triggers.

Co-authored-by: Codex <noreply@openai.com>
@codeant-ai

codeant-ai Bot commented Apr 24, 2026

CodeAnt AI finished reviewing your PR.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/test-validation.yml (1)

193-222: ⚠️ Potential issue | 🟡 Minor

Quoted heredoc prevents $(date ...) from expanding.

cat > VALIDATION_REPORT.md << 'EOF' uses a quoted terminator, so shell command substitution is disabled and line 196 will be written to the report literally as $(date -u +'%Y-%m-%dT%H:%M:%SZ'). GitHub Actions ${{ … }} expressions are substituted before the shell runs, so those still work, but the timestamp won't. Pre-compute the date before the heredoc (or switch to unquoted EOF and escape the $s you want literal).

🐛 Proposed fix
       - name: Generate consolidated report
         run: |
+          TIMESTAMP="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
           cat > VALIDATION_REPORT.md << 'EOF'
           # Comprehensive Test Validation Report
 
-          - **Timestamp**: $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+          - **Timestamp**: __TIMESTAMP__
           - **Commit**: ${{ github.sha }}
           - **Branch**: ${{ github.ref_name }}
@@
           EOF
+          sed -i "s|__TIMESTAMP__|${TIMESTAMP}|" VALIDATION_REPORT.md
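Review bot: Keep the quoted 'EOF' terminator on the `cat > VALIDATION_REPORT.md` line and fill the timestamp through the `__TIMESTAMP__` placeholder as this hunk does, rather than switching to `<< EOF`. The heredoc body also carries `${{ github.ref_name }}`, which is pasted into the script text before the shell runs, so with an unquoted terminator any `$` sequences in a branch name would be expanded by the shell, while the quoted form keeps them literal. If the unquoted form is ever adopted, pass the ref name in through an `env:` variable instead of inlining the expression.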

Or simpler: drop the quotes on the terminator (<< EOF) — the ${{ … }} expressions are resolved by GHA before the shell sees the script, so they will still be substituted; just ensure nothing else inside relies on literal $.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-validation.yml around lines 193 - 222, The heredoc
uses a quoted terminator so command substitution is disabled: change the heredoc
invocation that writes to VALIDATION_REPORT.md (currently using `cat >
VALIDATION_REPORT.md << 'EOF'`) so the timestamp command expands — either remove
the single quotes and use an unquoted terminator (`<< EOF`) or precompute the
timestamp into a shell variable (e.g., TIMESTAMP="$(date -u
+'%Y-%m-%dT%H:%M:%SZ')" before the heredoc) and reference that variable inside
the heredoc; update the heredoc block that contains `$(date -u
+'%Y-%m-%dT%H:%M:%SZ')` accordingly so the final file contains a real timestamp.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d33ef12c-7c4f-4005-bee1-f82754a53dec

📥 Commits

Reviewing files that changed from the base of the PR and between ab5f80f and bcf56fe.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/contracts.yml
  • .github/workflows/test-validation.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/contracts.yml

Comment thread .github/workflows/ci.yml
Comment on lines +1417 to +1433
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Install Pulumi Node.js dependencies
if: env.PULUMI_ACCESS_TOKEN != ''
working-directory: infra
run: bun install

- name: Pulumi up (dev)
if: env.PULUMI_ACCESS_TOKEN != ''
uses: pulumi/actions@v5
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_ACCESS_TOKEN: ${{ env.PULUMI_ACCESS_TOKEN }}
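Review bot: The job-level `env:` at the top of this hunk places `PULUMI_ACCESS_TOKEN` in the environment of every step in the job, including `Checkout code` and the `bun install` step, although only the `pulumi/actions@v5` step needs it. Consider a job-level non-secret flag for the `if:` conditions, for example `HAS_PULUMI_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN != '' }}` (a hypothetical name) checked with `if: env.HAS_PULUMI_TOKEN == 'true'`, and keep the secret itself only in the Pulumi step's own `env:`.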

🧹 Nitpick | 🔵 Trivial

Redundant step-level env for PULUMI_ACCESS_TOKEN.

Since PULUMI_ACCESS_TOKEN is already exposed at the job level (lines 1417-1418), steps inherit it automatically. The inner env: on the Pulumi step that re-exports ${{ env.PULUMI_ACCESS_TOKEN }} is redundant and can be removed to reduce surface area. The step-level if: env.PULUMI_ACCESS_TOKEN != '' gating itself is fine (the env context is available in step-level if).

♻️ Proposed simplification
     - name: Pulumi up (dev)
       if: env.PULUMI_ACCESS_TOKEN != ''
       uses: pulumi/actions@v5
-      env:
-        PULUMI_ACCESS_TOKEN: ${{ env.PULUMI_ACCESS_TOKEN }}
       with:
         command: up
         stack-name: dev
         work-dir: infra
         comment-on-pr: false
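Review bot: `uses: pulumi/actions@v5` refers to a movable tag, and this is the step that runs with `PULUMI_ACCESS_TOKEN` available; pinning the action to a full commit SHA, with the version kept in a trailing comment, would stop the code that receives the token from changing without a reviewed diff. Note also that dropping the step-level `env:` as shown leaves the token exposed job-wide, so the removal is a tidy-up and does not narrow which steps can read it.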
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 1417 - 1433, The step-level env that
re-exports PULUMI_ACCESS_TOKEN is redundant because the job-level env already
exposes it; remove the inner env block from the "Pulumi up (dev)" step (the step
using pulumi/actions@v5) while keeping the existing step-level if:
env.PULUMI_ACCESS_TOKEN != '' gating intact so the step still only runs when the
token is present.

@KooshaPari KooshaPari enabled auto-merge (squash) April 24, 2026 05:50
@kilo-code-bot
Contributor

kilo-code-bot Bot commented Apr 24, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

This PR fixes GitHub Actions workflow syntax and correctness issues across three workflow files:

  1. .github/workflows/ci.yml - Path-based triggers, coverage script cleanup, Pulumi deploy refactor
  2. .github/workflows/contracts.yml - Path-based triggers, YAML syntax error fix
  3. .github/workflows/test-validation.yml - Path-based triggers, YAML syntax error fixes, job status expression fixes

Key Changes

  • Path filters: Added conditional triggering based on changed file paths to reduce unnecessary CI runs (new feature, works correctly)
  • YAML syntax fixes: Removed duplicate with: keys that would cause workflow parsing failures (critical fixes)
  • Job status: Changed from job.*.status to needs.*.result for correct dependent job status references
  • Coverage script: Code formatting cleanup, no functional changes
  • Pulumi deploy: Changed from job-level to step-level conditional gating (functionally equivalent)

Observations

  • CodeRabbit review flagged a redundant env: block in the Pulumi step (it re-exports a job-level env var). Not critical but could be cleaned up (details)
  • A heredoc timestamp issue in test-validation.yml (quoted 'EOF' prevents $(date) expansion) exists in the base code but is outside the scope of this PR's changes
  • No Rust code changes, so clippy/fmt checks don't apply
  • No security concerns: no hardcoded secrets, proper env var usage

Test Validation

  • PR author validated changes with actionlint, ruby YAML load, and git diff --check
  • All changes are self-contained to workflow configuration
Files Reviewed (3 files)
  • .github/workflows/ci.yml
  • .github/workflows/contracts.yml
  • .github/workflows/test-validation.yml

Reviewed by ling-2.6-1t-20260423:free · 1,680,505 tokens

@KooshaPari KooshaPari merged commit 4e682b3 into main Apr 24, 2026
29 of 31 checks passed
@KooshaPari KooshaPari deleted the fix/main-workflow-syntax branch April 24, 2026 22:18
@codeant-ai

codeant-ai Bot commented Apr 30, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:L This PR changes 100-499 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels Apr 30, 2026
@codeant-ai

codeant-ai Bot commented Apr 30, 2026

CodeAnt AI finished running the review.



@codeant-ai

codeant-ai Bot commented Apr 30, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:L This PR changes 100-499 lines, ignoring generated files and removed size:L This PR changes 100-499 lines, ignoring generated files labels Apr 30, 2026
@codeant-ai

codeant-ai Bot commented Apr 30, 2026

CodeAnt AI finished running the review.



@codeant-ai

codeant-ai Bot commented May 1, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:L This PR changes 100-499 lines, ignoring generated files and removed size:L This PR changes 100-499 lines, ignoring generated files labels May 1, 2026
@codeant-ai

codeant-ai Bot commented May 1, 2026

CodeAnt AI finished running the review.



@codeant-ai

codeant-ai Bot commented May 1, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot removed the size:L This PR changes 100-499 lines, ignoring generated files label May 1, 2026
@codeant-ai codeant-ai Bot added the size:L This PR changes 100-499 lines, ignoring generated files label May 1, 2026
@codeant-ai

codeant-ai Bot commented May 1, 2026

CodeAnt AI finished running the review.



@coderabbitai coderabbitai Bot mentioned this pull request May 6, 2026
2 tasks