Partition GH Actions SDK Jobs into Sub Jobs#52411
Merged
nagilson merged 22 commits intodotnet:mainfrom Jan 13, 2026
Merged
Conversation
- Reduces the scopes of the job that have write permission by eliminating any script calls and passing artifacts instead to the other sub jobs. - Moves to v6 of checkout tasks to prevent .git copy - Blocks persistent credentials on checkout - Enforces only known owners can trigger workflows - Separates blocks into reusable components for commenting on PRs, checking out, etc
its like the same length of code
we could point to the sdk repo root with @main. using the local PR one would defeat the point. anyways I cant commit this to main until it works so let's not do that for now.
Thanks @/mmitche
mmitche
approved these changes
Jan 12, 2026
This was referenced Jan 12, 2026
Member
Author
|
/ba-g the existing failures are due to template engine SSL issues. |
This was referenced Jan 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Review
This PR has already been reviewed in https://dev.azure.com/dnceng/internal/_git/dotnet-sdk/pullrequest/56422 and other places. Please feel free to confirm the change list is the same but note that we already have approval from 3+ people.
This improves upon 3 actions which are currently disabled in the repo until this is merged, and we have already confirmed the fix plan in public as this PR.
Testing:
I've tested the actions in nagilson/sdk-private which is a private copy of the SDK repo.
There, I was able to demonstrate these tasks work:
Update XLF

Fix Completions

Update Static Web Assets
This has never been used once since it was created to my knowledge. I've looped in the owning team and they are aware of the changes.
Accomplishes
We don't remove the call to build.sh or use build.sh from main because a user could still inject MS Build logic to modify build behavior, and we must build the local copy because we need to run the tests/target to fix the intended problem the action is trying to resolve (test snapshots or xlf.)
Moves to v6 of checkout tasks to prevent .git/config from having any tokens, although persist-token is set to false. This is the simpler remedy applied to the update-static-web-assets action.
Blocks persistent credentials on checkout and empties environment variables to prevent scripts from taking tokens.
Enforces contributor authority for comments, which is now needed to trigger the workflow in a PR to prevent non-contributors from trying to trigger the action on a malicious PR.
Only pushes if the expected file types are changed per the action.
❗ Review Note:
There is plenty of duplicated logic in these workflows. However, the amount of overhead to pass arguments to a "sub-action" is quite substantial - to the point where the code ends up being about the same size. While it's good to reduce duplicated areas that will need modification, most of the logic is quite simple and replaceable via ctrl-f.
The exception to that is the logic to decide if we should commit or not by looking if the files changed are only of the expected extensions. (E.g.
/updatexlfshould only change.xlffiles - otherwise we should block the change.)What I've done is make a sub-action, but I don't use it yet because we don't want to rely on the user's forked copy of the action. Instead, we will point to
dotnet/sdk ... @mainto call the sub action. It's not possible to write that and have the workflow work until it's already been merged, so after this is merged I'll delete the code and call the sub action.