
Merge lint.yml into the existing build workflows#145

Merged
omeritzics merged 1 commit into main from fix-gradle-filter-type
Feb 15, 2026

Conversation

@omeritzics
Owner

@omeritzics omeritzics commented Feb 15, 2026

PR Type

Enhancement


Description

  • Consolidate lint workflow into existing build workflows

  • Add linting and formatting steps to CI, nightly, and release pipelines

  • Update checkout actions with GITHUB_TOKEN for authentication

  • Change CI permissions from read to write for auto-commit capability


Diagram Walkthrough

flowchart LR
  lint["lint.yml<br/>Standalone Workflow"]
  ci["ci.yml"]
  nightly["nightly.yml"]
  release["release.yml"]
  lint -- "merge" --> ci
  lint -- "merge" --> nightly
  lint -- "merge" --> release
  ci -- "add token" --> checkout1["Checkout with Token"]
  nightly -- "add token" --> checkout2["Checkout with Token"]
  release -- "add token" --> checkout3["Checkout with Token"]

File Walkthrough

Relevant files
Configuration changes
ci.yml
Integrate linting workflow into CI pipeline                           

.github/workflows/ci.yml

  • Changed contents permission from read to write
  • Added GITHUB_TOKEN to checkout step
  • Integrated auto-fix linting, formatting, and auto-commit steps
  • Separated signing config stripping into dedicated step
+17/-2   
lint.yml
Delete standalone lint workflow                                                   

.github/workflows/lint.yml

  • Removed entire workflow file as functionality merged into other
    workflows
+0/-38   
nightly.yml
Integrate linting workflow into nightly pipeline                 

.github/workflows/nightly.yml

  • Added GITHUB_TOKEN to checkout step
  • Integrated install dependencies, auto-fix linting, formatting, and
    auto-commit steps
+16/-0   
release.yml
Integrate linting workflow into release pipeline                 

.github/workflows/release.yml

  • Added GITHUB_TOKEN to checkout step
  • Integrated install dependencies, auto-fix linting, formatting, and
    auto-commit steps
+17/-0   

@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@omeritzics omeritzics merged commit d1addd1 into main Feb 15, 2026
2 of 3 checks passed
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

  • .github/workflows/lint.yml

@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Excessive token permissions

Description: The workflow elevates contents: write and then uses secrets.GITHUB_TOKEN with a
third-party auto-commit action (stefanzweifel/git-auto-commit-action@v5, similarly added
in nightly.yml and release.yml) to push changes back to the repo, which can be abused to
modify repository contents if this workflow can be triggered in untrusted contexts (e.g.,
PRs from forks or attacker-controlled branches) or if the referenced action/tag is
compromised. ci.yml [10-58]

Referred Code
permissions:
  contents: write

steps:
  - name: Free Disk Space
    uses: jlumbroso/free-disk-space@main
    with:
      tool-cache: true
      android: false

  - name: Checkout Code
    uses: actions/checkout@v6
    with:
      fetch-depth: 0
      token: ${{ secrets.GITHUB_TOKEN }}

  - name: Get Commit SHA
    id: vars
    run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

  - name: Setup Java


 ... (clipped 28 lines)
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
CI write actions: The workflow introduces automated write operations (auto-commit/push) without explicit
audit logging fields (actor/outcome) in the workflow itself, relying on GitHub-native
logs/commit history that must be verified as sufficient for audit requirements.

Referred Code
- name: Auto-fix linting issues
  run: dart fix --apply

- name: Format code
  run: dart format .

- name: Commit and Push changes
  uses: stefanzweifel/git-auto-commit-action@v5
  with:
    commit_message: "style: auto-fix linting and formatting issues"
    branch: ${{ github.ref_name }}


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Elevated token usage: The workflow escalates contents: write and uses GITHUB_TOKEN to auto-commit/push, which
requires human verification that triggers/branch protections and least-privilege
constraints prevent unauthorized writes.

Referred Code
  contents: write

steps:
  - name: Free Disk Space
    uses: jlumbroso/free-disk-space@main
    with:
      tool-cache: true
      android: false

  - name: Checkout Code
    uses: actions/checkout@v6
    with:
      fetch-depth: 0
      token: ${{ secrets.GITHUB_TOKEN }}

  - name: Get Commit SHA
    id: vars
    run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

  - name: Setup Java
    uses: actions/setup-java@v5


 ... (clipped 27 lines)


Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
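The "Excessive token permissions" finding above describes a combination that is easy to check mechanically before a workflow change like this one is merged: a write-scoped GITHUB_TOKEN, action references pinned to mutable tags or branches rather than a commit SHA, and a trigger that can run on code from untrusted branches. The script below is an added example written for this page, not code from the pull request or the repository. It scans a workflow file line by line for those three signals without needing a YAML library. The two sample workflows are constructed here: the first is modelled on the ci.yml excerpt quoted in the finding (the `pull_request_target` trigger is an assumption added for illustration, not the repository's real trigger), and the second shows a read-only, SHA-pinned variant in which the 40-zero SHA is a placeholder and the check-only `dart format` invocation is an alternative to rewriting sources, not something the PR contains.

```python
"""Line-oriented audit of a GitHub Actions workflow for the risk pattern
flagged in the compliance finding: write-scoped token permissions, action
refs that are not pinned to a full commit SHA, and a pull_request_target
trigger combined with write permissions. Heuristic (no full YAML parser),
good enough for the flat workflow layout GitHub uses."""

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the ci.yml excerpt quoted on the page.
# The pull_request_target trigger is an assumption for illustration.
SAMPLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
  push:
    branches: [main]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Free Disk Space
        uses: jlumbroso/free-disk-space@main
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Commit and Push changes
        uses: stefanzweifel/git-auto-commit-action@v5
"""

# Constructed hardened variant: read-only token, no untrusted trigger,
# action pinned to a commit SHA (the 40 zeros are a placeholder, not a
# real commit), and formatting checked rather than rewritten and pushed.
HARDENED_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - name: Format check only
        run: dart format --output=none --set-exit-code-if-changed .
"""


@dataclass
class Finding:
    rule: str    # short rule identifier
    line: int    # 1-based line number within the workflow text
    detail: str  # human-readable explanation


USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERM_WRITE_RE = re.compile(r"^\s*([a-z-]+)\s*:\s*write\s*$")  # 'write-all' not covered
TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> List[Finding]:
    """Return every finding for one workflow file's text."""
    findings: List[Finding] = []
    write_scopes: List[str] = []
    untrusted_trigger_line = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        perm = PERM_WRITE_RE.match(raw)
        if perm:
            write_scopes.append(perm.group(1))
            findings.append(Finding("write-permission", lineno,
                f"'{perm.group(1)}: write' grants the job token write access; "
                "scope it to the single job that needs it"))
            continue
        if TRIGGER_RE.match(raw):
            untrusted_trigger_line = lineno
            continue
        used = USES_RE.match(raw)
        if not used:
            continue
        ref = used.group(1)
        if ref.startswith(("docker://", "./")):
            continue  # container images and local actions have no @ref to pin
        if "@" not in ref:
            findings.append(Finding("unpinned-action", lineno, f"{ref}: no ref given"))
            continue
        name, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append(Finding("unpinned-action", lineno,
                f"{name} uses mutable ref '{version}' instead of a full commit SHA"))
    if untrusted_trigger_line and write_scopes:
        findings.append(Finding("write-on-untrusted-trigger", untrusted_trigger_line,
            "pull_request_target runs with the base repository's token; combined with "
            "write permissions, a pull request from a fork can drive a privileged job"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. for a CI gate threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:3d} [{f.rule}] {f.detail}")
    print("hardened:", audit_workflow(HARDENED_WORKFLOW) or "no findings")
```

Run against the first sample it reports the three unpinned actions from the quoted excerpt, the `contents: write` grant, and the trigger/permission combination; the hardened variant produces no findings. The check is deliberately a heuristic: it does not resolve reusable workflows, `write-all`, or job-level overrides, so treat its output as a review prompt rather than a verdict.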

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Remove auto-commit from release workflow

Remove the auto-fix, format, and auto-commit steps from the release.yml
workflow, as committing to a tag is not possible and release artifacts should be
built from immutable code.

.github/workflows/release.yml [43-47]

-- name: Commit and Push changes
-  uses: stefanzweifel/git-auto-commit-action@v5
-  with:
-    commit_message: "style: auto-fix linting and formatting issues"
-    branch: ${{ github.ref_name }}
+# The auto-commit action is removed as it's not applicable for tag-based workflows.
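Review bot: the hunk deletes only the "Commit and Push changes" step, while the suggestion text says to drop the auto-fix, format and auto-commit steps together. If `dart fix --apply` and `dart format .` remain in release.yml, the release artifact is built from a working tree that no longer matches the tagged commit, which is exactly the immutability problem the suggestion is meant to fix. Remove those two steps in the same change, or replace them with a check-only invocation that fails the build on drift instead of rewriting sources.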
Suggestion importance[1-10]: 10


Why: The suggestion correctly points out that auto-committing to a tag during a release is not possible and is bad practice, as releases should be built from immutable code. Removing these steps prevents a workflow failure and enforces release best practices.

High
Use correct ref for pull requests

In the ci.yml workflow, change the branch for the auto-commit step from
github.ref_name to github.head_ref to correctly push changes to the pull
request's source branch.

.github/workflows/ci.yml [53-57]

 - name: Commit and Push changes
   uses: stefanzweifel/git-auto-commit-action@v5
   with:
     commit_message: "style: auto-fix linting and formatting issues"
-    branch: ${{ github.ref_name }}
+    branch: ${{ github.head_ref }}
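Review bot: `github.head_ref` is only populated for pull_request events; if ci.yml also runs on push (the current `github.ref_name` value in the removed line suggests pushes were the intended case), the new value is empty there and the action falls back to its own default rather than the intended branch. Guard the step with an `if:` on `github.event_name`, or use `${{ github.head_ref || github.ref_name }}`. Separately, for pull requests opened from forks the GITHUB_TOKEN is read-only, so the push fails regardless of the ref; skip the step when `github.event.pull_request.head.repo.full_name != github.repository` rather than letting the job error out.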
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies a bug where the auto-commit step would fail on pull requests because github.ref_name is not a branch that can be pushed to in that context, and provides the correct fix using github.head_ref.

High
General
Prevent triggering redundant CI builds

In the nightly.yml workflow, add [skip ci] to the auto-commit message to prevent
the commit from triggering other CI workflows.

.github/workflows/nightly.yml [57-61]

 - name: Commit and Push changes
   uses: stefanzweifel/git-auto-commit-action@v5
   with:
-    commit_message: "style: auto-fix linting and formatting issues"
+    commit_message: "style: auto-fix linting and formatting issues [skip ci]"
     branch: ${{ github.ref_name }}
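Review bot: `[skip ci]` only suppresses workflows triggered by push and pull_request events, so it does not affect a scheduled nightly run, and the commit that carries it lands on `github.ref_name` without the push-triggered checks from ci.yml ever running on it. Before adopting this, confirm that an unchecked formatting commit on that branch is acceptable under the branch protection rules; if it is not, prefer a dedicated bot-commit guard in ci.yml (for example an `if:` that skips the auto-commit step when the triggering actor is the Actions bot) over skipping verification entirely.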
Suggestion importance[1-10]: 7


Why: This is a good practice suggestion to prevent potential workflow loops or redundant runs by adding [skip ci] to the commit message, improving the robustness of the CI/CD pipeline.

Medium
