
Update nightly schedule to weekdays at 10:30 PM PT and fix security issues#2910

Merged
brandonpage merged 2 commits into
forcedotcom:devfrom
brandonpage:cleanup-ci-w22712082
May 29, 2026

Conversation

@brandonpage
Contributor

Summary

Implements W-22712082 — Cleanup CI for all Repos.

Schedule change: Nightly tests now run every weekday at 10:30 PM PT (30 6 * * 2-6 UTC), up from the previous Mon/Fri-only cadence. Catches regressions within 1 business day instead of up to 4.

Security hardening: All workflows updated to follow the GitHub Actions injection-prevention best practices:

  • All third-party actions SHA-pinned with the resolved tag in a comment (e.g., actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1). Closes the supply-chain attack vector where a moving tag could be retargeted.
  • Top-level permissions: block added to every workflow with the principle of least privilege: contents: read baseline, pull-requests: write only where Danger or mikepenz/action-junit-report posts PR comments.
  • secrets: inherit replaced with explicit secret pass-through at every reusable-workflow caller; on: workflow_call: secrets: blocks now declare exactly which secrets each reusable expects.
  • All ${{ ... }} shell interpolation in run: blocks refactored to env: variables with quoted shell expansions, so attacker-controlled strings cannot break out of the script context.
  • pull_request_target retained (required for fork PRs to receive secrets) with # zizmor: ignore[dangerous-triggers] and an inline comment documenting the Member Check mitigation.
  • actions/checkout steps set with: persist-credentials: false to prevent post-step credential exfiltration via .git/config.
  • Build-step logs archived on failure so engineers can diagnose template/sample-app build failures without re-running.
  • Job-level permissions: on reusable-workflow callers: since the reusable workflows declare permissions: { contents: read, pull-requests: write } (needed for mikepenz/action-junit-report PR comments), the calling jobs in nightly.yaml and pr.yaml now declare matching permissions explicitly. Without this, GitHub rejects the workflow at startup with startup_failure because a caller's effective permissions cannot be less than the called workflow's declared permissions.

After this change, zizmor --offline reports 0 High-confidence findings across all four CI workflows.

Test plan

  • Verified locally with python3 yaml.safe_load, actionlint -shellcheck=, zizmor --offline. All clean.
  • CI verification: opened test PR on personal fork (brandonpage/SalesforceMobileSDK-Android#31) targeting the same cleanup-ci-w22712082 branch as this PR. The test PR triggers the new workflows against a real source change in SalesforceAnalytics. No regressions observed — see linked PR for run details.
  • Reviewer to confirm the permissions: blocks match the team's expected privilege levels for each workflow.

🤖 Generated with Claude Code
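As an added example (not code from the PR or the SalesforceMobileSDK-Android project), a small Python checker for three of the hardening rules listed above: a top-level permissions: block, SHA-pinned actions, and no ${{ }} expressions inside run: scripts. It is line-based rather than a YAML parser, so it assumes the conventional workflow layout; the two embedded workflows are constructed samples, with only the checkout SHA taken from the description.

```python
import re  # added example, not the PR's code; line-based, assumes conventional workflow layout

SHA_REF = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUN = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def check_workflow(text):
    """Return [(line_no, finding)] for one workflow file's text (line 0 = file-level)."""
    lines = text.splitlines()
    findings = []
    if not any(l.startswith("permissions:") for l in lines):
        findings.append((0, "missing top-level permissions: block"))
    run_indent = None  # indent of the run: key while inside a multi-line script
    for no, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and (not line.strip() or indent > run_indent):
            if "${{" in line:  # expanded before the shell runs, so the script is injectable
                findings.append((no, "expression interpolated into run: script"))
            continue
        run_indent = None
        m = USES.match(line)
        if m and "@" in m.group(1) and not SHA_REF.match(m.group(1).split("@", 1)[1]):
            findings.append((no, "action not SHA-pinned: " + m.group(1)))
        m = RUN.match(line)
        if m and m.group(3).startswith(("|", ">")):
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        elif m and "${{" in m.group(3):
            findings.append((no, "expression interpolated into run: script"))
    return findings

VULNERABLE = """\
on: [pull_request_target]
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: [pull_request_target]
permissions:
  contents: read
jobs:
  test:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
"""
```

Running check_workflow over VULNERABLE reports the missing permissions block, the tag-pinned checkout and the interpolated title; the hardened sample reports nothing because the untrusted value reaches the shell only through an environment variable.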

@github-actions

Job Summary for Gradle

Pull Request :: test-android
| Gradle Root Project | Requested Tasks | Gradle Version | Build Outcome | Build Scan® |
| --- | --- | --- | --- | --- |
| SalesforceMobileSDK-Android | libs:SalesforceHybrid:lint | 9.4.1 | | Build Scan not published |
| SalesforceMobileSDK-Android | libs:SalesforceHybrid:assembleAndroidTest | 9.4.1 | | Build Scan not published |
| SalesforceMobileSDK-Android | libs:SalesforceHybrid:convertCodeCoverage | 9.4.1 | | Build Scan not published |

@codecov

codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.58%. Comparing base (7ef093b) to head (6e96482).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff            @@
##                dev    #2910   +/-   ##
=========================================
  Coverage     66.58%   66.58%           
  Complexity     3108     3108           
=========================================
  Files           226      226           
  Lines         17871    17871           
  Branches       2339     2339           
=========================================
+ Hits          11899    11900    +1     
  Misses         4887     4887           
+ Partials       1085     1084    -1     
| Components | Coverage Δ |
| --- | --- |
| Analytics | 48.71% <ø> (ø) |
| SalesforceSDK | 62.89% <ø> (+0.01%) ⬆️ |
| Hybrid | 59.30% <ø> (ø) |
| SmartStore | 78.22% <ø> (ø) |
| MobileSync | 82.12% <ø> (ø) |
see 1 file with indirect coverage changes

on:
schedule:
- cron: "0 6 * * 2,6" # cron is UTC, this translates to 10 PM PST Mon and Fri.
- cron: "30 6 * * 2-6" # cron is UTC; 10:30 PM PT every weekday (Mon-Fri).
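Review bot: the comment on the new cron line says "10:30 PM PT every weekday", but GitHub Actions evaluates schedule cron in UTC with no time-zone option, so 06:30 UTC Tue-Sat is 10:30 PM Mon-Fri only while Pacific Standard Time is in effect; during daylight time the run lands at 11:30 PM. The line being replaced said "PST" explicitly, and keeping that precision avoids a false expectation, e.g. `# cron is UTC; 10:30 PM PST / 11:30 PM PDT, Mon-Fri`. If the intent is Sunday-to-Thursday evenings so that every run is followed by a working morning, the UTC expression would be `30 6 * * 1-5`.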

Should we do Sunday to Thursday instead (so always followed by a working day the next morning) ?

@brandonpage brandonpage merged commit 8927d93 into forcedotcom:dev May 29, 2026
27 of 28 checks passed