fix(ci): de-matrix CI steps smoke tests for correctness skipping

[Andrey Kolkov (androndo)]

Against troubles of merging docs-only PRs like #331

Summary by CodeRabbit

Release Notes

• Chores
  • Internal improvements to testing infrastructure with no user-facing changes.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

📝 Walkthrough

Walkthrough

The release-smoke.yml workflow's single matrix-based smoke job (iterating over manifest and helm modes) is replaced with two explicit jobs: smoke-manifest and smoke-helm. Each job has a name matching the required GitHub status context string and carries its own job-level if: condition. The Helm job gains a dedicated azure/setup-helm setup step and runs make helm-smoke directly.

Changes

Smoke workflow matrix → two named jobs

Layer / File(s)	Summary
Inline comments for skipped-job status behavior .github/workflows/release-smoke.yml	Comments updated to describe that job-level if: causes skipped jobs to report under their explicit names, satisfying required status contexts; the changes job output comment updated to reflect two jobs instead of a matrix.
Replace matrix job with smoke-manifest and smoke-helm .github/workflows/release-smoke.yml	The single smoke job with strategy.matrix: mode: [manifest, helm] is removed. Two standalone jobs are introduced: smoke-manifest (named smoke (manifest)) and smoke-helm (named smoke (helm)), each with its own if: condition. The Helm job adds an azure/setup-helm@v4 step pinned to v3.16.4 and runs make helm-smoke unconditionally rather than via a matrix conditional.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• cozystack/etcd-operator#334: Directly modifies the same .github/workflows/release-smoke.yml file, adding changes-based per-job skipping to preserve required status contexts — the prerequisite change that this PR builds upon by splitting the matrix into named jobs.

Poem

🐇 Hoppity-hop through the CI lane,
Two jobs now run where one was plain.
Manifest skips? The context still glows!
Helm finds its name wherever it goes.
No more matrix to tangle the trail—
Each smoke job hops on its own little rail! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: converting matrix-based smoke tests to separate jobs for correct skipping behavior in CI.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/release-smoke.yml (1)

77-79: 💤 Low value

Consider pinning actions to commit hashes and disabling credential persistence.

Static analysis flagged these unpinned action references (actions/checkout@v4, actions/setup-go@v5) and the default persist-credentials: true on checkout. While major version tags are a common project convention (matching dorny/paths-filter@v3 at line 36), pinning to commit hashes provides supply-chain hardening.

Since this appears to be a project-wide pattern, addressing it can be deferred to a separate security hardening effort.

🔒 Example if you choose to harden this job

     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
           cache: true

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-smoke.yml around lines 77 - 79, Pin the action
references actions/checkout@v4 and actions/setup-go@v5 to specific commit hashes
instead of major version tags to improve supply-chain security, and add
persist-credentials: false to the checkout action to disable default credential
persistence. Replace the major version tags (e.g., `@v4`, `@v5`) with their
corresponding commit SHAs, and add the persist-credentials parameter to the
checkout action configuration.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/release-smoke.yml:
- Around line 77-79: Pin the action references actions/checkout@v4 and
actions/setup-go@v5 to specific commit hashes instead of major version tags to
improve supply-chain security, and add persist-credentials: false to the
checkout action to disable default credential persistence. Replace the major
version tags (e.g., `@v4`, `@v5`) with their corresponding commit SHAs, and add the
persist-credentials parameter to the checkout action configuration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e61c9b78-e511-48c7-997a-37b90311715b

📥 Commits

Reviewing files that changed from the base of the PR and between 4248ade and b7abbd1.

📒 Files selected for processing (1)

• .github/workflows/release-smoke.yml