NO-ISSUE: Consolidate CI setup into a single setup-dev action #682

Open. jhernand wants to merge 1 commit into osac-project:main from jhernand:consolidate_ci_setup_into_setup_dev_action

@jhernand jhernand commented Jun 12, 2026

Contributor

Summary

  • Replace the separate setup-go and setup-python composite actions with a unified
    setup-dev action that provisions the full development environment (Go, Ginkgo, Python,
    uv, ruff, and project-specific tools from dev.py setup).
  • Cache the bin/ directory containing tools downloaded by dev.py using a key derived from
    dev/tools.py, so binaries are not re-downloaded on every CI run.

Test plan

  • Verify all CI jobs pass with the new setup-dev action.
  • Confirm cache is populated on first run and restored on subsequent runs.
  • Confirm cache invalidates when dev/tools.py is modified.

Summary by CodeRabbit

  • Chores
    • Streamlined development environment setup by consolidating development tool configuration into a unified action, replacing separate language-specific setup steps in CI/CD workflows.
    • Removed redundant Python setup action in favor of the unified development tools setup process.

Replace the separate `setup-go` and `setup-python` composite actions with a
unified `setup-dev` action that provisions the full development environment:
Go, Ginkgo, Python, uv, ruff, and the project-specific tools installed by
`dev.py setup`.

The tools downloaded by `dev.py` (currently `golangci-lint`) are now cached
using `actions/cache` with a key derived from the runner OS and the hash of
`dev/tools.py`. This avoids re-downloading binaries on every run while still
invalidating the cache whenever tool versions or checksums change.

Assisted-by: Cursor
Signed-off-by: Juan Hernandez <juan.hernandez@redhat.com>
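
An added example, not part of this PR or the project's code: because a cache hit skips the download path, a restored `bin/` can be re-checked against pinned digests before it goes on `PATH`. The pin table layout, the function names and the choice to hash the installed binary are assumptions; the page does not show how `dev/tools.py` stores its checksums.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restored_tools(bin_dir: Path, pins: dict[str, str]) -> dict[str, str]:
    """Classify each tool as 'ok', 'missing', 'mismatch' or 'unpinned'.

    `pins` maps tool name -> expected SHA-256 (hypothetical layout).
    """
    results = {}
    for name, expected in pins.items():
        path = bin_dir / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected.lower()):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    # Anything in bin/ that no pin covers would still be reachable via PATH.
    for path in sorted(bin_dir.iterdir()):
        if path.name not in pins:
            results[path.name] = "unpinned"
    return results


def demo():
    """Constructed data: a stand-in binary, then an altered cache restore."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        tool = bin_dir / "golangci-lint"
        tool.write_bytes(b"constructed stand-in binary\n")
        pins = {"golangci-lint": sha256_file(tool)}
        clean = verify_restored_tools(bin_dir, pins)
        tool.write_bytes(b"altered after caching\n")
        (bin_dir / "extra-tool").write_bytes(b"not listed\n")
        return clean, verify_restored_tools(bin_dir, pins)


if __name__ == "__main__":
    print(demo())
```

A CI step running such a check would fail the job on any status other than `ok`, which forces a fresh download instead of trusting the cached copy.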
@openshift-ci-robot

@jhernand: This pull request explicitly references no jira issue.

@openshift-ci

openshift-ci Bot commented Jun 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhernand

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Walkthrough

This pull request consolidates development tool setup across the CI pipeline by expanding the setup-dev action to handle both Go and Python tooling setup, removing the dedicated setup-python action, and updating all workflow jobs to use the unified setup-dev action instead of separate setup actions.

Changes

CI/CD Setup Consolidation

| Layer / File(s) | Summary |
|---|---|
| Enhanced setup-dev action with Python and caching<br>.github/actions/setup-dev/action.yaml | The composite action is renamed to reflect broader scope (name: "Setup development tools"), Go setup is simplified to a single-line go mod download command, and new steps are added to install Python 3.14, uv, ruff via uv tool install, with caching for uv run dev.py setup keyed to dev/tools.py hash and ${GITHUB_WORKSPACE}/bin appended to GITHUB_PATH. |
| Workflow jobs adopt unified setup-dev action<br>.github/workflows/check-pull-request.yaml | All six jobs (check-python-code, check-go-code, run-unit-tests, build-binaries, and both integration test jobs) replace separate setup-go and setup-python steps with the consolidated ./.github/actions/setup-dev action. |

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Security Risk Assessment

Risk Severity: Low

Impact Assessment:

  • Single Point of Failure: The unified setup-dev action is now a critical dependency for all CI jobs. If the action fails, all workflows are blocked. However, the changes preserve the same underlying setup logic (setup-python v6, astral-sh/setup-uv v8.2.0, and existing dependency installation), so the risk is primarily operational rather than functional.
  • Tool Pinning: The removal of the dedicated setup-python action consolidates version pinning into a single action, improving consistency but centralizing control.
  • Cache Key Sensitivity: The uv run dev.py setup caching mechanism is keyed to dev/tools.py hash. If this file is not properly maintained, tools may become stale in the cache without explicit invalidation.
  • PATH Manipulation: Appending ${GITHUB_WORKSPACE}/bin to GITHUB_PATH is safe if the directory is writable and the installed tools are from trusted sources (uv).

Mitigation: The PR maintains all existing action version pinning and setup logic, reducing the risk of introducing new vulnerabilities. Ensure dev/tools.py is kept in sync with actual dependencies.

Suggested Labels

approved, lgtm

Suggested Reviewers

  • rgolangh
  • eliorerz

🔧 One action to rule them all,
Setup-dev answers CI's call,
Python and Go, unified and fast,
Separate steps are now a thing of the past!
Workflows converge, complexity falls. 🚀


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No-Sensitive-Data-In-Logs | ❌ Error | check-pull-request.yaml logs internal hostnames via echo ... \| sudo tee -a /etc/hosts (e.g., fulfillment-api..., keycloak...), increasing infra-disclosure risk. | Suppress or avoid stdout logging of internal hosts (e.g., redirect tee output to /dev/null or write hosts via heredoc without echoing names). |

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: consolidating separate CI setup actions into a single setup-dev action, which is the core objective across all modified files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No-Hardcoded-Secrets | ✅ Passed | PR #682’s changed YAMLs only adjust CI setup/caching (e.g., uv tool install ruff==0.15.16; cache key dev-${{ runner.os }}-${{ hashFiles('dev/tools.py') }}); no hardcoded secrets/tokens/passwords/cr... |
| No-Weak-Crypto | ✅ Passed | Reviewed .github/actions/setup-dev/action.yaml and .github/workflows/check-pull-request.yaml plus dev.py/dev/tools.py for md5/sha1/DES/RC4/3DES/Blowfish/ECB and related crypto patterns; none found. |
| No-Injection-Vectors | ✅ Passed | Scanned .github/actions/setup-dev/action.yaml and .github/workflows/check-pull-request.yaml for eval/exec, pickle.loads, unsafe yaml.load, os.system, dangerouslySetInnerHTML, shell=True, and SQL co... |
| Container-Privileges | ✅ Passed | Security: PASS—repo YAML scan found no privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation:true; PR updates only .github/actions/setup-dev and the check-pull-request workflow. |
| Ai-Attribution | ✅ Passed | PASS: PR commit message includes Assisted-by: Cursor; no Co-Authored-By trailers found for AI tools—attribution compliant (low risk). |
@openshift-ci

openshift-ci Bot commented Jun 12, 2026

@jhernand: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-vmaas | b8db049 | link | true | /test e2e-vmaas |
| ci/prow/unit | b8db049 | link | true | /test unit |
| ci/prow/images | b8db049 | link | true | /test images |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/setup-dev/action.yaml:
- Line 15: The action metadata is missing the required description field; update
the action metadata in action.yaml to include a top-level description key
alongside name (e.g., add a descriptive string under the description property)
so the metadata meets GitHub Actions schema and improves discoverability; ensure
the description succinctly explains the purpose of "Setup development tools" and
is a plain string value at the same level as name.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: ea468459-48e3-452b-b17e-fc54655a6d40

📥 Commits

Reviewing files that changed from the base of the PR and between c385789 and b8db049.

📒 Files selected for processing (3)
  • .github/actions/setup-dev/action.yaml
  • .github/actions/setup-python/action.yaml
  • .github/workflows/check-pull-request.yaml
💤 Files with no reviewable changes (1)
  • .github/actions/setup-python/action.yaml


name: Setup Go
description: Install and Go and Ginkgo
name: Setup development tools
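
Review bot: the `description:` key disappears together with the old `name: Setup Go` line at the top of action.yaml, leaving the metadata with only `name: Setup development tools`. Add a description that covers the new scope (Go, Ginkgo, Python, uv, ruff and the tools installed by dev.py) rather than restoring the old string, which read "Install and Go and Ginkgo" with a stray "and".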

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Action metadata missing required description field.

The description field was removed when updating the action name. GitHub Actions metadata requires both name and description for proper documentation and discoverability. Risk: Medium – violates action metadata schema and impedes maintainability.

📝 Proposed fix
 name: Setup development tools
+description: Setup Go, Python, and project-specific development tools with caching
 runs:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
name: Setup development tools
name: Setup development tools
description: Setup Go, Python, and project-specific development tools with caching
runs:
Source: Coding guidelines
