Shard FMA validation workflows and route Windows apps to arch-matched runners#49348
Conversation
… architecture Partition changed apps by installer_arch (from the winget input JSONs) on a cheap Linux job, then fan out: arm64 apps validate on windows-11-arm and x64/x86/neutral apps on the x64 windows-latest runner. Validation steps move to a reusable workflow shared by the PR gate and the manual full run, with pre-installed app removal flags computed per shard. Large buckets shard into parallel jobs, and no Windows runner spins up when a PR changes no Windows apps.
zizmor flags expanding ${{ inputs.slugs }} directly into run script bodies
as template injection; read it from an env var in both steps instead.
Generalize the partition script to take a platform argument. The darwin workflows get the same structure as Windows minus arch routing: a Linux job detects changed apps and shards them, macOS runners only spin up when darwin apps actually changed, and pre-installed app handling (Chrome, Xcode/Icon Composer, Fleet Desktop MDM stub) is computed per shard.
There was a problem hiding this comment.
Pull request overview
This PR restructures the Fleet-maintained app (FMA) validation GitHub Actions workflows to (1) do cheap change-detection/sharding on Linux and (2) fan out into parallel validation shards on platform-specific runners, including routing Windows apps to native-arch runners based on installer_arch.
Changes:
- Adds a Linux-based partitioning job that emits a dynamic matrix and only starts expensive Windows/macOS runners when needed.
- Introduces reusable validation workflows for Windows and Darwin to run per-shard validation consistently across PR-gated and manual full-run workflows.
- Adds
.github/scripts/partition-fma-apps.shto split apps into shards (and by arch on Windows) and standardizes stable “summary” jobs to keep fixed check names.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/test-fma-windows.yml | Manual full Windows run now partitions on Linux and calls a reusable per-shard validation workflow, with a stable summary job. |
| .github/workflows/test-fma-windows-validate.yml | New reusable Windows validation workflow that runs on an arch-matched runner and handles per-shard preinstalled-app cleanup + validation. |
| .github/workflows/test-fma-windows-pr-only.yml | PR-gated Windows workflow now detects/partitions on Linux and fans out validation shards, with a stable summary check. |
| .github/workflows/test-fma-darwin.yml | Manual full macOS run now shards on Linux and calls a reusable per-shard validation workflow, with a stable summary job. |
| .github/workflows/test-fma-darwin-validate.yml | New reusable macOS validation workflow that does per-shard cleanup, filters apps.json, and validates. |
| .github/workflows/test-fma-darwin-pr-only.yml | PR-gated macOS workflow now detects/shards on Linux and fans out validation shards, with a stable summary check. |
| .github/scripts/partition-fma-apps.sh | New partitioner that generates the job matrix, including Windows arch routing + sharding. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughThe change adds platform-aware FMA sharding with Windows installer-architecture routing. Darwin and Windows workflows detect or enumerate apps, fan out reusable validation workflows across shards, and aggregate results. New reusable workflows prepare runners, remove conflicting preinstalled software, filter Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/scripts/partition-fma-apps.sh:
- Around line 115-129: Update the architecture handling around the arch
assignment and case statement to distinguish valid arm64, x64, x86, and neutral
metadata from missing or unsupported values. Emit a warning for missing or
invalid architecture metadata, route only explicitly supported non-arm64 values
to x64, and ensure the summary output reports the effective routing architecture
rather than the raw or empty metadata.
In @.github/workflows/test-fma-windows-validate.yml:
- Around line 107-129: Update each preinstalled-app cleanup step, including
“Remove pre-installed google chrome” and the corresponding blocks, to treat
uninstall failures as fatal. Capture and validate each installer process exit
code, fail on parsing or removal exceptions instead of only logging them, and
verify the specific application is absent after cleanup; throw or exit nonzero
whenever an attempted cleanup does not satisfy that app-specific postcondition.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: a682d351-38aa-42ef-b5cd-ef38a7383cbe
📒 Files selected for processing (7)
.github/scripts/partition-fma-apps.sh.github/workflows/test-fma-darwin-pr-only.yml.github/workflows/test-fma-darwin-validate.yml.github/workflows/test-fma-darwin.yml.github/workflows/test-fma-windows-pr-only.yml.github/workflows/test-fma-windows-validate.yml.github/workflows/test-fma-windows.yml
Related issue: N/A — CI improvement for the FMA validation workflows.
Summary
Restructures the Windows and macOS Fleet-maintained app validation workflows around a cheap Linux detect/shard job, with Windows apps additionally routed to a CI runner whose native architecture matches the app's installer.
Both platforms:
ubuntu-latest. Expensive Windows/macOS runners only spin up when their platform actually has changed apps — e.g. a Windows-only letter-batch PR no longer boots a macOS runner just to discover there's nothing to do (and vice versa) — and they check out at depth 1 instead of full history..github/scripts/partition-fma-apps.sh <windows|darwin>emits the job matrix; validation steps move unchanged into reusable workflows (test-fma-windows-validate.yml,test-fma-darwin-validate.yml).shard_sizeinput (Windows default 20 → ~20 shards over 384 apps; macOS default 25 → ~39 shards over 961 apps). Neither full run could previously finish: hundreds of sequential installs blow the 6-hour job limit.test-fma-pr-only,test-fma) aggregate the dynamic matrix results so branch protection / PR gating keeps a fixed check name.Windows arch routing:
<name>/windowsslug'sinstaller_archis read fromee/maintained-apps/inputs/winget/<name>.json:arm64apps →windows-11-arm, x64/x86/neutral apps →windows-latest(x64). Missing input files default to x64 with a warning. This fixes installers that check the native OS architecture and abort under Prism emulation on the ARM runner (Inno SetupArchitecturesAllowed=x64— GOG Galaxy, Reqable — and Docker Desktop). Future arm64 FMAs need no workflow change —installer_arch: arm64in the winget input is enough.macos-latestis arm64 and x86-only casks run under Rosetta 2, which matches how customer Macs run them.Checklist for submitter
SELECT *is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.Testing
Manual QA:
actionlintand zizmor 1.25.2 (with the repo's.github/zizmor-gate.ymlconfig) with no findings.test-fma-pr-onlysummary check passed.Summary by CodeRabbit
shard_sizefor manual validation runs.