
chore(ci): re-pin phenoShared reusable workflow #67

Merged: KooshaPari merged 1 commit into main from chore/workflow-hygiene-ubuntu-24 on Jun 1, 2026

Conversation

KooshaPari (Owner) commented May 28, 2026

User description

Summary

Reference update

|                 | Before                                  | After                                                              |
|-----------------|-----------------------------------------|--------------------------------------------------------------------|
| phenoShared ref | HEAD SHA (pre-merge stub)               | 5ed0e3bb2279610656755d3adb5403fba94a2bd2 (main)                   |
| Workflow        | Stub (workflow-present + rust-ci echo)  | uses: KooshaPari/phenoShared/.github/workflows/reusable/ci.yml     |
| Semver tag      | N/A (was blocked)                       | No tag available yet — re-pin to tag once cut                      |

No semver tag exists yet for the reusable workflow; pinned to main SHA 5ed0e3b. Will re-pin to tag per phenoShared release policy.

🤖 Generated with Claude Code

Note

Low Risk
Workflow-only change with no application code; risk is limited to CI behavior and dependency on an external pinned workflow SHA.

Overview
Replaces the local CI stub with the shared phenoShared reusable workflow, so push/PR runs on main actually execute Rust CI instead of placeholder echo jobs.

The rust-ci job now uses: KooshaPari/phenoShared/.github/workflows/reusable/ci.yml pinned to main SHA 5ed0e3bb2279610656755d3adb5403fba94a2bd2. Comments were updated to note PR #85 is merged and that a semver tag should be used once phenoShared cuts one. The workflow-present job and the stub rust-ci steps (including the “blocked by missing phenotypeActions” message) were removed.

Reviewed by Cursor Bugbot for commit b83758b.


CodeAnt-AI Description

Run the shared Rust CI workflow in this repository

What Changed

  • Replaced the placeholder CI job with the shared phenoShared reusable workflow, so push and pull request runs now execute the real Rust CI checks
  • Removed the extra stub job that only printed a confirmation message
  • Updated the workflow note to reflect the current pinned reference and that it should move to a released tag once available

Impact

✅ Real CI checks on pull requests
✅ Fewer false-green builds
✅ Clearer validation before merge


Copilot AI review requested due to automatic review settings May 28, 2026 12:09

codeant-ai Bot commented May 28, 2026

CodeAnt AI is reviewing your PR.




coderabbitai Bot commented May 28, 2026


Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between 890c7ce and b83758b.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

📝 Walkthrough

Summary

This PR transitions the CI workflow from a local stub implementation to a reusable workflow call from the centralized phenoShared repository. The change replaces placeholder job implementations with an actual external workflow invocation, enabling shared CI infrastructure across the Phenotype ecosystem.

Changes

.github/workflows/ci.yml (26 → 17 lines, -9 net)

  • Removed workflow-present job (stub echo step)
  • Removed rust-ci stub job (stub echo step reporting missing phenotypeActions repo)
  • Added rust-ci job invoking KooshaPari/phenoShared/.github/workflows/reusable/ci.yml@5ed0e3bb2279610656755d3adb5403fba94a2bd2
  • Updated comments to reflect main SHA pinning; notes plan to re-pin to a semver tag once phenoShared releases the reusable workflow

.github/workflows/scorecard.yml

  • No changes (verified identical to prior commit)

Notes

  • The reusable workflow SHA 5ed0e3bb is pinned to phenoShared@main as no stable semver tag exists yet for the reusable/ci.yml workflow (exposed by PR #85 in phenoShared)
  • This represents a behavioral change: CI execution will now run against the actual shared workflow instead of emitting stub messages
  • No merge conflicts detected in the final state (contrary to the PR description's mention of unresolved markers in scorecard.yml)
  • The scorecard workflow is unchanged, despite PR description mentioning an ossf/scorecard-action version bump

Recommendation

Approve with acknowledgment of behavioral impact. The PR achieves its stated objective of adopting the shared phenoShared reusable CI workflow. The stub removal is appropriate given phenoShared now exposes the workflow. The pinning strategy (main SHA → semver tag migration) is sound and documented.

Action items for maintainer (post-merge):

  • Monitor phenoShared releases and re-pin to a semver tag once available
  • Verify that actual CI (builds, tests) executes correctly under the new reusable workflow

Walkthrough

The CI workflow was simplified by replacing local stub jobs with a direct invocation of the phenoShared reusable Rust CI workflow. The workflow-present and rust-ci stub jobs are removed and replaced with a single rust-ci job using uses to call the shared workflow pinned to a main SHA.

Changes

CI Workflow Reusable Invocation

| Layer                                        | File(s)                   | Summary |
|----------------------------------------------|---------------------------|---------|
| CI Workflow to Reusable Workflow Transition  | .github/workflows/ci.yml  | The workflow job structure changed from local stub jobs (workflow-present placeholder and rust-ci runner with steps) to a single rust-ci job invoking KooshaPari/phenoShared/.github/workflows/reusable/ci.yml pinned to a main SHA. Trigger context standardized for push/pull_request on main. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • KooshaPari/phenotype-tooling#22: Both PRs update .github/workflows/ci.yml to invoke the KooshaPari/phenoShared reusable Rust CI workflow with a pinned commit SHA, with direct overlap at the workflow wiring level.

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!


Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.

Autofix Details

Bugbot Autofix prepared fixes for both issues found in the latest run.

  • ✅ Fixed: Invalid SHA for codeql-action/upload-sarif will break workflow
    • Replaced the invalid SHA with @v4.36.0 tag matching other workflows in the repository
  • ✅ Fixed: Trufflehog action inputs silently ignored, scan misconfigured
    • Moved --only-verified flag to extra_args input and removed invalid base_depth and only_verified inputs

Or push these changes by commenting:

@cursor push 4ac90a167b
Preview (4ac90a167b)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -39,6 +39,6 @@
           path: results.sarif
           retention-days: 5
 
-      - uses: github/codeql-action/upload-sarif@2f0f4c8f3d9c8f6b8ed1b1f5f1c4a7a2d0b0d1b7
+      - uses: github/codeql-action/upload-sarif@v4.36.0
         with:
           sarif_file: results.sarif
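Review bot: swapping the unresolvable SHA for `@v4.36.0` restores a working reference but downgrades the pin from immutable to mutable: a tag can be moved, so `upload-sarif` is no longer bound to fixed content, and it becomes the one `uses:` in this file that is not SHA-pinned (the `ossf/scorecard-action@f2ea147…  # v2.4.2` step elsewhere in the same file is). Resolve the tag to its commit and pin that, keeping `# v4.36.0` as the trailing comment, the same convention as the other pins touched by this PR. Also verify the replacement actually exists before committing it, since the previous 40-hex value looked just as well-formed: `git ls-remote https://github.com/github/codeql-action.git refs/tags/v4.36.0` prints the tag's object (and, for an annotated tag, a `^{}` line with the commit it points to); an empty result means the tag is not there either.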

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -19,5 +19,4 @@
       - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26  # v3.95.2
         with:
           path: ./
-          base_depth: 1
-          only_verified: true
+          extra_args: "--only-verified"
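Review bot: moving the flag into `extra_args: "--only-verified"` makes it reach the scanner, but the removed `base_depth: 1` was also the only thing in this step that expressed a scan scope and nothing replaces it, so the run now covers whatever the action's defaults give for `path: ./`. Before merging, open the action's `action.yml` at the pinned SHA (`17456f8c…`; the `# v3.95.2` comment says nothing about which inputs exist) and confirm which inputs it declares; if the intent was diff-scoped scanning on pull requests, set the action's `base` and `head` inputs explicitly rather than relying on defaults. The underlying failure mode is that unknown `with:` keys only produce a warning and never fail the job, which is why both bad inputs went unnoticed; a workflow linter that validates `with:` keys against the action's declared inputs (actionlint does this for actions it knows) would catch the next one.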


codeant-ai Bot commented May 29, 2026

CodeAnt AI is running Incremental review



codeant-ai Bot added the size:XS label (This PR changes 0-9 lines, ignoring generated files) May 29, 2026

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Unresolved merge conflict marker in scorecard workflow
    • Removed the accidental merge conflict marker '<<<<<<< HEAD' from line 30 of scorecard.yml, making the YAML valid again.

Or push these changes by commenting:

@cursor push 201fbf4b96
Preview (201fbf4b96)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -27,7 +27,6 @@
         with:
           persist-credentials: false
 
-<<<<<<< HEAD
       - uses: ossf/scorecard-action@f2ea147fec3c2f0d459703eba7405b5e9bcd8c8f  # v2.4.2
         with:
           results_file: results.sarif
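Review bot: only the `<<<<<<< HEAD` line is removed; a conflict block carries two more markers (`=======` and `>>>>>>>`) and neither appears in the surrounding context, so confirm the rest of scorecard.yml contains no leftover `=======` or `>>>>>>>` lines and that the surviving `ossf/scorecard-action@f2ea147…  # v2.4.2` step is the side that was meant to win, not just the half that happened to be on top. A workflow file with a stray marker is invalid YAML, which GitHub surfaces as a workflow parse error in the Actions tab rather than as a run of that workflow, so the breakage is easy to miss on a force-push; `git diff --check` reports leftover conflict markers and belongs in the pre-push routine, as does a YAML or actionlint pass over .github/workflows.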


codeant-ai Bot commented May 29, 2026

CodeAnt AI Incremental review completed.

KooshaPari force-pushed the chore/workflow-hygiene-ubuntu-24 branch from 7d310f7 to b83758b, June 1, 2026 06:04

codeant-ai Bot commented Jun 1, 2026

CodeAnt AI is running Incremental review



codeant-ai Bot added and removed the size:XS label (This PR changes 0-9 lines, ignoring generated files) Jun 1, 2026
@KooshaPari KooshaPari merged commit 258f965 into main Jun 1, 2026
12 of 13 checks passed
@KooshaPari KooshaPari deleted the chore/workflow-hygiene-ubuntu-24 branch June 1, 2026 06:05

codeant-ai Bot commented Jun 1, 2026

CodeAnt AI Incremental review completed.


sonarqubecloud Bot commented Jun 1, 2026


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.

Reviewed by Cursor Bugbot for commit b83758b.

Comment on .github/workflows/ci.yml (lines quoted from the diff):

    runs-on: ubuntu-24.04
    steps:
    - run: echo "CI stub — phenoShared reusable workflow blocked by missing phenotypeActions repo"
    uses: KooshaPari/phenoShared/.github/workflows/reusable/ci.yml@5ed0e3bb2279610656755d3adb5403fba94a2bd2


Missing permissions restriction for external reusable workflow call

Low Severity

The workflow calls a cross-repository reusable workflow (KooshaPari/phenoShared) without declaring permissions: contents: read at the top level. Every other reusable-workflow caller in this repository (trufflehog.yml, cargo-deny.yml) explicitly restricts token permissions to least-privilege. Without this declaration, the external workflow receives a token with broader default permissions than necessary.


Reviewed by Cursor Bugbot for commit b83758b.
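Every finding the bots raised on this PR (an unresolvable SHA on upload-sarif, a tag-only pin proposed as its fix, a stray conflict marker in scorecard.yml, and the missing top-level `permissions:` on the reusable-workflow call) is a property of the workflow text itself and can be caught before a push. The script below is an added example, not code from this PR, from phenoShared or from any of the review bots: it lints a workflow for those four conditions. The two workflow texts it checks are constructed for the example, the first combining ci.yml as described above with the defects reported on this thread, the second the corrected form with a least-privilege token and SHA pins with their intended version recorded beside them; the comment text after the phenoShared pin is illustrative. It runs offline with the standard library only.

```python
"""Pin-hygiene lint for GitHub Actions workflow files.

Added example; not code from this PR, phenoShared or the review bots. Rules:
  - every `uses:` pointing at another repository is pinned to a 40-hex
    commit SHA (tags and branches are mutable references)
  - every SHA pin carries a trailing comment naming the intended version,
    as the trufflehog and scorecard pins in this repository already do
  - a top-level `permissions:` block exists (workflow-wide GITHUB_TOKEN scope)
  - no merge-conflict markers are left in the file
Parsing is line-based on purpose (no PyYAML needed).
"""
import re

# `uses: owner/repo/path@ref  # comment`, with or without a leading list dash
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
CONFLICT_RE = re.compile(r"^(<{7}|={7}|>{7})(\s|$)")


def lint_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow; [] is clean."""
    findings = []
    has_top_level_permissions = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if CONFLICT_RE.match(line):
            findings.append((lineno, "conflict-marker", line))
            continue
        if line.startswith("permissions:"):  # column 0 == workflow level
            has_top_level_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and docker images are outside this check
        if "@" not in ref:
            findings.append((lineno, "missing-ref", ref))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append((lineno, "mutable-ref", ref))  # tag or branch
        elif not comment:
            findings.append((lineno, "sha-without-comment", ref))
    if not has_top_level_permissions:
        findings.append((0, "no-top-level-permissions", ""))
    return findings


# Constructed sample: ci.yml as described in this PR plus the defects the
# bots reported (tag-only pin, conflict marker, no top-level permissions).
BEFORE = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  rust-ci:
    uses: KooshaPari/phenoShared/.github/workflows/reusable/ci.yml@5ed0e3bb2279610656755d3adb5403fba94a2bd2
  scorecard:
    runs-on: ubuntu-24.04
    steps:
<<<<<<< HEAD
      - uses: github/codeql-action/upload-sarif@v4.36.0
        with:
          sarif_file: results.sarif
"""

# Constructed corrected form: least-privilege token and SHA pins with the
# intended version (or branch) beside them. The comment on the phenoShared
# pin is illustrative.
AFTER = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  rust-ci:
    uses: KooshaPari/phenoShared/.github/workflows/reusable/ci.yml@5ed0e3bb2279610656755d3adb5403fba94a2bd2  # main; re-pin to semver tag once cut
  secrets:
    runs-on: ubuntu-24.04
    steps:
      - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26  # v3.95.2
        with:
          path: ./
          extra_args: "--only-verified"
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_workflow(text) or "clean")
```

Run it over .github/workflows/*.yml before pushing. To turn a tag into a SHA pin, resolve it first: `git ls-remote https://github.com/github/codeql-action.git refs/tags/v4.36.0` prints the tag's object, and for an annotated tag a second `^{}` line with the commit it points to; pin that commit and keep the tag in the trailing comment so the `sha-without-comment` rule passes and a reader can still see the intended release. A job-level `permissions:` on the calling job would also scope the token handed to the reusable workflow; the lint insists on the top-level block because that is the convention the repository's other callers (trufflehog.yml, cargo-deny.yml) already follow.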
