Migrate aiservice-test to shared workflow with dynamic secret env (#2620)

## Summary - Replaces the inline `aiservice-test` job (30 lines of boilerplate) with a 10-line shared workflow call - Uses the new `test-secret-env` input on `ci-python-uv.yml` to dynamically export 7 secrets as masked env vars - Pattern: caller passes `secrets: inherit` + a JSON map of `{ENV_VAR: SECRET_NAME}`, shared workflow uses `toJSON(secrets)` + jq to export them with `::add-mask::` ### Before (inline) ```yaml aiservice-test: runs-on: ubuntu-latest env: SECRET_KEY: ${{ secrets.SECRET_KEY }} DATABASE_URL: ${{ secrets.DATABASE_URL }} # ... 5 more hardcoded secret refs steps: - uses: actions/checkout@v6 - uses: astral-sh/setup-uv@v8.1.0 - run: uv sync - run: uv run pytest ``` ### After (shared workflow) ```yaml aiservice-test: uses: codeflash-ai/github-workflows/.github/workflows/ci-python-uv.yml@main secrets: inherit with: working-directory: "django/aiservice" sync-command: "uv sync" test-command: "uv run pytest" test-secret-env: '{"SECRET_KEY": "SECRET_KEY", "DATABASE_URL": "DATABASE_URL", ...}' ``` First consumer of the `test-secret-env` feature — validates the pattern for future jobs. ## Test plan - [ ] CI passes — aiservice-test job runs via shared workflow and secrets are correctly exported - [ ] Gate job (required-checks-passed) still works with the new job structure - [ ] No regression in other jobs (they're unchanged)
2026-05-04 18:25:18 +00:00 · 2026-04-23 06:00:11 -05:00 · 2026-04-23 06:00:11 -05:00 · 235858d205
commit 235858d205
parent eeecdc11d7
1 changed files with 8 additions and 24 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -48,34 +48,18 @@ jobs:
      typecheck-command: "uv run mypy --non-interactive --config-file pyproject.toml @mypy_allowlist.txt"

  # ---------------------------------------------------------------------------
-  # AI Service — pytest (needs secrets as env vars)
+  # AI Service — pytest (shared workflow + dynamic secret env vars)
  # ---------------------------------------------------------------------------
  aiservice-test:
    needs: determine-changes
    if: fromJSON(needs.determine-changes.outputs.flags).aiservice == 'true'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: django/aiservice
-    env:
-      SECRET_KEY: ${{ secrets.SECRET_KEY }}
-      DATABASE_URL: ${{ secrets.DATABASE_URL }}
-      AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }}
-      AZURE_OPENAI_ENDPOINT: ${{ secrets.AZURE_OPENAI_ENDPOINT }}
-      OPENAI_API_VERSION: ${{ secrets.OPENAI_API_VERSION }}
-      ANTHROPIC_FOUNDRY_API_KEY: ${{ secrets.ANTHROPIC_FOUNDRY_API_KEY }}
-      ANTHROPIC_FOUNDRY_BASE_URL: ${{ secrets.ANTHROPIC_FOUNDRY_BASE_URL }}
-    steps:
-      - uses: actions/checkout@v6
-      - uses: astral-sh/setup-uv@v8.1.0
-        with:
-          python-version: "3.12"
-          enable-cache: true
-      - run: uv sync
-      - name: Test
-        run: uv run pytest
+    uses: codeflash-ai/github-workflows/.github/workflows/ci-python-uv.yml@main
+    secrets: inherit
+    with:
+      working-directory: "django/aiservice"
+      sync-command: "uv sync"
+      test-command: "uv run pytest"
+      test-secret-env: '{"SECRET_KEY": "SECRET_KEY", "DATABASE_URL": "DATABASE_URL", "AZURE_OPENAI_API_KEY": "AZURE_OPENAI_API_KEY", "AZURE_OPENAI_ENDPOINT": "AZURE_OPENAI_ENDPOINT", "OPENAI_API_VERSION": "OPENAI_API_VERSION", "ANTHROPIC_FOUNDRY_API_KEY": "ANTHROPIC_FOUNDRY_API_KEY", "ANTHROPIC_FOUNDRY_BASE_URL": "ANTHROPIC_FOUNDRY_BASE_URL"}'

  # ---------------------------------------------------------------------------
  # Prek — lint (pull_request only)