
feat(build): add build_context_from_working_dir for independent modules#165

Merged
bedatty merged 3 commits into develop from feat/build-context-from-working-dir on Mar 24, 2026

Conversation

@bedatty (Contributor) commented Mar 24, 2026

Lerian / GitHub Actions Shared Workflows

Description

Adds a build_context_from_working_dir boolean input to build.yml and pr-security-scan.yml. When true, the Docker build context uses matrix.app.working_dir instead of the repo root.

This enables building independent modules (e.g., tools/mock-btg-server with its own go.mod) without conflicting with the main project's dependencies. Without this, the Docker COPY go.mod go.sum ./ step copies the root module files, causing go mod download failures.

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None. Default is false — no change for existing consumers.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: https://github.com/LerianStudio/plugin-br-pix-indirect-btg/pull/473

Related Issues

Summary by CodeRabbit

  • New Features

    • Added configurable option to let workflows use a repository subfolder as the Docker build context.
  • Chores

    • Updated CI/CD workflows to support conditional build-context selection for builds and security scans.
    • Changed default behavior for GitOps flow so Docker registry login is disabled by default; login runs only when explicitly enabled.
    • GitOps update steps now fail early if the expected configuration directory is missing.
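The build-context switch described above, written out as an added example of the reusable-workflow shape it slots into (this is illustrative code, not the project's build.yml). Only the input name, the matrix.app.working_dir key, inputs.build_context and the COPY go.mod go.sum ./ failure mode come from the PR; the matrix entry, the dockerfile and tag wiring, the build_context default and the action versions are assumptions. In pr-security-scan.yml the same idea uses matrix.working_dir rather than matrix.app.working_dir.

```yaml
# Added example, not the project's workflow. Shows how the
# build_context_from_working_dir input selects the Docker build context.
name: Build and Push Docker Images

on:
  workflow_call:
    inputs:
      build_context:
        description: 'Docker build context used when build_context_from_working_dir is false'
        type: string
        default: '.'            # assumed default; the PR only says this input already existed
      build_context_from_working_dir:
        description: >-
          Use matrix.app.working_dir as the Docker build context instead of the
          repository root. Needed for independent modules with their own go.mod:
          with a root context the Dockerfile's `COPY go.mod go.sum ./` copies the
          root module files into the image and `go mod download` fails.
        type: boolean
        default: false          # existing callers are unaffected

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        app:
          # Constructed matrix entry modelled on the PR's motivating case.
          - name: mock-btg-server
            working_dir: tools/mock-btg-server
    steps:
      - uses: actions/checkout@v4            # assumed; pin to a commit SHA in production
      - uses: docker/setup-buildx-action@v3  # assumed; pin to a commit SHA in production

      - name: Build image
        uses: docker/build-push-action@v6    # assumed; pin to a commit SHA in production
        with:
          # GitHub expressions ternary idiom: when the input is true the context
          # is the module directory, otherwise the caller-supplied context.
          # Caveat: if matrix.app.working_dir is empty, `&&` yields an empty
          # (falsy) value and `||` silently falls back to inputs.build_context.
          context: ${{ inputs.build_context_from_working_dir == true && matrix.app.working_dir || inputs.build_context }}
          # The Dockerfile path is not changed by the input (assumed wiring):
          # buildx resolves --file relative to the runner workspace, not the context.
          file: ${{ matrix.app.working_dir }}/Dockerfile
          push: false
          tags: ${{ matrix.app.name }}:pr-${{ github.event.pull_request.number }}
```

The expression lands in a with: input, so the action receives it as a value rather than having it expanded inside a run: script; if the same value is ever needed in a run: step, pass it through env: instead of interpolating ${{ }} into the script body.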

… modules

Adds a new boolean input to build.yml and pr-security-scan.yml that uses
the component working_dir as Docker build context instead of the repo root.
This enables building tools/services with their own go.mod without
conflicting with the main project dependencies.
@bedatty bedatty requested a review from a team as a code owner March 24, 2026 19:57
@github-actions github-actions bot added the labels workflow (Changes to one or more reusable workflow files) and security (Changes to security workflows or vulnerability reporting policy) Mar 24, 2026
@lerian-studio lerian-studio added the size/XS (PR changes < 50 lines) label Mar 24, 2026
@coderabbitai coderabbitai bot commented Mar 24, 2026

Walkthrough

Adds a boolean build_context_from_working_dir input (default false) to build and PR security-scan reusable workflows to optionally use the job working directory as the Docker build context. Changes enable_docker_login default to false in the GitOps update workflow and tightens gitops directory checks.

Changes

Cohort / File(s) | Summary
Build workflow (.github/workflows/build.yml) | Added workflow_call input build_context_from_working_dir: boolean (default false). docker/build-push-action context now uses matrix.app.working_dir when the input is true; otherwise uses the existing inputs.build_context. Dockerfile path unchanged.
PR security scan workflow (.github/workflows/pr-security-scan.yml) | Added workflow_call input build_context_from_working_dir: boolean (default false). docker/build-push-action context now prefers matrix.working_dir when the input is true; otherwise retains the prior monorepo conditional (frontend uses inputs.frontend_folder, else .).
GitOps update workflow (.github/workflows/gitops-update.yml) | Changed workflow_call input enable_docker_login default from true to false and updated its description. "Log in to Docker Hub" step now runs only when inputs.enable_docker_login is enabled. Replaced cd gitops with `cd gitops

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3 passed

Check name | Status | Explanation
Title check | ✅ Passed | Title accurately summarizes the main change: adding a build_context_from_working_dir input for independent module builds.
Description check | ✅ Passed | Description covers the purpose, affected workflows, testing validation, and caller reference. Breaking changes section properly documents no breaking changes.
Docstring coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

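The GitOps-side changes in the walkthrough above (login gated behind enable_docker_login, and an explicit abort when the gitops directory is missing), as an added example rather than the project's gitops-update.yml. The input name, its description text and the new default are from the PR; the action references, the secret names, the checkout layout and the placeholder manifest command are assumptions.

```yaml
# Added example, not the project's workflow. Shows the opt-in registry login
# and the explicit-failure form of the gitops directory change.
on:
  workflow_call:
    inputs:
      enable_docker_login:
        description: 'Enable Docker Hub login to avoid rate limits. Disabled by default since GitOps updates do not require Docker registry access.'
        type: boolean
        default: false          # opt-in: callers that actually pull images set this to true
    secrets:
      DOCKERHUB_USERNAME:
        required: false         # assumed names; only consumed when login is enabled
      DOCKERHUB_TOKEN:
        required: false

jobs:
  gitops-update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed; pin to a commit SHA in production

      # Least privilege: the registry credential is only handed to the login
      # action when the caller explicitly asks for it. A job that only edits
      # YAML in the gitops repo never needs it.
      - name: Log in to Docker Hub
        if: ${{ inputs.enable_docker_login == true }}
        uses: docker/login-action@v3      # assumed; pin to a commit SHA in production
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Update GitOps manifests
        run: |
          # Before (ShellCheck SC2164): a bare `cd gitops` relies on the shell's
          # -e flag to stop the step; under a shell without -e the commands that
          # follow would run against the repository root instead.
          # After: abort explicitly, so the step fails as soon as the expected
          # configuration directory is missing, before anything is modified.
          cd gitops || exit 1
          ls -la                           # placeholder for the manifest edits
```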

@lerian-studio lerian-studio commented Mar 24, 2026

🔍 Lint Analysis

Check Files Scanned Status
YAML Lint 3 file(s) ✅ success
Action Lint 3 file(s) ✅ success
Pinned Actions 3 file(s) ✅ success
Markdown Link Check no changes ⏭️ skipped
Spelling Check 3 file(s) ✅ success
Shell Check 3 file(s) ✅ success
README Check 3 file(s) ✅ success
Composite Schema no changes ⏭️ skipped


@lerian-studio lerian-studio commented Mar 24, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

Found 23 issue(s): 23 Medium

Severity Rule File Message
🟡 Medium actions/code-injection/medium .github/workflows/pr-security-scan.yml:158 Potential code injection in [${{ inputs.build_context_from_working_dir == tru...
🟡 Medium actions/code-injection/medium .github/workflows/build.yml:288 Potential code injection in [${{ inputs.build_context_from_working_dir == tru...
🟡 Medium actions/unpinned-tag .github/workflows/gitops-update.yml:78 Unpinned 3rd party Action 'GitOps Update' step Uses Step uses 'docker/lo...
🟡 Medium actions/unpinned-tag .github/workflows/build.yml:146 Unpinned 3rd party Action 'Build and Push Docker Images' step [Uses Step: cha...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:89 Unpinned 3rd party Action 'PR Security Scan' step Uses Step uses 'docker...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:98 Unpinned 3rd party Action 'PR Security Scan' step [Uses Step: changed-paths](...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:131 Unpinned 3rd party Action 'PR Security Scan' step Uses Step uses 'docker...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:142 Unpinned 3rd party Action 'PR Security Scan' step Uses Step uses 'docker...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:148 Unpinned 3rd party Action 'PR Security Scan' step Uses Step: fs-scan use...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:156 Unpinned 3rd party Action 'PR Security Scan' step Uses Step uses 'docker...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:172 Unpinned 3rd party Action 'PR Security Scan' step Uses Step: image-scan ...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:182 Unpinned 3rd party Action 'PR Security Scan' step [Uses Step: dockerfile-chec...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:190 Unpinned 3rd party Action 'PR Security Scan' step [Uses Step: post-results](1...
🟡 Medium actions/unpinned-tag .github/workflows/pr-security-scan.yml:222 Unpinned 3rd party Action 'PR Security Scan' step Uses Step uses 'Lerian...
🟡 Medium actions/unpinned-tag .github/workflows/gitops-update.yml:421 Unpinned 3rd party Action 'GitOps Update' step Uses Step uses 'crazy-max...
🟡 Medium actions/unpinned-tag .github/workflows/build.yml:213 Unpinned 3rd party Action 'Build and Push Docker Images' step Uses Step ...
🟡 Medium actions/unpinned-tag .github/workflows/build.yml:216 Unpinned 3rd party Action 'Build and Push Docker Images' step Uses Step ...
🟡 Medium actions/unpinned-tag .github/workflows/build.yml:220 Unpinned 3rd party Action 'Build and Push Docker Images' step Uses Step ...
🟡 Medium actions/unpinned-tag .github/workflows/build.yml:227 Unpinned 3rd party Action 'Build and Push Docker Images' step Uses Step ...
🟡 Medium actions/unpinned-tag .github/workflows/gitops-update.yml:461 Unpinned 3rd party Action 'GitOps Update' step Uses Step uses 'LerianStu...
🟡 Medium actions/unpinned-tag .github/workflows/build.yml:277 Unpinned 3rd party Action 'Build and Push Docker Images' step [Uses Step: met...
🟡 Medium actions/unpinned-tag .github/workflows/build.yml:286 Unpinned 3rd party Action 'Build and Push Docker Images' step Uses Step ...
🟡 Medium actions/untrusted-checkout/medium .github/workflows/gitops-update.yml:83 Potential unsafe checkout of untrusted pull request on privileged workflow.


@bedatty bedatty self-assigned this Mar 24, 2026

GitOps updates only modify YAML files in the gitops repo and do not
pull or push Docker images. Docker login is unnecessary by default
and can be explicitly enabled when needed.

@lerian-studio lerian-studio added and removed the size/XS (PR changes < 50 lines) label Mar 24, 2026
coderabbitai bot previously requested changes Mar 24, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/gitops-update.yml (2)

474-474: ⚠️ Potential issue | 🟠 Major

Replace relative path with absolute external reference.

gitops-update.yml is a reusable workflow (workflow_call trigger) designed for external repository callers. The relative path uses: ./.github/workflows/slack-notify.yml will resolve to the caller's workspace, breaking the reference.

Change to:

uses: LerianStudio/github-actions-shared-workflows/.github/workflows/slack-notify.yml@<release-tag>

(No internal self-* wrapper exists to protect this workflow, so external refs are required.)


461-461: ⚠️ Potential issue | 🟠 Major

Use @master instead of unpinned @main ref for external action.

The LerianStudio/github-actions-argocd-sync repository does not publish semantic version releases. It uses branch references: @master for production and @develop for testing. The current @main reference is incorrect; this repository does not use a main branch. Update to @master to match the action's production branch.

Suggested change
-        uses: LerianStudio/github-actions-argocd-sync@main
+        uses: LerianStudio/github-actions-argocd-sync@master
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gitops-update.yml:
- Around line 54-57: Update the documentation to reflect the changed default for
the workflow input enable_docker_login: its default is now false (disabled)
instead of true; find references to enable_docker_login in the docs and change
any text that states or implies the default is true to state the default is
false and note callers must set enable_docker_login: true to enable Docker Hub
login.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8a427898-65cf-41f8-8465-ddf9e5967405

📥 Commits

Reviewing files that changed from the base of the PR and between 46b1a80 and 88e7ede.

📒 Files selected for processing (1)
  • .github/workflows/gitops-update.yml

Fix pre-existing lint issues:
- Remove trailing whitespace from 17 lines
- Add || exit 1 to cd commands (SC2164)
@lerian-studio lerian-studio added the size/S (PR changes 50–199 lines) label and removed the size/XS (PR changes < 50 lines) label Mar 24, 2026

@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (1)
.github/workflows/gitops-update.yml (1)

54-57: ⚠️ Potential issue | 🟠 Major

Breaking caller behavior: default flip for enable_docker_login needs explicit migration handling.

Line 57 changes the default to false, so callers that relied on the implicit default now skip Docker login and may hit pull-rate/auth failures. Either revert the default or treat this as a breaking change with explicit migration notes and caller updates.

Suggested minimal fix (preserve backward compatibility)
       enable_docker_login:
         description: 'Enable Docker Hub login to avoid rate limits. Disabled by default since GitOps updates do not require Docker registry access.'
         type: boolean
-        default: false
+        default: true

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 01b4e4da-b1e2-4dc0-a51b-4a72aae378f3

📥 Commits

Reviewing files that changed from the base of the PR and between 88e7ede and 00a078d.

📒 Files selected for processing (1)
  • .github/workflows/gitops-update.yml

@bedatty bedatty dismissed coderabbitai[bot]’s stale review March 24, 2026 21:31

All comments addressed. CodeQL findings are false positives (with: params, not shell). GitOps docker login default change is intentional.

@bedatty bedatty merged commit 41c8f32 into develop Mar 24, 2026
24 checks passed
@github-actions github-actions bot deleted the feat/build-context-from-working-dir branch March 24, 2026 21:36
@bedatty bedatty restored the feat/build-context-from-working-dir branch March 24, 2026 21:39

Labels: security (Changes to security workflows or vulnerability reporting policy), size/S (PR changes 50–199 lines), workflow (Changes to one or more reusable workflow files)

3 participants