feat(ci): Add reusable GitHub actions for CI setup; Bump actions/checkout to v6.0.2.#110

Merged
Bill-hbrhbr merged 8 commits into y-scope:main from Bill-hbrhbr:add-gh-actions-export
Apr 8, 2026

Contributor

@Bill-hbrhbr Bill-hbrhbr commented Apr 4, 2026

Description

Adds reusable composite actions for shared CI tool setup and updates this repo’s workflows to use them as well.

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a
    breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

Summary by CodeRabbit

  • New Features

    • Added a reusable action to report installed tool versions in CI.
    • Added reusable install actions for go-task, Python, uv and Java with configurable version inputs.
  • Chores

    • Updated CI workflows to use the new composite actions for tool installation and reporting, improving consistency and visibility.

Contributor

coderabbitai bot commented Apr 4, 2026

Walkthrough

Adds five reusable GitHub composite actions (install-go-task, install-python, install-uv, install-java, print-tool-versions) and updates two CI workflows to use these local actions instead of inline installation commands.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Installation Composite Actions: exports/github/actions/install-go-task/action.yaml, exports/github/actions/install-python/action.yaml, exports/github/actions/install-uv/action.yaml, exports/github/actions/install-java/action.yaml | New composite actions that expose optional inputs (version/distribution) and delegate installation to pinned upstream setup actions. install-go-task includes a macOS conditional to install coreutils if md5sum is missing. |
| Tool Version Reporter: exports/github/actions/print-tool-versions/action.yaml | New composite action that loops a predefined TOOLS list and prints each tool's --version or reports it as not found. |
| Workflow Updates: .github/workflows/code-linting-checks.yaml, .github/workflows/unit-tests.yaml | Workflows replaced inline installers with local composite actions (./exports/.../install-go-task, install-uv, etc.), pinned actions/checkout commits, and added a step to run ./exports/.../print-tool-versions before task/test steps. |

Sequence Diagram(s)

sequenceDiagram
  participant Workflow as "GitHub Workflow"
  participant Composite as "Local Composite Action"
  participant Upstream as "Pinned Upstream Action"
  participant Runner as "Runner (shell)"

  rect rgba(200,220,255,0.5)
    Workflow->>Composite: call ./exports/.../install-go-task (version)
    Composite->>Upstream: uses go-task/setup-task@<commit> (with.version)
    Upstream->>Runner: install go-task on runner
    Runner-->>Upstream: install result
    Upstream-->>Composite: success/failure
    Composite-->>Workflow: step result
  end

  rect rgba(200,255,220,0.5)
    Workflow->>Composite: call ./exports/.../print-tool-versions
    Composite->>Runner: run loop (tool --version || echo "not found")
    Runner-->>Composite: versions output
    Composite-->>Workflow: printed tool versions
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main changes: adding reusable GitHub actions for CI setup and bumping actions/checkout to v6.0.2. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@Bill-hbrhbr Bill-hbrhbr marked this pull request as ready for review April 4, 2026 18:59
@Bill-hbrhbr Bill-hbrhbr requested a review from a team as a code owner April 4, 2026 18:59
@Bill-hbrhbr Bill-hbrhbr changed the title feat(ci): Add reusable GitHub actions. feat(ci): Add reusable GitHub actions for CI setup. Apr 4, 2026
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@exports/github/actions/install-go-task/action.yaml`:
- Around line 13-16: Update the macOS install step (the job entry with if:
"'macOS' == runner.os" and name "Install coreutils (for md5sum)") to first check
whether md5sum is already available and only run brew install coreutils when it
is missing; change the run field to perform a command existence check (e.g., use
command -v or which for md5sum) and conditionally invoke brew install coreutils
to avoid unnecessary installs and CI latency/failures.

In `@exports/github/actions/log-tool-versions/action.yaml`:
- Around line 19-24: The loop that runs each tool's version ("while IFS= read -r
tool; do" / the invocation "${tool}" --version) can fail the step if a tool
returns non-zero; make the version check best-effort by suppressing non-zero
exits for the version command (e.g., run the "${tool}" --version invocation in a
way that ignores its exit code or append a fallback like "|| true"), and
optionally emit a clear diagnostic when the version command fails so the loop
continues rather than aborting the job.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a043c97b-1e6f-442f-82d4-67acebdc069f

📥 Commits

Reviewing files that changed from the base of the PR and between 99431c2 and bb51cc5.

📒 Files selected for processing (4)
  • exports/github/actions/install-go-task/action.yaml
  • exports/github/actions/install-python/action.yaml
  • exports/github/actions/install-uv/action.yaml
  • exports/github/actions/log-tool-versions/action.yaml

Comment thread exports/github/actions/install-go-task/action.yaml Outdated
Comment thread exports/github/actions/print-tool-versions/action.yaml
@Bill-hbrhbr Bill-hbrhbr requested a review from davidlion April 4, 2026 19:05
@Bill-hbrhbr Bill-hbrhbr changed the title feat(ci): Add reusable GitHub actions for CI setup. feat(ci): Add reusable GitHub actions for CI setup; Bump actions/checkout to v6.0.2. Apr 4, 2026
@Bill-hbrhbr Bill-hbrhbr changed the title feat(ci): Add reusable GitHub actions for CI setup; Bump actions/checkout to v6.0.2. feat(ci): Add reusable GitHub actions for CI setup; Bump actions/checkout to v6.0.2. Apr 4, 2026
@Bill-hbrhbr Bill-hbrhbr requested a review from junhaoliao April 4, 2026 19:09
Comment thread exports/github/actions/print-tool-versions/action.yaml
Member

Iirc doesn't uv manage/setup the python version to run? If we have uv do we still need to manually install python?

Contributor Author

I think some repos still directly use python3/python3 -m venv instead of uv for some of the task workflows. uv is definitely nicer but not yet standardized.

Member

We should discuss more with multiple people, but we might want to manually install uv through our tasks similar to what CLP does with rust (also that toolchain code probably should be moved to dev-utils).

In other words, for tools such as rust and uv that are "easy" for us to manage ourselves we can create tasks to install and setup the environment so that both local builds and CI can benefit.

These CI actions would be reserved for tools we expect the user to deal with themselves.

Contributor Author

We already have scripts to install cmake, task, and uv via pipx (see my pending PR: https://github.com/y-scope/clp/pull/1320/changes). The main advantage of pipx is that it avoids modifying system directories. By prepending the pipx bin path to PATH, we can ensure those versions take priority.

Similarly, using GitHub Actions to set up these tools removes the need to worry about runner environment differences, user and group handling, figuring out which parts of our scripts to run, or invoking sudo.

Furthermore, the setup-task and setup-uv actions are published by their respective maintainers, so they are generally reliable and safe to depend on.

Contributor Author

FYI we are also adding nodejs to the toolchains.

Contributor Author

@coderabbitai Open an issue for this discussion.

Contributor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh issue create \
  --repo y-scope/yscope-dev-utils \
  --title "feat: Evaluate task-based tool installation vs. GitHub Actions for tools like uv and nodejs" \
  --assignee "Bill-hbrhbr" \
  --body "## Summary

A discussion in `#110` raised the question of whether tools like \`uv\` (and potentially \`nodejs\`) should be installed via [task](https://taskfile.dev/) scripts rather than dedicated GitHub composite Actions.

## Context

In [`#110` (comment)](https://github.com/y-scope/yscope-dev-utils/pull/110#discussion_r3040110941), `@davidlion` suggested that for tools which are relatively easy for us to manage ourselves (e.g., \`uv\`, \`rust\`), we could create task scripts to install and set up the environment — similar to how [CLP handles rust](https://github.com/y-scope/clp/blob/main/taskfiles/toolchains.yaml#L57). This approach would benefit both local builds and CI pipelines equally, while CI composite actions would be reserved for tools that users are expected to manage themselves.

`@davidlion` also noted that the toolchain code from CLP probably should eventually be moved into \`yscope-dev-utils\`.

`@Bill-hbrhbr` noted several advantages of the current approach using \`pipx\` and GitHub Actions (see [CLP `#1320`](https://github.com/y-scope/clp/pull/1320/changes)):
- \`pipx\` avoids modifying system directories; prepending the pipx bin path to \`PATH\` ensures correct version priority.
- GitHub Actions remove the need to handle runner environment differences, user/group handling, partial script invocation, and \`sudo\`.
- \`setup-task\` and \`setup-uv\` are published by their respective maintainers, making them reliable dependencies.

Additionally, \`nodejs\` is being considered for addition to toolchains.

## Discussion Points

- Should tools like \`uv\` be installed via task scripts to unify local and CI setup?
- Which tools are best managed via GitHub composite Actions vs. task scripts?
- Should CLP's toolchain task scripts be migrated to \`yscope-dev-utils\`?

## References

- PR: https://github.com/y-scope/yscope-dev-utils/pull/110
- Discussion comment: https://github.com/y-scope/yscope-dev-utils/pull/110#discussion_r3040110941
- CLP toolchains reference: https://github.com/y-scope/clp/blob/main/taskfiles/toolchains.yaml#L57
- CLP PR with pipx-based install: https://github.com/y-scope/clp/pull/1320/changes

Opened by `@Bill-hbrhbr`."

Length of output: 54


@Bill-hbrhbr, I've opened a new issue to track this discussion: #111

The issue captures:

  • @davidlion's suggestion to use task-based installation for "easy" tools like uv (similar to CLP's rust toolchain), benefiting both local and CI builds.
  • Your points on the advantages of pipx and GitHub Actions (no sudo, no runner environment concerns, maintainer-published actions).
  • The potential migration of CLP's toolchain task scripts into yscope-dev-utils.
  • The consideration of adding nodejs to toolchains.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@exports/github/actions/install-java/action.yaml`:
- Around line 20-21: Update the template expressions used for the distribution
and java-version inputs to use the idiomatic GitHub Actions spacing: change
`${{inputs.distribution}}` to `${{ inputs.distribution }}` and
`${{inputs.version}}` to `${{ inputs.version }}` in the action.yaml so the keys
distribution and java-version reference inputs with the spaced `${{ ... }}`
format for readability and consistency.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a867df3b-3cef-4c14-9343-e0f0ec37f7ed

📥 Commits

Reviewing files that changed from the base of the PR and between bb51cc5 and 8890f69.

📒 Files selected for processing (5)
  • .github/workflows/code-linting-checks.yaml
  • .github/workflows/unit-tests.yaml
  • exports/github/actions/install-go-task/action.yaml
  • exports/github/actions/install-java/action.yaml
  • exports/github/actions/print-tool-versions/action.yaml

Comment thread exports/github/actions/install-java/action.yaml Outdated
@Bill-hbrhbr Bill-hbrhbr requested a review from davidlion April 7, 2026 03:57
Contributor

@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (1)
exports/github/actions/print-tool-versions/action.yaml (1)

26-29: ⚠️ Potential issue | 🟡 Minor

Differentiate “not found” from “version check failed”.

At Line 28, every non-zero from --version is reported as not found, which can hide real tool/runtime issues.

♻️ Suggested fix
         while IFS= read -r tool; do
-          if ! "${tool}" --version; then
-            echo "${tool} not found"
+          if command -v "${tool}" >/dev/null 2>&1; then
+            if ! "${tool}" --version; then
+              echo "${tool} --version failed"
+            fi
+          else
+            echo "${tool} not found"
           fi
         done <<< "${TOOLS}"
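Review bot: In the `while IFS= read -r tool` loop fed by `<<< "${TOOLS}"`, any empty line in TOOLS reaches `command -v "${tool}"` with an empty name and prints " not found" with nothing in front of it; skip empty entries before the existence check. The `--version failed` branch also discards the exit status, so the log cannot distinguish a crashing tool from one that rejects the flag; record the status in that message, and consider writing both diagnostics to stderr so they stand apart from the version output.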
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@exports/github/actions/print-tool-versions/action.yaml` around lines 26 - 29,
The loop currently treats any non-zero exit from running "${tool}" --version as
"not found"; first test existence of the executable (e.g., use command -v or
type to check "${tool}") and only print "${tool} not found" when that check
fails, otherwise run "${tool} --version" and, if it returns non-zero, print a
different message like "${tool} version check failed" (apply this change around
the while loop and the if that invokes "${tool}" --version to separate existence
check from version-check failures).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@exports/github/actions/print-tool-versions/action.yaml`:
- Around line 26-29: The loop currently treats any non-zero exit from running
"${tool}" --version as "not found"; first test existence of the executable
(e.g., use command -v or type to check "${tool}") and only print "${tool} not
found" when that check fails, otherwise run "${tool} --version" and, if it
returns non-zero, print a different message like "${tool} version check failed"
(apply this change around the while loop and the if that invokes "${tool}"
--version to separate existence check from version-check failures).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7b4a8b74-52c7-4e9c-941d-fe6e4c6927ce

📥 Commits

Reviewing files that changed from the base of the PR and between 8890f69 and 7df10b9.

📒 Files selected for processing (5)
  • exports/github/actions/install-go-task/action.yaml
  • exports/github/actions/install-java/action.yaml
  • exports/github/actions/install-python/action.yaml
  • exports/github/actions/install-uv/action.yaml
  • exports/github/actions/print-tool-versions/action.yaml

Member

@junhaoliao junhaoliao left a comment

I have no further concerns other than the ones @davidlion has brought up. If I understand correctly, we will create follow-up PRs to address those. Then I think we can merge this PR first to quickly unblock the other PRs across different repos that address potential security risks in the CI pipelines.

Let's wait for @davidlion's confirmation before merging.

@Bill-hbrhbr Bill-hbrhbr merged commit 38bf51e into y-scope:main Apr 8, 2026
7 checks passed
@Bill-hbrhbr Bill-hbrhbr deleted the add-gh-actions-export branch April 8, 2026 07:11
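
Added example (not part of this PR or the y-scope repository): a POSIX shell audit that classifies every `uses:` reference as local, commit-pinned, or mutable, which is the property the walkthrough describes for the upstream setup actions and `actions/checkout`. The function names, the sample workflow and its 40-character SHA are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `uses:` references in workflow / composite-action YAML.
# The sample workflow and its 40-character SHA are constructed for illustration.

# Print the class of one reference: local | docker | pinned | mutable.
classify_uses_ref() {
  case "$1" in
    ./*|../*) echo local ;;          # action stored in this repository
    docker://*) echo docker ;;       # container image, audited separately
    *@*)
      rev="${1##*@}"
      # Only a full lowercase 40-hex commit SHA counts as immutable.
      if [ "${#rev}" -eq 40 ] && ! printf '%s' "${rev}" | grep -q '[^0-9a-f]'; then
        echo pinned
      else
        echo mutable                 # tag or branch: can be moved upstream
      fi ;;
    *) echo mutable ;;
  esac
}

# Read YAML on stdin, print "<class> <ref>" for each `uses:` line,
# and return 1 if any reference is mutable.
audit_uses() {
  sed -n 's/^[[:space:]]*\(-[[:space:]]\{1,\}\)\{0,1\}uses:[[:space:]]*\([^[:space:]#]*\).*$/\2/p' |
    tr -d "\"'" |
    (
      status=0
      while IFS= read -r ref; do
        class="$(classify_uses_ref "${ref}")"
        echo "${class} ${ref}"
        if [ "${class}" = mutable ]; then status=1; fi
      done
      exit "${status}"
    )
}

# Constructed sample input: one tag reference, one SHA reference, two local actions.
sample_workflow() {
  cat <<'EOF'
jobs:
  lint:
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: "go-task/setup-task@0123456789abcdef0123456789abcdef01234567"
      - uses: ./exports/github/actions/install-go-task
      - name: Print tool versions
        uses: ./exports/github/actions/print-tool-versions
EOF
}

sample_workflow | audit_uses || echo "mutable action references found"
```

Local `./` references inherit the pinning of whatever the composite action itself calls, so the same audit should be run over each `action.yaml` as well as the workflows.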