ci: optimize GitHub Actions workflows

[zouyonghe]

Summary

• Rename the docs deployment workflow to avoid showing two release workflows.
• Reduce duplicated CI work by limiting coverage uploads to master/manual runs and shrinking the smoke-test matrix to supported Python versions.
• Align release/Docker dashboard builds with current project tooling and fix workflow lint issues.

Verification

• ruby -e 'require \"psych\"; Dir[\".github/workflows/*.yml\"].each { |f| Psych.load_file(f) }; puts \"workflow YAML OK\"'
• go run github.com/rhysd/actionlint/cmd/actionlint@latest

Summary by Sourcery

Refine GitHub Actions workflows to centralize dashboard build/tooling setup, streamline test and coverage runs, and clarify docs deployment.

New Features:

• Introduce reusable composite actions for setting up pnpm/Node.js and building the dashboard, including optional packaging or copying of build artifacts.

Enhancements:

• Align Docker image, dashboard CI, release, and docs workflows to use shared pnpm/Node.js setup and dashboard build actions with consistent Node and pnpm versions.
• Tighten workflow triggers to only run the dashboard CI when relevant files change and rename the docs workflow to clearly represent documentation deployment.
• Simplify the smoke-test matrix to focus on supported Python/OS combinations and update release tooling to Python 3.12.
• Adjust artifact upload/download actions to specific tagged versions and improve YAML/actionlint compliance in workflows.

Tests:

• Limit coverage workflow execution to branch pushes and manual runs, removing automatic execution on pull requests to reduce redundant CI work.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[sourcery-ai]

Hey - I've left some high level feedback:

• The coverage_test.yml workflow description mentions limiting coverage uploads to master, but the on: push trigger has no branches filter; if you truly intend to restrict this to master you may want to add an explicit branches: [ master ] to avoid running coverage on all branches.
• The Docker dashboard build now uses Node.js 24.13.0 while the dedicated dashboard_ci.yml workflow appears to use a different version; consider aligning these Node versions to avoid subtle build inconsistencies between CI and release images.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `coverage_test.yml` workflow description mentions limiting coverage uploads to master, but the `on: push` trigger has no `branches` filter; if you truly intend to restrict this to `master` you may want to add an explicit `branches: [ master ]` to avoid running coverage on all branches.
- The Docker dashboard build now uses Node.js `24.13.0` while the dedicated `dashboard_ci.yml` workflow appears to use a different version; consider aligning these Node versions to avoid subtle build inconsistencies between CI and release images.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[zouyonghe]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The pnpm/Node.js setup and dashboard build steps are now duplicated across multiple workflows (docker-image nightly/release, dashboard_ci, release, build-docs); consider extracting these into a reusable workflow or composite action to keep the CI configuration DRY and easier to update.
• The smoke_test job’s matrix definition combines a base matrix with an include list; you might simplify readability by defining the explicit set of supported (os, python-version) combinations directly (or via include only) so it’s immediately clear which environments are intended to run.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The pnpm/Node.js setup and dashboard build steps are now duplicated across multiple workflows (docker-image nightly/release, dashboard_ci, release, build-docs); consider extracting these into a reusable workflow or composite action to keep the CI configuration DRY and easier to update.
- The smoke_test job’s matrix definition combines a base matrix with an `include` list; you might simplify readability by defining the explicit set of supported (os, python-version) combinations directly (or via `include` only) so it’s immediately clear which environments are intended to run.

## Individual Comments

### Comment 1
<location path=".github/workflows/docker-image.yml" line_range="47-56" />
<code_context>
       - name: checkout
         uses: actions/checkout@v6
       - name: Setup pnpm
-        uses: pnpm/action-setup@v5.0.0
+        uses: pnpm/action-setup@v6.0.3
</code_context>
<issue_to_address>
**suggestion:** Reduce duplication by extracting the pnpm/Node.js setup into a reusable workflow or composite action.

This pnpm/Node.js setup is duplicated across nightly and release jobs. If you expect to reuse this pattern elsewhere, consider a reusable workflow (`workflow_call`) or composite action to centralize version and cache configuration and avoid them drifting over time.

Suggested implementation:

```
      - name: Setup pnpm and Node.js
        uses: ./.github/actions/setup-pnpm-node
        with:
          pnpm-version: 10.28.2
          node-version: '24.13.0'
          cache-dependency-path: dashboard/pnpm-lock.yaml

```

To complete this refactor you will also need to:

1. Create a composite action at `.github/actions/setup-pnpm-node/action.yml` with roughly:
   - `inputs`: `pnpm-version` (required), `node-version` (required), `cache-dependency-path` (optional).
   - `runs.using: "composite"`.
   - `steps`:
     - A step using `pnpm/action-setup@v6.0.3` with `with.version: ${{ inputs.pnpm-version }}`.
     - A step using `actions/setup-node@v6` with:
       - `node-version: ${{ inputs.node-version }}`
       - `cache: pnpm`
       - `cache-dependency-path: ${{ inputs.cache-dependency-path }}` (conditionally if provided).
2. Update the other workflow(s) (e.g. nightly and release jobs) that currently duplicate this pnpm/Node.js setup to use the same composite action, ensuring versions and cache settings stay centralized.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[zouyonghe]

@sourcery-ai review

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[SourceryAI]

Hey - I've left some high level feedback:

• The dashboard build logic (pnpm install/build, version file creation, copying/archiving dist) is duplicated across multiple workflows; consider extracting it into a reusable script or composite action to keep behavior consistent and easier to update.
• In dashboard_ci.yml, the Inject Commit SHA step writes COMMIT_SHA to $GITHUB_ENV but then uses the local commit_sha variable instead; either consume the env var later or drop the $GITHUB_ENV write to avoid confusion.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The dashboard build logic (pnpm install/build, version file creation, copying/archiving dist) is duplicated across multiple workflows; consider extracting it into a reusable script or composite action to keep behavior consistent and easier to update.
- In `dashboard_ci.yml`, the `Inject Commit SHA` step writes `COMMIT_SHA` to `$GITHUB_ENV` but then uses the local `commit_sha` variable instead; either consume the env var later or drop the `$GITHUB_ENV` write to avoid confusion.

---

Hi @zouyonghe! 👋

Thanks for trying out Sourcery by commenting with @sourcery-ai review! 🚀

Install the sourcery-ai bot to get automatic code reviews on every pull request ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[zouyonghe]

@sourcery-ai review

[sourcery-ai]

Hey - I've left some high level feedback:

• With the new path filters on dashboard_ci.yml, changes to the shared composite actions (e.g. .github/actions/build-dashboard or setup-pnpm-node) won’t trigger dashboard CI, which could let breakages slip through; consider expanding the paths list to include those action directories.
• The pnpm and Node.js versions (10.28.2 / 24.13.0) are repeated in multiple workflows and in the composite action inputs; you might want to centralize them (e.g. via workflow env or reusable workflow inputs) to make future upgrades less error-prone.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- With the new path filters on `dashboard_ci.yml`, changes to the shared composite actions (e.g. `.github/actions/build-dashboard` or `setup-pnpm-node`) won’t trigger dashboard CI, which could let breakages slip through; consider expanding the `paths` list to include those action directories.
- The pnpm and Node.js versions (`10.28.2` / `24.13.0`) are repeated in multiple workflows and in the composite action inputs; you might want to centralize them (e.g. via workflow `env` or reusable workflow inputs) to make future upgrades less error-prone.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[SourceryAI]

Hey - I've reviewed your changes and they look great!

---

Hi @zouyonghe! 👋

Thanks for trying out Sourcery by commenting with @sourcery-ai review! 🚀

Install the sourcery-ai bot to get automatic code reviews on every pull request ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[zouyonghe]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 1 issue

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path=".github/workflows/build-docs.yml" line_range="25-26" />
<code_context>
+          pnpm-version: ${{ env.PNPM_VERSION }}
+          node-version: ${{ env.NODE_VERSION }}
           cache-dependency-path: docs/pnpm-lock.yaml
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
</code_context>
<issue_to_address>
**suggestion (performance):** Consider scoping the pnpm install to the docs directory to match the cache lockfile path and avoid installing root dependencies.

`cache-dependency-path` points to `docs/pnpm-lock.yaml`, but `pnpm install --frozen-lockfile` runs from the repo root. That can desync the cache from the actual install and pull in root-level workspace deps unnecessarily. Running this step with `working-directory: docs` would align it with the cache and avoid extra installs.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[zouyonghe]

@sourcery-ai review

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[lxfight]

Hey - I've reviewed your changes and they look great!