The pull request check workflow validates code changes before they are merged, enforcing quality and security checks and preventing regressions.

Overview

When a pull request is created or updated, the workflow automatically:
  1. Validates code changes
  2. Runs automated tests (Promptfoo, Redteam)
  3. Performs quality checks (SonarQube)
  4. Validates pull request body
  5. Provides feedback to developers

Reusable Components Used

This workflow leverages the following reusable components:
  • pull-request-check.yaml: Main reusable workflow that orchestrates PR validation
  • setup-project: Sets up Python environment and resolves project metadata
  • check-action-pinning: Validates GitHub Actions are pinned to SHA versions
  • code-quality: Runs pylint, pytest, and hadolint checks
  • sonar-check: Performs SonarCloud code analysis (conditional)
  • promptfoo-evaluation: Runs prompt evaluation tests (conditional)
  • promptfoo-redteaming: Runs security and adversarial tests (conditional)
  • security-check: Scans filesystem for vulnerabilities with Trivy
  • validate-pull-request-body: Validates PR body against template
See the Reusable Components page for detailed documentation on each component.
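The check-action-pinning component listed above validates that GitHub Actions references are pinned to commit SHAs rather than to branches or tags. The following Python script is an added example of that check, written for this page and not taken from gc-ai-workflows; the exact rules of the project's own component are not documented here, and the sample workflow text it scans is constructed (it reuses the two `uses:` references from this page's own workflow plus one SHA-pinned action with a made-up SHA).

```python
"""Added example (not part of gc-ai-workflows): flag GitHub Actions
references that are not pinned to a full commit SHA.

A `uses:` reference such as `org/repo@main` or `@v4` resolves to whatever
that branch or tag points at when the job runs, so a compromised or
force-pushed upstream silently changes the code every consumer executes.
A 40-hex-character commit SHA is immutable.
"""
import re

# A `uses:` line: optional leading "- ", then the reference up to whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Return 'local', 'docker', 'sha' or 'mutable' for one uses: value."""
    if uses.startswith("./"):
        return "local"      # action in the same repository; no external ref to pin
    if uses.startswith("docker://"):
        return "docker"     # image refs should be pinned by digest; out of scope here
    if "@" not in uses:
        return "mutable"    # no ref at all means the action's default branch
    ref = uses.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, uses_value) for every reference not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample: the page's own two references plus one pinned action.
# The SHA below is made up for the example, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
jobs:
  verify:
    uses: backbase-common/gc-ai-workflows/.github/workflows/pull-request-check.yaml@main
  validate-pull-request-body:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Validate pull request body
        uses: backbase-common/gc-ai-workflows/validate-pull-request-body@main
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a commit SHA: {ref}")
```

Run against the sample, the script reports both `@main` references and accepts the SHA-pinned checkout. A real check would also want to resolve each reference and confirm the SHA exists in the named repository, since a syntactically valid SHA can still point at a fork.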

Workflow Flowchart

Workflow Triggers

The PR workflow is triggered on the following pull_request event types:
  • PR Opened (opened): When a new pull request is opened
  • PR Edited (edited): When the PR title or body is edited
  • PR Updated (synchronize): When new commits are pushed to the PR branch
  • PR Reopened (reopened): When a closed PR is reopened
  • PR Ready for Review (ready_for_review): When a draft PR is marked ready for review
  • Manual Trigger: Via workflow_dispatch
Target branches:
  • main
  • develop
  • release/**

Validation Steps

1. Code Quality Checks

The reusable pull-request-check.yaml workflow runs:
  • SonarQube Analysis: Code quality and security scanning, enabled by the enableSonar input
  • Source Code Analysis: Static analysis of the tree named by the sourcePath input; the Reusable Components page lists the individual tools (pylint, hadolint, Trivy)
  • Timeout: 360 minutes maximum execution time, set by the timeout input

2. Testing

Comprehensive testing is performed:
  • Promptfoo Tests: Agent prompt and response validation
    • Configuration: promptfoo_config/*.yaml
  • Redteam Tests: Security and adversarial testing
    • Configuration: redteam.yaml
    • Number of tests: 5

3. Pull Request Body Validation

For head branches named feature/*, hotfix/*, or bugfix/*, the PR body is validated to ensure:
  • Required information is present
  • Description follows standards
  • Changes are properly documented
Validation is skipped for:
  • PRs from baasbot
  • PRs with ci skip label

Workflow Configuration

The pull request check workflow is defined in .github/workflows/pull-request-check.yaml:
name: Pull Request Check
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
      - reopened
      - ready_for_review
    branches:
      - main
      - develop
      - release/**
  workflow_dispatch:

jobs:
  verify:
    name: Validate pull request
    uses: backbase-common/gc-ai-workflows/.github/workflows/pull-request-check.yaml@main
    secrets: inherit
    with:
      enableSonar: true
      timeout: 360
      sourcePath: "src/"
      enablePromptfoo: true
      enableRedteam: true
      promptfooConfig: "promptfoo_config/*.yaml"
      redteamConfig: "redteam.yaml"
      redteamNumTests: "5"

  validate-pull-request-body:
    name: Validate pull request body
    runs-on: ubuntu-latest
    if: ${{ ! startsWith(github.event.pull_request.user.login, 'baasbot') && (startsWith(github.head_ref, 'feature/') || startsWith(github.head_ref, 'hotfix/') || startsWith(github.head_ref, 'bugfix/')) && !contains(github.event.pull_request.labels.*.name, 'ci skip') }}
    steps:
      - name: Validate pull request body
        uses: backbase-common/gc-ai-workflows/validate-pull-request-body@main
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
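The validate-pull-request-body job above runs only when the `if:` expression holds, and then checks the body against the PR template. The Python below is an added example, written for this page and not the project's own validate-pull-request-body action: `should_validate` mirrors the three gating rules from the `if:` expression (author login not starting with baasbot, no ci skip label, head branch under feature/, hotfix/ or bugfix/), and `validate_body` checks for required sections. The required headings and the sample PR body are assumptions constructed for the example; the real template file is documented on the Configurations page.

```python
"""Added example (not the project's validate-pull-request-body action):
reproduce the job's gating expression in Python and check a PR body
against a required-section template.
"""
import re

# Gating rules taken from the workflow's `if:` expression on this page.
BRANCH_PREFIXES = ("feature/", "hotfix/", "bugfix/")
SKIP_LABEL = "ci skip"
BOT_LOGIN_PREFIX = "baasbot"

# Hypothetical template: each heading must be present and followed by real text.
REQUIRED_SECTIONS = ("## Description", "## Changes", "## Testing")
# Matches a section that holds only whitespace and/or HTML comments (template hints).
PLACEHOLDER_RE = re.compile(r"^\s*(<!--.*?-->\s*)*$", re.DOTALL)


def should_validate(login: str, head_ref: str, labels: list[str]) -> bool:
    """Mirror the workflow's `if:` for the validate-pull-request-body job."""
    if login.startswith(BOT_LOGIN_PREFIX):
        return False            # automation PRs are exempt
    if SKIP_LABEL in labels:
        return False            # explicit opt-out label
    return head_ref.startswith(BRANCH_PREFIXES)


def split_sections(body: str) -> dict[str, str]:
    """Map each '## Heading' line to the text beneath it, up to the next heading."""
    sections: dict[str, str] = {}
    current = None
    for line in body.splitlines():
        if line.startswith("## "):
            current = line.strip()
            sections[current] = ""
        elif current is not None:
            sections[current] += line + "\n"
    return sections


def validate_body(body: str) -> list[str]:
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    sections = split_sections(body or "")
    for heading in REQUIRED_SECTIONS:
        if heading not in sections:
            problems.append(f"missing section: {heading}")
        elif PLACEHOLDER_RE.match(sections[heading]):
            problems.append(f"empty section: {heading}")
    return problems


# Constructed PR body: the Testing section still holds only the template hint.
SAMPLE_BODY = """\
## Description
Adds rate limiting to the agent's tool-calling loop.

## Changes
- new RateLimiter helper
- unit tests

## Testing
<!-- Describe how you tested this change -->
"""

if __name__ == "__main__":
    if should_validate("jdoe", "feature/rate-limit", ["enhancement"]):
        for problem in validate_body(SAMPLE_BODY):
            print(problem)
```

Treating a section that still contains only the template's HTML comment as empty is the edge case worth handling: a body that merely keeps the template verbatim should fail, not pass because the headings happen to be present.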
[!TIP] See the Configurations page for required secrets and template files.

Two details of this file deserve attention. Both uses: references point at the @main branch of gc-ai-workflows, so any change merged there takes effect in every consuming repository on its next run; pinning to a release tag or commit SHA gives a reviewable upgrade path, which is the same property check-action-pinning enforces for the actions a repository uses. secrets: inherit forwards every secret available to the caller into the reusable workflow; because the trigger is pull_request rather than pull_request_target, pull requests from forks run without those secrets and with a read-only GITHUB_TOKEN.

Configuration Options

SonarQube

Enable SonarQube analysis:
enableSonar: true
sourcePath: "src/"

Promptfoo Testing

Enable prompt and response validation:
enablePromptfoo: true
promptfooConfig: "promptfoo_config/*.yaml"

Redteam Testing

Enable security and adversarial testing:
enableRedteam: true
redteamConfig: "redteam.yaml"
redteamNumTests: "5"

Required Checks

Before a PR can be merged, these checks must pass:
  • ✅ Code quality checks (SonarQube)
  • ✅ All tests passing (Promptfoo, Redteam)
  • ✅ PR body validation (for feature/hotfix/bugfix branches)
  • ✅ Code review approval
  • ✅ No security vulnerabilities

PR Status Checks

The workflow provides two status checks that must pass before merge:
  • Validate pull request: Comprehensive validation including SonarQube, Promptfoo, and Redteam tests
  • Validate pull request body: Ensures the PR description meets standards for feature/hotfix/bugfix branches

Best Practices

  • Small PRs: Keep PRs focused and small for easier review
  • Descriptive Titles: Use clear, descriptive PR titles
  • Complete PR Body: Include detailed description for feature/hotfix/bugfix PRs
  • Test Coverage: Ensure new code has adequate test coverage
  • Documentation: Update documentation for new features

Troubleshooting

Failed Checks

If PR checks fail:
  1. Review the error messages in the PR status
  2. Check SonarQube reports for quality issues
  3. Review Promptfoo test failures
  4. Address Redteam security findings
  5. Fix PR body validation issues
  6. Push fixes to the PR branch

Skipping Checks

To skip PR body validation, add the ci skip label to your PR. The label affects only the validate-pull-request-body job; the verify job has no skip condition and always runs.

Next Steps