Use workflow-setup outputs for repo name; inline safe step-outcome expressions

[Copilot]

Two issues with the check workflows: github.event.repository.name was used directly instead of the pre-sanitized workflow-setup outputs, and step outcome values were unnecessarily wrapped in intermediate env vars despite being safe to inline.

Changes

• Replace github.event.repository.name with needs.setup.outputs.repo across all check workflows — derive the short name in bash via REPO_NAME="${REPO##*/}". In clang-tidy-fix.yaml the parse_comment step runs before workflow-setup, so $GITHUB_REPOSITORY (GitHub's built-in env var) is used instead.

• Remove unnecessary env-var wrappers for step outcomes — LINT_OUTCOME, RUFF_OUTCOME, MYPY_OUTCOME are always one of four controlled strings and are never user-provided; inlined directly as ${{ steps.X.outcome }}.

  # Before
  env:
    LINT_OUTCOME: ${{ steps.lint.outcome }}
    REPO_NAME: ${{ github.event.repository.name }}
  run: |
    if [ "${LINT_OUTCOME}" = 'success' ]; then ...
  
  # After
  env:
    REPO: ${{ needs.setup.outputs.repo }}
  run: |
    REPO_NAME="${REPO##*/}"
    if [ "${{ steps.lint.outcome }}" = 'success' ]; then ...

• Preserve clang-tidy-check non-failing behavior — finding diagnostics emits ::warning:: but does not exit non-zero; only a build tooling failure (cmake exits without any diagnostic output) fails the job.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[greenc-FNAL]

Review the full CodeQL report for details.

[Copilot]

Pull request overview

This PR refactors multiple CI workflows to rely on workflow-setup outputs for repository identification (instead of github.event.repository.name) and simplifies shell logic by inlining safe step outcome expressions, while also tightening checkout behavior and improving relevance detection infrastructure.

Changes:

• Replace direct uses of github.event.repository.name with needs.setup.outputs.repo (deriving REPO_NAME via REPO_NAME="${REPO##*/}") across check workflows.
• Inline step outcome expressions (${{ steps.*.outcome }}) instead of routing them through intermediate env vars; simplify several scripts by passing stable values via env.
• Improve relevance detection plumbing: add exclude-globs, switch to git ls-tree enumeration, and enable an “empty sparse-checkout” mode for change-detection checkouts.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/workflows/yaml-fix.yaml	Use working-directory instead of cd for formatter execution.
.github/workflows/yaml-check.yaml	Use needs.setup.outputs.repo to construct bot command hint; disable persisted checkout creds.
.github/workflows/python-check.yaml	Same repo/bot hint update; disable persisted checkout creds.
.github/workflows/markdown-check.yaml	Same repo/bot hint update; disable persisted checkout creds.
.github/workflows/jsonnet-format-fix.yaml	Use $GITHUB_WORKSPACE in docker volume mount (shell-native) for consistency.
.github/workflows/jsonnet-format-check.yaml	Same repo/bot hint update; disable persisted checkout creds.
.github/workflows/header-guards-check.yaml	Same repo/bot hint update; disable persisted checkout creds.
.github/workflows/dependabot-auto-merge.yaml	Replace expression-based event access with $GITHUB_EVENT_* + jq parsing; streamline env usage.
.github/workflows/coverage.yaml	Inline workflow_dispatch inputs via env; reduce repeated expressions; disable persisted checkout creds.
.github/workflows/codeql-analysis.yaml	Inline safe contexts via env; use $GITHUB_EVENT_* + jq for PR number; reduce expression repetition.
.github/workflows/cmake-format-fix.yaml	Use working-directory and run gersemi against ..
.github/workflows/cmake-format-check.yaml	Quote checkout path via env; same repo/bot hint update; disable persisted checkout creds.
.github/workflows/cmake-build.yaml	Use env for build path in cd; disable persisted checkout creds.
.github/workflows/clang-tidy-fix.yaml	Derive bot name from $GITHUB_REPOSITORY; make artifact fix application path-robust; add issues: write.
.github/workflows/clang-tidy-check.yaml	Disable persisted checkout creds; adjust failure/diagnostic handling and include bot hint in output.
.github/workflows/clang-format-check.yaml	Same repo/bot hint update; disable persisted checkout creds.
.github/workflows/actionlint-check.yaml	Use env-provided checkout path; mount via $GITHUB_WORKSPACE consistently; disable persisted checkout creds.
.github/actions/run-change-detection/action.yaml	Configure sparse checkout to avoid materializing PR files; thread through exclude-globs.
.github/actions/detect-relevant-changes/action.yaml	Add exclude-globs; replace find with git ls-tree enumeration to work under sparse/empty working trees.

---

You can also share your feedback on Copilot code review. Take the survey.