From f5ec194937ff37c89fd0c1714aa22e7a2fee9d92 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Thu, 9 Apr 2026 13:34:52 +0100
Subject: [PATCH] Tweaks to CI (#33014)
* Tweak github actions to make Sonar & zizmor happier
* Apply filters on some pnpm install calls
* Remove stale setup-python step
* Add missing needs in complete job
* Remove repository_dispatch for everything bar develop CD js-sdk now runs the tests downstream so this was unnecessary
* Fix prepare desktop for tests in merge queue
* Iterate
* Iterate
* Iterate
* Discard changes to .github/workflows/build_desktop_linux.yaml
* Discard changes to .github/workflows/build_desktop_macos.yaml
---
 .github/actions/download-verify-element-tarball/action.yml | 4 +++-
 .github/workflows/build-and-test.yaml | 3 +--
 .github/workflows/shared-component-visual-tests-netlify.yaml | 4 +++-
 .github/workflows/sonarqube.yml | 4 +++-
 .github/workflows/static_analysis.yaml | 2 --
 .github/workflows/tests.yml | 2 --
 6 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/.github/actions/download-verify-element-tarball/action.yml b/.github/actions/download-verify-element-tarball/action.yml
index a64bc3241b..40855b85c6 100644
--- a/.github/actions/download-verify-element-tarball/action.yml
+++ b/.github/actions/download-verify-element-tarball/action.yml
@@ -31,7 +31,9 @@ runs:
 - name: Move webapp to out-file-path
 shell: bash
- run: mv ${{ runner.temp }}/download-verify-element-tarball/webapp ${{ inputs.out-file-path }}
+ run: mv ${{ runner.temp }}/download-verify-element-tarball/webapp "$OUT_PATH"
+ env:
+ OUT_PATH: ${{ inputs.out-file-path }}
 - name: Clean up temp directory
 shell: bash
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index 19943434e6..01333a7752 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
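Review bot: In the `Move webapp to out-file-path` step of `download-verify-element-tarball/action.yml` the destination now comes from `OUT_PATH` and is quoted, but the source path is still built from an inline `${{ runner.temp }}` expansion and left unquoted, so that half of the command is still subject to word splitting. Both arguments can be handled the same way with the runner's own variable: `run: mv -- "$RUNNER_TEMP/download-verify-element-tarball/webapp" "$OUT_PATH"`. The `--` keeps a caller-supplied `out-file-path` that begins with a dash from being parsed as an option to `mv`. The following `Clean up temp directory` step continues outside the hunk and may use the same inline expansion.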
@@ -18,8 +18,6 @@ on:
 push:
 # We do not build on push to develop as the merge_group check handles that
 branches: [staging, master]
- repository_dispatch:
- types: [element-web-notify]
 # support triggering from other workflows
 workflow_call:
@@ -246,6 +244,7 @@ jobs:
 needs:
 - playwright_ew
 - downstream-modules
+ - prepare_ed
 - build_ed_windows
 - build_ed_linux
 - build_ed_macos
diff --git a/.github/workflows/shared-component-visual-tests-netlify.yaml b/.github/workflows/shared-component-visual-tests-netlify.yaml
index 1f9ae76826..e4b830406d 100644
--- a/.github/workflows/shared-component-visual-tests-netlify.yaml
+++ b/.github/workflows/shared-component-visual-tests-netlify.yaml
@@ -2,7 +2,9 @@
 # It uploads the received images and diffs to netlify, printing the URLs to the console
 name: Upload Shared Component Visual Test Diffs
 on:
- workflow_run:
+ # Privilege escalation necessary to deploy to Netlify
+ # 🚨 We must not execute any checked out code here.
+ workflow_run: # zizmor: ignore[dangerous-triggers]
 workflows: ["Shared Component Visual Tests"]
 types:
 - completed
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 73efd48ba3..e934f05ad1 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -1,6 +1,8 @@
 name: SonarQube
 on:
- workflow_run:
+ # Privilege escalation necessary to call upon SonarCloud
+ # 🚨 We must not execute any checked out code here.
+ workflow_run: # zizmor: ignore[dangerous-triggers]
 workflows: ["Tests"]
 types:
 - completed
diff --git a/.github/workflows/static_analysis.yaml b/.github/workflows/static_analysis.yaml
index f3052ff373..3dd7da0e39 100644
--- a/.github/workflows/static_analysis.yaml
+++ b/.github/workflows/static_analysis.yaml
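Review bot: The `needs:` list in `build-and-test.yaml` is maintained by hand, and this hunk adds `- prepare_ed` after it had been missed, so nothing stops the next new job from being left out in the same way. A comment above `needs:` such as `# Every job that must pass before merge has to be listed here; unlisted jobs are not seen by this job` would make the invariant visible, assuming this is the job the merge gate depends on. The job's `if:` and its result check are outside the hunk, so it is worth confirming there that a `skipped` result for `prepare_ed` or the `build_ed_*` jobs is not counted as a pass.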
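Review bot: The comment added above `workflow_run:` in `shared-component-visual-tests-netlify.yaml` states the safety rule only for checked-out code, while a privileged `workflow_run` job is equally exposed through artifacts and outputs produced by the triggering run, which a fork pull request can control. Because `# zizmor: ignore[dangerous-triggers]` silences the finding from now on, the comment is the only remaining guard and should name that case too, e.g. `# 🚨 We must not execute any checked out code here, and must treat artifacts from the triggering run as untrusted data.` The same wording applies to the identical comment added in `.github/workflows/sonarqube.yml`. The jobs and any `permissions:` block of both workflows are outside these hunks, so it is worth confirming that each job declares only the token scopes and secrets it needs.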
@@ -5,8 +5,6 @@ on:
 branches: [develop, master]
 merge_group:
 types: [checks_requested]
- repository_dispatch:
- types: [element-web-notify]
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
 cancel-in-progress: true
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index dbec96db01..60730451f6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -5,8 +5,6 @@ on:
 types: [checks_requested]
 push:
 branches: [develop, master]
- repository_dispatch:
- types: [element-web-notify]
 workflow_call:
 inputs:
 disable_coverage: