Shared, versioned reusable workflows for use across Comfy-Org repositories.
This repo is public so any repo — public or private, inside or outside the org — can call these workflows with no extra GitHub Actions settings.
| Workflow | Purpose |
|---|---|
| `detect-unreviewed-merge.yml` | SOC 2 compliance: detects PRs merged without prior approval and opens a tracking issue in Comfy-Org/unreviewed-merges. |
| `cursor-review.yml` | Label-triggered multi-model code review. A 4-lab × 2-review-type cursor-agent panel runs adversarial and edge-case passes, a judge model consolidates them into one PR review with per-finding severity badges, and the triggerer gets Slack start/complete DMs. Prompts and scripts live in `.github/cursor-review/`, the single source of truth, so consumer repos carry only a thin caller. Requires `CURSOR_API_KEY` (plus optional `SLACK_BOT_TOKEN`). |
| `cursor-review-auto-label.yml` | Companion to `cursor-review.yml`. On PR assignment, applies the review label for an opted-in reviewer (via the CLOUD_CODE_BOT app token, so the label actually triggers the review; labels applied with the default `GITHUB_TOKEN` do not fire workflows). The opt-in roster lives in the caller's `vars.CURSOR_REVIEW_OPTED_IN_LOGINS`; no roster is baked into the workflow. Requires `vars.APP_ID` and `CLOUD_CODE_BOT_PRIVATE_KEY`. |
Reference a workflow by full path and pin to a full commit SHA (with the version as a trailing comment). Also set explicit minimum permissions (at workflow level, as below, or on the calling job) so the default permissive token scope isn't granted. A called reusable workflow can only downgrade the permissions it receives from the caller, never elevate them, so if a workflow needs a write scope (for example to post a PR review) the caller must grant that scope; check the workflow's header comment for what it needs.

```yaml
permissions:
  contents: read
  pull-requests: read

jobs:
  my-job:
    uses: Comfy-Org/github-workflows/.github/workflows/<workflow-name>.yml@<sha> # v1
    with:
      <input>: <value>
    secrets:
      <SECRET>: ${{ secrets.<SECRET> }}
```

The SHA-pin format satisfies pin-validation tooling (pinact, zizmor, etc.) and gives auditors immutable supply-chain evidence. Dependabot/Renovate can auto-bump the SHA when the upstream tag moves.
A bare @v1 tag is technically allowed but will fail in repos that run pin-validation in CI (e.g. cloud, ComfyUI_frontend).
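To show what pin validation actually checks, here is a small standalone checker, added as an example for this README (it is not one of the tools named above and not part of this repo): it scans a workflow file for `uses:` references and flags any that are not pinned to a full 40-hex commit SHA, or that carry a SHA without the trailing version comment. The sample workflow text and its SHA are constructed for the example and do not refer to real commits.

```python
#!/usr/bin/env python3
"""Flag `uses:` references in a GitHub Actions workflow that are not SHA-pinned.

Rules mirror what pinact/zizmor-style tooling complains about:
  - the ref after `@` must be a full 40-hex commit SHA (tags like `v1` fail);
  - a SHA pin should carry a trailing `# <version>` comment for readability;
  - local actions (`./...`) and `docker://` images are out of scope here.
"""
import re
import sys

# `uses: owner/repo/path@ref  # optional comment`, with or without a leading `- `.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)\s*(?:#\s*(.*?))?\s*$")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def check_pins(workflow_text: str) -> list[dict]:
    """Return one finding per offending `uses:` line (empty list means all pinned)."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1).strip("\"'"), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local path or container image: no git ref to pin
        if "@" not in target:
            findings.append({"line": lineno, "uses": target, "problem": "no ref at all"})
            continue
        repo, ref = target.rsplit("@", 1)
        if not SHA_RE.fullmatch(ref):
            findings.append({"line": lineno, "uses": target,
                             "problem": "not a full 40-hex commit SHA (mutable tag/branch)"})
        elif not comment:
            findings.append({"line": lineno, "uses": target,
                             "problem": "SHA pin without trailing version comment"})
    return findings


# Constructed sample: one caller pinned to a floating tag, one SHA pin without a
# version comment, one correct pin, one local action. The SHA is a placeholder.
SAMPLE = """\
name: ci
jobs:
  review:
    uses: Comfy-Org/github-workflows/.github/workflows/cursor-review.yml@v1
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
"""


def main(argv: list[str]) -> int:
    """Usage: pincheck.py [workflow.yml ...]; with no args, checks the embedded sample."""
    sources = {p: open(p, encoding="utf-8").read() for p in argv[1:]} or {"<sample>": SAMPLE}
    bad = 0
    for name, text in sources.items():
        for f in check_pins(text):
            bad += 1
            print(f"{name}:{f['line']}: {f['uses']}: {f['problem']}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the embedded sample and it reports line 4 (the `@v1` caller) and line 9 (the uncommented SHA) and exits non-zero, which is the behaviour a CI gate wants; the local action on line 10 is skipped. It deliberately does not resolve tags to SHAs, so it stays offline and never trusts the network for a pass/fail decision.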
Per-workflow inputs, required secrets, and triggers are documented in each workflow file's header comment.
Workflows in this repo use semver-style major-version tags (v1, v2, …).

- Breaking changes bump the major (v1→v2); callers opt in.
- Backwards-compatible changes update the existing major tag in place (`git tag -f v1 <sha> && git push -f origin v1`): callers pinned to the tag pick up the update on the next run; callers pinned to a SHA opt in by bumping the SHA.
- Add the workflow file under `.github/workflows/<descriptive-name>.yml` with `on: workflow_call:` and a header comment documenting inputs/secrets.
- Update the table in this README.
- Move the floating `v1` tag (or cut a new major) once the change is reviewed and merged.