From 12fb54c66edd972df36cb8ef73c1d8d975a2db2c Mon Sep 17 00:00:00 2001
From: Bart <bthomee@users.noreply.github.com>
Date: Fri, 17 Oct 2025 12:04:58 -0400
Subject: [PATCH] chore: Clean up Conan variables in CI (#5903)

This change sanitizes inputs by setting them as environment variables, and adjusts the number of CPUs used for building. Namely, GitHub inputs should be sanitized, per recommendation by Semgrep, as using them directly poses a security risk. A recent change further overrode the global configuration by having builds use all cores, but as we have noticed an increased number of job cancelation this change updates it to use all cores less one.

Co-authored-by: Bart Thomee <11445373+bthomee@users.noreply.github.com>
---
 .github/actions/build-deps/action.yml      | 6 +++---
 .github/workflows/reusable-notify-clio.yml | 4 +++-
 conan/global.conf                          | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/actions/build-deps/action.yml b/.github/actions/build-deps/action.yml
index 7b2a3c385a..d99ea77bf5 100644
--- a/.github/actions/build-deps/action.yml
+++ b/.github/actions/build-deps/action.yml
@@ -28,6 +28,7 @@ runs:
         BUILD_DIR: ${{ inputs.build_dir }}
         BUILD_OPTION: ${{ inputs.force_build == 'true' && '*' || 'missing' }}
         BUILD_TYPE: ${{ inputs.build_type }}
+        VERBOSITY: ${{ inputs.verbosity }}
       run: |
         echo 'Installing dependencies.'
         mkdir -p '${{ env.BUILD_DIR }}'
@@ -38,7 +39,6 @@ runs:
           --options:host='&:tests=True' \
           --options:host='&:xrpld=True' \
           --settings:all build_type='${{ env.BUILD_TYPE }}' \
-          --conf:all tools.build:verbosity='${{ inputs.verbosity }}' \
-          --conf:all tools.compilation:verbosity='${{ inputs.verbosity }}' \
-          --conf:all tools.build:jobs=$(nproc) \
+          --conf:all tools.build:verbosity='${{ env.VERBOSITY }}' \
+          --conf:all tools.compilation:verbosity='${{ env.VERBOSITY }}' \
           ..
diff --git a/.github/workflows/reusable-notify-clio.yml b/.github/workflows/reusable-notify-clio.yml
index 99009d953e..fe749beac9 100644
--- a/.github/workflows/reusable-notify-clio.yml
+++ b/.github/workflows/reusable-notify-clio.yml
@@ -64,7 +64,9 @@ jobs:
           conan_remote_name: ${{ inputs.conan_remote_name }}
           conan_remote_url: ${{ inputs.conan_remote_url }}
       - name: Log into Conan remote
-        run: conan remote login ${{ inputs.conan_remote_name }} "${{ secrets.conan_remote_username }}" --password "${{ secrets.conan_remote_password }}"
+        env:
+          CONAN_REMOTE_NAME: ${{ inputs.conan_remote_name }}
+        run: conan remote login ${{ env.CONAN_REMOTE_NAME }} "${{ secrets.conan_remote_username }}" --password "${{ secrets.conan_remote_password }}"
       - name: Upload package
         env:
           CONAN_REMOTE_NAME: ${{ inputs.conan_remote_name }}
diff --git a/conan/global.conf b/conan/global.conf
index 41ac76da89..a184adf629 100644
--- a/conan/global.conf
+++ b/conan/global.conf
@@ -3,4 +3,4 @@
 core:non_interactive=True
 core.download:parallel={{ os.cpu_count() }}
 core.upload:parallel={{ os.cpu_count() }}
-tools.build:jobs={{ (os.cpu_count() * 4/5) | int }}
+tools.build:jobs={{ os.cpu_count() - 1 }}