Add conftest rule to enforce defaults.run.shell: bash in GitHub Actions workflows #19107

Merged
harupy merged 3 commits into master from copilot/add-conftest-rule-shell-true
Nov 28, 2025

Copilot AI commented Nov 28, 2025

Related Issues/PRs

#xxx

What changes are proposed in this pull request?

Adds an Open Policy Agent rule to enforce defaults.run.shell: bash in all GitHub Actions workflow files, enabling pipefail by default for improved error handling in CI/CD pipelines.

Changes:

  • Added two rego rules in .github/policy.rego:
    • deny_missing_shell_defaults: Fails if workflow lacks defaults.run.shell
    • deny_wrong_shell_defaults: Fails if shell is not bash
    • Both rules check input.jobs to skip composite actions (which set shell per-step)
  • Updated 20 workflow files to add defaults.run.shell: bash
  • Removed redundant job-level shell setting from r.yml

Why bash? Bash's pipefail mode causes pipelines to fail if any command fails, not just the last one. This prevents silent failures in CI workflows.

How is this PR tested?

  • Existing unit/integration tests
  • New unit/integration tests
  • Manual tests

Verified with conftest:

# All 424 tests pass
bin/conftest test --namespace mlflow --policy .github/policy.rego .github/workflows/*.yml

# Rule correctly catches violations
bin/conftest test --policy .github/policy.rego workflow-missing-shell.yml
# FAIL: Workflow must have 'defaults.run.shell: bash' to enable pipefail by default

Does this PR require documentation update?

  • No. You can skip the rest of this section.
  • Yes. I've updated:
    • Examples
    • API references
    • Instructions

Release Notes

Is this a user-facing change?

  • No. You can skip the rest of this section.
  • Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

  • area/tracking: Tracking Service, tracking client APIs, autologging
  • area/models: MLmodel format, model serialization/deserialization, flavors
  • area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
  • area/scoring: MLflow Model server, model deployment tools, Spark UDFs
  • area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
  • area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
  • area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
  • area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
  • area/projects: MLproject format, project running backends
  • area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
  • area/build: Build and test infrastructure for MLflow
  • area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

  • rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
  • rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
  • rn/feature - A new user-facing feature worth mentioning in the release notes
  • rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
  • rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

  • Yes (this PR will be cherry-picked and included in the next patch release)
  • No (this PR will be included in the next minor release)
Original prompt

Add conftest rule to ensure github actions config file has shell=true to enable pipefail by default. Ignore composite actions.

defaults:
  run:
    shell: bash
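
What the rule buys in practice, as an added example (not code from this PR): GitHub's workflow syntax documentation gives `bash -e {0}` as the invocation for a `run` step with no `shell` key on Linux and macOS runners, and `bash --noprofile --norc -eo pipefail {0}` for `shell: bash`. The script runs one constructed step body both ways; `step_status` and `STEP_BODY` are names made up for this illustration.

```shell
#!/usr/bin/env bash
# Added illustration, not part of the PR. Invocations are the ones GitHub's
# workflow-syntax docs give for Linux/macOS runners:
#   no `shell:` key -> bash -e {0}
#   shell: bash     -> bash --noprofile --norc -eo pipefail {0}

# Constructed step body: the left side of the pipe fails with status 3,
# the right side (tee) succeeds.
STEP_BODY='( echo "running tests"; exit 3 ) | tee /dev/null
echo "step reached the end"'

# step_status MODE SCRIPT
# Runs SCRIPT the way the runner would for MODE ("default" or "bash") and
# prints the exit status the step would report. (Hypothetical helper name.)
step_status() {
  _tmp=$(mktemp) || return 1
  printf '%s\n' "$2" > "$_tmp"
  _rc=0
  case $1 in
    default) bash -e "$_tmp" >/dev/null 2>&1 || _rc=$? ;;
    bash)    bash --noprofile --norc -eo pipefail "$_tmp" >/dev/null 2>&1 || _rc=$? ;;
    *)       rm -f "$_tmp"; return 2 ;;
  esac
  rm -f "$_tmp"
  echo "$_rc"
}

# Show both results when the script is run directly.
for mode in default bash; do
  printf '%-8s step exit status: %s\n' "$mode" "$(step_status "$mode" "$STEP_BODY")"
done
```

Under the default invocation the step reports success although the left side of the pipe exited 3; only the `shell: bash` invocation fails the step, which is the silent failure the policy is meant to rule out.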


@harupy harupy marked this pull request as ready for review November 28, 2025 13:47
@github-actions

@Copilot Thank you for the contribution! Could you fix the following issue(s)?

⚠ Invalid PR template

This PR does not appear to have been filed using the MLflow PR template. Please copy the PR template from here and fill it out.

Copilot AI and others added 2 commits November 28, 2025 13:55
Co-authored-by: harupy <17039389+harupy@users.noreply.github.com>
Co-authored-by: harupy <17039389+harupy@users.noreply.github.com>
Copilot AI changed the title [WIP] Add conftest rule for shell=true in GitHub Actions Add conftest rule to enforce defaults.run.shell: bash in GitHub Actions workflows Nov 28, 2025
Copilot AI requested a review from harupy November 28, 2025 14:04
@github-actions github-actions bot added the area/build and rn/none labels Nov 28, 2025
@harupy harupy enabled auto-merge November 28, 2025 14:19
@harupy harupy added this pull request to the merge queue Nov 28, 2025
Merged via the queue into master with commit 5371a57 Nov 28, 2025
65 of 66 checks passed
@harupy harupy deleted the copilot/add-conftest-rule-shell-true branch November 28, 2025 14:56