CI safety prompts: require explicit YES and profile selection for builds/releases

- build.yml & release.yml now request cost confirmation and profile (minimal/full)
- default profile is minimal (ubuntu-only, Tkinter only)
- heavy PyQt steps only in full profile

Author: mauriciomenon

.github/workflows/build.yml

@@ -1,18 +1,36 @@
 name: build-binaries
 
 on:
-  # Disable automatic triggers to avoid unexpected costs; run manually from the Actions tab
-  workflow_dispatch: {}
+  # Manual only; requires explicit cost confirmation
+  workflow_dispatch:
+    inputs:
+      confirm_cost:
+        description: "Type YES to confirm you understand this build consumes CI minutes and may incur costs."
+        required: true
+        default: "NO"
+      profile:
+        description: "Build profile (minimal = low-cost emergency, full = all OS/arch)"
+        required: true
+        type: choice
+        options:
+          - minimal
+          - full
+        default: minimal
 
 jobs:
   build:
+    # Hard gate: only proceed if user confirmed cost
+    if: ${{ github.event.inputs.confirm_cost == 'YES' }}
     name: Build PyInstaller binaries
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        os: [windows-latest, windows-11-arm, macos-13, macos-14, ubuntu-latest, ubuntu-22.04-arm]
+        os: ${{ fromJSON(github.event.inputs.profile == 'full' && '["windows-latest","windows-11-arm","macos-13","macos-14","ubuntu-latest","ubuntu-22.04-arm"]' || '["ubuntu-latest"]') }}
         python-version: ['3.11']
+    env:
+      PROFILE: ${{ github.event.inputs.profile }}
+      BUILD_PYQT: ${{ github.event.inputs.profile == 'full' && 'true' || 'false' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -22,8 +40,8 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
-      - name: Install Qt dev tools (Linux only)
-        if: runner.os == 'Linux'
+      - name: Install Qt dev tools (Linux only, full profile)
+        if: runner.os == 'Linux' && env.BUILD_PYQT == 'true'
         shell: bash
         run: |
           set -euo pipefail
@@ -40,8 +58,8 @@ jobs:
             sudo apt-get install -y --no-install-recommends libgl1 libglib2.0-0 || true
           fi
 
-      - name: Check qmake (Linux only)
-        if: runner.os == 'Linux'
+      - name: Check qmake (Linux only, full profile)
+        if: runner.os == 'Linux' && env.BUILD_PYQT == 'true'
         shell: bash
         run: |
           set -euo pipefail
@@ -57,9 +75,14 @@ jobs:
         shell: bash
         run: |
           python -m pip install --upgrade pip
-          if [ -f requirements.txt ]; then pip install -r requirements.txt; else pip install PyQt6; fi
-          # Ensure common runtime deps are available for PyInstaller analysis
-          pip install pyinstaller requests ffmpeg-python
+          # Minimal deps for Tkinter build by default; full profile includes PyQt6
+          if [ "$PROFILE" = "full" ]; then
+            if [ -f requirements.txt ]; then pip install -r requirements.txt; else pip install PyQt6; fi
+          else
+            # Ensure no heavy GUI deps in minimal profile
+            pip install ffmpeg-python requests || true
+          fi
+          pip install pyinstaller
 
       - name: Install Linux extras (patchelf)
         if: runner.os == 'Linux'
@@ -69,34 +92,35 @@ jobs:
             sudo apt-get update && sudo apt-get install -y patchelf
           fi
 
-      - name: Build PyQt6 app
+      - name: Build PyQt6 app (full profile only)
+        if: env.BUILD_PYQT == 'true'
         shell: bash
         run: |
           pyinstaller --name ffmpeg-gui-pyqt6 --noconfirm --onefile --windowed GUI_pyqt6_WINFF.py
 
-      - name: Build Tkinter app
+      - name: Build Tkinter app (always)
         shell: bash
         run: |
           pyinstaller --name ffmpeg-gui-tkinter --noconfirm --onefile --windowed GUI_tkinter_WINFF.py
 
-      - name: Collect artifacts
+      - name: Collect artifacts (robust)
         shell: bash
         run: |
           mkdir -p artifacts
           arch_lc=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
           if [[ "$RUNNER_OS" == "Windows" ]]; then
-            cp dist/ffmpeg-gui-pyqt6.exe "artifacts/ffmpeg-gui-pyqt6-win-${arch_lc}.exe"
-            cp dist/ffmpeg-gui-tkinter.exe "artifacts/ffmpeg-gui-tkinter-win-${arch_lc}.exe"
+            [ -f dist/ffmpeg-gui-pyqt6.exe ] && cp dist/ffmpeg-gui-pyqt6.exe "artifacts/ffmpeg-gui-pyqt6-win-${arch_lc}.exe" || true
+            [ -f dist/ffmpeg-gui-tkinter.exe ] && cp dist/ffmpeg-gui-tkinter.exe "artifacts/ffmpeg-gui-tkinter-win-${arch_lc}.exe" || true
           elif [[ "$RUNNER_OS" == "macOS" ]]; then
             # Package .app bundles as zips, suffix with architecture
             cd dist
-            zip -r "../artifacts/ffmpeg-gui-pyqt6-macos-${arch_lc}.app.zip" "ffmpeg-gui-pyqt6.app"
-            zip -r "../artifacts/ffmpeg-gui-tkinter-macos-${arch_lc}.app.zip" "ffmpeg-gui-tkinter.app"
+            [ -d "ffmpeg-gui-pyqt6.app" ] && zip -r "../artifacts/ffmpeg-gui-pyqt6-macos-${arch_lc}.app.zip" "ffmpeg-gui-pyqt6.app" || true
+            [ -d "ffmpeg-gui-tkinter.app" ] && zip -r "../artifacts/ffmpeg-gui-tkinter-macos-${arch_lc}.app.zip" "ffmpeg-gui-tkinter.app" || true
             cd -
           else
             # Linux artifacts (ELF executables), suffix with architecture
-            cp dist/ffmpeg-gui-pyqt6 "artifacts/ffmpeg-gui-pyqt6-linux-${arch_lc}"
-            cp dist/ffmpeg-gui-tkinter "artifacts/ffmpeg-gui-tkinter-linux-${arch_lc}"
+            [ -f dist/ffmpeg-gui-pyqt6 ] && cp dist/ffmpeg-gui-pyqt6 "artifacts/ffmpeg-gui-pyqt6-linux-${arch_lc}" || true
+            [ -f dist/ffmpeg-gui-tkinter ] && cp dist/ffmpeg-gui-tkinter "artifacts/ffmpeg-gui-tkinter-linux-${arch_lc}" || true
           fi
 
       - name: Upload artifacts

.github/workflows/release.yml

@@ -1,21 +1,38 @@
 name: release
 
 on:
-  # Manual only to fully block automatic release builds
-  workflow_dispatch: {}
+  # Manual only; require explicit cost confirmation
+  workflow_dispatch:
+    inputs:
+      confirm_cost:
+        description: "Type YES to confirm you understand this release build consumes CI minutes and may incur costs."
+        required: true
+        default: "NO"
+      profile:
+        description: "Build profile (minimal = low-cost emergency, full = all OS/arch)"
+        required: true
+        type: choice
+        options:
+          - minimal
+          - full
+        default: minimal
 
 permissions:
   contents: write
 
 jobs:
   build:
+    if: ${{ github.event.inputs.confirm_cost == 'YES' }}
     name: Build release artifacts
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        os: [windows-latest, windows-11-arm, macos-13, macos-14, ubuntu-latest, ubuntu-22.04-arm]
+        os: ${{ fromJSON(github.event.inputs.profile == 'full' && '["windows-latest","windows-11-arm","macos-13","macos-14","ubuntu-latest","ubuntu-22.04-arm"]' || '["ubuntu-latest"]') }}
         python-version: ['3.11']
+    env:
+      PROFILE: ${{ github.event.inputs.profile }}
+      BUILD_PYQT: ${{ github.event.inputs.profile == 'full' && 'true' || 'false' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -25,8 +42,8 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
-      - name: Install Qt dev tools (Linux only)
-        if: runner.os == 'Linux'
+      - name: Install Qt dev tools (Linux only, full profile)
+        if: runner.os == 'Linux' && env.BUILD_PYQT == 'true'
         shell: bash
         run: |
           set -euo pipefail
@@ -40,8 +57,8 @@ jobs:
             sudo apt-get install -y --no-install-recommends libgl1 libglib2.0-0 || true
           fi
 
-      - name: Check qmake (Linux only)
-        if: runner.os == 'Linux'
+      - name: Check qmake (Linux only, full profile)
+        if: runner.os == 'Linux' && env.BUILD_PYQT == 'true'
         shell: bash
         run: |
           set -euo pipefail
@@ -56,8 +73,12 @@ jobs:
         shell: bash
         run: |
           python -m pip install --upgrade pip
-          if [ -f requirements.txt ]; then pip install -r requirements.txt; else pip install PyQt6; fi
-          pip install pyinstaller requests ffmpeg-python
+          if [ "$PROFILE" = "full" ]; then
+            if [ -f requirements.txt ]; then pip install -r requirements.txt; else pip install PyQt6; fi
+          else
+            pip install ffmpeg-python requests || true
+          fi
+          pip install pyinstaller
 
       - name: Install Linux extras (patchelf)
         if: runner.os == 'Linux'
@@ -67,12 +88,13 @@ jobs:
             sudo apt-get update && sudo apt-get install -y patchelf
           fi
 
-      - name: Build PyQt6 app
+      - name: Build PyQt6 app (full profile only)
+        if: env.BUILD_PYQT == 'true'
         shell: bash
         run: |
           pyinstaller --name ffmpeg-gui-pyqt6 --noconfirm --onefile --windowed GUI_pyqt6_WINFF.py
 
-      - name: Build Tkinter app
+      - name: Build Tkinter app (always)
         shell: bash
         run: |
           pyinstaller --name ffmpeg-gui-tkinter --noconfirm --onefile --windowed GUI_tkinter_WINFF.py