From e855ee7341556b59a04ea0565b3da7a595f47144 Mon Sep 17 00:00:00 2001 From: Dmitry Gurevich Date: Thu, 19 Mar 2026 18:52:21 +0200 Subject: [PATCH] fix(ci): Replace setup steps with Hermit action (#4058) ### Summary of your changes This PR updates the CI workflows to use the Hermit action instead of separate initialization steps. (cherry picked from commit edcd88a41c9f7c74e848f6684fe0e4505040ab9d) --- .github/workflows/cloudformation-ci.yml | 24 ++++-------------- .github/workflows/sync-rule-templates.yml | 21 +++------------- .github/workflows/test-gcp-dm.yml | 30 ++++++----------------- 3 files changed, 17 insertions(+), 58 deletions(-) diff --git a/.github/workflows/cloudformation-ci.yml b/.github/workflows/cloudformation-ci.yml index 69e157c6aa..ea18ae73c8 100644 --- a/.github/workflows/cloudformation-ci.yml +++ b/.github/workflows/cloudformation-ci.yml @@ -36,9 +36,11 @@ jobs: - name: Check out the repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Init Hermit - run: ./bin/hermit env -r >> $GITHUB_ENV - working-directory: ./ + - name: Hermit Environment + uses: ./.github/actions/hermit + with: + init-tools: 'true' + free-disk: 'true' - name: Set up unique deployment names run: | @@ -46,22 +48,6 @@ jobs: echo "TF_VAR_deployment_name=DEPLOY_PR${{ github.event.number }}-$suffix" >> $GITHUB_ENV echo "CNVM_STACK_NAME=cnvm-stack-pr${{ github.event.number }}-$suffix" >> $GITHUB_ENV - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 - with: - python-version: '3.9' - - - name: Install Poetry - run: | - curl -sSL https://install.python-poetry.org | python3 - - poetry --version - - - name: Install Fleet API dependencies - id: fleet-api-deps - working-directory: ./tests - run: | - poetry install - - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4 with: 
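Review bot: The `Hermit Environment` step gives no indication of what `init-tools: 'true'` provisions, although it replaces the explicit `python-version: '3.9'` pin, the Poetry install and the `poetry install` in `./tests` that the following hunk deletes. A comment above the step, for example `# Replaces the inline Python 3.9 / Poetry setup; tool versions come from the Hermit config`, would keep that visible, with the wording checked against the action since it is not part of this diff. Because the removed steps fetched Poetry with `curl -sSL https://install.python-poetry.org | python3 -`, it is also worth confirming that the action does not bring back an unpinned download. The deleted install step carried `id: fleet-api-deps`, so any `steps.fleet-api-deps` reference later in the job, outside these hunks, needs checking. The same step is added in sync-rule-templates.yml and in both test-gcp-dm.yml hunks, where the same comment applies.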
diff --git a/.github/workflows/sync-rule-templates.yml b/.github/workflows/sync-rule-templates.yml index 207fb70ec2..f6834ebcc0 100644 --- a/.github/workflows/sync-rule-templates.yml +++ b/.github/workflows/sync-rule-templates.yml @@ -29,24 +29,11 @@ jobs: token: ${{ secrets.CLOUDSEC_MACHINE_TOKEN }} path: cloudbeat - - name: Init Hermit - working-directory: cloudbeat - run: ./bin/hermit env -r >> $GITHUB_ENV - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + - name: Hermit Environment + uses: ./.github/actions/hermit with: - python-version: "3.9" - - - name: Install Poetry - working-directory: cloudbeat - run: | - curl -sSL https://install.python-poetry.org | python3 - - poetry --version - - - name: Install dependencies - working-directory: cloudbeat/security-policies - run: poetry install + init-tools: 'true' + free-disk: 'true' - name: Sync CIS Rules with integrations repo working-directory: cloudbeat diff --git a/.github/workflows/test-gcp-dm.yml b/.github/workflows/test-gcp-dm.yml index 37cd732c84..d4da9c5006 100644 --- a/.github/workflows/test-gcp-dm.yml +++ b/.github/workflows/test-gcp-dm.yml @@ -47,18 +47,11 @@ jobs: - name: Check out the repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Init Hermit - run: ./bin/hermit env -r >> $GITHUB_ENV - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + - name: Hermit Environment + uses: ./.github/actions/hermit with: - python-version: "3.9" - - - name: Install Poetry - run: | - curl -sSL https://install.python-poetry.org | python3 - - poetry --version + init-tools: 'true' + free-disk: 'true' - id: google-auth name: Authenticate to Google Cloud 
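Review bot: The new step in sync-rule-templates.yml references `./.github/actions/hermit`, but the checkout directly above it places the repository under `path: cloudbeat`, and local action paths are resolved from the workspace root. Unless an earlier step outside the hunk also checks the repository out at the root, this would need to be `uses: ./cloudbeat/.github/actions/hermit`. The removed `Init Hermit` step ran with `working-directory: cloudbeat`, and the replacement passes no directory, so it should be confirmed that the action can find `bin/hermit` under `cloudbeat/`. The removed `poetry install` in `cloudbeat/security-policies` has no visible replacement either, so the sync step that follows relies on `init-tools` covering it.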
@@ -149,18 +142,11 @@ jobs: - name: Check out the repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Init Hermit - run: ./bin/hermit env -r >> $GITHUB_ENV - - - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + - name: Hermit Environment + uses: ./.github/actions/hermit with: - python-version: "3.9" - - - name: Install Poetry - run: | - curl -sSL https://install.python-poetry.org | python3 - - poetry --version + init-tools: 'true' + free-disk: 'true' - id: google-auth name: Authenticate to Google Cloud