
feat: adding new workflows for aggregated docker build and preview en… #2865

Merged
merged 7 commits into from
Dec 3, 2024

Conversation


@codechirag123 codechirag123 commented Nov 25, 2024

…v build

Summary by CodeRabbit

  • New Features

    • Introduced workflows for deploying and destroying temporary environments for testing pull requests labeled 'deploy-pr'.
    • Added a reusable workflow for building and pushing Docker images, including versioning and vulnerability scanning.
  • Documentation

    • New workflow documentation added for "Deploy PR Environment," "Build and Push Docker Images," and "Destroy PR Environment".


changeset-bot bot commented Nov 25, 2024

⚠️ No Changeset found

Latest commit: 662486b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.



coderabbitai bot commented Nov 25, 2024

Walkthrough

This pull request introduces three new GitHub Actions workflow files: build-preview-environment.yml, build-push-docker-images.yml, and destroy-preview-environment.yml. The first workflow deploys a temporary environment for pull requests labeled with 'deploy-pr', executing various jobs to build and push Docker images for different applications. The second workflow defines a reusable process for building and pushing Docker images, incorporating version management and vulnerability scanning. The third workflow manages the destruction of temporary environments when pull requests are closed or unlabeled, enhancing the CI/CD processes related to pull request handling and Docker image management.

Changes

File Path | Change Summary
.github/workflows/build-preview-environment.yml | New workflow for deploying a temporary environment for pull requests with the 'deploy-pr' label.
.github/workflows/build-push-docker-images.yml | New reusable workflow for building and pushing Docker images with versioning and vulnerability scanning.
.github/workflows/destroy-preview-environment.yml | New workflow for managing the destruction of temporary environments for pull requests with the 'deploy-pr' label.

Suggested reviewers

  • MayurDuduka
  • liorzam

🐇 In the meadow, where bunnies play,
New workflows hop in, brightening the day!
With Docker images built with care,
Deployments now dance in the air!
For every pull request, a preview to see,
Hooray for the changes, oh so merry and free! 🐰✨

Warning

Rate limit exceeded

@codechirag123 has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 14 minutes and 26 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 86d6ddc and 4a95238.




@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 8

🧹 Outside diff range and nitpick comments (4)
.github/workflows/build-preview-environment.yml (2)

3-5: Consider enabling cancel-in-progress for resource efficiency

Setting cancel-in-progress: false means older deployments will continue running even when new changes are pushed. This could lead to unnecessary resource usage and potential conflicts.

concurrency:
  group: "deploy-${{ github.event.pull_request.head.ref }}"
-  cancel-in-progress: false
+  cancel-in-progress: true
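
Review bot: `cancel-in-progress: true` on a group that wraps the environment-creating job cancels a run mid-deploy, which can leave a preview environment half applied with no run left to finish or clean it up; a later review of these same lines keeps `false` for that reason. If cancellation is wanted, scope a separate concurrency group to the image-build jobs and leave the deploy job uncancellable.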

26-26: Fix YAML formatting issues

The following formatting issues were detected:

  • Trailing spaces on lines 26, 67, and 68
  • Missing newline at end of file

Please ensure these are fixed in the final version.

Also applies to: 67-68, 77-77

🧰 Tools
🪛 yamllint (1.29.0-1)

[error] 26-26: trailing spaces

(trailing-spaces)

.github/workflows/build-push-docker-images.yml (2)

6-21: Consider adding input validation patterns

While the inputs are well-defined, consider adding pattern validation for:

  • registry: Ensure it matches a valid registry URL format
  • context: Validate it's a valid path within the repository
   registry:
     required: true
     description: "The Docker registry URL"
     type: string
+    pattern: '^[a-zA-Z0-9][a-zA-Z0-9-._]*\.[a-zA-Z0-9][a-zA-Z0-9-._]*[a-zA-Z0-9]$'
   context:
     required: true
     description: "The build context path for the Docker image"
     type: string
+    pattern: '^[a-zA-Z0-9-_/.]+$'
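
Review bot: `pattern` is not a recognised key for `workflow_call` inputs (only `description`, `required`, `default` and `type` are), so both added lines are silently ignored rather than enforced. If the registry and context values need validating, do it in the first step of the reusable workflow with a `run:` step that fails when the input does not match the expected shape.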

61-64: Remove unnecessary QEMU platforms

The QEMU setup includes arm platforms, but the build steps only target linux/amd64. Either remove the unused platforms or update the build steps to include multi-platform builds.

   with:
-    platforms: 'arm64,arm'
+    platforms: 'amd64'
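
Review bot: if every build step targets linux/amd64 on an amd64 runner, QEMU is not needed at all, so the cleaner change is to drop the `setup-qemu-action` step rather than narrow `platforms`; keep the step only if the later suggestion to build arm64 through a matrix is adopted.
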
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ca5299c and 80f6351.

📒 Files selected for processing (2)
  • .github/workflows/build-preview-environment.yml (1 hunks)
  • .github/workflows/build-push-docker-images.yml (1 hunks)
🧰 Additional context used
🪛 yamllint (1.29.0-1)
.github/workflows/build-preview-environment.yml

[error] 26-26: trailing spaces

(trailing-spaces)


[error] 67-67: trailing spaces

(trailing-spaces)


[error] 68-68: trailing spaces

(trailing-spaces)


[error] 77-77: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/build-push-docker-images.yml

[error] 50-50: trailing spaces

(trailing-spaces)


[error] 91-91: trailing spaces

(trailing-spaces)


[error] 114-114: trailing spaces

(trailing-spaces)

🪛 actionlint (1.7.3)
.github/workflows/build-push-docker-images.yml

40-40: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


42-42: shellcheck reported issue in this script: SC2116:style:1:19: Useless echo? Instead of 'cmd $(echo foo)', just use 'cmd foo'

(shellcheck)


53-53: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


68-68: the runner of "actions/cache@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


102-102: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


117-117: if: condition "${{ inputs.image_name }} != 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)

🔇 Additional comments (1)
.github/workflows/build-preview-environment.yml (1)

27-58: Reduce duplication in build job configurations

Consider using workflow-level variables to reduce repetition of common values.

env:
  REGISTRY: ghcr.io/${{ github.repository_owner }}
  REF: ${{ github.event.pull_request.head.sha }}

jobs:
  # ... other jobs ...
  build-wf-service:
    uses: ./.github/workflows/build-push-docker-images.yml
    with:
      registry: ${{ env.REGISTRY }}
      context: services/workflows-service
      image_name: workflows-service
      ref: ${{ env.REF }}

Also, verify that the reusable workflow exists and is properly configured.

✅ Verification successful

Reusable workflow exists and is properly configured

The reusable workflow .github/workflows/build-push-docker-images.yml exists and accepts all the required inputs (registry, context, image_name, ref) that are being passed from the caller workflow. The workflow is well-structured with proper Docker build, push, and security scanning steps.

The original suggestion to use workflow-level variables to reduce duplication is valid and would improve maintainability without any negative impact on functionality.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the existence and configuration of the reusable workflow
if [ -f ".github/workflows/build-push-docker-images.yml" ]; then
  echo "Checking build-push-docker-images.yml configuration..."
  cat .github/workflows/build-push-docker-images.yml
else
  echo "Error: build-push-docker-images.yml not found!"
  exit 1
fi

Length of output: 4649


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 8

🧹 Outside diff range and nitpick comments (2)
.github/workflows/build-preview-environment.yml (1)

16-18: Improve readability of REF environment variable

The current ternary operation is complex and hard to read. Consider breaking it down into multiple steps using a shell script.

 env:
-  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref_name || github.event_name == 'pull_request' && github.event.pull_request.head.sha }}
+  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref_name || github.event.pull_request.head.sha }}
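
Review bot: the simplified expression still yields two different kinds of value, a branch name (`github.ref_name`) on `workflow_dispatch` and a commit SHA (`head.sha`) on `pull_request`, so the `ref` input of the reusable workflow must accept both; the `||` fallback hides that, so a comment next to the line would help. Note also that the dropped `github.event_name == 'pull_request'` guard means any other trigger now falls through to an empty `head.sha`.
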
.github/workflows/build-push-docker-images.yml (1)

110-110: Consider using matrix builds for multi-platform support

Currently, the workflow only builds for linux/amd64. Consider using matrix builds to support multiple platforms simultaneously.

Example configuration:

strategy:
  matrix:
    platform: [linux/amd64, linux/arm64]
...
with:
  platforms: ${{ matrix.platform }}
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 80f6351 and 0266fff.

📒 Files selected for processing (2)
  • .github/workflows/build-preview-environment.yml (1 hunks)
  • .github/workflows/build-push-docker-images.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build-preview-environment.yml

35-35: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


35-35: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)


94-94: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/build-push-docker-images.yml

33-33: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


44-44: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


46-46: shellcheck reported issue in this script: SC2116:style:1:19: Useless echo? Instead of 'cmd $(echo foo)', just use 'cmd foo'

(shellcheck)


57-57: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


58-58: invalid runner name "node16" at runs.using in "Bump version" action defined at "/inmem/22/25208af2-2395-4641-ac5a-e36e53a0d1e5/home/jailuser/git/.github/actions/bump-version". valid runners are "composite", "docker", and "node20". see https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs

(action)


63-63: the runner of "docker/setup-buildx-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


66-66: the runner of "docker/setup-qemu-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


72-72: the runner of "actions/cache@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


81-81: the runner of "docker/login-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


89-89: the runner of "docker/metadata-action@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


106-106: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


121-121: if: condition "${{ inputs.image_name }} != 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)

🪛 yamllint (1.35.1)
.github/workflows/build-preview-environment.yml

[error] 41-41: trailing spaces

(trailing-spaces)


[error] 48-48: trailing spaces

(trailing-spaces)


[warning] 90-90: too few spaces after comma

(commas)


[warning] 90-90: too few spaces after comma

(commas)


[warning] 90-90: too few spaces after comma

(commas)


[warning] 90-90: too few spaces after comma

(commas)


[error] 98-98: trailing spaces

(trailing-spaces)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 108-108: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/build-push-docker-images.yml

[error] 54-54: trailing spaces

(trailing-spaces)


[error] 95-95: trailing spaces

(trailing-spaces)


[error] 118-118: trailing spaces

(trailing-spaces)

🔇 Additional comments (3)
.github/workflows/build-preview-environment.yml (2)

3-5: Well-configured concurrency settings!

The concurrency configuration with cancel-in-progress: false ensures that parallel deployments don't interfere with each other, preventing race conditions.


49-88: Well-structured build jobs configuration!

The build jobs are well-organized with:

  • Proper use of reusable workflow
  • Correct dependency chain
  • Consistent configuration pattern across all services
.github/workflows/build-push-docker-images.yml (1)

1-26: LGTM! Well-structured workflow inputs

The workflow inputs are well-defined with clear descriptions and appropriate required flags.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (7)
.github/workflows/destroy-preview-environment.yml (3)

1-1: Fix typo in comment

There's a typo in the comment: "forwhen" should be "for when".

-# Destroys a temporary environment that was created forwhen a pull request is created / updated with a 'deploy-pr' label or triggerred manually
+# Destroys a temporary environment that was created for when a pull request is created / updated with a 'deploy-pr' label or triggered manually

18-18: Consider simplifying the REF environment variable

The current conditional logic can be simplified using the null coalescing operator.

-  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref }}
+  REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.ref }}

50-50: Fix formatting issues

There are some minor formatting issues to address:

  • Remove trailing spaces on lines 50 and 61
  • Add newline at end of file

Also applies to: 61-61, 78-78

🧰 Tools
🪛 yamllint (1.35.1)

[error] 50-50: trailing spaces

(trailing-spaces)

.github/workflows/build-preview-environment.yml (4)

3-5: Consider enabling cancel-in-progress for efficiency

Setting cancel-in-progress: true would help prevent resource waste by canceling outdated builds when new commits are pushed.

concurrency:
  group: "deploy-${{ github.event.pull_request.head.ref }}"
-  cancel-in-progress: false
+  cancel-in-progress: true
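
Review bot: this contradicts the previous review round, which approved `cancel-in-progress: false` on these same lines because the group wraps a deployment; cancelling a deploy mid-run can leave a partially applied environment. Pick one position and record the reasoning in a comment on the `concurrency` block so the setting is not flipped again.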

17-18: Simplify the REF environment variable

The current expression is complex and could be simplified for better readability.

env:
-  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref_name || github.event_name == 'pull_request' && github.event.pull_request.head.ref }}
+  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref_name || github.event.pull_request.head.ref }}

59-98: Optimize build jobs configuration

Consider these improvements:

  1. Define common values at the workflow level
  2. Enable parallel builds for faster execution
# At the top level, add:
env:
+  REGISTRY: ghcr.io/${{ github.repository_owner }}

# Then in each job:
  build-wf-service:
    needs: deploy-dev-pr-environment
    uses: ./.github/workflows/build-push-docker-images.yml
    with:
-      registry: ghcr.io/${{ github.repository_owner }}
+      registry: ${{ env.REGISTRY }}
      # ... rest of the config
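
Review bot: `${{ env.REGISTRY }}` will not resolve here: the `env` context is not available in `jobs.<job_id>.with` of a reusable-workflow call (only `github`, `needs`, `inputs` and `vars` are), so the `registry` input would arrive empty. A repository or organisation variable read as `${{ vars.REGISTRY }}`, or an output of `deploy-dev-pr-environment` passed the way `ref` already is, carries the value across jobs. Separately, `fail-fast` only affects matrix jobs; these build jobs each depend only on `deploy-dev-pr-environment`, so one failing already leaves the others running.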

Additionally, consider adding strategy: { fail-fast: false } to each build job to allow other builds to continue if one fails.


99-102: Add timeout and retry mechanisms for reliability

Consider adding timeout and retry mechanisms to handle transient failures gracefully.

deploy-preview:
  needs: [deploy-dev-pr-environment,build-wf-service,build-backoffice,build-kyb,build-dashboard]
  runs-on: ubuntu-latest
+  timeout-minutes: 10
  steps:
+    - name: Wait for services to be ready
+      uses: actions/github-script@v7
+      with:
+        script: |
+          let retries = 5;
+          while (retries > 0) {
+            try {
+              // Add health check logic here
+              break;
+            } catch (error) {
+              retries--;
+              if (retries === 0) throw error;
+              await new Promise(r => setTimeout(r, 30000));
+            }
+          }
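
Review bot: as written the retry loop never retries: the `try` body contains only `break`, so the first iteration exits the loop and the `catch` branch is unreachable. The placeholder needs a real readiness probe that throws on failure (for example a request to the preview URL that rejects on a non-2xx status) before the `while` does any work, and 5 attempts at 30 s cover only about 2.5 minutes of the 10-minute job timeout, so the two budgets should be aligned.
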
🧰 Tools
🪛 yamllint (1.35.1)

[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0266fff and 4573b3f.

📒 Files selected for processing (2)
  • .github/workflows/build-preview-environment.yml (1 hunks)
  • .github/workflows/destroy-preview-environment.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build-preview-environment.yml

31-31: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)


45-45: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


45-45: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)


104-104: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/destroy-preview-environment.yml

30-30: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


53-53: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


53-53: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)


67-67: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)
.github/workflows/build-preview-environment.yml

[error] 51-51: trailing spaces

(trailing-spaces)


[error] 58-58: trailing spaces

(trailing-spaces)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[error] 115-115: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/destroy-preview-environment.yml

[error] 50-50: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 78-78: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
.github/workflows/destroy-preview-environment.yml (1)

47-48: Potential environment name collisions

Trimming branch names to 8 characters could lead to environment name collisions if multiple branches share the same prefix.

Consider using a hash of the full branch name instead:

-  TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | cut -c 1-8)
+  TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | sha256sum | cut -c 1-8)
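
Review bot: the build and destroy workflows must derive the name identically: build creates the environment under the name destroy later looks up, so switching `cut -c 1-8` to `sha256sum | cut -c 1-8` in the destroy workflow alone would orphan every environment that build created. Apply the change to both files in one commit, or compute the name in a single shared composite action, as the review proposes elsewhere for REF; note also that a hashed name is opaque, so the PR number or branch should still be recorded on the environment for operators.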

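The collision the comment above describes, worked through as an added example (not code from the PR or from CodeRabbit): the sanitisation mirrors the `tr "/" "-"` step in the workflow, the two branch names are constructed for the demonstration, and the truncation scheme and the hash scheme are computed side by side.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: derive a short preview-environment
# name from a branch name two ways and show why prefix truncation collides.
# Assumes the workflow's sanitisation is tr "/" "-" (as in the PR); the
# branch names used in main are constructed for the demonstration.
set -eu

# Step 1 (as in the workflow): make the branch usable as a single label.
sanitize_branch() {
  printf '%s' "$1" | tr '/' '-'
}

# Scheme A (reviewed workflow): keep the first 8 characters of the name.
env_name_prefix() {
  sanitize_branch "$1" | cut -c 1-8
}

# Hex SHA-256 of stdin; falls back to shasum where coreutils is absent.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -c 1-64
  else
    shasum -a 256 | cut -c 1-64
  fi
}

# Scheme B (review suggestion): first 8 hex chars of SHA-256 of the name.
# Whichever scheme is chosen must be identical in the build and the destroy
# workflow, otherwise destroy looks up a name that build never created.
env_name_hash() {
  sanitize_branch "$1" | sha256_hex | cut -c 1-8
}

# Exit status 0 when the given scheme maps both branches to one name.
collides() {
  local scheme=$1 x=$2 y=$3
  [ "$("$scheme" "$x")" = "$("$scheme" "$y")" ]
}

main() {
  local a='feature/foo-123'
  local b='feature/foo-456'
  printf 'prefix: %s vs %s\n' "$(env_name_prefix "$a")" "$(env_name_prefix "$b")"
  printf 'hash:   %s vs %s\n' "$(env_name_hash "$a")" "$(env_name_hash "$b")"
  if collides env_name_prefix "$a" "$b"; then
    echo "prefix scheme: both branches share one environment name"
  fi
  if ! collides env_name_hash "$a" "$b"; then
    echo "hash scheme: the branches get distinct environment names"
  fi
}

main
```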

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (6)
.github/workflows/destroy-preview-environment.yml (3)

1-1: Fix typo in comment

There's a typo in the comment: "forwhen" should be "for when".

-# Destroys a temporary environment that was created forwhen a pull request is created / updated with a 'deploy-pr' label or triggerred manually
+# Destroys a temporary environment that was created for when a pull request is created / updated with a 'deploy-pr' label or triggered manually

18-18: Improve readability of REF environment variable

The current ternary operation is complex and hard to read. Consider using a composite run steps action to set this variable more clearly.

Create a new composite action file .github/actions/set-ref/action.yml:

name: 'Set REF'
description: 'Sets the REF environment variable based on the event type'
runs:
  using: "composite"
  steps:
    - shell: bash
      run: |
        if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
          echo "REF=${{ github.ref }}" >> $GITHUB_ENV
        elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
          echo "REF=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
        fi

Then use it in the workflow:

-env:
-  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref }}
+steps:
+  - uses: ./.github/actions/set-ref
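
Review bot: this replacement does not preserve scope. A workflow-level `env` is visible to every job, whereas the composite action writes to `$GITHUB_ENV`, which only reaches later steps of the same job, so every job that reads `${{ env.REF }}` (the branch-sanitising step in this workflow, for one) would need its own `- uses: ./.github/actions/set-ref` step ahead of it. Also, `steps:` is not valid at the top level of a workflow; it belongs inside a job.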

21-21: Rename job to better reflect its purpose

The job name deploy-dev-pr-environment is misleading in a destruction workflow. Consider renaming it to something more appropriate.

-  deploy-dev-pr-environment:
+  prepare-environment-destruction:
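
Review bot: the job id is an identifier, not just a label, so any `needs:` entry or `needs.deploy-dev-pr-environment.outputs.*` reference elsewhere in this file must be renamed in the same change, or the dependent jobs fail to resolve.
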
.github/workflows/build-preview-environment.yml (3)

3-5: Consider adding timeout to concurrency group

While the concurrency configuration prevents parallel runs, it should include a timeout to prevent stuck workflows from blocking subsequent runs.

concurrency:
  group: "deploy-${{ github.event.pull_request.head.ref }}"
  cancel-in-progress: false
+ timeout-minutes: 60
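
Review bot: `timeout-minutes` is not valid under `concurrency`, which accepts only `group` and `cancel-in-progress`, so this line would fail workflow validation; it is a job-level (or step-level) key and belongs on each job, for example `timeout-minutes: 60` on `deploy-dev-pr-environment`. The suggested line is also indented one space, not two, relative to its siblings.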

100-100: Fix formatting in job dependencies

Add spaces after commas in the needs array for better readability.

-    needs: [deploy-dev-pr-environment,build-wf-service,build-backoffice,build-kyb,build-dashboard]
+    needs: [deploy-dev-pr-environment, build-wf-service, build-backoffice, build-kyb, build-dashboard]
🧰 Tools
🪛 yamllint (1.35.1)

[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


59-97: Consider parameterizing common build configuration

The build jobs share similar configuration. Consider extracting common values into workflow-level variables.

+env:
+  REGISTRY: ghcr.io/${{ github.repository_owner }}

 build-wf-service:
   needs: deploy-dev-pr-environment
   uses: ./.github/workflows/build-push-docker-images.yml
   with:
-    registry: ghcr.io/${{ github.repository_owner }}
+    registry: ${{ env.REGISTRY }}
     context: services/workflows-service
     image_name: workflows-service
     ref: ${{ needs.deploy-dev-pr-environment.outputs.ref }}
     tag: ${{ needs.deploy-dev-pr-environment.outputs.env_name }}
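
Review bot: `${{ env.REGISTRY }}` is not resolvable in the `with:` block of a reusable-workflow call, where the `env` context is unavailable; `${{ vars.REGISTRY }}` (a repository variable) or an output of `deploy-dev-pr-environment`, as is already done for `ref` and `tag` here, works across jobs.
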
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 4573b3f and d5da7b2.

📒 Files selected for processing (2)
  • .github/workflows/build-preview-environment.yml (1 hunks)
  • .github/workflows/destroy-preview-environment.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build-preview-environment.yml

31-31: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)


45-45: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


45-45: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)


104-104: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/destroy-preview-environment.yml

30-30: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


53-53: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


53-53: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)


67-67: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)
.github/workflows/build-preview-environment.yml

[error] 51-51: trailing spaces

(trailing-spaces)


[error] 58-58: trailing spaces

(trailing-spaces)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[error] 115-115: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/destroy-preview-environment.yml

[error] 50-50: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 78-78: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (5)
.github/workflows/destroy-preview-environment.yml (2)

30-33: ⚠️ Potential issue

Fix shell script safety issues

The shell scripts lack proper quoting which could lead to word splitting issues.

Apply these fixes:

 shell: bash
 run: |
-  BRANCH_NAME=${{ env.REF }}
-  CLEAN_BRANCH_NAME=${BRANCH_NAME#refs/heads/}
+  BRANCH_NAME="${{ env.REF }}"
+  CLEAN_BRANCH_NAME="${BRANCH_NAME#refs/heads/}"
   echo "ref=$CLEAN_BRANCH_NAME" >> $GITHUB_OUTPUT

 shell: bash
 run: |
-  SANITIZED_BRANCH_NAME=$(echo -n ${{ steps.clean-ref.outputs.ref }} | tr "/" "-")
+  SANITIZED_BRANCH_NAME=$(echo -n "${{ steps.clean-ref.outputs.ref }}" | tr "/" "-")
   echo "Sanitized branch name: $SANITIZED_BRANCH_NAME"
-  TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | cut -c 1-8)
+  TRIMMED_BRANCH_NAME=$(echo -n "${SANITIZED_BRANCH_NAME}" | cut -c 1-8)
-  echo "sanitized_env_name=$SANITIZED_BRANCH_NAME" >> $GITHUB_OUTPUT;
-  echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT;
+  echo "sanitized_env_name=${SANITIZED_BRANCH_NAME}" >> $GITHUB_OUTPUT;
+  echo "trimmed_env_name=${TRIMMED_BRANCH_NAME}" >> $GITHUB_OUTPUT;

 run: |
   echo "deploying environment"
-  echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_ENV
-  echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_OUTPUT
+  PR_ENV_NAME="${{ steps.sanitize_env.outputs.trimmed_env_name }}"
+  echo "PR_ENV_NAME=${PR_ENV_NAME}" >> $GITHUB_ENV
+  echo "PR_ENV_NAME=${PR_ENV_NAME}" >> $GITHUB_OUTPUT
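Review bot: Wrapping `${{ env.REF }}` in double quotes does not address the risk the SC2086 warning hints at: the `${{ }}` expression is substituted into the script text before bash parses it, so a branch name containing `"`, `$(...)` or a newline still executes as shell, quotes or not. Since `REF` is already declared under the workflow's `env:`, read it as `BRANCH_NAME="$REF"`; likewise move `steps.clean-ref.outputs.ref` and `steps.sanitize_env.outputs.trimmed_env_name` into a step-level `env:` block and reference them as `"$CLEAN_REF"` / `"$TRIMMED"`. `>> $GITHUB_OUTPUT` and `>> $GITHUB_ENV` also remain unquoted in every line of this hunk.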

Also applies to: 44-49, 53-56

🧰 Tools
🪛 actionlint (1.7.4)

30-30: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)


67-78: ⚠️ Potential issue

Update and improve the repository dispatch implementation

Several improvements are needed in this section:

  1. The github-script action version is outdated
  2. The repository dispatch could be simplified since it's targeting the same repository
  3. Error handling is missing for the dispatch event creation
  4. File should end with a newline

Apply these improvements:

-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GIT_TOKEN }}
+          github-token: ${{ secrets.GH_TOKEN }}
           script: |
+            try {
               await github.rest.repos.createDispatchEvent({
-                owner: 'ballerine-io',
-                repo: 'cloud-infra-config',
+                owner: context.repo.owner,
+                repo: context.repo.repo,
                 event_type: 'destroy-preview',
                 client_payload: {
                   'ref': '${{ needs.deploy-dev-pr-environment.outputs.env_name }}'
                 }
               });
+            } catch (error) {
+              core.setFailed(`Failed to create dispatch event: ${error.message}`);
+            }
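Review bot: Replacing `owner: 'ballerine-io'` / `repo: 'cloud-infra-config'` with `context.repo.*` changes behaviour, not style: the dispatch is deliberately sent to the infra repository that handles the `destroy-preview` event, so pointing it at this repository would fire an event nobody listens for and leave the preview environment running. Renaming `secrets.GIT_TOKEN` to `secrets.GH_TOKEN` would also break the step unless that secret exists; a cross-repository `repository_dispatch` needs a PAT or GitHub App token with write access to the target repo, which is presumably why a custom secret is used. The `try/catch` adds nothing: github-script already fails the step on an unhandled rejection, and `core.setFailed` only rephrases the same error.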
🧰 Tools
🪛 actionlint (1.7.4)

67-67: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)

[error] 78-78: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/build-preview-environment.yml (3)

12-15: Review permissions following principle of least privilege

The workflow requests broad write permissions. Consider restricting them based on actual usage:

  • contents: write might be unnecessary as the workflow only reads the repository
  • pull-requests: write isn't used in any visible operations
permissions:
  id-token: write
-  contents: write
+  contents: read
-  pull-requests: write
+  pull-requests: read
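Review bot: Check the called workflow before dropping `contents: write`: a reusable workflow's permissions are capped by the caller's, and build-push-docker-images.yml runs a bump-version step and pushes images to ghcr.io, which respectively may need `contents: write` (if it pushes tags) and `packages: write` (not granted in this block at all, so either it is declared in the called workflow's own block or the push relies on a different credential). Reducing `pull-requests` to `read` looks safe since no visible step comments on or labels the PR. `id-token: write` should only stay if some step actually performs OIDC federation; otherwise it is unused attack surface.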

46-50: Fix shell script quoting and improve variable naming consistency

The shell script has potential word splitting issues and inconsistent variable naming.

shell: bash
run: |
-  SANITIZED_BRANCH_NAME=$(echo -n ${{ steps.clean-ref.outputs.ref }} | tr "/" "-")
+  SANITIZED_BRANCH_NAME=$(echo -n "${{ steps.clean-ref.outputs.ref }}" | tr "/" "-")
   echo "Sanitized branch name: $SANITIZED_BRANCH_NAME"
-  TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | cut -c 1-8)
+  TRIMMED_BRANCH_NAME=$(echo -n "${SANITIZED_BRANCH_NAME}" | cut -c 1-8)
-  echo "sanitized_env_name=$SANITIZED_BRANCH_NAME" >> $GITHUB_OUTPUT;
-  echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT;
+  echo "sanitized_env_name=${SANITIZED_BRANCH_NAME}" >> "${GITHUB_OUTPUT}"
+  echo "trimmed_env_name=${TRIMMED_BRANCH_NAME}" >> "${GITHUB_OUTPUT}"
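Review bot: The quoting fix still splices `${{ steps.clean-ref.outputs.ref }}` into the script before bash sees it, so a branch name with shell metacharacters is interpreted regardless of the added quotes; put the value in a step-level `env:` and use `"$CLEAN_REF"`. Separately, `tr "/" "-"` is the only sanitization and `cut -c 1-8` truncates to eight characters, so `feature/auth-x` and `feature/auth-y` both become `feature-` and share an environment name and image tag; one PR's destroy job would then tear down another PR's environment, and an image tag could be overwritten by an unrelated branch. Restrict the name to `[a-z0-9-]`, lowercase it, and append a short hash of the full ref so truncated names stay unique.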

104-115: ⚠️ Potential issue

Add error handling for repository dispatch and update github-script

The repository dispatch lacks error handling and uses an outdated action version.

-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GIT_TOKEN }}
+          github-token: ${{ secrets.GH_TOKEN }}
           script: |
-            await github.rest.repos.createDispatchEvent({
-              owner: 'ballerine-io',
-              repo: 'cloud-infra-config',
-              event_type: 'deploy-preview',
-              client_payload: {
-                'ref': '${{ needs.deploy-dev-pr-environment.outputs.env_name }}'
-              }
-            });
+            try {
+              await github.rest.repos.createDispatchEvent({
+                owner: 'ballerine-io',
+                repo: 'cloud-infra-config',
+                event_type: 'deploy-preview',
+                client_payload: {
+                  'ref': '${{ needs.deploy-dev-pr-environment.outputs.env_name }}'
+                }
+              });
+              console.log('Successfully triggered deploy-preview event');
+            } catch (error) {
+              console.error('Failed to trigger deploy-preview event:', error);
+              throw error;
+            }
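Review bot: `'${{ needs.deploy-dev-pr-environment.outputs.env_name }}'` is interpolated directly into JavaScript source; `env_name` is derived from the branch name, so a branch containing `'` or a newline breaks, or rewrites, the script. Pass it through a step-level `env:` and read `process.env.ENV_NAME` inside `client_payload`. The `console.error` plus rethrow wrapper is redundant with github-script's default behaviour of failing the step on a thrown error; if a readable message is wanted, `core.setFailed(...)` is the idiom.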
🧰 Tools
🪛 actionlint (1.7.4)

104-104: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)

[error] 115-115: no new line character at the end of file

(new-line-at-end-of-file)

@coderabbitai coderabbitai bot left a comment
Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (9)
.github/workflows/destroy-preview-environment.yml (4)

1-1: Fix typo in comment

There's a typo in the comment: "forwhen" should be "for when".

-# Destroys a temporary environment that was created forwhen a pull request is created / updated with a 'deploy-pr' label or triggerred manually
+# Destroys a temporary environment that was created for when a pull request is created / updated with a 'deploy-pr' label or triggered manually

17-19: Consider improving REF variable readability

The current ternary expression is a bit hard to read. Consider breaking it down into multiple lines for better readability.

 env:
-  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref }}
+  REF: ${{
+    github.event_name == 'workflow_dispatch'
+    ? github.ref
+    : github.event_name == 'pull_request'
+      ? github.event.pull_request.head.ref
+      : ''
+  }}
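Review bot: This replacement does not parse: GitHub Actions expressions have no `? :` ternary operator, only `&&` and `||`, so the workflow would be rejected at validation time. The original `cond && a || cond2 && b` form is the supported idiom. If readability is the goal, `${{ github.head_ref || github.ref }}` expresses the same intent in one term, because `head_ref` is only populated on pull_request events and falls through to `github.ref` on workflow_dispatch; the later `#refs/heads/` strip then handles both shapes.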

60-63: Improve conditional readability

The job condition is complex and could be more readable by using better formatting.

-    if: |
-      (github.event_name == 'pull_request' && github.event.action == 'unlabeled' && github.event.label.name == 'deploy-pr') 
-      ||
-      (github.event_name == 'pull_request' && github.event.action == 'closed' && contains(github.event.pull_request.labels.*.name, 'deploy-pr'))
+    if: >-
+      (
+        github.event_name == 'pull_request' &&
+        github.event.action == 'unlabeled' &&
+        github.event.label.name == 'deploy-pr'
+      ) ||
+      (
+        github.event_name == 'pull_request' &&
+        github.event.action == 'closed' &&
+        contains(github.event.pull_request.labels.*.name, 'deploy-pr')
+      )
🧰 Tools
🪛 yamllint (1.35.1)

[error] 61-61: trailing spaces

(trailing-spaces)


50-50: Fix formatting issues

There are some minor formatting issues to address:

  1. Remove trailing spaces on lines 50 and 61
  2. Add a newline at the end of file

Also applies to: 61-61, 84-84

🧰 Tools
🪛 yamllint (1.35.1)

[error] 50-50: trailing spaces

(trailing-spaces)

.github/workflows/build-push-docker-images.yml (1)

5-25: Consider adding input validation patterns

The workflow inputs could benefit from pattern validation to ensure correct formats:

  • registry: URL format validation
  • ref: Git reference format validation
  • tag: Docker tag format validation
     inputs:
       registry:
         required: true
         description: "The Docker registry URL"
         type: string
+        pattern: '^[a-zA-Z0-9][a-zA-Z0-9-_./:]*$'
       context:
         required: true
         description: "The build context path for the Docker image"
         type: string
       image_name:
         required: true
         description: "The name of the Docker image"
         type: string
+        pattern: '^[a-z0-9][a-z0-9-_.]*$'
       ref:
         required: true
         description: "Branch name of the Preview"
         type: string
+        pattern: '^[a-zA-Z0-9-_./]+$'
       tag:
         required: true
         description: "Tag name of the Preview Image"
         type: string
+        pattern: '^[a-zA-Z0-9][-a-zA-Z0-9_.]*$'
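Review bot: `pattern` is not a recognised key for `workflow_call` inputs (only `description`, `required`, `default` and `type` are), so each of these lines would fail workflow validation and provide no checking at all. Enforce formats in the first step of the called workflow instead, reading the inputs via a step-level `env:` and testing them in bash, for example `[[ "$TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || exit 1` for the Docker tag. Validation matters most for `tag`, since it flows from a branch name into an image reference and into the dispatch payload.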
.github/workflows/build-preview-environment.yml (4)

3-5: Consider adding timeout for concurrent workflows

While the concurrency configuration prevents parallel runs, it might be beneficial to add a timeout to automatically cancel stuck workflows.

 concurrency:
   group: "deploy-${{ github.event.pull_request.head.ref }}"
   cancel-in-progress: false
+  timeout-minutes: 60
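Review bot: `timeout-minutes` is not valid under `concurrency:`, which accepts only `group` and `cancel-in-progress`; the workflow would fail to validate. A timeout is a job-level (or step-level) key, so set `timeout-minutes: 60` on `deploy-dev-pr-environment` and the build jobs instead. Note also that with `cancel-in-progress: false` a stuck run holds the group and queues every later push to the same branch, which is the situation the timeout is meant to bound.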

59-98: Add documentation for build job configurations

Consider adding comments to document the purpose of each build job and its corresponding Docker image. This will help maintainers understand the relationship between services and their containers.

+  # Build the Workflows Service container image
   build-wf-service:
     needs: deploy-dev-pr-environment
     uses: ./.github/workflows/build-push-docker-images.yml
     with:
       registry: ghcr.io/${{ github.repository_owner }}
       context: services/workflows-service
       image_name: workflows-service
       ref: ${{ needs.deploy-dev-pr-environment.outputs.ref }}
       tag: ${{ needs.deploy-dev-pr-environment.outputs.env_name }}

106-106: Update secret name for consistency

The secret name GIT_TOKEN is inconsistent with GitHub's conventional naming. Consider using GITHUB_TOKEN or a more descriptive name like WORKFLOW_DISPATCH_TOKEN.

-          github-token: ${{ secrets.GIT_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
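Review bot: `secrets.GITHUB_TOKEN` cannot replace `GIT_TOKEN` here: the dispatch targets `ballerine-io/cloud-infra-config`, and the installation token is scoped to the repository running the workflow, so the API call would be refused. A cross-repository `repository_dispatch` needs a fine-grained PAT or GitHub App token scoped to that single repository with contents write. A descriptive secret name such as `WORKFLOW_DISPATCH_TOKEN` is fine, but the secret must be created before the rename lands or the step fails with an empty token.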

100-100: Fix formatting issues

There are minor formatting issues that should be addressed:

  1. Add spaces after commas in the needs array
  2. Add a trailing newline at the end of the file
-    needs: [deploy-dev-pr-environment,build-wf-service,build-backoffice,build-kyb,build-dashboard]
+    needs: [deploy-dev-pr-environment, build-wf-service, build-backoffice, build-kyb, build-dashboard]

Also applies to: 121-121

🧰 Tools
🪛 yamllint (1.35.1)

[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between d5da7b2 and 662486b.

📒 Files selected for processing (3)
  • .github/workflows/build-preview-environment.yml (1 hunks)
  • .github/workflows/build-push-docker-images.yml (1 hunks)
  • .github/workflows/destroy-preview-environment.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build-preview-environment.yml

31-31: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)


45-45: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


45-45: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)

.github/workflows/build-push-docker-images.yml

51-51: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


53-53: shellcheck reported issue in this script: SC2116:style:1:19: Useless echo? Instead of 'cmd $(echo foo)', just use 'cmd foo'

(shellcheck)


64-64: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


65-65: invalid runner name "node16" at runs.using in "Bump version" action defined at "/inmem/20/e4134770-740c-48c6-b87e-d975073b6281/home/jailuser/git/.github/actions/bump-version". valid runners are "composite", "docker", and "node20". see https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs

(action)


79-79: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


88-88: the runner of "docker/login-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


96-96: the runner of "docker/metadata-action@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/destroy-preview-environment.yml

30-30: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


44-44: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


53-53: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


53-53: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint (1.35.1)
.github/workflows/build-preview-environment.yml

[error] 51-51: trailing spaces

(trailing-spaces)


[error] 58-58: trailing spaces

(trailing-spaces)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[warning] 100-100: too few spaces after comma

(commas)


[error] 121-121: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/build-push-docker-images.yml

[error] 61-61: trailing spaces

(trailing-spaces)


[error] 102-102: trailing spaces

(trailing-spaces)

.github/workflows/destroy-preview-environment.yml

[error] 50-50: trailing spaces

(trailing-spaces)


[error] 61-61: trailing spaces

(trailing-spaces)


[error] 84-84: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (5)
.github/workflows/destroy-preview-environment.yml (1)

30-33: ⚠️ Potential issue

Fix shell script safety issues

The shell scripts lack proper quoting which could lead to word splitting issues.

Apply these fixes:

 shell: bash
 run: |
-  BRANCH_NAME=${{ env.REF }}
-  CLEAN_BRANCH_NAME=${BRANCH_NAME#refs/heads/}
+  BRANCH_NAME="${{ env.REF }}"
+  CLEAN_BRANCH_NAME="${BRANCH_NAME#refs/heads/}"
   echo "ref=$CLEAN_BRANCH_NAME" >> $GITHUB_OUTPUT

 shell: bash
 run: |
-  SANITIZED_BRANCH_NAME=$(echo -n ${{ steps.clean-ref.outputs.ref }} | tr "/" "-")
+  SANITIZED_BRANCH_NAME=$(echo -n "${{ steps.clean-ref.outputs.ref }}" | tr "/" "-")
   echo "Sanitized branch name: $SANITIZED_BRANCH_NAME"
-  TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | cut -c 1-8)
+  TRIMMED_BRANCH_NAME=$(echo -n "${SANITIZED_BRANCH_NAME}" | cut -c 1-8)
-  echo "sanitized_env_name=$SANITIZED_BRANCH_NAME" >> $GITHUB_OUTPUT;
-  echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT;
+  echo "sanitized_env_name=${SANITIZED_BRANCH_NAME}" >> $GITHUB_OUTPUT
+  echo "trimmed_env_name=${TRIMMED_BRANCH_NAME}" >> $GITHUB_OUTPUT

 run: |
   echo "deploying environment"
-  echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_ENV
-  echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_OUTPUT
+  PR_ENV_NAME="${{ steps.sanitize_env.outputs.trimmed_env_name }}"
+  echo "PR_ENV_NAME=${PR_ENV_NAME}" >> $GITHUB_ENV
+  echo "PR_ENV_NAME=${PR_ENV_NAME}" >> $GITHUB_OUTPUT

Also applies to: 44-49, 53-56

🧰 Tools
🪛 actionlint (1.7.4)

30-30: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting

(shellcheck)

.github/workflows/build-push-docker-images.yml (3)

124-134: ⚠️ Potential issue

Update Trivy security scanning configuration

The current Trivy configuration needs improvement:

  1. Using master tag which could be unstable
  2. Missing important configuration options
       - name: Scan Docker Image
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/[email protected]
         continue-on-error: true
         with:
           image-ref: ${{ steps.docker_meta.outputs.tags }}
           format: 'table'
           ignore-unfixed: true
           exit-code: 1
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
-          timeout: '5m'
+          timeout: '10m'
+          list-all-pkgs: true
+          security-checks: 'vuln,config,secret'
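Review bot: Pinning the action is right (by commit SHA ideally, with the version in a comment), but as configured the scan still gates nothing: `continue-on-error: true` swallows `exit-code: 1`, so CRITICAL/HIGH findings never fail the job, and if the push step precedes this one the image is already in the registry. Either drop `continue-on-error` and run the scan before the push, or scan the local build output first and push only on success. Two smaller points: `security-checks` is the deprecated spelling of `scanners` in recent trivy-action releases, and `image-ref: ${{ steps.docker_meta.outputs.tags }}` may be a newline-separated list when metadata-action emits several tags, whereas `image-ref` expects a single reference.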

Likely invalid or redundant comment.


64-67: Verify bump-version action configuration

The bump-version action might have compatibility issues with the runner.

✅ Verification successful

No compatibility issues found with bump-version action

The action is properly configured to use node16 runtime, which is compatible with the ubuntu-latest runner. The action's implementation is compiled (webpack bundled) and doesn't show any obvious compatibility issues. The usage in the workflow is also correct with the required tag input being properly passed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check the bump-version action configuration
if [ -f ".github/actions/bump-version/action.yml" ]; then
  echo "Checking bump-version action configuration..."
  cat ".github/actions/bump-version/action.yml"
else
  echo "Warning: bump-version action configuration not found"
fi

Length of output: 502


Script:

#!/bin/bash
# Check the Node.js version used in the GitHub Actions runner
cat .github/workflows/build-push-docker-images.yml | grep -A 5 "runs-on:"

# Check if the action's dist/index.js exists and its Node.js compatibility indicators
if [ -f ".github/actions/bump-version/dist/index.js" ]; then
    head -n 10 .github/actions/bump-version/dist/index.js
fi

# Look for any package.json in the action directory to check Node.js requirements
if [ -f ".github/actions/bump-version/package.json" ]; then
    cat .github/actions/bump-version/package.json | grep -A 5 -B 5 "\"engines\""
fi

Length of output: 750

🧰 Tools
🪛 actionlint (1.7.4)

64-64: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


65-65: invalid runner name "node16" at runs.using in "Bump version" action defined at "/inmem/20/e4134770-740c-48c6-b87e-d975073b6281/home/jailuser/git/.github/actions/bump-version". valid runners are "composite", "docker", and "node20". see https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs

(action)


51-60: ⚠️ Potential issue

Fix version retrieval logic

The version retrieval step has several issues:

  1. The if condition syntax needs correction
  2. The echo in git tag command is unnecessary
  3. Missing error handling for no tags case
-        if: ${{ inputs.image_name }} == 'workflows-service'
+        if: inputs.image_name == 'workflows-service'
         id: version
         run: |
-          TAG=$(git tag -l "$(echo ${{ inputs.image_name }}@)*" | sort -V -r | head -n 1)
+          TAG=$(git tag -l "${{ inputs.image_name }}@*" | sort -V -r | head -n 1)
+          if [ -z "$TAG" ]; then
+            TAG="${{ inputs.image_name }}@0.0.1"
+            echo "Warning: No existing tags found, using initial version" >&2
+          fi
           echo "tag=$TAG"
           echo "tag=$TAG" >> "$GITHUB_OUTPUT"
           echo "TAG=$TAG" >> "$GITHUB_ENV"
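Review bot: The `0.0.1` fallback hides the more likely cause of an empty `TAG`: `git tag -l` lists nothing unless the checkout step fetched tags (`fetch-depth: 0` or `fetch-tags: true` on actions/checkout), and with the default shallow clone every run would silently restart versioning at `0.0.1` and the bump-version step would publish a wrong version. Verify the checkout configuration and fail the step on an empty result rather than defaulting. The stdout `echo "tag=$TAG"` before the `$GITHUB_OUTPUT` line is also redundant.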

Likely invalid or redundant comment.

🧰 Tools
🪛 actionlint (1.7.4)

51-51: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


53-53: shellcheck reported issue in this script: SC2116:style:1:19: Useless echo? Instead of 'cmd $(echo foo)', just use 'cmd foo'

(shellcheck)

.github/workflows/build-preview-environment.yml (1)

17-18: Add error handling for REF variable

The REF variable should handle all possible event types and provide meaningful errors.
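The branch-name sanitization step and the input-validation suggestion reviewed above are worth seeing in a runnable form. The following is an added example, not code from this PR or from the ballerine-io workflows; it assumes a Linux or macOS runner with coreutils (`sha256sum` or `shasum`), `sed -E` and `grep -E`, and its function and variable names are its own choices. It goes beyond the page's `tr`/`cut` step in two ways: it appends a digest of the full ref so that names truncated to eight characters cannot collide, and it validates the result in-step, since `workflow_call` inputs have no `pattern` key.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or from the ballerine-io workflows.
# Hardened shape of the "Sanitize ENV name" step: branch ref -> preview
# environment name without truncation collisions, validated in-step.
# Function and variable names are this example's own choices.
set -eu

# sha256 hex digest of stdin; sha256sum on Linux, shasum on macOS runners.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# Strip refs/heads/, lowercase, replace every run of characters outside
# [a-z0-9] with a single '-', and trim '-' from both ends.
clean_ref() {
  ref="${1#refs/heads/}"
  printf '%s' "$ref" | tr '[:upper:]' '[:lower:]' \
    | sed -E 's/[^a-z0-9]+/-/g; s/^-+//; s/-+$//'
}

# Preview environment / image tag name: up to 8 chars of the cleaned ref for
# readability, then '-' and 6 hex chars of the full cleaned ref's digest, so
# branches that share their first 8 characters still get distinct names.
env_name() {
  cleaned="$(clean_ref "$1")"
  prefix="$(printf '%s' "$cleaned" | cut -c 1-8 | sed -E 's/-+$//')"
  digest="$(printf '%s' "$cleaned" | sha256_hex | cut -c 1-6)"
  printf '%s-%s' "$prefix" "$digest"
}

# Docker tag grammar; the names produced above are also valid DNS labels.
validate_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Step body: take the ref from the runner environment (GITHUB_HEAD_REF on
# pull_request, GITHUB_REF on workflow_dispatch), never from a ${{ ... }}
# expression spliced into the script, so a crafted branch name cannot
# inject shell. Only runs when those variables are present (i.e. on a runner).
if [ -n "${GITHUB_HEAD_REF:-}${GITHUB_REF:-}" ]; then
  name="$(env_name "${GITHUB_HEAD_REF:-${GITHUB_REF:-}}")"
  validate_tag "$name" || { echo "unusable environment name: $name" >&2; exit 1; }
  echo "env_name=$name" >> "${GITHUB_OUTPUT:-/dev/stdout}"
fi
```

In the workflow this would replace the `run:` body of the sanitize step; the ref reaches the script through the runner's own `GITHUB_HEAD_REF` / `GITHUB_REF` variables (or a step-level `env:` mapping), which is what keeps the branch name out of the script text. The same `validate_tag` check belongs at the top of the reusable build workflow, applied to the `tag` and `image_name` inputs read via `env:`.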

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)
.github/workflows/build-push-docker-images.yml (1)

72-76: Remove unnecessary QEMU platforms

The QEMU setup includes arm platforms, but the build only targets linux/amd64. This creates unnecessary overhead.

       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          platforms: 'arm64,arm'
+          platforms: 'amd64'
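Review bot: If the build targets only linux/amd64 on an amd64 runner, QEMU is not needed at all; `platforms: 'amd64'` still installs binfmt handlers for nothing. Remove the step (and the matching entries at 115-116), or, if multi-arch images are actually intended, keep the arm platforms and add them to the buildx `platforms` list so the emulation is used.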

Also applies to: 115-116

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 662486b and 86d6ddc.

📒 Files selected for processing (1)
  • .github/workflows/build-push-docker-images.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build-push-docker-images.yml

51-51: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


53-53: shellcheck reported issue in this script: SC2116:style:1:19: Useless echo? Instead of 'cmd $(echo foo)', just use 'cmd foo'

(shellcheck)


64-64: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


65-65: invalid runner name "node16" at runs.using in "Bump version" action defined at "/inmem/14/c6713ddf-9a4f-40d5-ae8d-203b0b3f6af9/home/jailuser/git/.github/actions/bump-version". valid runners are "composite", "docker", and "node20". see https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs

(action)


79-79: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


96-96: the runner of "docker/metadata-action@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)
.github/workflows/build-push-docker-images.yml

[error] 61-61: trailing spaces

(trailing-spaces)


[error] 102-102: trailing spaces

(trailing-spaces)

🔇 Additional comments (4)
.github/workflows/build-push-docker-images.yml (4)

1-26: LGTM! Well-structured workflow inputs

The workflow inputs are clearly defined with appropriate descriptions and requirements.


27-31: Review and minimize required permissions

The workflow currently requests broad write permissions. Consider:

  1. Removing pull-requests: write as it doesn't appear to be used
  2. Documenting why each permission is needed in comments

124-134: Enhance security scanning configuration

The current Trivy configuration uses the master tag which could be unstable.


51-61: ⚠️ Potential issue

Fix version retrieval logic

The version retrieval step has several issues:

  1. The if condition syntax needs correction
  2. The echo in git tag command is unnecessary
  3. Error handling for cases when no tags exist is missing

Apply this diff:

-        if: ${{ inputs.image_name }} == 'workflows-service'
+        if: inputs.image_name == 'workflows-service'
         id: version
         run: |
-          TAG=$(git tag -l "$(echo ${{ inputs.image_name }}@)*" | sort -V -r | head -n 1)
+          TAG=$(git tag -l "${{ inputs.image_name }}@*" | sort -V -r | head -n 1)
+          if [ -z "$TAG" ]; then
+            TAG="${{ inputs.image_name }}@0.0.1"
+            echo "No existing tags found, using initial version"
+          fi
           echo "tag=$TAG"

Likely invalid or redundant comment.

🧰 Tools
🪛 actionlint (1.7.4)

51-51: if: condition "${{ inputs.image_name }} == 'workflows-service'" is always evaluated to true because extra characters are around ${{ }}

(if-cond)


53-53: shellcheck reported issue in this script: SC2116:style:1:19: Useless echo? Instead of 'cmd $(echo foo)', just use 'cmd foo'

(shellcheck)

🪛 yamllint (1.35.1)

[error] 61-61: trailing spaces

(trailing-spaces)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (4)
.github/workflows/destroy-preview-environment.yml (4)

1-1: Fix typo in comment

There's a typo in the comment: "forwhen" should be "for when".

-# Destroys a temporary environment that was created forwhen a pull request is created / updated with a 'deploy-pr' label or triggerred manually
+# Destroys a temporary environment that was created for when a pull request is created / updated with a 'deploy-pr' label or triggered manually

16-18: Simplify REF environment variable

The complex conditional logic could be simplified using GitHub's default context variables.

 env:
-  REF: ${{ github.event_name == 'workflow_dispatch' && github.ref || github.event_name == 'pull_request' && github.event.pull_request.head.ref }}
+  REF: ${{ github.head_ref || github.ref }}

40-56: Consolidate environment name sanitization steps

The environment name sanitization could be simplified into a single step using GitHub's composite actions.

Consider creating a reusable composite action for environment name handling:

# .github/actions/sanitize-env-name/action.yml
name: 'Sanitize Environment Name'
description: 'Sanitizes and formats environment names'
inputs:
  ref:
    description: 'Git reference to sanitize'
    required: true
outputs:
  sanitized_name:
    description: 'Sanitized environment name'
    value: ${{ steps.sanitize.outputs.sanitized_name }}
  trimmed_name:
    description: 'Trimmed environment name'
    value: ${{ steps.sanitize.outputs.trimmed_name }}
runs:
  using: 'composite'
  steps:
    - id: sanitize
      shell: bash
      env:
        REF: ${{ inputs.ref }}   # passed via env so the value is never spliced into the script
      run: |
        SANITIZED_NAME=$(echo -n "$REF" | tr "/" "-")
        TRIMMED_NAME=$(echo -n "${SANITIZED_NAME}" | cut -c 1-8)
        echo "sanitized_name=${SANITIZED_NAME}" >> "$GITHUB_OUTPUT"
        echo "trimmed_name=${TRIMMED_NAME}" >> "$GITHUB_OUTPUT"

Then use it in the workflow:

-      - name: "Sanitize ENV name"
-        id: sanitize_env
-        shell: bash
-        run: |
-          SANITIZED_BRANCH_NAME=$(echo -n ${{ steps.clean-ref.outputs.ref }} | tr "/" "-")
-          echo "Sanitized branch name: $SANITIZED_BRANCH_NAME"
-          TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | cut -c 1-8)
-          echo "sanitized_env_name=$SANITIZED_BRANCH_NAME" >> $GITHUB_OUTPUT;
-          echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT;
-        
-      - name: Environment deployment
-        id: env-name
-        run: |
-          echo "deploying environment"
-          echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_ENV
-          echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_OUTPUT
+      - name: Sanitize and set environment name
+        id: env-name
+        uses: ./.github/actions/sanitize-env-name
+        with:
+          ref: ${{ steps.clean-ref.outputs.ref }}
+      - run: |
+          echo "PR_ENV_NAME=${{ steps.env-name.outputs.trimmed_name }}" >> $GITHUB_ENV
+          echo "PR_ENV_NAME=${{ steps.env-name.outputs.trimmed_name }}" >> $GITHUB_OUTPUT
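Review bot: This only works if the composite action wires its outputs through: each entry under `outputs:` needs a `value: ${{ steps.<id>.outputs.<name> }}` mapping and the step that writes `$GITHUB_OUTPUT` needs an `id:`; with description-only outputs, `steps.env-name.outputs.trimmed_name` is empty, `PR_ENV_NAME` is blank, and the destroy dispatch is sent with an empty ref. The trailing `run:` step also still splices `${{ steps.env-name.outputs.trimmed_name }}` into the script and leaves `$GITHUB_ENV` / `$GITHUB_OUTPUT` unquoted; pass the value via `env:` and write `"$NAME"`.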
🧰 Tools
🪛 actionlint (1.7.4)

43-43: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting

(shellcheck)


43-43: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting

(shellcheck)


52-52: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting

(shellcheck)


52-52: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint (1.35.1)

[error] 49-49: trailing spaces

(trailing-spaces)


49-49: Fix YAML formatting issues

There are several formatting issues in the file:

  1. Remove trailing spaces on lines 49 and 60
  2. Add a newline at the end of file
-          echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT;        
+          echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT
 
     if: |
-      (github.event_name == 'pull_request' && github.event.action == 'unlabeled' && github.event.label.name == 'deploy-pr') 
+      (github.event_name == 'pull_request' && github.event.action == 'unlabeled' && github.event.label.name == 'deploy-pr')
 
               throw error;
-            }
+            }
+

Also applies to: 60-60, 83-83

🧰 Tools
🪛 yamllint (1.35.1)

[error] 49-49: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 86d6ddc and 4a95238.

📒 Files selected for processing (1)
  • .github/workflows/destroy-preview-environment.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/destroy-preview-environment.yml
29-29: shellcheck reported issue in this script: SC2086:info:3:34: Double quote to prevent globbing and word splitting (shellcheck)
43-43: shellcheck reported issue in this script: SC2086:info:4:53: Double quote to prevent globbing and word splitting (shellcheck)
43-43: shellcheck reported issue in this script: SC2086:info:5:49: Double quote to prevent globbing and word splitting (shellcheck)
52-52: shellcheck reported issue in this script: SC2086:info:2:74: Double quote to prevent globbing and word splitting (shellcheck)
52-52: shellcheck reported issue in this script: SC2086:info:3:74: Double quote to prevent globbing and word splitting (shellcheck)
🪛 yamllint (1.35.1)
.github/workflows/destroy-preview-environment.yml
[error] 49-49: trailing spaces (trailing-spaces)
[error] 60-60: trailing spaces (trailing-spaces)
[error] 83-83: no new line character at the end of file (new-line-at-end-of-file)

🔇 Additional comments (2)
.github/workflows/destroy-preview-environment.yml (2)

29-32: ⚠️ Potential issue

Fix shell script safety issues

The shell scripts lack proper quoting which could lead to word splitting issues.

Apply these fixes:

 shell: bash
 run: |
-  BRANCH_NAME=${{ env.REF }}
-  CLEAN_BRANCH_NAME=${BRANCH_NAME#refs/heads/}
+  BRANCH_NAME="${{ env.REF }}"
+  CLEAN_BRANCH_NAME="${BRANCH_NAME#refs/heads/}"
   echo "ref=$CLEAN_BRANCH_NAME" >> $GITHUB_OUTPUT
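Review bot: `BRANCH_NAME="${{ env.REF }}"` does not make the value safe: the runner expands the expression before bash starts, so quotes inside the script cannot contain whatever the expression produces, and a git branch name may legally contain characters such as `$`, backticks or `;`. Since `REF` is already in the step's environment (that is what `env.REF` reads), write `BRANCH_NAME="$REF"` and `CLEAN_BRANCH_NAME="${BRANCH_NAME#refs/heads/}"`, and quote the redirect as `echo "ref=$CLEAN_BRANCH_NAME" >> "$GITHUB_OUTPUT"`.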

 shell: bash
 run: |
-  SANITIZED_BRANCH_NAME=$(echo -n ${{ steps.clean-ref.outputs.ref }} | tr "/" "-")
+  SANITIZED_BRANCH_NAME=$(echo -n "${{ steps.clean-ref.outputs.ref }}" | tr "/" "-")
   echo "Sanitized branch name: $SANITIZED_BRANCH_NAME"
-  TRIMMED_BRANCH_NAME=$(echo -n "$SANITIZED_BRANCH_NAME" | cut -c 1-8)
+  TRIMMED_BRANCH_NAME=$(echo -n "${SANITIZED_BRANCH_NAME}" | cut -c 1-8)
-  echo "sanitized_env_name=$SANITIZED_BRANCH_NAME" >> $GITHUB_OUTPUT;
-  echo "trimmed_env_name=$TRIMMED_BRANCH_NAME" >> $GITHUB_OUTPUT;
+  echo "sanitized_env_name=${SANITIZED_BRANCH_NAME}" >> $GITHUB_OUTPUT
+  echo "trimmed_env_name=${TRIMMED_BRANCH_NAME}" >> $GITHUB_OUTPUT

 run: |
   echo "deploying environment"
-  echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_ENV
-  echo "PR_ENV_NAME=${{ steps.sanitize_env.outputs.trimmed_env_name }}" >> $GITHUB_OUTPUT
+  PR_ENV_NAME="${{ steps.sanitize_env.outputs.trimmed_env_name }}"
+  echo "PR_ENV_NAME=${PR_ENV_NAME}" >> $GITHUB_ENV
+  echo "PR_ENV_NAME=${PR_ENV_NAME}" >> $GITHUB_OUTPUT
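Review bot: `SANITIZED_BRANCH_NAME=$(echo -n "${{ steps.clean-ref.outputs.ref }}" | tr "/" "-")` and `PR_ENV_NAME="${{ steps.sanitize_env.outputs.trimmed_env_name }}"` have the same shape as the `env.REF` line: the double quotes wrap text the runner has already substituted. Expose each step output through the step's `env:` block and then use plain variables, e.g. `SANITIZED_BRANCH_NAME="${CLEAN_REF//\//-}"` and `TRIMMED_BRANCH_NAME="${SANITIZED_BRANCH_NAME:0:8}"` (no subshells needed), and note that every `>> $GITHUB_OUTPUT` / `>> $GITHUB_ENV` redirect is still unquoted after this suggestion even though SC2086 is what prompted it.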

Also applies to: 44-49, 53-56

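As an added example that is not part of the PR or of the suggestion above, the same ref to environment-name chain as a standalone POSIX shell script, with every expansion quoted and the output-file redirect quoted as SC2086 asks; the function names and the second sample ref are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR: the ref -> preview-environment-name
# transformation performed by the destroy-preview-environment steps, written
# so no value is ever left unquoted and the output-file redirect is quoted.
set -eu

clean_ref()    { printf '%s' "${1#refs/heads/}"; }   # drop a leading refs/heads/
sanitize_ref() { printf '%s' "$1" | tr '/' '-'; }    # every "/" becomes "-"
trim_name()    { printf '%.8s' "$1"; }               # first 8 chars, like cut -c 1-8

# env_name_for REF: the whole chain, as the workflow's three steps compose it.
env_name_for() {
  clean=$(clean_ref "$1")
  sanitized=$(sanitize_ref "$clean")
  trim_name "$sanitized"
}

# write_outputs REF FILE: append the key=value lines the workflow emits into a
# GITHUB_OUTPUT-style file (FILE stands in for "$GITHUB_OUTPUT").
write_outputs() {
  clean=$(clean_ref "$1")
  sanitized=$(sanitize_ref "$clean")
  {
    printf 'ref=%s\n' "$clean"
    printf 'sanitized_env_name=%s\n' "$sanitized"
    printf 'trimmed_env_name=%s\n' "$(trim_name "$sanitized")"
  } >> "$2"
}

# Demonstration on constructed refs: the first is the PR's own branch, the
# second is made up to show that shell metacharacters stay literal data.
demo() {
  out=$(mktemp)
  write_outputs "refs/heads/DEV-105/preview-githubaction" "$out"
  write_outputs 'refs/heads/fix/$(id);x' "$out"
  cat "$out"
  rm -f "$out"
}

demo
```

The trailing `-` in `DEV-105-` is a product of the fixed eight-character cut the workflow performs; it is shown as-is rather than silently trimmed.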
66-83: ⚠️ Potential issue

Enhance repository dispatch implementation

The repository dispatch implementation needs several improvements:

  1. The token name is inconsistent (GIT_TOKEN vs GH_TOKEN)
  2. Error handling could be more informative
  3. Missing validation for the environment name

Apply these improvements:

         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.GIT_TOKEN }}
+          github-token: ${{ secrets.GH_TOKEN }}
           script: |
+            const envName = '${{ needs.deploy-dev-pr-environment.outputs.env_name }}';
+            
+            if (!envName) {
+              throw new Error('Environment name is empty or undefined');
+            }
+
             try {
               await github.rest.repos.createDispatchEvent({
                 owner: 'ballerine-io',
                 repo: 'cloud-infra-config',
                 event_type: 'destroy-preview',
                 client_payload: {
-                  'ref': '${{ needs.deploy-dev-pr-environment.outputs.env_name }}'
+                  'ref': envName
                 }
               });
-              console.log('Successfully triggered deploy-preview event');
+              console.log(`Successfully triggered destroy-preview event for environment: ${envName}`);
             } catch (error) {
-              console.error('Failed to trigger deploy-preview event:', error);
+              console.error(`Failed to trigger destroy-preview event for environment ${envName}:`, error);
+              core.setFailed(`Failed to trigger destroy-preview event: ${error.message}`);
               throw error;
             }
+
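Review bot: `const envName = '${{ needs.deploy-dev-pr-environment.outputs.env_name }}';` embeds the job output in a JavaScript string literal, so a value containing a single quote breaks or alters the script; set it as `env: ENV_NAME: ${{ needs.deploy-dev-pr-environment.outputs.env_name }}` on the step and read `process.env.ENV_NAME` instead, which keeps the empty-value check. The `GIT_TOKEN` to `GH_TOKEN` rename is a behaviour change that only works if a secret named `GH_TOKEN` exists in this repository, and whichever token is used needs write access to `ballerine-io/cloud-infra-config` for `createDispatchEvent` to succeed (the default `GITHUB_TOKEN` is scoped to this repository), so a fine-grained token limited to that one repository is the right shape. `core.setFailed(...)` immediately followed by `throw error` is redundant, since the rethrow already fails the step; keep one of the two.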

@codechirag123 codechirag123 merged commit 6d6d78b into dev Dec 3, 2024
3 checks passed
@codechirag123 codechirag123 deleted the DEV-105/preview-githubaction branch December 3, 2024 10:13