WIP Convert CircleCI config to Github Actions #8147
base: master
Actionable comments posted: 4
🧹 Outside diff range and nitpick comments (2)
.github/workflows/build_test_deploy.yml (2)
4-9: Consider restricting branch patterns
The current trigger configuration runs on all branches ('*'). This might lead to unnecessary workflow runs. Consider:
- Limiting to specific branch patterns (e.g., main, develop, feature/*)
- Using path filters to run only when relevant files change
 push:
   branches:
-    - '*'
+    - main
+    - develop
+    - 'feature/**'
+  paths-ignore:
+    - '**.md'
+    - 'docs/**'
 pull_request:
   branches:
-    - '*'
+    - main
+    - develop
12-18: Enhance security of Docker credentials
The Docker credentials are exposed as environment variables. While they are using secrets, consider:
- Limiting the scope of these credentials to only the job that needs them
- Using GITHUB_TOKEN where possible for container registry authentication
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (2)
- .github/not-on-master.sh (1 hunks)
- .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
57-57: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
57-57: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
57-57: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
57-57: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
72-72: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting
(shellcheck)
117-117: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
137-137: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
137-137: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
153-153: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
153-153: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting
(shellcheck)
161-161: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
161-161: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting
(shellcheck)
169-169: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
169-169: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting
(shellcheck)
🔇 Additional comments (4)
.github/not-on-master.sh (3)
1-2: LGTM: Robust shell script configuration.
The script follows shell scripting best practices:
- Uses proper shebang line for portability
- Sets appropriate safety flags:
  -E: ERR trap inheritance
  -e: Exit on error
  -u: Error on unbound variables
  -o pipefail: Propagate pipe failures
7-7: Consider adding command validation.
The exec "$@" executes arbitrary commands passed as arguments without validation. Consider:
- Adding command whitelisting
- Implementing logging for audit purposes
- Adding error handling for failed commands
4-8: ⚠️ Potential issue
Fix branch reference comparison.
The current branch comparison has potential issues:
- GITHUB_REF typically includes the full ref path (e.g., "refs/heads/master")
- String comparison should use = instead of == for POSIX compatibility
Apply this fix:
-if [ "${GITHUB_REF}" == "master" ]; then
+if [ "${GITHUB_REF}" = "refs/heads/master" ]; then
Additionally, consider adding input validation:
.github/workflows/build_test_deploy.yml (1)
21-43: LGTM! Well-structured frontend checks
The frontend code checks job is well-organized with:
- Proper Node.js setup
- Comprehensive checks (lint, types, cyclic deps)
- Clear step names
run: | | ||
for i in {1..20}; do # retry | ||
curl --fail -v http://localhost:9000/api/health && s=0 && break || s=$? | ||
sleep 5 | ||
done | ||
(exit $s) | ||
- name: Run webknossos-datastore smoke test | ||
run: | | ||
for i in {1..20}; do # retry | ||
curl --fail -v http://localhost:9090/data/health && s=0 && break || s=$? | ||
sleep 5 | ||
done | ||
(exit $s) | ||
- name: Run webknossos-tracingstore smoke test | ||
run: | | ||
for i in {1..20}; do # retry | ||
curl --fail -v http://localhost:9050/tracings/health && s=0 && break || s=$? | ||
sleep 5 | ||
done | ||
(exit $s) |
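Review bot: none of the three curl calls set --max-time, so a single stalled connection to one of the health endpoints holds the loop until the job's own timeout and the 20-attempt budget never comes into play; add --max-time to each call, and drop -v, which writes request and response headers into the job log. (exit $s) also reads $s unquoted, which is what actionlint's SC2086 findings for these lines refer to; quoting it costs nothing.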
🛠️ Refactor suggestion
Refactor duplicated health check logic
The health check implementation is duplicated across three services. Consider extracting this into a reusable composite action:
- Create .github/actions/health-check/action.yml:
name: 'Health Check'
description: 'Performs health check with retries'
inputs:
  url:
    description: 'Health check URL'
    required: true
runs:
  using: 'composite'
  steps:
    - shell: bash
      run: |
        for i in {1..20}; do
          curl --fail -v "${{ inputs.url }}" && exit 0
          sleep 5
        done
        exit 1
- Use it in the workflow:
- uses: ./.github/actions/health-check
  with:
    url: http://localhost:9000/api/health
|
||
- name: Push docker images | ||
run: | | ||
function retry() { | ||
for i in {1..5}; do | ||
"$@" && s=0 && break || s=$? | ||
sleep 10 | ||
done | ||
return $s | ||
} | ||
retry docker login -u $DOCKER_USER -p $DOCKER_PASS | ||
retry docker compose push webknossos | ||
retry docker compose push webknossos-datastore | ||
retry docker compose push webknossos-tracingstore | ||
if [[ ${{ github.ref_type }} == "branch" ]]; then | ||
docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-datastore:${DOCKER_TAG} scalableminds/webknossos-datastore:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-datastore:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-tracingstore:${DOCKER_TAG} scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-dev:${NORMALIZED_BRANCH} | ||
fi | ||
docker logout |
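Review bot: retry docker login -u $DOCKER_USER -p $DOCKER_PASS hands the registry password over as a command-line argument, where it is readable from the runner's process list and from any set -x trace, and docker itself warns against -p; pipe it in instead (printf '%s' "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin) and do not wrap that call in retry, since a rejected credential is not transient and would only be replayed five times with 10 s pauses. The unquoted ${DOCKER_TAG} and ${NORMALIZED_BRANCH} expansions in the tag and push lines are the SC2086 findings actionlint lists for line 180; quote them.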
🛠️ Refactor suggestion
Consolidate Docker push retry logic
The Docker push steps have complex retry logic. Consider:
- Using GitHub's built-in retry functionality
- Creating a reusable function for Docker operations
- name: Login to Docker Hub
  uses: docker/login-action@v2
  with:
    username: ${{ env.DOCKER_USER }}
    password: ${{ env.DOCKER_PASS }}
- name: Push images
  uses: nick-invision/retry@v2
  with:
    timeout_minutes: 10
    max_attempts: 3
    command: |
      docker compose push webknossos
      docker compose push webknossos-datastore
      docker compose push webknossos-tracingstore
      if [[ ${{ github.ref_type }} == "branch" ]]; then
        # ... tag and push branch images
      fi
That sounds great. Please do it!
@hotzenklotz, glad you like the suggestion! Here's the updated workflow with the consolidated Docker push retry logic:
name: CI Pipeline
on:
  push:
    branches:
      - '*'
  pull_request:
    branches:
      - '*'
  workflow_dispatch:
env:
  USER_NAME: circleci
  USER_UID: 1000
  USER_GID: 1000
  TZ: Europe/Berlin
  DOCKER_USER: ${{ secrets.DOCKER_USER }}
  DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
jobs:
  static_frontent_code_checks:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 5
      - uses: actions/setup-node@v4
        with:
          node-version: 18
      - name: Install frontend dependencies
        run: corepack enable && yarn install --immutable
      - name: Lint frontend code and check formatting
        run: yarn run check-frontend
      - name: Typecheck frontend code
        run: yarn typecheck
      - name: Check for cyclic dependencies in frontend
        run: yarn check-cyclic-dependencies
  build_test_deploy:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 5
      - name: "Custom environment variables"
        run: |
          if [[ ${{ github.ref_type }} == "branch" ]]; then
            NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
            echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
            DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
            echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
          else
            echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
            echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
          fi
      - name: Set up Docker
        uses: docker/setup-buildx-action@v2
      # ... other build and test steps ...
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ env.DOCKER_USER }}
          password: ${{ env.DOCKER_PASS }}
      - name: Push docker images
        uses: nick-invision/retry@v2
        with:
          timeout_minutes: 10
          max_attempts: 3
          command: |
            docker compose push webknossos
            docker compose push webknossos-datastore
            docker compose push webknossos-tracingstore
            if [[ ${{ github.ref_type }} == "branch" ]]; then
              docker tag scalableminds/webknossos:${{ env.DOCKER_TAG }} scalableminds/webknossos:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos:${{ env.NORMALIZED_BRANCH }}
              docker tag scalableminds/webknossos-datastore:${{ env.DOCKER_TAG }} scalableminds/webknossos-datastore:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos-datastore:${{ env.NORMALIZED_BRANCH }}
              docker tag scalableminds/webknossos-tracingstore:${{ env.DOCKER_TAG }} scalableminds/webknossos-tracingstore:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos-tracingstore:${{ env.NORMALIZED_BRANCH }}
              docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos-dev:${{ env.NORMALIZED_BRANCH }}
            fi
      - name: Logout from Docker Hub
        run: docker logout
      # ... remaining steps ...
This update simplifies the retry logic by utilizing the nick-invision/retry@v2 action and the docker/login-action@v2 for authentication with Docker Hub.
Let me know if you have any questions or need further assistance!
(^‿^)/
|
||
- name: "Custom environment variables" | ||
run: | | ||
if [[ ${{ github.ref_type }} == "branch" ]]; then | ||
NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g') | ||
echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV | ||
DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}" | ||
echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV | ||
else | ||
echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV | ||
echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV |
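Review bot: the runner substitutes ${{ github.ref_name }} into this script before bash parses it, so a branch name containing shell syntax alters the command instead of being handled as data; wrapping the expression in double quotes inside the script does not change that. Pass the value through the step's env: (for example REF_NAME: ${{ github.ref_name }}) and use "$REF_NAME" in the script, or read the runner-provided GITHUB_REF_NAME directly; ${{ github.ref_type }} and ${{ github.run_number }} can move the same way for consistency. Separately, sed 's/[\/-]/_/g' only rewrites / and -, while Docker tags accept only letters, digits, _, . and - (128 characters at most), so a branch name with any other character yields an invalid DOCKER_TAG and the push fails later; normalizing every disallowed character here is cheaper than debugging it in the push step. The >> $GITHUB_ENV redirections should be quoted, as actionlint notes for line 57.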
Fix shell script quoting issues
The branch normalization script has potential issues with word splitting. Apply proper quoting:
if [[ ${{ github.ref_type }} == "branch" ]]; then
- NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
+ NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
- echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
+ echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
- DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
+ DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
- echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+ echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"
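The "Custom environment variables" step and the docker-push retry helper discussed in this thread, rewritten as a standalone script as an added example (not code from the PR or from CodeRabbit): it reads the ref from the GITHUB_REF_TYPE, GITHUB_REF_NAME and GITHUB_RUN_NUMBER variables the runner itself exports instead of splicing ${{ }} expressions into the script text, and its retry returns the last attempt's exit status. The function names normalize_ref and retry are assumptions; everything else follows the workflow's own logic.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): the "Custom environment variables" step and
# the docker-push retry helper as plain shell functions.  The ref is taken from
# variables the GitHub runner exports (GITHUB_REF_TYPE, GITHUB_REF_NAME,
# GITHUB_RUN_NUMBER), so no ${{ ... }} expression is expanded into script text.
set -eu

# normalize_ref REF_TYPE REF_NAME RUN_NUMBER
# Mirrors the workflow step: for a branch, replace "/" and "-" with "_" and
# append "__<run number>"; for a tag, the tag itself is the Docker tag and the
# branch name falls back to "master".  Prints two KEY=VALUE lines that can be
# appended to "$GITHUB_ENV".
normalize_ref() {
  ref_type=$1
  ref_name=$2
  run_number=$3
  if [ "$ref_type" = "branch" ]; then
    # The value only ever travels as a quoted argument, never through eval or
    # an unquoted expansion, so shell metacharacters in a branch name stay
    # literal (a later step still has to reject characters Docker tags forbid).
    normalized=$(printf '%s' "$ref_name" | sed 's,[/-],_,g')
    docker_tag="${normalized}__${run_number}"
  else
    normalized=master
    docker_tag=$ref_name
  fi
  printf 'NORMALIZED_BRANCH=%s\nDOCKER_TAG=%s\n' "$normalized" "$docker_tag"
}

# retry MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Runs COMMAND up to MAX_ATTEMPTS times, sleeping DELAY_SECONDS between
# attempts.  Returns 0 on the first success, otherwise the exit status of the
# last attempt (the workflow's "(exit $s)" idiom, with the status always set).
retry() {
  max_attempts=$1
  delay=$2
  shift 2
  attempt=1
  status=1
  while [ "$attempt" -le "$max_attempts" ]; do
    if "$@"; then
      return 0
    else
      status=$?
    fi
    if [ "$attempt" -lt "$max_attempts" ]; then
      sleep "$delay"
    fi
    attempt=$((attempt + 1))
  done
  return "$status"
}

# Typical use inside a workflow "run:" block (the runner sets these variables):
#   normalize_ref "$GITHUB_REF_TYPE" "$GITHUB_REF_NAME" "$GITHUB_RUN_NUMBER" >> "$GITHUB_ENV"
#   retry 5 10 docker compose push webknossos
```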
Actionable comments posted: 6
🧹 Outside diff range and nitpick comments (4)
.github/actions/health_check_action.yml (1)
16-16: Add newline at end of file.
Following YAML best practices, ensure there's a newline character at the end of the file.
🧰 Tools
🪛 yamllint
[error] 16-16: no new line character at the end of file
(new-line-at-end-of-file)
project/BuildInfoSettings.scala (1)
16-17: Consider documenting CI environment variables.
Since these environment variables are crucial for versioning and build information, consider adding documentation about their expected values and usage.
Add a comment block above the variable declarations:
+ // CI environment variables used for versioning:
+ // CI_BUILD_NUM: Build number from CI system (e.g., GitHub Actions run number)
+ // CI_TAG: Git tag from CI system, if building a tagged commit
  val ciBuild: String = if (System.getenv().containsKey("CI_BUILD_NUM")) System.getenv().get("CI_BUILD_NUM") else ""
  val ciTag: String = if (System.getenv().containsKey("CI_TAG")) System.getenv().get("CI_TAG") else ""
.github/workflows/build_test_deploy.yml (1)
28-30: Fix YAML indentation
The indentation is inconsistent with the rest of the file.
  - uses: actions/setup-node@v4
    with:
-       node-version: 18
+     node-version: 18
🧰 Tools
🪛 yamllint
[warning] 30-30: wrong indentation: expected 8 but found 10
(indentation)
docker-compose.yml (1)
Line range hint 249-257: Fix syntax error in dev service command.
There's an extra quote at the end of the -Ddatastore.redis.address=redis line which will cause the command to fail. Apply this fix:
      command:
        - bash
        - -c
        - >
          sbt -v -d -jvm-debug 5005 "run -Djava.net.preferIPv4Stack=true -Dtracingstore.fossildb.address=fossildb -Dtracingstore.redis.address=redis"
-         -Ddatastore.redis.address=redis"
+         -Ddatastore.redis.address=redis
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (4)
- .github/actions/health_check_action.yml (1 hunks)
- .github/workflows/build_test_deploy.yml (1 hunks)
- docker-compose.yml (1 hunks)
- project/BuildInfoSettings.scala (1 hunks)
🧰 Additional context used
🪛 yamllint
.github/actions/health_check_action.yml
[error] 16-16: no new line character at the end of file
(new-line-at-end-of-file)
.github/workflows/build_test_deploy.yml
[warning] 23-23: wrong indentation: expected 6 but found 4
(indentation)
[warning] 30-30: wrong indentation: expected 8 but found 10
(indentation)
[warning] 46-46: too many blank lines
(4 > 2) (empty-lines)
[error] 153-153: trailing spaces
(trailing-spaces)
[error] 155-155: trailing spaces
(trailing-spaces)
[error] 159-159: trailing spaces
(trailing-spaces)
[error] 164-164: trailing spaces
(trailing-spaces)
🪛 actionlint
.github/workflows/build_test_deploy.yml
56-56: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
71-71: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting
(shellcheck)
116-116: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
136-136: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
136-136: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting
(shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting
(shellcheck)
🔇 Additional comments (2)
.github/actions/health_check_action.yml (1)
1-6: LGTM! Clear and well-structured action metadata.
The action name, description, and input parameters are well-defined and follow GitHub Actions best practices.
project/BuildInfoSettings.scala (1)
16-17: LGTM! Verify environment variables in GitHub Actions workflow.
The change from CircleCI-specific environment variables to generic CI variables is a good practice for portability.
Let's verify that these environment variables are properly set in the GitHub Actions workflow:
for i in {1..20}; do | ||
curl --fail -v "${{ inputs.url }}" && exit 0 | ||
sleep 5 | ||
done | ||
exit 1 |
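Review bot: the loop carries over the weakness of the inline smoke tests it replaces: curl runs without --max-time, so a stalled request can consume the whole job timeout on the first attempt, and -v writes headers into the log. Since this is a composite action, inputs.url is also spliced into the script as text via ${{ inputs.url }}; declare it under env: for the step (URL: ${{ inputs.url }}) and call curl with "$URL" so the value is always a single argument regardless of what the caller passes.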
Enhance security and reliability of the health check implementation.
Consider the following improvements:
- Add timeout to prevent hanging requests
- Validate the URL input
- Remove verbose flag to prevent potential sensitive information exposure
- Make retry count and delay configurable
Apply this diff to implement the suggested improvements:
+inputs:
+ url:
+ description: 'Health check URL'
+ required: true
+ max_attempts:
+ description: 'Maximum number of retry attempts'
+ required: false
+ default: '20'
+ retry_delay:
+ description: 'Delay between retries in seconds'
+ required: false
+ default: '5'
runs:
using: 'composite'
steps:
- shell: bash
run: |
- for i in {1..20}; do
- curl --fail -v "${{ inputs.url }}" && exit 0
- sleep 5
+ # Validate URL format
+ if ! [[ "${{ inputs.url }}" =~ ^https?:// ]]; then
+ echo "Error: Invalid URL format. Must start with http:// or https://"
+ exit 1
+ fi
+
+ for i in $(seq 1 ${{ inputs.max_attempts }}); do
+ echo "Attempt $i of ${{ inputs.max_attempts }}"
+ # Add timeout and remove verbose flag
+ if curl --fail --max-time 30 "${{ inputs.url }}"; then
+ echo "Health check succeeded"
+ exit 0
+ fi
+ echo "Attempt failed, retrying in ${{ inputs.retry_delay }} seconds..."
+ sleep ${{ inputs.retry_delay }}
done
+ echo "Health check failed after ${{ inputs.max_attempts }} attempts"
exit 1
run: .github/not-on-master.sh docker compose run base yarn typecheck |
Remove duplicate type checking
The frontend type checking is already performed in the static_frontend_code_checks job (line 38-39). Consider removing this duplicate step to improve pipeline performance.
- name: Report coverage |
Don't silently ignore coverage failures
The coverage command ignores failures with || true, which could hide important coverage regressions. Consider:
- Setting a minimum coverage threshold
- Making the job fail if coverage drops below the threshold
- Using a coverage reporting action to track trends
- run: .github/not-on-master.sh docker compose run base yarn coverage || true
+ run: |
+ .github/not-on-master.sh docker compose run base yarn coverage
+ continue-on-error: true
USER_NAME: root | ||
USER_UID: 1000 | ||
USER_GID: 1000 | ||
DOCKER_USER: ${{ secrets.DOCKER_USER }} | ||
DOCKER_PASS: ${{ secrets.DOCKER_PASS }} |
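Review bot: DOCKER_USER and DOCKER_PASS are defined in the workflow-level env: block (the workflow reproduced earlier in the thread shows the same layout), so they are present in the environment of every step of every job, including the build and test steps that execute code from the branch being tested; any dependency or test in that code can read the push credentials. Move them to the env: of the push step alone, or reference the secrets only in the docker/login-action inputs, so they exist only where they are consumed. Because the workflow triggers on pushes to every branch, this applies to any branch a collaborator pushes, not only to master.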
Security: Avoid running containers as root user
Running containers as root user (USER_NAME: root) is a security anti-pattern. Consider:
- Using a non-root user for better security
- Following the principle of least privilege
- USER_NAME: root
+ USER_NAME: webknossos
|
||
- name: Assert schema.sql and evolutions are equal | ||
run: | | ||
docker compose up -d postgres | ||
sleep 3 | ||
docker compose run compile tools/postgres/dbtool.js check-evolutions-schema |
🛠️ Refactor suggestion
Replace sleep with proper postgres readiness check
Using sleep is not reliable for ensuring postgres is ready. Consider using a proper health check.
- sleep 3
+ until docker compose exec -T postgres pg_isready; do
+ echo "Waiting for postgres..."
+ sleep 1
+ done
- CI_TAG=${GITHUB_REF} | ||
- CI_BUILD_NUM=${GITHUB_JOB} |
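Review bot: `CI_TAG=${GITHUB_REF}` changes the meaning of CI_TAG, not just its format. Under CircleCI, CIRCLE_TAG was empty on every build that was not a tag build, whereas GITHUB_REF is always populated (refs/heads/master, refs/pull/<n>/merge, refs/tags/<tag>), so any downstream check of the form "is CI_TAG non-empty, then this is a release" will now fire on every build. Set it only for tag builds, e.g. `CI_TAG=${{ github.ref_type == 'tag' && github.ref_name || '' }}`, and use `${GITHUB_RUN_NUMBER}` for CI_BUILD_NUM, since GITHUB_JOB is the job's string id, not a counter.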
💡 Codebase verification
Environment variables need adjustment for GitHub Actions
Based on the usage in project/BuildInfoSettings.scala, these variables are used to populate build information. The current mappings need to be corrected:
- CI_TAG=${GITHUB_REF} - This will include the full ref path, making ciTag contain unwanted prefixes like "refs/tags/" or "refs/heads/"
- CI_BUILD_NUM=${GITHUB_JOB} - This will store the job name instead of a build number in ciBuild, which differs from the previous behavior
Suggested fix:
- - CI_TAG=${GITHUB_REF}
- - CI_BUILD_NUM=${GITHUB_JOB}
+ - CI_TAG=${GITHUB_REF_NAME}
+ - CI_BUILD_NUM=${GITHUB_RUN_NUMBER}
- GITHUB_REF_NAME provides just the branch/tag name without the "refs/*/" prefix
- GITHUB_RUN_NUMBER provides a sequential number for the workflow runs, similar to the previous CI build number
🔗 Analysis chain
Review environment variable mappings for GitHub Actions.
The current mappings might not provide equivalent values:
- GITHUB_REF includes the full reference path (e.g., 'refs/heads/main', 'refs/tags/v1.0.0') unlike CIRCLE_TAG which only contained the tag name.
- GITHUB_JOB provides the job name, not a sequential build number like CIRCLE_BUILD_NUM.
Consider these alternatives:
- - CI_TAG=${GITHUB_REF}
- - CI_BUILD_NUM=${GITHUB_JOB}
+ - CI_TAG=${GITHUB_REF#refs/tags/}
+ - CI_BUILD_NUM=${GITHUB_RUN_NUMBER}
Let's verify the usage of these variables:
Let me gather more context about how these variables might be used in the application code.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Search for CI_TAG and CI_BUILD_NUM usage in the codebase
rg "CI_(TAG|BUILD_NUM)" --type-add 'config:*.{yml,yaml,json,conf,properties}' -t config
Length of output: 191
Script:
#!/bin/bash
# Search for CI_TAG and CI_BUILD_NUM usage in all files
rg "CI_(TAG|BUILD_NUM)" -A 3 -B 3
# Also check for any shell scripts that might use these variables
fd ".sh$" --exec grep -l "CI_TAG\|CI_BUILD_NUM" {} \;
Length of output: 1350
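The GITHUB_REF shapes discussed in the comment above, worked through as an added shell example (this is not code from the PR or from the webknossos repository): `ref_type`, `ref_name` and `ci_tag` are hypothetical helper names, and `ci_tag` keeps the CircleCI semantics of CIRCLE_TAG, i.e. it is empty on anything that is not a tag build. The refs fed to the demo loop are constructed, not taken from a real run.

```shell
# Added example, not part of the PR: derive build metadata from GITHUB_REF.
# GitHub Actions emits three ref shapes:
#   refs/tags/<tag>        tag push / release
#   refs/heads/<branch>    branch push
#   refs/pull/<n>/merge    pull_request event
# Passing GITHUB_REF straight through as CI_TAG breaks code that treated
# CircleCI's CIRCLE_TAG as "empty unless this is a tag build".

# Kind of ref: tag, branch, pull or unknown (mirrors github.ref_type, plus "pull").
ref_type() {
  case "$1" in
    refs/tags/*)  echo tag ;;
    refs/heads/*) echo branch ;;
    refs/pull/*)  echo pull ;;
    *)            echo unknown ;;
  esac
}

# Bare name without the refs/<kind>/ prefix (what GITHUB_REF_NAME holds).
ref_name() {
  case "$1" in
    refs/tags/*)  printf '%s\n' "${1#refs/tags/}" ;;
    refs/heads/*) printf '%s\n' "${1#refs/heads/}" ;;
    refs/pull/*)  printf '%s\n' "${1#refs/pull/}" ;;   # e.g. "42/merge"
    *)            printf '%s\n' "$1" ;;
  esac
}

# CI_TAG with CircleCI semantics: the tag name on tag builds, empty otherwise,
# so a downstream test like [ -n "$CI_TAG" ] still means "release build".
ci_tag() {
  if [ "$(ref_type "$1")" = tag ]; then
    ref_name "$1"
  fi
  return 0
}

# Demo over constructed refs (not taken from a real run):
for ref in refs/tags/v24.11.0 refs/heads/feature/gha refs/pull/42/merge; do
  printf '%-26s type=%-7s name=%-12s CI_TAG=%s\n' \
    "$ref" "$(ref_type "$ref")" "$(ref_name "$ref")" "$(ci_tag "$ref")"
done
```

In a workflow the same result is available without shell: `github.ref_type` and `github.ref_name` are expression contexts, so `CI_TAG=${{ github.ref_type == 'tag' && github.ref_name || '' }}` is the one-line equivalent of `ci_tag`.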
Actionable comments posted: 1
🧹 Outside diff range and nitpick comments (3)
.github/workflows/build_test_deploy.yml (3)
23-23: Fix YAML indentation issues
There are inconsistent indentation levels in the workflow file:
- Line 23: Should be 6 spaces instead of 4
- Line 30: Should be 8 spaces instead of 10
    steps:
-   - name: Checkout code
+     - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 5
      - uses: actions/setup-node@v4
        with:
-           node-version: 18
+         node-version: 18
Also applies to: 30-30
🧰 Tools
🪛 yamllint
[warning] 23-23: wrong indentation: expected 6 but found 4 (indentation)
44-46: Remove excessive blank lines
There are too many consecutive blank lines (4 > 2) between the jobs.
      - name: Check for cyclic dependencies in frontend
        run: yarn check-cyclic-dependencies
-
-
  build_test_deploy:
🧰 Tools
🪛 yamllint
[warning] 46-46: too many blank lines (4 > 2) (empty-lines)
153-165: Fix trailing spaces in YAML
Remove trailing spaces from the following lines:
- Line 153: with:
- Line 155: Empty line with spaces
- Line 159: with:
- Line 164: with:
      - name: Run webknossos smoke test
        uses: ./.github/actions/health_check_action
-       with: 
+       with:
          url: http://localhost:9000/api/health
      - name: Run webknossos-datastore smoke test
        uses: ./.github/actions/health_check_action
-       with: 
+       with:
          url: http://localhost:9090/data/health
      - name: Run webknossos-tracingstore smoke test
        uses: ./.github/actions/health_check_action
-       with: 
+       with:
          url: http://localhost:9050/tracings/health
🧰 Tools
🪛 yamllint
[error] 153-153: trailing spaces
(trailing-spaces)
[error] 155-155: trailing spaces
(trailing-spaces)
[error] 159-159: trailing spaces
(trailing-spaces)
[error] 164-164: trailing spaces
(trailing-spaces)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
⛔ Files ignored due to path filters (1)
yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
- .github/workflows/build_test_deploy.yml (1 hunks)
- docker-compose.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- docker-compose.yml
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
56-56: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting (shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting (shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting (shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting (shellcheck)
71-71: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting (shellcheck)
116-116: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting (shellcheck)
136-136: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally) (shellcheck)
136-136: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally) (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting (shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 23-23: wrong indentation: expected 6 but found 4 (indentation)
[warning] 30-30: wrong indentation: expected 8 but found 10 (indentation)
[warning] 46-46: too many blank lines (4 > 2) (empty-lines)
[error] 153-153: trailing spaces (trailing-spaces)
[error] 155-155: trailing spaces (trailing-spaces)
[error] 159-159: trailing spaces (trailing-spaces)
[error] 164-164: trailing spaces (trailing-spaces)
run: docker compose run base yarn build | ||
|
||
- name: Build webknossos (sbt) | ||
run: | | ||
if [ "${{ github.ref }}" == "refs/heads/master" ]; then | ||
docker compose run compile sbt -no-colors clean compile stage | ||
else | ||
docker compose run compile sbt -no-colors -DfailOnWarning compile stage | ||
fi | ||
- name: Build webknossos-datastore (sbt) | ||
run: docker compose run base sbt -no-colors -DfailOnWarning "project webknossosDatastore" copyMessages compile stage | ||
|
||
- name: Build webknossos-tracingstore (sbt) | ||
run: docker compose run base sbt -no-colors -DfailOnWarning "project webknossosTracingstore" copyMessages compile stage | ||
|
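Review bot: `if [ "${{ github.ref }}" == "refs/heads/master" ]` splices a workflow expression into the shell script text. The runner already exports the same value as `$GITHUB_REF`, so `if [ "$GITHUB_REF" = "refs/heads/master" ]` avoids the expression-injection pattern altogether and also drops the `==` bashism (`=` is the portable test). Two further points on this hunk: master builds run `sbt clean compile stage` while every other branch adds `-DfailOnWarning`, so a warning that fails a PR build will pass once merged; confirm that asymmetry is intended. And the webknossos build runs in the `compile` service while the datastore and tracingstore builds run in `base`; use one service for all three sbt steps so they run in the same environment.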
🛠️ Refactor suggestion
Consider parallelizing build steps
The build steps for webknossos, datastore, and tracingstore are running sequentially. Consider using GitHub Actions' job parallelization to speed up the pipeline:
- Split the builds into separate jobs
- Use job outputs to share build artifacts
- Use job dependencies to maintain the correct order
Example structure:
jobs:
build-webknossos:
# ... build webknossos
outputs:
checksum: ${{ steps.checksum.outputs.value }}
build-datastore:
needs: build-webknossos
# ... build datastore
build-tracingstore:
needs: build-webknossos
# ... build tracingstore
tests:
needs: [build-webknossos, build-datastore, build-tracingstore]
# ... run tests
Actionable comments posted: 2
🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)
13-15: Remove or document commented environment variables
The commented user-related environment variables (USER_NAME, USER_UID, USER_GID) should either be removed if they're no longer needed or documented if they serve a specific purpose.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
56-56: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting (shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting (shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting (shellcheck)
56-56: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting (shellcheck)
71-71: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting (shellcheck)
116-116: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting (shellcheck)
136-136: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally) (shellcheck)
136-136: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally) (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting (shellcheck)
171-171: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting (shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 23-23: wrong indentation: expected 6 but found 4 (indentation)
[warning] 30-30: wrong indentation: expected 8 but found 10 (indentation)
[warning] 46-46: too many blank lines (4 > 2) (empty-lines)
[error] 153-153: trailing spaces (trailing-spaces)
[error] 155-155: trailing spaces (trailing-spaces)
[error] 159-159: trailing spaces (trailing-spaces)
[error] 164-164: trailing spaces (trailing-spaces)
🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)
20-42: LGTM: Frontend checks are well-structured
The frontend checks job is well-organized with appropriate steps for dependency installation, linting, type checking, and cyclic dependency validation.
🧰 Tools
🪛 yamllint
[warning] 23-23: wrong indentation: expected 6 but found 4 (indentation)
[warning] 30-30: wrong indentation: expected 8 but found 10 (indentation)
for i in {1..5}; do | ||
"$@" && s=0 && break || s=$? | ||
sleep 10 | ||
done | ||
return $s | ||
} |
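Review bot: the loop sleeps 10 seconds after the fifth failed attempt as well, so a command that never succeeds pays a pointless delay before the function returns its failure status; move the `sleep` so it only runs between attempts (e.g. `[ "$i" -lt 5 ] && sleep 10`). The counter `i` is otherwise unused, which is what shellcheck's SC2034 flags; either use it in a diagnostic ("attempt $i/5 failed") or name it `_`. The `"$@" && s=0 && break || s=$?` chain is correct, but it is correct only because `break` is the last command of the `&&` list; a comment saying so would save the next reader a minute.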
🛠️ Refactor suggestion
Consider using GitHub Actions' built-in retry functionality
Instead of implementing a custom retry function, consider using GitHub Actions' built-in retry functionality with the nick-invision/retry@v2 action:
- uses: nick-invision/retry@v2
with:
timeout_minutes: 10
max_attempts: 5
command: docker login -u "${DOCKER_USER}" -p "${DOCKER_PASS}"
This approach provides better logging and integration with GitHub Actions.
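The retry helper under discussion, reworked as an added shell example (not the PR's code and not a webknossos script): attempts and base delay become parameters, the sleep runs only between attempts, the attempt counter is used in the log line, and the delay doubles on each failure. `retry`, `flaky` and `demo` are hypothetical names; `flaky` is a constructed stand-in for a command that fails transiently, so the demo needs no network or registry.

```shell
# Added example, not from the PR: a retry helper with bounded attempts and
# exponential backoff. Differences from the inline loop in the workflow:
#   - no sleep after the final failed attempt
#   - the attempt counter is used (shellcheck SC2034 goes away)
#   - attempts and base delay are parameters, so tests can pass delay 0
#
# usage: retry <max_attempts> <base_delay_seconds> <command> [args...]
# returns: 0 on the first success, otherwise the last command's exit status
retry() {
  retry_max=$1
  retry_delay=$2
  shift 2
  retry_attempt=1
  while :; do
    # "$@" && return 0 keeps the failing status reachable via $? below.
    "$@" && return 0
    retry_status=$?
    if [ "$retry_attempt" -ge "$retry_max" ]; then
      echo "retry: giving up after $retry_attempt attempts (status $retry_status)" >&2
      return "$retry_status"
    fi
    echo "retry: attempt $retry_attempt failed (status $retry_status); retrying in ${retry_delay}s" >&2
    sleep "$retry_delay"
    retry_attempt=$((retry_attempt + 1))
    retry_delay=$((retry_delay * 2))
  done
}

# Constructed flaky command for the demo: fails until the counter stored in
# file $1 reaches $2, then succeeds. Stands in for a transient registry error.
flaky() {
  flaky_n=$(cat "$1" 2>/dev/null || echo 0)
  flaky_n=$((flaky_n + 1))
  echo "$flaky_n" > "$1"
  [ "$flaky_n" -ge "$2" ]
}

# Demo: the command needs 3 attempts and the budget is 5, so retry returns 0.
demo() {
  demo_counter=$(mktemp)
  rm -f "$demo_counter"
  retry 5 0 flaky "$demo_counter" 3
  demo_rc=$?
  rm -f "$demo_counter"
  return "$demo_rc"
}

demo
```

In the workflow this would wrap the registry login and push, e.g. `retry 5 10 docker login -u "$DOCKER_USER" --password-stdin <<<"$DOCKER_PASS"`, with the secrets scoped to that step's `env:` rather than the job's.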
Actionable comments posted: 4
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (2)
- .github/workflows/build_test_deploy.yml (1 hunks)
- Dockerfile (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
54-54: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting (shellcheck)
54-54: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting (shellcheck)
54-54: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting (shellcheck)
54-54: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting (shellcheck)
131-131: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting (shellcheck)
151-151: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally) (shellcheck)
151-151: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally) (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting (shellcheck)
183-183: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting (shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 23-23: wrong indentation: expected 6 but found 4 (indentation)
[error] 70-70: trailing spaces (trailing-spaces)
[error] 80-80: trailing spaces (trailing-spaces)
[error] 165-165: trailing spaces (trailing-spaces)
[error] 167-167: trailing spaces (trailing-spaces)
[error] 171-171: trailing spaces (trailing-spaces)
[error] 176-176: trailing spaces (trailing-spaces)
🔇 Additional comments (2)
Dockerfile (1)
11-11: Please clarify the Docker-dev image reference in the comment.
The comment mentions "Docker-dev image" but this dependency isn't clearly documented. This could make it difficult for other developers to understand the build prerequisites.
Let's check for any Docker-dev image references:
✅ Verification successful
Let me check the docker-compose files to understand if there's a dev image defined:
Let me check the Dockerfile.dev since I found a reference to webknossos-dev image in docker-compose.yml:
Based on the docker-compose.yml and Dockerfile.dev analysis, I can now generate the final response:
The Docker-dev image reference is accurate and well-integrated
The comment refers to the webknossos-dev image which is properly defined in docker-compose.yml under the base service. This dev image is built from Dockerfile.dev and is used for development and compilation tasks. The compiled Scala output from this dev environment is indeed used in the production Dockerfile, making the comment accurate and helpful.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Search for Docker-dev image references in the repository
rg -i "docker-dev.*image"
# Check docker-compose files for related services
fd -e yml -e yaml | xargs rg -l "docker"
Length of output: 329
Script:
#!/bin/bash
# Check contents of docker-compose files for dev image definitions
echo "=== Main docker-compose.yml ==="
cat docker-compose.yml
echo -e "\n=== tools/hosting/docker-compose.yml ==="
cat tools/hosting/docker-compose.yml
echo -e "\n=== webknossos-tracingstore/deployment/docker-compose.yml ==="
cat webknossos-tracingstore/deployment/docker-compose.yml
echo -e "\n=== webknossos-datastore/deployment/docker-compose.yml ==="
cat webknossos-datastore/deployment/docker-compose.yml
Length of output: 14631
Script:
#!/bin/bash
# Check Dockerfile.dev contents
cat Dockerfile.dev
Length of output: 1079
.github/workflows/build_test_deploy.yml (1)
4-6: Consider including additional protected branches in push triggers
The push trigger is currently limited to the master branch. Consider including other protected branches (e.g., main, develop, release/*) to ensure the pipeline runs on all important branches.
@@ -8,6 +8,7 @@ RUN curl -sL "https://deb.nodesource.com/setup_${VERSION_NODE}" | bash - \ | |||
RUN mkdir -p /webknossos | |||
WORKDIR /webknossos | |||
|
|||
# Copy compiled Scala output from a previous build step, e.g. output of the Docker-dev image | |||
COPY target/universal/stage . |
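Review bot: `COPY target/universal/stage .` copies the pre-built sbt stage output into /webknossos as root-owned files (COPY defaults to root ownership). If the image is later switched to a non-root runtime user, as the earlier review comment on USER_NAME: root recommends, use `COPY --chown=<user>:<group> target/universal/stage .` so ownership matches that user. This also means the Dockerfile no longer compiles anything itself; the image content is whatever the CI job left in `target/universal/stage`, so the build should fail loudly when that directory is missing or incomplete rather than producing an image with an empty /webknossos.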
🛠️ Refactor suggestion
Consider validating the copied Scala artifacts.
While the COPY command is correct, consider adding validation to ensure the required Scala artifacts are present and complete.
Consider adding a validation step:
# Copy compiled Scala output from a previous build step, e.g. output of the Docker-dev image
COPY target/universal/stage .
+RUN test -f bin/webknossos && \
+ test -d lib || \
+ (echo "Error: Required Scala artifacts are missing" && exit 1)
📝 Committable suggestion
# Copy compiled Scala output from a previous build step, e.g. output of the Docker-dev image
COPY target/universal/stage .
RUN test -f bin/webknossos && \
    test -d lib || \
    (echo "Error: Required Scala artifacts are missing" && exit 1)
run: | | ||
WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }} | ||
yarn run docs --project-version $WK_VERSION | ||
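Review bot: the fallback chain `github.event.release.tag_name || github.run_number || 'dev'` can never reach `'dev'`: `github.run_number` is set on every run, so every non-release build, including PR builds, gets a bare run number as its documentation version. If `'dev'` is meant for branch and PR builds, the middle alternative needs a branch condition such as `github.ref == 'refs/heads/master'` rather than relying on `||`. Quote `"$WK_VERSION"` in the yarn call as well.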
🛠️ Refactor suggestion
Add error handling to documentation build
The documentation build step should fail the workflow if there are any errors.
- name: Build frontend documentation
run: |
+ set -eo pipefail
WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
- yarn run docs --project-version $WK_VERSION
+ yarn run docs --project-version "${WK_VERSION}"
📝 Committable suggestion
- name: Build frontend documentation
  run: |
    set -eo pipefail
    WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
    yarn run docs --project-version "${WK_VERSION}"
- name: Install dependencies | ||
run: apt-get update \ | ||
&& apt-get install -y \ | ||
findutils \ | ||
libdraco-dev \ |
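Review bot: `run: apt-get update \` starts a YAML plain scalar, not a block scalar, so the following indented lines are folded into a single line with the line breaks replaced by spaces: the shell receives `apt-get update \ && apt-get install -y \ findutils \ libdraco-dev \ ...`, where each `\ ` is an escaped space that becomes an extra empty-looking argument. `apt-get update` rejects extra arguments, so this step fails before it installs anything. Use `run: |` so the continuation lines reach the shell verbatim. Also check the execution context: on a plain ubuntu runner `apt-get` needs `sudo`, and `--no-install-recommends` keeps the install to what the build actually needs.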
🛠️ Refactor suggestion
Optimize apt-get commands
The apt-get installation can be optimized to reduce the image size and improve build time.
- - name: Install dependencies
- run: apt-get update \
- && apt-get install -y \
- findutils \
- libdraco-dev \
- libblosc1
+ - name: Install dependencies
+ run: |
+ apt-get update && apt-get install -y --no-install-recommends \
+ findutils \
+ libdraco-dev \
+ libblosc1 \
+ && rm -rf /var/lib/apt/lists/*
📝 Committable suggestion
- name: Install dependencies
  run: |
    apt-get update && apt-get install -y --no-install-recommends \
      findutils \
      libdraco-dev \
      libblosc1 \
    && rm -rf /var/lib/apt/lists/*
- name: Install frontend dependencies |
🛠️ Refactor suggestion
Add yarn cache to improve CI performance
Consider using GitHub's cache action for yarn dependencies to speed up the CI pipeline.
- uses: actions/setup-node@v4
with:
node-version: 18
+ cache: 'yarn'
+
+ - name: Get yarn cache directory path
+ id: yarn-cache-dir-path
+ run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+ - uses: actions/cache@v3
+ id: yarn-cache
+ with:
+ path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+ key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-yarn-
- name: Install frontend dependencies
run: corepack enable && yarn install --immutable
📝 Committable suggestion
- uses: actions/setup-node@v4
  with:
    node-version: 18
    cache: 'yarn'

- name: Get yarn cache directory path
  id: yarn-cache-dir-path
  run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT

- uses: actions/cache@v3
  id: yarn-cache
  with:
    path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
    key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
    restore-keys: |
      ${{ runner.os }}-yarn-

- name: Install frontend dependencies
  run: corepack enable && yarn install --immutable
Actionable comments posted: 5
🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)
12-17
: Add timezone environment variableConsider adding
TZ: UTC
(or your preferred timezone) to ensure consistent timestamps across the pipeline execution.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
73-73: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting (shellcheck)
73-73: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting (shellcheck)
73-73: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting (shellcheck)
73-73: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting (shellcheck)
141-141: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting (shellcheck)
158-158: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally) (shellcheck)
158-158: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally) (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting (shellcheck)
189-189: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting (shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 23-23: wrong indentation: expected 6 but found 4 (indentation)
[warning] 52-52: wrong indentation: expected 6 but found 8 (indentation)
[error] 89-89: trailing spaces (trailing-spaces)
[error] 99-99: trailing spaces (trailing-spaces)
[error] 172-172: trailing spaces (trailing-spaces)
[error] 174-174: trailing spaces (trailing-spaces)
[error] 177-177: trailing spaces (trailing-spaces)
[error] 182-182: trailing spaces (trailing-spaces)
foo: | ||
runs-on: ubuntu-20.04 | ||
static_frontend_code_checks: | ||
runs-on: ubuntu-24.04 |
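Review bot: the `foo` job declares only `runs-on: ubuntu-20.04` and has no `steps` (the next key is already `static_frontend_code_checks:`), so the workflow file is invalid: every job needs `steps` or `uses`, and GitHub rejects the workflow at parse time rather than skipping the job. It reads like a scaffolding leftover; delete it, and while here pick one runner image for the remaining jobs so `static_frontend_code_checks` and `build_test_deploy` get the same toolchain.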
Align Ubuntu versions across jobs
The static_frontend_code_checks job uses ubuntu-24.04 while build_test_deploy uses ubuntu-20.04. This inconsistency could lead to environment differences. Consider using the same Ubuntu version for both jobs.
Also applies to: 46-46
env: | ||
POSTGRES_DB: webknossos | ||
POSTGRES_USER: webknossos_user |
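Review bot: literal POSTGRES_DB and POSTGRES_USER values (and the password the review quotes below) for a throwaway CI database are acceptable on two conditions: the postgres service is reachable only on the job's own compose network, with no port published on the runner, and none of these values is reused by a deployed environment. Moving them into repository secrets, as suggested below, has a cost worth weighing first: secrets are not available to `pull_request` runs from forks, so the schema check would start failing on every external contribution unless a non-secret default is kept for that case.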
Use secrets for database credentials
Database credentials are currently hardcoded in the workflow file. Consider using GitHub secrets:
- POSTGRES_DB: webknossos
- POSTGRES_USER: webknossos_user
- POSTGRES_PASSWORD: secret_password
+ POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
+ POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+ POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
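Review bot: moving POSTGRES_DB and POSTGRES_USER into secrets conflicts with the workflow's pull_request trigger on all branches: secrets are not available to runs from forked-repository pull requests, so all three values would resolve to empty strings there and the postgres service would fail to start. The database name and user are configuration, not credentials, and the password only guards an ephemeral service container that lives for the duration of the job; whatever is kept in env: must also stay consistent with the POSTGRES_USER/POSTGRES_URL values the application job uses (jdbc:postgresql://postgres/webknossos).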
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
- name: Build frontend documentation
  run: |
    WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
🛠️ Refactor suggestion
Improve documentation version handling
The current version fallback chain could be more explicit:
- WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
+ WK_VERSION=$(
+ if [ -n "${{ github.event.release.tag_name }}" ]; then
+ echo "${{ github.event.release.tag_name }}"
+ elif [ "${{ github.ref }}" = "refs/heads/master" ]; then
+ echo "${{ github.run_number }}"
+ else
+ echo "dev"
+ fi
+ )
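Review bot: the rewrite still interpolates ${{ github.event.release.tag_name }} and ${{ github.ref }} directly into the script text, and the double quotes around them give no protection, because the expression is substituted before bash parses the script. Pass them through the step's env: (for example TAG_NAME: ${{ github.event.release.tag_name }}) and reference "$TAG_NAME" in the script; that also avoids the SC2086 class of findings actionlint reports for this file. The real behavioural change here, that github.run_number is now used only on refs/heads/master, should be stated as the motivation, since the original || chain is already explicit about its fallback order.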
- name: Build webknossos docker image
  run: |
    docker pull scalableminds/webknossos:$NORMALIZED_BRANCH || true
    DEV_CACHE=$NORMALIZED_BRANCH docker compose build --pull webknossos
- name: Build webknossos-datastore docker image
  run: docker compose build --pull webknossos-datastore
- name: Build webknossos-tracingstore docker image
🛠️ Refactor suggestion
Optimize Docker builds with layer caching
Consider using BuildKit's cache features to speed up builds:
- run: docker compose build --pull webknossos-datastore
+ run: |
+ DOCKER_BUILDKIT=1 docker compose build \
+ --pull \
+ --build-arg BUILDKIT_INLINE_CACHE=1 \
+ webknossos-datastore
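Review bot: BUILDKIT_INLINE_CACHE=1 only embeds cache metadata into the image being built; it speeds nothing up unless a later build pulls that image as a cache source (cache_from: on the compose service or --cache-from on the CLI), so the suggestion is incomplete on its own. The webknossos step just above already does this by pulling scalableminds/webknossos:$NORMALIZED_BRANCH and passing DEV_CACHE; the datastore and tracingstore steps would need the equivalent pull to benefit. DOCKER_BUILDKIT=1 is also the default on current Docker Engine releases.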
🧰 Tools
🪛 actionlint
141-141: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
# - name: Prepare dependency folders
#   run: mkdir -p project/target target ~/.ivy2 ~/.cache/coursier
# - name: Assert unique evolution numbers
#   run: docker compose run base tools/postgres/dbtool.js assert-unique-evolution-numbers
# - name: Assert schema.sql and evolutions are equal
#   run: |
#     docker compose up -d postgres
#     sleep 3
#     docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
💡 Codebase verification
These database validation steps should be uncommented and fixed
The commented-out steps are critical database schema validation checks that:
- Ensure evolution numbers are unique (assert-unique-evolution-numbers)
- Verify schema.sql matches the evolutions (check-evolutions-schema)
These checks are important as evidenced by:
- The dbtool.js script contains active implementations of these commands
- The script is actively used in other parts of the codebase for database validation
- No alternative validation steps exist in the workflow file
🔗 Analysis chain
Clean up commented code blocks
Several steps are commented out but seem important for database schema validation. Either:
- Remove these comments if they're no longer needed
- Uncomment and fix them if they're still required
Let me check how these database tools are actually used to determine if the commented steps are still needed.
Let me check if these database validation steps are replaced by other mechanisms in the workflow.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Check if these database tools are used elsewhere
rg -l "dbtool.js"
Length of output: 217
Script:
#!/bin/bash
# Check the content of files that use dbtool.js
rg "dbtool\.js" -C 3
# Also check if there are any other similar database schema validation tasks
rg "schema" .github/workflows/ -C 3
Length of output: 6445
Script:
#!/bin/bash
# Check the entire workflow file for other database validation steps
cat .github/workflows/build_test_deploy.yml
# Also check if dbtool.js exists and what commands it supports
cat tools/postgres/dbtool.js 2>/dev/null || echo "File not found"
Length of output: 21423
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (2)
.github/workflows/build_test_deploy.yml (2)
102-107: Optimize Java setup configuration
The Java setup could be improved:
- Consider using a specific version instead of latest
- Enable concurrent garbage collection for better CI performance
- name: Set up Java uses: actions/setup-java@v4 with: distribution: 'temurin' java-version: '21' cache: 'sbt' + java-package: jdk + architecture: x64 + env: + JAVA_OPTS: "-XX:+UseG1GC -XX:+UseStringDeduplication"
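Review bot: the env: added under the uses: actions/setup-java@v4 step applies only to that action's own process, so JAVA_OPTS would never reach the later run: steps that invoke sbt; put it at job level or on the sbt steps instead. java-version: '21' is already a pinned version, so the "instead of latest" bullet does not apply to this hunk, and the UseG1GC flag is the JDK 21 default collector anyway.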
172-180: Consider parallelizing test execution
The backend and e2e tests are running sequentially. Consider:
- Running backend tests in parallel using test splitting
- Implementing test sharding for e2e tests
Example configuration for parallel test execution:
strategy:
  matrix:
    test-group: [1, 2, 3, 4]
steps:
  - name: Run backend tests
    run: |
      TOTAL_GROUPS=4
      GROUP=${{ matrix.test-group }}
      .github/not-on-master.sh docker compose run backend-tests --split-by=timings --group=$GROUP/$TOTAL_GROUPS
🧰 Tools
🪛 actionlint
176-176: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
176-176: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
.github/workflows/build_test_deploy.yml
(1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
153-153: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
176-176: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
176-176: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting
(shellcheck)
207-207: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 75-75: trailing spaces
(trailing-spaces)
[error] 98-98: trailing spaces
(trailing-spaces)
[error] 190-190: trailing spaces
(trailing-spaces)
[error] 192-192: trailing spaces
(trailing-spaces)
[error] 195-195: trailing spaces
(trailing-spaces)
[error] 200-200: trailing spaces
(trailing-spaces)
🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)
4-16: Verify branch protection rules alignment
The workflow triggers look good, but please ensure they align with your repository's branch protection rules, especially for the master branch.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (3)
.github/workflows/build_test_deploy.yml (3)
4-16: Consider refining the pull request trigger configuration
The current configuration triggers on PRs for all branches ('*'). Consider limiting this to specific branches that are relevant to your workflow, such as:
pull_request: branches: - - '*' + - master + - develop + - 'release/**'
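Review bot: branches: under pull_request filters on the pull request's base (target) branch, not the head branch, so this change only skips PRs opened against branches other than master, develop and release/**; it does not reduce runs for feature branches targeting master, which is presumably the intent.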
66-70: Optimize PostgreSQL health check configuration
The current health check configuration might be too aggressive:
- 2s interval might be too frequent and could cause unnecessary load
- 30 retries with 2s interval = 60s total wait time, which might be excessive
Consider adjusting the values:
options: >- --health-cmd pg_isready - --health-interval 2s - --health-timeout 5s - --health-retries 30 + --health-interval 10s + --health-timeout 5s + --health-retries 12
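Review bot: the arithmetic in the rationale does not match the suggested values: --health-interval 10s with --health-retries 12 allows up to 120s before the container is marked unhealthy, twice the 60s the comment calls excessive. A 2s pg_isready probe is negligible load; the interval mainly determines how long the job idles after postgres is actually ready, so a shorter wait argues for keeping the short interval and lowering the retry count, not the reverse.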
111-116: Optimize OS dependencies installation
The current apt-get installation can be improved:
- Clean up cache to reduce image size
- Combine commands to reduce layers
- Remove commented out packages
- run: sudo apt-get update && sudo apt-get install -y libdraco-dev libblosc-dev + run: | + sudo apt-get update && \ + sudo apt-get install -y --no-install-recommends \ + libdraco-dev \ + libblosc-dev && \ + sudo rm -rf /var/lib/apt/lists/*
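Review bot: sudo rm -rf /var/lib/apt/lists/* and "combine commands to reduce layers" are Dockerfile optimisations; in a run: step on a GitHub-hosted runner there is no image layer to shrink and the VM is discarded after the job, so they only add noise. --no-install-recommends does change behaviour: if the build relied on a recommended package of libdraco-dev or libblosc-dev it would now be missing, so that flag needs a full test run before it is adopted.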
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
.github/workflows/build_test_deploy.yml
(1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
156-156: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
179-179: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
179-179: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting
(shellcheck)
210-210: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 75-75: trailing spaces
(trailing-spaces)
[error] 98-98: trailing spaces
(trailing-spaces)
[error] 193-193: trailing spaces
(trailing-spaces)
[error] 195-195: trailing spaces
(trailing-spaces)
[error] 198-198: trailing spaces
(trailing-spaces)
[error] 203-203: trailing spaces
(trailing-spaces)
Actionable comments posted: 4
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
.github/workflows/build_test_deploy.yml
(1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
157-157: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 75-75: trailing spaces
(trailing-spaces)
[error] 98-98: trailing spaces
(trailing-spaces)
[error] 194-194: trailing spaces
(trailing-spaces)
[error] 196-196: trailing spaces
(trailing-spaces)
[error] 199-199: trailing spaces
(trailing-spaces)
[error] 204-204: trailing spaces
(trailing-spaces)
🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)
81-91: 🛠️ Refactor suggestion
Fix shell script quoting in environment variables
The script has potential issues with word splitting. Apply proper quoting:
if [[ ${{ github.ref_type }} == "branch" ]]; then
- NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
+ NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
- echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
+ echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
- DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
+ DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
- echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+ echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"
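Review bot: the DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}" pair is identical before and after and should be dropped from the diff, and the if [[ ${{ github.ref_type }} == "branch" ]] condition is left unquoted while the lines below it are fixed. More importantly, quoting "${{ github.ref_name }}" inside the script does not make the interpolation safe: the expression is substituted into the script text before bash parses it, so a ref name containing a double quote or $( still changes the command. Expose it via the step's env: (REF_NAME: ${{ github.ref_name }}) and use "$REF_NAME" in the script.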
Likely invalid or redundant comment.
🧰 Tools
🪛 actionlint
82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
default: false
env:
  USER_NAME: root
Security: Avoid running as root user
Running containers as root user is a security risk. Consider using a non-root user with minimal required permissions.
- USER_NAME: root
+ USER_NAME: webknossos
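Review bot: this hunk changes only the value of a USER_NAME variable; whether the containers actually run as root is decided by how docker-compose.yml and the Dockerfiles consume USER_NAME, USER_UID and USER_GID, which is not shown here. A user named webknossos must exist in the images (or be created from these variables) at UID/GID 1000, and the build steps that write into the checkout must work under that user, so verify the rename against the compose file rather than applying it blind.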
- name: Lint frontend code and check formatting
  run: yarn run check-frontend
- name: Typecheck frontend code
  run: yarn typecheck
- name: Check for cyclic dependencies in frontend
🛠️ Refactor suggestion
Add error handling to frontend checks
The frontend check commands should fail fast if any check fails. Add proper error handling:
- name: Lint frontend code and check formatting
run: |
+ set -euo pipefail
yarn run check-frontend
- name: Typecheck frontend code
run: |
+ set -euo pipefail
yarn typecheck
- name: Check for cyclic dependencies in frontend
run: |
+ set -euo pipefail
yarn check-cyclic-dependencies
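Review bot: the three set -euo pipefail lines are redundant. On Linux runners the default shell for run: is bash --noprofile --norc -eo pipefail {0}, so each step already fails on the first non-zero exit and on pipeline errors; the only addition is -u, which is irrelevant to a single yarn invocation. A single-command run: step already fails fast, so the stated motivation does not hold.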
- name: Run end-to-end tests
  run: |
    for i in {1..3}; do # retry
      .github/not-on-master.sh docker compose run e2e-tests && s=0 && break || s=$?
    done
    (exit $s)
🛠️ Refactor suggestion
Fix shell script quoting in retry logic
The retry logic needs proper quoting and error handling:
run: |
+ set -euo pipefail
for i in {1..3}; do # retry
- .github/not-on-master.sh docker compose run e2e-tests && s=0 && break || s=$?
+ if .github/not-on-master.sh docker compose run e2e-tests; then
+ s=0
+ break
+ else
+ s=$?
+ fi
done
- (exit $s)
+ (exit "${s}")
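Review bot: the if/else form is behaviourally equivalent to the original && s=0 && break || s=$? chain; quoting "${s}" addresses SC2086, but SC2034 remains because i is still unused (use _ as the loop variable), and set -euo pipefail duplicates the runner's default bash -eo pipefail. The loop also retries immediately with no pause, so a short sleep between attempts would make the retry useful for the transient failures it is meant to absorb.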
🧰 Tools
🪛 actionlint
180-180: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
Actionable comments posted: 4
🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)
4-16: Consider optimizing workflow triggers
The workflow configuration could be more efficient:
- The push trigger could specify paths to reduce unnecessary runs
- The pull_request trigger could also use path filters
push: branches: - master + paths: + - 'app/**' + - 'webknossos-datastore/**' + - 'webknossos-tracingstore/**' + - 'package.json' + - 'yarn.lock' pull_request: branches: - '*' + paths: + - 'app/**' + - 'webknossos-datastore/**' + - 'webknossos-tracingstore/**' + - 'package.json' + - 'yarn.lock'
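Review bot: the paths: list omits .github/workflows/**, the compose file and the Dockerfiles, even though the job builds the webknossos, datastore and tracingstore images with docker compose build, and it omits tools/postgres, which the (currently commented) schema checks depend on via dbtool.js; a change to any of those would no longer be tested. Path filters also mean a PR touching only excluded files never produces the status check, so any required check in branch protection stays pending unless that case is accounted for.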
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
.github/workflows/build_test_deploy.yml
(1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
154-154: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
180-180: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)
(shellcheck)
180-180: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 74-74: trailing spaces
(trailing-spaces)
[error] 97-97: trailing spaces
(trailing-spaces)
[error] 127-127: trailing spaces
(trailing-spaces)
[error] 128-128: trailing spaces
(trailing-spaces)
[error] 194-194: trailing spaces
(trailing-spaces)
[error] 196-196: trailing spaces
(trailing-spaces)
[error] 199-199: trailing spaces
(trailing-spaces)
[error] 204-204: trailing spaces
(trailing-spaces)
🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)
26-48: 🛠️ Refactor suggestion
Optimize frontend checks performance
The frontend checks job could be improved:
- Add yarn caching
- Add proper error handling
- Consider parallelizing the checks
- uses: actions/setup-node@v4
with:
node-version: 18
+ cache: 'yarn'
- name: Install frontend dependencies
run: corepack enable && yarn install --immutable
- name: Lint frontend code and check formatting
- run: yarn run check-frontend
+ run: |
+ set -euo pipefail
+ yarn run check-frontend
- name: Typecheck frontend code
- run: yarn typecheck
+ run: |
+ set -euo pipefail
+ yarn typecheck
- name: Check for cyclic dependencies in frontend
- run: yarn check-cyclic-dependencies
+ run: |
+ set -euo pipefail
+ yarn check-cyclic-dependencies
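Review bot: the three `set -euo pipefail` preambles mostly duplicate what the runner already does. With no `shell:` set, GitHub executes each `run:` block as `bash -e {0}`, so a failing `yarn …` command already fails the step; the only things the extra line adds are `-u` and `pipefail`. If those are wanted, set them once with `defaults: run: shell: bash` at the workflow level (which runs `bash --noprofile --norc -eo pipefail`) instead of repeating them in every step, and keep the one-line `run:` forms. The `cache: 'yarn'` addition on `actions/setup-node` is the part of this hunk that actually changes behaviour.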
Likely invalid or redundant comment.
🧰 Tools
🪛 yamllint
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
env: | ||
USER_NAME: root | ||
USER_UID: 1000 | ||
USER_GID: 1000 | ||
DOCKER_USER: ${{ secrets.DOCKER_USER }} | ||
DOCKER_PASS: ${{ secrets.DOCKER_PASS }} |
Security: Critical configuration issues
Several security concerns need to be addressed:
- Running as root user is a security risk
- Consider using GitHub's OIDC for Docker Hub authentication instead of storing credentials
env:
- USER_NAME: root
+ USER_NAME: webknossos
USER_UID: 1000
USER_GID: 1000
- DOCKER_USER: ${{ secrets.DOCKER_USER }}
- DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
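Review bot: removing `DOCKER_USER`/`DOCKER_PASS` from `env` breaks the later `retry docker login -u $DOCKER_USER -p $DOCKER_PASS` step unless that step changes in the same commit, and the "OIDC" login snippet that follows is not OIDC at all: `password: ${{ secrets.GITHUB_TOKEN }}` with `registry: docker.io` sends the job's GitHub token to Docker Hub, which only GitHub's own registry (ghcr.io) accepts, so every `docker compose push` of the `scalableminds/*` images would fail, while `id-token: write` is granted with nothing consuming it. Either keep a Docker Hub credential in secrets (a scoped access token rather than the account password) and log in with `docker/login-action`, or push to ghcr.io where `GITHUB_TOKEN` is valid.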
Consider using OIDC for Docker Hub:
permissions:
id-token: write
contents: read
jobs:
build:
steps:
- uses: docker/login-action@v2
with:
registry: docker.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
env: | ||
POSTGRES_URL: jdbc:postgresql://postgres/webknossos | ||
POSTGRES_USER: webknossos_user |
Security: Use secrets for database credentials
Database credentials should not be hardcoded in the workflow file.
env:
- POSTGRES_URL: jdbc:postgresql://postgres/webknossos
- POSTGRES_USER: webknossos_user
- POSTGRES_PASSWORD: secret_password
+ POSTGRES_URL: ${{ secrets.POSTGRES_URL }}
+ POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+ POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
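Review bot: these values configure the throwaway Postgres service container the job starts itself (`jdbc:postgresql://postgres/webknossos`, `docker compose up -d postgres`), so they protect nothing outside the runner, and moving them into `secrets.*` mostly adds friction: the same values still have to reach the service container, a masked URL and user make failed-test logs harder to read, and `secrets` are not exposed to `pull_request` runs from forks, so those runs would start with empty connection settings. Keep the ephemeral CI-only defaults here and say so in a comment; reserve secrets for credentials that reach a real system.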
|
||
# - name: Assert unique evolution numbers | ||
# run: node tools/postgres/dbtool.js assert-unique-evolution-numbers | ||
|
||
# - name: Assert schema.sql and evolutions are equal | ||
# run: | | ||
# docker compose up -d postgres | ||
# sleep 3 |
Uncomment and fix database validation steps
The commented-out database validation steps are critical for ensuring schema integrity.
-# - name: Assert unique evolution numbers
-# run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
+- name: Assert unique evolution numbers
+ run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
-# - name: Assert schema.sql and evolutions are equal
-# run: |
-# docker compose up -d postgres
-# sleep 3
-# docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
+- name: Assert schema.sql and evolutions are equal
+ run: |
+ docker compose up -d postgres
+ until docker compose exec -T postgres pg_isready; do
+ echo "Waiting for postgres..."
+ sleep 1
+ done
+ docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
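Review bot: the `until docker compose exec -T postgres pg_isready; do … done` loop has no upper bound, so a Postgres container that never becomes healthy keeps the job spinning until the job timeout instead of failing fast; bound it, e.g. `for _ in $(seq 1 30); do docker compose exec -T postgres pg_isready && break; sleep 1; done` followed by one final `pg_isready` that fails the step. Also confirm the `compile` service used by `docker compose run compile …` still exists, since a later review of docker-compose.yml in this PR notes the compile/dev services being commented out.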
- name: Push docker images | ||
run: | | ||
function retry() { | ||
for i in {1..5}; do | ||
"$@" && s=0 && break || s=$? | ||
sleep 10 | ||
done | ||
return $s | ||
} | ||
retry docker login -u $DOCKER_USER -p $DOCKER_PASS | ||
retry docker compose push webknossos | ||
retry docker compose push webknossos-datastore | ||
retry docker compose push webknossos-tracingstore | ||
if [[ ${{ github.ref_type }} == "branch" ]]; then | ||
docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-datastore:${DOCKER_TAG} scalableminds/webknossos-datastore:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-datastore:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-tracingstore:${DOCKER_TAG} scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-dev:${NORMALIZED_BRANCH} | ||
fi |
Fix shell script issues in Docker operations
The Docker operations script has multiple quoting and error handling issues.
function retry() {
+ local cmd=("$@")
for i in {1..5}; do
- "$@" && s=0 && break || s=$?
+ if "${cmd[@]}"; then
+ return 0
+ fi
sleep 10
done
- return $s
+ return 1
}
-retry docker login -u $DOCKER_USER -p $DOCKER_PASS
+retry docker login -u "${DOCKER_USER}" -p "${DOCKER_PASS}"
retry docker compose push webknossos
retry docker compose push webknossos-datastore
retry docker compose push webknossos-tracingstore
if [[ ${{ github.ref_type }} == "branch" ]]; then
- docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH}
+ docker tag "scalableminds/webknossos:${DOCKER_TAG}" "scalableminds/webknossos:${NORMALIZED_BRANCH}"
# Similar fixes for other docker commands
fi
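Review bot: `retry docker login -u "${DOCKER_USER}" -p "${DOCKER_PASS}"` still passes the password as a command-line argument, where it is visible in the process list and triggers Docker's own "Using --password via the CLI is insecure" warning; feed it on stdin instead (`printf '%s' "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin`, wrapped in `sh -c` if it must go through `retry`), or use `docker/login-action`. Two smaller points: `for i in {1..5}` still leaves `i` unused (SC2034 below), `for _ in {1..5}` silences it; and `# Similar fixes for other docker commands` is a placeholder, so the suggestion is not committable as shown, the remaining `docker tag`/`docker push` lines need the quoting spelled out.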
Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 actionlint
211-211: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting
(shellcheck)
211-211: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting
(shellcheck)
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (2)
- .github/not-on-master.sh (1 hunks)
- .github/workflows/build_test_deploy.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/not-on-master.sh
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
157-157: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 74-74: trailing spaces
(trailing-spaces)
[error] 97-97: trailing spaces
(trailing-spaces)
[error] 127-127: trailing spaces
(trailing-spaces)
[error] 128-128: trailing spaces
(trailing-spaces)
[error] 149-149: trailing spaces
(trailing-spaces)
[error] 195-195: trailing spaces
(trailing-spaces)
[error] 197-197: trailing spaces
(trailing-spaces)
[error] 200-200: trailing spaces
(trailing-spaces)
[error] 205-205: trailing spaces
(trailing-spaces)
[error] 220-220: trailing spaces
(trailing-spaces)
🔇 Additional comments (3)
.github/workflows/build_test_deploy.yml (3)
4-16: LGTM! Well-structured workflow triggers
The workflow triggers and debug input configuration are properly set up, providing good flexibility for CI/CD operations.
18-23: Skip comment: Security concerns already addressed
A previous review has already flagged the security concerns about running as root and suggested using OIDC for Docker Hub authentication.
26-48: Skip comment: Error handling improvements already suggested
A previous review has already suggested adding proper error handling to the frontend check commands.
🧰 Tools
🪛 yamllint
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
run: .github/not-on-master.sh yarn coverage || true |
Don't silence coverage failures
The coverage command is set to ignore failures with || true. This could hide important coverage regressions.
Consider:
- Remove the || true
- Set a minimum coverage threshold
- Make the job fail if coverage drops below the threshold
- run: .github/not-on-master.sh yarn coverage || true
+ run: |
+ set -eo pipefail
+ .github/not-on-master.sh yarn coverage
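Review bot: before dropping `|| true`, check what `.github/not-on-master.sh` returns when it skips the wrapped command on master; if the skip path exits non-zero, this change turns every master run into a failure rather than surfacing coverage regressions. `set -eo pipefail` is also mostly redundant here: unless the workflow sets `shell:`, GitHub already runs the step with `bash -e`, so the only addition is `pipefail`, which matters only if `yarn coverage` is part of a pipeline.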
Committable suggestion skipped: line range outside the PR's diff.
Actionable comments posted: 1
🧹 Outside diff range and nitpick comments (2)
.github/workflows/build_test_deploy.yml (2)
101-106: Consider caching Java dependencies more effectively.
While SBT caching is enabled, consider also caching the local Maven repository to speed up builds:
- uses: actions/setup-java@v4 with: distribution: 'temurin' java-version: '21' cache: 'sbt' + cache-dependency-path: | + **/*.sbt + project/**.scala + project/**.sbt
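Review bot: the rationale and the diff do not match. `cache-dependency-path` on `actions/setup-java` only changes which files are hashed into the cache key; it does not add the local Maven repository to what is cached, and the existing `cache: 'sbt'` already covers the sbt, ivy and coursier directories. Either drop the sentence about Maven, or, if the build really resolves through `~/.m2`, add a separate `actions/cache` step for that path.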
150-151: Optimize test execution configuration.
Consider improving the test execution:
- Add test parallelization
- Configure test output format
- Add test results reporting
- run: .github/not-on-master.sh sbt -v "testOnly backend.*" + run: | + .github/not-on-master.sh sbt -v \ + 'set Test / parallelExecution := true' \ + 'set Test / testOptions += Tests.Argument("-oDF")' \ + "testOnly backend.*" + - name: Upload test results + if: always() + uses: actions/upload-artifact@v3 + with: + name: test-results + path: target/test-reports/
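Review bot: `set Test / parallelExecution := true` is sbt's default, so it changes nothing unless build.sbt turns it off, and `Tests.Argument("-oDF")` is a ScalaTest reporter flag that is only meaningful if the backend tests run under ScalaTest; confirm the framework and that it writes to `target/test-reports/` before adding the upload step, otherwise `if: always()` uploads an empty artifact on every run. `actions/upload-artifact@v3` is also an outdated major, in line with the v3 action versions actionlint flags elsewhere in this file.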
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (2)
- .github/workflows/build_test_deploy.yml (1 hunks)
- docker-compose.yml (3 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml
81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 74-74: trailing spaces
(trailing-spaces)
[error] 97-97: trailing spaces
(trailing-spaces)
[error] 127-127: trailing spaces
(trailing-spaces)
[error] 128-128: trailing spaces
(trailing-spaces)
[error] 149-149: trailing spaces
(trailing-spaces)
[error] 178-178: trailing spaces
(trailing-spaces)
[error] 187-187: trailing spaces
(trailing-spaces)
[error] 189-189: trailing spaces
(trailing-spaces)
[error] 192-192: trailing spaces
(trailing-spaces)
[error] 197-197: trailing spaces
(trailing-spaces)
[error] 199-199: trailing spaces
(trailing-spaces)
[error] 219-219: trailing spaces
(trailing-spaces)
🔇 Additional comments (7)
docker-compose.yml (2)
106-107: Environment variable mappings need adjustment
The previous review comment about environment variable mappings is still valid. Please refer to the existing comment for detailed explanation and suggested fixes.
119-157: Document local development setup and verify GitHub Actions coverage
While commenting out these services aligns with the migration to GitHub Actions, some concerns need to be addressed:
- Local Development Impact:
  - The dev service is typically used for local development; consider keeping it uncommented or documenting an alternative local development setup
- CI Coverage:
  - Ensure all these commented-out services have equivalent workflows in GitHub Actions:
    - Compilation checks
    - Development environment
    - Backend tests
    - Linting and formatting
    - Screenshot tests
Let's verify the GitHub Actions workflow coverage:
Also applies to: 160-174, 204-213
✅ Verification successful
GitHub Actions workflows cover the commented-out services
All previously commented-out services in docker-compose.yml have corresponding GitHub Actions workflows, ensuring continuous integration remains comprehensive.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Check if all commented out services have equivalent GitHub Actions jobs
# Check for workflow files
echo "Checking .github/workflows directory for CI jobs..."
fd . .github/workflows -e yml -e yaml -x cat {} \; | grep -A 5 "jobs:"
# Look for specific job types in workflows
echo -e "\nChecking for specific job coverage..."
rg -i "compile|test|lint|format|screenshot" .github/workflows
Length of output: 3662
.github/workflows/build_test_deploy.yml (5)
4-16: LGTM! Well-structured workflow triggers with debugging support.
The workflow triggers are properly configured, and the addition of the tmate debugging option is a nice feature for troubleshooting.
18-23: Skip: Issues already addressed in past reviews.
26-48: Skip: Improvements already suggested in past reviews.
🧰 Tools
🪛 yamllint
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
51-72: Skip: Security concerns already addressed in past reviews.
🧰 Tools
🪛 yamllint
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
153-231: Skip: Docker-related improvements already suggested in past reviews.
🧰 Tools
🪛 actionlint
160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint
[error] 178-178: trailing spaces
(trailing-spaces)
[error] 187-187: trailing spaces
(trailing-spaces)
[error] 189-189: trailing spaces
(trailing-spaces)
[error] 192-192: trailing spaces
(trailing-spaces)
[error] 197-197: trailing spaces
(trailing-spaces)
[error] 199-199: trailing spaces
(trailing-spaces)
[error] 219-219: trailing spaces
(trailing-spaces)
# run: .circleci/slack-notification.sh |
🛠️ Refactor suggestion
Consider implementing GitHub Actions native Slack integration.
Instead of using the CircleCI script, implement Slack notifications using GitHub Actions:
- name: Notify Slack
if: github.ref == 'refs/heads/master'
uses: slackapi/[email protected]
with:
channel-id: 'CHANNEL_ID'
slack-message: "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
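Review bot: without `if: always() && github.ref == 'refs/heads/master'` this step is skipped whenever an earlier step fails, so the case a notification is most useful for, a failed master build, is never reported, and `${{ job.status }}` only ever reads `success` when it does run. `channel-id: 'CHANNEL_ID'` is a placeholder that has to be filled in (or read from a repository variable), and because the step receives `SLACK_BOT_TOKEN`, pin the action to a full commit SHA rather than a mutable tag.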
Co-authored-by: robert-oleynik <[email protected]>
Actionable comments posted: 3
🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)
34-37: Add yarn cache to improve CI performance
Consider using GitHub's cache action for yarn dependencies to speed up the CI pipeline.
- uses: actions/setup-node@v4 with: node-version: 18 + cache: 'yarn'
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build_test_deploy.yml
30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
76-76: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
157-157: the runner of "docker/setup-buildx-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint (1.35.1)
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 74-74: trailing spaces
(trailing-spaces)
[error] 97-97: trailing spaces
(trailing-spaces)
[error] 127-127: trailing spaces
(trailing-spaces)
[error] 128-128: trailing spaces
(trailing-spaces)
[error] 149-149: trailing spaces
(trailing-spaces)
[error] 178-178: trailing spaces
(trailing-spaces)
[error] 188-188: trailing spaces
(trailing-spaces)
[error] 190-190: trailing spaces
(trailing-spaces)
[error] 193-193: trailing spaces
(trailing-spaces)
[error] 198-198: trailing spaces
(trailing-spaces)
[error] 200-200: trailing spaces
(trailing-spaces)
[error] 220-220: trailing spaces
(trailing-spaces)
🔇 Additional comments (5)
.github/workflows/build_test_deploy.yml (5)
18-23: Security: Critical configuration issues need attention
- Running as root user is a security risk
- Consider using GitHub's OIDC for Docker Hub authentication
62-64: Security: Use secrets for database credentials
Database credentials should not be hardcoded in the workflow file.
119-126: Uncomment and fix database validation steps
The commented-out database validation steps are critical for ensuring schema integrity.
233-234: Don't silence coverage failures
The coverage command ignores failures with || true, which could hide important coverage regressions.
41-48: 🛠️ Refactor suggestion
Add error handling to frontend checks
The check commands should fail fast if any check fails.
- name: Lint frontend code and check formatting
- run: yarn run check-frontend
+ run: |
+ set -euo pipefail
+ yarn run check-frontend
- name: Typecheck frontend code
- run: yarn typecheck
+ run: |
+ set -euo pipefail
+ yarn typecheck
- name: Check for cyclic dependencies in frontend
- run: yarn check-cyclic-dependencies
+ run: |
+ set -euo pipefail
+ yarn check-cyclic-dependencies
Likely invalid or redundant comment.
uses: nick-invision/retry@v2 | ||
with: | ||
timeout_minutes: 10 | ||
max_attempts: 3 | ||
command: | | ||
docker compose push webknossos | ||
docker compose push webknossos-datastore | ||
docker compose push webknossos-tracingstore | ||
if [[ ${{ github.ref_type }} == "branch" ]]; then | ||
docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-datastore:${DOCKER_TAG} scalableminds/webknossos-datastore:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-datastore:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-tracingstore:${DOCKER_TAG} scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH} | ||
docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${NORMALIZED_BRANCH} | ||
retry docker push scalableminds/webknossos-dev:${NORMALIZED_BRANCH} | ||
fi | ||
docker logout |
🛠️ Refactor suggestion
Improve Docker push retry logic
The Docker push steps could be optimized:
- Use GitHub's retry action consistently
- Add proper error handling
- Use proper quoting in shell commands
command: |
+ set -euo pipefail
docker compose push webknossos
docker compose push webknossos-datastore
docker compose push webknossos-tracingstore
if [[ ${{ github.ref_type }} == "branch" ]]; then
- docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH}
+ docker tag "scalableminds/webknossos:${DOCKER_TAG}" "scalableminds/webknossos:${NORMALIZED_BRANCH}"
# Similar fixes for other docker commands
fi
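Review bot: inside the `nick-invision/retry` `command:` block the branch-tagging lines still call `retry docker push …`, but the shell `retry()` function from the earlier revision no longer exists in this step, so every branch build fails with `retry: command not found` (and, with `set -euo pipefail` added, aborts there); drop the `retry` prefix, the action already retries the whole block. Because the block is one retry unit, a failure on the last push re-runs every `docker compose push` from the top, which is acceptable only because pushes are idempotent; `docker logout` also never runs on the failure path, so consider moving it to a separate `if: always()` step.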
Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 yamllint (1.35.1)
[error] 220-220: trailing spaces
(trailing-spaces)
inputs: | ||
debug_enabled: | ||
type: boolean | ||
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)' | ||
required: false | ||
default: false |
💡 Codebase verification
Restrict debug access and protect sensitive data
The workflow contains several security concerns that need to be addressed:
- The workflow_dispatch trigger has no permission restrictions, allowing any user with repository access to enable debugging
- The tmate debugging session has no timeout configured
- The workflow exposes sensitive environment variables and credentials:
  - Database credentials (POSTGRES_PASSWORD)
  - Docker credentials (DOCKER_USER, DOCKER_PASS)
  - These are visible in logs and to anyone with debug access
Recommendations:
- Add a permissions field to restrict who can trigger workflow_dispatch
- Configure the tmate timeout using timeout-minutes
- Move sensitive values to GitHub Actions secrets
- Use secret masking for all credential environment variables
- Add a job-level timeout to limit the maximum debug session duration
🔗 Analysis chain
Review debug access controls
The tmate debugging option could potentially expose sensitive information. Consider:
- Limiting the workflow_dispatch trigger to specific user roles
- Adding a timeout for debug sessions
- Documenting security implications in the workflow
Based on the search results, there are numerous files containing sensitive information like passwords, tokens, secrets, and credentials. Let me analyze the workflow file further to provide specific recommendations.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Check if there are any sensitive files that might be exposed during debug
rg -g '!.git' -l '(?i)(password|secret|key|token|credential)' || echo "No sensitive files found"
Length of output: 36548
Script:
#!/bin/bash
# Check if there are any environment variables or secrets used in the workflow
rg -g '.github/workflows/build_test_deploy.yml' '(?i)(secret|token|password|credential|key)'
# Check if there are any security controls on the workflow_dispatch trigger
cat .github/workflows/build_test_deploy.yml
Length of output: 8697
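A gated, time-boxed form of the debug step the comment above asks for, as an added example that is not part of the PR or the webknossos workflow. It keeps the PR's `debug_enabled` input and assumes the mxschmitt/action-tmate action; the maintainer logins and the placeholder build step are assumptions.

```yaml
# Added example, not the PR's workflow: a gated, time-boxed tmate debug step.
# Assumes the PR's workflow_dispatch input `debug_enabled` and the
# mxschmitt/action-tmate action; the maintainer logins are placeholders.
on:
  pull_request:
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: boolean
        description: 'Run the build with tmate debugging enabled'
        required: false
        default: false

# `permissions` scopes the job's GITHUB_TOKEN; it does not control who may
# dispatch the workflow, so keep it at least privilege here and gate the
# debug step separately below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Hard upper bound for the whole job, so a forgotten session cannot keep
    # the runner, and the secrets loaded into it, alive indefinitely.
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4

      - name: Open tmate debug session
        # Only on a manual run that asked for it, and only for listed
        # maintainers; github.actor is the user who clicked "Run workflow".
        if: >-
          github.event_name == 'workflow_dispatch' &&
          inputs.debug_enabled &&
          contains(fromJSON('["maintainer-one", "maintainer-two"]'), github.actor)
        uses: mxschmitt/action-tmate@v3
        # Step-level cap on the session itself, independent of the job cap.
        timeout-minutes: 15
        with:
          # Only SSH keys registered on the actor's GitHub account can connect.
          limit-access-to-actor: true
          # Let the remaining steps run while the session stays open.
          detached: true

      - name: Build
        run: echo "real build steps go here"  # placeholder for the PR's build steps
```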
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: robert-oleynik <[email protected]>
Actionable comments posted: 2
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (1)
- .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build_test_deploy.yml
30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
76-76: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
157-157: the runner of "docker/setup-buildx-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting
(shellcheck)
🪛 yamllint (1.35.1)
.github/workflows/build_test_deploy.yml
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
[warning] 59-59: wrong indentation: expected 6 but found 8
(indentation)
[error] 74-74: trailing spaces
(trailing-spaces)
[error] 97-97: trailing spaces
(trailing-spaces)
[error] 127-127: trailing spaces
(trailing-spaces)
[error] 128-128: trailing spaces
(trailing-spaces)
[error] 149-149: trailing spaces
(trailing-spaces)
[error] 178-178: trailing spaces
(trailing-spaces)
[error] 189-189: trailing spaces
(trailing-spaces)
[error] 191-191: trailing spaces
(trailing-spaces)
[error] 194-194: trailing spaces
(trailing-spaces)
[error] 199-199: trailing spaces
(trailing-spaces)
[error] 201-201: trailing spaces
(trailing-spaces)
[error] 221-221: trailing spaces
(trailing-spaces)
🔇 Additional comments (9)
.github/workflows/build_test_deploy.yml (9)
18-23: Critical security improvements needed
Several security concerns need to be addressed:
- Running as root user is a security risk
- Consider using GitHub's OIDC for Docker Hub authentication
Apply these security improvements:
env:
- USER_NAME: root
+ USER_NAME: webknossos
USER_UID: 1000
USER_GID: 1000
- DOCKER_USER: ${{ secrets.DOCKER_USER }}
- DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
+permissions:
+ id-token: write
+ contents: read
Then update the Docker login step to use OIDC:
- uses: docker/login-action@v2
with:
registry: docker.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
34-39: 🛠️ Refactor suggestion
Add yarn cache to improve CI performance
- uses: actions/setup-node@v4
with:
node-version: 18
+ cache: 'yarn'
+
+ - name: Get yarn cache directory path
+ id: yarn-cache-dir-path
+ run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+ - uses: actions/cache@v3
+ id: yarn-cache
+ with:
+ path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+ key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-yarn-
- name: Install frontend dependencies
run: corepack enable && yarn install --immutable
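Review bot: this adds the same cache twice. `cache: 'yarn'` on `actions/setup-node` already saves and restores the yarn cache folder keyed on `yarn.lock`, so the extra `yarn config get cacheFolder` plus `actions/cache@v3` steps restore the same directory a second time and only cost time; keep one of the two. If the manual step is kept, quote the redirect (`>> "$GITHUB_OUTPUT"`, the same SC2086 class actionlint reports elsewhere in this file) and bump `actions/cache` from v3 in line with the other v3-to-v4 updates actionlint asks for.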
41-48: 🛠️ Refactor suggestion
Add error handling to frontend checks
- name: Lint frontend code and check formatting
- run: yarn run check-frontend
+ run: |
+ set -euo pipefail
+ yarn run check-frontend
- name: Typecheck frontend code
- run: yarn typecheck
+ run: |
+ set -euo pipefail
+ yarn typecheck
- name: Check for cyclic dependencies in frontend
- run: yarn check-cyclic-dependencies
+ run: |
+ set -euo pipefail
+ yarn check-cyclic-dependencies
62-64: Use secrets for database credentials
env:
- POSTGRES_URL: jdbc:postgresql://postgres/webknossos
- POSTGRES_USER: webknossos_user
- POSTGRES_PASSWORD: secret_password
+ POSTGRES_URL: ${{ secrets.POSTGRES_URL }}
+ POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+ POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
71-72: Restrict PostgreSQL port exposure
ports:
- - 5432:5432
+ - 127.0.0.1:5432:5432
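Review bot: the job reaches the database by service hostname (`jdbc:postgresql://postgres/webknossos`), which goes over the Docker network the runner creates for service containers, so the host port mapping is unused and the right fix is to drop the `ports:` block rather than narrow it to `127.0.0.1`. The one caveat: if this job runs directly on the runner VM instead of in a container, the hostname `postgres` does not resolve and only `localhost:5432` via the mapping works, so confirm which of the two applies before removing it.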
80-90: Fix shell script quoting issues
- name: "Custom environment variables"
run: |
if [[ ${{ github.ref_type }} == "branch" ]]; then
- NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
- echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
+ NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
+ echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
- echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+ echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"
else
- echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
- echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+ echo "NORMALIZED_BRANCH=master" >> "${GITHUB_ENV}"
+ echo "DOCKER_TAG=${{ github.ref_name }}" >> "${GITHUB_ENV}"
fi
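Review bot: quoting does not close the real problem in this script, which is that `${{ github.ref_name }}` is expanded by the Actions runner into the script text before bash ever runs, so a branch name containing `"`, `$(` or `;` (all legal in git ref names) becomes shell code executed with the job's environment, including `DOCKER_PASS`. Pass the value through `env:` and reference it as a shell variable instead, which is immune to the content of the name:

```
env:
  REF_NAME: ${{ github.ref_name }}
run: NORMALIZED_BRANCH=$(printf '%s' "$REF_NAME" | sed 's/[\/-]/_/g')
```

The same applies to the `DOCKER_TAG=${{ github.ref_name }}` line in the `else` branch; `${{ github.ref_type }}` is safe as it can only be `branch` or `tag`.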
🧰 Tools
🪛 actionlint (1.7.4)
81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting
(shellcheck)
81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting
(shellcheck)
119-126:
Uncomment and fix database validation steps
These commented-out steps are critical for ensuring database schema integrity.
- # - name: Assert unique evolution numbers
- # run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
+ - name: Assert unique evolution numbers
+ run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
- # - name: Assert schema.sql and evolutions are equal
- # run: |
- # docker compose up -d postgres
- # sleep 3
- # docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
+ - name: Assert schema.sql and evolutions are equal
+ run: |
+ docker compose up -d postgres
+ until docker compose exec -T postgres pg_isready; do
+ echo "Waiting for postgres..."
+ sleep 1
+ done
+ docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
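Review bot: the `until ... pg_isready` loop has no upper bound; if the postgres container fails to start (bad image, port clash, a broken evolution that crashes it), the step spins until the job-level timeout and burns runner minutes without a useful error. Bound it, e.g. `for i in $(seq 1 30); do docker compose exec -T postgres pg_isready && break; sleep 1; done` followed by a final `pg_isready || exit 1`, so the failure surfaces within seconds with the container logs still fresh.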
234-235:
Don't silence coverage failures
- run: .github/not-on-master.sh yarn coverage || true
+ run: |
+ set -eo pipefail
+ .github/not-on-master.sh yarn coverage
Consider:
- Setting a minimum coverage threshold
- Making the job fail if coverage drops below the threshold
- Using a coverage reporting action to track trends
237-238: 🛠️ Refactor suggestion
Implement GitHub Actions native Slack integration
Replace the CircleCI script with GitHub Actions native Slack integration:
- name: Notify Slack
if: github.ref == 'refs/heads/master'
uses: slackapi/[email protected]
with:
channel-id: 'CHANNEL_ID'
slack-message: "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
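Review bot: with `if: github.ref == 'refs/heads/master'` alone this step is skipped whenever an earlier step fails, which is precisely the case the notification is for; the condition needs `always() && github.ref == 'refs/heads/master'` so `${{ job.status }}` can actually report `failure`. Since the step receives `SLACK_BOT_TOKEN`, pin the action to a full commit SHA (`uses: slackapi/slack-github-action@<full sha> # vX.Y.Z`) rather than a mutable tag, the same treatment the other third-party actions in this workflow should get.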
static_frontend_code_checks: | ||
runs-on: ubuntu-24.04 | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 5 No newline at end of file | ||
fetch-depth: 5 | ||
|
Update checkout action version
The actions/checkout@v3
action is outdated.
- name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
fetch-depth: 5
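Review bot: bumping the major is the right fix for the actionlint finding, but for a workflow that holds registry and Slack credentials the stronger control is pinning every third-party action to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<full sha> # v4`); a tag can be moved, a SHA cannot, and Dependabot keeps SHA pins current.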
🧰 Tools
🪛 actionlint (1.7.4)
30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 yamllint (1.35.1)
[warning] 29-29: wrong indentation: expected 6 but found 4
(indentation)
push: | ||
branches: | ||
- master | ||
pull_request: | ||
branches: | ||
- '*' | ||
workflow_dispatch: | ||
inputs: | ||
debug_enabled: | ||
type: boolean | ||
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)' | ||
required: false | ||
default: false |
Enhance security controls for debugging access
The workflow_dispatch trigger with debugging capabilities needs additional security controls:
- Add permissions to restrict who can trigger the workflow
- Configure timeout for debug sessions
- Protect sensitive data during debug sessions
Add these security controls:
name: CI Pipeline
on:
push:
branches:
- master
pull_request:
branches:
- '*'
workflow_dispatch:
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
required: false
default: false
+permissions:
+ actions: write
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
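Review bot: the added `permissions:` block scopes the job's `GITHUB_TOKEN`; it does not restrict who may trigger `workflow_dispatch`, which is governed by repository write access and, for jobs bound to an `environment:`, by that environment's required reviewers. `actions: write` also widens the token beyond what a build needs (it allows cancelling runs and deleting artifacts); `contents: read` alone covers checkout. To gate the debug shell, put the tmate step behind an environment with required reviewers and set the action's `limit-access-to-actor: true` input so only the triggering user's SSH keys can attach. Separately, `cancel-in-progress: true` keyed on `github.ref` will abort an in-flight master build, and with it the image push, whenever a second commit lands; consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`.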
- name: Start webknossos, datastore, and tracingstore | ||
run: | | ||
mkdir -p fossildb/data && chown -R 999:999 fossildb/data |
mkdir -p fossildb/data && chown -R 999:999 fossildb/data | |
id -u | |
ls -al fossildb | |
mkdir -p fossildb/data && chown -R 999:999 fossildb/data |
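Review bot: `id -u` and `ls -al fossildb` are diagnostic output and should be removed before merge rather than left in the start step. If `chown -R 999:999` is there to hand the data directory to the uid the fossildb container runs as, a one-line comment saying so would stop the next reader from treating the hard-coded ids as a leftover.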
PR converts CircleCI config to Github Actions.
I wanted to see 1) how quick/slow GA is compared to CircleCI and 2) consolidate all CI jobs in GA to have one less service to rely upon. GA also has pretty nice Slack integration.