Skip to content

ci: build agentwatch-landing, and run the Docker build on pull requests(Closes #608)#621

Closed
SakethSumanBathini wants to merge 1 commit into
sreerevanth:mainfrom
SakethSumanBathini:ci/close-build-coverage-gaps
Closed

ci: build agentwatch-landing, and run the Docker build on pull requests(Closes #608)#621
SakethSumanBathini wants to merge 1 commit into
sreerevanth:mainfrom
SakethSumanBathini:ci/close-build-coverage-gaps

Conversation

@SakethSumanBathini

@SakethSumanBathini SakethSumanBathini commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

(Closes #608)

Two gaps in CI coverage, same underlying shape: things that can break silently because nothing
builds them.

agentwatch-landing was never built

CI runs python-lint, python-tests, integration-tests, frontend-build, docker-build and
security. None of them touch agentwatch-landing/.

It's a full Next.js application with its own package.json and lockfile, and it was never
installed, never built and never type-checked by any workflow. A dependency break or a type error
landed silently, and the first person to find out was whoever deployed. frontend/ has had a build
job all along, so the asymmetry looked accidental rather than deliberate.

The new landing-build job mirrors frontend-build, with one difference: no separate
type-check step. Unlike frontend, the landing app declares no type-check script in
package.json — and doesn't need a standalone one, because next build runs its own TypeScript
phase as part of the build:

✓ Compiled successfully in 1541ms
✓ Finished TypeScript in 1882ms

Confirmed locally: npm ci succeeds, and the build above is the first successful build this app
has had
, as far as CI history shows. It's healthy — it's simply been running unprotected.

The Docker build never ran on a pull request

if: github.event_name == 'push' && github.ref == 'refs/heads/main'

So the images were only built after a change had already merged. A pull request touching
Dockerfile.api got no Docker build at all, which means a broken Dockerfile could only be
discovered on main — at which point it's everyone's problem rather than the author's.

Now it runs on pull requests too, so it's a gate rather than a post-mortem. The cost is modest: both
builds already use the Actions layer cache (cache-from: type=gha), so unchanged layers are pulled
rather than rebuilt.

This one matters immediately: I have a follow-up PR hardening Dockerfile.api (non-root user,
multi-stage build, no build tooling in the runtime image). Without this change, that PR would be
completely unverifiable by CI — it would land unchecked. With it, CI builds the image on the PR
itself and proves it works before anyone merges it.

Summary by CodeRabbit

  • Chores
    • Added automated build validation for the landing page application.
    • Docker builds now run for pull requests as well as pushes to the main branch.
    • Docker builds wait for both frontend and landing page builds to complete.
    • Simplified dependency security scanning while continuing to report known vulnerabilities without blocking the workflow.

@vercel

vercel Bot commented Jul 12, 2026

Copy link
Copy Markdown

@SakethSumanBathini is attempting to deploy a commit to the sreerevanth's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The CI workflow adds a dedicated landing application build, makes Docker builds run for pull requests after both frontend builds, and simplifies dependency auditing by installing the crypto extra before running pip-audit.

Changes

CI workflow changes

Layer / File(s) Summary
Landing and Docker build flow
.github/workflows/ci.yml
Adds the landing-build job and makes docker-build depend on it and run for pull requests.
Dependency security audit
.github/workflows/ci.yml
Installs the crypto extra and runs pip-audit --desc directly.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related issues

  • Issue 609 — Directly proposes the landing-build CI job implemented by this change.

Poem

A rabbit hops through CI’s bright lane,
Landing builds now join the train.
Docker waits till checks are done,
Audits scan beneath the sun.
“Hop, hop!” says Bunny, “Clean builds won!”

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning [ #608 ] The PR updates .github/workflows/ci.yml, but the linked issue requires adding a .gitattributes file for LF and binary handling. Add a .gitattributes file with text=auto eol=lf, *.sh text eol=lf, and binary rules for PNG, JPG, and ICO files.
Out of Scope Changes check ⚠️ Warning The change set is a CI workflow update and does not address the requested .gitattributes fix for Windows line-ending churn. Split the CI workflow changes into a separate PR and add the .gitattributes changes requested in #608.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the CI workflow changes for the landing build and Docker builds on pull requests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

154-154: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Set persist-credentials: false on the checkout step.

The actions/checkout@v4 step persists the GitHub token in local Git config by default. Since landing-build doesn't need to push or perform authenticated Git operations after checkout, disabling credential persistence reduces exposure if the runner environment is compromised.

🔒️ Proposed fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 154, Update the actions/checkout@v4 step in
the landing-build job to set persist-credentials to false, leaving the rest of
the checkout configuration unchanged.

Source: Linters/SAST tools


147-168: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add a permissions: block to landing-build for least-privilege.

The new landing-build job inherits the default (or broad) token permissions because no permissions: block is declared. Since this job only builds and doesn't publish artifacts or call authenticated APIs, it should use read-only permissions.

🔒️ Proposed fix
   landing-build:
     name: Landing Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     defaults:
       run:
         working-directory: agentwatch-landing
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 147 - 168, Add a job-level permissions
block to the landing-build job, granting only read-only repository contents
access needed by actions/checkout and leaving all other token permissions
disabled. Keep the existing build steps and environment unchanged.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 174: Update the docker-build job’s needs configuration to include
landing-build alongside python-tests and frontend-build, ensuring docker-build
waits for and is blocked by a failing landing-build.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 154: Update the actions/checkout@v4 step in the landing-build job to set
persist-credentials to false, leaving the rest of the checkout configuration
unchanged.
- Around line 147-168: Add a job-level permissions block to the landing-build
job, granting only read-only repository contents access needed by
actions/checkout and leaving all other token permissions disabled. Keep the
existing build steps and environment unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9a65dc68-28df-4ffe-b7e5-00cf9d69909d

📥 Commits

Reviewing files that changed from the base of the PR and between 9559520 and 614e4a4.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
docker-build:
name: Docker Build
runs-on: ubuntu-latest
needs: [python-tests, frontend-build]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

docker-build does not wait for landing-build.

The PR summary and stack context state that docker-build should wait for landing-build, but the needs array only lists python-tests and frontend-build. This means a failing landing-build won't block docker-build, and the new landing CI coverage isn't acting as a gate for the Docker build step.

🔧 Proposed fix
-    needs: [python-tests, frontend-build]
+    needs: [python-tests, frontend-build, landing-build]
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
needs: [python-tests, frontend-build]
needs: [python-tests, frontend-build, landing-build]
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 174, Update the docker-build job’s needs
configuration to include landing-build alongside python-tests and
frontend-build, ensuring docker-build waits for and is blocked by a failing
landing-build.

@github-actions

Copy link
Copy Markdown
Contributor

🧪 PR Test Results

Check Result
Tests (pytest tests/) ✅ success
Lint (ruff check .) ❌ failure
Coverage (agentwatch) 74.70%

Python 3.12 · commit 614e4a4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[CHORE] Add .gitattributes to stop CRLF churn on Windows

1 participant