feat: Add release workflows to publish plugin binaries and image.#24
Conversation
# Conflicts: # plugins/out_clp_s3/Dockerfile
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/binaries.yml:
- Around line 35-39: The workflow currently pipes downloads directly into tar/sh
(the commands "curl -fsSL \"https://go.dev/dl/go1.24.linux-${{ matrix.arch
}}.tar.gz\" | tar -C /usr/local -xz" and "curl -fsSL
https://taskfile.dev/install.sh | sh -s -- -d -b /usr/local/bin"), which is
unauthenticated; change these steps to first download the files to disk, fetch
the corresponding checksum/signature files (and GPG keys if available), verify
the downloaded artifacts (e.g., sha256sum or gpg --verify) and fail the job on
mismatch, then extract/install from the verified local copy; ensure commands and
step names reflect the verification (download Go tarball + checksum/signature,
verify, then tar -C /usr/local -xz on the verified file; download Task installer
+ checksum/signature, verify, then run sh on the verified installer).
- Around line 50-55: The "Upload to release" step uses the gh CLI command gh
release upload which errors if the asset already exists; update the step that
runs gh release upload in the workflow to include the --clobber flag so the
command replaces any existing asset on reruns (locate the step named "Upload to
release" and modify the gh release upload invocation to add --clobber).
- Line 23: Replace the mutable tag "actions/checkout@v6" with a pinned commit
SHA for actions/checkout and add the checkout input persist-credentials: false;
specifically update the checkout step that currently uses "actions/checkout@v6"
to use "actions/checkout@<commit-sha>" and include persist-credentials: false in
that step to prevent persisted Git credentials being mounted into the build
container.
In @.github/workflows/image.yml:
- Line 23: Replace mutable action tags with exact commit SHAs for each
third-party action referenced (actions/checkout, docker/setup-buildx-action,
docker/login-action, docker/metadata-action, docker/build-push-action) so they
are pinned to immutable revisions, and add persist-credentials: false to the
actions/checkout step to disable credential persistence; update the workflow
entries that currently use actions/checkout@v6, docker/setup-buildx-action@v3,
docker/login-action@v3, docker/metadata-action@v5, and
docker/build-push-action@v6 to their corresponding commit SHAs and ensure the
checkout step includes persist-credentials: false.
In `@plugins/out_clp_s3/README.md`:
- Around line 18-20: The fenced code blocks in README.md (the triple-backtick
blocks shown in the diff) are missing required blank lines before and after each
fence which triggers MD031 lint warnings; edit the README.md to add one empty
line immediately before each opening ``` and one empty line immediately after
each closing ``` for all occurrences (the blocks shown around the curl example
and the other fenced blocks referenced) so every fenced code block is surrounded
by a blank line.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 636ec32f-8f40-417a-a0f6-fbfd63e6f6e6
📒 Files selected for processing (5)
.github/workflows/binaries.yml.github/workflows/image.yml.github/workflows/release.ymlplugins/out_clp_s3/Dockerfileplugins/out_clp_s3/README.md
This reverts commit b5754a1.
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/image.yml (1)
22-27: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winSerialise image publishing runs.
When
pushis enabled, concurrent runs can race while updating shared tags such aslatest, leaving the registry with an unintended image. Add a concurrency group keyed by the ref or image and retain completed release runs.Suggested change
+concurrency: + group: image-${{ github.ref }} + cancel-in-progress: false + jobs: build:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/image.yml around lines 22 - 27, Add a concurrency configuration to the image publishing workflow’s build job, keyed by the relevant ref or image identifier so concurrent pushes serialize while preserving completed release runs. Keep the existing permissions and build steps unchanged.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/binaries.yml:
- Around line 55-60: Update the “Upload to release” step to pass
inputs.release_tag through a dedicated environment variable, then reference that
variable in the gh release upload command instead of directly expanding the
input in run. Preserve the existing release condition, repository, archive name,
and clobber behavior.
---
Outside diff comments:
In @.github/workflows/image.yml:
- Around line 22-27: Add a concurrency configuration to the image publishing
workflow’s build job, keyed by the relevant ref or image identifier so
concurrent pushes serialize while preserving completed release runs. Keep the
existing permissions and build steps unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 129a5257-7313-4327-b958-918854179da1
📒 Files selected for processing (4)
.github/workflows/binaries.yml.github/workflows/image.yml.gitmodulestools/yscope-dev-utils
Description
Adds GitHub Actions to build and publish the out_clp_s3 plugin:
releases.
local build) plus minor cleanups.
Checklist
breaking change.
Validation
Testing binary and image workflows worked. but will need to wait to release to test release workflow that publishes images
Summary by CodeRabbit
New Features
Bug Fixes
Documentation