Skip to content

fix: Update AWS SDK dependencies and improve signal handling in SSM manager#150

Merged
ditahkk merged 6 commits into
mainfrom
issues/149-sig-bug
Dec 28, 2025
Merged

fix: Update AWS SDK dependencies and improve signal handling in SSM manager#150
ditahkk merged 6 commits into
mainfrom
issues/149-sig-bug

Conversation

@ditahkk

@ditahkk ditahkk commented Dec 28, 2025

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • New Features

    • RDS management CLI (list/start/stop/reboot) and RDS client support; SSM-based SSH, SSH-config generation, and RDP tunneling. New macOS/Linux and Windows installers.
  • Bug Fixes

    • Signal forwarding improved so Ctrl+C targets subprocesses (sessions/port-forwards) without terminating the main process.
  • Tests

    • Comprehensive unit tests for RDS and SSM SSH/SSH-config/RDP commands.
  • Chores

    • Large dependency upgrades, CI/workflow restructuring, new formatting target, and extensive documentation/tooling updates.

✏️ Tip: You can customize this high-level summary in your review settings.

@ditahkk ditahkk self-assigned this Dec 28, 2025
@ditahkk ditahkk linked an issue Dec 28, 2025 that may be closed by this pull request
@coderabbitai

coderabbitai Bot commented Dec 28, 2025

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Adds RDS CLI commands and implementations, SSM SSH/SSH‑config/RDP features, extends ClientPool with an RDS client, forwards parent SIGINT/SIGTERM to AWS CLI subprocesses in SSM manager, upgrades many Go module dependencies, and adds comprehensive unit tests for RDS and SSM SSH behaviors.

Changes

Cohort / File(s) Summary
Dependency updates
ztictl/go.mod
Large dependency bumps: AWS SDK v2 (added rds), smithy-go, spf13/cobra, golang.org/x/*, gdamore/tcell/v2, github.com/rivo/uniseg, and many transitive/internal version updates.
SSM manager (signal handling)
ztictl/internal/ssm/manager.go
Install signal handlers in parent to ignore SIGINT/SIGTERM and forward them to AWS CLI subprocesses in StartSession and ForwardPort.
Client pool (RDS)
ztictl/internal/ssm/client_pool.go
Add RDS client to internal clientSet and expose GetRDSClient(ctx, region) accessor on ClientPool.
SSM CLI features & wiring
ztictl/cmd/ztictl/ssm.go, ztictl/cmd/ztictl/ssm_ssh.go, ztictl/cmd/ztictl/ssm_ssh_test.go
Register ssm ssh, ssm ssh-config, and ssm rdp; implement SSM-based ProxyCommand, SSH-config generation/append, port-forwarding, cross-platform RDP launch, and unit tests covering behavior and flags.
RDS CLI wiring & logic
ztictl/cmd/ztictl/rds.go, ztictl/cmd/ztictl/rds_power.go, ztictl/cmd/ztictl/rds_test.go
Add rds command with list, start, stop, reboot subcommands; implement RDS client usage, status polling (--wait), colorized status output, and tests validating CLI behavior and flags.
SSM help text / registration
ztictl/cmd/ztictl/ssm.go
Expand SSM long help and register new subcommands (ssh, ssh-config, rdp).
CI/workflows & tooling
.github/workflows/*, Makefile, ztictl/Makefile, .prettierrc, .prettierignore
Rework CI into path-gated jobs, update Go toolchain and release flow, add fmt target and auto-versioning in Makefiles, add Prettier config/ignore.
Docs, tests & scripts
docs/**, CHANGELOG.md, RELEASE_NOTES.md, scripts/install.*, tests/**
Large documentation updates, new installers (bash + PowerShell), QA/test docs, changelog/release notes edits; mostly formatting/content additions.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User
  participant CLI as ztictl (process)
  participant Pool as ClientPool
  participant SSM as AWS SSM
  participant Sub as aws-cli / ssh / rdp

  User->>CLI: ztictl ssm ssh <instance>
  CLI->>Pool: GetSSMClient(ctx, region)
  Pool-->>CLI: SSM client
  CLI->>SSM: StartSession API (StartSSHSession)
  SSM-->>CLI: session payload / proxy details
  CLI->>Sub: spawn ssh subprocess with ProxyCommand
  Note right of CLI: parent ignores SIGINT/SIGTERM and forwards them to subprocess
  User->>Sub: Ctrl+C
  Sub->>CLI: subprocess exits
  CLI->>SSM: cleanup / close session
  Sub-->>User: ssh exits
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • elvisnk
  • elvisnkamo
  • godsonten

Poem

🐰 Hop-hop, new clients join the burrow,
I stitch up SSH and RDS in a furrow,
Signals hop past, no session to break,
Docs and tests baked like carrot cake,
I nibble keys — the CLI springs to wake!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 26.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately captures the two main changes: AWS SDK dependency updates and signal handling improvements in the SSM manager.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch issues/149-sig-bug

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
ztictl/internal/ssm/manager.go (1)

408-413: Critical: Same signal handling issue as in StartSession.

This code has the identical problem as lines 137-142. signal.Notify() alone does not prevent default signal handling. Please apply the same fix here.

🔎 Recommended fix
-	// Ignore SIGINT in the parent process so it passes through to the AWS CLI subprocess.
-	// This fixes Ctrl+C handling in WSL2/Windows Terminal where the signal would otherwise
-	// kill the parent Go process and disconnect the port forwarding session.
-	sigChan := make(chan os.Signal, 1)
-	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
-	defer signal.Stop(sigChan)
+	// Ignore SIGINT/SIGTERM in the parent process so they pass through to the AWS CLI subprocess.
+	// This fixes Ctrl+C handling in WSL2/Windows Terminal where the signal would otherwise
+	// kill the parent Go process and disconnect the port forwarding session.
+	signal.Ignore(syscall.SIGINT, syscall.SIGTERM)
+	defer signal.Reset(syscall.SIGINT, syscall.SIGTERM)
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d8c087 and 447ac52.

⛔ Files ignored due to path filters (1)
  • ztictl/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • ztictl/go.mod
  • ztictl/internal/ssm/manager.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Test Go Code (macos-latest)
  • GitHub Check: Test Go Code (windows-latest)
  • GitHub Check: Test Go Code (ubuntu-latest)
🔇 Additional comments (2)
ztictl/go.mod (2)

20-20: spf13/cobra v1.10.2 is a valid stable release. The version exists and includes standard maintenance work (CI/linter fixes, YAML migration, refactors). No action required.


8-16: No issues found. All AWS SDK v2 versions (v1.41.0 and related service packages) are legitimate releases from AWS with no known security advisories.

Comment thread ztictl/internal/ssm/manager.go
- Updated go.mod to include the RDS service from AWS SDK v2.
- Modified client_pool.go to initialize and expose an RDS client in the ClientPool struct.
- Added a new method GetRDSClient to retrieve the RDS client from the pool.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (6)
ztictl/cmd/ztictl/ssm_ssh_test.go (1)

62-118: Tests create mock commands instead of testing actual command implementation.

The test creates a new cobra.Command with mocked Run function instead of testing ssmSSHCmd directly. While this tests the expected behavior, it doesn't verify that the actual command has the correct Args validator set. Consider testing the actual command's Execute method or at minimum verify that ssmSSHCmd.Args behaves correctly (which you do in TestSsmSSHCmdStructure).

ztictl/cmd/ztictl/rds_power.go (3)

126-130: Consider reusing ClientPool across commands.

A new ClientPool is created for each command invocation. For a CLI tool, this is acceptable, but if performance becomes a concern, consider making the pool a package-level singleton or passing it via context.


287-316: waitForRDSStatus doesn't respect context cancellation during polling.

The function uses time.Sleep which doesn't respond to context cancellation. If the user presses Ctrl+C during the wait, the function won't exit until the current sleep completes.

🔎 Proposed fix to respect context cancellation
 func waitForRDSStatus(ctx context.Context, rdsClient *rds.Client, dbIdentifier, targetStatus string) error {
 	maxWait := 30 * time.Minute
 	pollInterval := 30 * time.Second
 	deadline := time.Now().Add(maxWait)
+	ticker := time.NewTicker(pollInterval)
+	defer ticker.Stop()
 
 	for time.Now().Before(deadline) {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
 		resp, err := rdsClient.DescribeDBInstances(ctx, &rds.DescribeDBInstancesInput{
 			DBInstanceIdentifier: aws.String(dbIdentifier),
 		})
 		if err != nil {
 			return fmt.Errorf("failed to check instance status: %w", err)
 		}
 
 		if len(resp.DBInstances) == 0 {
 			return fmt.Errorf("instance %s not found", dbIdentifier)
 		}
 
 		status := aws.ToString(resp.DBInstances[0].DBInstanceStatus)
 		fmt.Printf("  Current status: %s\n", status)
 
 		if status == targetStatus {
 			return nil
 		}
 
-		time.Sleep(pollInterval)
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
 	}
 
 	return fmt.Errorf("timeout waiting for instance to reach %s status", targetStatus)
 }

150-166: Consider using a table writer for cleaner output formatting.

The manual fmt.Printf with fixed-width formatting may misalign if values exceed the column widths. Consider using a tabwriter or ensuring endpoint strings are truncated.

ztictl/cmd/ztictl/ssm_ssh.go (2)

369-375: Hardcoded /u:Administrator may not be appropriate for all Windows instances.

The xfreerdp command hardcodes the Administrator username, which may not be the desired user for all Windows instances. Consider making this configurable or omitting it to let the user enter credentials.

🔎 Proposed fix to make username configurable or remove hardcoding
-		if _, err := exec.LookPath("xfreerdp"); err == nil {
-			cmd = exec.Command("xfreerdp", fmt.Sprintf("/v:localhost:%d", port), "/u:Administrator")
+		if _, err := exec.LookPath("xfreerdp"); err == nil {
+			cmd = exec.Command("xfreerdp", fmt.Sprintf("/v:localhost:%d", port))
 		} else if _, err := exec.LookPath("rdesktop"); err == nil {

Alternatively, add a --rdp-user flag to the RDP command and pass it through.


217-221: Duplicate detection uses simple string matching.

The check strings.Contains(string(existingConfig), fmt.Sprintf("Host %s\n", name)) could have false positives if the name appears as a substring in another Host entry or in a comment. Consider using a more robust pattern match.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 447ac52 and 11c7174.

⛔ Files ignored due to path filters (1)
  • ztictl/go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
  • ztictl/cmd/ztictl/rds.go
  • ztictl/cmd/ztictl/rds_power.go
  • ztictl/cmd/ztictl/rds_test.go
  • ztictl/cmd/ztictl/ssm.go
  • ztictl/cmd/ztictl/ssm_ssh.go
  • ztictl/cmd/ztictl/ssm_ssh_test.go
  • ztictl/go.mod
  • ztictl/internal/ssm/client_pool.go
🧰 Additional context used
🧬 Code graph analysis (3)
ztictl/internal/ssm/client_pool.go (1)
ztictl/pkg/aws/client.go (1)
  • Client (18-25)
ztictl/cmd/ztictl/rds_test.go (2)
ztictl/cmd/ztictl/root.go (1)
  • Execute (200-202)
ztictl/pkg/colors/colors.go (1)
  • Error (19-19)
ztictl/cmd/ztictl/ssm_ssh.go (2)
ztictl/pkg/logging/logging.go (3)
  • LogError (162-166)
  • LogInfo (148-152)
  • LogWarn (155-159)
ztictl/cmd/ztictl/ssm_validation.go (2)
  • ValidateInstanceState (31-64)
  • InstanceValidationRequirements (15-27)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Test Go Code (ubuntu-latest)
  • GitHub Check: Test Go Code (macos-latest)
  • GitHub Check: Test Go Code (windows-latest)
🔇 Additional comments (17)
ztictl/cmd/ztictl/ssm.go (2)

11-31: LGTM - Updated documentation and examples are clear.

The Long description properly documents the new SSH, SSH-config, and RDP subcommands alongside existing commands.


56-58: LGTM - Subcommand wiring follows established patterns.

The new SSH, SSH-config, and RDP commands are registered consistently with the existing subcommand pattern.

ztictl/internal/ssm/client_pool.go (2)

12-12: LGTM - RDS client integration follows established patterns.

The RDS client is added consistently with the existing client pool architecture: import, struct field, initialization, and accessor all follow the same pattern as other AWS service clients.

Also applies to: 29-29, 85-85


131-137: LGTM - GetRDSClient accessor is consistent with other accessors.

The implementation correctly reuses GetClients for connection pooling and thread safety.

ztictl/cmd/ztictl/rds.go (1)

1-29: LGTM - Well-structured RDS command entry point.

The command follows the established CLI patterns in this codebase with clear documentation and examples.

ztictl/cmd/ztictl/ssm_ssh_test.go (3)

492-529: LGTM - Good unit tests for buildProxyCommand helper.

The tests verify that the proxy command contains the expected components for SSM SSH session establishment.


531-543: LGTM - Platform-specific SSH command test.

The test correctly validates platform-specific behavior using runtime.GOOS.


545-580: LGTM - Region example consistency tests.

These tests ensure documentation examples use consistent region references, which helps maintain documentation quality.

ztictl/cmd/ztictl/rds_test.go (3)

56-85: LGTM - Good subcommand registration verification.

This test ensures all expected RDS subcommands are properly registered.


612-642: LGTM - Comprehensive status colorization tests.

Tests cover all expected RDS status values and verify the output contains the original status text.


663-685: LGTM - Consolidated argument validation tests.

Good approach to test argument validation for multiple commands in a single test function, reducing code duplication.

ztictl/cmd/ztictl/rds_power.go (1)

318-332: LGTM - Comprehensive status colorization.

The colorizeRDSStatus function handles all common RDS states with appropriate color coding for visibility.

ztictl/cmd/ztictl/ssm_ssh.go (3)

1-16: LGTM - Clean imports and package declaration.

The imports are well-organized and include only necessary dependencies.


388-398: LGTM - Well-structured ProxyCommand builder.

The function correctly handles Windows vs Unix command naming and constructs a proper SSM start-session command for SSH tunneling.


408-426: LGTM - Flag initialization follows established patterns.

All flags are properly defined with shorthands, defaults, and descriptive help text.

ztictl/go.mod (2)

3-3: Go 1.24.5 is a valid, released version. However, consider updating to Go 1.25.5 (the latest stable release as of December 2025) if your project requires the most recent features or security updates.

Likely an incorrect or invalid review comment.


7-26: Dependency updates look consistent and well-structured.

The AWS SDK v2 packages are updated coherently, and the RDS service dependency aligns with the RDS command functionality. The uniseg addition is expected as an indirect dependency from tcell.

Comment thread ztictl/cmd/ztictl/ssm_ssh.go
- Updated QA_SSM_TESTS.md to include additional formatting and clarity improvements.
- Refined README.md in tools directory for better option descriptions.
- Modernized .golangci.yml configuration for improved linting practices.
- Modified Makefile to auto-detect version from git tags and added formatting target.
- Enhanced README.md in ztictl with clearer installation and feature descriptions.
- Optimized RDS command handling by reusing client pool for efficiency.
- Improved SSH command handling by adding a delay for RDP client launch.
- Updated fuzzy finder documentation to clarify usage and validation rules.
- Enhanced validation documentation for instance states and SSM agent statuses.
- Implemented signal draining in session management to prevent channel overflow.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
CONTRIBUTING.md (1)

132-159: Update release process to match actual CI/CD pipeline and correct file/version references.

The documented release process has several critical inaccuracies:

  1. File naming: Change RELEASE_NOTES.txt to RELEASE_NOTES.md
  2. Version source: Update VERSION variable location from "ssm/authaws scripts" to src/00_version.sh (the single source of truth per the file's own comments)
  3. Release process flow: The current instructions skip the release branch step required for automated documentation generation. Per docs/CI_CD_PIPELINE.md, the correct flow is:
    • Create release branch: git checkout -b release/vX.Y.Z (triggers auto-doc generation)
    • Pull generated CHANGELOG.md: git pull origin release/vX.Y.Z
    • Then tag and push: git tag vX.Y.Z && git push origin vX.Y.Z (triggers build/release)
  4. CHANGELOG generation: CHANGELOG.md is auto-generated by the auto-generate-docs.yml workflow (not manually edited), making the current instruction to "add new entry" unnecessary and potentially conflicting.

Refer to docs/CI_CD_PIPELINE.md and docs/development/RELEASE.md for the complete, automated release workflow.

docs/COMMANDS.md (2)

186-242: Add RDS Commands documentation section to COMMANDS.md.

The RDS command implementation (list, start, stop, reboot) exists in the codebase but is not documented in COMMANDS.md. A dedicated "RDS Commands" section should be added with usage examples for:

  • ztictl rds list - List RDS instances
  • ztictl rds start <db-identifier> - Start a stopped instance
  • ztictl rds stop <db-identifier> - Stop a running instance
  • ztictl rds reboot <db-identifier> - Reboot an instance

Include available flags (--region, --wait, --force-failover) and example commands for each operation.


100-184: Add documentation for missing SSM SSH/RDP commands.

The PR implements three new SSM commands (ssm ssh, ssm ssh-config, ssm rdp) that are fully functional but missing from the COMMANDS.md documentation.

Add new subsections to the SSM Operations section documenting:

  • ztictl ssm ssh - SSH to instances via SSM tunnel (no port 22 required)
  • ztictl ssm ssh-config - Generate SSH config entries for native SSH access through SSM
  • ztictl ssm rdp - RDP to Windows instances via SSM tunnel (no port 3389 required)

Each should include available flags and usage examples consistent with existing command documentation.

🧹 Nitpick comments (5)
docs/CONFIGURATION.md (1)

323-326: Add language specifier to the code block.

The fenced code block at line 323 should specify a language for proper syntax highlighting.

🔎 Proposed fix
-   ```
+   ```text
    Error: SSO start URL must begin with https://
    Fix: ztictl config repair
    ```
docs/ztiaws-demo.md (1)

278-286: Add blank lines around the table.

The table should be surrounded by blank lines for proper markdown formatting and better readability.

🔎 Proposed fix
 Summary of Benefits
+
 | Feature | Traditional AWS CLI | With ZTiAWS |
 | ---------------- | ------------------- | ----------------------------- |
 | Authentication | Manual SSO setup | Guided or auto-detected login |
 | Instance Access | Long IDs, SSH | Interactive fuzzy finder |
 | OS Detection | Manual scripts | Auto-detect and adapt |
 | Multi-Region Ops | Loops & scripts | Single command |
 | File Transfers | Manual S3 upload | Smart routing with S3 |
 | Power Control | Console or SDK | Tag-based automation |
+
 ---
scripts/install.ps1 (1)

44-54: Consider adding checksum verification for security.

The download logic uses HTTPS and TLS 1.2, which is good. However, for security best practices, consider adding checksum verification of the downloaded binary to ensure integrity and detect any tampering or corruption during download.

Verify if the GitHub releases include checksums (e.g., SHA256SUMS file). If available, the script could download and verify the checksum before proceeding:

# Example enhancement (if checksums are published)
$checksumUrl = "https://github.com/$repo/releases/latest/download/SHA256SUMS"
$expectedHash = (Invoke-WebRequest -Uri $checksumUrl -UseBasicParsing).Content | 
    Select-String $assetName | 
    ForEach-Object { $_.Line.Split()[0] }

$actualHash = (Get-FileHash $destPath -Algorithm SHA256).Hash

if ($actualHash -ne $expectedHash) {
    Write-Host "  [ERROR] Checksum verification failed" -ForegroundColor Red
    Remove-Item $destPath
    exit 1
}

This is a recommended security improvement but not critical if the releases don't currently publish checksums.

ztictl/Makefile (1)

98-108: Consider documenting Prettier auto-install behavior.

The npx prettier command will auto-install Prettier on first run if not already cached, which may cause a delay. The graceful fallback for missing Node.js is good, but users might appreciate knowing that npx handles installation automatically.

Optional enhancement:

🔎 Add a note to the error message
-	@cd .. && npx prettier --write "**/*.md" "**/*.json" "**/*.yaml" "**/*.yml" 2>/dev/null || echo "Install Node.js for Prettier support: npm install -g prettier"
+	@cd .. && npx prettier --write "**/*.md" "**/*.json" "**/*.yaml" "**/*.yml" 2>/dev/null || echo "Install Node.js for Prettier support (npx will auto-install on first run)"
ztictl/cmd/ztictl/ssm_ssh.go (1)

330-350: Consider adding tunnel readiness check before launching RDP client.

The 2-second delay is an improvement, but it's still a race condition—the tunnel established by ForwardPort (line 350) might not be ready when launchRDPClient executes. A more robust approach would poll the local port for connectivity before launching the client.

🔎 Proposed enhancement with readiness check
 	if launch {
-		// Launch RDP client in background after giving tunnel time to establish
+		// Launch RDP client after verifying tunnel is ready
 		go func() {
-			time.Sleep(2 * time.Second) // Wait for tunnel to be ready
+			// Poll local port to ensure tunnel is established
+			timeout := time.After(30 * time.Second)
+			ticker := time.NewTicker(500 * time.Millisecond)
+			defer ticker.Stop()
+
+			for {
+				select {
+				case <-timeout:
+					logging.LogWarn("Timeout waiting for RDP tunnel to be ready")
+					return
+				case <-ticker.C:
+					conn, err := net.DialTimeout("tcp", fmt.Sprintf("localhost:%d", localPort), time.Second)
+					if err == nil {
+						conn.Close()
+						// Tunnel is ready
+						launchRDPClient(localPort)
+						return
+					}
+				}
+			}
 			launchRDPClient(localPort)
 		}()
 	} else {

This ensures the RDP client only launches after confirming the tunnel is accepting connections.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 11c7174 and b936bba.

📒 Files selected for processing (47)
  • .github/ISSUE_TEMPLATE/bug_report.md
  • .github/ISSUE_TEMPLATE/feature_request.md
  • .github/ISSUE_TEMPLATE/region_request.md
  • .github/workflows/auto-generate-docs.yml
  • .github/workflows/build.yml
  • .prettierignore
  • .prettierrc
  • CHANGELOG.md
  • CLAUDE.md
  • CONTRIBUTING.md
  • INSTALLATION.md
  • Makefile
  • README.md
  • RELEASE_NOTES.md
  • RELEASE_NOTES.txt
  • docs/CI_CD_AUTHENTICATION.md
  • docs/CI_CD_PIPELINE.md
  • docs/COMMANDS.md
  • docs/CONFIGURATION.md
  • docs/IAM_PERMISSIONS.md
  • docs/LOGGING.md
  • docs/MULTI_REGION.md
  • docs/NOTIFICATIONS.md
  • docs/PRODUCTION_VERSION_FIX.md
  • docs/QUICK_START.md
  • docs/REGIONS.md
  • docs/TROUBLESHOOTING.md
  • docs/VERSION_CHECKING.md
  • docs/development/BUILD_ARTIFACTS.md
  • docs/development/RELEASE.md
  • docs/examples/github-actions-oidc.yml
  • docs/examples/gitlab-ci-oidc.yml
  • docs/ztiaws-demo.md
  • scripts/README.md
  • scripts/install.ps1
  • scripts/install.sh
  • tests/QA_AUTHAWS_TESTS.md
  • tests/QA_SSM_TESTS.md
  • tools/README.md
  • ztictl/.golangci.yml
  • ztictl/Makefile
  • ztictl/README.md
  • ztictl/cmd/ztictl/rds_power.go
  • ztictl/cmd/ztictl/ssm_ssh.go
  • ztictl/docs/FUZZY_FINDER_FEATURES.md
  • ztictl/docs/VALIDATION.md
  • ztictl/internal/ssm/manager.go
💤 Files with no reviewable changes (1)
  • RELEASE_NOTES.txt
✅ Files skipped from review due to trivial changes (13)
  • tools/README.md
  • docs/IAM_PERMISSIONS.md
  • docs/examples/github-actions-oidc.yml
  • README.md
  • .prettierrc
  • docs/QUICK_START.md
  • docs/NOTIFICATIONS.md
  • .github/workflows/auto-generate-docs.yml
  • docs/TROUBLESHOOTING.md
  • scripts/README.md
  • ztictl/.golangci.yml
  • .prettierignore
  • docs/REGIONS.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • ztictl/internal/ssm/manager.go
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/build.yml

92-92: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)


188-188: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)


255-255: "github.event.pull_request.title" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

🪛 checkmake (0.2.2)
Makefile

[warning] 7-7: Missing required phony target "all"

(minphony)


[warning] 70-70: Target body for "fmt" exceeds allowed length of 5 (8).

(maxbodylength)

ztictl/Makefile

[warning] 99-99: Target body for "fmt" exceeds allowed length of 5 (8).

(maxbodylength)

🪛 Checkov (3.2.334)
.github/workflows/build.yml

[high] 132-133: AWS Access Key

(CKV_SECRET_2)


[high] 133-134: AWS Access Key

(CKV_SECRET_2)

🪛 LanguageTool
docs/ztiaws-demo.md

[style] ~272-~272: Consider a different adjective to strengthen your wording.
Context: ...rs** — interact with AWS safely without deep CLI experience. Adoption Insight: Used...

(DEEP_PROFOUND)

docs/PRODUCTION_VERSION_FIX.md

[uncategorized] ~7-~7: The official name of this software platform is spelled with a capital “H”.
Context: ... support (corporate firewalls block api.github.com) - No TLS certificate handling (cor...

(GITHUB)

docs/LOGGING.md

[grammar] ~23-~23: Ensure spelling is correct
Context: ...essages (cyan) ## Script Behavior ### authaws - Purpose: Authentication workflows requ...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

docs/CI_CD_PIPELINE.md

[uncategorized] ~29-~29: The official name of this software platform is spelled with a capital “H”.
Context: ...lized workflows: ### Primary Workflow: .github/workflows/build.yml (Unified CI/CD) *...

(GITHUB)

CHANGELOG.md

[grammar] ~299-~299: Use a hyphen to join words.
Context: ...d security package with Windows and Unix specific validation scenarios ## [v2.5....

(QB_NEW_EN_HYPHEN)

RELEASE_NOTES.md

[uncategorized] ~33-~33: Did you mean the formatting language “Markdown” (= proper noun)?
Context: ...ther Changes - Wrap commands in proper markdown code blocks - docs: finalize ZTiAWS dem...

(MARKDOWN_NNP)

docs/CI_CD_AUTHENTICATION.md

[style] ~92-~92: The double modal “required Stored” is nonstandard (only accepted in certain dialects). Consider “to be Stored”.
Context: ...rity risk) - Manual rotation required - Stored in secrets manager (additional exposure...

(NEEDS_FIXED)

🪛 markdownlint-cli2 (0.18.1)
docs/ztiaws-demo.md

278-278: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

.github/ISSUE_TEMPLATE/bug_report.md

29-29: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

INSTALLATION.md

79-79: Bare URL used

(MD034, no-bare-urls)


83-83: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


457-457: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

ztictl/README.md

274-274: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

.github/ISSUE_TEMPLATE/region_request.md

9-9: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

CHANGELOG.md

72-72: Bare URL used

(MD034, no-bare-urls)

CLAUDE.md

264-264: Spaces inside emphasis markers

(MD037, no-space-in-emphasis)

RELEASE_NOTES.md

45-45: Bare URL used

(MD034, no-bare-urls)

docs/CONFIGURATION.md

323-323: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

docs/VERSION_CHECKING.md

15-15: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


21-21: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


27-27: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


34-34: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 2b. Test (macos-latest)
  • GitHub Check: 2b. Test (windows-latest)
  • GitHub Check: 2b. Test (ubuntu-latest)
🔇 Additional comments (61)
.github/ISSUE_TEMPLATE/feature_request.md (1)

8-8: ✅ Template improvements align with PR goals and best practices.

The changes meaningfully enhance the feature request template:

  • Blank line after YAML frontmatter (line 8): Improves readability and follows standard markdown conventions.
  • New descriptive sections (lines 12–27): The addition of "Describe the solution you'd like," "Describe alternatives you've considered," and "Screenshots or Examples" sections follow GitHub's recommended patterns for issue templates and will help requesters provide more complete context.
  • Expanded "Additional context" (lines 19–24): Including AWS CLI Version and SSM Plugin Version fields is particularly relevant for a tool that integrates deeply with AWS/SSM, and aligns well with the PR's focus on dependency management and signal handling improvements.
  • Checklist update (lines 33–38): Adding "This feature requires AWS CLI/SSM plugin changes" as a checklist item provides explicit tracking for dependencies that may affect this project.

The template is now more structured and will help contributors provide richer context for feature discussions.

Also applies to: 12-27, 33-38

CONTRIBUTING.md (3)

22-28: Well-structured additions to region contribution guidelines.

The new "Region Code Guidelines" and "Required Information" sections provide clear direction for contributors adding new regions. The examples are concrete and helpful.

Also applies to: 30-37


42-57: Good expansion of Development Process with actionable test commands.

Adding explicit test execution commands (make test for Go, shell script path) removes ambiguity and makes it easier for new contributors to validate changes locally.


92-118: Clear commit message guidelines with body and footer examples.

The expanded format with optional body/footer and concrete examples will help contributors write more informative commit messages. The Types section is now more complete.

ztictl/docs/VALIDATION.md (1)

1-301: All documentation references and code examples verified successfully. The files, functions, and implementation details in the VALIDATION.md documentation are accurate and match the actual codebase in ztictl/cmd/ztictl/ssm_validation.go. All six helper functions exist with correct signatures, the InstanceValidationRequirements struct matches the documented definition, all code examples follow correct patterns used throughout the codebase, and all referenced documentation files and GitHub issues are valid.

ztictl/README.md (4)

19-48: Enhanced feature documentation is comprehensive and well-structured.

The expanded sections on multi-OS support, cross-platform coverage, and performance benefits clearly articulate the advantages of ztictl. The formatting with emojis and visual hierarchy makes the content approachable and easy to scan.


81-110: Fuzzy finder and interactive instance selection documentation is clear and actionable.

The examples showing both traditional and interactive workflows, combined with keyboard shortcuts and validation details, provide good guidance for users. Cross-references to detailed documentation in separate files follow best practices.


154-160: Authentication table with security ratings is valuable for operator decision-making.

The comparison of IAM authentication methods (OIDC, EC2 Instance Profile, ECS Task Role, IAM Keys) with security ratings and setup complexity helps users choose the right approach for their environment. Cross-platform examples for each method add practical value.


243-273: Core operations examples effectively demonstrate cross-platform capabilities.

The progression from listing instances through platform detection and adapting commands to Linux and Windows scenarios clearly illustrates the auto-detection feature. Examples are concrete and highlight real-world use cases.

.github/ISSUE_TEMPLATE/region_request.md (1)

8-25: LGTM! Improved readability.

The added blank lines improve visual separation between sections in the issue template.

docs/CONFIGURATION.md (1)

7-457: LGTM! Documentation formatting improvements.

The changes improve consistency and readability:

  • Standardized quote style in YAML examples (single quotes)
  • Improved table alignment and spacing
  • Better section organization with consistent spacing

These are presentation-only changes with no impact on functionality.

docs/examples/gitlab-ci-oidc.yml (1)

39-40: LGTM! Quote style consistency.

The change from double quotes to single quotes is a stylistic improvement that aligns with the rest of the configuration formatting in the PR.

CLAUDE.md (1)

1-335: LGTM! Improved documentation formatting.

The spacing adjustments improve readability and section organization throughout the Claude memory file. No content or logic changes.

docs/ztiaws-demo.md (1)

1-316: LGTM! Documentation formatting improvements.

The extensive markdown formatting changes improve readability and visual consistency throughout the demo document. These are presentation-only changes.

docs/LOGGING.md (2)

17-17: Good fix! Corrected list formatting.

Removing the extra dash fixes the bullet point formatting for consistency with other list items.


21-46: Excellent documentation additions.

The new sections (Script Behavior, Environment Variables, File Format) provide valuable context for users understanding the logging system's behavior across different tools and configurations.

Makefile (2)

4-6: Good addition! Automatic version detection.

The VERSION variable using git describe provides useful context and will help track which version of the codebase is being used. The fallback to "dev" handles repositories without tags gracefully.


69-79: Useful formatting target with minor security consideration.

The fmt target provides convenient code formatting across Go and documentation files. The graceful fallback when Node.js is missing is well-handled.

The npx command at line 76 will download and execute prettier from npm. While this is standard practice, verify that the repository's contributor guidelines document this dependency or consider pinning to a specific prettier version for reproducibility:

# Current (works but unpinned)
npx prettier --write ...

# Alternative with version pinning (more reproducible)
npx prettier@3.x --write ...

This is not a security risk in the current context but may help with build reproducibility.

scripts/install.ps1 (2)

1-26: Well-structured PowerShell installer script.

The script header, error handling setup, and architecture detection are well-implemented. The 64-bit check is appropriate given the available binaries.


56-80: Excellent user experience and verification.

The PATH modification is scoped to the user (not system-wide), which is appropriate. The installation verification and usage guidance provide a good user experience. The fallback handling when version check fails is thoughtful.

scripts/install.sh (6)

1-9: LGTM!

The script uses proper bash error handling with set -euo pipefail, which ensures the installer fails fast on errors, undefined variables, or pipeline failures.


25-40: LGTM!

OS and architecture detection is robust, with proper normalization to match GitHub release asset naming conventions. Windows is appropriately blocked with guidance to use the PowerShell installer.


45-56: LGTM!

Download logic is well-implemented with:

  • Secure temporary file handling via mktemp and trap-based cleanup
  • Proper curl/wget fallback with appropriate flags
  • Downloads to temporary location before installation

60-69: LGTM!

Installation logic properly handles permission scenarios:

  • Direct installation when the directory is writable
  • Automatic sudo elevation when needed
  • Ensures executable permissions in both paths

71-85: LGTM!

Verification logic is user-friendly:

  • Checks if the binary is accessible in PATH
  • Displays version information when available
  • Provides clear guidance for updating PATH if needed

87-92: LGTM!

Usage examples are clear and demonstrate key commands including authentication, SSM listing with region shortcuts, and help access.

CHANGELOG.md (1)

1-619: LGTM!

The CHANGELOG follows the Keep a Changelog format and documents the project's history comprehensively. The changes in this PR improve formatting consistency (code blocks, headers, etc.) without altering the semantic content.

docs/development/BUILD_ARTIFACTS.md (1)

1-115: LGTM!

Documentation clearly explains the distinction between source files (commit) and build artifacts (ignore), with updated references to ARM64 builds and comprehensive workflow guidance. The rationale for not committing binaries is well-articulated.

INSTALLATION.md (1)

1-455: LGTM!

The installation guide is comprehensive and well-organized with:

  • Quick install one-liners for Linux/macOS
  • Platform-specific detailed instructions for all supported architectures
  • Windows setup with both PowerShell and GUI guidance
  • Extensive troubleshooting section
  • Clear migration path from legacy bash tools
ztictl/Makefile (1)

9-10: LGTM!

Version auto-detection using git describe is robust and provides meaningful version strings for both releases ("2.11.0") and development builds ("2.11.0-3-g1a2b3c4"), with a sensible fallback to "dev".

docs/development/RELEASE.md (1)

1-121: LGTM!

The release documentation is comprehensive and includes:

  • Step-by-step Git commands for the release workflow
  • Clear emphasis on waiting for auto-generated documentation
  • Review checkpoints before proceeding
  • Troubleshooting guidance
  • Emergency release procedures

This provides a solid foundation for consistent release processes.

ztictl/cmd/ztictl/rds_power.go (9)

1-20: LGTM!

Package structure is clean with appropriate imports. The shared rdsClientPool at the package level is an efficient pattern for reusing AWS clients across commands.


23-122: LGTM!

Command definitions are well-structured with:

  • Clear help text and examples showing region shortcuts
  • Proper argument validation (ExactArgs for start/stop/reboot)
  • Consistent error handling pattern
  • Helpful notes about RDS limitations (e.g., 7-day auto-restart for stopped instances)

124-172: LGTM!

The list function is well-implemented with:

  • Proper nil checking for optional endpoint fields
  • Colorized status output for better UX
  • Clear table formatting
  • Graceful handling of empty results

174-207: LGTM!

The start function provides good UX with:

  • Immediate feedback that the command was sent
  • Optional --wait flag with clear messaging
  • Helpful guidance when not waiting
  • Proper error wrapping

209-243: LGTM!

The stop function includes an important user warning about RDS's 7-day auto-restart policy, which helps prevent surprises. The implementation is consistent with the start command.


245-284: LGTM!

The reboot function properly handles the --force-failover flag for Multi-AZ instances and provides clear user feedback about the operation's impact.


286-326: LGTM!

The wait function implements robust polling with:

  • Reasonable timeouts (30 minutes) and intervals (30 seconds) for RDS operations
  • Exponential backoff for transient errors
  • Consecutive error tracking to avoid infinite retries
  • Clear progress feedback to the user
  • Proper deadline checking to prevent infinite loops

328-342: LGTM!

Status colorization improves UX by making instance states immediately recognizable, with semantically appropriate colors (green for available, red for failed, yellow for stopped, etc.).


344-360: LGTM!

Flag initialization is consistent across commands with:

  • Clear descriptions including region shortcode examples
  • Appropriate shorthand flags (-r, -w, -f)
  • Sensible defaults (wait=false)
ztictl/cmd/ztictl/ssm_ssh.go (6)

19-93: LGTM!

Both SSH and SSH-config commands are well-defined with:

  • Flexible argument handling (optional instance identifier triggers fuzzy finder)
  • Clear requirements (AWS CLI v2, Session Manager plugin, SSH client)
  • Comprehensive examples showing region shortcuts
  • Proper flag handling and error propagation

95-157: LGTM!

SSH connection implementation is robust with:

  • Instance state validation (running + SSM online)
  • Sensible defaults (ec2-user)
  • Proper ProxyCommand construction for SSM tunneling
  • Full stdio forwarding for interactive sessions
  • Support for identity files and extra SSH arguments

159-249: LGTM!

SSH config generation is well-implemented with:

  • Secure file permissions (0700 for .ssh directory, 0600 for config file)
  • Duplicate entry detection to prevent configuration conflicts
  • Clear usage examples for both appended and printed output
  • Proper error handling throughout

357-387: LGTM!

RDP client launcher provides comprehensive cross-platform support:

  • Windows: mstsc with proper port syntax
  • macOS: native rdp:// URL handling
  • Linux: Multiple fallbacks (xfreerdp, rdesktop, remmina) with helpful messaging if none are installed
  • Graceful failure handling (warns but doesn't crash)

389-407: LGTM!

Platform-specific command helpers are correctly implemented:

  • buildProxyCommand uses proper AWS SSM document (AWS-StartSSHSession) with correct parameter syntax (%%p for SSH port)
  • getSSHCommand handles Windows .exe suffix appropriately
  • Both functions are simple and maintainable

409-427: LGTM!

Flag initialization is well-designed:

  • SSH: Supports multiple -o arguments via StringArrayP
  • SSH-config: Boolean append flag for automatic config file modification
  • RDP: Configurable local port with sensible default (33389) to avoid conflicts
  • All flags have clear descriptions and appropriate types
ztictl/docs/FUZZY_FINDER_FEATURES.md (1)

1-182: LGTM!

The documentation is comprehensive and well-structured, covering fuzzy finder features, keyboard shortcuts, mouse support, and platform compatibility. The instance state validation table and error feedback examples are clear and helpful for users.

.github/workflows/build.yml (2)

130-136: Test credentials are intentional placeholder values.

The AWS credentials used here are AWS's documented example credentials (AKIAIOSFODNN7EXAMPLE), not real secrets. Combined with AWS_EC2_METADATA_DISABLED: 'true', this correctly sets up an isolated test environment. The Checkov warnings are false positives in this context.


268-336: LGTM - Build and release pipeline is well-structured.

The cross-platform build matrix with proper versioning, artifact naming, and checksum generation follows best practices. The conditional execution ensures builds only run for tags or manual dispatch.

docs/VERSION_CHECKING.md (1)

1-57: LGTM!

The documentation clearly explains the version checking design decisions including proxy support, TLS configuration, retry logic, and error handling. The environment variables table provides a helpful quick reference.

docs/CI_CD_AUTHENTICATION.md (1)

1-926: LGTM!

This is a comprehensive and well-structured CI/CD authentication guide. It effectively covers the spectrum from recommended OIDC federation to fallback IAM access keys, with practical examples for major CI/CD platforms and clear security considerations.

tests/QA_AUTHAWS_TESTS.md (1)

1-469: LGTM!

The QA test suite is comprehensive, covering backward compatibility, flag-based parameters, mixed syntax, error handling, edge cases, and performance. The inclusion of test data cleanup procedures and the warning about not committing real credentials demonstrates good practices.

docs/PRODUCTION_VERSION_FIX.md (1)

1-35: LGTM!

The documentation clearly explains the production version check issues and their solutions. The lowercase "api.github.com" is correct as it's a domain name reference.

docs/MULTI_REGION.md (1)

1-317: LGTM!

The multi-region operations guide is comprehensive, covering configuration, command usage, execution control, filtering, error handling, and troubleshooting. The use cases section provides practical examples for security patching, configuration auditing, and log collection.

docs/CI_CD_PIPELINE.md (1)

1-442: LGTM - Well-documented pipeline architecture.

The CI/CD pipeline documentation provides excellent coverage of the design philosophy, job architecture, and workflow behavior. The mermaid diagram and behavior matrix effectively communicate the pipeline flow. Minor version inconsistencies noted separately.

docs/COMMANDS.md (1)

271-318: LGTM on Interactive Fuzzy Finder documentation.

The Interactive Fuzzy Finder section is well-structured with clear feature descriptions, keyboard shortcuts, instance information details, and practical workflow examples. Documentation clearly explains when fuzzy finder launches and how to use it.

tests/QA_SSM_TESTS.md (5)

1-26: Verify test coverage for RDS and SSM SSH features mentioned in PR objectives.

This QA document is scoped to "SSM Flag-Based Parameters QA Test Suite" and documents testing for flag-based parameter support. However, the AI summary states the PR "Adds RDS CLI commands and SSM SSH/SSH-config/RDP features" and includes "new unit tests for RDS and SSM SSH features."

This document does not cover:

  • RDS command testing (list, start, stop, reboot operations)
  • SSM SSH feature testing (SSH proxy, SSH-config generation, RDP features)

Either:

  1. Separate QA documents should exist for RDS and SSM SSH features and should be included in this review, or
  2. New test sections should be added to this document to cover these features

Please verify that all QA documentation for the PR is included and complete.


472-518: LGTM on test execution checklist and expected results.

The Test Execution Checklist and Expected Results sections are well-organized with clear, measurable criteria. Success and failure criteria appropriately cover backward compatibility, flag support, syntax mixing, error handling, and performance. The checklist provides good coverage of pre-test setup, execution phases, and post-test validation.


39-81: LGTM on test data setup and validation procedures.

The Test Data Setup section provides clear, practical instructions for environment configuration with safety warnings (⚠️ WARNING note on line 46 about not committing sensitive test data). The validate_instance_id() function provides validation before test execution, and test file creation is properly documented. This setup approach reduces errors and improves test reliability.


536-591: LGTM on reporting and maintenance sections.

The Test Report Template provides comprehensive fields for documenting test execution (date, tester, environment details, summary counts, findings). Maintenance section appropriately covers ongoing testing procedures and test case update guidance to keep the test suite current as features evolve.


1-80: The QA test document correctly focuses on the flag-based parameter support feature for the ssm bash script. The commit message mentions signal handling improvements ("Implemented signal draining in session management"), but these are in the ztictl Go tool (ztictl/cmd/ztictl/ssm_exec_multi.go), not the bash ssm script covered by this QA document. No signal handling enhancements to the bash script itself are present in this PR, so the test coverage is appropriately scoped for the documented feature.

Comment thread .github/ISSUE_TEMPLATE/bug_report.md Outdated
Comment thread .github/workflows/build.yml
Comment thread .github/workflows/build.yml
Comment thread CONTRIBUTING.md Outdated
Comment thread CONTRIBUTING.md Outdated
Comment thread INSTALLATION.md Outdated
Comment thread RELEASE_NOTES.md
Comment thread RELEASE_NOTES.md
Comment thread RELEASE_NOTES.md
Comment thread ztictl/README.md

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (2)
docs/CI_CD_PIPELINE.md (1)

380-388: Approved: Past version inconsistency has been corrected.

The previous review comment flagging Go version (1.25 vs 1.24) and golangci-lint (v2.4.0 vs v1.61.0) discrepancies in the Maintenance section has been properly addressed. The section now correctly reflects Go 1.24 and golangci-lint v1.61.0. The added note at line 387 instructing maintainers to keep values in sync is a good improvement.

.github/workflows/build.yml (1)

124-128: Go version 1.24 is outdated.

Per previous review, Go 1.25.5 was released in December 2025. Consider updating to 1.25 across all jobs (also at lines 227 and 311) to benefit from the latest improvements and security fixes.

🧹 Nitpick comments (2)
.github/workflows/build.yml (2)

252-256: Consider failing the build on vulnerability findings.

The continue-on-error: true on govulncheck means known vulnerabilities in dependencies won't block the PR. While this approach allows gradual adoption, consider at least failing on HIGH/CRITICAL severity findings to prevent merging code with known exploitable vulnerabilities.

🔎 Example: Fail on vulnerabilities
      - name: Run Go vulnerability check
        working-directory: ./ztictl
-       run: govulncheck ./... || true
-       continue-on-error: true
+       run: govulncheck ./...

386-388: Add existence check for install scripts.

The step copies scripts/install.sh and scripts/install.ps1 without verifying they exist. If these files are missing, the release job will fail silently at this point.

🔎 Proposed defensive check
-          cp scripts/install.sh release/
-          cp scripts/install.ps1 release/
+          [ -f scripts/install.sh ] && cp scripts/install.sh release/
+          [ -f scripts/install.ps1 ] && cp scripts/install.ps1 release/
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b936bba and 9381b9c.

📒 Files selected for processing (5)
  • .github/ISSUE_TEMPLATE/bug_report.md
  • .github/workflows/build.yml
  • CONTRIBUTING.md
  • INSTALLATION.md
  • docs/CI_CD_PIPELINE.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • CONTRIBUTING.md
  • .github/ISSUE_TEMPLATE/bug_report.md
🧰 Additional context used
🪛 Checkov (3.2.334)
.github/workflows/build.yml

[high] 137-138: AWS Access Key

(CKV_SECRET_2)


[high] 138-139: AWS Access Key

(CKV_SECRET_2)

🪛 LanguageTool
docs/CI_CD_PIPELINE.md

[uncategorized] ~29-~29: The official name of this software platform is spelled with a capital “H”.
Context: ...lized workflows: ### Primary Workflow: .github/workflows/build.yml (Unified CI/CD) *...

(GITHUB)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 2b. Test (macos-latest)
  • GitHub Check: 2b. Test (windows-latest)
  • GitHub Check: 2b. Test (ubuntu-latest)
🔇 Additional comments (7)
INSTALLATION.md (1)

1-455: Comprehensive documentation update—well executed and complete.

This extensive revision properly documents ztictl installation across platforms (Linux AMD64/ARM64, macOS Intel/Apple Silicon, Windows) with clear setup instructions, PATH configuration, usage examples, and troubleshooting guidance. The transition from deprecated bash tools to the modern Go binary is well-explained with clear migration messaging.

All code blocks are properly labeled with language specifiers (bash, powershell), which aligns with markdown linting standards. Download URLs follow the correct GitHub release pattern, and the Go 1.24+ requirement is current (as of February 2025 release). The document structure is clear and user-friendly, with appropriate sections for quick install, platform-specific setup, building from source, and legacy tool support.

.github/workflows/build.yml (6)

18-48: Well-designed change detection gate.

The path-based filtering approach efficiently skips unnecessary jobs. The conditional logic correctly excludes workflow_dispatch and tag pushes where change detection isn't applicable.


88-108: Script injection vulnerability properly remediated.

The PR metadata is now passed through environment variables instead of direct interpolation, addressing the previously flagged script injection concern. The variables are properly quoted when passed to the script.


136-140: Static analysis false positive - these are well-known AWS example credentials.

The flagged credentials (AKIAIOSFODNN7EXAMPLE and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) are official placeholder credentials from AWS documentation, intentionally used for testing with AWS_EC2_METADATA_DISABLED: 'true'. These are not real secrets and pose no security risk.


317-345: Build logic is well-structured.

Good version derivation from tags vs commits, proper binary naming conventions per platform, and the smoke test on linux-amd64 verifies the build works before uploading artifacts.


408-437: Release notification properly implemented.

Tag format validation, fail-fast settings, and continue-on-error: true ensure notifications don't block releases while still catching invalid tag formats early.


238-246: The Trivy action is already pinned to the latest version.

The workflow uses aquasecurity/trivy-action@0.33.1, which is the current latest release (published September 3, 2025). No version update is needed.

Likely an incorrect or invalid review comment.

Comment thread docs/CI_CD_PIPELINE.md Outdated
Comment thread docs/CI_CD_PIPELINE.md Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
docs/CI_CD_PIPELINE.md (1)

301-301: Minor: Markdown table syntax issue.

Line 301 uses v\* which may not render correctly in the Markdown table. Consider using inline code formatting or unescaped syntax for consistency with other table rows.

🔎 Proposed fix
-| **Tag push (v\*)** | `build` → `release` → `notification` | Full release pipeline |
+| **Tag push (v*)** | `build` → `release` → `notification` | Full release pipeline |
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8c6064c and 6c53fee.

📒 Files selected for processing (1)
  • docs/CI_CD_PIPELINE.md
🧰 Additional context used
🪛 LanguageTool
docs/CI_CD_PIPELINE.md

[uncategorized] ~29-~29: The official name of this software platform is spelled with a capital “H”.
Context: ...lized workflows: ### Primary Workflow: .github/workflows/build.yml (Unified CI/CD) *...

(GITHUB)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: 2b. Test (windows-latest)
🔇 Additional comments (2)
docs/CI_CD_PIPELINE.md (2)

174-174: ✅ Version consistency resolved.

The documentation now consistently references Go 1.24 and golangci-lint v1.61.0 across all sections (lines 174, 382, 384, 411). The addition of the sync note at line 387 is helpful for future maintenance.

Also applies to: 384-384, 411-411


391-391: Go version statement is accurate. The claim that Go 1.25.5 is the latest stable release as of December 2025 has been verified and is correct.

@ditahkk ditahkk merged commit 13fddc3 into main Dec 28, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Ctrl+C handling breaks SSM session behavior

2 participants