add build-push-deploy #11
Conversation
Review Summary |
Review Summary🏷️ Draft Comments (1)
🔍 Comments beyond diff scope (1)
|
![entelligence-ai-pr-reviews[bot]](https://avatars.githubusercontent.com/in/932812?s=60&v=4){kind=small}
|
🔒 Entelligence AI Vulnerability Scanner ✅ No security vulnerabilities found! Your code passed our comprehensive security analysis. |
| # Do the actual deployment | ||
| with: | ||
| environment-slug: ${{matrix.deploy-env}} | ||
| k8s-namespace: ${{inputs.deploy-namespace || matrix.deploy-env}} |
There was a problem hiding this comment.
correctness: k8s-namespace assignment uses ${{inputs.deploy-namespace || matrix.deploy-env}}, but GitHub Actions expressions do not support || for defaulting, causing the value to be set to the literal string or empty if deploy-namespace is not provided, resulting in deployments to the wrong namespace or failure.
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
In .github/workflows/build-push-deploy.yml, line 123, the expression for `k8s-namespace` uses `${{inputs.deploy-namespace || matrix.deploy-env}}`, but GitHub Actions expressions do not support `||` for defaulting. Update this line to use a supported conditional expression so that if `inputs.deploy-namespace` is set (not empty), it is used; otherwise, fall back to `matrix.deploy-env`. Replace the line with: `k8s-namespace: ${{ inputs.deploy-namespace != '' && inputs.deploy-namespace || matrix.deploy-env }}`.
📝 Committable Code Suggestion
‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.
| k8s-namespace: ${{inputs.deploy-namespace || matrix.deploy-env}} | |
| k8s-namespace: ${{ inputs.deploy-namespace != '' && inputs.deploy-namespace || matrix.deploy-env }} |
|
|
||
| migrate: | ||
| runs-on: mdb-dev | ||
| container: ${{ secrets.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} |
There was a problem hiding this comment.
correctness: migrate job's container image reference uses ${{ inputs.docker-image-ref }} which may be undefined if not provided, causing the job to fail to start.
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
In .github/workflows/build-push-deploy.yml, line 97, the `migrate` job's `container` field references `${{ inputs.docker-image-ref }}` directly, which may be undefined if not provided, causing the job to fail. Update the container image reference to append `-${{ inputs.docker-image-ref }}` only if `docker-image-ref` is set, otherwise omit it. Ensure the job works whether or not `docker-image-ref` is provided.
📝 Committable Code Suggestion
‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.
| container: ${{ secrets.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} | |
| 0097 [+]: container: ${{ secrets.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}${{ inputs.docker-image-ref && format('-{0}', inputs.docker-image-ref) || '' }} |
| strategy: | ||
| matrix: | ||
| deploy-env: ${{fromJson(needs.get-deploy-labels.outputs.deploy-envs)}} | ||
| container: ${{ vars.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} |
There was a problem hiding this comment.
correctness: container image reference changed from secrets.ECR_REGISTRY to vars.ECR_REGISTRY, which may break runtime if vars.ECR_REGISTRY is not set or does not match the expected registry value.
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
In .github/workflows/build-push-deploy.yml, line 101, the `container` image reference was changed from `secrets.ECR_REGISTRY` to `vars.ECR_REGISTRY`. This may cause runtime failures if `vars.ECR_REGISTRY` is not set or does not match the expected registry. Please revert this line to use `secrets.ECR_REGISTRY` instead.
📝 Committable Code Suggestion
‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.
| container: ${{ vars.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} | |
| container: ${{ secrets.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} |
| container: ${{ vars.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} | ||
| if: ${{ needs.get-deploy-labels.outputs.deploy-envs != '[]' }} | ||
| steps: | ||
| - name: Login to Amazon ECR | ||
| id: login-ecr | ||
| uses: aws-actions/amazon-ecr-login@v2 |
There was a problem hiding this comment.
correctness: aws-actions/amazon-ecr-login@v2 step is added after the container image is referenced, which may cause ECR authentication to fail if the image is not already available locally.
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
In .github/workflows/build-push-deploy.yml, lines 101-106, the ECR login step is defined after the container image is referenced, which can cause authentication failures if the image is not already present. Move the 'Login to Amazon ECR' step before the 'container:' definition so that authentication occurs before the image is pulled.
📝 Committable Code Suggestion
‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.
| container: ${{ vars.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} | |
| if: ${{ needs.get-deploy-labels.outputs.deploy-envs != '[]' }} | |
| steps: | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| if: ${{ needs.get-deploy-labels.outputs.deploy-envs != '[]' }} | |
| steps: | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| container: ${{ vars.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} |
| export NAMESPACE=${{inputs.deploy-namespace || matrix.deploy-env}} | ||
| export IMAGE_TAG=${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} | ||
| export JOB_NAME=$(grep -E '^ *name:' ${{ inputs.migration-job-file }} | head -1 | awk '{print $2}') | ||
|
|
||
| kubectl -n $NAMESPACE delete job --ignore-not-found $JOB_NAME | ||
| envsubst '${IMAGE_TAG} ${NAMESPACE}' < ${{ inputs.migration-job-file }} | kubectl apply -f - |
There was a problem hiding this comment.
correctness: envsubst '${IMAGE_TAG} ${NAMESPACE}' < ${{ inputs.migration-job-file }} will not substitute variables in the YAML unless the YAML contains ${IMAGE_TAG} and ${NAMESPACE} placeholders; if the YAML uses a different variable format or hardcoded values, the migration job will use incorrect image or namespace.
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
In .github/workflows/build-push-deploy.yml, lines 111-116, the workflow uses `envsubst '${IMAGE_TAG} ${NAMESPACE}' < ${{ inputs.migration-job-file }}` to substitute variables in the migration job YAML. This only works if the YAML contains exactly `${IMAGE_TAG}` and `${NAMESPACE}` placeholders. If the YAML uses different variable names or hardcoded values, the migration job will not use the correct image or namespace, leading to failed or incorrect migrations. Change the line to use `envsubst < ${{ inputs.migration-job-file }}` so all environment variables are substituted, ensuring the correct values are injected.
📝 Committable Code Suggestion
‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.
| export NAMESPACE=${{inputs.deploy-namespace || matrix.deploy-env}} | |
| export IMAGE_TAG=${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} | |
| export JOB_NAME=$(grep -E '^ *name:' ${{ inputs.migration-job-file }} | head -1 | awk '{print $2}') | |
| kubectl -n $NAMESPACE delete job --ignore-not-found $JOB_NAME | |
| envsubst '${IMAGE_TAG} ${NAMESPACE}' < ${{ inputs.migration-job-file }} | kubectl apply -f - | |
| export NAMESPACE=${{inputs.deploy-namespace || matrix.deploy-env}} | |
| export IMAGE_TAG=${{ inputs.stage-name }}-${{ inputs.docker-image-ref }} | |
| export JOB_NAME=$(grep -E '^ *name:' ${{ inputs.migration-job-file }} | head -1 | awk '{print $2}') | |
| kubectl -n $NAMESPACE delete job --ignore-not-found $JOB_NAME | |
| envsubst < ${{ inputs.migration-job-file }} | kubectl apply -f - |
| kubectl -n $NAMESPACE delete job --ignore-not-found $JOB_NAME | ||
| envsubst '${IMAGE_TAG} ${NAMESPACE}' < ${{ inputs.migration-job-file }} | kubectl apply -f - | ||
|
|
||
| kubectl -n "$NAMESPACE" wait --for=condition=complete --timeout=1m "job/$JOB_NAME" |
There was a problem hiding this comment.
performance: kubectl -n "$NAMESPACE" wait --for=condition=complete --timeout=1m "job/$JOB_NAME" uses a fixed 1-minute timeout, which can cause unnecessary resource contention or failed deployments for large/slow migrations, impacting reliability and user experience.
🤖 AI Agent Prompt for Cursor/Windsurf
📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue
In .github/workflows/build-push-deploy.yml, line 118, the migration job wait step uses a hardcoded 1-minute timeout, which can cause failures for long-running migrations and resource contention. Refactor this to use a configurable timeout (e.g., an input like `migration-wait-timeout` with a sensible default such as 5m), so that deployments can scale for larger jobs.
📝 Committable Code Suggestion
‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.
| kubectl -n "$NAMESPACE" wait --for=condition=complete --timeout=1m "job/$JOB_NAME" | |
| kubectl -n "$NAMESPACE" wait --for=condition=complete --timeout=${{ inputs.migration-wait-timeout || '5m' }} "job/$JOB_NAME" |
2 participants
No description provided.