Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP Convert CircleCI config to Github Actions #8147

Open
wants to merge 46 commits into
base: master
Choose a base branch
from
Open

WIP Convert CircleCI config to Github Actions #8147

wants to merge 46 commits into from

Conversation

hotzenklotz
Copy link
Member

@hotzenklotz hotzenklotz commented Oct 24, 2024

PR converts CircleCI config to Github Actions.

I wanted to see 1) how quick/slow GA is compared to CircleCI and 2) consolidate all CI jobs in GA to have one less service to rely upon. GA also has pretty nice Slack integration.

URL of deployed dev instance (used for testing):

  • https://___.webknossos.xyz

Steps to test:

  • CI should be enough

Issues:

  • fixes #

(Please delete unneeded items, merge only when none are left open)

@hotzenklotz hotzenklotz self-assigned this Oct 24, 2024
Copy link
Contributor

coderabbitai bot commented Oct 24, 2024

📝 Walkthrough
📝 Walkthrough

Walkthrough

The changes introduce enhancements to the CI/CD pipeline, including an updated shell script, not-on-master.sh, for conditional execution based on the current branch. The CI pipeline configuration in .github/workflows/build_test_deploy.yml is significantly modified, with new triggers for push and pull_request events, the addition of environment variables, and the creation of a new job for building and testing the application. A new health check workflow is also added to monitor a specified URL. The Dockerfile and other related files have been updated to reflect changes in environment variables and the build process.

Changes

File Path Change Summary
.github/not-on-master.sh Updated to include a shebang, error handling options, and logic to skip execution on the master branch.
.github/workflows/build_test_deploy.yml - Added triggers for push on master and pull_request on all branches.
- Introduced environment variables: USER_NAME, USER_UID, USER_GID, DOCKER_USER, DOCKER_PASS.
- Renamed job from foo to static_frontend_code_checks.
- Added new job build_test_deploy with steps for building and testing the application.
.github/actions/health_check_action.yml New action added for URL health checking with retries.
docker-compose.yml Updated environment variables from CircleCI to GitHub Actions (CIRCLE_TAG to CI_TAG, etc.).
project/BuildInfoSettings.scala Updated environment variable checks from CircleCI to GitHub Actions.
Dockerfile New command added to copy compiled Scala output into the working directory.

Possibly related PRs

Suggested labels

testing

Suggested reviewers

  • daniel-wer

Poem

In the garden of code where the rabbits play,
A script hops in, to keep troubles at bay.
With branches in mind, it knows when to skip,
While builds and tests flow on a smooth, happy trip.
So let’s cheer for the changes, both big and small,
In our CI wonderland, we’ll conquer them all! 🐇✨


Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@hotzenklotz hotzenklotz added the CI label Oct 24, 2024
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Outside diff range and nitpick comments (2)
.github/workflows/build_test_deploy.yml (2)

4-9: Consider restricting branch patterns

The current trigger configuration runs on all branches ('*'). This might lead to unnecessary workflow runs. Consider:

  • Limiting to specific branch patterns (e.g., main, develop, feature/*)
  • Using path filters to run only when relevant files change
  push:
    branches:
-      - '*'
+      - main
+      - develop
+      - 'feature/**'
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
  pull_request:
    branches:
-      - '*'
+      - main
+      - develop

12-18: Enhance security of Docker credentials

The Docker credentials are exposed as environment variables. While they are using secrets, consider:

  1. Limiting the scope of these credentials to only the job that needs them
  2. Using GITHUB_TOKEN where possible for container registry authentication
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 6a0dcc0 and 4a9811e.

📒 Files selected for processing (2)
  • .github/not-on-master.sh (1 hunks)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

57-57: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


57-57: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


57-57: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


57-57: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


72-72: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting

(shellcheck)


117-117: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


137-137: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


137-137: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


153-153: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


153-153: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting

(shellcheck)


161-161: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


161-161: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting

(shellcheck)


169-169: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


169-169: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (4)
.github/not-on-master.sh (3)

1-2: LGTM: Robust shell script configuration.

The script follows shell scripting best practices:

  • Uses proper shebang line for portability
  • Sets appropriate safety flags:
    • -E: ERR trap inheritance
    • -e: Exit on error
    • -u: Error on unbound variables
    • -o pipefail: Propagate pipe failures

7-7: Consider adding command validation.

The exec "$@" executes arbitrary commands passed as arguments without validation.

Consider:

  1. Adding command whitelisting
  2. Implementing logging for audit purposes
  3. Adding error handling for failed commands

4-8: ⚠️ Potential issue

Fix branch reference comparison.

The current branch comparison has potential issues:

  1. GITHUB_REF typically includes the full ref path (e.g., "refs/heads/master")
  2. String comparison should use = instead of == for POSIX compatibility

Apply this fix:

-if [ "${GITHUB_REF}" == "master" ]; then
+if [ "${GITHUB_REF}" = "refs/heads/master" ]; then

Additionally, consider adding input validation:

.github/workflows/build_test_deploy.yml (1)

21-43: LGTM! Well-structured frontend checks

The frontend code checks job is well-organized with:

  • Proper Node.js setup
  • Comprehensive checks (lint, types, cyclic deps)
  • Clear step names

Comment on lines 152 to 174
run: |
for i in {1..20}; do # retry
curl --fail -v http://localhost:9000/api/health && s=0 && break || s=$?
sleep 5
done
(exit $s)

- name: Run webknossos-datastore smoke test
run: |
for i in {1..20}; do # retry
curl --fail -v http://localhost:9090/data/health && s=0 && break || s=$?
sleep 5
done
(exit $s)

- name: Run webknossos-tracingstore smoke test
run: |
for i in {1..20}; do # retry
curl --fail -v http://localhost:9050/tracings/health && s=0 && break || s=$?
sleep 5
done
(exit $s)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Refactor duplicated health check logic

The health check implementation is duplicated across three services. Consider extracting this into a reusable composite action:

  1. Create .github/actions/health-check/action.yml:
name: 'Health Check'
description: 'Performs health check with retries'
inputs:
  url:
    description: 'Health check URL'
    required: true
runs:
  using: 'composite'
  steps:
    - shell: bash
      run: |
        for i in {1..20}; do
          curl --fail -v "${{ inputs.url }}" && exit 0
          sleep 5
        done
        exit 1
  1. Use it in the workflow:
- uses: ./.github/actions/health-check
  with:
    url: http://localhost:9000/api/health
🧰 Tools
🪛 actionlint

153-153: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


153-153: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting

(shellcheck)


161-161: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


161-161: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting

(shellcheck)


169-169: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


169-169: shellcheck reported issue in this script: SC2086:info:5:7: Double quote to prevent globbing and word splitting

(shellcheck)

Comment on lines 179 to 203
- name: Push docker images
run: |
function retry() {
for i in {1..5}; do
"$@" && s=0 && break || s=$?
sleep 10
done
return $s
}
retry docker login -u $DOCKER_USER -p $DOCKER_PASS
retry docker compose push webknossos
retry docker compose push webknossos-datastore
retry docker compose push webknossos-tracingstore
if [[ ${{ github.ref_type }} == "branch" ]]; then
docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-datastore:${DOCKER_TAG} scalableminds/webknossos-datastore:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-datastore:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-tracingstore:${DOCKER_TAG} scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-dev:${NORMALIZED_BRANCH}
fi
docker logout

Copy link
Contributor

@coderabbitai coderabbitai bot Oct 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consolidate Docker push retry logic

The Docker push steps have complex retry logic. Consider:

  1. Using GitHub's built-in retry functionality
  2. Creating a reusable function for Docker operations
- name: Login to Docker Hub
  uses: docker/login-action@v2
  with:
    username: ${{ env.DOCKER_USER }}
    password: ${{ env.DOCKER_PASS }}

- name: Push images
  uses: nick-invision/retry@v2
  with:
    timeout_minutes: 10
    max_attempts: 3
    command: |
      docker compose push webknossos
      docker compose push webknossos-datastore
      docker compose push webknossos-tracingstore
      if [[ ${{ github.ref_type }} == "branch" ]]; then
        # ... tag and push branch images
      fi
🧰 Tools
🪛 actionlint

180-180: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sound great. Please do it!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hotzenklotz, glad you like the suggestion! Here's the updated workflow with the consolidated Docker push retry logic:

name: CI Pipeline

on:
  push:
    branches:
      - '*'
  pull_request:
    branches:
      - '*'
  workflow_dispatch:

env:
  USER_NAME: circleci
  USER_UID: 1000
  USER_GID: 1000
  TZ: Europe/Berlin
  DOCKER_USER: ${{ secrets.DOCKER_USER }}
  DOCKER_PASS: ${{ secrets.DOCKER_PASS }}

jobs:
  static_frontent_code_checks:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 5

      - uses: actions/setup-node@v4
        with:
          node-version: 18

      - name: Install frontend dependencies
        run: corepack enable && yarn install --immutable

      - name: Lint frontend code and check formatting
        run: yarn run check-frontend

      - name: Typecheck frontend code
        run: yarn typecheck

      - name: Check for cyclic dependencies in frontend
        run: yarn check-cyclic-dependencies

  build_test_deploy:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 5

      - name: "Custom environment variables"
        run: |
          if [[ ${{ github.ref_type }} == "branch" ]]; then
            NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
            echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
            DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
            echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
          else
            echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
            echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
          fi

      - name: Set up Docker
        uses: docker/setup-buildx-action@v2

      # ... other build and test steps ...

      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ env.DOCKER_USER }}
          password: ${{ env.DOCKER_PASS }}

      - name: Push docker images
        uses: nick-invision/retry@v2
        with:
          timeout_minutes: 10
          max_attempts: 3
          command: |
            docker compose push webknossos
            docker compose push webknossos-datastore
            docker compose push webknossos-tracingstore
            if [[ ${{ github.ref_type }} == "branch" ]]; then
              docker tag scalableminds/webknossos:${{ env.DOCKER_TAG }} scalableminds/webknossos:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos:${{ env.NORMALIZED_BRANCH }}
              docker tag scalableminds/webknossos-datastore:${{ env.DOCKER_TAG }} scalableminds/webknossos-datastore:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos-datastore:${{ env.NORMALIZED_BRANCH }}
              docker tag scalableminds/webknossos-tracingstore:${{ env.DOCKER_TAG }} scalableminds/webknossos-tracingstore:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos-tracingstore:${{ env.NORMALIZED_BRANCH }}
              docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${{ env.NORMALIZED_BRANCH }}
              docker push scalableminds/webknossos-dev:${{ env.NORMALIZED_BRANCH }}
            fi

      - name: Logout from Docker Hub
        run: docker logout

      # ... remaining steps ...

This update simplifies the retry logic by utilizing the nick-invision/retry@v2 action and the docker/login-action@v2 for authentication with Docker Hub.

Let me know if you have any questions or need further assistance!

(^‿^)/

Comment on lines +56 to +66
- name: "Custom environment variables"
run: |
if [[ ${{ github.ref_type }} == "branch" ]]; then
NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
else
echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
fi
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix shell script quoting issues

The branch normalization script has potential issues with word splitting. Apply proper quoting:

  if [[ ${{ github.ref_type }} == "branch" ]]; then
-   NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
+   NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
-   echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
+   echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
-   DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
+   DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
-   echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+   echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: "Custom environment variables"
run: |
if [[ ${{ github.ref_type }} == "branch" ]]; then
NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
else
echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
fi
- name: "Custom environment variables"
run: |
if [[ ${{ github.ref_type }} == "branch" ]]; then
NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"
else
echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
fi
🧰 Tools
🪛 actionlint

57-57: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


57-57: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


57-57: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


57-57: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Outside diff range and nitpick comments (4)
.github/actions/health_check_action.yml (1)

16-16: Add newline at end of file.

Following YAML best practices, ensure there's a newline character at the end of the file.

🧰 Tools
🪛 yamllint

[error] 16-16: no new line character at the end of file

(new-line-at-end-of-file)

project/BuildInfoSettings.scala (1)

16-17: Consider documenting CI environment variables.

Since these environment variables are crucial for versioning and build information, consider adding documentation about their expected values and usage.

Add a comment block above the variable declarations:

+  // CI environment variables used for versioning:
+  // CI_BUILD_NUM: Build number from CI system (e.g., GitHub Actions run number)
+  // CI_TAG: Git tag from CI system, if building a tagged commit
  val ciBuild: String =
    if (System.getenv().containsKey("CI_BUILD_NUM")) System.getenv().get("CI_BUILD_NUM") else ""
  val ciTag: String = if (System.getenv().containsKey("CI_TAG")) System.getenv().get("CI_TAG") else ""
.github/workflows/build_test_deploy.yml (1)

28-30: Fix YAML indentation

The indentation is inconsistent with the rest of the file.

    - uses: actions/setup-node@v4
      with:
-          node-version: 18
+        node-version: 18
🧰 Tools
🪛 yamllint

[warning] 30-30: wrong indentation: expected 8 but found 10

(indentation)

docker-compose.yml (1)

Line range hint 249-257: Fix syntax error in dev service command.

There's an extra quote at the end of the -Ddatastore.redis.address=redis line which will cause the command to fail.

Apply this fix:

     command:
       - bash
       - -c
       - >
         sbt
         -v -d -jvm-debug 5005
         "run
           -Djava.net.preferIPv4Stack=true
           -Dtracingstore.fossildb.address=fossildb
           -Dtracingstore.redis.address=redis"
-          -Ddatastore.redis.address=redis"
+          -Ddatastore.redis.address=redis
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 4a9811e and 53e35c4.

📒 Files selected for processing (4)
  • .github/actions/health_check_action.yml (1 hunks)
  • .github/workflows/build_test_deploy.yml (1 hunks)
  • docker-compose.yml (1 hunks)
  • project/BuildInfoSettings.scala (1 hunks)
🧰 Additional context used
🪛 yamllint
.github/actions/health_check_action.yml

[error] 16-16: no new line character at the end of file

(new-line-at-end-of-file)

.github/workflows/build_test_deploy.yml

[warning] 23-23: wrong indentation: expected 6 but found 4

(indentation)


[warning] 30-30: wrong indentation: expected 8 but found 10

(indentation)


[warning] 46-46: too many blank lines

(4 > 2) (empty-lines)


[error] 153-153: trailing spaces

(trailing-spaces)


[error] 155-155: trailing spaces

(trailing-spaces)


[error] 159-159: trailing spaces

(trailing-spaces)


[error] 164-164: trailing spaces

(trailing-spaces)

🪛 actionlint
.github/workflows/build_test_deploy.yml

56-56: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


71-71: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting

(shellcheck)


116-116: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


136-136: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


136-136: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (2)
.github/actions/health_check_action.yml (1)

1-6: LGTM! Clear and well-structured action metadata.

The action name, description, and input parameters are well-defined and follow GitHub Actions best practices.

project/BuildInfoSettings.scala (1)

16-17: LGTM! Verify environment variables in GitHub Actions workflow.

The change from CircleCI-specific environment variables to generic CI variables is a good practice for portability.

Let's verify that these environment variables are properly set in the GitHub Actions workflow:

Comment on lines +12 to +16
for i in {1..20}; do
curl --fail -v "${{ inputs.url }}" && exit 0
sleep 5
done
exit 1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Enhance security and reliability of the health check implementation.

Consider the following improvements:

  1. Add timeout to prevent hanging requests
  2. Validate the URL input
  3. Remove verbose flag to prevent potential sensitive information exposure
  4. Make retry count and delay configurable

Apply this diff to implement the suggested improvements:

+inputs:
+  url:
+    description: 'Health check URL'
+    required: true
+  max_attempts:
+    description: 'Maximum number of retry attempts'
+    required: false
+    default: '20'
+  retry_delay:
+    description: 'Delay between retries in seconds'
+    required: false
+    default: '5'
 runs:
   using: 'composite'
   steps:
     - shell: bash
       run: |
-        for i in {1..20}; do
-          curl --fail -v "${{ inputs.url }}" && exit 0
-          sleep 5
+        # Validate URL format
+        if ! [[ "${{ inputs.url }}" =~ ^https?:// ]]; then
+          echo "Error: Invalid URL format. Must start with http:// or https://"
+          exit 1
+        fi
+        
+        for i in $(seq 1 ${{ inputs.max_attempts }}); do
+          echo "Attempt $i of ${{ inputs.max_attempts }}"
+          # Add timeout and remove verbose flag
+          if curl --fail --max-time 30 "${{ inputs.url }}"; then
+            echo "Health check succeeded"
+            exit 0
+          fi
+          echo "Attempt failed, retrying in ${{ inputs.retry_delay }} seconds..."
+          sleep ${{ inputs.retry_delay }}
         done
+        echo "Health check failed after ${{ inputs.max_attempts }} attempts"
         exit 1

Committable suggestion was skipped due to low confidence.

🧰 Tools
🪛 yamllint

[error] 16-16: no new line character at the end of file

(new-line-at-end-of-file)

Comment on lines 142 to 143
run: .github/not-on-master.sh docker compose run base yarn typecheck
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Remove duplicate type checking

The frontend type checking is already performed in the static_frontend_code_checks job (line 38-39).

Consider removing this duplicate step to improve pipeline performance.

Comment on lines 195 to 196
- name: Report coverage
run: .github/not-on-master.sh docker compose run base yarn coverage || true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Don't silently ignore coverage failures

The coverage command ignores failures with || true, which could hide important coverage regressions.

Consider:

  1. Setting a minimum coverage threshold
  2. Making the job fail if coverage drops below the threshold
  3. Using a coverage reporting action to track trends
-        run: .github/not-on-master.sh docker compose run base yarn coverage || true
+        run: |
+          .github/not-on-master.sh docker compose run base yarn coverage
+        continue-on-error: true

Committable suggestion was skipped due to low confidence.

Comment on lines +13 to +17
USER_NAME: root
USER_UID: 1000
USER_GID: 1000
DOCKER_USER: ${{ secrets.DOCKER_USER }}
DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Security: Avoid running containers as root user

Running containers as root user (USER_NAME: root) is a security anti-pattern. Consider:

  1. Using a non-root user for better security
  2. Following the principle of least privilege
-  USER_NAME: root
+  USER_NAME: webknossos

Committable suggestion was skipped due to low confidence.

Comment on lines 84 to 89
- name: Assert schema.sql and evolutions are equal
run: |
docker compose up -d postgres
sleep 3
docker compose run compile tools/postgres/dbtool.js check-evolutions-schema

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Replace sleep with proper postgres readiness check

Using sleep is not reliable for ensuring postgres is ready. Consider using a proper health check.

-          sleep 3
+          until docker compose exec -T postgres pg_isready; do
+            echo "Waiting for postgres..."
+            sleep 1
+          done
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Assert schema.sql and evolutions are equal
run: |
docker compose up -d postgres
sleep 3
docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
- name: Assert schema.sql and evolutions are equal
run: |
docker compose up -d postgres
until docker compose exec -T postgres pg_isready; do
echo "Waiting for postgres..."
sleep 1
done
docker compose run compile tools/postgres/dbtool.js check-evolutions-schema

Comment on lines +108 to +109
- CI_TAG=${GITHUB_REF}
- CI_BUILD_NUM=${GITHUB_JOB}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

⚠️ Potential issue

Environment variables need adjustment for GitHub Actions

Based on the usage in project/BuildInfoSettings.scala, these variables are used to populate build information. The current mappings need to be corrected:

  1. CI_TAG=${GITHUB_REF} - This will include the full ref path, making ciTag contain unwanted prefixes like "refs/tags/" or "refs/heads/"
  2. CI_BUILD_NUM=${GITHUB_JOB} - This will store the job name instead of a build number in ciBuild, which differs from the previous behavior

Suggested fix:

-      - CI_TAG=${GITHUB_REF}
-      - CI_BUILD_NUM=${GITHUB_JOB}
+      - CI_TAG=${GITHUB_REF_NAME}
+      - CI_BUILD_NUM=${GITHUB_RUN_NUMBER}
  • GITHUB_REF_NAME provides just the branch/tag name without the "refs/*/" prefix
  • GITHUB_RUN_NUMBER provides a sequential number for the workflow runs, similar to the previous CI build number
🔗 Analysis chain

Review environment variable mappings for GitHub Actions.

The current mappings might not provide equivalent values:

  1. GITHUB_REF includes the full reference path (e.g., 'refs/heads/main', 'refs/tags/v1.0.0') unlike CIRCLE_TAG which only contained the tag name.
  2. GITHUB_JOB provides the job name, not a sequential build number like CIRCLE_BUILD_NUM.

Consider these alternatives:

-      - CI_TAG=${GITHUB_REF}
-      - CI_BUILD_NUM=${GITHUB_JOB}
+      - CI_TAG=${GITHUB_REF#refs/tags/}
+      - CI_BUILD_NUM=${GITHUB_RUN_NUMBER}

Let's verify the usage of these variables:


Let me gather more context about how these variables might be used in the application code.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for CI_TAG and CI_BUILD_NUM usage in the codebase
rg "CI_(TAG|BUILD_NUM)" --type-add 'config:*.{yml,yaml,json,conf,properties}' -t config

Length of output: 191


Script:

#!/bin/bash
# Search for CI_TAG and CI_BUILD_NUM usage in all files
rg "CI_(TAG|BUILD_NUM)" -A 3 -B 3

# Also check for any shell scripts that might use these variables
fd ".sh$" --exec grep -l "CI_TAG\|CI_BUILD_NUM" {} \;

Length of output: 1350

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)
.github/workflows/build_test_deploy.yml (3)

23-23: Fix YAML indentation issues

There are inconsistent indentation levels in the workflow file:

  • Line 23: Should be 6 spaces instead of 4
  • Line 30: Should be 8 spaces instead of 10
    steps:
-    - name: Checkout code
+      - name: Checkout code
       uses: actions/checkout@v3
       with:
         fetch-depth: 5

     - uses: actions/setup-node@v4
       with:
-          node-version: 18
+        node-version: 18

Also applies to: 30-30

🧰 Tools
🪛 yamllint

[warning] 23-23: wrong indentation: expected 6 but found 4

(indentation)


44-46: Remove excessive blank lines

There are too many consecutive blank lines (4 > 2) between the jobs.

    - name: Check for cyclic dependencies in frontend
      run: yarn check-cyclic-dependencies

-

-

  build_test_deploy:
🧰 Tools
🪛 yamllint

[warning] 46-46: too many blank lines

(4 > 2) (empty-lines)


153-165: Fix trailing spaces in YAML

Remove trailing spaces from the following lines:

  • Line 153: with:
  • Line 155: Empty line with spaces
  • Line 159: with:
  • Line 164: with:
      - name: Run webknossos smoke test
        uses: ./.github/actions/health_check_action
-        with: 
+        with:
          url: http://localhost:9000/api/health

      - name: Run webknossos-datastore smoke test
        uses: ./.github/actions/health_check_action
-        with: 
+        with:
          url: http://localhost:9090/data/health

      - name: Run webknossos-tracingstore smoke test
        uses: ./.github/actions/health_check_action
-        with: 
+        with:
          url: http://localhost:9050/tracings/health
🧰 Tools
🪛 yamllint

[error] 153-153: trailing spaces

(trailing-spaces)


[error] 155-155: trailing spaces

(trailing-spaces)


[error] 159-159: trailing spaces

(trailing-spaces)


[error] 164-164: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 53e35c4 and eb8af0b.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • .github/workflows/build_test_deploy.yml (1 hunks)
  • docker-compose.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • docker-compose.yml
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

56-56: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


71-71: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting

(shellcheck)


116-116: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


136-136: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


136-136: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 23-23: wrong indentation: expected 6 but found 4

(indentation)


[warning] 30-30: wrong indentation: expected 8 but found 10

(indentation)


[warning] 46-46: too many blank lines

(4 > 2) (empty-lines)


[error] 153-153: trailing spaces

(trailing-spaces)


[error] 155-155: trailing spaces

(trailing-spaces)


[error] 159-159: trailing spaces

(trailing-spaces)


[error] 164-164: trailing spaces

(trailing-spaces)

Comment on lines 95 to 111
run: docker compose run base yarn build

- name: Build webknossos (sbt)
run: |
if [ "${{ github.ref }}" == "refs/heads/master" ]; then
docker compose run compile sbt -no-colors clean compile stage
else
docker compose run compile sbt -no-colors -DfailOnWarning compile stage
fi

- name: Build webknossos-datastore (sbt)
run: docker compose run base sbt -no-colors -DfailOnWarning "project webknossosDatastore" copyMessages compile stage

- name: Build webknossos-tracingstore (sbt)
run: docker compose run base sbt -no-colors -DfailOnWarning "project webknossosTracingstore" copyMessages compile stage

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider parallelizing build steps

The build steps for webknossos, datastore, and tracingstore are running sequentially. Consider using GitHub Actions' job parallelization to speed up the pipeline:

  1. Split the builds into separate jobs
  2. Use job outputs to share build artifacts
  3. Use job dependencies to maintain the correct order

Example structure:

jobs:
  build-webknossos:
    # ... build webknossos
    outputs:
      checksum: ${{ steps.checksum.outputs.value }}

  build-datastore:
    needs: build-webknossos
    # ... build datastore

  build-tracingstore:
    needs: build-webknossos
    # ... build tracingstore

  tests:
    needs: [build-webknossos, build-datastore, build-tracingstore]
    # ... run tests

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)

13-15: Remove or document commented environment variables

The commented user-related environment variables (USER_NAME, USER_UID, USER_GID) should either be removed if they're no longer needed or documented if they serve a specific purpose.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between eb8af0b and 1d77e3c.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

56-56: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


56-56: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


71-71: shellcheck reported issue in this script: SC2086:info:1:42: Double quote to prevent globbing and word splitting

(shellcheck)


116-116: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


136-136: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


136-136: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


171-171: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 23-23: wrong indentation: expected 6 but found 4

(indentation)


[warning] 30-30: wrong indentation: expected 8 but found 10

(indentation)


[warning] 46-46: too many blank lines

(4 > 2) (empty-lines)


[error] 153-153: trailing spaces

(trailing-spaces)


[error] 155-155: trailing spaces

(trailing-spaces)


[error] 159-159: trailing spaces

(trailing-spaces)


[error] 164-164: trailing spaces

(trailing-spaces)

🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)

20-42: LGTM: Frontend checks are well-structured

The frontend checks job is well-organized with appropriate steps for dependency installation, linting, type checking, and cyclic dependency validation.

🧰 Tools
🪛 yamllint

[warning] 23-23: wrong indentation: expected 6 but found 4

(indentation)


[warning] 30-30: wrong indentation: expected 8 but found 10

(indentation)

Comment on lines 172 to 178
for i in {1..5}; do
"$@" && s=0 && break || s=$?
sleep 10
done
return $s
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider using GitHub Actions' built-in retry functionality

Instead of implementing a custom retry function, consider using GitHub Actions' built-in retry functionality with the nick-invision/retry@v2 action:

- uses: nick-invision/retry@v2
  with:
    timeout_minutes: 10
    max_attempts: 5
    command: docker login -u "${DOCKER_USER}" -p "${DOCKER_PASS}"

This approach provides better logging and integration with GitHub Actions.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 1d77e3c and 7acf3a9.

📒 Files selected for processing (2)
  • .github/workflows/build_test_deploy.yml (1 hunks)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

54-54: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


54-54: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


131-131: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


151-151: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


151-151: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


183-183: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 23-23: wrong indentation: expected 6 but found 4

(indentation)


[error] 70-70: trailing spaces

(trailing-spaces)


[error] 80-80: trailing spaces

(trailing-spaces)


[error] 165-165: trailing spaces

(trailing-spaces)


[error] 167-167: trailing spaces

(trailing-spaces)


[error] 171-171: trailing spaces

(trailing-spaces)


[error] 176-176: trailing spaces

(trailing-spaces)

🔇 Additional comments (2)
Dockerfile (1)

11-11: Please clarify the Docker-dev image reference in the comment.

The comment mentions "Docker-dev image" but this dependency isn't clearly documented. This could make it difficult for other developers to understand the build prerequisites.

Let's check for any Docker-dev image references:

✅ Verification successful

Let me check the docker-compose files to understand if there's a dev image defined:


Let me check the Dockerfile.dev since I found a reference to webknossos-dev image in docker-compose.yml:


Based on the docker-compose.yml and Dockerfile.dev analysis, I can now generate the final response:

The Docker-dev image reference is accurate and well-integrated

The comment refers to the webknossos-dev image which is properly defined in docker-compose.yml under the base service. This dev image is built from Dockerfile.dev and is used for development and compilation tasks. The compiled Scala output from this dev environment is indeed used in the production Dockerfile, making the comment accurate and helpful.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for Docker-dev image references in the repository
rg -i "docker-dev.*image"

# Check docker-compose files for related services
fd -e yml -e yaml | xargs rg -l "docker"

Length of output: 329


Script:

#!/bin/bash
# Check contents of docker-compose files for dev image definitions
echo "=== Main docker-compose.yml ==="
cat docker-compose.yml

echo -e "\n=== tools/hosting/docker-compose.yml ==="
cat tools/hosting/docker-compose.yml

echo -e "\n=== webknossos-tracingstore/deployment/docker-compose.yml ==="
cat webknossos-tracingstore/deployment/docker-compose.yml

echo -e "\n=== webknossos-datastore/deployment/docker-compose.yml ==="
cat webknossos-datastore/deployment/docker-compose.yml

Length of output: 14631


Script:

#!/bin/bash
# Check Dockerfile.dev contents
cat Dockerfile.dev

Length of output: 1079

.github/workflows/build_test_deploy.yml (1)

4-6: Consider including additional protected branches in push triggers

The push trigger is currently limited to the master branch. Consider including other protected branches (e.g., main, develop, release/*) to ensure the pipeline runs on all important branches.

@@ -8,6 +8,7 @@ RUN curl -sL "https://deb.nodesource.com/setup_${VERSION_NODE}" | bash - \
RUN mkdir -p /webknossos
WORKDIR /webknossos

# Copy compiled Scala output from a previous build step, e.g. output of the Docker-dev image
COPY target/universal/stage .
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider validating the copied Scala artifacts.

While the COPY command is correct, consider adding validation to ensure the required Scala artifacts are present and complete.

Consider adding a validation step:

 # Copy compiled Scala output from a previous build step, e.g. output of the Docker-dev image
 COPY target/universal/stage .
+RUN test -f bin/webknossos && \
+    test -d lib || \
+    (echo "Error: Required Scala artifacts are missing" && exit 1)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
COPY target/universal/stage .
# Copy compiled Scala output from a previous build step, e.g. output of the Docker-dev image
COPY target/universal/stage .
RUN test -f bin/webknossos && \
test -d lib || \
(echo "Error: Required Scala artifacts are missing" && exit 1)

Comment on lines 207 to 211
run: |
WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
yarn run docs --project-version $WK_VERSION

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Add error handling to documentation build

The documentation build step should fail the workflow if there are any errors.

      - name: Build frontend documentation
        run: |
+         set -eo pipefail
          WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
-         yarn run docs --project-version $WK_VERSION
+         yarn run docs --project-version "${WK_VERSION}"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Build frontend documentation
run: |
WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
yarn run docs --project-version $WK_VERSION
- name: Build frontend documentation
run: |
set -eo pipefail
WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
yarn run docs --project-version "${WK_VERSION}"

Comment on lines 81 to 86
- name: Install dependencies
run: apt-get update \
&& apt-get install -y \
findutils \
libdraco-dev \
libblosc1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Optimize apt-get commands

The apt-get installation can be optimized to reduce the image size and improve build time.

-      - name: Install dependencies
-        run: apt-get update \
-          && apt-get install -y \
-          findutils \
-          libdraco-dev \
-          libblosc1
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install -y --no-install-recommends \
+            findutils \
+            libdraco-dev \
+            libblosc1 \
+          && rm -rf /var/lib/apt/lists/*
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Install dependencies
run: apt-get update \
&& apt-get install -y \
findutils \
libdraco-dev \
libblosc1
- name: Install dependencies
run: |
apt-get update && apt-get install -y --no-install-recommends \
findutils \
libdraco-dev \
libblosc1 \
&& rm -rf /var/lib/apt/lists/*

Comment on lines +32 to +33
- name: Install frontend dependencies
run: corepack enable && yarn install --immutable
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Add yarn cache to improve CI performance

Consider using GitHub's cache action for yarn dependencies to speed up the CI pipeline.

    - uses: actions/setup-node@v4
      with:
        node-version: 18
+       cache: 'yarn'
+
+   - name: Get yarn cache directory path
+     id: yarn-cache-dir-path
+     run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+   - uses: actions/cache@v3
+     id: yarn-cache
+     with:
+       path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+       key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+       restore-keys: |
+         ${{ runner.os }}-yarn-

    - name: Install frontend dependencies
      run: corepack enable && yarn install --immutable
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Install frontend dependencies
run: corepack enable && yarn install --immutable
- uses: actions/setup-node@v4
with:
node-version: 18
cache: 'yarn'
- name: Get yarn cache directory path
id: yarn-cache-dir-path
run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
- uses: actions/cache@v3
id: yarn-cache
with:
path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-yarn-
- name: Install frontend dependencies
run: corepack enable && yarn install --immutable

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)

12-17: Add timezone environment variable

Consider adding TZ: UTC (or your preferred timezone) to ensure consistent timestamps across the pipeline execution.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 7acf3a9 and da87a2a.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

73-73: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


73-73: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


73-73: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


73-73: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


141-141: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


158-158: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


158-158: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


189-189: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 23-23: wrong indentation: expected 6 but found 4

(indentation)


[warning] 52-52: wrong indentation: expected 6 but found 8

(indentation)


[error] 89-89: trailing spaces

(trailing-spaces)


[error] 99-99: trailing spaces

(trailing-spaces)


[error] 172-172: trailing spaces

(trailing-spaces)


[error] 174-174: trailing spaces

(trailing-spaces)


[error] 177-177: trailing spaces

(trailing-spaces)


[error] 182-182: trailing spaces

(trailing-spaces)

foo:
runs-on: ubuntu-20.04
static_frontend_code_checks:
runs-on: ubuntu-24.04
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Align Ubuntu versions across jobs

The static_frontend_code_checks job uses ubuntu-24.04 while build_test_deploy uses ubuntu-20.04. This inconsistency could lead to environment differences. Consider using the same Ubuntu version for both jobs.

Also applies to: 46-46

Comment on lines 55 to 57
POSTGRES_DB: webknossos
POSTGRES_USER: webknossos_user
POSTGRES_PASSWORD: secret_password
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Use secrets for database credentials

Database credentials are currently hardcoded in the workflow file. Consider using GitHub secrets:

-            POSTGRES_DB: webknossos
-            POSTGRES_USER: webknossos_user
-            POSTGRES_PASSWORD: secret_password
+            POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
+            POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+            POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
POSTGRES_DB: webknossos
POSTGRES_USER: webknossos_user
POSTGRES_PASSWORD: secret_password
POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}

Comment on lines 213 to 216
- name: Build frontend documentation
run: |
WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
yarn run docs --project-version $WK_VERSION
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Improve documentation version handling

The current version fallback chain could be more explicit:

-          WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
+          WK_VERSION=$(
+            if [ -n "${{ github.event.release.tag_name }}" ]; then
+              echo "${{ github.event.release.tag_name }}"
+            elif [ "${{ github.ref }}" = "refs/heads/master" ]; then
+              echo "${{ github.run_number }}"
+            else
+              echo "dev"
+            fi
+          )
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Build frontend documentation
run: |
WK_VERSION=${{ github.event.release.tag_name || github.run_number || 'dev' }}
yarn run docs --project-version $WK_VERSION
- name: Build frontend documentation
run: |
WK_VERSION=$(
if [ -n "${{ github.event.release.tag_name }}" ]; then
echo "${{ github.event.release.tag_name }}"
elif [ "${{ github.ref }}" = "refs/heads/master" ]; then
echo "${{ github.run_number }}"
else
echo "dev"
fi
)
yarn run docs --project-version $WK_VERSION

Comment on lines 140 to 149
- name: Build webknossos docker image
run: |
docker pull scalableminds/webknossos:$NORMALIZED_BRANCH || true
DEV_CACHE=$NORMALIZED_BRANCH docker compose build --pull webknossos

- name: Build webknossos-datastore docker image
run: docker compose build --pull webknossos-datastore

- name: Build webknossos-tracingstore docker image
run: docker compose build --pull webknossos-tracingstore
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Optimize Docker builds with layer caching

Consider using BuildKit's cache features to speed up builds:

-        run: docker compose build --pull webknossos-datastore
+        run: |
+          DOCKER_BUILDKIT=1 docker compose build \
+            --pull \
+            --build-arg BUILDKIT_INLINE_CACHE=1 \
+            webknossos-datastore
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Build webknossos docker image
run: |
docker pull scalableminds/webknossos:$NORMALIZED_BRANCH || true
DEV_CACHE=$NORMALIZED_BRANCH docker compose build --pull webknossos
- name: Build webknossos-datastore docker image
run: docker compose build --pull webknossos-datastore
- name: Build webknossos-tracingstore docker image
run: docker compose build --pull webknossos-tracingstore
- name: Build webknossos docker image
run: |
docker pull scalableminds/webknossos:$NORMALIZED_BRANCH || true
DEV_CACHE=$NORMALIZED_BRANCH docker compose build --pull webknossos
- name: Build webknossos-datastore docker image
run: |
DOCKER_BUILDKIT=1 docker compose build \
--pull \
--build-arg BUILDKIT_INLINE_CACHE=1 \
webknossos-datastore
- name: Build webknossos-tracingstore docker image
run: docker compose build --pull webknossos-tracingstore
🧰 Tools
🪛 actionlint

141-141: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)

Comment on lines 108 to 119
# - name: Prepare dependency folders
# run: mkdir -p project/target target ~/.ivy2 ~/.cache/coursier

# - name: Assert unique evolution numbers
# run: docker compose run base tools/postgres/dbtool.js assert-unique-evolution-numbers

# - name: Assert schema.sql and evolutions are equal
# run: |
# docker compose up -d postgres
# sleep 3
# docker compose run compile tools/postgres/dbtool.js check-evolutions-schema

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

These database validation steps should be uncommented and fixed

The commented-out steps are critical database schema validation checks that:

  1. Ensure evolution numbers are unique (assert-unique-evolution-numbers)
  2. Verify schema.sql matches the evolutions (check-evolutions-schema)

These checks are important as evidenced by:

  • The dbtool.js script contains active implementations of these commands
  • The script is actively used in other parts of the codebase for database validation
  • No alternative validation steps exist in the workflow file
🔗 Analysis chain

Clean up commented code blocks

Several steps are commented out but seem important for database schema validation. Either:

  1. Remove these comments if they're no longer needed
  2. Uncomment and fix them if they're still required

Let me check how these database tools are actually used to determine if the commented steps are still needed.


Let me check if these database validation steps are replaced by other mechanisms in the workflow.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if these database tools are used elsewhere
rg -l "dbtool.js"

Length of output: 217


Script:

#!/bin/bash
# Check the content of files that use dbtool.js
rg "dbtool\.js" -C 3

# Also check if there are any other similar database schema validation tasks
rg "schema" .github/workflows/ -C 3

Length of output: 6445


Script:

#!/bin/bash
# Check the entire workflow file for other database validation steps
cat .github/workflows/build_test_deploy.yml

# Also check if dbtool.js exists and what commands it supports
cat tools/postgres/dbtool.js 2>/dev/null || echo "File not found"

Length of output: 21423

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
.github/workflows/build_test_deploy.yml (2)

102-107: Optimize Java setup configuration

The Java setup could be improved:

  1. Consider using a specific version instead of latest
  2. Enable concurrent garbage collection for better CI performance
   - name: Set up Java
     uses: actions/setup-java@v4
     with:
       distribution: 'temurin'
       java-version: '21'
       cache: 'sbt'
+      java-package: jdk
+      architecture: x64
+    env:
+      JAVA_OPTS: "-XX:+UseG1GC -XX:+UseStringDeduplication"

172-180: Consider parallelizing test execution

The backend and e2e tests are running sequentially. Consider:

  1. Running backend tests in parallel using test splitting
  2. Implementing test sharding for e2e tests

Example configuration for parallel test execution:

strategy:
  matrix:
    test-group: [1, 2, 3, 4]
steps:
  - name: Run backend tests
    run: |
      TOTAL_GROUPS=4
      GROUP=${{ matrix.test-group }}
      .github/not-on-master.sh docker compose run backend-tests --split-by=timings --group=$GROUP/$TOTAL_GROUPS
🧰 Tools
🪛 actionlint

176-176: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


176-176: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between d12c110 and f25cca0.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


153-153: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


176-176: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


176-176: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


207-207: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 75-75: trailing spaces

(trailing-spaces)


[error] 98-98: trailing spaces

(trailing-spaces)


[error] 190-190: trailing spaces

(trailing-spaces)


[error] 192-192: trailing spaces

(trailing-spaces)


[error] 195-195: trailing spaces

(trailing-spaces)


[error] 200-200: trailing spaces

(trailing-spaces)

🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)

4-16: Verify branch protection rules alignment

The workflow triggers look good, but please ensure they align with your repository's branch protection rules, especially for the master branch.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (3)
.github/workflows/build_test_deploy.yml (3)

4-16: Consider refining the pull request trigger configuration

The current configuration triggers on PRs for all branches ('*'). Consider limiting this to specific branches that are relevant to your workflow, such as:

  pull_request:
    branches:
-     - '*'
+     - master
+     - develop
+     - 'release/**'

66-70: Optimize PostgreSQL health check configuration

The current health check configuration might be too aggressive:

  • 2s interval might be too frequent and could cause unnecessary load
  • 30 retries with 2s interval = 60s total wait time, which might be excessive

Consider adjusting the values:

  options: >-
    --health-cmd pg_isready
-   --health-interval 2s
-   --health-timeout 5s
-   --health-retries 30
+   --health-interval 10s
+   --health-timeout 5s
+   --health-retries 12

111-116: Optimize OS dependencies installation

The current apt-get installation can be improved:

  1. Clean up cache to reduce image size
  2. Combine commands to reduce layers
  3. Remove commented out packages
- run: sudo apt-get update && sudo apt-get install -y libdraco-dev libblosc-dev
+ run: |
+   sudo apt-get update && \
+   sudo apt-get install -y --no-install-recommends \
+     libdraco-dev \
+     libblosc-dev && \
+   sudo rm -rf /var/lib/apt/lists/*
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between f25cca0 and 816989d.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


156-156: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


179-179: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


179-179: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


210-210: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 75-75: trailing spaces

(trailing-spaces)


[error] 98-98: trailing spaces

(trailing-spaces)


[error] 193-193: trailing spaces

(trailing-spaces)


[error] 195-195: trailing spaces

(trailing-spaces)


[error] 198-198: trailing spaces

(trailing-spaces)


[error] 203-203: trailing spaces

(trailing-spaces)

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 816989d and d9322ce.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


157-157: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 75-75: trailing spaces

(trailing-spaces)


[error] 98-98: trailing spaces

(trailing-spaces)


[error] 194-194: trailing spaces

(trailing-spaces)


[error] 196-196: trailing spaces

(trailing-spaces)


[error] 199-199: trailing spaces

(trailing-spaces)


[error] 204-204: trailing spaces

(trailing-spaces)

🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)

81-91: 🛠️ Refactor suggestion

Fix shell script quoting in environment variables

The script has potential issues with word splitting. Apply proper quoting:

  if [[ ${{ github.ref_type }} == "branch" ]]; then
-   NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
+   NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
-   echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
+   echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
-   DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
+   DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
-   echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+   echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"

Likely invalid or redundant comment.

🧰 Tools
🪛 actionlint

82-82: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


82-82: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)

default: false

env:
USER_NAME: root
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Security: Avoid running as root user

Running containers as root user is a security risk. Consider using a non-root user with minimal required permissions.

-  USER_NAME: root
+  USER_NAME: webknossos
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
USER_NAME: root
USER_NAME: webknossos

Comment on lines +41 to +48
- name: Lint frontend code and check formatting
run: yarn run check-frontend

- name: Typecheck frontend code
run: yarn typecheck

- name: Check for cyclic dependencies in frontend
run: yarn check-cyclic-dependencies
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Add error handling to frontend checks

The frontend check commands should fail fast if any check fails. Add proper error handling:

    - name: Lint frontend code and check formatting
      run: |
+       set -euo pipefail
        yarn run check-frontend

    - name: Typecheck frontend code
      run: |
+       set -euo pipefail
        yarn typecheck

    - name: Check for cyclic dependencies in frontend
      run: |
+       set -euo pipefail
        yarn check-cyclic-dependencies
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Lint frontend code and check formatting
run: yarn run check-frontend
- name: Typecheck frontend code
run: yarn typecheck
- name: Check for cyclic dependencies in frontend
run: yarn check-cyclic-dependencies
- name: Lint frontend code and check formatting
run: |
set -euo pipefail
yarn run check-frontend
- name: Typecheck frontend code
run: |
set -euo pipefail
yarn typecheck
- name: Check for cyclic dependencies in frontend
run: |
set -euo pipefail
yarn check-cyclic-dependencies

Comment on lines 180 to 185
run: |
for i in {1..3}; do # retry
.github/not-on-master.sh docker compose run e2e-tests && s=0 && break || s=$?
done
(exit $s)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Fix shell script quoting in retry logic

The retry logic needs proper quoting and error handling:

  run: |
+   set -euo pipefail
    for i in {1..3}; do # retry
-     .github/not-on-master.sh docker compose run e2e-tests && s=0 && break || s=$?
+     if .github/not-on-master.sh docker compose run e2e-tests; then
+       s=0
+       break
+     else
+       s=$?
+     fi
    done
-   (exit $s)
+   (exit "${s}")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
run: |
for i in {1..3}; do # retry
.github/not-on-master.sh docker compose run e2e-tests && s=0 && break || s=$?
done
(exit $s)
run: |
set -euo pipefail
for i in {1..3}; do # retry
if .github/not-on-master.sh docker compose run e2e-tests; then
s=0
break
else
s=$?
fi
done
(exit "${s}")
🧰 Tools
🪛 actionlint

180-180: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)

4-16: Consider optimizing workflow triggers

The workflow configuration could be more efficient:

  1. The push trigger could specify paths to reduce unnecessary runs
  2. The pull_request trigger could also use path filters
  push:
    branches:
      - master
+   paths:
+     - 'app/**'
+     - 'webknossos-datastore/**'
+     - 'webknossos-tracingstore/**'
+     - 'package.json'
+     - 'yarn.lock'
  pull_request:
    branches:
      - '*'
+   paths:
+     - 'app/**'
+     - 'webknossos-datastore/**'
+     - 'webknossos-tracingstore/**'
+     - 'package.json'
+     - 'yarn.lock'
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between d9322ce and b162be2.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


154-154: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)


180-180: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)


180-180: shellcheck reported issue in this script: SC2086:info:4:7: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 74-74: trailing spaces

(trailing-spaces)


[error] 97-97: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 128-128: trailing spaces

(trailing-spaces)


[error] 194-194: trailing spaces

(trailing-spaces)


[error] 196-196: trailing spaces

(trailing-spaces)


[error] 199-199: trailing spaces

(trailing-spaces)


[error] 204-204: trailing spaces

(trailing-spaces)

🔇 Additional comments (1)
.github/workflows/build_test_deploy.yml (1)

26-48: 🛠️ Refactor suggestion

Optimize frontend checks performance

The frontend checks job could be improved:

  1. Add yarn caching
  2. Add proper error handling
  3. Consider parallelizing the checks
 - uses: actions/setup-node@v4
   with:
     node-version: 18
+    cache: 'yarn'

 - name: Install frontend dependencies
   run: corepack enable && yarn install --immutable

 - name: Lint frontend code and check formatting
-  run: yarn run check-frontend
+  run: |
+    set -euo pipefail
+    yarn run check-frontend

 - name: Typecheck frontend code
-  run: yarn typecheck
+  run: |
+    set -euo pipefail
+    yarn typecheck

 - name: Check for cyclic dependencies in frontend
-  run: yarn check-cyclic-dependencies
+  run: |
+    set -euo pipefail
+    yarn check-cyclic-dependencies

Likely invalid or redundant comment.

🧰 Tools
🪛 yamllint

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)

Comment on lines +18 to +23
env:
USER_NAME: root
USER_UID: 1000
USER_GID: 1000
DOCKER_USER: ${{ secrets.DOCKER_USER }}
DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Security: Critical configuration issues

Several security concerns need to be addressed:

  1. Running as root user is a security risk
  2. Consider using GitHub's OIDC for Docker Hub authentication instead of storing credentials
 env:
-  USER_NAME: root
+  USER_NAME: webknossos
   USER_UID: 1000
   USER_GID: 1000
-  DOCKER_USER: ${{ secrets.DOCKER_USER }}
-  DOCKER_PASS: ${{ secrets.DOCKER_PASS }}

Consider using OIDC for Docker Hub:

permissions:
  id-token: write
  contents: read

jobs:
  build:
    steps:
      - uses: docker/login-action@v2
        with:
          registry: docker.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

Comment on lines +62 to +64
POSTGRES_URL: jdbc:postgresql://postgres/webknossos
POSTGRES_USER: webknossos_user
POSTGRES_PASSWORD: secret_password
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Security: Use secrets for database credentials

Database credentials should not be hardcoded in the workflow file.

 env:
-  POSTGRES_URL: jdbc:postgresql://postgres/webknossos
-  POSTGRES_USER: webknossos_user
-  POSTGRES_PASSWORD: secret_password
+  POSTGRES_URL: ${{ secrets.POSTGRES_URL }}
+  POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+  POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
POSTGRES_URL: jdbc:postgresql://postgres/webknossos
POSTGRES_USER: webknossos_user
POSTGRES_PASSWORD: secret_password
POSTGRES_URL: ${{ secrets.POSTGRES_URL }}
POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}

Comment on lines +119 to +126
# - name: Assert unique evolution numbers
# run: node tools/postgres/dbtool.js assert-unique-evolution-numbers

# - name: Assert schema.sql and evolutions are equal
# run: |
# docker compose up -d postgres
# sleep 3
# docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Uncomment and fix database validation steps

The commented-out database validation steps are critical for ensuring schema integrity.

-# - name: Assert unique evolution numbers
-#   run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
+- name: Assert unique evolution numbers
+  run: node tools/postgres/dbtool.js assert-unique-evolution-numbers

-# - name: Assert schema.sql and evolutions are equal
-#   run: |
-#     docker compose up -d postgres
-#     sleep 3
-#     docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
+- name: Assert schema.sql and evolutions are equal
+  run: |
+    docker compose up -d postgres
+    until docker compose exec -T postgres pg_isready; do
+      echo "Waiting for postgres..."
+      sleep 1
+    done
+    docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# - name: Assert unique evolution numbers
# run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
# - name: Assert schema.sql and evolutions are equal
# run: |
# docker compose up -d postgres
# sleep 3
# docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
- name: Assert unique evolution numbers
run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
- name: Assert schema.sql and evolutions are equal
run: |
docker compose up -d postgres
until docker compose exec -T postgres pg_isready; do
echo "Waiting for postgres..."
sleep 1
done
docker compose run compile tools/postgres/dbtool.js check-evolutions-schema

Comment on lines 211 to 233
run: |
function retry() {
for i in {1..5}; do
"$@" && s=0 && break || s=$?
sleep 10
done
return $s
}
retry docker login -u $DOCKER_USER -p $DOCKER_PASS
retry docker compose push webknossos
retry docker compose push webknossos-datastore
retry docker compose push webknossos-tracingstore
if [[ ${{ github.ref_type }} == "branch" ]]; then
docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-datastore:${DOCKER_TAG} scalableminds/webknossos-datastore:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-datastore:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-tracingstore:${DOCKER_TAG} scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-dev:${NORMALIZED_BRANCH}
fi
docker logout
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix shell script issues in Docker operations

The Docker operations script has multiple quoting and error handling issues.

 function retry() {
+  local cmd=("$@")
   for i in {1..5}; do
-    "$@" && s=0 && break || s=$?
+    if "${cmd[@]}"; then
+      return 0
+    fi
     sleep 10
   done
-  return $s
+  return 1
 }
-retry docker login -u $DOCKER_USER -p $DOCKER_PASS
+retry docker login -u "${DOCKER_USER}" -p "${DOCKER_PASS}"
 retry docker compose push webknossos
 retry docker compose push webknossos-datastore
 retry docker compose push webknossos-tracingstore
 if [[ ${{ github.ref_type }} == "branch" ]]; then
-  docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH}
+  docker tag "scalableminds/webknossos:${DOCKER_TAG}" "scalableminds/webknossos:${NORMALIZED_BRANCH}"
   # Similar fixes for other docker commands
 fi

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 actionlint

211-211: shellcheck reported issue in this script: SC2034:warning:2:3: i appears unused. Verify use (or export if used externally)

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:6:10: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:8:23: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:8:39: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:13:39: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:13:78: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:14:46: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:15:49: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:15:98: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:16:56: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:17:52: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:17:104: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:18:59: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:19:72: Double quote to prevent globbing and word splitting

(shellcheck)


211-211: shellcheck reported issue in this script: SC2086:info:20:50: Double quote to prevent globbing and word splitting

(shellcheck)

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between b162be2 and 77d54be.

📒 Files selected for processing (2)
  • .github/not-on-master.sh (1 hunks)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/not-on-master.sh
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


157-157: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 74-74: trailing spaces

(trailing-spaces)


[error] 97-97: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 128-128: trailing spaces

(trailing-spaces)


[error] 149-149: trailing spaces

(trailing-spaces)


[error] 195-195: trailing spaces

(trailing-spaces)


[error] 197-197: trailing spaces

(trailing-spaces)


[error] 200-200: trailing spaces

(trailing-spaces)


[error] 205-205: trailing spaces

(trailing-spaces)


[error] 220-220: trailing spaces

(trailing-spaces)

🔇 Additional comments (3)
.github/workflows/build_test_deploy.yml (3)

4-16: LGTM! Well-structured workflow triggers

The workflow triggers and debug input configuration are properly set up, providing good flexibility for CI/CD operations.


18-23: Skip comment: Security concerns already addressed

A previous review has already flagged the security concerns about running as root and suggested using OIDC for Docker Hub authentication.


26-48: Skip comment: Error handling improvements already suggested

A previous review has already suggested adding proper error handling to the frontend check commands.

🧰 Tools
🪛 yamllint

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)

Comment on lines +233 to +234
run: .github/not-on-master.sh yarn coverage || true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Don't silence coverage failures

The coverage command is set to ignore failures with || true. This could hide important coverage regressions.

Consider:

  1. Remove the || true
  2. Set a minimum coverage threshold
  3. Make the job fail if coverage drops below the threshold
-        run: .github/not-on-master.sh yarn coverage || true
+        run: |
+          set -eo pipefail
+          .github/not-on-master.sh yarn coverage

Committable suggestion skipped: line range outside the PR's diff.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)
.github/workflows/build_test_deploy.yml (2)

101-106: Consider caching Java dependencies more effectively.

While SBT caching is enabled, consider also caching the local Maven repository to speed up builds:

 - uses: actions/setup-java@v4
   with:
     distribution: 'temurin'
     java-version: '21'
     cache: 'sbt'
+    cache-dependency-path: |
+      **/*.sbt
+      project/**.scala
+      project/**.sbt

150-151: Optimize test execution configuration.

Consider improving the test execution:

  1. Add test parallelization
  2. Configure test output format
  3. Add test results reporting
-        run: .github/not-on-master.sh sbt -v "testOnly backend.*"
+        run: |
+          .github/not-on-master.sh sbt -v \
+            'set Test / parallelExecution := true' \
+            'set Test / testOptions += Tests.Argument("-oDF")' \
+            "testOnly backend.*"
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-results
+          path: target/test-reports/
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 77d54be and 46f6696.

📒 Files selected for processing (2)
  • .github/workflows/build_test_deploy.yml (1 hunks)
  • docker-compose.yml (3 hunks)
🧰 Additional context used
🪛 actionlint
.github/workflows/build_test_deploy.yml

81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 74-74: trailing spaces

(trailing-spaces)


[error] 97-97: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 128-128: trailing spaces

(trailing-spaces)


[error] 149-149: trailing spaces

(trailing-spaces)


[error] 178-178: trailing spaces

(trailing-spaces)


[error] 187-187: trailing spaces

(trailing-spaces)


[error] 189-189: trailing spaces

(trailing-spaces)


[error] 192-192: trailing spaces

(trailing-spaces)


[error] 197-197: trailing spaces

(trailing-spaces)


[error] 199-199: trailing spaces

(trailing-spaces)


[error] 219-219: trailing spaces

(trailing-spaces)

🔇 Additional comments (7)
docker-compose.yml (2)

106-107: Environment variable mappings need adjustment

The previous review comment about environment variable mappings is still valid. Please refer to the existing comment for detailed explanation and suggested fixes.


119-157: Document local development setup and verify GitHub Actions coverage

While commenting out these services aligns with the migration to GitHub Actions, some concerns need to be addressed:

  1. Local Development Impact:

    • The dev service is typically used for local development
    • Consider keeping it uncommented or document alternative local development setup
  2. CI Coverage:

    • Ensure all these commented out services have equivalent workflows in GitHub Actions:
      • Compilation checks
      • Development environment
      • Backend tests
      • Linting and formatting
      • Screenshot tests

Let's verify the GitHub Actions workflow coverage:

Also applies to: 160-174, 204-213

✅ Verification successful

GitHub Actions workflows cover the commented-out services
All previously commented-out services in docker-compose.yml have corresponding GitHub Actions workflows, ensuring continuous integration remains comprehensive.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if all commented out services have equivalent GitHub Actions jobs

# Check for workflow files
echo "Checking .github/workflows directory for CI jobs..."
fd . .github/workflows -e yml -e yaml -x cat {} \; | grep -A 5 "jobs:"

# Look for specific job types in workflows
echo -e "\nChecking for specific job coverage..."
rg -i "compile|test|lint|format|screenshot" .github/workflows

Length of output: 3662

.github/workflows/build_test_deploy.yml (5)

4-16: LGTM! Well-structured workflow triggers with debugging support.

The workflow triggers are properly configured, and the addition of the tmate debugging option is a nice feature for troubleshooting.


18-23: Skip: Issues already addressed in past reviews.


26-48: Skip: Improvements already suggested in past reviews.

🧰 Tools
🪛 yamllint

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


51-72: Skip: Security concerns already addressed in past reviews.

🧰 Tools
🪛 yamllint

[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


153-231: Skip: Docker-related improvements already suggested in past reviews.

🧰 Tools
🪛 actionlint

160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint

[error] 178-178: trailing spaces

(trailing-spaces)


[error] 187-187: trailing spaces

(trailing-spaces)


[error] 189-189: trailing spaces

(trailing-spaces)


[error] 192-192: trailing spaces

(trailing-spaces)


[error] 197-197: trailing spaces

(trailing-spaces)


[error] 199-199: trailing spaces

(trailing-spaces)


[error] 219-219: trailing spaces

(trailing-spaces)

Comment on lines +235 to +236
# run: .circleci/slack-notification.sh
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider implementing GitHub Actions native Slack integration.

Instead of using the CircleCI script, implement Slack notifications using GitHub Actions:

- name: Notify Slack
  if: github.ref == 'refs/heads/master'
  uses: slackapi/[email protected]
  with:
    channel-id: 'CHANNEL_ID'
    slack-message: "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
  env:
    SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (1)
.github/workflows/build_test_deploy.yml (1)

34-37: Add yarn cache to improve CI performance

Consider using GitHub's cache action for yarn dependencies to speed up the CI pipeline.

 - uses: actions/setup-node@v4
   with:
     node-version: 18
+    cache: 'yarn'
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 219a68f and 0be3a3b.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build_test_deploy.yml

30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


76-76: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


157-157: the runner of "docker/setup-buildx-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint (1.35.1)
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 74-74: trailing spaces

(trailing-spaces)


[error] 97-97: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 128-128: trailing spaces

(trailing-spaces)


[error] 149-149: trailing spaces

(trailing-spaces)


[error] 178-178: trailing spaces

(trailing-spaces)


[error] 188-188: trailing spaces

(trailing-spaces)


[error] 190-190: trailing spaces

(trailing-spaces)


[error] 193-193: trailing spaces

(trailing-spaces)


[error] 198-198: trailing spaces

(trailing-spaces)


[error] 200-200: trailing spaces

(trailing-spaces)


[error] 220-220: trailing spaces

(trailing-spaces)

🔇 Additional comments (5)
.github/workflows/build_test_deploy.yml (5)

18-23: Security: Critical configuration issues need attention

  1. Running as root user is a security risk
  2. Consider using GitHub's OIDC for Docker Hub authentication

62-64: Security: Use secrets for database credentials

Database credentials should not be hardcoded in the workflow file.


119-126: Uncomment and fix database validation steps

The commented-out database validation steps are critical for ensuring schema integrity.


233-234: Don't silence coverage failures

The coverage command ignores failures with || true, which could hide important coverage regressions.


41-48: 🛠️ Refactor suggestion

Add error handling to frontend checks

The check commands should fail fast if any check fails.

 - name: Lint frontend code and check formatting
-  run: yarn run check-frontend
+  run: |
+    set -euo pipefail
+    yarn run check-frontend

 - name: Typecheck frontend code
-  run: yarn typecheck
+  run: |
+    set -euo pipefail
+    yarn typecheck

 - name: Check for cyclic dependencies in frontend
-  run: yarn check-cyclic-dependencies
+  run: |
+    set -euo pipefail
+    yarn check-cyclic-dependencies

Likely invalid or redundant comment.

.github/workflows/build_test_deploy.yml Outdated Show resolved Hide resolved
Comment on lines 211 to 231
uses: nick-invision/retry@v2
with:
timeout_minutes: 10
max_attempts: 3
command: |
docker compose push webknossos
docker compose push webknossos-datastore
docker compose push webknossos-tracingstore

if [[ ${{ github.ref_type }} == "branch" ]]; then
docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-datastore:${DOCKER_TAG} scalableminds/webknossos-datastore:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-datastore:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-tracingstore:${DOCKER_TAG} scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-tracingstore:${NORMALIZED_BRANCH}
docker tag scalableminds/webknossos-dev scalableminds/webknossos-dev:${NORMALIZED_BRANCH}
retry docker push scalableminds/webknossos-dev:${NORMALIZED_BRANCH}
fi
docker logout
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Improve Docker push retry logic

The Docker push steps could be optimized:

  1. Use GitHub's retry action consistently
  2. Add proper error handling
  3. Use proper quoting in shell commands
 command: |
+  set -euo pipefail
   docker compose push webknossos
   docker compose push webknossos-datastore
   docker compose push webknossos-tracingstore
   
   if [[ ${{ github.ref_type }} == "branch" ]]; then
-    docker tag scalableminds/webknossos:${DOCKER_TAG} scalableminds/webknossos:${NORMALIZED_BRANCH}
+    docker tag "scalableminds/webknossos:${DOCKER_TAG}" "scalableminds/webknossos:${NORMALIZED_BRANCH}"
     # Similar fixes for other docker commands
   fi

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 yamllint (1.35.1)

[error] 220-220: trailing spaces

(trailing-spaces)

Comment on lines +11 to +16
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
required: false
default: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Restrict debug access and protect sensitive data

The workflow contains several security concerns that need to be addressed:

  1. The workflow_dispatch trigger has no permission restrictions, allowing any user with repository access to enable debugging
  2. The tmate debugging session has no timeout configured
  3. The workflow exposes sensitive environment variables and credentials:
    • Database credentials (POSTGRES_PASSWORD)
    • Docker credentials (DOCKER_USER, DOCKER_PASS)
    • These are visible in logs and to anyone with debug access

Recommendations:

  • Add permissions field to restrict who can trigger workflow_dispatch
  • Configure tmate timeout using timeout-minutes
  • Move sensitive values to GitHub Actions secrets
  • Use secret masking for all credential environment variables
  • Add job-level timeout to limit maximum debug session duration
🔗 Analysis chain

Review debug access controls

The tmate debugging option could potentially expose sensitive information. Consider:

  1. Limiting the workflow_dispatch trigger to specific user roles
  2. Adding a timeout for debug sessions
  3. Documenting security implications in the workflow

Based on the search results, there are numerous files containing sensitive information like passwords, tokens, secrets, and credentials. Let me analyze the workflow file further to provide specific recommendations.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if there are any sensitive files that might be exposed during debug
rg -g '!.git' -l '(?i)(password|secret|key|token|credential)' || echo "No sensitive files found"

Length of output: 36548


Script:

#!/bin/bash
# Check if there are any environment variables or secrets used in the workflow
rg -g '.github/workflows/build_test_deploy.yml' '(?i)(secret|token|password|credential|key)'

# Check if there are any security controls on the workflow_dispatch trigger
cat .github/workflows/build_test_deploy.yml

Length of output: 8697

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 0be3a3b and d22dade.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build_test_deploy.yml

30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


76-76: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


157-157: the runner of "docker/setup-buildx-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)

🪛 yamllint (1.35.1)
.github/workflows/build_test_deploy.yml

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)


[warning] 59-59: wrong indentation: expected 6 but found 8

(indentation)


[error] 74-74: trailing spaces

(trailing-spaces)


[error] 97-97: trailing spaces

(trailing-spaces)


[error] 127-127: trailing spaces

(trailing-spaces)


[error] 128-128: trailing spaces

(trailing-spaces)


[error] 149-149: trailing spaces

(trailing-spaces)


[error] 178-178: trailing spaces

(trailing-spaces)


[error] 189-189: trailing spaces

(trailing-spaces)


[error] 191-191: trailing spaces

(trailing-spaces)


[error] 194-194: trailing spaces

(trailing-spaces)


[error] 199-199: trailing spaces

(trailing-spaces)


[error] 201-201: trailing spaces

(trailing-spaces)


[error] 221-221: trailing spaces

(trailing-spaces)

🔇 Additional comments (9)
.github/workflows/build_test_deploy.yml (9)

18-23: ⚠️ Potential issue

Critical security improvements needed

Several security concerns need to be addressed:

  1. Running as root user is a security risk
  2. Consider using GitHub's OIDC for Docker Hub authentication

Apply these security improvements:

 env:
-  USER_NAME: root
+  USER_NAME: webknossos
   USER_UID: 1000
   USER_GID: 1000
-  DOCKER_USER: ${{ secrets.DOCKER_USER }}
-  DOCKER_PASS: ${{ secrets.DOCKER_PASS }}

+permissions:
+  id-token: write
+  contents: read

Then update the Docker login step to use OIDC:

      - uses: docker/login-action@v2
        with:
          registry: docker.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

34-39: 🛠️ Refactor suggestion

Add yarn cache to improve CI performance

     - uses: actions/setup-node@v4
       with:
         node-version: 18
+        cache: 'yarn'
+
+    - name: Get yarn cache directory path
+      id: yarn-cache-dir-path
+      run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+    - uses: actions/cache@v3
+      id: yarn-cache
+      with:
+        path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+        key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-yarn-

     - name: Install frontend dependencies
       run: corepack enable && yarn install --immutable

41-48: 🛠️ Refactor suggestion

Add error handling to frontend checks

     - name: Lint frontend code and check formatting
-      run: yarn run check-frontend
+      run: |
+        set -euo pipefail
+        yarn run check-frontend

     - name: Typecheck frontend code
-      run: yarn typecheck
+      run: |
+        set -euo pipefail
+        yarn typecheck

     - name: Check for cyclic dependencies in frontend
-      run: yarn check-cyclic-dependencies
+      run: |
+        set -euo pipefail
+        yarn check-cyclic-dependencies

62-64: ⚠️ Potential issue

Use secrets for database credentials

           env:
-            POSTGRES_URL: jdbc:postgresql://postgres/webknossos
-            POSTGRES_USER: webknossos_user
-            POSTGRES_PASSWORD: secret_password
+            POSTGRES_URL: ${{ secrets.POSTGRES_URL }}
+            POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+            POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}

71-72: ⚠️ Potential issue

Restrict PostgreSQL port exposure

           ports:
-            - 5432:5432
+            - 127.0.0.1:5432:5432

80-90: ⚠️ Potential issue

Fix shell script quoting issues

       - name: "Custom environment variables"
         run: |
           if [[ ${{ github.ref_type }} == "branch" ]]; then
-            NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
-            echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
+            NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
+            echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
             DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
-            echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+            echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"
           else
-            echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
-            echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+            echo "NORMALIZED_BRANCH=master" >> "${GITHUB_ENV}"
+            echo "DOCKER_TAG=${{ github.ref_name }}" >> "${GITHUB_ENV}"
           fi
🧰 Tools
🪛 actionlint (1.7.4)

81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


119-126: ⚠️ Potential issue

Uncomment and fix database validation steps

These commented-out steps are critical for ensuring database schema integrity.

-      # - name: Assert unique evolution numbers
-      #   run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
+      - name: Assert unique evolution numbers
+        run: node tools/postgres/dbtool.js assert-unique-evolution-numbers

-      # - name: Assert schema.sql and evolutions are equal
-      #   run: |
-      #     docker compose up -d postgres
-      #     sleep 3
-      #     docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
+      - name: Assert schema.sql and evolutions are equal
+        run: |
+          docker compose up -d postgres
+          until docker compose exec -T postgres pg_isready; do
+            echo "Waiting for postgres..."
+            sleep 1
+          done
+          docker compose run compile tools/postgres/dbtool.js check-evolutions-schema

234-235: ⚠️ Potential issue

Don't silence coverage failures

-        run: .github/not-on-master.sh yarn coverage || true
+        run: |
+          set -eo pipefail
+          .github/not-on-master.sh yarn coverage

Consider:

  1. Setting a minimum coverage threshold
  2. Making the job fail if coverage drops below the threshold
  3. Using a coverage reporting action to track trends

237-238: 🛠️ Refactor suggestion

Implement GitHub Actions native Slack integration

Replace the CircleCI script with GitHub Actions native Slack integration:

      - name: Notify Slack
        if: github.ref == 'refs/heads/master'
        uses: slackapi/[email protected]
        with:
          channel-id: 'CHANNEL_ID'
          slack-message: "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

Comment on lines 8 to 33
static_frontend_code_checks:
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 5 No newline at end of file
fetch-depth: 5

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Update checkout action version

The actions/checkout@v3 action is outdated.

     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 5
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
static_frontend_code_checks:
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 5
\ No newline at end of file
fetch-depth: 5
static_frontend_code_checks:
runs-on: ubuntu-24.04
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 5
🧰 Tools
🪛 actionlint (1.7.4)

30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint (1.35.1)

[warning] 29-29: wrong indentation: expected 6 but found 4

(indentation)

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between d22dade and c0c3db5.

📒 Files selected for processing (1)
  • .github/workflows/build_test_deploy.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/build_test_deploy.yml

30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


76-76: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


157-157: the runner of "docker/setup-buildx-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


160-160: shellcheck reported issue in this script: SC2086:info:1:38: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (8)
.github/workflows/build_test_deploy.yml (8)

237-238: Implement native GitHub Actions Slack integration

Replace the CircleCI Slack notification with GitHub Actions native integration:

- name: Notify Slack
  if: github.ref == 'refs/heads/master'
  uses: slackapi/[email protected]
  with:
    channel-id: 'CHANNEL_ID'
    slack-message: "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
  env:
    SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

18-23: ⚠️ Potential issue

Critical security improvements needed

Several security concerns need to be addressed:

  1. Running as root user is a security risk
  2. Docker credentials should use GitHub's OIDC
  3. Environment variables should be moved to secrets

Apply these security improvements:

 env:
-  USER_NAME: root
+  USER_NAME: webknossos
   USER_UID: 1000
   USER_GID: 1000
-  DOCKER_USER: ${{ secrets.DOCKER_USER }}
-  DOCKER_PASS: ${{ secrets.DOCKER_PASS }}

Add OIDC configuration for Docker Hub:

permissions:
  id-token: write
  contents: read

jobs:
  build:
    steps:
      - uses: docker/login-action@v2
        with:
          registry: docker.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

34-39: 🛠️ Refactor suggestion

Add yarn cache to improve CI performance

Add caching for yarn dependencies:

    - uses: actions/setup-node@v4
      with:
        node-version: 18
+       cache: 'yarn'
+
+   - name: Get yarn cache directory path
+     id: yarn-cache-dir-path
+     run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+
+   - uses: actions/cache@v3
+     id: yarn-cache
+     with:
+       path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+       key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+       restore-keys: |
+         ${{ runner.os }}-yarn-

    - name: Install frontend dependencies
      run: corepack enable && yarn install --immutable

62-64: ⚠️ Potential issue

Move database credentials to secrets

          env:
-           POSTGRES_URL: jdbc:postgresql://postgres/webknossos
-           POSTGRES_USER: webknossos_user
-           POSTGRES_PASSWORD: secret_password
+           POSTGRES_URL: ${{ secrets.POSTGRES_URL }}
+           POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
+           POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}

119-126: ⚠️ Potential issue

Enable critical database validation steps

The commented-out database validation steps are important for ensuring schema integrity.

-      # - name: Assert unique evolution numbers
-      #   run: node tools/postgres/dbtool.js assert-unique-evolution-numbers
+      - name: Assert unique evolution numbers
+        run: node tools/postgres/dbtool.js assert-unique-evolution-numbers

-      # - name: Assert schema.sql and evolutions are equal
-      #   run: |
-      #     docker compose up -d postgres
-      #     sleep 3
-      #     docker compose run compile tools/postgres/dbtool.js check-evolutions-schema
+      - name: Assert schema.sql and evolutions are equal
+        run: |
+          docker compose up -d postgres
+          until docker compose exec -T postgres pg_isready; do
+            echo "Waiting for postgres..."
+            sleep 1
+          done
+          docker compose run compile tools/postgres/dbtool.js check-evolutions-schema

81-90: ⚠️ Potential issue

Fix shell script quoting issues

        run: |
          if [[ ${{ github.ref_type }} == "branch" ]]; then
-           NORMALIZED_BRANCH=$(echo ${{ github.ref_name }} | sed 's/[\/-]/_/g')
-           echo "NORMALIZED_BRANCH=$NORMALIZED_BRANCH" >> $GITHUB_ENV
+           NORMALIZED_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[\/-]/_/g')
+           echo "NORMALIZED_BRANCH=${NORMALIZED_BRANCH}" >> "${GITHUB_ENV}"
-           DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
-           echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+           DOCKER_TAG="${NORMALIZED_BRANCH}__${{ github.run_number }}"
+           echo "DOCKER_TAG=${DOCKER_TAG}" >> "${GITHUB_ENV}"
          else
-           echo "NORMALIZED_BRANCH=master" >> $GITHUB_ENV
-           echo "DOCKER_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+           echo "NORMALIZED_BRANCH=master" >> "${GITHUB_ENV}"
+           echo "DOCKER_TAG=${{ github.ref_name }}" >> "${GITHUB_ENV}"
          fi
🧰 Tools
🪛 actionlint (1.7.4)

81-81: shellcheck reported issue in this script: SC2086:info:3:50: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:5:36: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:7:38: Double quote to prevent globbing and word splitting

(shellcheck)


81-81: shellcheck reported issue in this script: SC2086:info:8:47: Double quote to prevent globbing and word splitting

(shellcheck)


234-235: ⚠️ Potential issue

Don't silence coverage failures

The coverage command ignores failures with || true. This could hide important coverage regressions.

-        run: .github/not-on-master.sh yarn coverage || true
+        run: |
+          set -eo pipefail
+          .github/not-on-master.sh yarn coverage
+        continue-on-error: true

30-32: ⚠️ Potential issue

Update checkout action version

The actions/checkout@v3 action is outdated.

     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 5

Likely invalid or redundant comment.

🧰 Tools
🪛 actionlint (1.7.4)

30-30: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

Comment on lines +4 to +16
push:
branches:
- master
pull_request:
branches:
- '*'
workflow_dispatch:
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
required: false
default: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Add security controls for workflow triggers

The workflow needs additional security controls:

  1. Add permissions to restrict access
  2. Add concurrency controls to prevent parallel runs
  3. Configure timeout for debug sessions

Add these security configurations:

 name: CI Pipeline

 on:
   push:
     branches:
       - master
   pull_request:
     branches:
       - '*'
   workflow_dispatch:
     inputs:
       debug_enabled:
         type: boolean
         description: 'Run the build with tmate debugging enabled'
         required: false
         default: false

+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
push:
branches:
- master
pull_request:
branches:
- '*'
workflow_dispatch:
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
required: false
default: false
push:
branches:
- master
pull_request:
branches:
- '*'
workflow_dispatch:
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled'
required: false
default: false
permissions:
contents: read
actions: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants