celery worker github workflow#304
Conversation
📝 WalkthroughWalkthroughA new GitHub Actions workflow is added that triggers manually via ChangesCelery Worker Develop Build & Push Workflow
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: "Checkout" | ||
| uses: "actions/checkout@v3" | ||
|
|
||
| - name: Get commit hash | ||
| id: get-commit-hash | ||
| run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)" | ||
|
|
||
| - name: Get timestamp | ||
| id: get-timestamp | ||
| run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')" | ||
|
|
||
| - name: Cache Docker layers | ||
| id: cache-docker-layers | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: /tmp/.buildx-cache | ||
| key: ${{ runner.os }}-docker-${{ github.sha }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-docker- | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Build Docker Image | ||
| id: build-image | ||
| run: | | ||
| docker build -f wavefront/server/docker/celery_worker.Dockerfile -t rootflo:${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }} . | ||
| echo "IMAGE_TAG=${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }}" >> $GITHUB_ENV | ||
|
|
||
| - id: "Auth-to-GCP" | ||
| uses: "google-github-actions/auth@v1" | ||
| with: | ||
| credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}" | ||
|
|
||
| - name: "Set up Cloud SDK" | ||
| uses: "google-github-actions/setup-gcloud@v1" | ||
|
|
||
| - name: "Docker auth for GCP" | ||
| run: |- | ||
| gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet | ||
|
|
||
| - name: Tag and push image to GCP Artifact Registry | ||
| run: | | ||
| docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||
| docker push ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||
|
|
||
| # Configure AWS credentials and push to ECR | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v4 | ||
| with: | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| aws-region: ${{ env.AWS_REGION }} | ||
|
|
||
| - name: Login to Amazon ECR | ||
| id: login-ecr | ||
| uses: aws-actions/amazon-ecr-login@v1 | ||
|
|
||
| - name: Tag and push image to Amazon ECR | ||
| run: | | ||
| docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
| docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
|
|
||
| # Configure Azure credentials and push to ACR | ||
| - name: Login to Azure | ||
| uses: azure/login@v2 | ||
| with: | ||
| creds: ${{ secrets.AZURE_CREDENTIALS }} | ||
|
|
||
| - name: Docker auth for Azure ACR | ||
| run: az acr login --name ${{ env.ACR_REGISTRY_NAME }} | ||
|
|
||
| - name: Tag and push image to Azure Container Registry | ||
| run: | | ||
| docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
| docker push ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
|
|
||
| - name: Cleanup Docker images | ||
| run: | | ||
| docker rmi rootflo:${{ env.IMAGE_TAG }} || true | ||
| docker rmi ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} || true | ||
| docker rmi ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true | ||
| docker rmi ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true |
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
.github/workflows/build-wavefront-celery_worker-develop.yaml (1)
36-51: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick winWire the Docker cache into the build, or drop the cache step.
/tmp/.buildx-cacheis restored here, but the currentdocker buildnever reads or writes it. Switch todocker buildx buildwith cache import/export, or remove the unused cache step.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 36 - 51, The Docker cache setup is currently unused because the build step does not read from or write to /tmp/.buildx-cache. Update the Build Docker Image step in the workflow to use docker/setup-buildx-action and buildx cache import/export so the cache restored by actions/cache@v3 is actually consumed, or remove the Cache Docker layers step entirely if you want to keep using plain docker build. Reference the existing cache-docker-layers and build-image steps when wiring the cache into the build.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-wavefront-celery_worker-develop.yaml:
- Around line 20-22: The build-push-artifact job in the develop workflow is not
restricted to the develop branch, so a manual dispatch can publish from the
wrong ref. Add an appropriate ref guard to this job or workflow so it only runs
when the current ref is develop, using the existing build-push-artifact job name
and the workflow’s ref-based condition to gate publishing.
- Around line 3-6: The workflow currently relies on default token scopes, but it
only needs read access for checkout. Add an explicit top-level permissions block
to the workflow and set the GITHUB_TOKEN scope to the minimum required, locating
the change near the workflow_dispatch and env section in the workflow file.
- Around line 28-34: The GitHub Actions steps in the workflow still use the
deprecated set-output command, so update the Get commit hash and Get timestamp
steps to write commit-hash and timestamp to the $GITHUB_OUTPUT environment file
instead. Keep the same step ids (get-commit-hash and get-timestamp) and preserve
the existing outputs so any later steps referencing steps.*.outputs.* continue
to work.
- Around line 25-26: Update the workflow job to use supported major versions for
the existing GitHub Actions in the build-wavefront-celery_worker-develop
workflow, including actions/checkout, actions/cache, google-github-actions/auth,
and google-github-actions/setup-gcloud. In the Checkout step, set
persist-credentials to false since this job only needs to read the commit hash
and does not use repository credentials; keep the change localized to the
checkout and related action version declarations in this workflow.
---
Nitpick comments:
In @.github/workflows/build-wavefront-celery_worker-develop.yaml:
- Around line 36-51: The Docker cache setup is currently unused because the
build step does not read from or write to /tmp/.buildx-cache. Update the Build
Docker Image step in the workflow to use docker/setup-buildx-action and buildx
cache import/export so the cache restored by actions/cache@v3 is actually
consumed, or remove the Cache Docker layers step entirely if you want to keep
using plain docker build. Reference the existing cache-docker-layers and
build-image steps when wiring the cache into the build.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 0d714551-5f10-474f-bb47-22046c1102e0
📒 Files selected for processing (1)
.github/workflows/build-wavefront-celery_worker-develop.yaml
| on: | ||
| workflow_dispatch: | ||
|
|
||
| env: |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set minimal GITHUB_TOKEN permissions.
The workflow only needs repository read access for checkout, so add an explicit top-level permission block.
Suggested permission block
on:
workflow_dispatch:
+permissions:
+ contents: read
+
env:📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: | |
| workflow_dispatch: | |
| env: | |
| on: | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| env: |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 3
- 6, The workflow currently relies on default token scopes, but it only needs
read access for checkout. Add an explicit top-level permissions block to the
workflow and set the GITHUB_TOKEN scope to the minimum required, locating the
change near the workflow_dispatch and env section in the workflow file.
Source: Linters/SAST tools
| jobs: | ||
| build-push-artifact: | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Gate this develop publish job to the develop ref.
This workflow is named/scoped as a develop build, but a manual dispatch can otherwise publish an image from a non-develop ref into the same registries.
Suggested guard
jobs:
build-push-artifact:
+ if: github.ref == 'refs/heads/develop'
runs-on: ubuntu-latest📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| jobs: | |
| build-push-artifact: | |
| runs-on: ubuntu-latest | |
| jobs: | |
| build-push-artifact: | |
| if: github.ref == 'refs/heads/develop' | |
| runs-on: ubuntu-latest |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 20
- 22, The build-push-artifact job in the develop workflow is not restricted to
the develop branch, so a manual dispatch can publish from the wrong ref. Add an
appropriate ref guard to this job or workflow so it only runs when the current
ref is develop, using the existing build-push-artifact job name and the
workflow’s ref-based condition to gate publishing.
| - name: "Checkout" | ||
| uses: "actions/checkout@v3" |
There was a problem hiding this comment.
🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n 'actions/checkout@v3|google-github-actions/(auth|setup-gcloud)`@v1`|persist-credentials' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fiRepository: rootflo/wavefront
Length of output: 2311
🏁 Script executed:
#!/bin/bash
set -euo pipefail
workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"
echo '--- file outline ---'
ast-grep outline "$workflow" --view expanded || true
echo '--- relevant lines ---'
nl -ba "$workflow" | sed -n '1,140p'
echo '--- checkout/auth/gcloud/cache references ---'
rg -n 'checkout|auth@|setup-gcloud|cache@|persist-credentials|push|git ' "$workflow"Repository: rootflo/wavefront
Length of output: 315
🏁 Script executed:
#!/bin/bash
set -euo pipefail
workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"
echo '--- numbered file slice ---'
awk 'NR>=1 && NR<=140 {printf "%4d %s\n", NR, $0}' "$workflow"
echo '--- git/push-related commands ---'
rg -n 'git (push|tag|commit)|push:|persist-credentials|checkout|docker push|gcloud|auth@|setup-gcloud' "$workflow"Repository: rootflo/wavefront
Length of output: 5382
Upgrade the workflow actions and disable checkout credentials
- Bump
actions/checkout@v3,actions/cache@v3,google-github-actions/auth@v1, andgoogle-github-actions/setup-gcloud@v1; these majors are already flagged as unsupported. - Add
persist-credentials: falseto checkout: this job only reads the commit hash and pushes Docker images, so repo credentials aren’t used.
🧰 Tools
🪛 actionlint (1.7.12)
[error] 26-26: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.26.1)
[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 25
- 26, Update the workflow job to use supported major versions for the existing
GitHub Actions in the build-wavefront-celery_worker-develop workflow, including
actions/checkout, actions/cache, google-github-actions/auth, and
google-github-actions/setup-gcloud. In the Checkout step, set
persist-credentials to false since this job only needs to read the commit hash
and does not use repository credentials; keep the change localized to the
checkout and related action version declarations in this workflow.
Source: Linters/SAST tools
| - name: Get commit hash | ||
| id: get-commit-hash | ||
| run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)" | ||
|
|
||
| - name: Get timestamp | ||
| id: get-timestamp | ||
| run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')" |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n '::set-output|GITHUB_OUTPUT' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fiRepository: rootflo/wavefront
Length of output: 2328
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=".github/workflows/build-wavefront-celery_worker-develop.yaml"
cat -n "$file" | sed -n '1,120p'Repository: rootflo/wavefront
Length of output: 4910
Replace deprecated set-output commands with $GITHUB_OUTPUT. Use the environment file for both commit-hash and timestamp so steps.*.outputs.* stays supported.
🧰 Tools
🪛 actionlint (1.7.12)
[error] 30-30: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
(deprecated-commands)
[error] 34-34: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
(deprecated-commands)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 28
- 34, The GitHub Actions steps in the workflow still use the deprecated
set-output command, so update the Get commit hash and Get timestamp steps to
write commit-hash and timestamp to the $GITHUB_OUTPUT environment file instead.
Keep the same step ids (get-commit-hash and get-timestamp) and preserve the
existing outputs so any later steps referencing steps.*.outputs.* continue to
work.
Source: Linters/SAST tools
Summary by CodeRabbit