Thanks to visit codestin.com
Credit goes to github.com

Skip to content

celery worker github workflow#304

Merged
rootflo-hardik merged 1 commit into
developfrom
fix/add_celery_workflow
Jun 30, 2026
Merged

celery worker github workflow#304
rootflo-hardik merged 1 commit into
developfrom
fix/add_celery_workflow

Conversation

@rootflo-hardik

@rootflo-hardik rootflo-hardik commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Chores
    • Added an automated workflow to build and publish the Celery Worker container image during development.
    • The image can now be pushed to multiple cloud container registries in one run.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow is added that triggers manually via workflow_dispatch. It builds a Docker image from wavefront/server/docker/celery_worker.Dockerfile, tags it with a short commit hash and timestamp, pushes the image to GCP Artifact Registry, Amazon ECR, and Azure ACR, then removes local Docker tags.

Changes

Celery Worker Develop Build & Push Workflow

Layer / File(s) Summary
Workflow trigger, env vars, and Docker build
.github/workflows/build-wavefront-celery_worker-develop.yaml
Defines workflow_dispatch trigger, global env vars for GCP/AWS/Azure registries and image name, job checkout, commit hash and timestamp computation, Docker layer caching, and image build with IMAGE_TAG exported to $GITHUB_ENV.
Push to GCP, AWS, Azure, and cleanup
.github/workflows/build-wavefront-celery_worker-develop.yaml
Authenticates and pushes the built image to GCP Artifact Registry, Amazon ECR, and Azure ACR in sequence, then removes all local Docker tags with `

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • rootflo/wavefront#263: Adds the same Azure ACR publishing pattern (env vars, azure/login@v2, az acr login, tag/push, cleanup) to another build workflow.
  • rootflo/wavefront#286: Introduces ACR-related env vars and Docker login/push steps in another build-wavefront-*-app-develop.yaml workflow with the same structure.

Suggested reviewers

  • vishnurk6247
  • vizsatiz

🐇 A Dockerfile for the celery crew,
Three clouds now shimmer in morning dew,
GCP, AWS, Azure in line,
Each registry gleams with the new image sign,
Hop hop hooray, the workers deploy! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: adding a GitHub workflow for the Celery worker.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/add_celery_workflow

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment on lines +22 to +107
runs-on: ubuntu-latest

steps:
- name: "Checkout"
uses: "actions/checkout@v3"

- name: Get commit hash
id: get-commit-hash
run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"

- name: Get timestamp
id: get-timestamp
run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"

- name: Cache Docker layers
id: cache-docker-layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-docker-${{ github.sha }}
restore-keys: |
${{ runner.os }}-docker-

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build Docker Image
id: build-image
run: |
docker build -f wavefront/server/docker/celery_worker.Dockerfile -t rootflo:${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }} .
echo "IMAGE_TAG=${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }}" >> $GITHUB_ENV

- id: "Auth-to-GCP"
uses: "google-github-actions/auth@v1"
with:
credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"

- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v1"

- name: "Docker auth for GCP"
run: |-
gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet

- name: Tag and push image to GCP Artifact Registry
run: |
docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
docker push ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}

# Configure AWS credentials and push to ECR
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1

- name: Tag and push image to Amazon ECR
run: |
docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}

# Configure Azure credentials and push to ACR
- name: Login to Azure
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Docker auth for Azure ACR
run: az acr login --name ${{ env.ACR_REGISTRY_NAME }}

- name: Tag and push image to Azure Container Registry
run: |
docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }}
docker push ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }}

- name: Cleanup Docker images
run: |
docker rmi rootflo:${{ env.IMAGE_TAG }} || true
docker rmi ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} || true
docker rmi ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true
docker rmi ${{ env.ACR_REGISTRY }}/${{ env.ACR_REPOSITORY }}:${{ env.IMAGE_TAG }} || true

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/build-wavefront-celery_worker-develop.yaml (1)

36-51: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Wire the Docker cache into the build, or drop the cache step.

/tmp/.buildx-cache is restored here, but the current docker build never reads or writes it. Switch to docker buildx build with cache import/export, or remove the unused cache step.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 36
- 51, The Docker cache setup is currently unused because the build step does not
read from or write to /tmp/.buildx-cache. Update the Build Docker Image step in
the workflow to use docker/setup-buildx-action and buildx cache import/export so
the cache restored by actions/cache@v3 is actually consumed, or remove the Cache
Docker layers step entirely if you want to keep using plain docker build.
Reference the existing cache-docker-layers and build-image steps when wiring the
cache into the build.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-wavefront-celery_worker-develop.yaml:
- Around line 20-22: The build-push-artifact job in the develop workflow is not
restricted to the develop branch, so a manual dispatch can publish from the
wrong ref. Add an appropriate ref guard to this job or workflow so it only runs
when the current ref is develop, using the existing build-push-artifact job name
and the workflow’s ref-based condition to gate publishing.
- Around line 3-6: The workflow currently relies on default token scopes, but it
only needs read access for checkout. Add an explicit top-level permissions block
to the workflow and set the GITHUB_TOKEN scope to the minimum required, locating
the change near the workflow_dispatch and env section in the workflow file.
- Around line 28-34: The GitHub Actions steps in the workflow still use the
deprecated set-output command, so update the Get commit hash and Get timestamp
steps to write commit-hash and timestamp to the $GITHUB_OUTPUT environment file
instead. Keep the same step ids (get-commit-hash and get-timestamp) and preserve
the existing outputs so any later steps referencing steps.*.outputs.* continue
to work.
- Around line 25-26: Update the workflow job to use supported major versions for
the existing GitHub Actions in the build-wavefront-celery_worker-develop
workflow, including actions/checkout, actions/cache, google-github-actions/auth,
and google-github-actions/setup-gcloud. In the Checkout step, set
persist-credentials to false since this job only needs to read the commit hash
and does not use repository credentials; keep the change localized to the
checkout and related action version declarations in this workflow.

---

Nitpick comments:
In @.github/workflows/build-wavefront-celery_worker-develop.yaml:
- Around line 36-51: The Docker cache setup is currently unused because the
build step does not read from or write to /tmp/.buildx-cache. Update the Build
Docker Image step in the workflow to use docker/setup-buildx-action and buildx
cache import/export so the cache restored by actions/cache@v3 is actually
consumed, or remove the Cache Docker layers step entirely if you want to keep
using plain docker build. Reference the existing cache-docker-layers and
build-image steps when wiring the cache into the build.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d714551-5f10-474f-bb47-22046c1102e0

📥 Commits

Reviewing files that changed from the base of the PR and between 3fdd66f and e041f16.

📒 Files selected for processing (1)
  • .github/workflows/build-wavefront-celery_worker-develop.yaml

Comment on lines +3 to +6
on:
workflow_dispatch:

env:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set minimal GITHUB_TOKEN permissions.

The workflow only needs repository read access for checkout, so add an explicit top-level permission block.

Suggested permission block
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
workflow_dispatch:
env:
on:
workflow_dispatch:
permissions:
contents: read
env:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 3
- 6, The workflow currently relies on default token scopes, but it only needs
read access for checkout. Add an explicit top-level permissions block to the
workflow and set the GITHUB_TOKEN scope to the minimum required, locating the
change near the workflow_dispatch and env section in the workflow file.

Source: Linters/SAST tools

Comment on lines +20 to +22
jobs:
build-push-artifact:
runs-on: ubuntu-latest

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Gate this develop publish job to the develop ref.

This workflow is named/scoped as a develop build, but a manual dispatch can otherwise publish an image from a non-develop ref into the same registries.

Suggested guard
 jobs:
   build-push-artifact:
+    if: github.ref == 'refs/heads/develop'
     runs-on: ubuntu-latest
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
jobs:
build-push-artifact:
runs-on: ubuntu-latest
jobs:
build-push-artifact:
if: github.ref == 'refs/heads/develop'
runs-on: ubuntu-latest
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 20
- 22, The build-push-artifact job in the develop workflow is not restricted to
the develop branch, so a manual dispatch can publish from the wrong ref. Add an
appropriate ref guard to this job or workflow so it only runs when the current
ref is develop, using the existing build-push-artifact job name and the
workflow’s ref-based condition to gate publishing.

Comment on lines +25 to +26
- name: "Checkout"
uses: "actions/checkout@v3"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n 'actions/checkout@v3|google-github-actions/(auth|setup-gcloud)`@v1`|persist-credentials' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fi

Repository: rootflo/wavefront

Length of output: 2311


🏁 Script executed:

#!/bin/bash
set -euo pipefail

workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"

echo '--- file outline ---'
ast-grep outline "$workflow" --view expanded || true

echo '--- relevant lines ---'
nl -ba "$workflow" | sed -n '1,140p'

echo '--- checkout/auth/gcloud/cache references ---'
rg -n 'checkout|auth@|setup-gcloud|cache@|persist-credentials|push|git ' "$workflow"

Repository: rootflo/wavefront

Length of output: 315


🏁 Script executed:

#!/bin/bash
set -euo pipefail

workflow=".github/workflows/build-wavefront-celery_worker-develop.yaml"

echo '--- numbered file slice ---'
awk 'NR>=1 && NR<=140 {printf "%4d  %s\n", NR, $0}' "$workflow"

echo '--- git/push-related commands ---'
rg -n 'git (push|tag|commit)|push:|persist-credentials|checkout|docker push|gcloud|auth@|setup-gcloud' "$workflow"

Repository: rootflo/wavefront

Length of output: 5382


Upgrade the workflow actions and disable checkout credentials

  • Bump actions/checkout@v3, actions/cache@v3, google-github-actions/auth@v1, and google-github-actions/setup-gcloud@v1; these majors are already flagged as unsupported.
  • Add persist-credentials: false to checkout: this job only reads the commit hash and pushes Docker images, so repo credentials aren’t used.
🧰 Tools
🪛 actionlint (1.7.12)

[error] 26-26: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 zizmor (1.26.1)

[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 25
- 26, Update the workflow job to use supported major versions for the existing
GitHub Actions in the build-wavefront-celery_worker-develop workflow, including
actions/checkout, actions/cache, google-github-actions/auth, and
google-github-actions/setup-gcloud. In the Checkout step, set
persist-credentials to false since this job only needs to read the commit hash
and does not use repository credentials; keep the change localized to the
checkout and related action version declarations in this workflow.

Source: Linters/SAST tools

Comment on lines +28 to +34
- name: Get commit hash
id: get-commit-hash
run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"

- name: Get timestamp
id: get-timestamp
run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
workflow="$(fd -p 'build-wavefront-celery_worker-develop.yaml' .github/workflows | head -n1)"
rg -n '::set-output|GITHUB_OUTPUT' "$workflow"
if command -v actionlint >/dev/null; then actionlint "$workflow"; fi

Repository: rootflo/wavefront

Length of output: 2328


🏁 Script executed:

#!/bin/bash
set -euo pipefail
file=".github/workflows/build-wavefront-celery_worker-develop.yaml"
cat -n "$file" | sed -n '1,120p'

Repository: rootflo/wavefront

Length of output: 4910


Replace deprecated set-output commands with $GITHUB_OUTPUT. Use the environment file for both commit-hash and timestamp so steps.*.outputs.* stays supported.

🧰 Tools
🪛 actionlint (1.7.12)

[error] 30-30: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


[error] 34-34: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-wavefront-celery_worker-develop.yaml around lines 28
- 34, The GitHub Actions steps in the workflow still use the deprecated
set-output command, so update the Get commit hash and Get timestamp steps to
write commit-hash and timestamp to the $GITHUB_OUTPUT environment file instead.
Keep the same step ids (get-commit-hash and get-timestamp) and preserve the
existing outputs so any later steps referencing steps.*.outputs.* continue to
work.

Source: Linters/SAST tools

@rootflo-hardik rootflo-hardik merged commit 0b239ae into develop Jun 30, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants