DAT-20906 DevOps :: Create Automated Release Workflow for Liquibase Secure Extensions (BigQuery, Databricks, MongoDB, Azure, AWS) #419
Conversation
…release workflow - Commented out the steps for updating the POM file, checking for artifacts in draft releases, and downloading published release artifacts. - This change aims to streamline the workflow by temporarily disabling sections related to artifact management while maintaining the overall structure for future adjustments.
…kflow - Changed the environment variable for the Dependabot step to use LIQUIBOT_PAT_GPM_ACCESS instead of the previous token output from the get-token step. This update ensures proper access for Dependabot operations on the repository.
…kflow - Replaced the environment variable for the Dependabot step to use the token output from the get-token step instead of LIQUIBOT_PAT_GPM_ACCESS. This change ensures proper access for Dependabot operations on the repository.
…e workflow - Improved error handling for Dependabot updates by capturing output and checking for specific known issues, such as GoogleBigQueryJDBC42 authentication failures. - Ensured that the workflow continues gracefully in case of known issues while properly reporting unexpected errors.
…e workflow - Improved handling of Dependabot updates by checking for successful updates and known problematic dependencies. - Added logic to skip known authentication issues while continuing with other updates, ensuring smoother workflow execution.
…lease workflow - Restored the steps for updating the POM file, checking for artifacts in draft releases, and downloading published release artifacts. - This change aims to re-enable artifact management functionality in the workflow, ensuring proper handling of extension releases.
Walkthrough
This change enhances the extension automated release workflow by replacing a simple dependabot update step with a resilient multi-step approach. The new logic captures command output and exit codes, distinguishes between known authentication failures for private dependencies and critical errors, logs appropriate warnings for known failures, and continues execution while maintaining existing success logging.
Sequence Diagram

```mermaid
sequenceDiagram
    participant WF as Workflow
    participant Dependabot
    participant Logger
    WF->>Dependabot: Execute update command (capture output)
    Dependabot-->>WF: Returns exit code + output
    alt Exit Code = 0
        WF->>Logger: Log successful completion
        Logger-->>WF: ✓
    else Exit Code ≠ 0
        WF->>WF: Inspect output for successful updates
        alt Updates Found
            WF->>WF: Check for known auth failure patterns
            alt Only Known Failures
                WF->>Logger: Log warnings (skip problematic deps)
                Logger-->>WF: Continue execution
            else Other Errors Present
                WF->>WF: Fail step with original exit code
            end
        else No Updates Found
            WF->>WF: Fail step with original exit code
        end
    end
    WF->>Logger: Preserve existing success logging
    Logger-->>WF: ✓
```
Actionable comments posted: 0
🧹 Nitpick comments (2)
.github/workflows/extension-automated-release.yml (2)
130-158: Consider more robust output parsing for Dependabot error detection.
The error-handling logic relies on grep patterns to detect successful updates ("Changes to Dependabot Pull Requests") and known authentication failures. This approach is fragile and could break if Dependabot's output format changes.
Specific concerns:
- Line 139: The "Changes to Dependabot Pull Requests" string may not reliably indicate success across all Dependabot versions and configurations.
- Line 143: The regex `.*private_source_authentication_failure` assumes the error pattern appears on the same line as (or immediately after) the dependency name. If Dependabot's output format uses multi-line errors or different spacing, this pattern could fail to match or incorrectly match unrelated failures.
- Fragility: Any changes to Dependabot's output format could cause silent failures or false positives.
Suggestions for improvement:
- Consider parsing Dependabot's structured output or exit codes if available, rather than text pattern matching.
- Add inline comments documenting the expected output format and which Dependabot version(s) this was validated against.
- Consider capturing a sample of Dependabot output (sanitized) for debugging if the step fails in production.
Can you verify that these regex patterns match actual Dependabot CLI output for the versions you're using? If possible, consider creating a test matrix or documentation showing example output.
137-158: Document the success condition edge case.
The logic treats an exit code of 0 as success (line 158) without checking whether the output contains known failures. This could mask issues where Dependabot partially succeeds but also encounters known private dependency authentication failures.
If this is intentional (i.e., Dependabot returns 0 on partial success), add a comment explaining this behavior. Otherwise, consider whether the known-failures check should also apply when exit code is 0.
📒 Files selected for processing (1)
.github/workflows/extension-automated-release.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/extension-automated-release.yml (2)
102-108: Verify consistency of `repositories` parameter removal across get-token steps.
The `repositories` parameter has been removed from the `get-token` step in `run-extensions-dependabot` (lines 102-108), but it remains in other jobs (`update-pom` at line 190 and `release-draft-releases` at line 302). This inconsistency should either be intentional or normalized. If intentional, document why this step alone doesn't need the repositories restriction. If not, consider whether removing it affects the security posture (least-privilege principle) or token access scope.
130-135: Output capturing approach is sound.
The use of `set +e`/`set -e` to capture both exit code and output (lines 130-135) is the correct pattern. Echoing the output immediately (line 135) maintains good observability for debugging workflow failures.
This pull request improves the robustness of the automated release workflow for extensions by enhancing error handling and logging during the Dependabot update process. The main focus is to ensure that known authentication failures with private dependencies do not cause the workflow to fail, while still surfacing unexpected errors.
Dependabot update workflow improvements:
- Updated .github/workflows/extension-automated-release.yml to capture output and exit codes, allowing for more granular error handling and improved logging.
- Added handling for known private-dependency authentication failures (com.simba.googlebigquery.jdbc:GoogleBigQueryJDBC42, com.liquibase:liquibase-extension-testing), allowing the workflow to continue if only these are affected, and providing clear warnings to update them manually if needed.
- Removed the repositories parameter from the app-id step, likely as part of workflow simplification.