Fix release workflow for ae installer#65
Conversation
📝 WalkthroughUpdated the release workflow to support the ae installer end to end.
WalkthroughThis pull request adds support for building and releasing a new Changes
Sequence Diagram(s)sequenceDiagram
participant Release as release.yml
participant Docker as build-images job
participant Helm as publish-chart job
participant GHCR as GHCR Registry
Release->>Docker: build ae-installer image from Dockerfile
Docker->>GHCR: push ae-installer image
Release->>Helm: package wso2-ae-installer chart
Helm->>GHCR: push wso2-ae-installer-*.tgz
Related Issues: None specified. Related PRs: None specified. Suggested labels: ci, release, helm-charts Suggested reviewers: None specified. Poem 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/build-images.yml (1)
75-91: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winCheckout does not disable credential persistence.
The new
ae-installerjob's checkout step doesn't setpersist-credentials: false, matching the flag raised by static analysis. Same pattern exists in theasdlc-consolejob above, but since it's a build-only job with no need to push, disabling persistence reduces unnecessary credential exposure on the runner.🔒 Proposed fix
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build-images.yml around lines 75 - 91, The checkout step in the ae-installer job is persisting Git credentials unnecessarily. Update the actions/checkout step in this job to explicitly disable credential persistence with persist-credentials set to false, matching the safe pattern used elsewhere in the workflow and keeping the build-only job from retaining push-capable credentials on the runner.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/build-images.yml:
- Around line 75-91: The checkout step in the ae-installer job is persisting Git
credentials unnecessarily. Update the actions/checkout step in this job to
explicitly disable credential persistence with persist-credentials set to false,
matching the safe pattern used elsewhere in the workflow and keeping the
build-only job from retaining push-capable credentials on the runner.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: c0a4d173-bd22-4a22-a415-42647ad4e179
📒 Files selected for processing (3)
.github/scripts/update-versions.sh.github/workflows/build-images.yml.github/workflows/release.yml
Purpose
Goals
Approach
User stories
Release note
Documentation
Training
Certification
Marketing
Automation tests
Security checks
Samples
Related PRs
Migrations (if applicable)
Test environment
Learning