ci: ensure the check-for-changes checks previous deployed version

[arealmaas]

Description

Related Issue(s)

• Ensure proper diff when releasing to staging, yt and production #1333

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

• Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

Summary by CodeRabbit

• New Features

  • Introduced a new workflow for retrieving the latest deployed version information from GitHub.
  • Added new jobs to enhance version management during deployments.

• Bug Fixes

  • Improved job dependencies to ensure correct version retrieval before deployment.
  • Updated conditions for job execution to reflect infrastructure changes accurately.

• Documentation

  • Updated input parameters and outputs for the check-for-changes job to better differentiate between infrastructure and application changes.

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

The pull request introduces significant updates to multiple CI/CD workflow files within the GitHub Actions framework. Key changes include the addition of a new job, get-versions-from-github, which fetches the latest deployed version information and serves as a prerequisite for the check-for-changes job. New jobs for storing infrastructure and application versions are also implemented, enhancing the overall control flow by establishing dependencies among jobs to ensure correct version management during deployments.

Changes

File Path	Change Summary
.github/workflows/ci-cd-prod.yml	- Added jobs: get-versions-from-github, store-infra-version, store-apps-version
	- Updated job: check-for-changes (depends on get-versions-from-github)
	- Updated jobs: dry-run-deploy-infra, deploy-infra, dry-run-deploy-apps, deploy-apps (use version output from get-current-version)
.github/workflows/ci-cd-staging.yml	- Added jobs: get-versions-from-github, store-infra-version, store-apps-version
	- Updated job: publish (redefined position and dependencies)
.github/workflows/ci-cd-yt01.yml	- Added jobs: get-versions-from-github, store-infra-version, store-apps-version
	- Updated job: check-for-changes (depends on get-versions-from-github)
	- Updated jobs: publish, deploy-infra (use version output from get-current-version)
.github/workflows/dispatch-apps.yml	- Removed job: check-for-changes (now depends only on generate-git-short-sha and get-current-version)
.github/workflows/workflow-check-for-changes.yml	- Added inputs: infra_base_sha, apps_base_sha
	- Updated outputs in check-for-changes job to reference new filtering step filter-backend
.github/workflows/workflow-get-latest-deployed-version-info-from-github.yml	- Added workflow to retrieve latest deployed version info with outputs: infra_version_sha, apps_version_sha

Possibly related PRs

• chore: add additional filter for backend check changes #1170: Modifies the check-for-changes job to depend on outputs from get-versions-from-github, indicating a direct relationship in workflow changes.
• ci: ensure unique revisions for deployments #1211: Updates the deploy-infra job to check for hasInfraChanges, aligning with changes made in the main PR regarding job dependencies and conditions.
• ci: alert on pipelines failing #1246: Introduces a send-slack-message job, enhancing the notification mechanism for failures in the CI/CD process, similar to changes in the main PR.
• ci: add status for build and test #1284: Adds a status for the build and test job in the send-slack-message job, relating to overall enhancements in job reporting and notifications seen in the main PR.
• ci: rename jobs to something generic #1292: Renames jobs for clarity, relevant to the overall organization and structure of the CI/CD workflows, similar to changes made in the main PR.

Suggested reviewers

• oskogstad
• knuhau

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between f114ca3 and 33a986b.

📒 Files selected for processing (1)

• .github/workflows/ci-cd-yt01.yml (4 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/ci-cd-yt01.yml

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 10

🧹 Outside diff range and nitpick comments (4)

.github/workflows/dispatch-apps.yml (1)

31-33: Document the workflow's inputs and outputs

The new get-currently-released-version job's purpose is clear from its name, but its outputs and how they're used in the workflow should be documented.

Add a comment block above the job to document:

• What version information it retrieves
• What outputs it produces
• How these outputs are used in the workflow

+  # Retrieves the currently deployed version for the target environment
+  # Outputs:
+  #   - current_version: The version currently deployed in the target environment
+  # Used by:
+  #   - check-for-changes: To verify if deployment is needed
   get-currently-released-version:
     name: Get currently released version
     uses: ./.github/workflows/workflow-get-currently-released-version.yml

🧰 Tools

🪛 actionlint

33-33: could not read reusable workflow file for "./.github/workflows/workflow-get-currently-released-version.yml": open /cache/16/5149c710-f89f-4a8a-bbc4-e7120d25035d/home/jailuser/git/.github/workflows/workflow-get-currently-released-version.yml: no such file or directory

(workflow-call)

.github/workflows/workflow-check-for-changes.yml (1)

Line range hint 1-74: Well-architected separation of infrastructure and application change detection.

The workflow's new architecture effectively separates infrastructure and application change detection by:

1. Using distinct base SHAs for version comparison
2. Maintaining separate filtering steps
3. Properly organizing outputs based on change type

This separation allows for more precise control over what gets deployed and when, reducing the risk of unnecessary deployments.

Consider documenting this architecture decision in an ADR (Architecture Decision Record) to explain the rationale behind separating infrastructure and application change detection.

🧰 Tools

🪛 yamllint

[error] 78-78: trailing spaces

(trailing-spaces)

.github/workflows/ci-cd-yt01.yml (1)

21-25: LGTM! Robust version comparison implementation.

The changes ensure that the workflow compares against the last deployed version rather than an arbitrary base, which is a more reliable approach for detecting relevant changes.

Consider documenting this version comparison strategy in the repository's documentation to help other developers understand the CI/CD workflow's behavior.

.github/workflows/ci-cd-staging.yml (1)

21-21: Well-implemented version comparison logic.

The changes effectively implement the requirement to check against previously deployed versions by using the SHA outputs from the version retrieval job.

Consider documenting the version comparison strategy in the repository's documentation to help maintainers understand:

• How versions are tracked across environments
• When and why version comparisons are performed
• What triggers infrastructure vs. application deployments

Also applies to: 23-25

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e31c08b and 8400999.

📒 Files selected for processing (6)

• .github/workflows/ci-cd-prod.yml (3 hunks)
• .github/workflows/ci-cd-staging.yml (3 hunks)
• .github/workflows/ci-cd-yt01.yml (3 hunks)
• .github/workflows/dispatch-apps.yml (1 hunks)
• .github/workflows/workflow-check-for-changes.yml (2 hunks)
• .github/workflows/workflow-get-latest-deployed-versions-from-github.yml (1 hunks)

🧰 Additional context used

🪛 actionlint

.github/workflows/dispatch-apps.yml

33-33: could not read reusable workflow file for "./.github/workflows/workflow-get-currently-released-version.yml": open /cache/16/5149c710-f89f-4a8a-bbc4-e7120d25035d/home/jailuser/git/.github/workflows/workflow-get-currently-released-version.yml: no such file or directory

(workflow-call)

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml

33-33: shellcheck reported issue in this script: SC2086:info:1:146: Double quote to prevent globbing and word splitting

(shellcheck)

---

38-38: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

---

44-44: shellcheck reported issue in this script: SC2086:info:1:145: Double quote to prevent globbing and word splitting

(shellcheck)

---

49-49: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (14)

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml (2)

18-25: LGTM!

The job configuration and output mapping are well-structured.

---

10-16: Verify workflow output usage

Let's verify that the workflow outputs are properly consumed by the calling workflows.

✅ Verification successful

Based on the results, I can now generate the final response as we have clear evidence of how the workflow outputs are being used.

Workflow outputs are properly consumed across CI/CD workflows

The verification confirms that the workflow outputs infra_version_sha and apps_version_sha are:

• Called by three CI/CD workflows: ci-cd-yt01.yml, ci-cd-staging.yml, and ci-cd-prod.yml
• Correctly referenced in all workflows using the proper syntax: needs.get-versions-from-github.outputs.<output_name>
• Used consistently across all environments (yt01, staging, prod)

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the workflow outputs are properly used in other workflows

# Test: Search for workflow calls and output usage
echo "Checking workflow calls and output usage..."
rg -A 5 "uses: \./.github/workflows/workflow-get-latest-deployed-versions-from-github\.yml" .github/workflows/
rg "needs.*get-versions-from-github.*outputs\.(infra|apps)_version_sha" .github/workflows/

Length of output: 2141

.github/workflows/workflow-check-for-changes.yml (2)

5-13: LGTM! Well-structured input parameters.

The addition of separate base SHAs for infrastructure and application changes provides good separation of concerns and enables precise change detection against previously deployed versions.

---

39-44: Verify the output mappings are correctly configured.

The outputs are now split between filter and filter-backend steps. Let's verify the mapping is correct:

• Infrastructure changes (hasAzureChanges) → filter
• Application changes (backend, tests, schema, migration) → filter-backend

✅ Verification successful

Let me generate new shell scripts to better verify the output mappings.

This will help us see:

1. The complete workflow file to understand the context
2. The path patterns defined for each filter to verify if they align with the output mappings
3. Whether the outputs are correctly mapped to their respective filter steps based on the nature of the changes they track

---

Now I have enough information to verify the output mappings. Let me generate the final response.

Output mappings are correctly configured

The output mappings in the workflow file are properly aligned with their respective filter steps:

Infrastructure changes (using filter step):

• hasAzureChanges → correctly maps to steps.filter.outputs.azure_any_modified
• hasSlackNotifierChanges → correctly maps to steps.filter.outputs.slackNotifier_any_modified

Application changes (using filter-backend step):

• hasBackendChanges → correctly maps to steps.filter-backend.outputs.backend_any_modified
• hasTestChanges → correctly maps to steps.filter-backend.outputs.tests_any_modified
• hasSchemaChanges → correctly maps to steps.filter-backend.outputs.schema_any_modified
• hasMigrationChanges → correctly maps to steps.filter-backend.outputs.migration_any_modified

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the output mappings align with the file patterns in both filter steps

# Test 1: Check if any backend-related outputs reference the 'filter' step instead of 'filter-backend'
echo "Checking for incorrect backend output mappings..."
rg -A 1 'hasBackendChanges|hasTestChanges|hasSchemaChanges|hasMigrationChanges' | rg 'steps.filter.outputs'

# Test 2: Check if infrastructure-related outputs reference 'filter-backend' instead of 'filter'
echo "Checking for incorrect infrastructure output mappings..."
rg -A 1 'hasAzureChanges|hasSlackNotifierChanges' | rg 'steps.filter-backend.outputs'

Length of output: 425

---

Script:

#!/bin/bash
# Let's directly examine the workflow file content to verify the mappings

# Check the content of the workflow file
echo "=== Workflow file content ==="
cat .github/workflows/workflow-check-for-changes.yml

# Also check for any path filters defined
echo -e "\n=== Path filters defined ==="
rg "paths:" .github/workflows/workflow-check-for-changes.yml -A 10

Length of output: 3176

.github/workflows/ci-cd-yt01.yml (3)

94-103: ⚠️ Potential issue

Apply the same permissions and error handling improvements.

This job has the same requirements as the store-infra-version job above.

Please apply the same permissions and error handling improvements as suggested for the store-infra-version job.

---

13-18: LGTM! Verify the reusable workflow exists.

The version retrieval setup is well-structured and follows GitHub Actions best practices by using a reusable workflow.

Let's verify the referenced workflow file exists:

✅ Verification successful

Let me try a different approach to verify the existence of the reusable workflow file.

This script uses fd to search for the file and display its contents if found, which will give us more confidence about the workflow's existence and implementation.

---

✓ Reusable workflow exists and is properly implemented

The reusable workflow .github/workflows/workflow-get-latest-deployed-versions-from-github.yml exists and is well-structured with:

• Proper workflow_call trigger configuration
• Required environment input parameter
• Clear output definitions for both infra and apps versions
• Comprehensive implementation to fetch and process version information

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the reusable workflow file exists
if [ -f ".github/workflows/workflow-get-latest-deployed-versions-from-github.yml" ]; then
    echo "✓ Reusable workflow file exists"
else
    echo "✗ Missing reusable workflow file"
fi

Length of output: 248

---

Script:

#!/bin/bash
# Search for the workflow file using fd
fd "workflow-get-latest-deployed-versions-from-github.yml" .github/workflows/

# If found, show its content
if fd "workflow-get-latest-deployed-versions-from-github.yml" .github/workflows/ -x cat {};
then
    echo "File found and displayed above"
else
    echo "File not found"
fi

Length of output: 2257

---

Line range hint 13-103: Verify GitHub variable access across environments.

The workflow's version management implementation is solid, but we should verify that the GitHub variables are accessible in all required environments.

Let's check the variable accessibility:

✅ Verification successful

Let me try a different approach to verify the GitHub variables usage and workflow structure.

---

Based on the comprehensive workflow analysis, I can now provide a final verification response:

GitHub variable management is properly implemented with necessary safeguards

The workflow implementation is robust with:

• Proper version management through get-current-version and get-latest-deployed-versions-from-github workflows
• Clear output definitions in the dependent workflows
• Correct variable persistence through store-infra-version and store-apps-version jobs
• Appropriate conditional execution based on version and change detection

The initial concern about GitHub variable accessibility is addressed by the workflow design:

• Variables are written only after successful deployments
• The store-infra-version and store-apps-version jobs have proper conditional checks (if: ${{ needs.deploy-*.result == 'success' }})
• Version retrieval is handled by a dedicated reusable workflow with proper error handling

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify GitHub variable accessibility
# Note: This will only show if the variables exist, not their values

echo "Checking GitHub variables for YT01 environment..."
gh variable list --repo ${{ github.repository }} | grep -E "INFRA_VERSION_YT01|APPS_VERSION_YT01"

Length of output: 248

---

Script:

#!/bin/bash
# Let's check all workflow files that are referenced in ci-cd-yt01.yml
echo "Checking referenced workflow files..."
fd "workflow-.*\.yml" .github/workflows/

# Let's also verify the structure and dependencies of these workflows
echo -e "\nChecking workflow content for variable usage..."
for file in $(fd "workflow-.*\.yml" .github/workflows/); do
  echo -e "\n=== $file ==="
  grep -A 2 "outputs\|variables\|env:" "$file" || true
done

Length of output: 11700

.github/workflows/ci-cd-staging.yml (4)

59-69: LGTM! Publish job correctly positioned and configured.

The job maintains proper dependencies while being repositioned in the workflow sequence.

---

94-103: ⚠️ Potential issue

Add required permissions for GitHub CLI operation.

Similar to the infrastructure version storage job, this job needs GitHub variable write permissions.

Apply the same permission fix as suggested for the store-infra-version job.

---

Line range hint 13-103: Verify the complete job dependency chain.

The workflow changes implement comprehensive version tracking, but let's verify all job dependencies are correctly ordered.

#!/bin/bash
# Description: Verify job dependencies in the workflow file
# Extract and analyze job dependencies to ensure correct ordering

# Look for any circular dependencies or missing jobs in needs arrays
rg "needs: \[.*\]" .github/workflows/ci-cd-staging.yml -A 1

# Verify all referenced jobs exist
rg "^[[:space:]]+\w+:" .github/workflows/ci-cd-staging.yml

---

13-18: LGTM! Well-structured version retrieval implementation.

Good use of reusable workflow pattern. The job is correctly positioned as an initial step and properly parameterized for environment-specific usage.

Let's verify the referenced workflow exists:

✅ Verification successful

Let me generate another script to verify the existence and content of the reusable workflow:

This will help us verify both the existence and implementation of the reusable workflow that's being referenced. The previous output only showed us the dependencies and structure of the staging workflow, but we need to confirm the actual reusable workflow exists and is properly implemented.

---

Reusable workflow implementation verified and properly structured

The referenced workflow ./.github/workflows/workflow-get-latest-deployed-versions-from-github.yml exists and is correctly implemented with:

• Proper input parameters for environment specification
• Well-defined outputs for both infra and apps version SHAs
• Correct GitHub API usage to fetch version variables
• Appropriate git commands to resolve version tags to SHAs

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the reusable workflow file exists and contains version retrieval logic
fd -e yml -e yaml "workflow-get-latest-deployed-versions-from-github" .github/workflows/

Length of output: 7382

---

Script:

#!/bin/bash
# Check if the reusable workflow exists and examine its content
fd -e yml -e yaml "workflow-get-latest-deployed-versions-from-github" .github/workflows/ -x cat {}

Length of output: 2047

.github/workflows/ci-cd-prod.yml (3)

Line range hint 13-135: LGTM! Job dependencies are well-structured.

The changes to job dependencies create a clear and logical flow:

1. Get versions from GitHub
2. Check for changes using retrieved versions
3. Deploy and store new versions

The conditional logic ensures that jobs run only when necessary, and the workflow maintains backward compatibility.

---

126-135: ⚠️ Potential issue

Apply the same permissions and error handling improvements.

This job needs the same improvements as the store-infra-version job regarding permissions and error handling.

Please apply the same changes as suggested for the store-infra-version job.

---

13-18: LGTM! Version retrieval implementation looks solid.

The new version retrieval job and its integration with the check-for-changes job is well-structured. The environment parameter is correctly passed, and the output variables are properly referenced.

Let's verify the reusable workflow exists and has the expected interface:

Also applies to: 21-25

✅ Verification successful

Let me generate another script to verify the existence and interface of the reusable workflow file itself:

This will help us verify:

1. The reusable workflow file exists
2. It accepts the environment input parameter
3. It provides the expected outputs (infra_version_sha and apps_version_sha)

---

✅ Reusable workflow implementation is correct and properly integrated

The verification confirms that:

1. The reusable workflow file exists and is properly implemented
2. It correctly accepts the required environment input parameter
3. It provides the expected outputs (infra_version_sha and apps_version_sha)
4. The workflow is consistently used across all environments (prod, staging, yt01)
5. The job dependencies and output references in the calling workflows are correctly configured

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the reusable workflow file exists and contains the expected inputs/outputs
rg -A 10 "workflow-get-latest-deployed-versions-from-github.yml" .github/workflows/

Length of output: 2555

---

Script:

#!/bin/bash
# Check if the reusable workflow file exists and examine its content
cat .github/workflows/workflow-get-latest-deployed-versions-from-github.yml

Length of output: 2024

[coderabbitai]

Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (2)

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml (1)

7-7: Improve environment parameter description

The description should explicitly list the allowed values to make it clearer for users.

-        description: "Environment to get latest deployed versions for (e.g., staging, prod, yt01)"
+        description: "Target environment (allowed values: staging, prod, yt01)"

.github/workflows/ci-cd-prod.yml (1)

Line range hint 13-135: Well-structured version management workflow.

The overall architecture of the version management system is well-designed with:

• Clear separation between infrastructure and application versions
• Proper job dependencies ensuring correct execution order
• Conditional execution based on detected changes
• Environment-specific version management

The implementation provides a robust foundation for tracking deployment versions.

Consider adding a cleanup job to maintain the version history, preventing the accumulation of old versions in GitHub variables.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 8400999 and f3c4172.

📒 Files selected for processing (5)

• .github/workflows/ci-cd-prod.yml (3 hunks)
• .github/workflows/ci-cd-staging.yml (3 hunks)
• .github/workflows/ci-cd-yt01.yml (3 hunks)
• .github/workflows/workflow-check-for-changes.yml (2 hunks)
• .github/workflows/workflow-get-latest-deployed-versions-from-github.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/workflow-check-for-changes.yml

🧰 Additional context used

🪛 actionlint

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml

33-33: shellcheck reported issue in this script: SC2086:info:1:168: Double quote to prevent globbing and word splitting

(shellcheck)

---

38-38: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

---

44-44: shellcheck reported issue in this script: SC2086:info:1:167: Double quote to prevent globbing and word splitting

(shellcheck)

---

49-49: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (11)

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml (1)

19-24: LGTM! Job configuration follows best practices

The job outputs are properly defined and mapped to their respective step outputs.

.github/workflows/ci-cd-yt01.yml (4)

20-25: LGTM! Proper integration with version management.

The changes correctly implement the PR objective by ensuring that check-for-changes compares against the previously deployed versions.

---

60-69: ⚠️ Potential issue

Add missing permissions and error handling.

The job configuration needs the following improvements:

1. Add required permissions for GitHub CLI operations
2. Add error handling for the gh CLI command

Apply this diff to address the issues:

   store-infra-version:
     name: Store Latest Deployed Infra Version as GitHub Variable
     runs-on: ubuntu-latest
+    permissions:
+      repository-variables: write
     needs: [deploy-infra, get-current-version]
     if: ${{ needs.deploy-infra.result == 'success' }}
     steps:
       - name: Set GitHub variable for latest deployed infra version
         run: |
-          gh variable set LATEST_DEPLOYED_INFRA_VERSION "${{ needs.get-current-version.outputs.version }}" --repo ${{ github.repository }} --env yt01
+          if ! gh variable set LATEST_DEPLOYED_INFRA_VERSION "${{ needs.get-current-version.outputs.version }}" --repo ${{ github.repository }} --env yt01; then
+            echo "Failed to set GitHub variable for infra version"
+            exit 1
+          fi

---

94-103: ⚠️ Potential issue

Add missing permissions and error handling.

This job has the same issues as the store-infra-version job.

Apply this diff to address the issues:

   store-apps-version:
     name: Store Latest Deployed Apps Version as GitHub Variable
     runs-on: ubuntu-latest
+    permissions:
+      repository-variables: write
     needs: [deploy-apps, get-current-version]
     if: ${{ needs.deploy-apps.result == 'success' }}
     steps:
       - name: Set GitHub variable for latest deployed apps version
         run: |
-          gh variable set LATEST_DEPLOYED_APPS_VERSION "${{ needs.get-current-version.outputs.version }}" --repo ${{ github.repository }} --env yt01
+          if ! gh variable set LATEST_DEPLOYED_APPS_VERSION "${{ needs.get-current-version.outputs.version }}" --repo ${{ github.repository }} --env yt01; then
+            echo "Failed to set GitHub variable for apps version"
+            exit 1
+          fi

---

13-18: LGTM! Verify the reusable workflow exists.

The job configuration looks good, using a reusable workflow to fetch versions with proper environment specification.

Let's verify the referenced workflow file exists:

✅ Verification successful

✓ Reusable workflow exists and is properly referenced

The workflow file .github/workflows/workflow-get-latest-deployed-versions-from-github.yml exists and is consistently used across multiple environments (staging, yt01, prod), indicating proper reuse of the workflow.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the reusable workflow file exists
if ! [ -f .github/workflows/workflow-get-latest-deployed-versions-from-github.yml ]; then
    echo "Error: Referenced workflow file does not exist"
    exit 1
fi

Length of output: 84

---

Script:

#!/bin/bash
# Let's try using fd to search for the workflow file
fd "workflow-get-latest-deployed-versions-from-github.yml" .github/workflows/

# Also check with ripgrep to find any references to this workflow
rg -l "workflow-get-latest-deployed-versions-from-github" .github/workflows/

Length of output: 328

.github/workflows/ci-cd-staging.yml (4)

13-18: LGTM: Well-structured version retrieval job.

The job correctly uses a reusable workflow to fetch deployed versions and provides them as outputs for downstream jobs.

---

21-25: LGTM: Proper version comparison setup.

The job correctly uses the retrieved version SHAs to compare changes against the actual deployed versions, improving the accuracy of change detection.

---

49-58: Add required permissions for GitHub CLI operation.

The job is missing required permissions to set GitHub variables.

Add the following permission block to the job:

  store-infra-version:
    name: Store Latest Deployed Infra Version as GitHub Variable
    runs-on: ubuntu-latest
    needs: [deploy-infra, get-current-version]
    if: ${{ needs.deploy-infra.result == 'success' }}
+   permissions:
+     repository-variables: write
    steps:
      - name: Set GitHub variable for latest deployed infra version

---

59-69: LGTM: Job position change maintains workflow integrity.

The publish job's repositioning doesn't affect its functionality, and all dependencies are correctly maintained.

.github/workflows/ci-cd-prod.yml (2)

21-25: LGTM! Well-structured dependency and version comparison.

The changes correctly establish the dependency on version retrieval and properly utilize the version SHAs for change detection.

---

68-77: Previous review comments are still applicable.

The implementation needs the same improvements mentioned in the previous review regarding permissions and error handling.

[coderabbitai]

Actionable comments posted: 4

🧹 Outside diff range and nitpick comments (1)

.github/workflows/ci-cd-pull-request.yml (1)

8-51: Consider adding cleanup job.

The workflow sets mock versions but doesn't clean them up after testing. This could potentially affect subsequent workflow runs.

Consider adding a cleanup job that runs even if previous steps fail:

cleanup-mock-versions:
  name: Cleanup Mock Versions
  if: always()
  needs: [echo-verified-versions]
  runs-on: ubuntu-latest
  permissions:
    variables: write
  steps:
    - name: Remove Mock Variables
      run: |
        gh variable delete LATEST_DEPLOYED_INFRA_VERSION --repo ${{ github.repository }} --env test
        gh variable delete LATEST_DEPLOYED_APPS_VERSION --repo ${{ github.repository }} --env test

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between f3c4172 and 8e76b7b.

📒 Files selected for processing (1)

• .github/workflows/ci-cd-pull-request.yml (1 hunks)

[coderabbitai]

Actionable comments posted: 6

🧹 Outside diff range and nitpick comments (5)

.github/workflows/ci-cd-pull-request.yml (2)

18-18: Remove trailing whitespace.

There is trailing whitespace on line 18.

-    
+

🧰 Tools

🪛 yamllint

[error] 18-18: trailing spaces

(trailing-spaces)

---

Line range hint 1-3: Add workflow documentation.

Consider adding a comment block at the top of the workflow to explain:

• The purpose of this mock deployment workflow
• Why it's needed for pull requests
• How it relates to the actual deployment process

 name: CI/CD Pull Request
 
+# This workflow simulates the deployment process in pull requests by:
+# 1. Retrieving the latest deployed versions from GitHub variables
+# 2. Performing a mock deployment with test versions
+# 3. Verifying the version storage and retrieval mechanism
+# This ensures the version tracking system works correctly without actual deployments.
+
 on:
   pull_request:
     branches: [main]

🧰 Tools

🪛 yamllint

[error] 18-18: trailing spaces

(trailing-spaces)

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml (1)

1-2: Consider adding workflow documentation.

Since this workflow plays a crucial role in version management and is a prerequisite for the check-for-changes job, consider adding a comment block at the top of the file explaining:

• The workflow's role in the broader CI/CD process
• How it integrates with other workflows
• The format and significance of the version variables it retrieves

Example:

# This reusable workflow retrieves the latest deployed versions of infrastructure and applications
# from GitHub Variables. It's used as a prerequisite for the check-for-changes job to determine
# what needs to be deployed.
#
# Integration:
# 1. Called by ci-cd-*.yml workflows before the check-for-changes job
# 2. Retrieves LATEST_DEPLOYED_*_VERSION variables set during previous deployments
# 3. Outputs the corresponding git SHAs for version comparison

.github/workflows/ci-cd-yt01.yml (1)

13-20: Add explicit permissions for GitHub token.

While the job structure is good, it's recommended to explicitly define the required permissions for the GitHub token to follow the principle of least privilege.

Add these permissions to the reusable workflow:

 get-versions-from-github:
   name: Get Latest Deployed Versions from GitHub Variables
+  permissions:
+    repository-variables: read
   uses: ./.github/workflows/workflow-get-latest-deployed-versions-from-github.yml

.github/workflows/ci-cd-staging.yml (1)

Line range hint 13-107: Well-structured version management implementation.

The workflow changes successfully implement version tracking and comparison by:

1. Retrieving previous versions at the start
2. Using these versions for change detection
3. Storing new versions after successful deployments

This creates a robust version management system that ensures proper tracking of deployed versions across environments.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 8e76b7b and e94ce27.

📒 Files selected for processing (5)

• .github/workflows/ci-cd-prod.yml (3 hunks)
• .github/workflows/ci-cd-pull-request.yml (1 hunks)
• .github/workflows/ci-cd-staging.yml (3 hunks)
• .github/workflows/ci-cd-yt01.yml (3 hunks)
• .github/workflows/workflow-get-latest-deployed-versions-from-github.yml (1 hunks)

🧰 Additional context used

🪛 yamllint

.github/workflows/ci-cd-pull-request.yml

[error] 18-18: trailing spaces

(trailing-spaces)

🪛 actionlint

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml

39-39: shellcheck reported issue in this script: SC2086:info:1:168: Double quote to prevent globbing and word splitting

(shellcheck)

---

44-44: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

---

50-50: shellcheck reported issue in this script: SC2086:info:1:167: Double quote to prevent globbing and word splitting

(shellcheck)

---

55-55: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (12)

.github/workflows/workflow-get-latest-deployed-versions-from-github.yml (1)

21-36: LGTM! Well-structured job setup.

The job configuration is correct with proper environment setup and full history checkout, which is necessary for version retrieval.

.github/workflows/ci-cd-yt01.yml (4)

22-27: LGTM! Well-structured version comparison.

The changes correctly implement version comparison by using the SHA outputs from the previous deployed versions.

---

62-73: ⚠️ Potential issue

Add error handling for GitHub CLI operation.

The GitHub CLI command should include error handling to ensure the version is set correctly.

---

Line range hint 8-9: Verify concurrency group configuration.

The current concurrency group ${{ github.workflow }}-${{ github.ref_name }} is good for preventing parallel runs of the same workflow on the same ref. However, since this workflow updates shared GitHub variables, consider if you need additional concurrency groups to prevent race conditions with other workflows that might update the same variables.

#!/bin/bash
# Description: Find all workflows that might update the same GitHub variables
# to identify potential race conditions.

echo "Searching for workflows that update LATEST_DEPLOYED_INFRA_VERSION or LATEST_DEPLOYED_APPS_VERSION..."
rg --type yaml 'LATEST_DEPLOYED_(INFRA|APPS)_VERSION' .github/workflows/

---

98-109: Verify consistent implementation across version storage operations.

This job has the same structure as store-infra-version. Let's verify if there are other version storage operations that need similar improvements.

✅ Verification successful

Consistent implementation confirmed across version storage operations

The search results show that the version storage pattern is consistently implemented across all CI/CD workflows:

• All environments (staging, yt01, prod, test) use the same pattern
• Both infrastructure and application version storage follow identical implementation
• The pattern is also consistently used in the workflow for retrieving versions

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Find all GitHub variable set operations in workflow files
# to ensure consistent implementation across the codebase.

echo "Searching for GitHub variable set operations in workflow files..."
rg --type yaml 'gh variable set' .github/workflows/

Length of output: 2288

.github/workflows/ci-cd-staging.yml (5)

23-23: LGTM! Proper version comparison setup.

The job correctly uses the retrieved version SHAs to compare changes against previously deployed versions.

Also applies to: 25-27

---

51-62: Add required permissions for GitHub variables.

The job is missing required permissions to set GitHub variables, as noted in previous reviews.

---

63-73: LGTM! Proper job configuration.

The publish job is correctly configured with appropriate dependencies and conditions.

---

96-107: Add required permissions for GitHub variables.

The job is missing required permissions to set GitHub variables, as noted in previous reviews.

---

13-20: LGTM! Verify workflow file exists.

The new job correctly retrieves deployed versions from GitHub variables using a reusable workflow.

Let's verify the referenced workflow file exists:

✅ Verification successful

✓ Workflow file exists and is properly referenced

The reusable workflow file .github/workflows/workflow-get-latest-deployed-versions-from-github.yml exists in the repository and is correctly referenced in the staging CI/CD workflow.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the reusable workflow file exists
test -f .github/workflows/workflow-get-latest-deployed-versions-from-github.yml || echo "Missing workflow file"

Length of output: 81

---

Script:

#!/bin/bash
# Let's try using fd to search for the workflow file with a more flexible pattern
fd "workflow.*deployed.*versions.*github.*yml" .github/workflows/

# Also list all workflow files to see if it might have a different name
fd ".*\.ya?ml" .github/workflows/

# Use ripgrep to find any references to this workflow in other files
rg -l "workflow-get-latest-deployed-versions-from-github"

Length of output: 1334

.github/workflows/ci-cd-prod.yml (2)

22-27: LGTM! Changes align with PR objectives.

The modifications correctly integrate version checking against previously deployed versions, improving the reliability of change detection.

---

Line range hint 13-141: Verify the workflow's version management integration.

The workflow changes successfully implement version tracking and comparison, but please verify:

1. The reusable workflow .github/workflows/workflow-get-latest-deployed-versions-from-github.yml properly handles version retrieval failures
2. The version comparison in .github/workflows/workflow-check-for-changes.yml correctly uses the retrieved versions

✅ Verification successful

Version management integration is properly implemented

The workflow implementation shows robust version management with proper error handling:

1. The version retrieval workflow (workflow-get-latest-deployed-versions-from-github.yml) includes:

   • Fallback handling with empty string when variables don't exist
   • Proper SHA resolution from version tags
   • Clear output definitions for both infra and apps versions

2. The version comparison workflow (workflow-check-for-changes.yml) correctly:

   • Uses the retrieved SHAs as base references for change detection
   • Implements granular file change detection for different components
   • Properly propagates change detection results through outputs

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the existence and content of dependent workflows

# Check if the required workflow files exist
echo "Checking for required workflow files..."
for workflow in "workflow-get-latest-deployed-versions-from-github.yml" "workflow-check-for-changes.yml"; do
  if ! [ -f ".github/workflows/$workflow" ]; then
    echo "Missing required workflow: $workflow"
    exit 1
  fi
done

# Check version comparison logic in check-for-changes workflow
echo "Checking version comparison implementation..."
rg -A 5 "infra_version_sha|apps_version_sha" .github/workflows/workflow-check-for-changes.yml

Length of output: 646

---

Script:

#!/bin/bash
# Let's examine the content of both workflows to understand their implementation

echo "=== Content of workflow-get-latest-deployed-versions-from-github.yml ==="
cat .github/workflows/workflow-get-latest-deployed-versions-from-github.yml

echo -e "\n=== Content of workflow-check-for-changes.yml ==="
cat .github/workflows/workflow-check-for-changes.yml

Length of output: 5498

[arealmaas]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (2)

.github/workflows/workflow-get-latest-deployed-version-info-from-github.yml (1)

32-35: Add a comment explaining the fetch-depth requirement.

The fetch-depth: 0 is correctly set to ensure full git history for version lookups, but it would be helpful to document this requirement.

  - name: Checkout repository
    uses: actions/checkout@v4
    with:
+     # Fetch full history for git rev-list operations
      fetch-depth: 0

.github/workflows/ci-cd-yt01.yml (1)

Workflow structure has missing referenced files

The verification revealed that some workflow files referenced in the CI/CD workflow are missing from the repository:

• workflow-deploy-function.yml
• workflow-run-k6-tests.yml
• workflow-send-ci-cd-status-slack-message.yml

These files are referenced in the workflow but not present in the .github/workflows/ directory, which will cause the workflow to fail when these jobs are triggered.

🔗 Analysis chain

Line range hint 1-109: Verify workflow structure and dependencies.

The workflow structure looks good with proper job dependencies and version management integration. Let's verify there are no circular dependencies or missing workflow files.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify workflow structure and dependencies

# Check if all referenced workflow files exist
echo "Checking referenced workflow files..."
for workflow in \
  "workflow-get-latest-deployed-version-info-from-github.yml" \
  "workflow-check-for-changes.yml" \
  "workflow-get-current-version.yml" \
  "workflow-publish.yml" \
  "workflow-deploy-infra.yml" \
  "workflow-deploy-apps.yml" \
  "workflow-deploy-function.yml" \
  "workflow-run-k6-tests.yml" \
  "workflow-send-ci-cd-status-slack-message.yml"
do
  if [ ! -f ".github/workflows/$workflow" ]; then
    echo "Missing workflow file: $workflow"
    exit 1
  fi
done

# Check for potential circular dependencies in workflow calls
echo "Checking for circular dependencies..."
rg -l "uses: \\./.github/workflows/" .github/workflows/ | while read -r file; do
  echo "Analyzing: $file"
  rg --no-filename "uses: \\./.github/workflows/([^'\"]+)" -or '$1' "$file"
done

Length of output: 7763

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between fc2d532 and 216c120.

📒 Files selected for processing (5)

• .github/workflows/ci-cd-prod.yml (3 hunks)
• .github/workflows/ci-cd-staging.yml (3 hunks)
• .github/workflows/ci-cd-yt01.yml (3 hunks)
• .github/workflows/dispatch-apps.yml (1 hunks)
• .github/workflows/workflow-get-latest-deployed-version-info-from-github.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/dispatch-apps.yml

🧰 Additional context used

🪛 actionlint

.github/workflows/workflow-get-latest-deployed-version-info-from-github.yml

40-40: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

---

47-47: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

🔇 Additional comments (13)

.github/workflows/workflow-get-latest-deployed-version-info-from-github.yml (2)

1-20: LGTM! Well-structured workflow definition.

The workflow metadata is well-organized with clear input validation, proper secret handling, and well-documented outputs.

---

1-49: Verify workflow integration in CI/CD configurations.

The workflow appears to be referenced by multiple CI/CD workflows. Let's verify the integration is consistent across all environments.

✅ Verification successful

Workflow integration is properly configured across all environments

The verification confirms that the workflow is correctly referenced in all expected CI/CD configurations:

• ci-cd-prod.yml: Uses correct environment "prod"
• ci-cd-staging.yml: Uses correct environment "staging"
• ci-cd-yt01.yml: Uses correct environment "yt01"

Each configuration properly provides the required inputs (environment) and secrets (GH_TOKEN) as specified in the workflow definition.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify workflow integration in CI/CD configurations
# Expected: Find references to this workflow in CI/CD files with correct inputs

echo "Checking workflow references in CI/CD configurations..."
rg -A 5 "workflow-get-latest-deployed-version-info-from-github" .github/workflows/ci-cd-*.yml

Length of output: 1624

🧰 Tools

🪛 actionlint

40-40: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

---

47-47: shellcheck reported issue in this script: SC2086:info:2:20: Double quote to prevent globbing and word splitting

(shellcheck)

.github/workflows/ci-cd-yt01.yml (1)

22-27: LGTM! Well-structured dependency chain.

The changes correctly integrate version comparison by using the SHA outputs from the get-versions-from-github job.

.github/workflows/ci-cd-staging.yml (5)

13-20: LGTM! Well-structured version fetching job.

The job correctly uses a reusable workflow with appropriate parameters and secrets for GitHub API operations.

---

23-23: LGTM! Proper version comparison setup.

The job correctly depends on and utilizes the version information from get-versions-from-github, enabling accurate change detection against the previously deployed version.

Also applies to: 25-27

---

51-62: Add required permissions for GitHub variable operations.

The job correctly stores the infrastructure version but is missing required permissions to set GitHub variables, as noted in a previous review.

---

63-73: LGTM! Well-structured publish job.

The job correctly uses a reusable workflow with appropriate dependencies, conditions, and version information.

---

96-107: ⚠️ Potential issue

Add required permissions and repository parameter.

Two issues need to be addressed:

1. Missing required permissions to set GitHub variables, as noted in a previous review.
2. The gh variable set command is missing the --repo parameter, unlike the infra version job.

Add the repository parameter to the command:

-          gh variable set LATEST_DEPLOYED_APPS_VERSION --body "${{ needs.get-current-version.outputs.version }}" --env staging
+          gh variable set LATEST_DEPLOYED_APPS_VERSION --body "${{ needs.get-current-version.outputs.version }}" --env staging --repo ${{ github.repository }}

.github/workflows/ci-cd-prod.yml (5)

13-20: LGTM with previous suggestions applied!

The job is correctly positioned as a prerequisite for the check-for-changes job, ensuring proper version comparison. Please implement the permissions improvements suggested in the previous review.

---

23-27: LGTM! Proper integration with version comparison.

The changes correctly integrate version comparison by:

1. Adding dependency on get-versions-from-github
2. Using the version SHA outputs for comparison

---

70-81: LGTM with previous suggestions applied!

The job is correctly positioned to run after successful infrastructure deployment. Please implement the error handling and permissions improvements suggested in the previous review.

---

130-141: LGTM with previous suggestions applied!

The job is correctly positioned to run after successful application deployment. Please implement the error handling and permissions improvements suggested in the previous review.

---

Line range hint 13-141: Verify the complete workflow execution.

The changes establish a robust version management system. Let's verify the workflow execution order and dependencies:

✅ Verification successful

Let me analyze the workflow dependencies further by checking the conditions and outputs usage.

---

Workflow execution order and dependencies are properly configured

The verification confirms:

• All referenced reusable workflows exist
• No circular dependencies are present
• Job dependencies follow a logical order:
  • Infrastructure deployment depends on version checks and change detection
  • App deployment depends on infrastructure deployment
  • Version storage jobs correctly depend on their respective deployment jobs
• Conditional execution is properly handled:
  • Changes are deployed only when relevant changes are detected or on manual trigger
  • Version storage only occurs after successful deployments
• Output references are valid and consistently used across jobs

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify workflow dependencies and job execution order

# Test 1: Check if the workflow file syntax is valid
echo "Validating workflow syntax..."
if ! gh workflow view "ci-cd-prod.yml" &>/dev/null; then
  echo "Error: Invalid workflow syntax"
  exit 1
fi

# Test 2: Check for circular dependencies
echo "Checking for circular dependencies..."
rg -A 1 "needs:" .github/workflows/ci-cd-prod.yml

# Test 3: Verify reusable workflow references
echo "Verifying reusable workflow references..."
for workflow in "workflow-get-latest-deployed-version-info-from-github.yml" "workflow-check-for-changes.yml" "workflow-deploy-infra.yml" "workflow-deploy-apps.yml"; do
  if ! [ -f ".github/workflows/$workflow" ]; then
    echo "Error: Referenced workflow $workflow not found"
    exit 1
  fi
done

Length of output: 2348

---

Script:

#!/bin/bash
# Check for output references and conditional dependencies
echo "Checking output references..."
rg "outputs\." .github/workflows/ci-cd-prod.yml

echo -e "\nChecking conditional job execution..."
rg "if: " .github/workflows/ci-cd-prod.yml

Length of output: 3031

[arealmaas]

@coderabbitai resume

[coderabbitai]

✅ Actions performed

Reviews resumed.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (3)

.github/workflows/ci-cd-pull-request.yml (1)

49-49: LGTM! Consider documenting the semantic change.

The condition update aligns with the previous change and maintains workflow consistency.

Consider adding a comment in the workflow files or documentation to explain the semantic difference between hasInfraChanges and the previous hasAzureChanges for future maintainers.

  dry-run-deploy-infra:
    name: Dry run deploy infrastructure
+   # Note: hasInfraChanges replaces hasAzureChanges to better represent infrastructure change detection
    uses: ./.github/workflows/workflow-deploy-infra.yml

.github/workflows/ci-cd-staging.yml (1)

Line range hint 13-107: Consider documenting the version management strategy.

The workflow implements a sophisticated version management system with multiple storage and retrieval operations. Consider adding workflow-level documentation explaining:

• The purpose and flow of version management
• When and how versions are updated
• The relationship between infrastructure and application versions
• The impact on deployment decisions

This would help future maintainers understand the version management strategy.

.github/workflows/ci-cd-prod.yml (1)

Line range hint 13-141: Consider adding workflow documentation.

The workflow changes introduce sophisticated version tracking and comparison. Consider adding documentation to:

1. Explain the version tracking strategy
2. Document the GitHub variables being used
3. Describe the deployment conditions and their implications

This documentation could be added either:

• As comments in the workflow file
• In the repository's docs directory
• In a separate PR to the Altinn Studio documentation

🧰 Tools

🪛 yamllint

[error] 32-32: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 216c120 and f114ca3.

📒 Files selected for processing (6)

• .github/workflows/ci-cd-main.yml (1 hunks)
• .github/workflows/ci-cd-prod.yml (4 hunks)
• .github/workflows/ci-cd-pull-request.yml (2 hunks)
• .github/workflows/ci-cd-staging.yml (3 hunks)
• .github/workflows/ci-cd-yt01.yml (5 hunks)
• .github/workflows/workflow-check-for-changes.yml (2 hunks)

🧰 Additional context used

📓 Learnings (1)

.github/workflows/ci-cd-yt01.yml (1)

Learnt from: arealmaas
PR: digdir/dialogporten#1346
File: .github/workflows/ci-cd-yt01.yml:98-109
Timestamp: 2024-10-29T14:05:09.791Z
Learning: In GitHub Actions workflows, the permission `administration: write` is required to modify repository variables.

🪛 yamllint

.github/workflows/ci-cd-prod.yml

[error] 32-32: trailing spaces

(trailing-spaces)

🪛 actionlint

.github/workflows/ci-cd-yt01.yml

79-79: unexpected end of input while parsing closing ')' of nexted expression (...). expecting ")"

(expression)

---

129-129: unexpected end of input while parsing closing ')' of nexted expression (...). expecting ")"

(expression)

🔇 Additional comments (20)

.github/workflows/workflow-check-for-changes.yml (5)

5-15: LGTM! Well-structured input parameters.

The new input parameters are properly defined with clear descriptions, appropriate defaults, and correct type specifications.

---

Line range hint 17-35: LGTM! Clear and consistent output definitions.

The renaming of hasAzureChanges to hasInfraChanges better reflects its purpose, and all outputs are properly mapped to their respective job outputs.

---

41-46: LGTM! Well-organized job output mappings.

The separation between infrastructure and application change detection is clear and properly implemented through distinct filter steps.

---

Line range hint 56-82: LGTM! Good separation of infrastructure and application change detection.

The implementation of separate base SHAs for infrastructure and application changes is a good approach for version control and change detection.

🧰 Tools

🪛 yamllint

[error] 80-80: trailing spaces

(trailing-spaces)

---

Line range hint 1-82: Verify the workflow usage in dependent workflows.

The changes support checking against previous deployed versions through the new base SHA inputs. Let's verify that the dependent workflows are properly passing these parameters.

✅ Verification successful

Base SHA parameters are correctly used in deployment workflows but missing in some cases

The verification reveals:

• Production, staging, and YT01 deployment workflows correctly use both infra_base_sha and apps_base_sha parameters
• Main, pull request, and release-please workflows don't pass these parameters, which is acceptable as they:
  • Don't need to compare against deployed versions
  • Are used for CI purposes where comparing against the PR base or main branch is sufficient

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the workflow is properly used in dependent workflows
# Expected: Find calls to this workflow with base SHA parameters

echo "Checking workflow usage in CI/CD workflows..."
rg -l "workflow-check-for-changes.yml" .github/workflows/ | while read -r file; do
  echo "=== $file ==="
  rg -A 10 "uses: ./.github/workflows/workflow-check-for-changes.yml" "$file"
done

Length of output: 4198

🧰 Tools

🪛 yamllint

[error] 80-80: trailing spaces

(trailing-spaces)

.github/workflows/ci-cd-pull-request.yml (1)

31-31: LGTM! Verify consistency across workflows.

The semantic change from hasAzureChanges to hasInfraChanges improves clarity and better represents the actual check being performed.

Let's verify this change is consistent across all workflow files:

✅ Verification successful

Change from hasAzureChanges to hasInfraChanges is correctly implemented and consistent

The verification shows that:

1. hasInfraChanges is consistently used across all workflow files (ci-cd-pull-request.yml, ci-cd-main.yml, ci-cd-prod.yml, ci-cd-staging.yml, ci-cd-yt01.yml)
2. No instances of the old hasAzureChanges remain in any workflow file
3. The output is properly defined in workflow-check-for-changes.yml and maps to steps.filter.outputs.azure_any_modified == 'true'

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for consistent usage of hasInfraChanges across workflows
# Expect: All infrastructure-related conditions use hasInfraChanges instead of hasAzureChanges

echo "Checking for any remaining hasAzureChanges in workflow files..."
rg "hasAzureChanges" .github/workflows/

Length of output: 176

---

Script:

#!/bin/bash
# Let's verify both the old and new patterns to ensure complete migration
# First, check all workflow files for both patterns
echo "=== Checking all workflow files for both patterns ==="
echo "Files containing 'hasInfraChanges':"
rg "hasInfraChanges" .github/workflows/ -l

echo -e "\nFiles containing infrastructure-related conditions:"
rg "has.*Changes.*true" .github/workflows/ -A 1 -B 1

# Also check the check-for-changes workflow that likely sets these outputs
echo -e "\n=== Checking check-for-changes workflow implementation ==="
fd "check-for-changes" .github/workflows/ --exec cat {}

Length of output: 16920

.github/workflows/ci-cd-yt01.yml (5)

13-20: LGTM with existing suggestions!

The job implementation looks good, pending the permissions update suggested in the previous review.

---

23-23: LGTM! Proper version comparison setup.

The changes correctly integrate version comparison by using the SHA outputs from the get-versions-from-github job.

Also applies to: 25-27

---

46-46: LGTM! Improved condition naming.

The condition now uses a more accurate name hasInfraChanges instead of hasAzureChanges.

---

62-73: LGTM with existing suggestions!

The job implementation looks good, pending the improvements suggested in the previous review regarding permissions, error handling, and timeout.

---

98-109: LGTM with existing suggestions!

The job implementation looks good, pending the improvements suggested in the previous review regarding permissions, error handling, and timeout.

.github/workflows/ci-cd-main.yml (1)

66-66: Verify consistent usage of hasInfraChanges output.

The change from hasAzureChanges to hasInfraChanges aligns with the standardization effort across workflow files. However, let's verify this change is consistently applied throughout the codebase.

✅ Verification successful

Change is consistently applied across all workflow files

The verification results show that:

• No instances of hasAzureChanges remain in any workflow files
• hasInfraChanges is consistently used across all CI/CD workflows (main, prod, staging, yt01, pull-request)
• The output is properly defined in the workflow-check-for-changes.yml file
• The condition patterns are uniform across different environments

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any remaining instances of hasAzureChanges and verify hasInfraChanges usage

echo "Checking for any remaining instances of hasAzureChanges..."
rg "hasAzureChanges" .github/workflows/

echo -e "\nVerifying consistent usage of hasInfraChanges..."
rg "hasInfraChanges" .github/workflows/

Length of output: 1643

.github/workflows/ci-cd-staging.yml (6)

13-20: LGTM! Well-structured version retrieval job.

The new job correctly uses a reusable workflow with proper parameter and secret handling.

---

23-23: LGTM! Improved version comparison logic.

The job now correctly uses the actual deployed version SHAs from GitHub for comparison, making the change detection more reliable.

Also applies to: 25-27

---

35-35: LGTM! More semantically accurate condition.

The condition now uses hasInfraChanges instead of hasAzureChanges, better reflecting the actual scope of changes being checked.

---

51-62: Missing required permissions for GitHub CLI operation.

This issue was previously identified in an earlier review.

---

63-73: LGTM! Improved job positioning and dependencies.

The publish job's new position and dependencies optimize the workflow execution while maintaining proper change detection.

---

96-107: Missing required permissions for GitHub CLI operation.

This issue was previously identified in an earlier review.

.github/workflows/ci-cd-prod.yml (2)

23-27: LGTM! Well-structured version comparison implementation.

The changes correctly implement the PR objective of checking against the previous deployed version by:

1. Adding dependency on version retrieval
2. Using the retrieved version SHAs for comparison

---

35-35: Verify the impact of condition change from hasAzureChanges to hasInfraChanges.

The condition for infrastructure deployment has been updated. Let's verify this change is consistent across all workflows and doesn't break existing behavior.

Also applies to: 54-54

✅ Verification successful

Based on the search results, I can generate the final response as we have sufficient information:

Change from hasAzureChanges to hasInfraChanges is consistent across all workflows

The search results confirm that:

• No instances of hasAzureChanges exist in any workflow files
• hasInfraChanges is consistently used across all workflow files (ci-cd-main.yml, ci-cd-pull-request.yml, ci-cd-yt01.yml, ci-cd-staging.yml, ci-cd-prod.yml)
• The output variable is properly defined in workflow-check-for-changes.yml and is set based on azure_any_modified flag

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check usage of hasAzureChanges vs hasInfraChanges across workflows
echo "Checking for hasAzureChanges usage:"
rg "hasAzureChanges" .github/workflows/
echo -e "\nChecking for hasInfraChanges usage:"
rg "hasInfraChanges" .github/workflows/

Length of output: 1571

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud