Pulumi preview and new helper action to save on job executions#123
This is useful for when you have both push and pull_request triggers enabled and want to allow for not running push jobs if a pull request is already open. Saving GHA minutes and helping to semi-declutter the UI with a bunch of run executions (yes, they will still show as skipped).
that so it's not a link anymore
📝 Walkthrough
Adds a new composite action to detect and skip duplicate CI runs for push events, extends the Pulumi ephemeral deploy action and workflow to optionally post Pulumi preview details to PRs, and removes a repository contents write permission from the devcontainer hash update action.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant GHA as GitHub Actions
    participant GH as gh CLI
    participant API as GitHub API
    participant Output as Workflow Output
    GHA->>GHA: Determine event type
    alt Not a push event
        GHA->>Output: set should-run = true
    else Push event
        GHA->>GH: gh pr list --head current-branch
        GH->>API: request open PRs
        API-->>GH: PR list
        GH-->>GHA: PR number (or none)
        alt PR exists
            GHA->>Output: set should-run = false
        else No PR
            GHA->>Output: set should-run = true
        end
    end
```
```mermaid
sequenceDiagram
    participant Workflow as Pulumi AWS Workflow
    participant Action as Pulumi Ephemeral Deploy Action
    participant Pulumi as Pulumi CLI
    participant API as GitHub API
    Workflow->>Action: invoke with show-preview-comment-on-pr
    Action->>Pulumi: run pulumi preview --directory
    Pulumi-->>Action: preview stdout
    Action->>Action: capture stdout via command-output action
    alt show-preview-comment-on-pr == true
        Action->>API: post comment on PR with preview details
        API-->>Action: comment created
    else
        Action->>Action: skip commenting step
    end
```
Actionable comments posted: 4
🤖 Fix all issues with AI agents
In `@template/template/.github/actions/{% if template_uses_pulumi %}pulumi_ephemeral_deploy{% endif %}/action.yml.jinja-base`:
- Around line 81-88: The GitHub Action step using the untrusted mathiasvr/command-output action (id pulumi-run) must be replaced with a direct run step to avoid an unverified dependency and to preserve the original command's exit code; remove the "uses: mathiasvr/command-output@..." and "id: pulumi-run" lines and instead use a plain step with "name: Run CLI" and a "run:" that executes the existing command (uv --directory ${{ github.workspace }}/${{ inputs.project-dir }} run python -m ${{ inputs.deploy-script-module-name }}.${{ inputs.deploy-script-name }} --stack=${{ inputs.stack-name }} ${{ inputs.cli-action }}) under "shell: bash" (optionally prefix with "set -euo pipefail" to ensure failures propagate), or swap to a maintained/verified action if you prefer.
In `@template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base`:
- Around line 15-18: The workflow contains an unnecessary "Checkout code" step using actions/checkout@{{ gha_checkout }} which isn't needed for the gh pr list command; remove the entire checkout step (the block with name "Checkout code" and uses: actions/checkout) so the action only relies on GH_TOKEN for GitHub CLI access, speeding up the job and simplifying the action.yml.jinja-base.
- Around line 25-49: The script interpolates `${{ github.ref_name }}` directly into the shell command (used in `gh pr list --head ...`), which can allow shell injection; instead set a safe environment variable from the workflow context (e.g., REF_NAME="${{ github.ref_name }}") and reference that variable in the script, ensure you use double quotes around it when calling `gh pr list` and when echoing, and use the same pattern for any other GitHub context values (pr_json, pr_number) to avoid untrusted interpolation.
- Around line 9-10: The composite action contains an invalid permissions block named "permissions" (pull-requests: read) which must be removed because composite actions cannot declare permissions; delete the permissions block from the action metadata and instead update the action's "description" field (or the repository README) to note that callers must provide pull-requests: read permission so the action can check PRs for the current branch.
📒 Files selected for processing (3)
- template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
- template/template/.github/actions/{% if template_uses_pulumi %}pulumi_ephemeral_deploy{% endif %}/action.yml.jinja-base
- template/template/.github/workflows/{% if template_uses_pulumi %}pulumi-aws.yml{% endif %}.jinja-base
🔇 Additional comments (5)
template/template/.github/actions/{% if template_uses_pulumi %}pulumi_ephemeral_deploy{% endif %}/action.yml.jinja-base (2)
44-48: LGTM - New input parameter well-defined. The input definition follows the existing patterns in this file with appropriate type, default, and description.
90-101: Consider potential sensitive data exposure in PR comments. Pulumi preview output may contain sensitive information such as resource names, ARNs, configuration values, or diff details that could reveal infrastructure secrets. Posting this directly to PR comments makes it visible to anyone with repository read access.
A few considerations:
- Ensure the Pulumi stack doesn't output secrets in preview mode
- The `comment-tag` approach is good for updating existing comments rather than creating duplicates
Also, the condition `inputs.show-preview-comment-on-pr == 'true'` is correct for composite actions where boolean inputs are passed as strings.
template/template/.github/workflows/{% if template_uses_pulumi %}pulumi-aws.yml{% endif %}.jinja-base (3)
89-93: LGTM - New workflow input properly defined. The input follows the existing pattern with appropriate type, default value, and description.
107-107: LGTM - Permission correctly scoped. The `pull-requests: write` permission is appropriately added to support posting PR comments.
163-163: LGTM - Input correctly propagated. The boolean input from the workflow is properly passed to the composite action. GitHub Actions will handle the boolean-to-string conversion when passing to composite actions.
ejfine
left a comment
two coderabbit things seem potentially valid?
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base`:
- Around line 26-33: Check the exit status of the gh pr list call that populates pr_json and handle failures: after running the gh pr list command (the variable pr_json), test its exit code and/or whether pr_json is valid JSON before proceeding to extract pr_number; on error capture and emit a clear diagnostic (to stderr or via echo) including gh's stderr output, and set a distinct failure flag or explicit empty pr_number so the script documents the failure rather than silently continuing (leave the existing fail-open behavior if desired, but ensure the error is logged and a failure indicator variable is set so callers can detect the problem).
♻️ Duplicate comments (1)
template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base (1)
17-41: Script injection vulnerability remains unresolved. The direct interpolation of GitHub context values (`github.ref_name`, `github.repository`, `github.event_name`) into the shell script was previously flagged. Branch names are user-controlled and can contain shell metacharacters leading to command injection. The recommended fix using environment variables from the past review should be applied.
📒 Files selected for processing (2)
- template/.github/actions/update-devcontainer-hash/action.yml.jinja-base
- template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
💤 Files with no reviewable changes (1)
- template/.github/actions/update-devcontainer-hash/action.yml.jinja-base
🔇 Additional comments (2)
template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base (2)
1-7: Action metadata is well-defined. The description clearly explains the use case, and the output is properly wired to the step output.
9-16: Composite action setup looks correct. The `GH_TOKEN` is properly configured for GitHub CLI authentication.
```bash
pr_json=$(gh pr list \
  --repo "${{ github.repository }}" \
  --head "${{ github.ref_name }}" \
  --state open \
  --json number \
  --limit 1)

pr_number=$(echo "$pr_json" | jq -r '.[0].number // ""')
```
🧹 Nitpick | 🔵 Trivial
Consider adding error handling for gh pr list failures.
If gh pr list fails (network error, rate limit, permission issue), the script silently continues with an empty result, defaulting to should_run=true. While fail-open is a safe default, silent failures could mask configuration problems.
♻️ Optional: Add basic error checking
# For push events, check if there's an open PR for this branch
- pr_json=$(gh pr list \
+ if ! pr_json=$(gh pr list \
--repo "${{ github.repository }}" \
--head "${{ github.ref_name }}" \
--state open \
--json number \
- --limit 1)
+ --limit 1); then
+ echo "::warning::Failed to query PRs, defaulting to run CI"
+ echo "should_run=true" >> $GITHUB_OUTPUT
+ exit 0
+ fi
📝 Committable suggestion
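Review bot: the suggested `if ! pr_json=$(gh pr list ...)` block still interpolates `${{ github.repository }}` and `${{ github.ref_name }}` straight into the shell script, the script-injection pattern flagged in the 17-41 duplicate comment above, so this fix should land together with `env:`-provided variables (for example `REF_NAME`) referenced as `"$REF_NAME"`. The added `echo "should_run=true" >> $GITHUB_OUTPUT` line should also quote the redirect target as `"$GITHUB_OUTPUT"`. The `exit 0` keeps the fail-open behaviour, but the `::warning::` annotation is then the only trace of the failed query; consider also writing a distinct failure output so callers can detect it, as the actionable comment asks.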
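A hardened version of the push-gating script that applies both review points from this thread (GitHub context values passed in through environment variables rather than interpolated into the script, and explicit handling of `gh pr list` failures). This is an added example, not the PR's action or CodeRabbit's suggestion; the variable names EVENT_NAME, REPO and REF_NAME, the extra `check_failed` output, and the use of sed instead of jq are assumptions made here.

```shell
# Hardened skip-duplicate check (added example, not the PR's own action.yml).
# GitHub context values reach the script only through environment variables,
# which the workflow sets with an `env:` block (assumed names EVENT_NAME, REPO,
# REF_NAME), so a branch name with shell metacharacters stays plain data.
# gh failures are logged and flagged instead of being silently ignored.
set -eu

# Sets SHOULD_RUN ("true"/"false") and SKIP_CHECK_FAILED ("0"/"1").
check_should_run() {
  SHOULD_RUN=true
  SKIP_CHECK_FAILED=0
  [ "${EVENT_NAME:?}" = "push" ] || return 0   # only push events are gated

  err_file=$(mktemp)
  # Quoted expansions: the branch name is one argv entry, never re-parsed by a shell.
  if ! pr_json=$(gh pr list --repo "${REPO:?}" --head "${REF_NAME:?}" \
                   --state open --json number --limit 1 2>"$err_file"); then
    echo "::warning::gh pr list failed, defaulting to run CI: $(cat "$err_file")" >&2
    rm -f "$err_file"
    SKIP_CHECK_FAILED=1              # fail open, but callers can detect it
    return 0
  fi
  rm -f "$err_file"

  # gh --json always emits a JSON array; anything else means a broken query.
  case "$pr_json" in
    "["*) ;;
    *) echo "::warning::unexpected gh output: $pr_json" >&2; SKIP_CHECK_FAILED=1; return 0 ;;
  esac

  # First PR number, if any (sed rather than jq so the example needs only POSIX tools).
  pr_number=$(printf '%s' "$pr_json" \
    | sed -n 's/.*"number":[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
  if [ -n "$pr_number" ]; then
    echo "Open PR #$pr_number found for branch $REF_NAME; skipping push job" >&2
    SHOULD_RUN=false
  fi
}

# Appends both values in the key=value format GitHub Actions reads from $GITHUB_OUTPUT.
write_outputs() {
  check_should_run
  {
    echo "should_run=$SHOULD_RUN"
    echo "check_failed=$SKIP_CHECK_FAILED"
  } >> "${GITHUB_OUTPUT:?}"
}
```

In the composite action the `gh` call needs `GH_TOKEN` in the step's environment and callers must grant `pull-requests: read`, exactly as the review notes above describe.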
ejfine
left a comment
assuming this all works in the actual CI job, then LGTM
…ons (#97)
## Link to Issue or Message thread
LabAutomationAndScreening/copier-base-template#123
## Why is this change necessary?
Pull latest changes from the copier-base-template PR above
## How does this change address the issue?
Integrates both the pulumi preview comments on PR and the new `check-skip-duplicate` action helper to help save on GHA minutes.
## What side effects does this change have?
N/A
## How is this change tested?
CI and propagating it down into actual repos that use it
## Summary by CodeRabbit
* **New Features**
  * Option to post Pulumi preview comments on pull requests (SHOW_PREVIEW_COMMENT_ON_PR).
  * New CI job to skip duplicate runs and gate other jobs to avoid redundant executions.
* **Chores**
  * Early-access flags added to templates.
  * Bumped devcontainer extensions, installer tool versions, dependency constraint, and pre-commit hook revisions.
  * Removed write permissions from a couple of helper actions.
* **Security / Access**
  * View-only IAM policy extended to include EKS cluster read/list permissions.
## Link to Issue or Message thread
LabAutomationAndScreening/copier-base-template#123
## Why is this change necessary?
Pull latest template and use new skip duplicate check to save on GHA minutes.
## What side effects does this change have?
N/A
## How is this change tested?
CI
## Summary by CodeRabbit
* **New Features**
  - CI now skips duplicate runs for open PRs and exposes a short-PR output for downstream workflows
  - Optional Pulumi preview comments can be posted to PRs
* **Improvements**
  - Updated devcontainer, tooling and editor extensions to newer versions
  - Enhanced pre-commit failure reporting to show git diffs
  - Improved excludes for generated files and added template config fields (early_access, in_progress_fortune, python_version)
  - Added type/template ignore config
* **Bug Fixes**
  - Pre-commit exit handling made reliable with proper exit codes
Why is this change necessary?
How does this change address the issue?
`push` event to set the `should-run` variable to true and if there is already a PR open for the commit that triggered the event it will set the `should-run` to false.
What side effects does this change have?
N/A
How is this change tested?
CI and then propagating the changes down into the repos that actually use the code.