feat(repo): add diff checks in CI flows

[lifeiscontent]

Description

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Improvement (change that would cause existing functionality to not work as expected)
• Code refactoring
• Performance improvements
• Documentation update

Screenshots and Media (if applicable)

Test Scenarios

References

Summary by CodeRabbit

• New Features

  • Release packaging now includes computed AIO versioning tied to releases or branch names and improved prerelease propagation.
  • Automatic SemVer validation blocks invalid release versions before publishing.

• Chores

  • Workflow concurrency added to cancel duplicate runs per branch.
  • Exposed more build signals/outputs and new build-related environment variables.
  • CI now adopts project Node config, enables Corepack/pnpm, fetches more history, and uses Turbo to run checks/builds only for affected apps.
  • PR/build trigger and path filters refined for faster, focused runs.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Warning

Rate limit exceeded

@lifeiscontent has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 14 minutes and 26 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 2b1978a and 48b4f13.

📒 Files selected for processing (3)

• .github/workflows/build-branch.yml (4 hunks)
• .github/workflows/pull-request-build-lint-api.yml (1 hunks)
• .github/workflows/pull-request-build-lint-web-apps.yml (3 hunks)

Walkthrough

Adds workflow-level concurrency to multiple CI workflows; expands build-branch with new envs/outputs, SemVer release validation, and AIO versioning; switches web-apps PR workflow to Turbo-based affected checks with node/pnpm setup and fetch adjustments; PR lint-api gains concurrency and trigger formatting only.

Changes

Cohort / File(s)	Summary
Build branch: envs, outputs, AIO, validation .github/workflows/build-branch.yml	Adds workflow-level concurrency; introduces BUILD_TYPE, RELEASE_VERSION, IS_PRERELEASE, AIO_BUILD envs; expands branch_build_setup outputs (branch, buildx driver/version/platforms/endpoint, image names); computes/sanitizes TARGET_BRANCH and image names; enforces SemVer when BUILD_TYPE=Release; sets BUILD_RELEASE/BUILD_PRERELEASE/AIO_BUILD and emits release/aio_version; updates AIO build/push steps and reflows needs formatting.
PR - web apps: turbo, node/pnpm, fetch, paths .github/workflows/pull-request-build-lint-web-apps.yml	Adds workflow-level concurrency; reformats pull_request triggers and path filters; adds job env TURBO_SCM_BASE/TURBO_SCM_HEAD; increases checkout fetch-depth and adds blob:none filter; reads Node from .nvmrc; enables Corepack/pnpm; replaces per-app lint/build with pnpm turbo run (--affected) steps; adjusts step names and sequencing; adds paths-ignore.
PR - lint API: concurrency & formatting .github/workflows/pull-request-build-lint-api.yml	Adds top-level concurrency grouping by workflow+ref and cancel-in-progress; reformats pull_request branches/types to YAML block lists; no functional changes to job steps.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Actions
  participant Setup as branch_build_setup
  participant Env as Set Env Vars
  participant AIO as Prepare AIO Assets
  participant Build as Build & Push AIO Image
  participant Publish as Upload/Release

  GH->>Setup: run branch_build_setup (derive branch, buildx, image names)
  Setup-->>GH: outputs (gh_branch_name, buildx_*, image names)

  GH->>Env: Set Environment Variables
  Note right of Env: decide BuildX driver/version/platforms<br/>sanitize TARGET_BRANCH<br/>init BUILD_RELEASE/PRERELEASE/RELEASE_VERSION/AIO_BUILD<br/>SemVer validate on Release
  Env-->>GH: outputs (BUILD_RELEASE, BUILD_PRERELEASE, RELEASE_VERSION, AIO_BUILD)

  GH->>AIO: Prepare AIO Assets
  Note right of AIO: aio_version = Release version OR branch name
  AIO-->>GH: outputs (aio_version)

  GH->>Build: Build & Push AIO using emitted outputs
  Build-->>GH: images + packaged assets

  alt Release
    GH->>Publish: Upload assets / Publish Release
  else Non-Release
    GH--x Publish: skip publish
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix: CI to include lint and format #7482 — modifies the same pull-request-build-lint-web-apps.yml to switch lint/build to Turbo/affected flows and adjust exclusions.

Suggested reviewers

• sriramveeraghanta

Poem

I thump my paw on YAML ground,
Concurrency carrots neatly bound.
Turbo breezes sweep the tree,
AIO hops in versioned glee.
SemVer-sky, builds take flight—🥕✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/ci-diff-check

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Copilot]

Pull Request Overview

This PR optimizes CI/CD workflows by implementing differential checking to run operations only on affected code and adding concurrency controls. The changes improve build efficiency by avoiding unnecessary processing of unchanged components.

• Converts workflows to use Turbo's differential filtering based on git changes
• Adds concurrency groups to prevent redundant workflow runs
• Standardizes YAML formatting across workflow files

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/pull-request-build-lint-web-apps.yml	Implements differential linting/building with Turbo filters and adds concurrency control
.github/workflows/pull-request-build-lint-api.yml	Adds concurrency control and standardizes YAML formatting
.github/workflows/build-branch.yml	Adds concurrency control and improves YAML formatting for job dependencies

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/build-branch.yml (2)

112-119: SemVer regex too restrictive; does not allow dot-separated pre-release or +build metadata.

Current: only hyphenated prerelease segments, no dots, no build metadata (both valid per SemVer). Replace with a canonical SemVer pattern.

Proposed fix:

-            semver_regex="^v([0-9]+)\.([0-9]+)\.([0-9]+)(-[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*)?$"
+            # SemVer: vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]
+            semver_regex='^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(?:-[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$'

This accepts tags like v1.2.3-alpha.1 or v1.2.3+build.5.

---

392-401: Ensure permissions allow release creation.

As of recent GH hardening, default GITHUB_TOKEN permissions can be read-only. Set contents: write at job level for publish_release to be safe.

Proposed addition:

   publish_release:
     if: ${{ needs.branch_build_setup.outputs.build_type == 'Release' }}
     name: Build Release
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     needs:
       [
         branch_build_setup,
         branch_build_push_admin,
         branch_build_push_web,
         branch_build_push_space,
         branch_build_push_live,
         branch_build_push_api,
         branch_build_push_proxy,
       ]

🧹 Nitpick comments (11)

.github/workflows/pull-request-build-lint-api.yml (3)

17-19: Good use of workflow-level concurrency to dedupe runs per branch.

Grouping by “${{ github.workflow }}-${{ github.ref }}” with cancel-in-progress=true will prevent redundant runs on force-pushes. Consider whether you also want to dedupe across PR head refs (e.g., re-targeting) using head_ref; optional only.

Example alternative (optional):

-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true

---

26-29: Job gate may skip legitimate PR events with no requested reviewers.

The if condition requires requested_reviewers != null, which is often null on “opened” or “synchronize” before reviewers are set, causing the job to skip and delaying feedback. If intentional to save minutes, ignore; otherwise, simplify to run on non-draft PRs.

Suggested change:

-    if: |
-      github.event.pull_request.draft == false &&
-      github.event.pull_request.requested_reviewers != null
+    if: github.event.pull_request.draft == false

---

35-41: Step name mismatch and missing “diff check” to enforce no auto-fixes.

• The step name says “Install Pylint” but installs ruff.
• If you want CI to fail when ruff would modify files, add an explicit diff check after running with --fix (or drop --fix and fail on violations).

Proposed tweaks:

-      - name: Install Pylint
-        run: python -m pip install ruff
+      - name: Install Ruff
+        run: python -m pip install ruff

-      - name: Lint apps/api
-        run: ruff check --fix apps/api
+      - name: Lint apps/api (no uncommitted changes allowed)
+        run: |
+          ruff check --fix apps/api
+          # fail if any modifications were made (enforces clean tree)
+          git diff --quiet || { echo "Ruff produced changes. Please commit fixes."; git --no-pager diff; exit 1; }

.github/workflows/pull-request-build-lint-web-apps.yml (3)

30-33: Reviewer-gated job may skip useful runs.

Requiring requested_reviewers != null can prevent runs on newly opened PRs or bots. If the goal is simply to avoid draft PRs, drop the reviewers check.

-    if: |
-      github.event.pull_request.draft == false &&
-      github.event.pull_request.requested_reviewers != null
+    if: github.event.pull_request.draft == false

---

44-49: Package manager setup: consider caching pnpm store for speed.

Corepack enable is fine, but enabling Node’s cache for pnpm improves performance across reruns.

Proposed additions:

       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
           node-version-file: ".nvmrc"
+          cache: "pnpm"

       - name: Enable Corepack and pnpm
         run: corepack enable pnpm

---

50-57: Turbo filtered runs LGTM; consider quoting base SHA and surfacing no-op behavior.

Commands are correct for affected graph since base. Optionally add “--no-cache --summarize” or a pre-check step to echo the base SHA and ensure it exists, aiding diagnosability.

Example diagnostic step (optional):

+      - name: Show PR base SHA
+        run: echo "Base SHA: ${{ github.event.pull_request.base.sha }}"

.github/workflows/build-branch.yml (5)

79-89: Buildx driver selection logic LGTM; consider making endpoint configurable.

Hardcoding “makeplane/plane-dev” is fine internally, but a secret or env input would make this more portable across environments.

-            echo "BUILDX_ENDPOINT=makeplane/plane-dev" >> $GITHUB_OUTPUT
+            echo "BUILDX_ENDPOINT=${{ vars.BUILDX_ENDPOINT || 'makeplane/plane-dev' }}" >> $GITHUB_OUTPUT

Note: Requires defining an org/repo variable BUILDX_ENDPOINT.

---

101-107: Default values for push builds: avoid empty BUILD_TYPE/AIO_BUILD in outputs.

On push events, github.event.inputs.* are empty, so BUILD_TYPE and AIO_BUILD may be blank. Set sensible defaults to stabilize downstream conditionals and telemetry.

Apply:

-          echo "BUILD_TYPE=${{env.BUILD_TYPE}}" >> $GITHUB_OUTPUT
+          if [ -z "${{ env.BUILD_TYPE }}" ]; then
+            echo "BUILD_TYPE=Build" >> $GITHUB_OUTPUT
+          else
+            echo "BUILD_TYPE=${{ env.BUILD_TYPE }}" >> $GITHUB_OUTPUT
+          fi
@@
-          BUILD_AIO=${{ env.AIO_BUILD }}
+          if [ -z "${{ env.AIO_BUILD }}" ]; then
+            BUILD_AIO=false
+          else
+            BUILD_AIO=${{ env.AIO_BUILD }}
+          fi

---

127-128: Unconditionally enabling AIO on Release is fine; ensure docs reflect this.

Since BUILD_AIO is forced true for Release, the aio_build input is ignored in that mode. Clarify in workflow_dispatch input descriptions if needed.

---

292-296: Quote aio_version to avoid unexpected word-splitting (defensive).

gh_branch_name is sanitized earlier, but quoting is a safe default.

-          bash ./build.sh --release $aio_version
+          bash ./build.sh --release "$aio_version"

---

145-181: Align action versions across build-push steps (optional).

Most jobs use makeplane/actions/build-push@v1.0.0, AIO uses @v1.1.0. If v1.1.0 contains bug fixes you need, consider upgrading all for consistency; if not, pin the AIO job back to v1.0.0. Either way, explicitly intentional version skew is fine.

Also applies to: 211-269, 307-321

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5d1ad8a and 619cb0d.

📒 Files selected for processing (3)

• .github/workflows/build-branch.yml (4 hunks)
• .github/workflows/pull-request-build-lint-api.yml (1 hunks)
• .github/workflows/pull-request-build-lint-web-apps.yml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (javascript)

🔇 Additional comments (8)

.github/workflows/pull-request-build-lint-api.yml (1)

6-13: Trigger list format LGTM; semantics unchanged.

Moving the pull_request.types to block list is fine and equivalent. No concerns.

.github/workflows/pull-request-build-lint-web-apps.yml (3)

6-13: Trigger list formatting LGTM.

No functional change; okay to proceed.

---

21-23: Concurrency group LGTM and consistent with other workflows.

This will cancel superseded runs on the same branch; good alignment with API workflow.

---

37-37: fetch-depth: 0 is appropriate for turbo’s base SHA filtering.

Full history ensures base.sha is present. Expect slightly longer checkout; acceptable trade-off here.

.github/workflows/build-branch.yml (4)

38-41: Concurrency block LGTM.

Prevents overlapping branch builds; aligns with PR workflows.

---

69-74: New outputs are helpful for downstream jobs.

Exposing build_type/prerelease/release_version/aio_build reduces duplication. Good move.

---

275-283: Expanded needs list LGTM for AIO job.

Serializing AIO after all component images ensures assets reflect latest images. Good.

---

330-337: Broadened needs for Upload Build Assets LGTM.

Ensures assets reflect all images built. No concerns.