
chore: add gha for workflow worker #194

Merged: vishnurk6247 merged 1 commit into develop from fix/workflow-pipeline on Dec 19, 2025

Conversation

@vishnurk6247 (Member) commented Dec 19, 2025

Summary by CodeRabbit

  • Infrastructure & Deployment
    • Added automated build and deployment workflow for workflow runners to AWS and GCP environments.
    • Introduced GCP asset storage bucket configuration option for cloud integration.
    • Enhanced workflow container infrastructure with optimized Docker build process and multi-platform support.


coderabbitai (Bot) commented Dec 19, 2025

Walkthrough

This pull request introduces infrastructure for containerizing and deploying a Wavefront workflow runner service. It adds a GitHub Actions workflow to build and push Docker images to GCP Artifact Registry, a Python 3.11-slim Dockerfile for the workflow runner, and GCP-specific configuration for cloud storage integration.

Changes

Cohort / File(s) | Summary

CI/CD & Container Infrastructure
.github/workflows/build-workflow-worker-develop.yaml, wavefront/server/docker/workflow.Dockerfile
Introduces a GitHub Actions workflow for building and pushing Docker images to GCP Artifact Registry with Docker Buildx, layer caching, and multi-platform support. Adds a Dockerfile that builds a Python 3.11-slim image, installs dependencies via uv, and configures the workflow_job entrypoint.

Configuration
wavefront/server/background_jobs/workflow_job/workflow_job/config.ini
Adds a [gcp] configuration section with the gcp_asset_storage_bucket property for GCP integration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify GitHub Actions workflow paths, environment variables, and GCP authentication steps
  • Confirm Docker layer caching and Buildx configuration align with project standards
  • Validate Dockerfile dependency structure and uv sync usage
  • Ensure config.ini property aligns with application expectations

Poem

🐰 A container born from code so fine,
With Docker layers in a perfect line,
To GCP clouds the image takes flight,
Workflow runner ready, shining bright!
Infrastructure hops—deployment's delight! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive
Explanation: The PR title 'chore: add gha for workflow worker' is vague and uses undefined abbreviations. 'gha' is unclear (likely GitHub Actions, but unexplained), and the title doesn't convey what the workflow actually does or which specific components are being added.
Resolution: Use a more descriptive title that explains the actual change, such as 'chore: add GitHub Actions workflow for building and pushing workflow worker to GCP' or similar to clarify the scope and purpose.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Comment on lines +14 to +66
    runs-on: ubuntu-latest

    steps:
      - name: "Checkout"
        uses: "actions/checkout@v3"

      - name: Get commit hash
        id: get-commit-hash
        run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"

      - name: Get timestamp
        id: get-timestamp
        run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"

      - name: Cache Docker layers
        id: cache-docker-layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-docker-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-docker-

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker Image
        id: build-image
        run: |
          docker build -f wavefront/server/docker/workflow.Dockerfile -t rootflo:${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }} .
          echo "IMAGE_TAG=${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }}" >> $GITHUB_ENV

      - id: "Auth-to-GCP"
        uses: "google-github-actions/auth@v1"
        with:
          credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v1"

      - name: "Docker auth for GCP"
        run: |-
          gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet

      - name: Tag and push image to GCP Artifact Registry
        run: |
          docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          docker push ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}

      - name: Cleanup Docker images
        run: |
          docker rmi rootflo:${{ env.IMAGE_TAG }} || true
          docker rmi ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} || true

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 5 months ago)

Generally, the fix is to define a permissions: block that restricts the default GITHUB_TOKEN privileges to the minimum needed. For a build-and-push workflow that only checks out code and interacts with external services (GCP, Docker) using their own credentials, the job only needs read access to repository contents.

The best way to fix this without changing behavior is:

  • Add a root-level permissions: block (between name: and on:) so it applies to all jobs.
  • Set it to contents: read, which is sufficient for actions/checkout@v3 to read the repository.
  • Do not add any write-scoped permissions, since the workflow doesn’t need to modify GitHub state.

Concretely, in .github/workflows/build-workflow-worker-develop.yaml, insert:

permissions:
  contents: read

directly after the name: (Develop) Build and Push Workflow Worker to AWS and GCP line. No imports or other definitions are required.

Suggested changeset 1
.github/workflows/build-workflow-worker-develop.yaml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-workflow-worker-develop.yaml b/.github/workflows/build-workflow-worker-develop.yaml
--- a/.github/workflows/build-workflow-worker-develop.yaml
+++ b/.github/workflows/build-workflow-worker-develop.yaml
@@ -1,5 +1,8 @@
 name: (Develop) Build and Push Workflow Worker to AWS and GCP
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
EOF
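Review bot: placing `permissions: contents: read` at the workflow level is the right default here, since the only GitHub API use in this workflow is the checkout and the push goes to Artifact Registry with the workflow's own GCP credential rather than GITHUB_TOKEN. Two things to watch as it evolves: a job-level `permissions:` block (the CodeRabbit suggestion further down proposes one for build-push-artifact) replaces rather than merges with this top-level block, so keep only one of the two; and if authentication is later moved from `credentials_json` to workload identity, grant the required `id-token: write` to the job that needs it instead of widening this top-level block.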

Copilot is powered by AI and may make mistakes. Always verify output.
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 8

🧹 Nitpick comments (2)
wavefront/server/background_jobs/workflow_job/workflow_job/config.ini (1)

18-20: Consider consolidating duplicate GCP bucket configuration.

The new [gcp] section with gcp_asset_storage_bucket duplicates the bucket configuration already present in [gcp_config] (line 16). Both reference the same ${APPLICATION_BUCKET} environment variable, which may cause confusion about which section should be used for GCP configuration.

Consider either:

  1. Using the existing [gcp_config] section's bucket property instead of creating a new section
  2. Consolidating all GCP configuration into a single section
  3. Clearly documenting why two separate GCP sections are needed if they serve different purposes
.github/workflows/build-workflow-worker-develop.yaml (1)

6-10: Consider moving hardcoded GCP configuration to repository variables.

The GCP project ID and region are hardcoded in the workflow. Consider using GitHub repository variables or environment-specific configuration to improve maintainability and make it easier to adapt for different environments.

Example:

env:
  PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
  GCP_REGION: ${{ vars.GCP_REGION }}
  GAR_LOCATION: ${{ vars.GAR_LOCATION }}
  IMAGE_NAME: wavefront-workflow-worker
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 20ee522 and 91c2c84.

📒 Files selected for processing (3)
  • .github/workflows/build-workflow-worker-develop.yaml (1 hunks)
  • wavefront/server/background_jobs/workflow_job/workflow_job/config.ini (1 hunks)
  • wavefront/server/docker/workflow.Dockerfile (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/build-workflow-worker-develop.yaml

18-18: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


22-22: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


26-26: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


30-30: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


47-47: the runner of "google-github-actions/auth@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


52-52: the runner of "google-github-actions/setup-gcloud@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 GitHub Check: CodeQL
.github/workflows/build-workflow-worker-develop.yaml

[warning] 14-66: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

Comment on lines +12 to +15
jobs:
  build-push-artifact:
    runs-on: ubuntu-latest


⚠️ Potential issue | 🟠 Major

Add explicit permissions block for security.

The workflow does not specify permissions for the GITHUB_TOKEN, which grants default write access. Following the principle of least privilege, you should explicitly define minimal permissions.

🔎 Proposed fix
 jobs:
   build-push-artifact:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
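Review bot: this job-level block duplicates the workflow-level `permissions:` block in the Copilot autofix above; keep one of them. Job-level permissions override the workflow-level setting for that job, so if both land, the top-level block only governs jobs added later, which is harmless but confusing. Either location yields the same effective token for build-push-artifact: `contents: read` and nothing else.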

Based on static analysis hints.

🤖 Prompt for AI Agents
In .github/workflows/build-workflow-worker-develop.yaml around lines 12 to 15
the workflow lacks an explicit permissions block for GITHUB_TOKEN; add a
permissions: mapping to enforce least privilege by declaring only the scopes the
job needs (for example: contents: read, packages: write, id-token: write only if
you use OIDC, and any other specific minimal scopes required by the job),
placing the permissions block at the workflow level (or job level if narrower
scope is required) so the token no longer has full default write access.
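The CodeQL finding, the Copilot autofix and this comment all come down to checks one can run on a workflow file before pushing it. The script below is an added example, not project code: a line-based audit (no YAML library, so it runs anywhere) that reports the issues raised on this PR (missing `permissions:`, deprecated `::set-output`, actions referenced by mutable tags) plus the long-lived `credentials_json` key discussed later in the review. Both embedded workflows are constructed: the first is reduced from the snippet under review, the second is a hardened variant whose commit SHAs (all zeros) and workload identity values are placeholders.

```python
# Added example (not project code): line-based audit of a GitHub Actions
# workflow for the issues raised on this PR. No YAML parser needed.
import re

# Constructed sample: the relevant steps of the workflow under review.
SAMPLE_WORKFLOW = """\
name: (Develop) Build and Push Workflow Worker to AWS and GCP

on:
  workflow_dispatch:

jobs:
  build-push-artifact:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout"
        uses: "actions/checkout@v3"
      - name: Get commit hash
        id: get-commit-hash
        run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"
      - id: "Auth-to-GCP"
        uses: "google-github-actions/auth@v1"
        with:
          credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"
"""

# Constructed hardened variant: job-level permissions, $GITHUB_OUTPUT, actions
# pinned to a commit SHA (placeholder zeros), OIDC instead of a JSON key.
HARDENED_WORKFLOW = """\
name: (Develop) Build and Push Workflow Worker to AWS and GCP

jobs:
  build-push-artifact:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # only needed for the OIDC exchange below
    steps:
      - name: "Checkout"
        uses: actions/checkout@0000000000000000000000000000000000000000  # v4
      - name: Get commit hash
        id: get-commit-hash
        run: echo "commit-hash=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
      - id: "Auth-to-GCP"
        uses: google-github-actions/auth@0000000000000000000000000000000000000000  # v2
        with:
          workload_identity_provider: projects/123/locations/global/workloadIdentityPools/p/providers/gh
          service_account: worker@example-project.iam.gserviceaccount.com
"""

USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^"'\s]+)""")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")  # immutable pin: full commit SHA

def audit_workflow(text: str) -> list:
    """Return one finding per issue; an empty list means all checks passed."""
    findings = []
    lines = text.splitlines()
    # A permissions: mapping at workflow or job level limits GITHUB_TOKEN.
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append("no permissions block: GITHUB_TOKEN keeps the default scopes")
    for num, ln in enumerate(lines, 1):
        if "::set-output" in ln:
            findings.append(f"line {num}: deprecated ::set-output; write name=value to $GITHUB_OUTPUT")
        if "credentials_json:" in ln:
            findings.append(f"line {num}: long-lived service-account key via credentials_json; prefer workload identity")
        m = USES_RE.match(ln)
        if m:
            ref = m.group(1)
            if "@" not in ref:
                findings.append(f"line {num}: {ref} has no version ref at all")
            elif not SHA_RE.search(ref):
                findings.append(f"line {num}: {ref} is pinned by a mutable tag, not a commit SHA")
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` yields five findings, one per issue discussed on this page; the hardened variant yields none.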


    steps:
      - name: "Checkout"
        uses: "actions/checkout@v3"

🛠️ Refactor suggestion | 🟠 Major

Update actions/checkout to v4.

The actions/checkout@v3 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"
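Review bot: bumping to v4 fixes the runner compatibility, but `@v4` is a mutable tag that the action's maintainer can move; for a workflow that holds a GCP service-account key in `secrets.GCP_SERVICE_ACCOUNT_KEY`, pin third-party actions to a full commit SHA (with the tag in a trailing comment) so a retagged or compromised release cannot run with access to that secret. The same applies to the cache, auth and setup-gcloud bumps elsewhere in this review.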

Based on static analysis hints.


🤖 Prompt for AI Agents
.github/workflows/build-workflow-worker-develop.yaml around line 18: the
workflow uses the outdated actions/checkout@v3 which is incompatible with
current runners; update the action reference to actions/checkout@v4 (replace the
v3 tag with v4) so the workflow uses the latest checkout action compatible with
modern GitHub Actions infrastructure.

Comment on lines +20 to +26
      - name: Get commit hash
        id: get-commit-hash
        run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"

      - name: Get timestamp
        id: get-timestamp
        run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"

🛠️ Refactor suggestion | 🟠 Major

Replace deprecated set-output commands.

The set-output workflow command was deprecated. Use GITHUB_OUTPUT environment file instead.

🔎 Proposed fix
       - name: Get commit hash
         id: get-commit-hash
-        run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"
+        run: echo "commit-hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
       - name: Get timestamp
         id: get-timestamp
-        run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"
+        run: echo "timestamp=$(date +'%Y-%m-%d-%H-%M')" >> $GITHUB_OUTPUT

Based on static analysis hints.


Comment on lines +28 to +35
      - name: Cache Docker layers
        id: cache-docker-layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-docker-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-docker-

🛠️ Refactor suggestion | 🟠 Major

Update actions/cache to v4.

The actions/cache@v3 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - name: Cache Docker layers
         id: cache-docker-layers
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-docker-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-docker-
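Review bot: the version bump alone will not make this cache do anything: the build step on this page runs plain `docker build` with no `--cache-from`/`--cache-to` pointing at `/tmp/.buildx-cache`, so the directory is never populated and every save under the `${{ runner.os }}-docker-${{ github.sha }}` key stores nothing useful. Either switch the build to `docker buildx build --cache-from type=local,src=/tmp/.buildx-cache --cache-to type=local,dest=/tmp/.buildx-cache,mode=max` (the `setup-buildx-action` step is already present), or drop the cache step.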

Based on static analysis hints.


🤖 Prompt for AI Agents
In .github/workflows/build-workflow-worker-develop.yaml around lines 28 to 35
the workflow uses actions/cache@v3 which is outdated and incompatible with
current runners; update the action reference to actions/cache@v4 (replace the
uses value), keep existing inputs (path, key, restore-keys) unchanged, and
verify the workflow syntax after the change to ensure no input names have
changed between v3 and v4.

Comment on lines +46 to +49
      - id: "Auth-to-GCP"
        uses: "google-github-actions/auth@v1"
        with:
          credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"

🛠️ Refactor suggestion | 🟠 Major

Update google-github-actions/auth to v2.

The google-github-actions/auth@v1 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - id: "Auth-to-GCP"
-        uses: "google-github-actions/auth@v1"
+        uses: "google-github-actions/auth@v2"
         with:
           credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"
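Review bot: the v2 bump keeps `credentials_json`, i.e. a long-lived service-account JSON key stored as a repository secret; anyone who can read that secret, or any action running in this job, can use the key from anywhere and it does not expire on its own. The AI-agent prompt below already names the alternative: `workload_identity_provider` plus `service_account`, with `id-token: write` granted to this job, which ties authentication to the repository's short-lived OIDC token. Until that switch, keep the service account limited to Artifact Registry write access on the target repository only.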

Based on static analysis hints.


🤖 Prompt for AI Agents
.github/workflows/build-workflow-worker-develop.yaml lines 46-49: the workflow
uses the deprecated google-github-actions/auth@v1 action which is incompatible
with newer runners; update the action reference to google-github-actions/auth@v2
and adjust the inputs if necessary (v2 still accepts credentials_json but if you
move to workload identity you must replace credentials_json with
workload_identity_provider and service_account); change the uses line to
google-github-actions/auth@v2, verify the credentials input is correct for your
chosen auth method, and run the workflow to ensure no additional input changes
are required.

Comment on lines +51 to +52
      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v1"

🛠️ Refactor suggestion | 🟠 Major

Update google-github-actions/setup-gcloud to v2.

The google-github-actions/setup-gcloud@v1 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - name: "Set up Cloud SDK"
-        uses: "google-github-actions/setup-gcloud@v1"
+        uses: "google-github-actions/setup-gcloud@v2"

Based on static analysis hints.


🤖 Prompt for AI Agents
.github/workflows/build-workflow-worker-develop.yaml around lines 51-52: the
workflow uses the deprecated google-github-actions/setup-gcloud@v1 action;
update the uses reference to google-github-actions/setup-gcloud@v2 and adjust
any inputs to the v2 schema if necessary (for example ensure credential inputs
and auth fields match v2 docs), then run a workflow lint/validation to confirm
compatibility.


WORKDIR /app

COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/

⚠️ Potential issue | 🟠 Major

Update uv to the latest stable version (currently 0.9.18).

The Dockerfile pins uv to 0.8.6, which is significantly outdated. The current latest version is 0.9.18. While 0.8.6 addressed a critical ZIP parsing vulnerability, newer versions include additional security patches and improvements. Upgrade to the latest stable release.

🤖 Prompt for AI Agents
In wavefront/server/docker/workflow.Dockerfile around line 5, the COPY line
references the old uv image tag 0.8.6; update that tag to the latest stable
0.9.18 (replace ghcr.io/astral-sh/uv:0.8.6 with ghcr.io/astral-sh/uv:0.9.18 on
the COPY line), then rebuild the image and run your test suite / smoke tests to
verify there are no compatibility issues.

COPY wavefront/server/plugins/datasource /app/plugins/datasource
COPY wavefront/server/plugins/authenticator /app/plugins/authenticator

# Install dependencies (without dependecy resolution and no dev dependencies)

⚠️ Potential issue | 🟡 Minor

Fix typo in comment.

The comment has a typo: "dependecy" should be "dependency".

🔎 Proposed fix
-# Install dependencies (without dependecy resolution and no dev dependencies)
+# Install dependencies (without dependency resolution and no dev dependencies)
🤖 Prompt for AI Agents
In wavefront/server/docker/workflow.Dockerfile around line 30, the comment
contains a typo: change "dependecy" to "dependency" so the line reads "Install
dependencies (without dependency resolution and no dev dependencies)"; update
the comment text accordingly.

@vishnurk6247 vishnurk6247 merged commit 9affeee into develop Dec 19, 2025
8 checks passed
@vishnurk6247 vishnurk6247 deleted the fix/workflow-pipeline branch December 19, 2025 10:42
thomastomy5 pushed a commit that referenced this pull request Apr 27, 2026