Merged
66 changes: 66 additions & 0 deletions .github/workflows/build-workflow-worker-develop.yaml
@@ -0,0 +1,66 @@
name: (Develop) Build and Push Workflow Worker to AWS and GCP

on:
workflow_dispatch:

env:
PROJECT_ID: aesy-330511
GCP_REGION: asia-south1
GAR_LOCATION: asia-south1-docker.pkg.dev/aesy-330511/root-hub
IMAGE_NAME: wavefront-workflow-worker

jobs:
build-push-artifact:
runs-on: ubuntu-latest

Comment on lines +12 to +15

⚠️ Potential issue | 🟠 Major

Add explicit permissions block for security.

The workflow does not specify permissions for the GITHUB_TOKEN, which grants default write access. Following the principle of least privilege, you should explicitly define minimal permissions.

🔎 Proposed fix
 jobs:
   build-push-artifact:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read

Based on static analysis hints.

🤖 Prompt for AI Agents
In .github/workflows/build-workflow-worker-develop.yaml around lines 12 to 15
the workflow lacks an explicit permissions block for GITHUB_TOKEN; add a
permissions: mapping to enforce least privilege by declaring only the scopes the
job needs (for example: contents: read, packages: write, id-token: write only if
you use OIDC, and any other specific minimal scopes required by the job),
placing the permissions block at the workflow level (or job level if narrower
scope is required) so the token no longer has full default write access.

steps:
- name: "Checkout"
uses: "actions/checkout@v3"

🛠️ Refactor suggestion | 🟠 Major

Update actions/checkout to v4.

The actions/checkout@v3 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@v4"

Based on static analysis hints.

🧰 Tools
🪛 actionlint (1.7.9)

18-18: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/build-workflow-worker-develop.yaml around line 18: the
workflow uses the outdated actions/checkout@v3 which is incompatible with
current runners; update the action reference to actions/checkout@v4 (replace the
v3 tag with v4) so the workflow uses the latest checkout action compatible with
modern GitHub Actions infrastructure.


- name: Get commit hash
id: get-commit-hash
run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"

- name: Get timestamp
id: get-timestamp
run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"
Comment on lines +20 to +26

🛠️ Refactor suggestion | 🟠 Major

Replace deprecated set-output commands.

The set-output workflow command was deprecated. Use GITHUB_OUTPUT environment file instead.

🔎 Proposed fix
       - name: Get commit hash
         id: get-commit-hash
-        run: echo "::set-output name=commit-hash::$(git rev-parse --short HEAD)"
+        run: echo "commit-hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
       - name: Get timestamp
         id: get-timestamp
-        run: echo "::set-output name=timestamp::$(date +'%Y-%m-%d-%H-%M')"
+        run: echo "timestamp=$(date +'%Y-%m-%d-%H-%M')" >> $GITHUB_OUTPUT

Based on static analysis hints.

🧰 Tools
🪛 actionlint (1.7.9)

22-22: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


26-26: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)


- name: Cache Docker layers
id: cache-docker-layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-docker-${{ github.sha }}
restore-keys: |
${{ runner.os }}-docker-
Comment on lines +28 to +35

🛠️ Refactor suggestion | 🟠 Major

Update actions/cache to v4.

The actions/cache@v3 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - name: Cache Docker layers
         id: cache-docker-layers
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-docker-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-docker-

Based on static analysis hints.

🧰 Tools
🪛 actionlint (1.7.9)

30-30: the runner of "actions/cache@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/build-workflow-worker-develop.yaml around lines 28 to 35
the workflow uses actions/cache@v3 which is outdated and incompatible with
current runners; update the action reference to actions/cache@v4 (replace the
uses value), keep existing inputs (path, key, restore-keys) unchanged, and
verify the workflow syntax after the change to ensure no input names have
changed between v3 and v4.


- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build Docker Image
id: build-image
run: |
docker build -f wavefront/server/docker/workflow.Dockerfile -t rootflo:${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }} .
echo "IMAGE_TAG=${{ steps.get-commit-hash.outputs.commit-hash }}-${{ steps.get-timestamp.outputs.timestamp }}" >> $GITHUB_ENV

- id: "Auth-to-GCP"
uses: "google-github-actions/auth@v1"
with:
credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"
Comment on lines +46 to +49

🛠️ Refactor suggestion | 🟠 Major

Update google-github-actions/auth to v2.

The google-github-actions/auth@v1 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - id: "Auth-to-GCP"
-        uses: "google-github-actions/auth@v1"
+        uses: "google-github-actions/auth@v2"
         with:
           credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"

Based on static analysis hints.

🧰 Tools
🪛 actionlint (1.7.9)

47-47: the runner of "google-github-actions/auth@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/build-workflow-worker-develop.yaml lines 46-49: the workflow
uses the deprecated google-github-actions/auth@v1 action which is incompatible
with newer runners; update the action reference to google-github-actions/auth@v2
and adjust the inputs if necessary (v2 still accepts credentials_json but if you
move to workload identity you must replace credentials_json with
workload_identity_provider and service_account); change the uses line to
google-github-actions/auth@v2, verify the credentials input is correct for your
chosen auth method, and run the workflow to ensure no additional input changes
are required.


- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v1"
Comment on lines +51 to +52

🛠️ Refactor suggestion | 🟠 Major

Update google-github-actions/setup-gcloud to v2.

The google-github-actions/setup-gcloud@v1 action is outdated and its runner is too old to run on current GitHub Actions infrastructure.

🔎 Proposed fix
       - name: "Set up Cloud SDK"
-        uses: "google-github-actions/setup-gcloud@v1"
+        uses: "google-github-actions/setup-gcloud@v2"

Based on static analysis hints.

🧰 Tools
🪛 actionlint (1.7.9)

52-52: the runner of "google-github-actions/setup-gcloud@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/build-workflow-worker-develop.yaml around lines 51-52: the
workflow uses the deprecated google-github-actions/setup-gcloud@v1 action;
update the uses reference to google-github-actions/setup-gcloud@v2 and adjust
any inputs to the v2 schema if necessary (for example ensure credential inputs
and auth fields match v2 docs), then run a workflow lint/validation to confirm
compatibility.


- name: "Docker auth for GCP"
run: |-
gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet

- name: Tag and push image to GCP Artifact Registry
run: |
docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
docker push ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}

- name: Cleanup Docker images
run: |
docker rmi rootflo:${{ env.IMAGE_TAG }} || true
docker rmi ${{ env.GAR_LOCATION }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} || true
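Review bot: The `Auth-to-GCP` step authenticates with a long-lived service-account key passed as `credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}"`, and a leaked copy of that key stays valid until it is rotated. Consider Workload Identity Federation instead (the `workload_identity_provider` and `service_account` inputs of `google-github-actions/auth`, with `id-token: write` granted to the job), so the job receives short-lived credentials and no key has to live in repository secrets. Two smaller points in the same hunk: the `Cache Docker layers` step restores `/tmp/.buildx-cache`, but the plain `docker build` in `Build Docker Image` never reads from or writes to that directory, so the cache is unused; and every `uses:` reference is a mutable tag (`@v3`, `@v1`), where a full commit SHA would pin the exact code that runs while these credentials are in scope. The workflow name also says "AWS and GCP" while the steps only push to GCP Artifact Registry.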
Comment on lines +14 to +66

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 5 months ago

Generally, the fix is to define a permissions: block that restricts the default GITHUB_TOKEN privileges to the minimum needed. For a build-and-push workflow that only checks out code and interacts with external services (GCP, Docker) using their own credentials, the job only needs read access to repository contents.

The best way to fix this without changing behavior is:

  • Add a root-level permissions: block (between name: and on:) so it applies to all jobs.
  • Set it to contents: read, which is sufficient for actions/checkout@v3 to read the repository.
  • Do not add any write-scoped permissions, since the workflow doesn’t need to modify GitHub state.

Concretely, in .github/workflows/build-workflow-worker-develop.yaml, insert:

permissions:
  contents: read

directly after the name: (Develop) Build and Push Workflow Worker to AWS and GCP line. No imports or other definitions are required.

Suggested changeset 1
.github/workflows/build-workflow-worker-develop.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build-workflow-worker-develop.yaml b/.github/workflows/build-workflow-worker-develop.yaml
--- a/.github/workflows/build-workflow-worker-develop.yaml
+++ b/.github/workflows/build-workflow-worker-develop.yaml
@@ -1,5 +1,8 @@
 name: (Develop) Build and Push Workflow Worker to AWS and GCP
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
EOF

Expand Up @@ -15,6 +15,9 @@ pubsub_subscription_id = ${GCP_PUBSUB_SUBSCRIPTION_ID}
pubsub_topic_id = ${GCP_PUBSUB_TOPIC_ID}
bucket = ${APPLICATION_BUCKET}

[gcp]
gcp_asset_storage_bucket = ${APPLICATION_BUCKET}

[floware]
service_url = ${FLOWARE_SERVICE_URL}
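Review bot: The new `[gcp]` key `gcp_asset_storage_bucket` is bound to `${APPLICATION_BUCKET}`, the same variable already used for the `bucket` key just above, so asset storage shares one bucket and one set of bucket permissions with the existing consumer. If that is intended, a short comment saying so would help; if assets should be isolated, give this key its own variable so its access policy can be scoped separately.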

36 changes: 36 additions & 0 deletions wavefront/server/docker/workflow.Dockerfile
@@ -0,0 +1,36 @@
FROM python:3.11-slim

WORKDIR /app

COPY --from=ghcr.io/astral-sh/uv:0.8.6 /uv /uvx /bin/

⚠️ Potential issue | 🟠 Major

Update uv to the latest stable version (currently 0.9.18).

The Dockerfile pins uv to 0.8.6, which is significantly outdated. The current latest version is 0.9.18. While 0.8.6 addressed a critical ZIP parsing vulnerability, newer versions include additional security patches and improvements. Upgrade to the latest stable release.

🤖 Prompt for AI Agents
In wavefront/server/docker/workflow.Dockerfile around line 5, the COPY line
references the old uv image tag 0.8.6; update that tag to the latest stable
0.9.18 (replace ghcr.io/astral-sh/uv:0.8.6 with ghcr.io/astral-sh/uv:0.9.18 on
the COPY line), then rebuild the image and run your test suite / smoke tests to
verify there are no compatibility issues.


RUN apt-get update && apt-get install -y \
git \
&& rm -rf /var/lib/apt/lists/*

COPY wavefront/server/pyproject.toml wavefront/server/uv.lock ./

COPY wavefront/server/background_jobs/workflow_job /app/background_jobs/workflow_job
COPY wavefront/server/packages/flo_cloud /app/packages/flo_cloud
COPY wavefront/server/packages/flo_utils /app/packages/flo_utils

COPY wavefront/server/modules/api_services_module /app/modules/api_services_module
COPY wavefront/server/modules/auth_module /app/modules/auth_module
COPY wavefront/server/modules/agents_module /app/modules/agents_module
COPY wavefront/server/modules/common_module /app/modules/common_module
COPY wavefront/server/modules/db_repo_module /app/modules/db_repo_module
COPY wavefront/server/modules/knowledge_base_module /app/modules/knowledge_base_module
COPY wavefront/server/modules/plugins_module /app/modules/plugins_module
COPY wavefront/server/modules/tools_module /app/modules/tools_module
COPY wavefront/server/modules/user_management_module /app/modules/user_management_module

COPY wavefront/server/plugins/datasource /app/plugins/datasource
COPY wavefront/server/plugins/authenticator /app/plugins/authenticator

# Install dependencies (without dependecy resolution and no dev dependencies)

⚠️ Potential issue | 🟡 Minor

Fix typo in comment.

The comment has a typo: "dependecy" should be "dependency".

🔎 Proposed fix
-# Install dependencies (without dependecy resolution and no dev dependencies)
+# Install dependencies (without dependency resolution and no dev dependencies)
🤖 Prompt for AI Agents
In wavefront/server/docker/workflow.Dockerfile around line 30, the comment
contains a typo: change "dependecy" to "dependency" so the line reads "Install
dependencies (without dependency resolution and no dev dependencies)"; update
the comment text accordingly.

RUN uv sync --package workflow_job --frozen --no-dev

# change WORKDIR
WORKDIR /app/background_jobs/workflow_job/workflow_job

CMD ["uv", "run", "main.py"]
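Review bot: The image has no `USER` instruction, so `CMD ["uv", "run", "main.py"]` starts the worker as root; create an unprivileged user, give it ownership of `/app`, and switch to it before `CMD` so a compromised job process does not hold root inside the container. Also in this file: `FROM python:3.11-slim` and `ghcr.io/astral-sh/uv:0.8.6` are referenced by tag only, and pinning both by `@sha256:` digest would make the build reproducible and guard against a re-pushed tag; `apt-get install -y git` could add `--no-install-recommends` to keep the runtime image smaller.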