fix(ci): repair timed-out SST ACM certificate state

[willwashburn]

Summary

• add a targeted pre-deploy guard for the production SST web workflow
• detect the SST-tracked CloudFront ACM certificate and clear only stale state when ACM reports it missing or FAILED with VALIDATION_TIMED_OUT
• run the guard before production sst deploy so the next deploy can create a fresh certificate after the earlier Cloudflare-token failure

Root Cause

The failing run at https://github.com/AgentWorkforce/relay/actions/runs/26252592498/job/77298304399 reused an ACM certificate that had already reached VALIDATION_TIMED_OUT. The first failure in the series created WebCdnSslCertificate, then failed during Cloudflare zone lookup because the token was invalid, leaving SST state with a cert that never validated.

Validation

• bash -n .github/scripts/repair-failed-sst-acm-cert.sh
• shellcheck .github/scripts/repair-failed-sst-acm-cert.sh
• actionlint .github/workflows/deploy-web.yml
• YAML parse for .github/workflows/deploy-web.yml
• Node smoke test for the SST state parser

[coderabbitai]

Warning

Rate limit exceeded

@willwashburn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 29 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 80201025-2593-4b93-9fcd-7ea0b05dda23

📥 Commits

Reviewing files that changed from the base of the PR and between e5554b5 and 0d716e4.

📒 Files selected for processing (2)

• .github/scripts/repair-failed-sst-acm-cert.sh
• .github/workflows/deploy-web.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/repair-sst-acm-ci

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.