feat: add reusable Helm upgrade documentation workflow #364
- Introduced `helm-upgrade-doc.yml` for generating UPGRADE-X.Y.md guides after Helm chart releases.
- Implemented version detection and AI-powered documentation generation using OpenRouter or Anthropic APIs.
- Created `helm-release-notification.md` for sending Slack notifications after Helm chart releases.
- Added `helm-upgrade-doc.md` detailing the usage and features of the upgrade documentation workflow.
- Developed `README.md` for the helm-upgrade-doc action, outlining inputs, outputs, and usage examples.
- Created `action.yml` for the helm-upgrade-doc composite action, defining inputs and outputs.
- Implemented `generate-doc.sh` script for handling the documentation generation logic.
Walkthrough
Adds two reusable workflows: Helm Release Notification (extracts tag/README metadata and posts Slack notifications or prints a dry-run) and Helm Upgrade Doc (composite action + script + reusable workflow that generate UPGRADE-X.Y.md via LLM, open GPG-signed PRs, and optionally notify Slack). Also adds label and documentation.
Changes
- Helm Release Notification Workflow
- Helm Upgrade Doc Generation Workflow
🔍 PR Validation Summary: ✅ PR Mergeable, no blocking failures
🛡️ CodeQL Analysis Results: ✅ No security issues found.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 14
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/helm-release-notification.yml:
- Around line 23-50: The workflow accepts a dry_run input but doesn't expose
boolean outputs for callers to branch on; add workflow-level outputs (e.g.,
notification_sent and is_dry_run) under the reusable workflow declaration and
wire them to the job outputs from the job that performs the send/skip logic (set
the job outputs in the final step using GITHUB_OUTPUT or equivalent and map them
into the top-level outputs). Ensure the job that branches on dry_run (the
send/skip step referenced around the existing dry_run logic) sets
notification_sent=true/false and is_dry_run=true/false so callers can
conditionally act on those booleans.
- Around line 110-120: The script currently assumes LATEST_TAG (from git tag -l
"${CHART_NAME_RAW}-v*" ...) exists, so if LATEST_TAG is empty it writes empty
CHART_VERSION and invalid RELEASE_URL/COMMIT_URL; add a guard after computing
LATEST_TAG that checks if LATEST_TAG is empty or unset and if so emit a clear
error to stderr (mention CHART_NAME_RAW/LATEST_TAG), write a failing status
(exit 1) or set a specific fallback output, and stop the job before writing
chart_version/release_url/commit_url; ensure the check references the variables
LATEST_TAG, CHART_NAME_RAW, CHART_VERSION, RELEASE_URL and COMMIT_URL so the
flow stops and does not produce malformed Slack links.
- Around line 140-155: After extracting HEADER_LINE and DATA_LINE from
CHART_SECTION/README (and building README_ANCHOR/README_URL), validate that
HEADER_LINE and DATA_LINE are non-empty before writing to GITHUB_OUTPUT: if
either is empty, emit a clear workflow error via echo "::error::<message>"
referencing CHART_SECTION/README and exit 1 so the job fails early; otherwise
continue to echo "header_line=${HEADER_LINE}", "data_line=${DATA_LINE}", and
"readme_url=${README_URL}". Ensure checks reference the exact variables
HEADER_LINE and DATA_LINE and include the README URL/section context in the
error message for debugging.
- Around line 97-99: Remove the "Get latest changes" step (the git pull using
${{ github.ref_name }}) because it interpolates an unvalidated branch name and
is redundant when checkout already uses fetch-depth: 0; if you must keep it,
replace the direct interpolation by mapping github.ref_name into an env variable
and run git check-ref-format --allow-onelevel "$REF" to validate before
executing git pull "$REF" (quoted) to prevent injection. Also add explicit
boolean outputs to this reusable workflow (e.g., skip_enable: true/false) that
reflect conditional branches driven by the dry_run input so callers can evaluate
conditions reliably; update any jobs referencing the dry_run condition to
consume the new outputs.
- Around line 243-247: The curl call that sets RESPONSE currently uses -s and no
timeouts or retries; update the curl invocation that populates RESPONSE to
replace -s with --fail-with-body and add timeouts and retries: include
--connect-timeout 10, --max-time 30, and --retry 3 --retry-delay 2
--retry-all-errors so the chat.postMessage POST has connect/read time limits and
retry behavior while preserving error bodies for jq parsing; keep the existing
headers, --data "$SLACK_PAYLOAD", and URL intact when applying these flags.
In @.github/workflows/helm-upgrade-doc.yml:
- Line 83: The workflow currently references the composite action with a feature
branch ref
"LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@feat/helm-upgrade-doc"
which will break after the feature branch is deleted; update that uses: entry to
point to an absolute, long-lived ref such as "@develop" (or a stable tag like
"@v1" for production) so the composite action import remains valid after merge.
In `@docs/helm-release-notification.md`:
- Around line 31-37: Replace mutable develop tags with a stable release tag in
the production-facing examples: update any occurrences of the GitHub Actions
reference that use "@develop" in the docs/helm-release-notification.md examples
(notably the Basic usage block and the other examples around the previous
comment locations) to a stable semantic tag format like "@vX.Y.Z"; keep
"@develop" only for test/example variants and ensure all production snippets
reference the stable "@vX.Y.Z" pattern so readers see immutable release pins.
In `@docs/helm-upgrade-doc.md`:
- Line 128: The link text for the internal link pointing to
'../src/docs/helm-upgrade-doc/README.md' is incorrect ("helm-update-chart");
update the display text to "helm-upgrade-doc" so the link label matches the
target composite action and file (change the link line that currently reads
'[helm-update-chart](../src/docs/helm-upgrade-doc/README.md)' to use
'[helm-upgrade-doc](../src/docs/helm-upgrade-doc/README.md)').
- Around line 88-94: Update the inputs table to match the workflow interface by
replacing the outdated `chart_path` and `docs_path` rows with `charts_root` and
`docs_subdir` respectively, ensuring their Type, Default and Description reflect
the workflow's definitions (the workflow uses `charts_root` and `docs_subdir` at
lines where inputs are defined); keep other inputs (`runner_type`,
`openai_model`, `dry_run`) unchanged and verify the default values and
descriptions match the workflow.
- Around line 96-108: The secrets table in docs/helm-upgrade-doc.md is missing
the three Slack-related secrets used by the workflow
(.github/workflows/helm-upgrade-doc.yml): add entries for SLACK_BOT_TOKEN_HELM,
SLACK_CHANNEL_DEVOPS, and SLACK_GROUP_TECH_SUPPORT to the Secrets table with
short descriptions (e.g., Slack bot token for notifications; Slack channel for
DevOps PR notifications; Slack support group for tech-support alerts) so the PR
review notification feature is documented and discoverable.
In `@src/docs/helm-upgrade-doc/README.md`:
- Around line 28-33: The outputs table in README.md is missing the `chart-name`
output declared in the action metadata; add a new table row for `chart-name`
(matching the output key `chart-name` from src/docs/helm-upgrade-doc/action.yml)
and provide a short description such as "Name of the Helm chart" so the README
reflects the outputs defined in the action (`chart-name` referenced in
action.yml lines ~70-72).
- Around line 12-24: The inputs table in README.md must exactly mirror the
composite action's inputs in action.yml: remove the non-existent `base-ref` row,
add the missing inputs `anthropic-api-key`, `slack-bot-token`, `slack-channel`,
and `slack-group-ops`, and rename `chart-path` → `charts-root` and `docs-path` →
`docs-subdir`; for each input ensure the Name, Description, Required, and
Default columns match the corresponding entries in action.yml (use the exact
input names and required/default values from action.yml to update the table).
In `@src/docs/helm-upgrade-doc/scripts/generate-doc.sh`:
- Around line 53-57: The script currently hardcodes special-case chart names
(CHART_NAME values "plugin-access-manager" and "otel-collector-lerian") to set
PACKAGE_NAME, which will not scale; change generate-doc.sh to derive
PACKAGE_NAME instead by first checking for a packageName annotation in the
chart's Chart.yaml (or a separate mapping file) and falling back to the current
"${CHART_NAME}-helm" logic only if no annotation/mapping exists; update the code
that reads CHART_NAME and sets PACKAGE_NAME to parse Chart.yaml (or load a
mapping object) and honor a "packageName" field so you can remove the explicit
checks for plugin-access-manager and otel-collector-lerian.
- Around line 28-29: The diffs for VALUES_DIFF and TEMPLATE_DIFF are being
hard-truncated with head which can silently drop important changes; update the
script to detect when truncation occurs by counting lines (e.g., using git diff
piped to wc -l or storing full diff and comparing its line count to your
thresholds), and when the count exceeds the threshold emit a clear warning
message (to stderr or the action logs) that includes PREV_TAG, CURRENT_TAG and
CHART_PATH, or alternatively increase/remove the hard limit and document the
limitation in the README so operators know large diffs may be truncated; ensure
the variables VALUES_DIFF and TEMPLATE_DIFF still receive the intended content
after implementing the check.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: bae8b64e-1b63-41d3-a122-212e707a2229
📒 Files selected for processing (8)
- .github/labels.yml
- .github/workflows/helm-release-notification.yml
- .github/workflows/helm-upgrade-doc.yml
- docs/helm-release-notification.md
- docs/helm-upgrade-doc.md
- src/docs/helm-upgrade-doc/README.md
- src/docs/helm-upgrade-doc/action.yml
- src/docs/helm-upgrade-doc/scripts/generate-doc.sh
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/helm-upgrade-doc.yml (1)
83-83: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Local composite reference breaks external callers of this reusable workflow.
Line 83 uses `./src/docs/helm-upgrade-doc`, which resolves in the caller repository workspace for `workflow_call`. This is a caller-facing breaking defect: external repos will fail to resolve the action.
Proposed fix
- - name: Generate Helm Upgrade Doc - uses: ./src/docs/helm-upgrade-doc + - name: Generate Helm Upgrade Doc + uses: LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@develop#!/bin/bash # Verify reusable workflows are not using local ./src composite refs # Expectation: no matches in non-self-* reusable workflows. fd -e yml .github/workflows | while read -r f; do if rg -n '^\s*workflow_call:' "$f" >/dev/null && [[ "$(basename "$f")" != self-* ]]; then rg -n '^\s*uses:\s*\./src/' "$f" && echo "^^ invalid local ref in reusable workflow: $f" fi doneBased on learnings: reusable workflows in this repository must use absolute external refs for internal composites because local
`./` paths resolve to the caller workspace.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-upgrade-doc.yml at line 83, The reusable workflow declared with workflow_call is using a local composite reference "uses: ./src/docs/helm-upgrade-doc", which breaks external callers because ./ resolves in the caller repo; replace that local relative reference with an absolute external action ref (owner/repo/path@ref or the canonical repo@sha) so callers can resolve it, updating the uses value where "uses: ./src/docs/helm-upgrade-doc" appears in the reusable workflow and ensuring any non-self-* reusable workflows do not contain "./src/" local refs.
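Review bot: the replacement `uses:` line in this hunk pins the composite to `@develop`, a moving branch, while the documentation comments elsewhere in this same review require production-facing references to use an immutable `@vX.Y.Z` tag; a release tag or a full commit SHA would be the consistent target once one exists, with `@develop` kept only until the first tag is cut.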
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/helm-upgrade-doc.yml:
- Around line 21-24: Update the reusable workflow input and any caller-provided
runner usage to enforce the approved runner: change the input variable
runner_type to have default 'blacksmith-4vcpu-ubuntu-2404' and disallow other
labels (remove or tighten any allowed-values that permit arbitrary labels); also
change any job definitions that use the input (e.g., runs-on: ${{
inputs.runner_type }}) to use 'blacksmith-4vcpu-ubuntu-2404' or validate the
input so only 'blacksmith-4vcpu-ubuntu-2404' is accepted, ensuring both the
'runner_type' input and its usage are locked to that exact runner name.
---
Duplicate comments:
In @.github/workflows/helm-upgrade-doc.yml:
- Line 83: The reusable workflow declared with workflow_call is using a local
composite reference "uses: ./src/docs/helm-upgrade-doc", which breaks external
callers because ./ resolves in the caller repo; replace that local relative
reference with an absolute external action ref (owner/repo/path@ref or the
canonical repo@sha) so callers can resolve it, updating the uses value where
"uses: ./src/docs/helm-upgrade-doc" appears in the reusable workflow and
ensuring any non-self-* reusable workflows do not contain "./src/" local refs.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 606e24dc-475f-490b-93ea-aa1afa007a95
📒 Files selected for processing (1)
.github/workflows/helm-upgrade-doc.yml
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/helm-release-notification.yml:
- Around line 41-44: The declared workflow input "oci_registry" is unused;
remove the entire oci_registry input block from the workflow inputs (the
description/type/default lines) to avoid confusion, and if callers expect an OCI
registry value update any docs or workflow callers accordingly; alternatively,
if the intent was to push/read chart packages, implement usage of the input
inside the release steps (reference the input as inputs.oci_registry) wherever
chart OCI operations occur (e.g., chart push/pull steps) so the variable is
actually consumed.
- Around line 153-155: The workflow writes to GITHUB_OUTPUT without quoting
which triggers shellcheck SC2086; update the three echo lines that set
HEADER_LINE, DATA_LINE, and README_URL so they quote the variable expansion for
the output file (use ">> \"$GITHUB_OUTPUT\"" instead of >> $GITHUB_OUTPUT) while
preserving the existing key=value format so HEADER_LINE, DATA_LINE, and
README_URL are exported correctly.
In `@docs/helm-upgrade-doc.md`:
- Around line 149-150: Several markdown headings ("### Major", "### Minor", "###
Patch") are missing the required blank line after them and trigger MD022; update
the document so that each occurrence of these headings has an empty line
immediately following the heading text (for example, add a single blank line
after the "### Major" heading in the ToC and similarly after each "### Minor"
and "### Patch" heading elsewhere) to satisfy the linter.
- Around line 46-47: Replace the mutable workflow ref uses:
LerianStudio/github-actions-shared-workflows/.github/workflows/helm-upgrade-doc.yml@v1
with a concrete, pinned stable tag (e.g., `@v1.0.0`) in this document and in the
other occurrences of the same `uses:` line (the instances noted in the review);
ensure all examples in docs/ are using explicit semver tags (not `@v1` or `@main`)
so the `uses:` entries are immutable and production-safe.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 8d1fb1b6-a4b6-4c0a-8da2-89a773b897d1
📒 Files selected for processing (2)
- .github/workflows/helm-release-notification.yml
- docs/helm-upgrade-doc.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
♻️ Duplicate comments (8)
.github/workflows/helm-release-notification.yml (8)
23-50: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win
Expose boolean workflow outputs for skip-enabling.
This workflow has conditional behavior (`dry_run` input) but does not expose outputs for callers to branch on (e.g., `notification_sent`, `is_dry_run`). As per coding guidelines, reusable workflows with conditional work must expose boolean outputs for skip-enabling.
Recommended implementation
Add workflow-level outputs after line 50:
```yaml
outputs:
  notification_sent:
    description: 'Whether the Slack notification was sent'
    value: ${{ jobs.notify.outputs.notification_sent }}
  is_dry_run:
    description: 'Whether the workflow ran in dry-run mode'
    value: ${{ jobs.notify.outputs.is_dry_run }}
```
Add job-level outputs after line 90:
```yaml
outputs:
  notification_sent: ${{ steps.send.outputs.sent }}
  is_dry_run: ${{ inputs.dry_run }}
```
Set step output in the "Send Slack notification" step (add `id: send` at line 177 and emit `sent=true` after line 255).
As per coding guidelines: "Every reusable workflow and composite action with conditional work must expose boolean outputs for skip-enabling."
Also applies to: 87-89
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 23 - 50, Add boolean outputs so callers can branch on the workflow's conditional behavior: expose workflow-level outputs notification_sent and is_dry_run (mapping to jobs.notify.outputs.notification_sent and jobs.notify.outputs.is_dry_run), add job-level outputs on the notify job (notification_sent set to steps.send.outputs.sent and is_dry_run set to inputs.dry_run), and mark the "Send Slack notification" step with id: send and emit a boolean step output named sent (true when a real notification was sent, false for dry run) so the job and workflow outputs can reference it.
97-99: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Remove `git pull` step: command injection risk from unvalidated branch name.
Line 98 interpolates `github.ref_name` directly into a shell command without validation or quoting. The `fetch-depth: 0` checkout already provides full history, making this step redundant. If the step is necessary, validate the ref with `git check-ref-format` and map through `env:`.
Recommended fix
- - name: Get latest changes - run: git pull origin ${{ github.ref_name }} -If this step is truly needed:
```yaml
- name: Get latest changes
  env:
    REF_NAME: ${{ github.ref_name }}
  run: |
    git check-ref-format --allow-onelevel "$REF_NAME" || { echo "::error::Invalid ref name"; exit 1; }
    git pull origin "$REF_NAME"
```
As per coding guidelines: "Validate branch names and label names before using in shell commands; always quote variables and map through `env:`."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 97 - 99, Remove the risky unquoted interpolation in the "Get latest changes" step (the `git pull origin ${{ github.ref_name }}` line) since the checkout already used `fetch-depth: 0`; either delete this step or, if kept, map the ref through env (e.g., set REF_NAME: ${{ github.ref_name }}), validate it with `git check-ref-format --allow-onelevel "$REF_NAME"` and then call `git pull origin "$REF_NAME"` (always quote the variable and exit with an error on invalid ref).
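Review bot: in the fallback variant, `git check-ref-format --allow-onelevel "$REF_NAME"` validates only the syntax of the name, not that `origin` actually has such a branch, so a mistyped or deleted ref still surfaces later as an opaque `git pull` failure; a `git ls-remote --exit-code --heads origin "$REF_NAME"` before the pull turns that into a clear early error. Since `fetch-depth: 0` already supplies full history, the first variant (deleting the step) stays the simpler choice.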
248-252: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Add timeout and retry configuration to Slack API call.
The `curl` command lacks connect/read timeouts and retry logic. On transient network failures, the workflow may hang indefinitely or fail unnecessarily. Add resilience parameters.
Proposed fix
- RESPONSE=$(curl -s -X POST \ + RESPONSE=$(curl -sS --fail-with-body \ + --connect-timeout 10 \ + --max-time 30 \ + --retry 3 \ + --retry-delay 2 \ + --retry-all-errors \ + -X POST \ -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ -H "Content-type: application/json; charset=utf-8" \ --data "$SLACK_PAYLOAD" \ "https://slack.com/api/chat.postMessage")🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 248 - 252, The curl invocation that sets RESPONSE (the POST to https://slack.com/api/chat.postMessage using SLACK_BOT_TOKEN and SLACK_PAYLOAD) needs connect/read timeouts and retry behavior added; update the curl flags to include a connection timeout (e.g., --connect-timeout), an overall request timeout (e.g., --max-time), and retry options (e.g., --retry, --retry-delay and/or --retry-max-time) so transient network errors are retried and the workflow won't hang indefinitely, and ensure the command still runs quietly (preserve -s) while returning non-zero on HTTP failures if desired.
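Review bot: with `--fail-with-body`, the `RESPONSE=$(curl ...)` assignment exits non-zero on any HTTP 4xx/5xx, and under the `bash -e` that GitHub Actions uses for `run:` steps the step stops right there, so the error body this flag preserves never reaches the later `jq` parsing unless the exit status is captured (for example `RESPONSE=$(curl ...) || CURL_STATUS=$?`). Slack's chat.postMessage also reports most failures (invalid_auth, channel_not_found, not_in_channel) as HTTP 200 with `"ok": false`, so a `jq` check on the response's `ok` field is still the one that matters; `--fail-with-body` requires curl 7.76 or newer.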
41-44: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Remove unused input `oci_registry`.
This input is declared but never referenced in the workflow. Remove it to avoid caller confusion.
Proposed fix
- oci_registry: - description: 'OCI registry for chart packages (e.g., ghcr.io/lerianstudio)' - type: string - default: ''🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 41 - 44, Remove the unused workflow input named oci_registry from the helm release notification workflow by deleting the entire input block (the key "oci_registry" and its description/type/default) from the workflow inputs; search the workflow for any remaining references to oci_registry to ensure nothing else depends on it and, if callers or documentation mention it, update them accordingly so there are no dangling references.
143-159: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Validate extracted README table lines before writing outputs.
Lines 143-149 may produce empty `HEADER_LINE`/`DATA_LINE` if the section or table is not found in README. Without validation, these empty values are passed to `jq` at line 195, producing malformed Slack notifications. Add a guard to fail early.
Proposed fix
if [ -n "$CHART_SECTION" ]; then HEADER_LINE=$(echo "$CHART_SECTION" | grep "| Chart Version |" | head -1) DATA_LINE=$(echo "$CHART_SECTION" | grep -A 2 "| Chart Version |" | tail -1) else HEADER_LINE=$(grep "| Chart Version |" README.md | head -1) DATA_LINE=$(grep -A 2 "| Chart Version |" README.md | tail -1) fi + if [ -z "${HEADER_LINE:-}" ] || [ -z "${DATA_LINE:-}" ]; then + echo "::error::Could not extract '| Chart Version |' table from README.md for chart pattern '${CHART_PATTERN}'" + exit 1 + fi # Build README anchor URL🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 143 - 159, Validate that HEADER_LINE and DATA_LINE are non-empty after extracting from CHART_SECTION or README.md and before writing to GITHUB_OUTPUT: check the values of HEADER_LINE and DATA_LINE and if either is empty, emit a clear error message to stderr (referencing README_URL and README_ANCHOR for context) and exit with a non-zero status to fail the workflow early; only append to GITHUB_OUTPUT when both HEADER_LINE and DATA_LINE are present. Ensure the validation happens immediately after the extraction block that sets HEADER_LINE/DATA_LINE (and before the block that writes to "$GITHUB_OUTPUT") so downstream jq processing is never given empty values.
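Review bot: the added `-z` guard catches an absent table but not a table that has a header and no data row: in that case `grep -A 2 '| Chart Version |' | tail -1` returns the markdown separator row (`|---|...`), which is non-empty and passes the check, so the separator ends up in the Slack message. Rejecting a `DATA_LINE` that matches `*---*` or that equals `HEADER_LINE` closes that gap.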
156-159: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Quote `$GITHUB_OUTPUT` to satisfy ShellCheck (SC2086).
The unquoted variable expansion triggers ShellCheck SC2086 (unquoted variable, risk of globbing/word-splitting).
Proposed fix
{ - echo "header_line=${HEADER_LINE}" - echo "data_line=${DATA_LINE}" - echo "readme_url=${README_URL}" - } >> "$GITHUB_OUTPUT" + echo "header_line=${HEADER_LINE}" + echo "data_line=${DATA_LINE}" + echo "readme_url=${README_URL}" + } >> "$GITHUB_OUTPUT"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 156 - 159, The shell step is triggering ShellCheck SC2086 due to an unquoted redirection target; update the append block that writes header_line, data_line and readme_url so the redirection target is quoted: change any occurrences of >> $GITHUB_OUTPUT to >> "$GITHUB_OUTPUT" (ensure this fix is applied in the block that echoes HEADER_LINE, DATA_LINE and README_URL).
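Review bot: the `-` and `+` sides of this hunk are identical (both already redirect to `"$GITHUB_OUTPUT"`), so applying the suggestion as shown changes nothing. If the file at lines 156-159 really has an unquoted `>> $GITHUB_OUTPUT`, the `-` lines should show that form so the diff applies; if it is already quoted, the SC2086 finding is stale and the comment can be resolved.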
112-123: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Validate that `LATEST_TAG` is non-empty before deriving URLs.
If no tags match `${CHART_NAME_RAW}-v*`, `LATEST_TAG` is empty and lines 113-115 produce empty `CHART_VERSION` and malformed `RELEASE_URL`/`COMMIT_URL`. This results in broken Slack notification links. Add explicit validation.
Proposed fix
LATEST_TAG=$(git tag -l "${CHART_NAME_RAW}-v*" --sort=-v:refname | head -1) + if [ -z "${LATEST_TAG:-}" ]; then + echo "::error::No release tag found matching pattern '${CHART_NAME_RAW}-v*'" + exit 1 + fi CHART_VERSION="${LATEST_TAG/${CHART_NAME_RAW}-v/}"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 112 - 123, The script currently derives CHART_VERSION, RELEASE_URL, and COMMIT_URL from LATEST_TAG without checking if LATEST_TAG is set; add a check using LATEST_TAG (the variable) and if it's empty either fail fast (exit non-zero with an error message) or populate safe defaults (e.g., CHART_VERSION="unknown" and empty or placeholder RELEASE_URL/COMMIT_URL) before writing to GITHUB_OUTPUT so you never emit malformed links; update the block that computes CHART_VERSION/RELEASE_URL/COMMIT_URL to perform the validation and then append only validated/safe values to GITHUB_OUTPUT.
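The README table guard and `LATEST_TAG` guard from the two comments above, together with the parameter-expansion rewrite of `CHART_PATTERN`/`README_ANCHOR` requested in the later inline comment on line 133, as one added stand-alone example that is not part of the PR or of the review. The README excerpt is constructed and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not code from the PR or from the review comments): the guards
# and parameter-expansion rewrites requested in the review, as stand-alone
# functions. SAMPLE_README is constructed; function names are my own.
set -euo pipefail

# Constructed stand-in for the repository README.md: one well-formed chart
# table and one table that has a header but no data row.
SAMPLE_README='# Charts

#### Plugin Access Manager

| Chart Version | App Version | Released   |
|---------------|-------------|------------|
| 1.4.0         | 2.1.3       | 2025-01-10 |

#### Broken Chart

| Chart Version | App Version |
|---------------|-------------|
'

# CHART_PATTERN without sed: drop the "-helm" suffix, hyphens become spaces.
chart_pattern() {
  local name="${1%-helm}"
  printf '%s\n' "${name//-/ }"
}

# README_ANCHOR without sed/tr: strip "#### ", lowercase, spaces become dashes.
readme_anchor() {
  local header="${1#"#### "}"
  header="${header,,}"
  printf '%s\n' "${header// /-}"
}

# Lines of the "#### <pattern>" section (case-insensitive), up to the next
# "#### " header. Empty output when the chart has no section at all.
chart_section() {
  local readme="$1" pat="${2,,}"
  printf '%s\n' "$readme" | awk -v pat="$pat" '
    /^#### / { in_sec = (index(tolower($0), pat) > 0) }
    in_sec   { print }'
}

# Header row and first data row of the "| Chart Version |" table. Fails when
# either is missing AND when the "data" row is only the markdown separator,
# which is what `grep -A 2 | tail -1` yields for a table with no rows.
extract_table_lines() {
  local section="$1" header data
  header=$(printf '%s\n' "$section" | grep '| Chart Version |' | head -1 || true)
  data=$(printf '%s\n' "$section" | grep -A 2 '| Chart Version |' | tail -1 || true)
  if [ -z "$header" ] || [ -z "$data" ]; then
    echo "::error::Could not find a '| Chart Version |' table in the README section" >&2
    return 1
  fi
  case "$data" in
    *'| Chart Version |'*|*---*)
      echo "::error::'| Chart Version |' table has no data row" >&2
      return 1 ;;
  esac
  printf '%s\n%s\n' "$header" "$data"
}

# LATEST_TAG guard: refuse to derive CHART_VERSION (and hence the release and
# commit URLs) from an empty or non-matching tag.
chart_version_from_tag() {
  local chart="$1" latest_tag="${2:-}"
  if [ -z "$latest_tag" ]; then
    echo "::error::No release tag found matching pattern '${chart}-v*'" >&2
    return 1
  fi
  case "$latest_tag" in
    "${chart}-v"*) printf '%s\n' "${latest_tag#"${chart}-v"}" ;;
    *) echo "::error::Tag '${latest_tag}' does not match '${chart}-v*'" >&2; return 1 ;;
  esac
}

# Walk one chart through the steps the notification workflow performs.
demo() {
  local pattern section anchor
  pattern=$(chart_pattern "plugin-access-manager-helm")          # plugin access manager
  section=$(chart_section "$SAMPLE_README" "$pattern")
  anchor=$(readme_anchor "$(printf '%s\n' "$section" | head -1)")  # plugin-access-manager
  echo "readme anchor: #${anchor}"
  extract_table_lines "$section"
  chart_version_from_tag "plugin-access-manager" "plugin-access-manager-v1.4.0"  # 1.4.0
}

[ "${BASH_SOURCE[0]}" = "$0" ] && demo
```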
89-89: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Add explicit `permissions` block to limit GITHUB_TOKEN scope.
The workflow does not define a `permissions` block, leaving GITHUB_TOKEN with default write permissions. For a notification workflow that only reads repository metadata, restrict to `contents: read`.
Proposed fix
notify: name: Send Slack Notification runs-on: ${{ inputs.runner_type }} + permissions: + contents: read steps:Based on CodeQL finding: actions/missing-workflow-permissions at line 89.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml at line 89, Add an explicit permissions block to restrict the GITHUB_TOKEN scope for the "Send Slack Notification" workflow: add a top-level or job-level permissions entry that sets contents: read (and no broader write scopes) so the notification workflow only has read access; update the workflow where the "Send Slack Notification" job is defined to include this permissions configuration.
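Review bot: a job-level `permissions:` block inside a `workflow_call` workflow can only narrow the token the caller passes in, never widen it, so `contents: read` here is the right minimum but callers that invoke this workflow with a broader default token keep that broader token in their own jobs; stating the minimum (`contents: read`) in docs/helm-release-notification.md lets callers mirror it. `contents: read` also suffices for the `git pull` in the same job (lines 97-99), should that step be kept.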
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/helm-release-notification.yml:
- Line 133: Replace the sed invocations with bash parameter expansion: for
CHART_PATTERN, use parameter expansion to strip the "-helm" suffix and convert
hyphens to spaces (use the % or %% operator to remove the suffix and the //
operator to replace "-" with " "); for README_ANCHOR, capture the header into
README_ANCHOR, strip the "#### " prefix with the ${var#pattern} expansion,
convert to lowercase with ${var,,}, and then replace spaces with dashes using
${var// /-} so no sed/tr pipeline is needed (refer to CHART_PATTERN and
README_ANCHOR in the diff to locate the changes).
---
Duplicate comments:
In @.github/workflows/helm-release-notification.yml:
- Around line 23-50: Add boolean outputs so callers can branch on the workflow's
conditional behavior: expose workflow-level outputs notification_sent and
is_dry_run (mapping to jobs.notify.outputs.notification_sent and
jobs.notify.outputs.is_dry_run), add job-level outputs on the notify job
(notification_sent set to steps.send.outputs.sent and is_dry_run set to
inputs.dry_run), and mark the "Send Slack notification" step with id: send and
emit a boolean step output named sent (true when a real notification was sent,
false for dry run) so the job and workflow outputs can reference it.
- Around line 97-99: Remove the risky unquoted interpolation in the "Get latest
changes" step (the `git pull origin ${{ github.ref_name }}` line) since the
checkout already used `fetch-depth: 0`; either delete this step or, if kept, map
the ref through env (e.g., set REF_NAME: ${{ github.ref_name }}), validate it
with `git check-ref-format --allow-onelevel "$REF_NAME"` and then call `git pull
origin "$REF_NAME"` (always quote the variable and exit with an error on invalid
ref).
- Around line 248-252: The curl invocation that sets RESPONSE (the POST to
https://slack.com/api/chat.postMessage using SLACK_BOT_TOKEN and SLACK_PAYLOAD)
needs connect/read timeouts and retry behavior added; update the curl flags to
include a connection timeout (e.g., --connect-timeout), an overall request
timeout (e.g., --max-time), and retry options (e.g., --retry, --retry-delay
and/or --retry-max-time) so transient network errors are retried and the
workflow won't hang indefinitely, and ensure the command still runs quietly
(preserve -s) while returning non-zero on HTTP failures if desired.
- Around line 41-44: Remove the unused workflow input named oci_registry from
the helm release notification workflow by deleting the entire input block (the
key "oci_registry" and its description/type/default) from the workflow inputs;
search the workflow for any remaining references to oci_registry to ensure
nothing else depends on it and, if callers or documentation mention it, update
them accordingly so there are no dangling references.
- Around line 143-159: Validate that HEADER_LINE and DATA_LINE are non-empty
after extracting from CHART_SECTION or README.md and before writing to
GITHUB_OUTPUT: check the values of HEADER_LINE and DATA_LINE and if either is
empty, emit a clear error message to stderr (referencing README_URL and
README_ANCHOR for context) and exit with a non-zero status to fail the workflow
early; only append to GITHUB_OUTPUT when both HEADER_LINE and DATA_LINE are
present. Ensure the validation happens immediately after the extraction block
that sets HEADER_LINE/DATA_LINE (and before the block that writes to
"$GITHUB_OUTPUT") so downstream jq processing is never given empty values.
- Around line 156-159: The shell step is triggering ShellCheck SC2086 due to an
unquoted redirection target; update the append block that writes header_line,
data_line and readme_url so the redirection target is quoted: change any
occurrences of >> $GITHUB_OUTPUT to >> "$GITHUB_OUTPUT" (ensure this fix is
applied in the block that echoes HEADER_LINE, DATA_LINE and README_URL).
- Around line 112-123: The script currently derives CHART_VERSION, RELEASE_URL,
and COMMIT_URL from LATEST_TAG without checking if LATEST_TAG is set; add a
check using LATEST_TAG (the variable) and if it's empty either fail fast (exit
non-zero with an error message) or populate safe defaults (e.g.,
CHART_VERSION="unknown" and empty or placeholder RELEASE_URL/COMMIT_URL) before
writing to GITHUB_OUTPUT so you never emit malformed links; update the block
that computes CHART_VERSION/RELEASE_URL/COMMIT_URL to perform the validation and
then append only validated/safe values to GITHUB_OUTPUT.
- Line 89: Add an explicit permissions block to restrict the GITHUB_TOKEN scope
for the "Send Slack Notification" workflow: add a top-level or job-level
permissions entry that sets contents: read (and no broader write scopes) so the
notification workflow only has read access; update the workflow where the "Send
Slack Notification" job is defined to include this permissions configuration.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 0c51a5fd-2629-4c90-8a2d-9c5780623d1a
📒 Files selected for processing (1)
.github/workflows/helm-release-notification.yml
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
♻️ Duplicate comments (5)
.github/workflows/helm-upgrade-doc.yml (2)
82-83: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Replace forbidden `@main` ref for internal composite action.
Line 83 uses `@main`, which is explicitly disallowed for org-owned action refs in this repo. Use `@develop` for testing or a release tag (for example `@v1`) for stable consumption.
Suggested fix
- - name: Generate Helm Upgrade Doc - uses: LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main + - name: Generate Helm Upgrade Doc + uses: LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@develop#!/bin/bash # Verify reusable workflows do not reference internal composites with forbidden `@main/`@master rg -nP "uses:\s*LerianStudio/github-actions-shared-workflows/src/[^@]+@(main|master)\b" .github/workflows/*.ymlAs per coding guidelines, “
`LerianStudio/*` actions must use release tags or `@develop` for testing; never `@main` or `@master`.”
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-upgrade-doc.yml around lines 82 - 83, The workflow references an org-owned composite action with a forbidden `@main` ref: "LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main"; update that uses entry to point to a permitted ref (either `@develop` for testing or a specific release tag like `@v1`) so the line becomes a non-main ref for the composite action.
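Review bot: the `@develop` ref this hunk substitutes is itself a mutable branch, so it only moves the problem from one floating ref to another; for a reusable workflow that other repositories consume, pin the composite to the release tag the comment itself allows (`@v1`), and note that the `rg` check on the same line matches only `@main` and `@master`, so a `@develop` reference left in a merged workflow would pass it unnoticed.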
21-24: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Lock runner selection to the required Blacksmith label.
Lines 21-24 allow caller-controlled `runner_type` (default `ubuntu-latest`), and line 73 executes it directly. This violates runner policy for reusable workflows.
Suggested fix
on: workflow_call: inputs: - runner_type: - description: Runner to use for the workflow - type: string - default: 'ubuntu-latest' + runner_type: + description: Deprecated compatibility input; must be blacksmith-4vcpu-ubuntu-2404 + type: string + default: 'blacksmith-4vcpu-ubuntu-2404' @@ jobs: upgrade-doc: name: Generate Helm Upgrade Doc - runs-on: ${{ inputs.runner_type }} + runs-on: blacksmith-4vcpu-ubuntu-2404 + steps: + - name: Validate runner_type input + if: ${{ inputs.runner_type != 'blacksmith-4vcpu-ubuntu-2404' }} + run: | + echo "::error::runner_type must be blacksmith-4vcpu-ubuntu-2404" + exit 1As per coding guidelines, “All jobs in reusable workflows must use
`blacksmith-4vcpu-ubuntu-2404` as the runner.”
Also applies to: 73-73
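Review bot: this hunk both hardcodes `runs-on: blacksmith-4vcpu-ubuntu-2404` and adds a step that fails when `inputs.runner_type` is anything else, so every caller currently relying on the old `ubuntu-latest` default will start failing at the validation step; either drop the validation step and document the input as ignored, or make the description say `must be` consistently, since `Deprecated compatibility input` and `must be` on the same line contradict each other.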
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-upgrade-doc.yml around lines 21 - 24, The workflow currently exposes an input named runner_type with default 'ubuntu-latest' and then uses that value at runtime, which allows callers to pick arbitrary runners; change this so the workflow always uses the required Blacksmith runner: remove or stop exposing caller-controlled runner_type (or set its default and allowed value to 'blacksmith-4vcpu-ubuntu-2404' only) and replace any runtime use of runner_type with the literal 'blacksmith-4vcpu-ubuntu-2404' so jobs always run on that specific runner (update references to runner_type and the job that consumes it).
.github/workflows/helm-release-notification.yml (3)
136-152: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Missing validation for extracted README table lines.
If the README doesn't contain the expected
| Chart Version |table format,HEADER_LINEandDATA_LINEwill be empty, causing the jq command at line 188 to produce a malformed Slack table block. Add validation before writing to outputs:else HEADER_LINE=$(grep "| Chart Version |" README.md | head -1) DATA_LINE=$(grep -A 2 "| Chart Version |" README.md | tail -1) fi + + if [ -z "${HEADER_LINE:-}" ] || [ -z "${DATA_LINE:-}" ]; then + echo "::error::Could not extract '| Chart Version |' table from README.md" + exit 1 + fi # Build README anchor URL🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 136 - 152, The script currently assumes HEADER_LINE and DATA_LINE are populated and writes them to GITHUB_OUTPUT; add validation after extracting HEADER_LINE and DATA_LINE (and after building README_ANCHOR/README_URL) to check they are non-empty and match the expected table pattern (e.g., HEADER_LINE contains "| Chart Version |" and DATA_LINE contains a version cell) and if not either set safe default values or fail early with a clear error/exit 1; ensure the validation occurs before the block that writes to GITHUB_OUTPUT so downstream jq/Slack formatting (which consumes header_line and data_line) never receives empty/malformed values.
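Review bot: the `-z` guard in this hunk does not cover the case the `grep -A 2 ... | tail -1` extraction actually produces on a truncated table: when only the `|---|` separator follows the header, `DATA_LINE` is the separator, which is non-empty, and the check passes; test that `DATA_LINE` contains a version cell, as the AI prompt for this finding already suggests, rather than only checking for emptiness.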
79-82: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Missing `permissions:` block and incorrect runner default.
Two issues:
- No explicit `permissions:` block declared. Add at workflow level: `permissions: contents: read`
- Runner should default to
blacksmith-4vcpu-ubuntu-2404per repo conventions, notubuntu-latest:runner_type: description: 'Runner to use for the workflow' type: string - default: 'ubuntu-latest' + default: 'blacksmith-4vcpu-ubuntu-2404'🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 79 - 82, Add a workflow-level permissions block and set the runner default to the repo standard: declare permissions: contents: read at the top level of the workflow, and update the workflow inputs so inputs.runner_type defaults to "blacksmith-4vcpu-ubuntu-2404" (the notify job already uses runs-on: ${{ inputs.runner_type }}); ensure the notify job name/definition (notify) continues to reference that input.
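Review bot: changing the `runner_type` default in this hunk does not enforce the runner policy, because the `notify` job still evaluates `runs-on: ${{ inputs.runner_type }}` and any caller can pass another label; if the requirement is a fixed runner, the `runs-on` line itself has to become the literal, and the `permissions: contents: read` block mentioned above should be part of the same diff so both fixes land together.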
22-46: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win
Expose boolean outputs for conditional execution state.
This workflow has conditional behavior (
dry_runpath vs send path) but does not expose skip-enabling boolean outputs for callers to branch on. Add workflow-level outputs:on: workflow_call: inputs: # ... existing inputs ... outputs: notification_sent: description: 'Whether the notification was actually sent' value: ${{ jobs.notify.outputs.notification_sent }} is_dry_run: description: 'Whether dry_run mode was active' value: ${{ jobs.notify.outputs.is_dry_run }}Then wire job outputs from the
`notify` job.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 22 - 46, Add workflow-level outputs for callers to branch on by declaring outputs under on.workflow_call: expose notification_sent and is_dry_run (descriptions as suggested) and set their values to reference the notify job outputs (e.g., value: ${{ jobs.notify.outputs.notification_sent }} and ${{ jobs.notify.outputs.is_dry_run }}). Then update the notify job to emit those outputs using outputs: notification_sent and is_dry_run and set them inside the notify job steps (via echo "::set-output::notification_sent=..." or the recommended GitHub Actions environment file to write outputs) so callers can read ${ { jobs.<caller>.outputs.notification_sent } } and ${ { jobs.<caller>.outputs.is_dry_run } } accordingly; ensure this wiring uses the existing dry_run input and notify job name `notify`.
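Review bot: wiring `notification_sent` to an output of the "Send Slack notification" step means the job output is empty, not `false`, whenever that step is skipped for a dry run, because a skipped step emits no outputs; set the output from a step that always runs (`if: always()`) using `steps.send.outcome`, and write it through `$GITHUB_OUTPUT`, since the `::set-output` form named in the prompt is deprecated.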
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/helm-upgrade-doc.yml:
- Around line 66-68: Change the workflow-level permissions to use contents: read
(instead of write) and remove broad write scopes from the top-level permissions
block; then add elevated permissions only to the specific job that needs them by
adding a job-level permissions stanza (e.g.,
jobs.<helm-upgrade-job>.permissions.contents: write and
jobs.<helm-upgrade-job>.permissions.pull-requests: write) so that only the
helm/upgrade job gets write access while the global default remains read-only.
---
Duplicate comments:
In @.github/workflows/helm-release-notification.yml:
- Around line 136-152: The script currently assumes HEADER_LINE and DATA_LINE
are populated and writes them to GITHUB_OUTPUT; add validation after extracting
HEADER_LINE and DATA_LINE (and after building README_ANCHOR/README_URL) to check
they are non-empty and match the expected table pattern (e.g., HEADER_LINE
contains "| Chart Version |" and DATA_LINE contains a version cell) and if not
either set safe default values or fail early with a clear error/exit 1; ensure
the validation occurs before the block that writes to GITHUB_OUTPUT so
downstream jq/Slack formatting (which consumes header_line and data_line) never
receives empty/malformed values.
- Around line 79-82: Add a workflow-level permissions block and set the runner
default to the repo standard: declare permissions: contents: read at the top
level of the workflow, and update the workflow inputs so inputs.runner_type
defaults to "blacksmith-4vcpu-ubuntu-2404" (the notify job already uses runs-on:
${{ inputs.runner_type }}); ensure the notify job name/definition (notify)
continues to reference that input.
- Around line 22-46: Add workflow-level outputs for callers to branch on by
declaring outputs under on.workflow_call: expose notification_sent and
is_dry_run (descriptions as suggested) and set their values to reference the
notify job outputs (e.g., value: ${{ jobs.notify.outputs.notification_sent }}
and ${{ jobs.notify.outputs.is_dry_run }}). Then update the notify job to emit
those outputs using outputs: notification_sent and is_dry_run and set them
inside the notify job steps (via echo "::set-output::notification_sent=..." or
the recommended GitHub Actions environment file to write outputs) so callers can
read ${ { jobs.<caller>.outputs.notification_sent } } and ${ {
jobs.<caller>.outputs.is_dry_run } } accordingly; ensure this wiring uses the
existing dry_run input and notify job name `notify`.
In @.github/workflows/helm-upgrade-doc.yml:
- Around line 82-83: The workflow references an org-owned composite action with
a forbidden `@main` ref:
"LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main";
update that uses entry to point to a permitted ref (either `@develop` for testing
or a specific release tag like `@v1`) so the line becomes a non-main ref for the
composite action.
- Around line 21-24: The workflow currently exposes an input named runner_type
with default 'ubuntu-latest' and then uses that value at runtime, which allows
callers to pick arbitrary runners; change this so the workflow always uses the
required Blacksmith runner: remove or stop exposing caller-controlled
runner_type (or set its default and allowed value to
'blacksmith-4vcpu-ubuntu-2404' only) and replace any runtime use of runner_type
with the literal 'blacksmith-4vcpu-ubuntu-2404' so jobs always run on that
specific runner (update references to runner_type and the job that consumes it).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: de624d81-6629-4b05-ba6e-ad4e749db8a6
📒 Files selected for processing (2)
.github/workflows/helm-release-notification.yml
.github/workflows/helm-upgrade-doc.yml
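The three repository-policy findings in this round (no `@main`/`@master` refs for org-owned actions, an explicit workflow-level `permissions:` block, and a fixed `runs-on` label) are all mechanically checkable. The script below is an added example of such a check, not the repository's own tooling; it uses only `grep` so it runs without `rg` or a YAML parser, and the two workflow files it lints are constructed inline to mirror the before and after states described in the comments.

```bash
#!/usr/bin/env bash
# Added example (not the repository's own tooling): a lint pass over workflow
# files for the three policy findings in the review, using only grep so it
# runs without rg or a YAML parser. The sample workflows are constructed below.
set -euo pipefail

REQUIRED_RUNNER='blacksmith-4vcpu-ubuntu-2404'

# 1. Org-owned actions must not float on a branch (@main / @master).
check_forbidden_refs() {
  local hits
  hits=$(grep -nE 'uses:[[:space:]]*LerianStudio/[^@[:space:]]+@(main|master)([[:space:]]|$)' "$1" || true)
  [ -z "$hits" ] || { printf '%s: forbidden branch ref:\n%s\n' "$1" "$hits" >&2; return 1; }
}

# 2. A workflow-level permissions: block (column 0) must be declared so the
#    GITHUB_TOKEN is not left at the repository default.
check_permissions_block() {
  grep -qE '^permissions:' "$1" || { echo "$1: no top-level permissions block" >&2; return 1; }
}

# 3. Every runs-on must be the required literal, never an expression a caller controls.
check_runs_on() {
  local bad
  bad=$(grep -nE '^[[:space:]]*runs-on:' "$1" \
        | grep -vE "runs-on:[[:space:]]*'?${REQUIRED_RUNNER}'?[[:space:]]*$" || true)
  [ -z "$bad" ] || { printf '%s: runner is not %s:\n%s\n' "$1" "$REQUIRED_RUNNER" "$bad" >&2; return 1; }
}

# Runs all checks; the exit status is the number of failed checks (0 = clean).
lint_workflow() {
  local file="$1" failures=0
  check_forbidden_refs "$file"    || failures=$((failures + 1))
  check_permissions_block "$file" || failures=$((failures + 1))
  check_runs_on "$file"           || failures=$((failures + 1))
  return "$failures"
}

# Constructed sample mirroring the findings: floating @main ref, no permissions
# block, caller-controlled runner. Not the PR's actual file.
BAD_WORKFLOW=$(mktemp)
cat > "$BAD_WORKFLOW" <<'EOF'
name: Helm Upgrade Doc
on:
  workflow_call:
    inputs:
      runner_type:
        type: string
        default: 'ubuntu-latest'
jobs:
  upgrade-doc:
    runs-on: ${{ inputs.runner_type }}
    steps:
      - uses: LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main
EOF

# The same workflow after applying the review's fixes (read-only default,
# write scopes only on the job that needs them).
GOOD_WORKFLOW=$(mktemp)
cat > "$GOOD_WORKFLOW" <<'EOF'
name: Helm Upgrade Doc
on:
  workflow_call: {}
permissions:
  contents: read
jobs:
  upgrade-doc:
    runs-on: blacksmith-4vcpu-ubuntu-2404
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@v1
EOF

for f in "$BAD_WORKFLOW" "$GOOD_WORKFLOW"; do
  rc=0
  lint_workflow "$f" || rc=$?
  if [ "$rc" -eq 0 ]; then echo "$f: OK"; else echo "$f: $rc finding(s)"; fi
done
```

Run it over `.github/workflows/*.yml` in a self-CI job to catch regressions on every PR; the grep patterns are deliberately narrow to the conventions cited in the review and will not understand YAML anchors or multi-document files.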
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/helm-upgrade-doc.yml (1)
85-85: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin the internal composite action to the repo’s approved long-lived ref.
Line 85 uses `@main` for a composite action reference inside a reusable workflow. This is a mutable branch ref and not the expected pinning model here; use the floating major tag for internal composites.
Suggested fix
- - name: Generate Helm Upgrade Doc - uses: LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main + - name: Generate Helm Upgrade Doc + uses: LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@v1Based on learnings: reusable workflows under
`.github/workflows` must reference internal composite actions via absolute external refs and use floating major tags (for example `@v1`) rather than branch refs.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-upgrade-doc.yml at line 85, Change the composite action reference that currently uses the mutable branch ref "LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main" to an absolute external ref pinned to a floating major tag (e.g., replace "@main" with "@v1"); update the usage string "LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main" to "LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@v1" (or your repo's approved vN tag) so the reusable workflow uses a stable, approved long-lived ref.
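Review bot: this hunk moves the same `uses:` line to `@v1` after the earlier round suggested `@develop`; settle on one policy for the composite ref before merging, and confirm that a `v1` tag actually exists on the repository at merge time, because a reusable workflow whose `uses:` points at a missing tag fails at resolution before any step runs.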
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/docs/helm-upgrade-doc/README.md`:
- Line 70: Replace the floating major tag in the reusable workflow example by
using an exact semver release tag: find the line containing "uses:
LerianStudio/github-actions-shared-workflows/.github/workflows/helm-upgrade-doc.yml@v1"
in the README and change "@v1" to a specific release tag like "@vX.Y.Z" (e.g.,
"@v1.2.0"); ensure the example uses the actual released tag you intend to pin so
it no longer floats.
---
Duplicate comments:
In @.github/workflows/helm-upgrade-doc.yml:
- Line 85: Change the composite action reference that currently uses the mutable
branch ref
"LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main" to
an absolute external ref pinned to a floating major tag (e.g., replace "@main"
with "@v1"); update the usage string
"LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@main" to
"LerianStudio/github-actions-shared-workflows/src/docs/helm-upgrade-doc@v1" (or
your repo's approved vN tag) so the reusable workflow uses a stable, approved
long-lived ref.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 83cdf3f8-b56b-4c5e-a8c0-382b16b96cd0
📒 Files selected for processing (2)
.github/workflows/helm-upgrade-doc.yml
src/docs/helm-upgrade-doc/README.md
♻️ Duplicate comments (1)
.github/workflows/helm-upgrade-doc.yml (1)
21-24: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Lock runner selection; caller-controlled `runs-on` violates reusable workflow policy.
Line 72 currently uses `inputs.runner_type`, so callers can route execution to arbitrary labels (including non-approved/self-hosted runners). This conflicts with the repo requirement for a fixed Blacksmith runner.
If you remove `runner_type`, that is a breaking change for callers already passing it; either keep it as deprecated/ignored for compatibility or document the break explicitly.
Proposed minimal fix
on: workflow_call: inputs: - runner_type: - description: Runner to use for the workflow - type: string - default: 'blacksmith-4vcpu-ubuntu-2404' + runner_type: + description: "[DEPRECATED] Runner override is ignored; workflow always uses blacksmith-4vcpu-ubuntu-2404" + type: string + default: 'blacksmith-4vcpu-ubuntu-2404' @@ jobs: upgrade-doc: name: Generate Helm Upgrade Doc - runs-on: ${{ inputs.runner_type }} + runs-on: blacksmith-4vcpu-ubuntu-2404As per coding guidelines, “All jobs in reusable workflows must use
`blacksmith-4vcpu-ubuntu-2404` as the runner.”
Also applies to: 72-72
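Review bot: hardcoding `runs-on` while keeping `runner_type` as a deprecated input means a caller that still passes another label gets no signal that it was ignored; add a step that emits `::warning::` when `inputs.runner_type` differs from `blacksmith-4vcpu-ubuntu-2404`, so the deprecation is visible in the run log without breaking the caller.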
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-upgrade-doc.yml around lines 21 - 24, The workflow currently allows callers to control runs-on via inputs.runner_type; change the job(s) to hardcode runs-on: 'blacksmith-4vcpu-ubuntu-2404' instead of using inputs.runner_type, and keep the inputs.runner_type definition only for compatibility (document it as deprecated/ignored) so callers won’t break; update any job that references inputs.runner_type (the runs-on lines) to use the fixed 'blacksmith-4vcpu-ubuntu-2404' and remove any logic that forwards or validates inputs.runner_type.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/helm-upgrade-doc.yml:
- Around line 21-24: The workflow currently allows callers to control runs-on
via inputs.runner_type; change the job(s) to hardcode runs-on:
'blacksmith-4vcpu-ubuntu-2404' instead of using inputs.runner_type, and keep the
inputs.runner_type definition only for compatibility (document it as
deprecated/ignored) so callers won’t break; update any job that references
inputs.runner_type (the runs-on lines) to use the fixed
'blacksmith-4vcpu-ubuntu-2404' and remove any logic that forwards or validates
inputs.runner_type.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 0279aa45-5004-459a-9078-50424792d27d
📒 Files selected for processing (1)
.github/workflows/helm-upgrade-doc.yml
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 4
♻️ Duplicate comments (2)
.github/workflows/helm-release-notification.yml (2)
139-155: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Fail fast when README table extraction is empty.
If `HEADER_LINE` or `DATA_LINE` is empty, the workflow still emits outputs and can send a malformed Slack table payload. Add an explicit guard before writing to `$GITHUB_OUTPUT`.
Proposed guard
if [ -n "$CHART_SECTION" ]; then HEADER_LINE=$(echo "$CHART_SECTION" | grep "| Chart Version |" | head -1) DATA_LINE=$(echo "$CHART_SECTION" | grep -A 2 "| Chart Version |" | tail -1) else HEADER_LINE=$(grep "| Chart Version |" README.md | head -1) DATA_LINE=$(grep -A 2 "| Chart Version |" README.md | tail -1) fi + if [ -z "${HEADER_LINE:-}" ] || [ -z "${DATA_LINE:-}" ]; then + echo "::error::Could not extract '| Chart Version |' rows from README.md" + exit 1 + fi🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 139 - 155, Add a guard before writing to $GITHUB_OUTPUT that checks if HEADER_LINE or DATA_LINE (and optionally README_ANCHOR/README_URL) are empty; if any required value is missing, emit a clear error message to stderr and exit with a non-zero status so the job fails fast instead of producing malformed outputs. Update the block that currently echoes header_line/data_line/readme_url to first run a conditional such as checking [ -z "$HEADER_LINE" ] || [ -z "$DATA_LINE" ] (and/or README_ANCHOR) and call echo "Error: ... missing" >&2; exit 1 when true, otherwise proceed to append values to $GITHUB_OUTPUT.
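Review bot: in this hunk the `else` branch greps all of `README.md`, so when `CHART_SECTION` is empty the first `| Chart Version |` table anywhere in the file wins, which in a multi-chart README can belong to a different chart than the one being released; the added guard only catches empty values, so consider failing when `CHART_SECTION` itself is empty instead of falling back to the whole file.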
23-46: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win
Expose `has_<noun>` boolean outputs for conditional workflow behavior.
This workflow has conditional execution (`dry_run` vs send) but does not publish reusable-workflow outputs for callers to branch on. Add string booleans ('true'/'false') using `has_<noun>` naming (for example `has_notification`).
As per coding guidelines, reusable workflows with conditional work must expose boolean outputs for skip-enabling, with names following the `has_<noun>` convention and values 'true'/'false'.
Also applies to: 82-85, 157-175
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/helm-release-notification.yml around lines 23 - 46, Add explicit boolean string outputs named with the has_<noun> convention so callers can branch on conditional behavior; declare outputs at the top-level outputs block (e.g., has_notification, has_dry_run, has_release) and set them to either 'true' or 'false' from the final job/step that decides action. Use the existing input dry_run and the jobs/steps that send Slack notifications or perform release logic (refer to the dry_run input and the notification/release jobs referenced in the diff) to set those outputs via a step that sets an output (steps.<id>.outputs.<name>) using GitHub Actions expressions like if: and the ternary to emit 'true'/'false'. Ensure every conditional path sets the corresponding has_<noun> output so callers of this reusable workflow can branch reliably.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/helm-release-notification.yml:
- Around line 29-32: The workflow declares an unused input named chart_path
(inputs.chart_path) in the reusable workflow which is confusing; either remove
both declarations of chart_path or wire it into the steps that need the chart
location. To fix, search for the inputs block containing chart_path and either
(A) remove the chart_path entries at both locations (the two identical
declarations) and update any callers, or (B) update the job/step that packages
or publishes the chart (e.g., the helm package/push step) to reference the value
via inputs.chart_path or github.event.inputs.chart_path and use that path when
running helm commands or file lookups so the declared input is actually
consumed. Ensure only one canonical declaration remains if you keep it.
- Around line 56-78: Remove the workflow_dispatch block (the entire
"workflow_dispatch:" and its "inputs:" entries like chart_name, chart_path,
runner_type, slack_color, dry_run) from this reusable workflow so it no longer
exposes manual dispatch; instead keep the workflow as a reusable "workflow_call"
entrypoint and create a separate self-* manual workflow that calls this reusable
workflow and forwards those inputs (chart_name, chart_path, runner_type,
slack_color, dry_run) for testing. Ensure you delete the workflow_dispatch
section and confirm the reusable workflow only defines the inputs under
workflow_call (or none if already defined elsewhere) so manual triggers occur
via the separate self-* caller.
- Around line 33-36: The workflow currently exposes an input named runner_type
that lets callers pick the runner, which violates policy; remove the
caller-controlled input runner_type and replace any usage of the variable (e.g.,
jobs' runs-on: runner_type or uses of inputs.runner_type) with the fixed literal
'blacksmith-4vcpu-ubuntu-2404'; also remove or update the input declarations
named runner_type (the declarations at the top and the repeated ones) so callers
cannot override the runner and ensure all jobs use runs-on:
'blacksmith-4vcpu-ubuntu-2404'.
- Around line 157-171: The Dry run summary step is interpolating GitHub
expressions directly inside the run: shell block (e.g.,
steps.release.outputs.chart_name, steps.readme.outputs.readme_url,
inputs.slack_color, secrets.SLACK_MENTION_GROUP), which risks script-text
injection; fix it by mapping each expression to env variables under the same
step (e.g., CHART_NAME, CHART_VERSION, LATEST_TAG, RELEASE_URL, COMMIT_URL,
README_URL, SLACK_COLOR, SLACK_MENTION_GROUP, HEADER_LINE, DATA_LINE) and then
reference those shell env vars (e.g., "$CHART_NAME") inside the run: body
instead of using ${ { ... } } expressions directly; keep the step name "Dry run
summary" and the if: condition unchanged while ensuring
secrets.SLACK_MENTION_GROUP is routed through env rather than inline expression.
---
Duplicate comments:
In @.github/workflows/helm-release-notification.yml:
- Around line 139-155: Add a guard before writing to $GITHUB_OUTPUT that checks
if HEADER_LINE or DATA_LINE (and optionally README_ANCHOR/README_URL) are empty;
if any required value is missing, emit a clear error message to stderr and exit
with a non-zero status so the job fails fast instead of producing malformed
outputs. Update the block that currently echoes header_line/data_line/readme_url
to first run a conditional such as checking [ -z "$HEADER_LINE" ] || [ -z
"$DATA_LINE" ] (and/or README_ANCHOR) and call echo "Error: ... missing" >&2;
exit 1 when true, otherwise proceed to append values to $GITHUB_OUTPUT.
- Around line 23-46: Add explicit boolean string outputs named with the
has_<noun> convention so callers can branch on conditional behavior; declare
outputs at the top-level outputs block (e.g., has_notification, has_dry_run,
has_release) and set them to either 'true' or 'false' from the final job/step
that decides action. Use the existing input dry_run and the jobs/steps that send
Slack notifications or perform release logic (refer to the dry_run input and the
notification/release jobs referenced in the diff) to set those outputs via a
step that sets an output (steps.<id>.outputs.<name>) using GitHub Actions
expressions like if: and the ternary to emit 'true'/'false'. Ensure every
conditional path sets the corresponding has_<noun> output so callers of this
reusable workflow can branch reliably.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 3baa0309-9563-4fd1-84ee-e000a5cf2330
📒 Files selected for processing (1)
.github/workflows/helm-release-notification.yml
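Several of the notification-side findings in this thread interact: the `has_<noun>` outputs have to be set by a step that runs on both the dry-run and send paths, the "Dry run summary" step must not interpolate `${{ }}` expressions into its script body, the `curl` call to `chat.postMessage` needs timeouts and retries, and the workflow needs a read-only `permissions:` block and a fixed runner. The fragment below is an added example of how those pieces fit together in one reusable workflow; it is illustrative and not the PR's `helm-release-notification.yml`. The `payload` step that builds the Slack JSON, the `result` step id and the secret names are assumptions for the sake of the example.

```yaml
# Added example, not the PR's helm-release-notification.yml. The `payload`
# step (assumed to produce steps.payload.outputs.json) and the secret names
# are assumptions for illustration.
name: Helm Release Notification

on:
  workflow_call:
    inputs:
      dry_run:
        description: 'Print the payload instead of posting it'
        type: boolean
        default: false
    secrets:
      SLACK_BOT_TOKEN:
        required: false
      SLACK_MENTION_GROUP:
        required: false
    outputs:
      has_notification:
        description: "'true' only when a Slack message was actually posted"
        value: ${{ jobs.notify.outputs.has_notification }}
      has_dry_run:
        description: "'true' when dry_run was set"
        value: ${{ jobs.notify.outputs.has_dry_run }}

# Read-only token: this workflow only reads tags and README.md; Slack is
# reached with the bot token, not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  notify:
    # Fixed runner label; no caller-controlled runs-on.
    runs-on: blacksmith-4vcpu-ubuntu-2404
    outputs:
      has_notification: ${{ steps.result.outputs.has_notification }}
      has_dry_run: ${{ steps.result.outputs.has_dry_run }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so no follow-up `git pull` is needed

      # ... tag/README extraction and the assumed `payload` step go here ...

      - name: Send Slack notification
        id: send
        if: ${{ !inputs.dry_run }}
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
          SLACK_PAYLOAD: ${{ steps.payload.outputs.json }}
        run: |
          set -euo pipefail
          # Timeouts and retries: a Slack hiccup neither hangs the job nor fails it outright.
          RESPONSE=$(curl -sS \
            --connect-timeout 5 --max-time 20 \
            --retry 3 --retry-delay 2 --retry-max-time 60 \
            -H "Authorization: Bearer ${SLACK_BOT_TOKEN}" \
            -H "Content-Type: application/json; charset=utf-8" \
            --data "${SLACK_PAYLOAD}" \
            https://slack.com/api/chat.postMessage)
          # chat.postMessage answers HTTP 200 with {"ok":false,...} on API errors,
          # so the body has to be inspected rather than relying on curl's status.
          echo "$RESPONSE" | jq -e '.ok == true' >/dev/null || {
            echo "::error::Slack API error: $(echo "$RESPONSE" | jq -r '.error // "unknown"')"
            exit 1
          }

      - name: Dry run summary
        if: ${{ inputs.dry_run }}
        env:
          # Expressions are mapped to env vars; nothing is interpolated into the script.
          SLACK_PAYLOAD: ${{ steps.payload.outputs.json }}
          SLACK_MENTION_GROUP: ${{ secrets.SLACK_MENTION_GROUP }}
        run: |
          echo "Dry run: would post the following payload (mention group: ${SLACK_MENTION_GROUP:-none})"
          echo "$SLACK_PAYLOAD" | jq .

      - name: Record outcome
        id: result
        if: ${{ always() }}
        env:
          # A skipped send step has outcome 'skipped', so this is 'false' on dry runs.
          SENT: ${{ steps.send.outcome == 'success' }}
          DRY: ${{ inputs.dry_run }}
        run: |
          echo "has_notification=${SENT}" >> "$GITHUB_OUTPUT"
          echo "has_dry_run=${DRY}" >> "$GITHUB_OUTPUT"
```

Because `result` runs under `if: always()`, callers always receive a `'true'`/`'false'` string for both outputs instead of an empty value when the send step was skipped, and a failed send still yields `has_notification: 'false'` rather than leaving the output unset.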
GitHub Actions Shared Workflows
Description
Type of Change
- feat: New workflow or new input/output/step in an existing workflow
- fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
- perf: Performance improvement (e.g. caching, parallelism, reduced steps)
- refactor: Internal restructuring with no behavior change
- docs: Documentation only (README, docs/, inline comments)
- ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
- chore: Dependency bumps, config updates, maintenance
- test: Adding or updating tests
- BREAKING CHANGE: Callers must update their configuration after this PR
Breaking Changes
None.
Testing
`@this-branch` or the beta tag
Caller repo / workflow run:
Related Issues
Closes #
Summary by CodeRabbit
New Features
Documentation
Chores