Conversation

@AlexSkrypnyk (Member) commented Jul 23, 2025

Summary by CodeRabbit

  • Chores
    • Updated Docker container image versions across CI/CD workflows for improved consistency.
    • Added installation of Ahoy CLI version 2.4.0 in testing and post-build jobs to enhance environment capabilities.

@coderabbitai bot commented Jul 23, 2025

Walkthrough

The Docker image tag for the CI runner was updated from drevops/ci-runner:25.7.0 to drevops/ci-runner:25.8.0 across CircleCI and GitHub Actions workflow configurations. Additionally, Ahoy CLI version 2.4.0 installation steps were added to vortex test jobs. No other changes were made to job logic or environment variables.

Changes

Files/Paths Change Summary
.circleci/config.yml Updated Docker image tag from 25.7.0 to 25.8.0; added Ahoy CLI 2.4.0 installation step in vortex-dev-test-ci-postbuild job.
.github/workflows/build-test-deploy.yml Updated Docker image tag from 25.7.0 to 25.8.0 in database, build, and deploy jobs.
.github/workflows/vortex-test-common.yml Updated Docker image tag from 25.7.0 to 25.8.0 in vortex-test-common, vortex-test-workflow, and vortex-test-deployment jobs; added Ahoy CLI 2.4.0 installation step in these jobs.

Estimated code review effort

2 (~15 minutes)

Suggested labels

PR: DO NOT MERGE

Poem

The runner hops from old to new,
25.8 leads the CI crew.
Ahoy is called, commands align,
Tests and builds now intertwine.
🐇 Pipelines fresh with every cue—
Our code leaps forward, swift and true!



@github-actions github-actions bot temporarily deployed to commit July 23, 2025 12:05 Inactive
@coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f5bf6d6 and 94f138b.

📒 Files selected for processing (3)
  • .circleci/config.yml (1 hunks)
  • .github/workflows/build-test-deploy.yml (3 hunks)
  • .github/workflows/vortex-test-common.yml (3 hunks)
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
.github/workflows/build-test-deploy.yml (1)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.github/workflows/vortex-test-common.yml (2)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.circleci/config.yml (2)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.


⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.3)

Comment on lines 44 to 45
- image: drevops/ci-runner:canary
auth:
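
Review bot: the runner on line 44 is switched to the floating `drevops/ci-runner:canary` tag, while the PR summary describes a bump from 25.7.0 to 25.8.0, so whatever `canary` points at on the day of the build is what runs, and nothing in the repository records it. Pin to `drevops/ci-runner:25.8.0`, and because Docker Hub tags can be re-pushed, take the digest from `docker buildx imagetools inspect drevops/ci-runner:25.8.0` and reference `drevops/ci-runner@sha256:...` so the exact runner that produced a build can be brought back later.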

💡 Verification agent

🧩 Analysis chain

CircleCI runner switched to canary – same reproducibility concern.

For consistency with the GitHub workflows (and to align with the PR intent), pin the image:

-      - image: drevops/ci-runner:canary
+      - image: drevops/ci-runner:25.78.0

If you keep canary, please rename all cache keys that still start with v25.7.0- to avoid mismatched metadata.


🏁 Script executed:

#!/bin/bash
# List CircleCI config to confirm image tag and existing cache keys
echo "Files under .circleci/:"
find . -maxdepth 2 -type f | sed 's/^/>> /'

echo -e "\n.circleci/config.yml (lines 30-60):"
sed -n '30,60p' .circleci/config.yml || echo "⚠️ .circleci/config.yml not found"

echo -e "\nImage references in .circleci/config.yml:"
grep -R "image: drevops/ci-runner" -n .circleci/config.yml || echo "⚠️ No ci-runner image found"

echo -e "\nCache keys referencing v25.7.0-:"
grep -R "v25\.7\.0-" -n .circleci || echo "⚠️ No cache keys with v25.7.0- found in .circleci/"

Length of output: 4367


Pin CircleCI runner image or update cache keys

The drevops/ci-runner:canary tag is non‐deterministic and undermines build reproducibility. You can either pin to a stable version or, if you must keep canary, ensure cache keys are updated to match.

• In .circleci/config.yml at line 44

-      - image: drevops/ci-runner:canary
+      - image: drevops/ci-runner:25.78.0

• If retaining :canary, rename all cache‐key prefixes from v25.7.0- to a matching identifier (lines 153, 156, 186, 234, 235), e.g.:

- key: v25.7.0-db11-…
+ key: v25.78.0-db11-…
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- image: drevops/ci-runner:canary
auth:
- image: drevops/ci-runner:25.78.0
auth:
🤖 Prompt for AI Agents
In .circleci/config.yml at lines 44-45, the use of the non-deterministic image
tag 'drevops/ci-runner:canary' reduces build reproducibility. To fix this,
either pin the image to a stable version tag instead of 'canary' or, if you must
keep 'canary', update all cache key prefixes in the file (lines 153, 156, 186,
234, 235) to a new consistent identifier that matches the canary usage to ensure
cache validity.

Comment on lines 22 to 24
container:
image: drevops/ci-runner:25.7.0
image: drevops/ci-runner:canary
env:
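
Review bot: this hunk replaces a pinned `drevops/ci-runner:25.7.0` with the floating `canary` tag, so the job's toolchain can change underneath the branch with no commit recording it; pin the intended `drevops/ci-runner:25.8.0` (or its digest) here and in the other two jobs of this workflow that use the same container.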

💡 Verification agent

🧩 Analysis chain

Pin the runner image to an explicit version instead of canary.

drevops/ci-runner:canary moves every time a new build is published, which will make your CI runs non-deterministic and can silently introduce breaking changes.
Given the PR title “Updated to 25.78.0”, it looks like you actually want that specific release. Consider pinning the image to drevops/ci-runner:25.78.0 (or even better, a digest) to guarantee reproducible builds and simpler roll-backs.

-      image: drevops/ci-runner:canary
+      image: drevops/ci-runner:25.78.0

Same change is required for the other two jobs in this workflow.

Also applies to: 111-113, 171-173


🏁 Script executed:

#!/bin/bash
# Search for all uses of the canary tag in GitHub workflow files
rg -n "image: drevops/ci-runner:canary" .github/workflows

Length of output: 552


Pin all ci-runner:canary references to 25.78.0 for reproducible CI

The canary tag moves on every rebuild, leading to non-deterministic CI runs and potential silent breakages. Since this PR targets version 25.78.0, please update every occurrence:

• .github/workflows/vortex-test-common.yml
– lines 23, 112, 172
• .github/workflows/build-test-deploy.yml
– lines 59, 169, 387

Replace:

-      image: drevops/ci-runner:canary
+      image: drevops/ci-runner:25.78.0

(Or even better, pin by digest to guarantee exact builds.)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
container:
image: drevops/ci-runner:25.7.0
image: drevops/ci-runner:canary
env:
container:
image: drevops/ci-runner:25.78.0
env:
🤖 Prompt for AI Agents
In .github/workflows/vortex-test-common.yml at lines 23, 112, and 172, replace
all occurrences of the image tag "drevops/ci-runner:canary" with
"drevops/ci-runner:25.78.0" to ensure reproducible CI runs. This change pins the
image version explicitly instead of using the moving "canary" tag. Optionally,
consider pinning by digest for exact build guarantees.

@github-actions github-actions bot temporarily deployed to commit July 23, 2025 12:13 Inactive
@coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/vortex-test-common.yml (1)

22-24: Pin drevops/ci-runner to 25.78.0 (or a digest) instead of using canary.

Using the moving canary tag makes CI non-deterministic and can silently introduce breaking changes.
The PR title already references 25.78.0, so switch all three jobs to that explicit tag (or even better, the image digest) for reproducible builds and simpler roll-backs.

Also applies to: 118-120, 185-187

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 94f138b and c56e66a.

📒 Files selected for processing (1)
  • .github/workflows/vortex-test-common.yml (6 hunks)
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
.github/workflows/vortex-test-common.yml (4)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

Learnt from: AlexSkrypnyk
PR: drevops/vortex#0
File: :0-0
Timestamp: 2025-05-29T12:15:32.188Z
Learning: Do not review files in .vortex/installer/tests/Fixtures/install directory as they are test fixtures.


⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-docs

Comment on lines +83 to +88
- name: Install Ahoy
run: |
version=2.4.0 && \
set -x && curl -L -o "/usr/local/bin/ahoy" "https://github.com/ahoy-cli/ahoy/releases/download/v${version}/ahoy-bin-$(uname -s)-amd64" && \
chmod +x /usr/local/bin/ahoy && \
ahoy --version
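
Review bot: `curl -L -o /usr/local/bin/ahoy ...` on the second line of the step has no `--fail`, so an HTTP 404 (a wrong version, a renamed asset) is written to `/usr/local/bin/ahoy` as an HTML page with exit status 0, and the only thing that catches it is the trailing `ahoy --version`; add `--fail --show-error`. The binary is also fetched from a GitHub release on every run with nothing checking what arrived: compare its SHA-256 against a digest committed in the workflow before `chmod +x`, rather than trusting whatever the release serves at that moment. Finally, `amd64` is hard-coded in the asset name while `$(uname -s)` is derived at run time, so the step fetches the wrong binary on an arm64 runner.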

🛠️ Refactor suggestion

Validate Ahoy download & consolidate the install step.

  1. Security: the script pipes a binary straight from GitHub without checksum or signature verification. Fetch the release’s SHA256 (or use GitHub’s signed assets) and verify before chmod +x to avoid supply-chain risks.
  2. Portability: the URL hard-codes amd64; GitHub’s ARM runners (e.g., ubuntu-latest on ARM) will break. Use $(uname -m) or map architectures explicitly.
  3. DRY: the same install block is duplicated in three jobs—extract to a reusable composite action or a reusable step (uses: syntax) to reduce copy/paste.

Example checksum verification diff for one job:

-  version=2.4.0 && \
-  set -x && curl -L -o "/usr/local/bin/ahoy" "https://github.com/ahoy-cli/ahoy/releases/download/v${version}/ahoy-bin-$(uname -s)-amd64" && \
-  chmod +x /usr/local/bin/ahoy && \
-  ahoy --version
+  set -euo pipefail
+  version=2.4.0
+  arch=$(uname -m)
+  url="https://github.com/ahoy-cli/ahoy/releases/download/v${version}/ahoy-bin-$(uname -s)-${arch}"
+  curl -L -o /tmp/ahoy "$url"
+  curl -L -o /tmp/ahoy.sha256 "$url.sha256"
+  sha256sum -c /tmp/ahoy.sha256
+  install -m 0755 /tmp/ahoy /usr/local/bin/ahoy
+  ahoy --version

Also applies to: 150-155, 224-229

🤖 Prompt for AI Agents
In .github/workflows/vortex-test-common.yml around lines 83 to 88, improve the
Ahoy installation step by adding SHA256 checksum verification before making the
binary executable to enhance security. Replace the hardcoded "amd64"
architecture in the download URL with a dynamic detection using $(uname -m) or
an explicit mapping for supported architectures to ensure compatibility on ARM
runners. Finally, refactor the workflow to extract this installation logic into
a reusable composite action or reusable step to avoid duplication across
multiple jobs, specifically also addressing lines 150-155 and 224-229.
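
A hardened form of the install step discussed in this comment, added here as an example; it is not code from the Vortex project or from the reviewer. It keeps the original step's version and asset naming (`ahoy-bin-$(uname -s)-<arch>`), assumes arm64 assets exist with that suffix (an assumption, not verified against the release page), and takes the expected SHA-256 as a parameter so the digest lives in the workflow rather than being fetched from the same place as the binary. `verify_sha256` is exercised at the end on a constructed file, not on a real ahoy binary, so the block runs offline.

```shell
#!/bin/sh
# Added example (not the Vortex project's own CI code): a hardened version of
# the "Install Ahoy" step. The expected SHA-256 is pinned in the workflow and
# passed in by the caller; the release asset suffix is derived from the runner
# architecture; a digest mismatch deletes the download before it can be run.
set -eu

AHOY_VERSION="2.4.0"

# Map `uname -m` output to the suffix used in the release asset names
# (assumed to follow the amd64/arm64 convention of the original step).
ahoy_arch() {
  case "$1" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Build the asset URL from the OS name (`uname -s`) and machine (`uname -m`).
ahoy_url() {
  arch=$(ahoy_arch "$2") || return 1
  echo "https://github.com/ahoy-cli/ahoy/releases/download/v${AHOY_VERSION}/ahoy-bin-$1-${arch}"
}

# Compare a file's SHA-256 with the expected hex digest. On mismatch the file
# is removed so no later step can execute it, and the function returns 1.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | cut -d ' ' -f 1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
  fi
}

# Download, verify, install. `--fail` makes curl exit non-zero on an HTTP
# error instead of saving the error page as the binary; the temp file is only
# moved into place (mode 0755) once the digest matches.
install_ahoy() {
  expected="$1"; dest="${2:-/usr/local/bin/ahoy}"
  url=$(ahoy_url "$(uname -s)" "$(uname -m)")
  tmp=$(mktemp)
  curl --fail --location --silent --show-error -o "$tmp" "$url"
  verify_sha256 "$tmp" "$expected"
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
  "$dest" --version
}

# Offline self-check on a constructed file (not an ahoy binary): the right
# digest is accepted, a wrong one is rejected and the file is deleted.
sample=$(mktemp); printf 'constructed sample, not ahoy\n' > "$sample"
verify_sha256 "$sample" "$(sha256sum "$sample" | cut -d ' ' -f 1)" && echo "digest ok"
verify_sha256 "$sample" "0000000000000000000000000000000000000000000000000000000000000000" 2>/dev/null || echo "bad digest rejected"
```

In a job the step becomes `install_ahoy "<sha256 of the v2.4.0 asset>"`, with the digest copied once from the release page and committed alongside the version. Downloading a `.sha256` file from the same release at run time, as the review above suggests, only detects a corrupted transfer: if the asset is replaced, its checksum file is replaced with it. A digest committed in the workflow is what turns the check into a supply-chain control, and bumping the version then requires updating the digest in the same commit.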

@AlexSkrypnyk force-pushed the feature/ci-runner-25.8.0 branch from c56e66a to fe68457 on July 23, 2025 12:21
@AlexSkrypnyk changed the title from "Updated to 25.78.0." to "Updated to 25.8.0." on Jul 23, 2025
@github-actions github-actions bot temporarily deployed to commit July 23, 2025 12:23 Inactive
@codecov bot commented Jul 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.51%. Comparing base (21ccb6f) to head (a986d57).
Report is 1 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #1821   +/-   ##
========================================
  Coverage    74.51%   74.51%           
========================================
  Files           84       84           
  Lines         4760     4760           
  Branches        35       35           
========================================
  Hits          3547     3547           
  Misses        1213     1213           


@AlexSkrypnyk force-pushed the feature/ci-runner-25.8.0 branch from fe68457 to 0957d5c on July 23, 2025 12:33
@github-actions github-actions bot temporarily deployed to commit July 23, 2025 12:36 Inactive
@coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (3)
.github/workflows/vortex-test-common.yml (1)

83-88: Install Ahoy step still pipes arbitrary binary without checksum & hard-codes amd64

Security & portability concerns raised in the previous review are still unaddressed.
Please add SHA-256 verification and an architecture map or use the project’s composite action.

Also applies to: 150-155, 224-229

.circleci/config.yml (2)

44-45: Cache keys out of sync with runner version 25.8.0 – will cause stale/incorrect hits

The runner image moved to 25.8.0 but cache prefixes remain v25.7.0-.
Update all five occurrences (153-157, 186, 234-236) or derive the prefix from an env var to keep CircleCI caches honest.

Also applies to: 153-157, 186-186, 234-236


494-500: Install Ahoy step: no checksum, amd64 only

Same concerns as the GitHub Actions workflow – please harden this step.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fe68457 and 0957d5c.

⛔ Files ignored due to path filters (2)
  • .vortex/installer/tests/Fixtures/version_replacement/baseline/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/version_replacement/expected/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (3)
  • .circleci/config.yml (2 hunks)
  • .github/workflows/build-test-deploy.yml (3 hunks)
  • .github/workflows/vortex-test-common.yml (6 hunks)
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
.circleci/config.yml (2)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.github/workflows/build-test-deploy.yml (1)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

.github/workflows/vortex-test-common.yml (4)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

Learnt from: AlexSkrypnyk
PR: drevops/vortex#0
File: :0-0
Timestamp: 2025-05-29T12:15:32.188Z
Learning: Do not review files in .vortex/installer/tests/Fixtures/install directory as they are test fixtures.


⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.2)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-docs

Comment on lines 58 to 60
container:
image: drevops/ci-runner:25.7.0
image: drevops/ci-runner:25.8.0
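
Review bot: the image on line 59 moves from 25.7.0 to 25.8.0, but the DB cache keys quoted further down in this review still carry the `v25.7.0-` prefix, so the first 25.8.0 job restores a database cache produced by the 25.7.0 runner and treats it as current. Keep the version in one place (a workflow-level `env:` value or a reusable-workflow input) and build both the `image:` tag and every cache key from it, so the two cannot drift apart on the next bump.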


⚠️ Potential issue

Image bumped to 25.8.0 but cache-key prefix still hard-coded to 25.7.0 – cache poisoning risk

The runner now uses drevops/ci-runner:25.8.0, yet every DB-cache key keeps the v25.7.0- prefix.
If another branch/job is still on 25.7.0, you’ll get cross-pollination; worse, once you invalidate 25.8.0 layers you’ll keep hitting a stale 25.7.0 cache and silently skip DB refresh.

Patch one of the occurrences and grep-replace the rest (or inject a ${{ env.CI_RUNNER_VERSION }} variable):

-          key: v25.7.0-db11-${{ hashFiles('db_cache_branch') }}-${{ hashFiles('db_cache_fallback') }}-${{ hashFiles('db_cache_timestamp') }}
+          key: v25.8.0-db11-${{ hashFiles('db_cache_branch') }}-${{ hashFiles('db_cache_fallback') }}-${{ hashFiles('db_cache_timestamp') }}
...
-            v25.7.0-db11-${{ hashFiles('db_cache_branch') }}-${{ hashFiles('db_cache_fallback') }}-
+            v25.8.0-db11-${{ hashFiles('db_cache_branch') }}-${{ hashFiles('db_cache_fallback') }}-

Same adjustment is required on lines 153, 213 and 225-227.

Also applies to: 122-127, 153-153, 212-214, 225-227

🤖 Prompt for AI Agents
In .github/workflows/build-test-deploy.yml around lines 58 to 60 and also at
lines 122-127, 153, 212-214, and 225-227, the cache-key prefix is hard-coded to
version 25.7.0 while the container image is updated to 25.8.0, causing a cache
poisoning risk. To fix this, replace the hard-coded version prefix in all
cache-key definitions with a dynamic reference using an environment variable
like ${{ env.CI_RUNNER_VERSION }} that matches the image version. This ensures
cache keys align with the actual runner version and prevents stale cache usage
across versions.

🧹 Nitpick (assertive)

Optional: pin by SHA-digest for fully reproducible CI

Even a semver tag can be force-pushed on Docker Hub. Consider replacing
drevops/ci-runner:25.8.0 with its immutable digest (e.g. @sha256:…) to make roll-backs & diff-bisection deterministic.

🤖 Prompt for AI Agents
In .github/workflows/build-test-deploy.yml around lines 58 to 60, the Docker
image is currently referenced by a mutable semver tag drevops/ci-runner:25.8.0.
To ensure fully reproducible CI builds and enable deterministic roll-backs,
replace the image tag with its immutable SHA digest form (e.g.,
drevops/ci-runner@sha256:...). Obtain the correct SHA digest from the Docker
registry and update the image reference accordingly.

Comment on lines +23 to 24
image: drevops/ci-runner:25.8.0
env:

🧹 Nitpick (assertive)

Nice upgrade – consider pinning by digest

All jobs now use the 25.8.0 runner – LGTM.
Same digest-pin recommendation as in the other workflow applies.

Also applies to: 118-120, 185-187

🤖 Prompt for AI Agents
In .github/workflows/vortex-test-common.yml around lines 23-24, 118-120, and
185-187, the Docker image is specified using a tag (25.8.0) which can lead to
inconsistencies if the tag is updated. To fix this, replace the image tag with
the exact image digest to pin the version precisely. Retrieve the digest for
drevops/ci-runner:25.8.0 from the Docker registry and update the image field to
use the digest format (e.g., drevops/ci-runner@sha256:...). This ensures
consistent and reproducible builds.

@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/ci-runner-25.8.0 branch from 0957d5c to 6dd92d4 Compare July 23, 2025 12:39
@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/ci-runner-25.8.0 branch from 6dd92d4 to a986d57 Compare July 23, 2025 12:39
@AlexSkrypnyk AlexSkrypnyk moved this from BACKLOG to In progress in Vortex Jul 23, 2025
@AlexSkrypnyk AlexSkrypnyk added this to the 25.7.0 milestone Jul 23, 2025
@AlexSkrypnyk AlexSkrypnyk enabled auto-merge (rebase) July 23, 2025 12:40
@github-actions github-actions bot temporarily deployed to commit July 23, 2025 12:41 Inactive

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (8)
.github/workflows/build-test-deploy.yml (3)

168-170: Same cache-key mismatch as above – please update or parameterise.


383-385: Same cache-key mismatch as above – please update or parameterise.


58-60: Cache keys still stuck on 25.7.0 → stale / cross-polluted caches
Runner image is now 25.8.0, yet every cache key (Restore DB cache, Save DB cache, etc.) still prefixes v25.7.0-…. The first restore on a fresh 25.8.0 build will hit an incompatible 25.7.0 layer and silently skip DB refresh.

Patch all keys (122-127, 153, 214-229) or, better, derive the prefix from a single env var:

-          key: v25.7.0-db11-${{ hashFiles('db_cache_branch') }}-...
+          key: v${{ env.CI_RUNNER_VERSION }}-db11-${{ hashFiles('db_cache_branch') }}-...
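Review bot: `${{ env.CI_RUNNER_VERSION }}` on the `key:` line evaluates to an empty string if the variable is not declared, yielding a key like `v-db11-…` that matches neither the old nor the new caches, so the `CI_RUNNER_VERSION: 25.8.0` entry under `env:` mentioned below the diff has to land in the same commit as this line. The `...` in the suggestion also stands in for the rest of the key; the real edit must keep the full `hashFiles(...)` tail identical between the save `key:` and every `restore-keys` prefix.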

Add CI_RUNNER_VERSION: 25.8.0 to env: block next to TZ to keep things in sync.
Failing to align these will produce hard-to-trace CI flakiness.

.github/workflows/vortex-test-common.yml (4)

83-88: Ahoy install step: no checksum, hard-coded amd64, copy/paste
This repeats previous feedback:

  1. Supply-chain risk – download is executed blindfolded.
  2. Fails on ARM runners – URL is fixed to amd64.
  3. Duplicated in three jobs – extract to a composite action.

See earlier suggested snippet for SHA-256 verification + $(uname -m) handling.


23-24: Consider pinning by digest for reproducible CI
Same recommendation issued earlier – tag is mutable, digest is immutable.


118-120: Image-digest pinning – duplicate of the comment above.


185-187: Image-digest pinning – duplicate of the comment above.

.circleci/config.yml (1)

494-500: Ahoy install step: same security/portability duplication
No checksum verification, amd64 only, duplicated logic – see prior comment in GHA workflow.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0957d5c and a986d57.

📒 Files selected for processing (3)
  • .circleci/config.yml (2 hunks)
  • .github/workflows/build-test-deploy.yml (3 hunks)
  • .github/workflows/vortex-test-common.yml (6 hunks)
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot
.github/workflows/build-test-deploy.yml (2)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.circleci/config.yml (2)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

.github/workflows/vortex-test-common.yml (4)

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Docker images are updated for containers via RenovateBot

Learnt from: AlexSkrypnyk
PR: #1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as required=true in Docker build mounts. The conditional check if [ -s /run/secrets/github_token ] is the preferred approach to allow builds to proceed without a token when needed.

Learnt from: CR
PR: drevops/vortex#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T15:00:28.327Z
Learning: Composer dependencies are updated automatically with compatibility checks via RenovateBot

Learnt from: AlexSkrypnyk
PR: drevops/vortex#0
File: :0-0
Timestamp: 2025-05-29T12:15:32.188Z
Learning: Do not review files in .vortex/installer/tests/Fixtures/install directory as they are test fixtures.


⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-deployment (0)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-deployment (1)
  • GitHub Check: vortex-test-workflow (2)
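The hardened install step the review asks for (SHA-256 verification plus `$(uname -m)` handling, in one place instead of three copies), written here as an added example rather than code from the PR or the Vortex project. The release-asset URL pattern and the digest values are assumptions and placeholders; the real digests come from the published Ahoy 2.4.0 release.

```shell
#!/usr/bin/env sh
# Added example, not from the PR or the Vortex project: a fail-closed install
# step for a single release binary (Ahoy 2.4.0 here) that picks the asset for
# the current architecture and verifies its SHA-256 before installing.
set -eu

AHOY_VERSION="2.4.0"
# Placeholder digests (constructed for this example, not the real ones):
# replace each with the SHA-256 published for that release asset.
AHOY_SHA256_AMD64="0000000000000000000000000000000000000000000000000000000000000000"
AHOY_SHA256_ARM64="1111111111111111111111111111111111111111111111111111111111111111"

# Map `uname -m` output to the asset architecture suffix; refuse anything else
# rather than silently fetching an amd64 binary onto an ARM runner.
ahoy_arch() {
  m="${1:-$(uname -m)}"
  case "$m" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $m" >&2; return 1 ;;
  esac
}

# Compare a file's SHA-256 with the expected digest; non-zero on mismatch.
verify_sha256() {
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
}

# Download to a temp path and install only after verification succeeds, so an
# altered or replaced asset never reaches PATH. The URL pattern is an assumption.
install_ahoy() {
  arch="$(ahoy_arch)"
  case "$arch" in
    amd64) expected="$AHOY_SHA256_AMD64" ;;
    arm64) expected="$AHOY_SHA256_ARM64" ;;
  esac
  url="https://github.com/ahoy-cli/ahoy/releases/download/v${AHOY_VERSION}/ahoy-bin-linux-${arch}"
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  curl -fsSL --retry 3 -o "$tmp" "$url"
  verify_sha256 "$tmp" "$expected"
  install -m 0755 "$tmp" /usr/local/bin/ahoy
}
```

A CI step then calls `install_ahoy` once the digests are filled in; put the script in a composite action or CircleCI command so the three jobs share one copy.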

Comment on lines +44 to 45
- image: drevops/ci-runner:25.8.0
auth:

⚠️ Potential issue

Cache prefix/version drift (25.8.0 vs 25.7.0) will poison CircleCI caches
Runner bumped to 25.8.0, but all cache keys (153, 156, 186, 234, 235) still read v25.7.0-….

Quick-fix (example for one section):

-            - v25.7.0-db11-{{ checksum "/tmp/db_cache_branch" }}-{{ checksum "/tmp/db_cache_fallback" }}-{{ checksum "/tmp/db_cache_timestamp" }}
+            - v25.8.0-db11-{{ checksum "/tmp/db_cache_branch" }}-{{ checksum "/tmp/db_cache_fallback" }}-{{ checksum "/tmp/db_cache_timestamp" }}
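Review bot: the replacement restore-key line swaps one literal (`v25.7.0`) for another (`v25.8.0`), which fixes this bump but leaves the recurring drift the comment itself calls out across the five occurrences (153, 156, 186, 234, 235); the single `CI_RUNNER_VERSION` parameter the comment prefers should be what the diff demonstrates. A changed prefix also means the first 25.8.0 build will miss every existing DB cache and rebuild from scratch, which is the intended outcome here but worth expecting in that run's duration.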

Prefer injecting a single CI_RUNNER_VERSION parameter and interpolating it to avoid this recurring drift.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .circleci/config.yml around lines 44 to 45, the Docker image version is
updated to 25.8.0 but the cache keys still reference version 25.7.0, causing
cache poisoning. Fix this by defining a single CI_RUNNER_VERSION parameter with
the value 25.8.0 and update all cache keys to interpolate this variable instead
of hardcoding the version. This ensures consistency and prevents version drift
in cache keys.

@AlexSkrypnyk AlexSkrypnyk merged commit 84d15c0 into develop Jul 23, 2025
30 checks passed
@AlexSkrypnyk AlexSkrypnyk deleted the feature/ci-runner-25.8.0 branch July 23, 2025 13:02
@github-project-automation github-project-automation bot moved this from In progress to Release queue in Vortex Jul 23, 2025
@AlexSkrypnyk AlexSkrypnyk moved this from Release queue to Released in 25.7.0 in Vortex Jul 26, 2025