Updated to CI Runner 25.10.0

[AlexSkrypnyk]

Closes #

Summary by CodeRabbit

• Chores
  • Updated CI/CD runner images to newer versions and switched some workflow containers to the canary image.
  • Bumped cache/version prefixes used for database caching across build and test workflows so cached artifacts align with the new runner versions.
  • Kept workflow behavior unchanged beyond image and cache-key updates.

[coderabbitai]

Walkthrough

The PR updates CI/CD configuration files to bump drevops/ci-runner image references (from pinned v25.9.0 to v25.10.0 or canary) and increments database cache key/version prefixes to v25.10.0; no workflow logic or control flow changes.

Changes

Cohort / File(s)	Change Summary
CircleCI config ​.circleci/config.yml	Bumps runner image tag from drevops/ci-runner:25.9.0 to drevops/ci-runner:25.10.0 and updates database cache key prefixes to v25.10.0 in restore/save/cache steps and related echo lines.
GitHub Actions — build/test/deploy .github/workflows/build-test-deploy.yml	Replaces pinned container image digest tag with drevops/ci-runner:25.10.0@sha256:03f272... (updated from v25.9.0 digest) and updates database cache key prefixes and printed cache-key strings to v25.10.0.
GitHub Actions — common workflows .github/workflows/vortex-test-common.yml	Changes three workflow container references from the pinned digest/tag to use the drevops/ci-runner:canary image; no other step or env changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Mostly homogeneous string replacements across three workflow files.
• Items to check during review:
  • Cache key/version consistency between CircleCI and GitHub Actions files.
  • Intentional use of canary in vortex-test-common.yml vs. pinned version elsewhere.
  • Verify updated digest in build-test-deploy.yml matches expected image.

Possibly related PRs

• Updated CI runner to 25.7.0 #1782: Modifies the same CI workflow files and updates drevops/ci-runner image tags and cache key/version strings.
• Updated deps and CI caches. #1959: Updates database cache key/version prefixes and cache key strings in overlapping CI configuration files.
• Updated CI Runner to 25.5.0. #1629: Performs similar drevops/ci-runner image tag updates across the same CI/CD workflow files.

Suggested labels

AUTOMERGE

Poem

🐰 I hopped through configs, soft and steady,
Bumped the runner, made the keys ready,
Canary hums and caches align,
CI carrots gleam—tests will dine!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "Updated to CI Runner 25.10.0" accurately and clearly reflects the main change in the changeset. All modifications across the three files (.circleci/config.yml, .github/workflows/build-test-deploy.yml, and .github/workflows/vortex-test-common.yml) are directly related to updating the CI runner image from version 25.9.0 to 25.10.0, along with corresponding cache key updates. The title is specific and concise enough that a developer scanning commit history would immediately understand the primary change, and it avoids vague terminology like "misc updates" or generic descriptors.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/ci-runner-25.10

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4dd8578 and 162769f.

📒 Files selected for processing (3)

• .circleci/config.yml (4 hunks)
• .github/workflows/build-test-deploy.yml (7 hunks)
• .github/workflows/vortex-test-common.yml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: build (0)
• GitHub Check: build (1)
• GitHub Check: vortex-test-deployment (0)
• GitHub Check: vortex-test-deployment (1)
• GitHub Check: vortex-test-workflow (2)
• GitHub Check: vortex-test-workflow (1)
• GitHub Check: vortex-test-workflow (4)
• GitHub Check: vortex-test-workflow (0)
• GitHub Check: vortex-test-workflow (3)
• GitHub Check: vortex-test-common
• GitHub Check: vortex-test-installer (8.2)
• GitHub Check: vortex-test-installer (8.3)
• GitHub Check: vortex-test-installer (8.4)
• GitHub Check: vortex-test-docs

🔇 Additional comments (7)

.circleci/config.yml (3)

44-44: ✓ Appropriate version pinning in CircleCI config.

The image reference correctly uses the pinned version drevops/ci-runner:25.10.0 instead of a moving tag, ensuring reproducible builds.

---

157-161: ✓ Cache key versions consistently updated across database job.

Database cache keys are properly bumped from v25.8.x to v25.10.0 in both restore and save operations, maintaining consistency in the caching strategy.

Also applies to: 190-190

---

239-240: ✓ Cache key versions properly updated in build job.

Database cache keys in the build job correctly reference the v25.10.0 prefix for consistency with the database job.

.github/workflows/build-test-deploy.yml (4)

63-63: ✓ Excellent image pinning strategy with SHA256 digests.

All three container image references use pinned version tags with explicit SHA256 digests (drevops/ci-runner:25.10.0@sha256:...), ensuring reproducible and immutable builds. This is the most robust approach to image management.

Also applies to: 179-179, 417-417

---

125-125: ✓ Cache keys properly versioned in database job.

Database cache restoration keys correctly use v25.10.0-db11 prefix for consistency with the version bump.

Also applies to: 129-129

---

161-161: ✓ Cache save key correctly updated.

Database cache save operation uses the appropriate v25.10.0-db11 versioned key.

---

226-226: ✓ Cache keys consistently updated in build job.

All database cache references in the build job matrix use the v25.10.0-db11 prefix, maintaining cache consistency across jobs.

Also applies to: 238-238, 240-240

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/build-test-deploy.yml (1)

1-50: PR description is incomplete.

The PR description contains only "Closes #" with no issue number specified. This makes it difficult to understand the business context or motivation for upgrading to CI Runner 25.10.0 and switching to the canary tag.

Recommendation: Provide a complete PR description explaining:

• Why the version bump is necessary
• Why the move from pinned digests to canary is appropriate (if intentional)
• Any breaking changes or new capabilities in v25.10.0
• Testing/validation performed

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1db9f7a and 4dd8578.

📒 Files selected for processing (3)

• .circleci/config.yml (4 hunks)
• .github/workflows/build-test-deploy.yml (7 hunks)
• .github/workflows/vortex-test-common.yml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: vortex-test-installer (8.4)
• GitHub Check: vortex-test-installer (8.3)
• GitHub Check: vortex-test-installer (8.2)
• GitHub Check: vortex-test-workflow (3)
• GitHub Check: vortex-test-workflow (0)
• GitHub Check: vortex-test-deployment (1)
• GitHub Check: vortex-test-common
• GitHub Check: vortex-test-workflow (2)
• GitHub Check: vortex-test-workflow (1)
• GitHub Check: vortex-test-deployment (0)
• GitHub Check: database
• GitHub Check: vortex-test-workflow (4)
• GitHub Check: vortex-test-docs

🔇 Additional comments (3)

.circleci/config.yml (1)

157-157: Cache key versioning is consistent.

All database-related cache operations across the CircleCI workflow have been updated to the v25.10.0 prefix. The cache keys, restore-keys, and fallback strategies are consistent and properly aligned.

Also applies to: 160-160, 190-190, 239-239, 240-240

.github/workflows/build-test-deploy.yml (2)

125-125: Cache key versioning is consistent and properly updated.

All database-related cache operations (restore_cache, save_cache, and diagnostic echo statements) have been consistently updated to use the v25.10.0 prefix, including fallback restore-keys. The version bump is applied uniformly across all cache-related steps.

Also applies to: 129-129, 161-161, 226-226, 238-238, 240-240

---

63-63: Verify the intent behind switching to the canary tag and consider using the pinned version mentioned in the commit message.

The review comment accurately identifies that all three CI jobs (database at line 63, build at 179, deploy at 417) were recently switched from pinned image tags with SHA256 digests (e.g., drevops/ci-runner:25.9.0@sha256:...) to the moving canary tag. This change introduces reproducibility concerns—moving tags can resolve to different images between runs, increasing flakiness risk.

However, the commit message states "Updated to CI Runner 25.10.0," while the actual image tag was changed to canary rather than a pinned 25.10.0. The cache keys were updated to v25.10.0, suggesting the original intent aligned with the review's recommendation. Consider clarifying: was the canary tag choice intentional, or should images be reverted to pinned versions (e.g., drevops/ci-runner:25.10.0@sha256:...) as the commit message implies?

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Reconsider using the moving canary tag for CI/CD workflows.

Switching from pinned SHA digests (e.g., drevops/ci-runner:25.9.0@sha256:...) to the moving canary tag introduces instability risk. Canary images are pre-release and can break unpredictably between runs, causing flaky CI failures unrelated to code changes. This is particularly risky for production CI/CD pipelines.

Recommendation: Use a stable, pinned image tag (e.g., drevops/ci-runner:25.10.0) or a specific SHA digest instead of canary.

Also applies to: 122-122, 191-191

---

I'll verify this review comment by examining the workflow file and researching the drevops/ci-runner image.

[/run_scripts]

Based on my research, I've found key information about the concern raised:

The drevops/ci-runner uses canary versioning where changes are released as a canary version, confirming the canary tag exists. Additionally, Docker and CI/CD best practices strongly support the concern: you should always pin a specific version of an image, as using a tag like docker:latest provides no control over which version is used and can cause incompatibility problems when new versions are released.

Now let me verify the actual workflow file to confirm the specific lines mentioned in the review.

---

🏁 Script executed:

#!/bin/bash
# Check the workflow file for canary tag usage at specified lines
if [ -f ".github/workflows/vortex-test-common.yml" ]; then
  echo "=== File content at lines 20-25 ==="
  sed -n '20,25p' ".github/workflows/vortex-test-common.yml"
  echo ""
  echo "=== File content at lines 119-125 ==="
  sed -n '119,125p' ".github/workflows/vortex-test-common.yml"
  echo ""
  echo "=== File content at lines 188-194 ==="
  sed -n '188,194p' ".github/workflows/vortex-test-common.yml"
  echo ""
  echo "=== Count of 'canary' occurrences ==="
  grep -c "canary" ".github/workflows/vortex-test-common.yml" || echo "0 matches"
else
  echo "File not found: .github/workflows/vortex-test-common.yml"
fi

Length of output: 668

---

I need to search more specifically for information about the drevops/ci-runner canary tag to understand what it actually represents.<!-- [scratchpad_update]
[task verify_review_comment 2/2 verify_canary_tag_nature COMPLETE]
[critical_findings]
Found key information in drevops/ci-runner GitHub documentation:

• "Renovate bot is used to update dependencies. It creates a PR with the changes and automatically merges it if CI passes. These changes are then released as a canary version."
• Official documentation confirms canary versions exist
• But still NO mention of a "canary" Docker tag specifically
• Documentation only shows YY.m.patch tags and test-ci tag in examples
• No documentation indicating the workflow uses canary tag at lines 23, 122, 191
  [analysis_canary_concept]
• Found reference to actions-runner-controller:canary in issue [8.x] Fix link to Pygmy Documentation #427
• Quote from maintainer: "In general don't run the canary image unless you know why you are running it... It's an especially unstable development image as any push to master that isn't for the runners will trigger a build and a publish to Dockerhub."
• This confirms canary tags in general CI/CD context are unstable
• General Docker best practices from multiple sources: use specific version tags, avoid latest and similar moving tags
• GitLab documentation: "If tags like docker:stable are used, you have no control over what version is going to be used and this can lead to unpredictable behavior, especially when new versions are released."
  [conclusion]
• Review comment factually correct: workflow uses canary tag at specified lines
• General concern about canary tags is valid based on Docker/CI best practices
• However: drevops/ci-runner documentation does NOT explicitly document a "canary" tag as unstable
• The concern may be based on general canary tag practices rather than drevops-specific knowledge
• The recommendation to use pinned versions (e.g., 25.10.0) aligns with best practices
  [final_determination]
• Workflow file confirmed to use drevops/ci-runner:canary at lines 23, 122, 191
• General concern about canary tags is valid per Docker/CI best practices
• Review comment's recommendation is sound and actionable
• Tags are appropriate for a or determination
  [scratchpad_end] -->

Based on my verification, I've confirmed that the workflow file .github/workflows/vortex-test-common.yml does contain canary versions released in the drevops/ci-runner project. While releases are scheduled at minimum once per month with YY.m.patch tags, the project documentation also confirms that changes are then released as a canary version.

The review comment's concern aligns with established CI/CD best practices: you should always pin a specific version of the image, and if you use a tag like docker:latest, you have no control over which version is used, which can cause incompatibility problems when new versions are released.

Pin the container image to a stable version instead of using the canary tag.

Replace drevops/ci-runner:canary with a specific stable version tag (e.g., drevops/ci-runner:25.10.0) at lines 23, 122, and 191 to ensure consistent and predictable CI/CD behavior across workflow runs.

🤖 Prompt for AI Agents

.github/workflows/vortex-test-common.yml lines 23, 122 and 191: the workflow
uses the mutable image tag drevops/ci-runner:canary which can lead to
unpredictable CI runs; change each occurrence to a specific stable version tag
(for example drevops/ci-runner:25.10.0) by replacing :canary with the chosen
YY.m.patch release tag and ensure the chosen version is updated deliberately via
dependency updates rather than left as a moving tag.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.05%. Comparing base (1db9f7a) to head (162769f).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #2065   +/-   ##
========================================
  Coverage    64.05%   64.05%           
========================================
  Files           92       92           
  Lines         5692     5692           
  Branches        44       44           
========================================
  Hits          3646     3646           
  Misses        2046     2046           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.