Skip AWS auth in docs preview when docs build fails #3269
Align the aws-auth step with Upload to S3 so OIDC is only requested after a successful local docs build, avoiding unnecessary credential setup when the build or path validation did not succeed. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
📝 Walkthrough
The change tightens the execution conditions for a step in the
🚥 Pre-merge checks | ✅ Passed checks (5 passed)
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/docs-preview-local.yml (1)
329-352: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

`aws-auth` is stricter than `Upload to S3`, creating a credential gap.

The PR objective is to align `aws-auth` with the `Upload to S3` conditions, but the new condition is actually more restrictive: `aws-auth` requires `steps.internal-validate-path-prefixes.outcome == 'success'` while `Upload to S3` does not.

When `internal-docs-build` succeeds but `internal-validate-path-prefixes` fails:

- `aws-auth` → skipped (credentials never configured)
- `Upload to S3` → runs (its `if` is satisfied) → fails with an AWS auth error

To fix the asymmetry, either add the path-prefix check to the S3 step (if uploading without a valid prefix is undesirable) or drop it from `aws-auth`:

🐛 Option A — guard S3 upload with the same path-prefix requirement
- name: Upload to S3 id: s3-upload if: > env.MATCH == 'true' && !cancelled() && steps.internal-docs-build.outputs.skip != 'true' && steps.internal-docs-build.outcome == 'success' + && steps.internal-validate-path-prefixes.outcome == 'success'🐛 Option B — remove the path-prefix gate from aws-auth to match S3 exactly
- uses: elastic/docs-builder/.github/actions/aws-auth@main if: > env.MATCH == 'true' && !cancelled() && needs.check.outputs.any_modified != 'false' && steps.internal-docs-build.outputs.skip != 'true' && steps.internal-docs-build.outcome == 'success' - && steps.internal-validate-path-prefixes.outcome == 'success'🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docs-preview-local.yml around lines 329 - 352, The aws-auth action is gated by steps.internal-validate-path-prefixes.outcome == 'success' while the "Upload to S3" step is not, causing an auth gap; fix by making the condition logic symmetric: either add the same path-prefix check to the Upload to S3 step's if (include && steps.internal-validate-path-prefixes.outcome == 'success') so it only runs when prefixes validate, or remove the path-prefix requirement from the aws-auth action's if so it matches the Upload to S3 step; update the conditional on the aws-auth invocation or the s3-upload step respectively (referencing aws-auth, the "Upload to S3" step/id s3-upload, and steps.internal-validate-path-prefixes) to ensure both steps have identical guards.
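Review bot: In Option A, the added `&& steps.internal-validate-path-prefixes.outcome == 'success'` clause on Upload to S3 also suppresses the upload whenever the validation step did not run at all, since a skipped step reports outcome `skipped` rather than `success`. Confirm that every path on which path-prefix validation is skipped should also skip the upload; if so, this is the fail-closed choice of the two options, because nothing is synced under an unvalidated prefix.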
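Review bot: Option B does not make the two guards identical. After the path-prefix line is removed, the aws-auth `if` still contains `needs.check.outputs.any_modified != 'false'`, which the Upload to S3 condition shown in Option A does not have, so unless the job is already gated on that output elsewhere, aws-auth can still be skipped while the upload runs. Add the same clause to the upload step or drop it here. Separately, `elastic/docs-builder/.github/actions/aws-auth@main` is a mutable ref on the step that requests OIDC credentials; pinning it to a commit SHA would be the safer form.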
📒 Files selected for processing (1)
.github/workflows/docs-preview-local.yml
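The guard asymmetry flagged in the review above can be checked mechanically. This is an added example, not part of the PR or of the bot's output: it takes the two `if` conditions as they appear in the suggestion hunks, assumes each is a pure `&&` conjunction, and reports every state in which the credential consumer runs while the credential provider is skipped. The names `parse`, `holds` and `gaps` are hypothetical helpers.

```python
import re

# Guards as shown in the review's suggestion hunks (aws-auth as this PR sets it).
AWS_AUTH = """env.MATCH == 'true' && !cancelled()
 && needs.check.outputs.any_modified != 'false'
 && steps.internal-docs-build.outputs.skip != 'true'
 && steps.internal-docs-build.outcome == 'success'
 && steps.internal-validate-path-prefixes.outcome == 'success'"""
S3_UPLOAD = """env.MATCH == 'true' && !cancelled()
 && steps.internal-docs-build.outputs.skip != 'true'
 && steps.internal-docs-build.outcome == 'success'"""

CLAUSE = re.compile(r"^([\w.\-]+)\s*(==|!=)\s*'([^']*)'$")

def parse(expr):
    """Split a pure '&&' conjunction into (name, op, literal) clauses."""
    clauses = []
    for part in (p.strip() for p in expr.split("&&")):
        if part == "!cancelled()":
            clauses.append(("cancelled()", "==", "false"))
            continue
        m = CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append(m.groups())
    return clauses

def holds(clauses, ctx):
    """Evaluate the conjunction; names missing from ctx read as ''."""
    return all((ctx.get(n, "") == v) == (op == "==") for n, op, v in clauses)

def gaps(provider, consumer):
    """Return (clause, ctx) pairs where the consumer runs but the provider is skipped."""
    prov, cons = parse(provider), parse(consumer)
    found = []
    for name, op, val in prov:
        if (name, op, val) in cons:
            continue
        # Build a state that satisfies every clause, then break only this one.
        ctx = {n: (v if o == "==" else "") for n, o, v in prov + cons}
        ctx[name] = "failure" if op == "==" else val
        if holds(cons, ctx) and not holds(prov, ctx):
            found.append((f"{name} {op} '{val}'", ctx))
    return found
```

The comparison is purely syntactic within one job: a clause that is already enforced elsewhere, for example by a job-level `if`, will still be reported and has to be ruled out by reading the workflow.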
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Why

The docs preview workflow could still run the `aws-auth` step when the local documentation build had not succeeded, which requests OIDC and configures AWS credentials unnecessarily and can be confusing when debugging failed builds.

What

The `aws-auth` step conditions are aligned with the Upload to S3 step: AWS authentication only runs when the build completed successfully (not skipped), `MATCH` applies, and path-prefix validation succeeded, so credential setup matches the cases where we actually sync to S3.

Made with Cursor