chore: publish pre-releases after each commit

[benoitf]

related to #145

[coderabbitai]

Warning

Rate limit exceeded

@benoitf has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 24 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 10 minutes and 24 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e5ff2a62-1c71-418d-81dd-82d4c18d4f18

📥 Commits

Reviewing files that changed from the base of the PR and between 2ef2054 and ee67772.

📒 Files selected for processing (1)

• .github/workflows/next-build.yml

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow (.github/workflows/next-build.yml) to compute a prerelease version from pkg/version/version.go, update .goreleaser.yaml, create and push an annotated tag to a prerelease repo, and invoke GoReleaser to publish prerelease artifacts.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Configuration /.github/workflows/next-build.yml	Adds a new workflow triggered by workflow_dispatch and pushes to main. Checks out code, sets up Go, computes a composite prerelease version from pkg/version/version.go + date + short SHA, patches .goreleaser.yaml, creates an annotated tag, pushes it to kortex-cli-prereleases, checks out that repo ref, and runs GoReleaser (release --clean) using the bot token.

Sequence Diagram(s)

sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Source as Repo (kortex-cli)
    participant Prerelease as Repo (kortex-cli-prereleases)
    participant GoReleaser as GoReleaser Action / goreleaser

    Runner->>Source: checkout (full history)
    Runner->>Source: read `pkg/version/version.go` → extract Version
    Runner->>Runner: compute VERSION = BASE_VERSION + DATE + SHORT_SHA
    Runner->>Source: modify `.goreleaser.yaml` (prerelease name, auto-prerelease, disable changelog)
    Runner->>Source: git tag annotated vVERSION
    Runner->>Prerelease: add remote (bot token) & push tag
    Runner->>Prerelease: checkout pushed ref
    Runner->>GoReleaser: invoke `goreleaser release --clean` (GITHUB_TOKEN)
    GoReleaser->>Prerelease: publish artifacts/releases

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ci(release): add job to bump next version after release #138 — Alters CI workflows that read/derive version from pkg/version/version.go, related to version computation in this workflow.
• ci(release): add goreleaser config and GitHub Actions workflow #113 — Adds/changes CI release pipeline invoking GoReleaser and .goreleaser.yaml modifications, closely related to release automation.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: publish pre-releases after each commit' directly matches the main purpose of the changeset, which adds a GitHub Actions workflow to automatically publish pre-releases.
Description check	✅ Passed	The description references GitHub issue #145 which is directly related to the pre-release publishing workflow being added in this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/next-build.yml:
- Around line 60-64: The tag creation/push is not idempotent: update the
workflow to guard git tag/git push so reruns don't fail if the tag already
exists on the prereleases remote. Before creating/pushing "v${{
steps.version.outputs.version }}" use git ls-remote --tags prereleases
refs/tags/<tag> to check if the tag exists; only run git tag and git push
prereleases if the tag is absent, otherwise skip (or optionally delete the
remote tag first then recreate if you need to overwrite). Apply this logic
around the git tag, git remote add prereleases, and git push prereleases
commands referenced in the diff so rerunning the job won’t error when the tag
already exists.
- Around line 34-38: The checkout step currently passes the high-privilege
KORTEX_BOT_TOKEN to actions/checkout (uses: actions/checkout@...), which
persists credentials to git config for later steps; remove the token from that
checkout and add persist-credentials: false to the same checkout step to prevent
credential persistence, then add a targeted step just before tag creation (where
tag creation is performed) that supplies KORTEX_BOT_TOKEN (or re-checks out with
actions/checkout and the token) so only the tag-creation step has the elevated
token.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 22ff17da-0bf2-4b84-ac26-4393d2f46a8d

📥 Commits

Reviewing files that changed from the base of the PR and between 09ed161 and 55f9f8f.

📒 Files selected for processing (1)

• .github/workflows/next-build.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the checkout step currently injects bot credentials and does not disable persistence.
rg -n -C2 'name: Checkout code|actions/checkout@|token:|persist-credentials' .github/workflows/next-build.yml

Repository: kortex-hub/kortex-cli

Length of output: 598

---

Remove high-privilege token from checkout and disable credential persistence.

Line 37 passes KORTEX_BOT_TOKEN to actions/checkout; by default, this is persisted in git config for all subsequent steps. The token is only needed later for tag creation (line 63-64), not for the initial checkout. This unnecessarily broadens credential exposure across the workflow.

Suggested fix

       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          token: ${{ secrets.KORTEX_BOT_TOKEN }}
           fetch-depth: 0
+          persist-credentials: false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	token: ${{ secrets.KORTEX_BOT_TOKEN }}
	fetch-depth: 0
	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 0
	persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/next-build.yml around lines 34 - 38, The checkout step
currently passes the high-privilege KORTEX_BOT_TOKEN to actions/checkout (uses:
actions/checkout@...), which persists credentials to git config for later steps;
remove the token from that checkout and add persist-credentials: false to the
same checkout step to prevent credential persistence, then add a targeted step
just before tag creation (where tag creation is performed) that supplies
KORTEX_BOT_TOKEN (or re-checks out with actions/checkout and the token) so only
the tag-creation step has the elevated token.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Make tag publishing idempotent for reruns.

Lines 62-64 will fail if the same tag already exists in kortex-cli-prereleases (e.g., manual rerun on the same commit/version). Guard this path to avoid unnecessary red runs.

Suggested idempotent push logic

       - name: Create tag and push to prereleases repo
         run: |
-          git tag "v${{ steps.version.outputs.version }}"
+          TAG="v${{ steps.version.outputs.version }}"
           git remote add prereleases https://x-access-token:${KORTEX_BOT_TOKEN}@github.com/kortex-hub/kortex-cli-prereleases
-          git push prereleases "v${{ steps.version.outputs.version }}"
+          if git ls-remote --tags prereleases "refs/tags/${TAG}" | grep -q "${TAG}"; then
+            echo "Tag ${TAG} already exists in prereleases repo; skipping push."
+            exit 0
+          fi
+          git tag "${TAG}"
+          git push prereleases "${TAG}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/next-build.yml around lines 60 - 64, The tag creation/push
is not idempotent: update the workflow to guard git tag/git push so reruns don't
fail if the tag already exists on the prereleases remote. Before
creating/pushing "v${{ steps.version.outputs.version }}" use git ls-remote
--tags prereleases refs/tags/<tag> to check if the tag exists; only run git tag
and git push prereleases if the tag is absent, otherwise skip (or optionally
delete the remote tag first then recreate if you need to overwrite). Apply this
logic around the git tag, git remote add prereleases, and git push prereleases
commands referenced in the diff so rerunning the job won’t error when the tag
already exists.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

.github/workflows/next-build.yml (2)

34-38: ⚠️ Potential issue | 🟠 Major

Limit checkout credential scope and disable persistence.

Line 37 injects KORTEX_BOT_TOKEN into the initial checkout, and checkout persists credentials by default. That broadens token exposure across later steps unnecessarily.

Suggested fix

       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          token: ${{ secrets.KORTEX_BOT_TOKEN }}
           fetch-depth: 0
+          persist-credentials: false

#!/bin/bash
# Verify whether high-privilege token is used in initial checkout and whether credentials are persisted.
rg -n -C2 'name: Checkout code|actions/checkout@|token:|persist-credentials' .github/workflows/next-build.yml

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/next-build.yml around lines 34 - 38, The checkout step
currently uses actions/checkout@de0fac2... with token: ${{
secrets.KORTEX_BOT_TOKEN }} and by default persists credentials; change the
initial checkout to avoid injecting the high-privilege KORTEX_BOT_TOKEN and
disable credential persistence by adding persist-credentials: false (or supply a
minimal-scope token if absolutely required), and if you need KORTEX_BOT_TOKEN
for later steps, perform a secondary checkout (or a dedicated checkout step)
that supplies KORTEX_BOT_TOKEN only for that step so the secret is not present
for the whole job; update the step referencing
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd and the token
KORTEX_BOT_TOKEN accordingly.

---

67-69: ⚠️ Potential issue | 🟡 Minor

Make tag push idempotent for reruns.

Lines 67-69 will fail when the same tag already exists in kortex-cli-prereleases (e.g., rerun on same commit/day). Guard tag creation/push with a remote tag existence check.

Suggested fix

-          git tag "v${{ steps.version.outputs.version }}"
           git remote add prereleases https://x-access-token:${KORTEX_BOT_TOKEN}@github.com/kortex-hub/kortex-cli-prereleases
-          git push prereleases "v${{ steps.version.outputs.version }}"
+          TAG="v${{ steps.version.outputs.version }}"
+          if git ls-remote --tags prereleases "refs/tags/${TAG}" | grep -q "${TAG}"; then
+            echo "Tag ${TAG} already exists in prereleases repo; skipping push."
+            exit 0
+          fi
+          git tag "${TAG}"
+          git push prereleases "${TAG}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/next-build.yml around lines 67 - 69, The steps currently
always create and push a tag (git tag "v${{ steps.version.outputs.version }}" /
git remote add prereleases ... / git push prereleases "v${{
steps.version.outputs.version }}"), which fails if that tag already exists;
update the workflow to first check the prereleases remote for the tag (e.g., use
git ls-remote --tags prereleases refs/tags/v${{ steps.version.outputs.version }}
or an equivalent check) and only run git tag and git push when the tag is
absent, otherwise skip tagging/pushing to make the job idempotent on reruns.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/next-build.yml:
- Around line 73-77: The checkout ref uses ${{ steps.version.outputs.version }}
but the workflow creates and pushes a tag named v${{
steps.version.outputs.version }}, causing a mismatch; update the
actions/checkout step (the ref value referenced in the checkout block using
actions/checkout@...) to use the tag name—prefix the version with "v" (e.g.,
v${{ steps.version.outputs.version }}) or point to the tag ref (refs/tags/v${{
steps.version.outputs.version }}) so the checkout matches the created tag.

---

Duplicate comments:
In @.github/workflows/next-build.yml:
- Around line 34-38: The checkout step currently uses
actions/checkout@de0fac2... with token: ${{ secrets.KORTEX_BOT_TOKEN }} and by
default persists credentials; change the initial checkout to avoid injecting the
high-privilege KORTEX_BOT_TOKEN and disable credential persistence by adding
persist-credentials: false (or supply a minimal-scope token if absolutely
required), and if you need KORTEX_BOT_TOKEN for later steps, perform a secondary
checkout (or a dedicated checkout step) that supplies KORTEX_BOT_TOKEN only for
that step so the secret is not present for the whole job; update the step
referencing actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd and the
token KORTEX_BOT_TOKEN accordingly.
- Around line 67-69: The steps currently always create and push a tag (git tag
"v${{ steps.version.outputs.version }}" / git remote add prereleases ... / git
push prereleases "v${{ steps.version.outputs.version }}"), which fails if that
tag already exists; update the workflow to first check the prereleases remote
for the tag (e.g., use git ls-remote --tags prereleases refs/tags/v${{
steps.version.outputs.version }} or an equivalent check) and only run git tag
and git push when the tag is absent, otherwise skip tagging/pushing to make the
job idempotent on reruns.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ca6e5a84-11e9-4bee-bb3e-eadb45333adb

📥 Commits

Reviewing files that changed from the base of the PR and between 55f9f8f and 2ef2054.

📒 Files selected for processing (1)

• .github/workflows/next-build.yml