
chore: improve build and test pipeline and the release ochestrator #529

Merged
mevan-karu merged 1 commit into openchoreo:main from mevan-karu:build_test_fix_1 May 13, 2026


@mevan-karu mevan-karu commented May 13, 2026

$subject

Related to - openchoreo/openchoreo#3341

Summary by CodeRabbit

  • Chores
    • Optimized CI/CD pipeline for faster, more efficient builds.
    • Enhanced build workflow with improved caching to prevent unnecessary image rebuilds.
    • Restructured release workflow with enhanced validation checks for safer deployments.



coderabbitai Bot commented May 13, 2026

Walkthrough

The PR updates two GitHub Actions workflows. Build-and-test adds pull-request-aware concurrency grouping and a pre-build check for commit images in GHCR to skip redundant builds. Release-orchestrator refactors from a single job into separate validate, branch, and tag jobs, with the validate job always running to expose shared outputs and preconditions for downstream jobs.

Changes

CI/CD Workflow Improvements

| Layer | File(s) | Summary |
|---|---|---|
| Build-and-test concurrency and image caching | .github/workflows/build-and-test.yml | Concurrency group now includes pull-request number when available for better workflow collision detection; new image existence check inspects GHCR for commit-specific tags and skips the build step if the image already exists. |
| Release orchestrator validate job structure and outputs | .github/workflows/release-orchestrator.yml | New validate job replaces monolithic orchestration and always runs to resolve inputs, compute version and checkout SHA, and expose these as job-level outputs for downstream jobs; token generation and repository checkout move into this job. |
| Release orchestrator validation logic | .github/workflows/release-orchestrator.yml | Validate job adds precondition checks: detecting whether release-vX.Y branch exists, resolving the target commit (from explicit input, existing branch, or checkout SHA), and polling the container registry to confirm the source image exists for the target commit. |
| Release orchestrator branch and tag jobs | .github/workflows/release-orchestrator.yml | New branch job conditionally creates and pushes the release-vX.Y branch for stable releases when not already present; new tag job depends on both validate and branch, uses always() with failure guards to allow tagging when branch is skipped, and creates annotated tags at the validate-resolved commit using validate outputs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Concurrency now knows the PR,
Images checked before we build so far,
Release jobs split with care,
Validate, branch, and tag—
Each step knows what to do up there!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The pull request description is minimal and largely incomplete, containing only a placeholder subject line and a related issue link. | Provide a comprehensive description following the repository template, including Purpose, Goals, Approach, User stories, Release note, and other relevant sections. Explain the concurrency handling improvements in detail. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title mentions improving the build/test pipeline and release orchestrator, which aligns with the workflow changes, but contains a typo ('ochestrator' instead of 'orchestrator'). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.
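
The job gating summarized in the walkthrough above (a tag job that still runs when the branch job is skipped, but not when anything upstream failed), as an added example that is not the PR's release-orchestrator.yml. The job names and the target-commit output come from the walkthrough; the version, is-stable and branch-exists outputs and all step bodies are assumptions.

```yaml
# Added illustration, not the contents of release-orchestrator.yml.
# validate/branch/tag and target-commit are named on this page;
# version, is-stable, branch-exists and the run bodies are assumed.
name: release-orchestrator-example
on:
  workflow_dispatch:

permissions:
  contents: write

jobs:
  validate:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.resolve.outputs.version }}
      target-commit: ${{ steps.resolve.outputs.target-commit }}
      branch-exists: ${{ steps.resolve.outputs.branch-exists }}
      is-stable: ${{ steps.resolve.outputs.is-stable }}
    steps:
      - id: resolve
        run: |
          # Placeholder values; a real job resolves these from inputs and git.
          {
            echo "version=v0.0.0"
            echo "target-commit=${GITHUB_SHA}"
            echo "branch-exists=false"
            echo "is-stable=true"
          } >> "$GITHUB_OUTPUT"

  branch:
    needs: validate
    # Skipped for pre-releases or when the release branch is already present.
    if: needs.validate.outputs.is-stable == 'true' && needs.validate.outputs.branch-exists != 'true'
    runs-on: ubuntu-latest
    steps:
      - run: echo "create and push the release branch here"

  tag:
    needs: [validate, branch]
    # Without always(), a skipped branch job would skip this job as well.
    # The result guards stop always() from tagging after a failed or
    # cancelled upstream job.
    if: >-
      always() &&
      needs.validate.result == 'success' &&
      (needs.branch.result == 'success' || needs.branch.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - env:
          VERSION: ${{ needs.validate.outputs.version }}
          TARGET: ${{ needs.validate.outputs.target-commit }}
        run: echo "create annotated tag ${VERSION} at ${TARGET}"
```

Passing the validate outputs through `env:` keeps them out of the script text, so a value containing shell metacharacters is treated as data rather than as part of the command.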



codecov Bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Signed-off-by: Mevan <mevan.karu@gmail.com>
@mevan-karu mevan-karu changed the title from "chore: improve build and test pipeline and the release ochestrator to handle concurrency" to "chore: improve build and test pipeline and the release ochestrator" May 13, 2026

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
.github/workflows/build-and-test.yml (1)

194-204: ⚡ Quick win

Reuse the SHA from the tag step to avoid duplication.

The SHA is calculated twice—once in the "Set image tag" step (line 186) and again here (line 197). This duplication violates DRY and could theoretically lead to inconsistency if the git state changes between steps.

♻️ Proposed fix to reuse the SHA output
       - name: Check if image already exists
         id: check-image
         run: |
-          SHA=$(git rev-parse --short=8 HEAD)
+          SHA="${{ steps.tag.outputs.GIT_SHA_SHORT }}"
           if docker buildx imagetools inspect "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${SHA}" >/dev/null 2>&1; then
             echo "Image ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${SHA} already exists. Skipping build."
             echo "skip=true" >> $GITHUB_OUTPUT
           else
             echo "Image not found. Proceeding with build."
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
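Review bot: on the added `SHA="${{ steps.tag.outputs.GIT_SHA_SHORT }}"` line, the step id `tag` and the output name `GIT_SHA_SHORT` are not visible in this hunk, and the agent prompt that follows refers to `steps.set-image-tag.outputs.sha` instead. A reference to a step output that does not exist expands to an empty string; the inspect on a reference with an empty tag then fails, and because its output goes to `>/dev/null 2>&1` the step writes `skip=false` on every run without any sign that the cache check is dead. Confirm the id and output name against the "Set image tag" step, and fail the step when the value is empty, for example `[ -n "$SHA" ] || { echo "empty SHA" >&2; exit 1; }`. Passing the value in through `env:` rather than interpolating it into the script would also keep the expression out of the shell text.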
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-and-test.yml around lines 194 - 204, The "Check if
image already exists" step (id: check-image) recalculates the git SHA instead of
reusing the SHA produced by the earlier "Set image tag" step; update the
check-image step to reference the SHA output from the set-image-tag step (e.g.
${{ steps.set-image-tag.outputs.sha }}) when forming the image tag (instead of
running git rev-parse again) so the build uses the single canonical SHA output
and avoid duplication; ensure the referenced step id matches the actual id of
the "Set image tag" step and keep using ${{ env.REGISTRY }}/${{ env.IMAGE_NAME
}}:${{ steps.set-image-tag.outputs.sha }} in the docker imagetools inspect and
the messages.
.github/workflows/release-orchestrator.yml (1)

217-217: 💤 Low value

Optional: reduce fetch-depth for the branch and tag jobs.

Both branch and tag jobs only need the resolved SHA to create a local branch / annotated tag and push it — full history isn't required. fetch-depth: 1 (the default) should suffice and avoids cloning the entire history on every release run. The same applies to the tag job at line 257. The validate job still needs fetch-depth: 0 for git ls-remote / git rev-parse correctness.

♻️ Proposed diff for both jobs
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ needs.validate.outputs.checkout-sha }}
-          fetch-depth: 0
+          fetch-depth: 1
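Review bot: with `fetch-depth: 1` and `ref: ${{ needs.validate.outputs.checkout-sha }}`, the branch job has exactly one commit locally, while the tag job below checks out `needs.validate.outputs.target-commit`, and the walkthrough says the target commit can come from an explicit input or an existing branch rather than the checkout SHA. If any later step in the branch job creates the release branch at the target commit instead of at HEAD, that object will be missing from the shallow clone and the step will fail. Either confirm the branch is always cut from the checked-out commit, or check out the commit the branch is actually created from.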

And in the tag job:

       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ needs.validate.outputs.target-commit }}
-          fetch-depth: 0
+          fetch-depth: 1
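Review bot: changing `fetch-depth: 0` to `fetch-depth: 1` in the tag job also stops the checkout from bringing down existing tags, since only depth 0 fetches all history for all branches and tags. Any step in this job that checks locally whether the release tag already exists, or that looks up a previous tag, would then see none and could attempt to recreate a tag that is already published. If such a check exists, have it query the remote, for example `git ls-remote --tags origin "refs/tags/<tag>"`, before switching to the shallow clone.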
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-orchestrator.yml at line 217, Update the checkout
steps in the branch and tag jobs to use a shallower clone by changing
fetch-depth from 0 to 1 (i.e., set fetch-depth: 1 on the actions/checkout step
in the jobs named "branch" and "tag"); leave the validate job's fetch-depth at 0
so git ls-remote / git rev-parse behavior is preserved. Ensure both job
definitions explicitly include the updated fetch-depth under the checkout step
so only the needed commit SHA is fetched.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 7830db7 and a367001.

📒 Files selected for processing (2)
  • .github/workflows/build-and-test.yml
  • .github/workflows/release-orchestrator.yml

Comment on lines +196 to +204
run: |
SHA=$(git rev-parse --short=8 HEAD)
if docker buildx imagetools inspect "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${SHA}" >/dev/null 2>&1; then
echo "Image ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${SHA} already exists. Skipping build."
echo "skip=true" >> $GITHUB_OUTPUT
else
echo "Image not found. Proceeding with build."
echo "skip=false" >> $GITHUB_OUTPUT
fi
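Review bot: the `if docker buildx imagetools inspect ... >/dev/null 2>&1` test treats every non-zero exit as "image not found", so an expired registry login, an outage or a rate limit is indistinguishable from a missing tag and the reason never reaches the job log. In the other direction, `skip=true` rests only on a tag named after the 8-character short SHA existing in the registry; tags are mutable, so later jobs consume whatever image currently holds that tag rather than one this run built. Suggest leaving the inspect output visible in the log, and recording the digest the inspect reports as a step output so downstream steps can pull by digest instead of by tag.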

Suggested improvement:

  run: |
      SHA=$(git rev-parse --short=8 HEAD)
      IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${SHA}"
      echo "Checking if image exists: ${IMAGE}"
      if docker buildx imagetools inspect "${IMAGE}" 2>&1; then
        echo "Image ${IMAGE} already exists. Skipping build."
        echo "skip=true" >> $GITHUB_OUTPUT
      else
        echo "Image not found. Proceeding with build."
        echo "skip=false" >> $GITHUB_OUTPUT
      fi


@LakshanSS LakshanSS left a comment


Approved with a minor suggestion

@mevan-karu mevan-karu merged commit 2dbbbb3 into openchoreo:main May 13, 2026
8 checks passed