ci: ensure image is built and published once

[arealmaas]

Description

Ensure that the image is build and published once per version. So when the release PR is merged into main, and release please notices that it should create a release, it builds and publishes the image and that's it. Removed the build and publish step in the staging/yt01 workflows.

There might be a race-condition if the build/publish step takes a long time, and the trigger for staging and yt01 workflows are releases that have been created in github. So an improvement would be looking into a solution for that. Using some other trigger..

Related Issue(s)

• #{issue number}

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

• Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

Summary by CodeRabbit

• New Features

  • Introduced new job publish-main to enhance deployment logic.
  • Added output variable release_created to improve release tracking.

• Bug Fixes

  • Streamlined workflows by removing the publish job, simplifying job dependencies.

• Documentation

  • Updated job dependencies and conditions for improved clarity and organization across CI/CD workflows.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces several modifications to the CI/CD workflow configurations across multiple YAML files. Key changes include the removal of the publish job, which involved building and publishing Docker images, and the addition of a new job publish-main in the main workflow. Job dependencies have been updated to reflect these changes, with conditions for executing jobs now focusing on the release creation status. The overall organization of jobs has been refined to improve clarity and control flow.

Changes

File	Change Summary
.github/workflows/ci-cd-main.yml	- Added output variable release_created in release-please job. - Renamed publish to publish-release. - Introduced new job publish-main. - Updated dependencies and execution conditions for several jobs based on release status.
.github/workflows/ci-cd-staging.yml	- Removed publish job. - Updated deploy-apps and send-slack-message-on-failure job dependencies to exclude publish.
.github/workflows/ci-cd-yt01.yml	- Removed publish job. - Updated deploy-apps and send-slack-message-on-failure job dependencies to exclude publish.

Possibly related PRs

• ci: send message on release created and successfully validated #1185: Introduces a new job to send Slack messages when a release is created, related to updates in Slack notification jobs.
• ci: ensure unique revisions for deployments #1211: Ensures unique revisions for deployments, connecting to the focus on job dependencies and execution conditions.
• ci: alert on pipelines failing #1246: Adds a notification mechanism for pipeline failures, aligning with updates to Slack messaging jobs.
• ci(slackbot): clean up slack alerts #1272: Modifies the Slack alert structure, relevant to updates in Slack messaging jobs.
• ci: add status for build and test #1284: Enhances the CI process by adding a status for build and test, connecting to updates on job dependencies.
• chore(ci): Deploy schema after apps #1285: Updates job dependencies in the CI/CD workflow, relevant to changes in job organization.
• ci: ensure publishing of npm schema happens regardless of if app deploy is skipped #1289: Ensures npm schema is published regardless of app deployment status, relating to execution conditions.
• ci: ensure the check-for-changes checks previous deployed version #1346: Enhances the check-for-changes functionality, relevant to updates on job dependencies.
• ci: ensure we store the versions as gh variables #1405: Ensures version information is stored as GitHub variables, connecting to updates on job dependencies.
• ci: ensure version is stored when deploying apps #1481: Addresses storage of version information during deployments, relevant to job execution conditions.

Suggested reviewers

• oskogstad

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (4)

.github/workflows/ci-cd-yt01.yml (1)

Line range hint 1-143: Consider implementing robust image coordination mechanism

While centralizing image building in the main workflow reduces redundancy, the distributed nature of deployments across different environments (staging, yt01) requires careful coordination. Consider these architectural improvements:

1. Implement a shared status mechanism (e.g., using GitHub deployment status API) to track image availability
2. Add explicit wait/retry logic in deployment workflows
3. Consider using image tags or SHA digests instead of relying on version labels for more deterministic deployments

This would help prevent race conditions and ensure reliable deployments across environments.

.github/workflows/ci-cd-staging.yml (1)

Line range hint 1-152: Consider addressing the potential race condition

While the removal of redundant image builds is a good improvement, the PR objectives mention a potential race condition when staging/yt01 workflows are triggered by GitHub releases. This could be problematic if the build and publish process in the main workflow takes longer than expected.

Consider implementing one of these solutions:

1. Add a wait step in staging/yt01 workflows that checks for image availability before proceeding with deployment
2. Implement a semaphore or lock mechanism using GitHub environment protection rules
3. Use artifact dependencies between workflows to ensure proper sequencing

Would you like me to provide a detailed implementation for any of these approaches?

.github/workflows/ci-cd-main.yml (2)

48-58: Well-structured separation of release and main publishing

The split into publish-release and publish-main jobs effectively implements the single-build objective while maintaining clear separation of concerns. The mutually exclusive conditions ensure images are built only once.

Consider adding a comment in the workflow file explaining the purpose of each publish job and their triggering conditions. This would help future maintainers understand the workflow's design.

+    # Triggered when a new release is created by release-please
     name: Build and publish release docker images

+    # Triggered for non-release changes to main branch
     name: Build and publish main docker images

Also applies to: 59-69

---

168-169: Address TODO for handling multiple publish statuses

The current implementation only reports the release publish status. This should be enhanced to handle both publish job statuses.

Would you like me to help implement a solution that properly handles both publish-release and publish-main statuses in the Slack notification? This could include:

1. Adding separate status outputs for each publish job
2. Implementing conditional logic to show the relevant status

Also applies to: 181-182

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 12e4b0b and c8f4011.

📒 Files selected for processing (3)

• .github/workflows/ci-cd-main.yml (9 hunks)
• .github/workflows/ci-cd-staging.yml (2 hunks)
• .github/workflows/ci-cd-yt01.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/ci-cd-main.yml

63-63: property "release-please" is not defined in object type {build-and-test: {outputs: {}; result: string}; check-for-changes: {outputs: {hasbackendchanges: string; hasinfrachanges: string; hasmigrationchanges: string; hasschemachanges: string; hasslacknotifierchanges: string; hastestchanges: string}; result: string}; generate-git-short-sha: {outputs: {gitshortsha: string}; result: string}; get-current-version: {outputs: {version: string}; result: string}}

(expression)

---

73-73: property "release-please" is not defined in object type {check-for-changes: {outputs: {hasbackendchanges: string; hasinfrachanges: string; hasmigrationchanges: string; hasschemachanges: string; hasslacknotifierchanges: string; hastestchanges: string}; result: string}; generate-git-short-sha: {outputs: {gitshortsha: string}; result: string}; get-current-version: {outputs: {version: string}; result: string}}

(expression)

---

99-99: property "release-please" is not defined in object type {check-for-changes: {outputs: {hasbackendchanges: string; hasinfrachanges: string; hasmigrationchanges: string; hasschemachanges: string; hasslacknotifierchanges: string; hastestchanges: string}; result: string}; deploy-infra: {outputs: {}; result: string}; generate-git-short-sha: {outputs: {gitshortsha: string}; result: string}; get-current-version: {outputs: {version: string}; result: string}; publish-main: {outputs: {}; result: string}}

(expression)

---

120-120: property "release-please" is not defined in object type {check-for-changes: {outputs: {hasbackendchanges: string; hasinfrachanges: string; hasmigrationchanges: string; hasschemachanges: string; hasslacknotifierchanges: string; hastestchanges: string}; result: string}}

(expression)

---

136-136: property "release-please" is not defined in object type {check-for-changes: {outputs: {hasbackendchanges: string; hasinfrachanges: string; hasmigrationchanges: string; hasschemachanges: string; hasslacknotifierchanges: string; hastestchanges: string}; result: string}; deploy-apps: {outputs: {deployment_executed: string}; result: string}; generate-git-short-sha: {outputs: {gitshortsha: string}; result: string}; get-current-version: {outputs: {version: string}; result: string}}

(expression)

---

146-146: property "release-please" is not defined in object type {check-for-changes: {outputs: {hasbackendchanges: string; hasinfrachanges: string; hasmigrationchanges: string; hasschemachanges: string; hasslacknotifierchanges: string; hastestchanges: string}; result: string}; deploy-apps: {outputs: {deployment_executed: string}; result: string}}

(expression)

🔇 Additional comments (6)

.github/workflows/ci-cd-yt01.yml (2)

133-133: LGTM: Failure notification dependencies updated correctly

The updated job dependencies correctly reflect the workflow changes, ensuring that failure notifications will trigger for all critical deployment and test steps.

---

66-66: Verify image availability before deployment

The removal of the publish job dependency aligns with the goal of building images once. However, this creates a potential race condition where the deployment might start before the image is available from the main workflow.

Consider these mitigations:

1. Add a step to verify image existence before deployment
2. Implement a retry mechanism in case the image isn't immediately available

✅ Verification successful

Image availability is handled correctly - no changes needed

The removal of the publish job dependency is safe because:

1. The main workflow publishes images before any environment deployments start
2. The deployment uses the same version tag that was published in the main workflow
3. Azure Container Apps handles image pull retries automatically if the image isn't immediately available

The race condition concern is mitigated by the natural workflow sequence - main workflow publishes before environment-specific workflows run.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for related changes in other workflow files to ensure consistent image handling

# Check for image verification steps in the deploy-apps workflow
rg -A 10 "workflow-deploy-apps.yml" .github/workflows/

Length of output: 9526

---

Script:

#!/bin/bash
# Let's check the workflow-deploy-apps.yml file to see if it has any image verification steps
rg -l "workflow-deploy-apps.yml" .github/workflows/

# If found, let's examine its content for image verification
cat .github/workflows/workflow-deploy-apps.yml

Length of output: 12824

---

Script:

#!/bin/bash
# Let's check the main workflow to understand how the image is published and how it relates to the yt01 workflow
rg -A 10 "publish" .github/workflows/ci-cd-main.yml

# Also check if there's any image verification in the bicep templates
rg -l "image:" .azure/applications/

Length of output: 4338

.github/workflows/ci-cd-staging.yml (2)

66-66: LGTM! Dependencies correctly updated for deploy-apps job

The removal of the publish job dependency aligns with the PR objective of eliminating redundant image builds. This change maintains the essential dependencies while streamlining the workflow.

---

142-142: LGTM! Failure notification dependencies properly updated

The send-slack-message-on-failure job dependencies have been correctly updated to reflect the current workflow structure, ensuring proper failure notifications while removing the redundant publish job dependency.

.github/workflows/ci-cd-main.yml (2)

73-73: Consistent conditional execution based on release status

The conditions across deployment jobs are consistently implemented to run only when there's no release. This aligns with the workflow's objective.

Note: You can safely ignore the static analysis warnings about undefined "release-please" property. These are false positives as the release-please job and its outputs are properly defined in the workflow.

Also applies to: 99-99, 120-120, 136-136, 146-146

🧰 Tools

🪛 actionlint (1.7.4)

73-73: property "release-please" is not defined in object type {check-for-changes: {outputs: {hasbackendchanges: string; hasinfrachanges: string; hasmigrationchanges: string; hasschemachanges: string; hasslacknotifierchanges: string; hastestchanges: string}; result: string}; generate-git-short-sha: {outputs: {gitshortsha: string}; result: string}; get-current-version: {outputs: {version: string}; result: string}}

(expression)

---

21-22: LGTM: Release output addition enables conditional workflows

The addition of release_created output is well-implemented and crucial for controlling downstream jobs.

Let's verify the release-please action's output usage:

✅ Verification successful

✅ Release output is correctly implemented and consistently used

The release_created output from the release-please job is properly implemented and consistently used throughout the workflow to control job execution:

• Used to trigger release-specific jobs when true
• Controls main branch deployments when false
• Properly referenced in all conditional statements using the correct syntax needs.release-please.outputs.release_created

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify release-please action output usage
# Check if the release_created output is consistently used across the workflow

rg -l "release-please.outputs.release_created" .github/workflows/

Length of output: 98

---

Script:

#!/bin/bash
# Let's check how the release_created output is used in the workflow
rg -A 2 "release-please.outputs.release_created" .github/workflows/ci-cd-main.yml

Length of output: 1931