ci: include build.yml in Thailand dedup filter to mirror base triggers#36
Conversation
The build-thailand.yml push-path dedup guard skips the overlay build when build.yml will rebuild the base for the same push (deferring to the chained workflow_run, which overlays the fresh base). Its base-paths filter listed the base *content* paths but omitted `.github/workflows/build.yml` — itself a build.yml trigger. So a push that changed only build.yml's workflow file (e.g. PR #35's merge) ran build.yml AND a redundant Thailand overlay that pinned a soon-stale `latest`, later corrected by the workflow_run run. Harmless when base content is unchanged (the overlay is byte-equivalent), but a wasted build and a brief window of a throwaway digest on agent-sandbox-thailand:latest. Add `.github/workflows/build.yml` so the filter mirrors build.yml's push `paths:` exactly; the push overlay now defers whenever the base is rebuilt. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@coderabbitai full review |
✅ Action performedFull review finished. |
WalkthroughThe Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/build-thailand.yml (1)
58-60:⚠️ Potential issue | 🟠 Major | ⚡ Quick winDisable credential persistence in checkout step.
actions/checkoutdefaults to persistingGITHUB_TOKENin local git config for later steps. Setpersist-credentials: falseto reduce token exposure in downstream tooling/artifacts.Suggested patch
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: + persist-credentials: false # Build from the same commit the base image was built from on the # workflow_run path; otherwise the pushed / dispatched ref. ref: ${{ github.event.workflow_run.head_sha || github.ref }}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build-thailand.yml around lines 58 - 60, The actions/checkout step in the build-thailand.yml workflow is missing the persist-credentials configuration, which allows the GITHUB_TOKEN to remain in the local git config and potentially be exposed to downstream tools. Add persist-credentials: false to the with section of the actions/checkout step to disable token persistence and reduce security exposure.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/build-thailand.yml:
- Around line 58-60: The actions/checkout step in the build-thailand.yml
workflow is missing the persist-credentials configuration, which allows the
GITHUB_TOKEN to remain in the local git config and potentially be exposed to
downstream tools. Add persist-credentials: false to the with section of the
actions/checkout step to disable token persistence and reduce security exposure.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: fe5127b8-55c0-4b47-8826-435d0b5bcbc0
📒 Files selected for processing (1)
.github/workflows/build-thailand.yml
Problem
build-thailand.yml's push-path dedup guard ("Detect base-relevant changes") is meant to skip the Thai overlay build wheneverbuild.ymlwill rebuild the base for the same push — deferring to the chainedworkflow_runrun, which overlays the fresh base. But its filter listed only the base content paths and omitted.github/workflows/build.yml, which is itself abuild.ymltrigger.Observed on PR #35's merge (commit
f6de284)That merge changed
.github/workflows/build.yml(+Dockerfile.thailand) but no base-content paths. Result:The push overlay ran redundantly and briefly pinned a soon-stale
latest, corrected ~2.3 min later by theworkflow_runrun. All three runs succeeded and the final state was correct — this was wasted work + a transient throwaway digest, not a correctness bug (when base content is unchanged the overlay is byte-equivalent; when it does change, the existing content paths already catch it).Fix
Add
.github/workflows/build.ymlto the dedup filter so it mirrorsbuild.yml's pushpaths:exactly. Now the Thai push overlay defers toworkflow_runwhenever the base is rebuilt — including a workflow-file-only change — eliminating the duplicate build and the transient stale-latestwindow (and the small race that could bite under runner contention).Verified: filter now equals
build.ymlpush paths (Dockerfile,skills/**,plugins/**,agent/**,entrypoint.sh,.github/workflows/build.yml); actionlint clean; YAML valid.🤖 Generated with Claude Code
Summary by CodeRabbit