ci: include build.yml in Thailand dedup filter to mirror base triggers #36

Merged: sangwa merged 1 commit into main from ci/dedup-build-workflow-path on Jun 19, 2026

sangwa commented Jun 19, 2026

Problem

build-thailand.yml's push-path dedup guard ("Detect base-relevant changes") is meant to skip the Thai overlay build whenever build.yml will rebuild the base for the same push — deferring to the chained workflow_run run, which overlays the fresh base. But its filter listed only the base content paths and omitted .github/workflows/build.yml, which is itself a build.yml trigger.

Observed on PR #35's merge (commit f6de284)

That merge changed .github/workflows/build.yml (+ Dockerfile.thailand) but no base-content paths. Result:

10:20:57  thai [push]         → thai:{sha,latest} = ee2671c5   (overlay of OLD latest)
10:21:59  base build [push]   → agent-sandbox:{sha,latest}     (fresh base)
10:23:17  thai [workflow_run] → thai:{sha,latest} = 0b6a10c2   (overlay of fresh base) ← wins

The push overlay ran redundantly and briefly pinned a soon-stale latest, corrected ~2.3 min later by the workflow_run run. All three runs succeeded and the final state was correct — this was wasted work + a transient throwaway digest, not a correctness bug (when base content is unchanged the overlay is byte-equivalent; when it does change, the existing content paths already catch it).

Fix

Add .github/workflows/build.yml to the dedup filter so it mirrors build.yml's push paths: exactly. Now the Thai push overlay defers to workflow_run whenever the base is rebuilt — including a workflow-file-only change — eliminating the duplicate build and the transient stale-latest window (and the small race that could bite under runner contention).

Verified: filter now equals build.yml push paths (Dockerfile, skills/**, plugins/**, agent/**, entrypoint.sh, .github/workflows/build.yml); actionlint clean; YAML valid.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Improved internal build process configuration to ensure consistent workflow execution and prevent stale build artifacts.

The build-thailand.yml push-path dedup guard skips the overlay build when
build.yml will rebuild the base for the same push (deferring to the chained
workflow_run, which overlays the fresh base). Its base-paths filter listed the
base *content* paths but omitted `.github/workflows/build.yml` — itself a
build.yml trigger.

So a push that changed only build.yml's workflow file (e.g. PR #35's merge) ran
build.yml AND a redundant Thailand overlay that pinned a soon-stale `latest`,
later corrected by the workflow_run run. Harmless when base content is
unchanged (the overlay is byte-equivalent), but a wasted build and a brief
window of a throwaway digest on agent-sandbox-thailand:latest.

Add `.github/workflows/build.yml` so the filter mirrors build.yml's push
`paths:` exactly; the push overlay now defers whenever the base is rebuilt.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
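
The dedup decision and the PR #35 incident described above, modeled as an added example (not code from this PR or the repository). It assumes the push also triggers build-thailand.yml and approximates GitHub's path globbing with `fnmatch`; the function names are illustrative, and the path lists are the ones quoted in the PR description.

```python
from fnmatch import fnmatchcase

# build.yml push paths, as listed in the PR's "Verified" line.
BASE_TRIGGER_PATHS = [
    "Dockerfile", "skills/**", "plugins/**", "agent/**",
    "entrypoint.sh", ".github/workflows/build.yml",
]
# Dedup filter before the fix: base content paths only (per the PR text).
FILTER_BEFORE = [p for p in BASE_TRIGGER_PATHS
                 if p != ".github/workflows/build.yml"]
FILTER_AFTER = list(BASE_TRIGGER_PATHS)


def touches(changed, patterns):
    """True if any changed file matches any pattern.
    Approximation of GitHub path filters: fnmatch's '*' also crosses '/'."""
    return any(fnmatchcase(f, pat) for f in changed for pat in patterns)


def plan_push(changed, dedup_filter):
    """Runs one push produces under a given dedup filter.
    Assumption: the push itself triggers the Thailand workflow."""
    runs = []
    if not touches(changed, dedup_filter):
        runs.append("thai[push]")            # overlay of whatever latest is now
    if touches(changed, BASE_TRIGGER_PATHS):
        runs += ["base[push]", "thai[workflow_run]"]  # fresh base, then overlay
    return runs


def filter_drift(dedup_filter):
    """(paths that trigger the base build but are missing from the filter,
        paths in the filter that do not trigger the base build)."""
    trig, filt = set(BASE_TRIGGER_PATHS), set(dedup_filter)
    return sorted(trig - filt), sorted(filt - trig)


# Constructed input: the files the PR says PR #35's merge changed.
PR35_CHANGED = [".github/workflows/build.yml", "Dockerfile.thailand"]

if __name__ == "__main__":
    print("before fix:", plan_push(PR35_CHANGED, FILTER_BEFORE))
    print("after fix: ", plan_push(PR35_CHANGED, FILTER_AFTER))
    print("drift before fix:", filter_drift(FILTER_BEFORE))
```

Running `filter_drift` against the two real lists in CI would turn the "must mirror exactly" comment into an enforced check.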

sangwa commented Jun 19, 2026

@coderabbitai full review

coderabbitai Bot commented Jun 19, 2026

✅ Action performed

Full review finished.

coderabbitai Bot commented Jun 19, 2026

Walkthrough

The build-thailand.yml workflow receives two small updates. First, the inline comments for the push-only path-change scenario are revised to explicitly state that the Thailand workflow's base-path list must mirror build.yml's push paths: exactly, including the build.yml file itself, to prevent overlaying a stale latest tag and to correctly defer to the chained workflow_run. Second, .github/workflows/build.yml is added to the Detect base-relevant changes path filter, so modifications to the base build workflow are treated as base-relevant and skip overlay building.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • EternisAI/agent-sandbox#35: Rewrote build-thailand.yml to introduce base-relevant path filtering and workflow chaining, which is the direct predecessor of this fix adding build.yml to that same filter.

Poem

🐇 A path was missing, the filter incomplete,
build.yml itself had slipped past, oh the feat!
Now mirrored exactly, the lists align true,
No stale latest shall sneak through the queue.
Hippity-hop, the workflow is neat! 🌸

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding .github/workflows/build.yml to the Thailand dedup filter to mirror base triggers. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build-thailand.yml (1)

58-60: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable credential persistence in checkout step.

actions/checkout defaults to persisting GITHUB_TOKEN in local git config for later steps. Set persist-credentials: false to reduce token exposure in downstream tooling/artifacts.

Suggested patch
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
+          persist-credentials: false
           # Build from the same commit the base image was built from on the
           # workflow_run path; otherwise the pushed / dispatched ref.
           ref: ${{ github.event.workflow_run.head_sha || github.ref }}
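Review bot: at the added `persist-credentials: false` line under `with:`, the hunk does not show whether a later step in this job runs an authenticated git command (a push, a tag, a private submodule fetch). With the token no longer written to the local git config those steps would fail, so check the rest of the job before applying and pass the token explicitly to any step that needs it. The change is also unrelated to the dedup filter this PR is about, so it would read better as its own commit. Leaving the existing comment directly above `ref:`, as the patch does, is the right placement.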
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-thailand.yml around lines 58 - 60, The
actions/checkout step in the build-thailand.yml workflow is missing the
persist-credentials configuration, which allows the GITHUB_TOKEN to remain in
the local git config and potentially be exposed to downstream tools. Add
persist-credentials: false to the with section of the actions/checkout step to
disable token persistence and reduce security exposure.

Source: Linters/SAST tools

📥 Commits

Reviewing files that changed from the base of the PR and between f6de284 and e12d894.

📒 Files selected for processing (1)
  • .github/workflows/build-thailand.yml

@sangwa sangwa merged commit 63a37c6 into main Jun 19, 2026
3 checks passed