ADFA-2499 Correctly compress release assets #796

Merged
hal-eisen-adfa merged 1 commit into stage from ADFA-2499-fix-empty-brotli-files
Jan 7, 2026

@hal-eisen-adfa
Collaborator

No description provided.

hal-eisen-adfa merged commit 423efc8 into stage Jan 7, 2026
1 of 2 checks passed
hal-eisen-adfa deleted the ADFA-2499-fix-empty-brotli-files branch January 7, 2026 02:25
@coderabbitai
Contributor

coderabbitai bot commented Jan 7, 2026

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Release Notes - ADFA-2499: Correctly compress release assets

Changes

  • Refactored release asset compression workflow - Replaced the previous MD5 generation and upload approach with a new "Compress and Prepare Release Assets" step in the GitHub Actions workflow
  • Implemented Brotli compression for release assets - All release assets (gradle binaries, Maven repository, documentation database, and architecture-specific SDKs) are now compressed using Brotli compression before upload
  • Flattened release directory structure - Created a temporary flattened release directory structure with subdirectories for v7 and v8 instead of nested hierarchy (previously: assets/release/common/data/common/... → now: release/v7/, release/v8/, and root level)
  • Per-file MD5 checksum generation - Each compressed .br file now generates an accompanying .md5 checksum file for integrity verification
  • Added source file existence validation - Introduced compress_file() function that validates source files exist before compression, preventing empty .br files from being created
  • Special handling for plugin artifacts - Plugin artifacts are copied from the Gradle build output (which pre-compresses them) with corresponding MD5 checksums generated
  • SCP-based server upload - Replaced previous upload mechanism with SCP directory recursion (scp -r) to the GreenGeeks server
  • Conditional execution - Workflow now gracefully handles missing SCP_HOST variable with a warning and early exit instead of failing

Risks & Best Practice Violations

  • ⚠️ Limited Error Handling - No retry mechanism for SCP upload failures; if upload fails, the workflow continues without notification. Consider adding error checks and notifications after SCP command
  • ⚠️ Security: Insecure SSH Configuration - SSH connections use StrictHostKeyChecking=no, which disables host key verification and increases susceptibility to man-in-the-middle attacks. Recommend using a known_hosts pre-populated approach
  • ⚠️ Deprecated Hash Algorithm - MD5 checksums are cryptographically broken; for integrity purposes, consider SHA-256 or similar modern alternatives
  • ⚠️ Dependency on CLI Tools - Relies on brotli CLI tool being available on the self-hosted runner; no graceful fallback if tool is missing. Consider adding pre-flight CLI availability check
  • ⚠️ No Post-Upload Verification - No validation performed after SCP upload to confirm files were transferred successfully or match checksums
  • ⚠️ Hardcoded File Paths - Asset paths are hardcoded in the workflow script; changes to Gradle output structure will break the workflow without updates
  • ⚠️ Missing Error Exit Code Check - The compress_file() function only logs warnings for missing source files but continues execution; consider failing fast if critical assets are missing
  • ⚠️ Sensitive Directory Permissions - Temporary directory cleanup may not execute if workflow is cancelled, potentially leaving unencrypted assets on disk

Walkthrough

The workflow replaces MD5 generation and direct asset uploading with a new compression-based pipeline. It now validates SCP configuration, creates a flattened temporary release structure, compresses selected assets using Brotli, generates accompanying MD5 checksums, and uploads the prepared structure via SCP before cleanup.

Changes

Cohort / File(s): CI/CD Workflow Restructuring (.github/workflows/generate_assets.yml)
Summary: Refactored release asset preparation workflow: replaced directory-based MD5 generation with per-file Brotli compression and MD5 checksum generation; introduced conditional SCP_HOST validation with warning fallback; created flattened temporary release structure (TEMP_DIR/release/{v7,v8}); added plugin-artifacts.zip.br handling; replaced upload logic with explicit scp command; updated logging semantics from "uploading" to "preparing".

Sequence Diagram

sequenceDiagram
    actor GHA as GitHub Actions
    participant FS as Filesystem
    participant ENC as Compression<br/>(Brotli)
    participant CHK as MD5 Checksum
    participant SCP as SCP Server

    GHA->>GHA: Validate SCP_HOST configured
    alt SCP_HOST not set
        GHA->>GHA: Log warning, skip preparation
    else SCP_HOST set
        GHA->>FS: Create TEMP_DIR/release/{v7,v8}
        GHA->>FS: Identify v7 assets
        loop For each v7 asset
            GHA->>ENC: Compress asset → .br
            ENC->>FS: Write compressed file
            GHA->>CHK: Generate MD5 checksum
            CHK->>FS: Write .md5 alongside .br
        end
        GHA->>FS: Identify v8 assets
        loop For each v8 asset
            GHA->>ENC: Compress asset → .br
            ENC->>FS: Write compressed file
            GHA->>CHK: Generate MD5 checksum
            CHK->>FS: Write .md5 alongside .br
        end
        GHA->>FS: Check for plugin-artifacts.zip.br
        alt Plugin artifacts exist
            GHA->>FS: Copy plugin-artifacts.zip.br
            GHA->>CHK: Generate/copy MD5
            CHK->>FS: Write plugin-artifacts.zip.br.md5
        end
        GHA->>GHA: Log "preparing release assets"
        GHA->>SCP: Upload TEMP_DIR/release via scp
        SCP->>SCP: Receive release structure
        GHA->>FS: Cleanup TEMP_DIR
        GHA->>GHA: Log completion
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Compressed whispers on the wind,
Brotli squeezes assets slim,
MD5 checksums guard the way,
SCP carries them astray,
From workflow dreams to server's keep!


📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c16deb7 and f8cbe2b.

📒 Files selected for processing (1)
  • .github/workflows/generate_assets.yml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.
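
The failure modes listed in the review above (empty .br files from missing sources, no pre-flight check for the brotli CLI, MD5 checksums, StrictHostKeyChecking=no, an scp failure that goes unnoticed) can be closed in the shell step itself. The following is an added example, not the workflow code from this PR: BROTLI_BIN, KNOWN_HOSTS_FILE and REMOTE_DIR are hypothetical names, and SHA-256 stands in for the MD5 the workflow generates.

```bash
# Added example; BROTLI_BIN, KNOWN_HOSTS_FILE and REMOTE_DIR are assumed names.
BROTLI_BIN="${BROTLI_BIN:-brotli}"

# compress_file SRC DEST
# 0 = ok, 2 = source missing or empty, 3 = compressor not installed,
# 4 = compression failed or produced an empty file.
compress_file() {
  local src="$1" dest="$2" tmp="$2.partial"
  if [ ! -s "$src" ]; then
    echo "ERROR: source missing or empty: $src" >&2
    return 2
  fi
  if ! command -v "$BROTLI_BIN" >/dev/null 2>&1; then
    echo "ERROR: compressor not found: $BROTLI_BIN" >&2
    return 3
  fi
  # Compress to a temporary name so a failed run never leaves a .br behind.
  if ! "$BROTLI_BIN" -c "$src" > "$tmp" || [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo "ERROR: compression failed: $src" >&2
    return 4
  fi
  mv "$tmp" "$dest"
  # Checksum file sits beside the .br and records only the base name.
  ( cd "$(dirname "$dest")" &&
    sha256sum "$(basename "$dest")" > "$(basename "$dest").sha256" )
}

# verify_release DIR: re-check every .sha256 under DIR, non-zero on mismatch.
verify_release() {
  find "$1" -type f -name '*.sha256' | while IFS= read -r sum; do
    ( cd "$(dirname "$sum")" && sha256sum -c "$(basename "$sum")" >/dev/null ) || {
      echo "ERROR: checksum mismatch: ${sum%.sha256}" >&2
      exit 1
    }
  done
}

# upload_release DIR: verify first, then copy with host key checking enforced.
# A failed scp makes the function, and so the workflow step, fail.
upload_release() {
  verify_release "$1" || return 1
  scp -r -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile="${KNOWN_HOSTS_FILE:?pinned known_hosts file required}" \
    "$1" "${SCP_HOST:?}:${REMOTE_DIR:?}"
}
```

Running verify_release against a copy pulled back from the server covers the post-upload check the review asks for.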
