
Conversation

@NiveditJain (Member)

- Add repo guard to publish and release workflows
- Ensure deploy workflow only runs in canonical repo
- Align with #69 to prevent publishing from forks/PRs
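The repository guard this PR adds, checked programmatically: an added example (not code from the exospherehost project) that scans a workflow's `jobs:` block for publish/deploy/release jobs lacking `if: github.repository == 'exospherehost/exospherehost'`, and also flags a guard weakened by a top-level `||`. The job-id prefixes and the two sample workflows are constructed assumptions, not the repository's real files.

```python
"""Flag publish/deploy/release jobs in a GitHub Actions workflow that are not
gated on the canonical repository. Added example, not exospherehost code: a
line-based scan of the `jobs:` block (job ids at indent 2, job keys at indent 4,
`if:` continuation lines deeper than 4) rather than a full YAML parser."""
import re

CANONICAL_REPO = "exospherehost/exospherehost"          # repo named in the PR
SENSITIVE_PREFIXES = ("publish", "deploy", "release")  # assumed job-id convention

def job_conditions(workflow_text):
    """Return {job_id: if-expression or None} for every job in the workflow."""
    conds, in_jobs, job, in_if = {}, False, None, False
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                                   # top-level key (on:, env:, jobs:)
            in_jobs, job, in_if = line == "jobs:", None, False
        elif in_jobs and indent == 2 and line.endswith(":"):
            job, in_if = line.strip()[:-1], False
            conds[job] = None
        elif in_jobs and indent == 4 and job is not None:
            key, _, value = line.strip().partition(":")
            in_if = key == "if"
            if in_if:
                conds[job] = value.strip()
        elif in_jobs and indent > 4 and in_if:
            # plain-scalar continuation of a multi-line `if:` (the `&&` form)
            conds[job] = f"{conds[job]} {line.strip()}"
    return conds

def _has_top_level_or(expr):
    """True if an `||` sits outside all parentheses, where it can bypass the guard."""
    depth = 0
    for i, ch in enumerate(expr):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and expr.startswith("||", i):
            return True
    return False

def has_repo_guard(expr, repo=CANONICAL_REPO):
    """True if the expression pins github.repository to `repo` with no `||` escape."""
    if not expr:
        return False
    inner = re.sub(r"^\$\{\{\s*|\s*\}\}$", "", expr.strip())   # strip ${{ ... }}
    pinned = re.search(rf"github\.repository\s*==\s*['\"]{re.escape(repo)}['\"]", inner)
    return pinned is not None and not _has_top_level_or(inner)

def unguarded_sensitive_jobs(workflow_text, repo=CANONICAL_REPO):
    """Job ids that publish/deploy/release but are not gated on `repo`."""
    return [job for job, expr in job_conditions(workflow_text).items()
            if job.startswith(SENSITIVE_PREFIXES) and not has_repo_guard(expr, repo)]

# Constructed samples modelled on the workflows this PR touches (not the real files).
SAMPLE_GUARDED = """\
jobs:
  publish-image:
    if: github.repository == 'exospherehost/exospherehost' &&
        (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
  deploy-to-k8s:
    if: ${{ github.repository == 'exospherehost/exospherehost' }}
"""
SAMPLE_UNGUARDED = """\
jobs:
  test:
    runs-on: ubuntu-latest
  publish:
    if: github.event_name == 'release' || github.repository == 'exospherehost/exospherehost'
"""
```

Run it over `.github/workflows/*.yml` in CI to catch a publish or deploy job that is added later without the guard.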
@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@coderabbitai (Contributor)

coderabbitai bot commented Aug 31, 2025

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Tightened CI/CD workflows so publish/deploy jobs run only in the official repository. Affects API server deployment, image publishing and Kubernetes deploys for the API server, dashboard, landing page, and state manager, plus publish/release jobs for the Python SDK and dashboard.
    • In forks or other repositories, these jobs are skipped; other steps (e.g., tests) are unchanged.
    • Ensures releases and deployments originate only from the official source; no functional changes to the apps.

Walkthrough

Adds repository-gating conditions to selected GitHub Actions jobs so they run only when github.repository equals 'exospherehost/exospherehost'. Affected workflows span deploy, publish, and release pipelines. No other steps, permissions, or configurations are changed.

Changes

Cohort / File(s): Summary of Changes

Kubernetes Deploy Workflow (.github/workflows/deploy-kubernetes.yml)
  Added job-level condition on deploy-api-server: if: github.repository == 'exospherehost/exospherehost'.

Publish Workflows (.github/workflows/publish-api-server.yml, .github/workflows/publish-dashboard.yml, .github/workflows/publish-landing-page.yml, .github/workflows/publish-python-sdk.yml, .github/workflows/publish-state-mangaer.yml)
  Added repo guard conditions:
  - publish-api-server: publish-image, deploy-to-k8s gated.
  - publish-dashboard: publish-image gated.
  - publish-landing-page: publish-image, deploy-to-k8s gated.
  - publish-python-sdk: publish job gated.
  - publish-state-mangaer: publish-image gated.

Release Workflows (.github/workflows/release-dashboard.yml, .github/workflows/release-python-sdk.yml, .github/workflows/release-state-manager.yml)
  Added repo guard conditions:
  - release-dashboard: publish-image gated.
  - release-python-sdk: publish job gated.
  - release-state-manager: publish-image gated.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Dev as Developer
    participant GH as GitHub Actions
    participant WF as Workflow
    participant J as Job (publish/deploy)
    participant S as Steps

    Dev->>GH: Push/Tag/Dispatch
    GH->>WF: Start workflow
    WF->>J: Evaluate job condition
    alt github.repository == 'exospherehost/exospherehost'
        J->>S: Execute job steps
        S-->>J: Success/Failure
    else Not canonical repository
        J-->>WF: Skip job
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through YAML fields at night,
Flipping tiny guards just right—
If repo’s true, the jobs ignite;
Else I nap till morning light.
Thump-thump! Pipelines snug and tight. 🐇✨

@coderabbitai (Contributor) left a comment

Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
.github/workflows/release-python-sdk.yml (1)

24-24: Align uv action versions.

Use a single version across jobs for determinism.

-      - name: Install uv
-        uses: astral-sh/setup-uv@v2
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
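Review bot: aligning on `astral-sh/setup-uv@v6` is a major-version jump for the job that publishes the SDK, and a floating major tag is what will run on every future release; as a supply-chain measure, pin both occurrences (this one and the lines 70-71 case noted below) to the full commit SHA of the chosen release with the version in a trailing comment, so a moved or replaced `v6` tag cannot change what executes in the publish path.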

Also applies to: 70-71

.github/workflows/publish-api-server.yml (1)

48-50: docker/metadata-action tag syntax: remove spaces after commas.

Current lines likely won't parse.

-            type=raw, value=latest
-            type=sha, value=${{ env.SHA_TAG }}
+            type=raw,value=latest
+            type=sha,value=${{ env.SHA_TAG }}
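Review bot: the corrected `type=raw,value=latest` and `type=sha,value=${{ env.SHA_TAG }}` lines use the comma-separated key=value form the metadata action documents; verify the fix by inspecting the `tags` output of the metadata step on the next run, and fix the identical spacing error in publish-state-mangaer.yml (lines 105-106, noted below) in the same commit so the two image workflows do not diverge.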
.github/workflows/publish-state-mangaer.yml (2)

1-1: Typo in filename: “mangaer”.

Consider renaming to publish-state-manager.yml for consistency.

105-106: docker/metadata-action tag syntax: remove spaces after commas.

Fix to ensure tags are generated.

-            type=raw, value=beta-latest
-            type=sha, value=${{ env.SHA_TAG }}
+            type=raw,value=beta-latest
+            type=sha,value=${{ env.SHA_TAG }}
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between b6f1db8 and 554de2e.

📒 Files selected for processing (9)
  • .github/workflows/deploy-kubernetes.yml (1 hunks)
  • .github/workflows/publish-api-server.yml (2 hunks)
  • .github/workflows/publish-dashboard.yml (1 hunks)
  • .github/workflows/publish-landing-page.yml (2 hunks)
  • .github/workflows/publish-python-sdk.yml (1 hunks)
  • .github/workflows/publish-state-mangaer.yml (1 hunks)
  • .github/workflows/release-dashboard.yml (1 hunks)
  • .github/workflows/release-python-sdk.yml (1 hunks)
  • .github/workflows/release-state-manager.yml (1 hunks)

.github/workflows/deploy-kubernetes.yml

jobs:
  deploy-api-server:
    runs-on: ubuntu-latest
    if: github.repository == 'exospherehost/exospherehost'

🛠️ Refactor suggestion

Restrict workflow_dispatch runs to main as well.

This workflow is dispatch-only; add a ref guard to avoid accidental non-main deploys, and use explicit expression syntax.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' && github.ref == 'refs/heads/main' }}
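Review bot: the added `github.ref == 'refs/heads/main'` clause is the right complement to the repository check for a dispatch-only deploy, since on `workflow_dispatch` `github.ref` is whichever branch or tag the person dispatching selected; the `${{ }}` wrapper changes nothing in an `if:` but is harmless. The 'Prompt for AI Agents' text below additionally asks for an `event_name == 'workflow_dispatch'` clause that this hunk does not contain; for a workflow with no other trigger that clause is redundant, so apply the hunk as written.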
🤖 Prompt for AI Agents
.github/workflows/deploy-kubernetes.yml around line 9: the current if condition
only checks the repository and allows workflow_dispatch runs from any ref;
update the condition to explicitly require this to be a workflow_dispatch event
and require the ref to be the main branch (refs/heads/main) in addition to the
repository check, using the explicit logical expression form (combine
repository, event_name == workflow_dispatch, and ref == refs/heads/main) so
dispatch-only runs are guarded to main only.

.github/workflows/publish-api-server.yml

jobs:
  publish-image:
    runs-on: ubuntu-latest
    if: github.repository == 'exospherehost/exospherehost'

🛠️ Refactor suggestion

Gate is correct; add branch constraints for release/dispatch.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' &&
+        (github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
+        (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
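Review bot: `github.event.release.target_commitish` is a weaker check than it looks. It records the branch name or SHA supplied when the release was created and is ignored by GitHub when the tag already existed, so it does not prove the tagged commit is on `main`; a step that fetches `main` and runs `git merge-base --is-ancestor "$GITHUB_SHA" origin/main` does. The multi-line plain scalar folds into a single expression, which is fine. Also, the 'Prompt for AI Agents' text below describes a different rule (release/* branches or any manual dispatch) from this hunk; reconcile the two before applying either.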
🤖 Prompt for AI Agents
In .github/workflows/publish-api-server.yml around line 20, the current gate
only checks the repository; update the if to also restrict runs to release
branches and manual dispatches. Change the condition to require
github.repository == 'exospherehost/exospherehost' AND (startsWith(github.ref,
'refs/heads/release/') OR github.event_name == 'workflow_dispatch'), so the
workflow only runs for release/* branches or when manually dispatched in that
repo.

.github/workflows/publish-api-server.yml

  deploy-to-k8s:
    needs: publish-image
    runs-on: ubuntu-latest
    if: github.repository == 'exospherehost/exospherehost'

🛠️ Refactor suggestion

Mirror the same guard on deploy job.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' &&
+        (github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
+        (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
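Review bot: `deploy-to-k8s` has `needs: publish-image`, so when `publish-image` is skipped by its own guard this job is skipped too (a job `if:` that uses no status function is implicitly combined with `success()`); the mirrored guard is therefore defence in depth rather than the primary control, and still worth keeping so the protection survives if the `needs` edge is later removed. The 'Prompt for AI Agents' text below says the deploy job is missing the repository guard entirely, which does not match this hunk, where the guard is already present and only the branch constraints are being added.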
🤖 Prompt for AI Agents
In .github/workflows/publish-api-server.yml around line 62, the "deploy" job is
missing the same repository guard used elsewhere; add the line "if:
github.repository == 'exospherehost/exospherehost'" to the deploy job definition
(preserving YAML indentation) or combine it with any existing if condition using
&& so the deploy job only runs for that repository.

.github/workflows/publish-dashboard.yml

jobs:
  publish-image:
    runs-on: ubuntu-latest
    if: github.repository == 'exospherehost/exospherehost'

🧹 Nitpick (assertive)

Repo gate looks right; prefer explicit expression syntax for consistency.

Functionally OK; this is a style/readability nit that aligns with Actions examples.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' }}
🤖 Prompt for AI Agents
.github/workflows/publish-dashboard.yml around line 20: the if condition uses a
raw string instead of the explicit Actions expression syntax; change it to use
the expression wrapper so the condition reads using ${{ ... }} (e.g. if: ${{
github.repository == 'exospherehost/exospherehost' }}) to match repository-wide
style and examples.

.github/workflows/publish-landing-page.yml

jobs:
  publish-image:
    runs-on: ubuntu-latest
    if: github.repository == 'exospherehost/exospherehost'

🧹 Nitpick (assertive)

Good repo gate; wrap in expression syntax and (optionally) guard manual runs to main.

Using explicit expression syntax improves readability and parity with docs. Since this workflow supports workflow_dispatch, consider ensuring manual runs happen only on main.

Apply:

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}
🤖 Prompt for AI Agents
.github/workflows/publish-landing-page.yml around line 20: the conditional uses
plain YAML boolean style; wrap the repository check in GitHub Actions expression
syntax and optionally restrict manual workflow_dispatch runs to main. Replace
the line with an expression using ${{ ... }} for the repo comparison, and if you
want to guard manual runs add an OR condition that allows non-dispatch events or
requires github.ref == 'refs/heads/main' when github.event_name ==
'workflow_dispatch' so manual triggers only run on main.

.github/workflows/publish-python-sdk.yml

    defaults:
      run:
        working-directory: python-sdk
    if: github.repository == 'exospherehost/exospherehost'

🧹 Nitpick (assertive)

Use explicit expression syntax for the repo gate.

Keeps conditions uniform across workflows.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' }}
🤖 Prompt for AI Agents
In .github/workflows/publish-python-sdk.yml around line 69, the workflow uses a
bare condition `if: github.repository == 'exospherehost/exospherehost'`; change
it to the explicit GitHub Actions expression syntax by wrapping the condition in
${{ ... }}, e.g. use `if: ${{ github.repository == 'exospherehost/exospherehost'
}}`, so the condition is evaluated consistently with other workflows.

.github/workflows/publish-state-mangaer.yml

  publish-image:
    runs-on: ubuntu-latest
    needs: test
    if: github.repository == 'exospherehost/exospherehost'

🛠️ Refactor suggestion

Gate is good; add branch constraints for release/dispatch.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' &&
+        (github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
+        (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
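Review bot: the same `target_commitish` caveat as for publish-api-server.yml applies here (it reflects the value given at release creation, not a verified ancestry of the tagged commit). Beyond that, the 'Prompt for AI Agents' text below proposes `startsWith(github.ref, 'refs/heads/dispatch')`; `workflow_dispatch` is an event type, not a branch namespace, so a condition built from that prompt would never match a manual run. Apply the hunk as written, not the prompt.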
🤖 Prompt for AI Agents
.github/workflows/publish-state-mangaer.yml around line 77: the workflow gate
only checks the repository and needs branch constraints for release/dispatch;
update the if conditional to require the repo AND that github.ref starts with
refs/heads/release or refs/heads/dispatch (e.g., github.repository ==
'exospherehost/exospherehost' && (startsWith(github.ref, 'refs/heads/release')
|| startsWith(github.ref, 'refs/heads/dispatch'))), ensuring the job only runs
for those branch namespaces.

.github/workflows/release-dashboard.yml

jobs:
  publish-image:
    runs-on: ubuntu-latest
    if: github.repository == 'exospherehost/exospherehost'

🛠️ Refactor suggestion

Repo gate approved; also limit to main-targeted releases.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
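Review bot: this hunk omits the `github.event_name != 'release' ||` escape that the other suggestions carry, so if release-dashboard.yml has any trigger besides `release` (the 'Prompt for AI Agents' text below implies it may), `github.event.release` is unset on those runs, the comparison evaluates false and `publish-image` is silently skipped with no error. Either confirm the workflow is release-only or keep the event_name escape.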
🤖 Prompt for AI Agents
In .github/workflows/release-dashboard.yml around line 15, the current workflow
gate only checks the repository; update the if condition to also ensure the
release targets main. Replace the existing if with a combined condition that
keeps the repo check and adds a target-check such as: github.repository ==
'exospherehost/exospherehost' && (github.event_name != 'release' ||
github.event.release.target_commitish == 'main') so the job runs only for this
repo and only for releases targeting main.

.github/workflows/release-python-sdk.yml

    defaults:
      run:
        working-directory: python-sdk
    if: github.repository == 'exospherehost/exospherehost'

🛠️ Refactor suggestion

Good guard; add main-branch constraint for releases.

Ensure releases publish only when the tag targets main.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
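Review bot: the 'Prompt for AI Agents' text below is the stronger form of this guard: `startsWith(github.ref, 'refs/tags/')` plus a step that runs `git fetch origin main --depth=1` and `git merge-base --is-ancestor $GITHUB_SHA origin/main` checks the tagged commit itself rather than the release's `target_commitish` field. If you adopt it, make sure enough history is available: with a depth-1 checkout of the tag and a depth-1 fetch of `main`, the ancestor test reports false negatives for any tag that is behind main's tip, so use `fetch-depth: 0` on the checkout or fetch a deeper history of `main`.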
🤖 Prompt for AI Agents
.github/workflows/release-python-sdk.yml around line 65: the current guard only
checks repository equality but does not ensure tags are created from main; add a
check that the run is for a tag and that the tag's commit exists on main before
publishing. Change the if to require github.repository ==
'exospherehost/exospherehost' && startsWith(github.ref, 'refs/tags/'), and add
an early job/step (run before publish) that fetches origin/main (git fetch
origin main --depth=1) and verifies that git branch --contains $GITHUB_SHA --all
or git merge-base --is-ancestor $GITHUB_SHA origin/main; if that check fails,
exit non-zero or set an output/condition to skip the release job so only tags
that point at main will publish.

.github/workflows/release-state-manager.yml

  publish-image:
    runs-on: ubuntu-latest
    needs: test
    if: github.repository == 'exospherehost/exospherehost'

🛠️ Refactor suggestion

Repo gate looks right; also require releases from main.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
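Review bot: the 'Prompt for AI Agents' text below asks for `ref == 'refs/heads/main'` together with `event_name == 'release'`, but on a `release` event `github.ref` is the tag ref (`refs/tags/<tag>`), so that combination can never be true and the job would never publish. The hunk's `target_commitish` form is the usable one here, with the same caveat as in the other release workflows: it reflects the value supplied when the release was created, not a verified check that the tagged commit is on `main`.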
🤖 Prompt for AI Agents
.github/workflows/release-state-manager.yml around line 70: the current if only
gates by repository; change it to also require that the workflow was triggered
by a release on main by updating the if to combine checks (repository ==
'exospherehost/exospherehost' AND event_name == 'release' AND ref ==
'refs/heads/main'), so the job runs only for release events originating from the
main branch.

@NiveditJain NiveditJain merged commit be11f31 into main Aug 31, 2025
4 checks passed
@NiveditJain NiveditJain deleted the chore/guard-publish-to-main branch September 1, 2025 15:25


Development

Successfully merging this pull request may close these issues.

Image build pipelines should run only when merged to main of exospherehost/exospherehost

3 participants