Walkthrough
Updated the GitHub Actions workflow for production deployment by bumping actions/checkout from v3 to v5 in .github/workflows/deploy-oss.yml. No other steps or logic were changed.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
Pre-merge checks and finishing touches: ✅ Passed checks (3 passed)
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/deploy-oss.yml (1)
46-53: Use key‑based SSH auth and pin host keys; avoid “password” fields for keys. You’re passing a secret named SSH_KEY into
password. Prefer private key inputs and host key pinning for both actions. Also separate SSH auth from sudo creds. (github.com)- with: - local: ./build - remote: /tmp/${{ env.BOX_NAME }} - host: ${{ secrets.HOST }} - username: ${{ secrets.USER }} - password: ${{ secrets.SSH_KEY }} + with: + local: ./build + remote: /tmp/${{ env.BOX_NAME }} + host: ${{ secrets.HOST }} + username: ${{ secrets.USER }} + privateKey: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }} + passphrase: ${{ secrets.DEPLOY_SSH_PASSPHRASE }}- with: - host: ${{ secrets.HOST }} - username: ${{ secrets.USER }} - password: ${{ secrets.SSH_KEY }} + with: + host: ${{ secrets.HOST }} + username: ${{ secrets.USER }} + key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }} + passphrase: ${{ secrets.DEPLOY_SSH_PASSPHRASE }} + fingerprint: ${{ secrets.HOST_SSH_FINGERPRINT }}Optional: keep a separate secret for
sudo (don’t reuse SSH creds) and consider avoiding sudo by granting the deploy user minimal required privileges. Also applies to: 55-60
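Review bot: the first suggested block (the upload step with local/remote) gains privateKey and passphrase but no host key input, so the host key pinning the comment asks for "both actions" is only present in the second block via fingerprint: ${{ secrets.HOST_SSH_FINGERPRINT }}. If the upload action supports a fingerprint or known-hosts input, add it there too; otherwise the copy to ${{ secrets.HOST }} still trusts whatever host key it is offered.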
🧹 Nitpick comments (2)
.github/workflows/deploy-oss.yml (2)
25-26: Update Docker setup actions to v3 (current recommended). Both actions have v3 as the current line; upgrade for maintained features and fixes.
- - uses: docker/setup-qemu-action@v2 - - uses: docker/setup-buildx-action@v2 + - uses: docker/setup-qemu-action@v3 + - uses: docker/setup-buildx-action@v3Refs show v3 in examples/readme. (github.com)
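Review bot: the replacement lines keep mutable major-version tags (docker/setup-qemu-action@v3, docker/setup-buildx-action@v3); since deploy-oss.yml is the production deploy workflow, consider pinning each uses: to a full commit SHA with the tag noted in a trailing comment, so the code the tag resolves to cannot change without a diff in this file.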
29-29: Consider bumping docker/build-push-action to v6. v6 is the current stable and aligns with newer cache/back-end requirements and docs. This future‑proofs builds (e.g., GA cache API v2 era). (docs.docker.com)
- uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6
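Review bot: this single-line change jumps three major versions (v3 to v6) in the production deploy workflow, and the comment itself ties v6 to changed cache/back-end requirements; run the build from a branch and read the action's release notes for changed defaults before merging, rather than landing the bump untested alongside the checkout change.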
🔇 Additional comments (1)
.github/workflows/deploy-oss.yml (1)
23-23: Good bump to actions/checkout v5; verify runner compatibility if self‑hosted. v5 is live and uses the Node 24 runtime; it requires Actions Runner ≥ v2.327.1. On GitHub‑hosted runners you’re fine; for any self‑hosted, confirm runner version. (github.com)