
fix: ECR mirroring only overrides existing images #300

Merged. lolgab merged 1 commit into master from TAROT-3721, Jun 2, 2026

@lolgab lolgab commented Jun 2, 2026

This makes it impossible to delete an image currently in production, but the trade-off is that we get an updated DB only if we are using the latest version of Trivy. The experience is not very different from today, where we update the latest image and, if we are not using it in codacy-tools, the update is not actually used by our users, so basically we are not losing anything.

@lolgab lolgab requested a review from a team as a code owner June 2, 2026 14:43

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the CircleCI configuration by replacing the force: true parameter with overwrite_only_existing: true in several ECR mirroring steps. It also updates the codacy orb to a development version. The reviewer correctly notes that using a development version of the orb is risky for production workflows and recommends using a stable release version instead.

Comment thread .circleci/config.yml Outdated
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

@codacy-production codacy-production Bot left a comment

Pull Request Overview

This PR attempts to improve the safety of ECR mirroring by using the 'overwrite_only_existing: true' parameter and updating the 'codacy/base' orb to version 13.0.4. While Codacy's static analysis indicates the code is 'up to standards', a critical functional issue was identified: the use of 'overwrite_only_existing' effectively disables the mirroring of all new releases, as version-specific tags will not yet exist in the destination repository at the time of the push. This creates a significant gap in the implementation of the mirroring process for integration, staging, and production environments.

About this PR

  • The chosen mirroring strategy (overwrite_only_existing: true) is applied across all environment jobs. This suggests a systemic misunderstanding of the parameter's behavior, which will likely block all automated ECR publications of new tags.

Test suggestions

  • Found recommended test scenario: Verify that 'mirror_to_ecr_integration' job uses 'overwrite_only_existing: true'
  • Found recommended test scenario: Verify that 'mirror_to_ecr_staging' job uses 'overwrite_only_existing: true'
  • Found recommended test scenario: Verify that 'mirror_to_ecr_production' job uses 'overwrite_only_existing: true'
  • Found recommended test scenario: Verify that 'codacy/base' orb is updated to 13.0.4

Low confidence findings

  • The CI configuration currently uses a hardcoded Trivy version (v0.70.0). To ensure the 'updated DB' functionality mentioned in the PR description remains effective, this version may require periodic manual updates to maintain compatibility with newer Trivy features.

Comment thread .circleci/config.yml
Comment thread .circleci/config.yml
@lolgab lolgab merged commit 34fa49a into master Jun 2, 2026
8 checks passed
@lolgab lolgab deleted the TAROT-3721 branch June 2, 2026 16:02