fix: chores and reliability fixes (#123-#125, #128, #132, #137-#139)#141
Conversation
- #123: rename release-please.yml → changeset-version.yml; update RELEASING.md - #124: pin alpine base image to digest in Dockerfile.goreleaser - #125: add go-licenses NOTICE generation to release pipeline and goreleaser archives - #128: audit events for secret.Store Create and Delete (Actor field, transactional EmitTx) - #132: retry smtp.SendMail up to 3× in TestEmailReceive_FetchesUnseenMessages - #137: numeric UID (10001) in Dockerfile and Helm podSecurityContext so runAsNonRoot resolves - #138: remove worker/reaper liveness checkers from /readyz; probe checks DB only - #139: revert unauthenticated /metrics; add comment explaining bearer-token Prometheus path; annotate serviceMonitor.bearerTokenSecret in values.yaml Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
🚧 Files skipped from review as they are similar to previous changes (3)
📝 WalkthroughWalkthroughAdds NOTICE generation to the release workflow and includes NOTICE in goreleaser archives; pins container base and uses numeric UID/GID; documents Prometheus bearer token usage; adds Store.Actor and transactional audit events for credential ops; simplifies /readyz to DB-only; retries SMTP in an email integration test. ChangesRelease, Deployment, and Audit Infrastructure
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related issues
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 17dc0f2b31
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/release-engine.yml (1)
47-51: ⚡ Quick winPin
go-licensesin CI for reproducible builds.
@latestis non-deterministic; the latest stable release isv2.0.1, so pin to that version.📌 Proposed fix to pin go-licenses version
- name: Generate NOTICE run: | - go install github.com/google/go-licenses@latest + go install github.com/google/go-licenses@v2.0.1 go-licenses report ./... > NOTICE working-directory: packages/engine🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release-engine.yml around lines 47 - 51, The CI step "Generate NOTICE" installs go-licenses with an unstable `@latest` tag; update the step to pin the tool to v2.0.1 by changing the go install invocation for github.com/google/go-licenses to use `@v2.0.1` (the "Generate NOTICE" job/run that executes "go install github.com/google/go-licenses@latest" and then "go-licenses report ./... > NOTICE" in the packages/engine working-directory).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/engine/Dockerfile.goreleaser`:
- Line 1: The pinned Alpine image digest in the Dockerfile (the FROM directive
in packages/engine/Dockerfile.goreleaser) is incorrect for alpine:3.21; update
the FROM line to either use the correct Docker Hub digest for alpine:3.21
(sha256:1f390db9d9746cc317e16a98a8be2854c599abcbf04d45b6320b040e72034e33), or
remove the digest and/or explicitly add a platform (e.g.,
--platform=linux/amd64) to ensure you pull the intended manifest; adjust the
FROM directive accordingly so the image digest matches the intended
architecture/manifest.
In `@packages/engine/internal/server/server.go`:
- Line 241: The inline comment "Health endpoints (registered after engine
components so checkers are populated)." is stale because /readyz no longer uses
liveness checkers; update the comment near the health endpoints registration to
remove the "so checkers are populated" rationale and make it accurate (e.g.,
"Health endpoints (registered after engine components)." or similar) and ensure
any mention of /readyz and checkers is corrected to reflect the current
behavior.
---
Nitpick comments:
In @.github/workflows/release-engine.yml:
- Around line 47-51: The CI step "Generate NOTICE" installs go-licenses with an
unstable `@latest` tag; update the step to pin the tool to v2.0.1 by changing the
go install invocation for github.com/google/go-licenses to use `@v2.0.1` (the
"Generate NOTICE" job/run that executes "go install
github.com/google/go-licenses@latest" and then "go-licenses report ./... >
NOTICE" in the packages/engine working-directory).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 8264f82f-8ca8-4022-8545-b01404db6282
📒 Files selected for processing (10)
.github/workflows/changeset-version.yml.github/workflows/release-engine.ymlRELEASING.mdpackages/engine/.goreleaser.yamlpackages/engine/Dockerfile.goreleaserpackages/engine/internal/auth/middleware.gopackages/engine/internal/connector/email_receive_test.gopackages/engine/internal/secret/store.gopackages/engine/internal/server/server.gopackages/helm-chart/values.yaml
- Pin alpine:3.21 to correct digest (1f390db) in Dockerfile.goreleaser - Pin go-licenses to @v2.0.1 instead of @latest in release-engine.yml - Update stale comment in server.go: /readyz no longer uses worker/reaper liveness checkers; explain the intentional design decision Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
release-please.yml→changeset-version.yml; update all references inRELEASING.mdalpine:3.21to digestsha256:48b0309ca...inDockerfile.goreleasergo-licenses reportstep to release pipeline; bundle generatedNOTICEin goreleaser archivessecret.Store.Createandsecret.Store.Delete(transactionalEmitTx, newActorfield)smtp.SendMailin 3-attempt retry loop inTestEmailReceive_FetchesUnseenMessages10001inadduserandUSER 10001:10001in Dockerfile; addrunAsUser/runAsGroup: 10001to HelmpodSecurityContext/readyz; probe now checks DB connectivity only, eliminating false-positive flaps/metricsbehind auth to protect workflow-name labels; annotateserviceMonitor.bearerTokenSecretinvalues.yamlwith usage exampleTest plan
go build ./...andgo vet ./...pass cleansecret.Storetests pass with audit event coverageTestEmailReceive_FetchesUnseenMessagesno longer flakes on SMTP EOFrunAsNonRoot: true+ numeric UID withoutrunAsUseradmission error/readyzreturns 200 while worker/reaper are between poll cycles🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes
Documentation
Chores