
Dev#10

Merged
BeforeLights merged 10 commits into main from dev on May 7, 2026

Conversation

@BeforeLights
Contributor

@BeforeLights BeforeLights commented May 7, 2026

Summary by CodeRabbit

  • Chores
    • Deployment workflow now runs only for pushes to main and manual dispatches targeting main.
    • The deploy process sends the commit SHA to the server and verifies the remote main branch matches that SHA before proceeding.
    • If the remote SHA is outdated, the deployment is skipped to avoid deploying mismatched code.
    • When the SHA matches, the server resets to that commit and continues the usual build, rollout, and health check steps.

@qodo-code-review

Review Summary by Qodo

Deploy verified workflow commit to production safely

✨ Enhancement 🐞 Bug fix


Walkthroughs

Description
• Restrict deployment to main branch only
• Deploy verified workflow commit SHA instead of latest
• Add commit verification before deployment
• Fetch all refs with prune for accurate state
Diagram
flowchart LR
  A["Deploy Trigger"] --> B["Check Branch == main"]
  B --> C["Fetch All Refs"]
  C --> D["Verify Commit SHA"]
  D --> E["Reset to Verified SHA"]
  E --> F["Deploy"]


File Changes

1. .github/workflows/deploy-lightsail.yml ✨ Enhancement +6/-4

Restrict deployment to main and verify commit SHA

• Added branch check to restrict deployments to main branch only
• Pass github.sha as COMMIT_SHA environment variable
• Replace hardcoded origin/main with verified COMMIT_SHA in git reset
• Change git fetch origin main to git fetch --prune origin for complete ref sync
• Add commit verification step using git cat-file before reset


@qodo-code-review

qodo-code-review Bot commented May 7, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. Old commit deploy possible ✓ Resolved 🐞 Bug ☼ Reliability
Description
The deploy script only checks that COMMIT_SHA is an ancestor of origin/main and then hard-resets to
COMMIT_SHA, so re-running an older workflow run can deploy outdated code even when main has
advanced. This can unintentionally roll production back while still passing the new “verified”
check.
Code

.github/workflows/deploy-lightsail.yml[R75-80]

+            git fetch --prune origin +refs/heads/main:refs/remotes/origin/main
+            if ! git merge-base --is-ancestor "$COMMIT_SHA" origin/main; then
+              echo "Commit $COMMIT_SHA is not on origin/main after fetch; refusing to deploy unverified code. Re-run the workflow for the current main commit." >&2
+              exit 1
+            fi
+            git reset --hard "$COMMIT_SHA"
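Review bot: the `git merge-base --is-ancestor "$COMMIT_SHA" origin/main` guard on the second line only establishes that the commit is somewhere in main's history, so a re-run of an older workflow run (which keeps its original `github.sha`) still passes and the `git reset --hard "$COMMIT_SHA"` that follows rolls production back to that commit. If only the current tip should ever be deployed, compare `$COMMIT_SHA` against `git rev-parse origin/main` instead; if deploying older main commits is intended, the message "refusing to deploy unverified code" overstates what the check enforces and should describe the actual policy.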
Evidence
The workflow allows manual runs (workflow_dispatch) and the deploy job runs for main, then on the
server it fetches origin/main, checks only ancestry membership, and resets to the run’s COMMIT_SHA;
ancestry membership still holds for older commits that remain in main history.

.github/workflows/deploy-lightsail.yml[10-12]
.github/workflows/deploy-lightsail.yml[52-52]
.github/workflows/deploy-lightsail.yml[75-80]
.github/workflows/deploy-lightsail.yml[77-78]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

## Issue description
The remote deploy script validates `COMMIT_SHA` using `git merge-base --is-ancestor`, which allows deploying any historical commit that’s still in `origin/main` history. This makes it possible to roll production back by re-running an old workflow execution.
### Issue Context
This workflow runs on `workflow_dispatch` and `push`. Re-running an older workflow execution will keep the original `github.sha`, so the current check will still pass as long as that SHA remains an ancestor of `origin/main`.
### Fix Focus Areas
- .github/workflows/deploy-lightsail.yml[75-80]
### Suggested change
After fetching, compute `REMOTE_MAIN_SHA=$(git rev-parse origin/main)` and enforce:
- `if [ "$COMMIT_SHA" != "$REMOTE_MAIN_SHA" ]; then ... exit 1; fi`
If the intent is to allow deploying older main commits, keep the ancestry check but update the error message to match the actual policy (and consider adding an explicit input/approval gate for deploying non-tip commits).



2. Brittle SHA-based deploy ✓ Resolved 🐞 Bug ☼ Reliability
Description
The deploy job hard-resets the server checkout to $COMMIT_SHA and will abort if that SHA is not
present locally after fetch; this can break production deploys when the triggering commit is no
longer fetchable from the remote (e.g., main history rewrite/force-push).
Code

.github/workflows/deploy-lightsail.yml[R64-77]

+          COMMIT_SHA: ${{ github.sha }}
   with:
     host: ${{ secrets.LIGHTSAIL_HOST }}
     username: ${{ secrets.LIGHTSAIL_USER }}
     key: ${{ secrets.LIGHTSAIL_SSH_KEY }}
-          envs: APP_DIR,BACKEND_URL
+          envs: APP_DIR,BACKEND_URL,COMMIT_SHA
     script_stop: true
     script: |
       set -eu
       cd "$APP_DIR"
-            git fetch origin main
-            git reset --hard origin/main
+            git fetch --prune origin
+            git cat-file -e "$COMMIT_SHA^{commit}"
+            git reset --hard "$COMMIT_SHA"
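Review bot: `git cat-file -e "$COMMIT_SHA^{commit}"` proves only that the object exists in the local clone; after the preceding unscoped `git fetch --prune origin` that object could have arrived from any remote branch or tag, so the check does not establish that `$COMMIT_SHA` is on main before the hard reset. Scope the fetch to the one ref the deploy consumes (`git fetch --prune origin +refs/heads/main:refs/remotes/origin/main`) and add a reachability check against `origin/main` (ancestry or tip equality, depending on the intended policy). With `set -eu` and `script_stop: true`, a missing object also aborts the deploy without an explanatory message; echoing why the run stopped before failing would help whoever has to re-run it.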
Evidence
The workflow passes COMMIT_SHA from the workflow run and then (a) runs a generic fetch, (b)
asserts the commit exists, and (c) resets to it. Because the script is set -eu and `script_stop:
true`, any missing commit object causes an immediate hard failure of the production deployment.

.github/workflows/deploy-lightsail.yml[60-77]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

## Issue description
Production deploys can fail if `$COMMIT_SHA` isn’t available locally after the fetch (for example, if the branch history was rewritten and the SHA is no longer reachable from remote refs). The script currently hard-fails on that condition.
### Issue Context
The deploy script uses `set -eu` and `script_stop: true`, so `git cat-file -e ...` failing will stop the deployment.
### Fix Focus Areas
- .github/workflows/deploy-lightsail.yml[71-77]
### Suggested fix options (choose one)
1) **Fallback to `origin/main` if SHA missing** (maximizes production reliability):
- Fetch `origin/main` explicitly
- If `git cat-file -e "$COMMIT_SHA^{commit}"` fails, log and `git reset --hard origin/main`
2) **Make the fetch explicitly target the needed refs** and keep deterministic deploys:
- Fetch `origin/main` explicitly (so the commit is available when it’s reachable)
- Keep the SHA reset, but add a clear error message instructing to re-run deployment if the SHA is no longer reachable
Example sketch:




Remediation recommended

3. Deploy requires main tip 🐞 Bug ☼ Reliability
Description
The deploy script exits unless COMMIT_SHA exactly matches the current origin/main HEAD, which
blocks intentional redeploy/rollback to an earlier main commit and causes older queued deploy runs
to fail once main advances.
Code

.github/workflows/deploy-lightsail.yml[R75-81]

+            git fetch --prune origin +refs/heads/main:refs/remotes/origin/main
+            MAIN_SHA="$(git rev-parse origin/main)"
+            if [ "$COMMIT_SHA" != "$MAIN_SHA" ]; then
+              echo "Verified commit $COMMIT_SHA is not current origin/main $MAIN_SHA; refusing to deploy an outdated commit. Re-run the workflow for the current main commit." >&2
+              exit 1
+            fi
+            git reset --hard "$COMMIT_SHA"
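Review bot: the equality test against `git rev-parse origin/main` is the right shape for a deploy-only-the-tip policy, and since `github.sha` is the full commit SHA the string comparison is exact. The interaction with the workflow's concurrency group (`cancel-in-progress: false`) is the open question: queued runs for superseded pushes will now exit 1 by design, so either set `cancel-in-progress: true` so stale runs are cancelled rather than failed, or document that a red run here means "superseded", not "broken". A deliberate rollback now requires a revert commit on main rather than a re-run of an older workflow, which is worth stating in the workflow comments.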
Evidence
The SSH deploy step forwards COMMIT_SHA from github.sha and compares it to `git rev-parse
origin/main`; any mismatch exits with status 1. Because the workflow uses a single concurrency group
with cancel-in-progress: false, multiple push-triggered deploys can queue and then the earlier
ones will deterministically fail if a newer commit reaches origin/main before they run.

.github/workflows/deploy-lightsail.yml[52-57]
.github/workflows/deploy-lightsail.yml[61-81]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

## Issue description
The deploy job hard-fails unless the workflow SHA equals the *current* `origin/main` tip. This prevents deploying older commits (e.g., rollback) and makes queued deploy runs fail whenever `origin/main` advances before they execute.
### Issue Context
Current logic:
- `COMMIT_SHA` is set to `${{ github.sha }}`
- The script fetches `origin/main`, computes `MAIN_SHA`, and exits if `COMMIT_SHA != MAIN_SHA`.
- Concurrency is `cancel-in-progress: false`, so older runs can still execute later and hit this failure.
### Fix options (pick desired behavior)
1) **If the goal is “deploy only latest main”**: set concurrency to cancel stale runs so older ones don’t run and fail.
 - Set `cancel-in-progress: true` for the `lightsail-production` concurrency group.
2) **If the goal is “deploy the workflow’s SHA as long as it’s on main”**: allow non-tip SHAs by verifying membership instead of equality.
 - Example approach: fetch `origin/main`, then check `git merge-base --is-ancestor "$COMMIT_SHA" origin/main` (or otherwise verify the commit exists and is reachable), and only fail if not.
### Fix Focus Areas
- .github/workflows/deploy-lightsail.yml[54-57]
- .github/workflows/deploy-lightsail.yml[75-81]



4. Overbroad git fetch ✓ Resolved 🐞 Bug ➹ Performance
Description
The deploy script now runs git fetch --prune origin without a refspec, which fetches/prunes all
remote-tracking refs instead of only updating origin/main, adding unnecessary network and runtime
cost to every production deployment.
Code

.github/workflows/deploy-lightsail.yml[75]

+            git fetch --prune origin
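Review bot: without a refspec, `git fetch --prune origin` updates and prunes every remote-tracking ref although the job is gated to main and only `origin/main` is consumed by the reset; `git fetch --prune origin +refs/heads/main:refs/remotes/origin/main` fetches exactly what the deploy needs and keeps deploy time independent of how many branches and tags the repository accumulates.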
Evidence
The deploy step explicitly runs an unscoped fetch; previously only main needed to be updated to
deploy production. Fetching all refs can be materially slower as the repo grows or accumulates many
branches/tags.

.github/workflows/deploy-lightsail.yml[71-77]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

## Issue description
The deploy script fetches all remote refs (`git fetch --prune origin`) even though deployments are restricted to `main`. This increases network I/O and time for every production deploy.
### Issue Context
Deployment is gated to `github.ref == 'refs/heads/main'`, so only `origin/main` needs to be updated for the reset/build.
### Fix Focus Areas
- .github/workflows/deploy-lightsail.yml[71-77]
### Suggested change
Replace:
- `git fetch --prune origin`
With a ref-scoped fetch, e.g.:
- `git fetch --prune origin +refs/heads/main:refs/remotes/origin/main`
(Or `git fetch --prune origin main` if you’re OK with Git using configured refspecs.)

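The remote-side checks that findings 1, 3 and 4 above argue over, as an added example that is not the PR's workflow script: a POSIX shell script builds a constructed throwaway repository (a developer clone, a bare "origin" and a "server" checkout standing in for $APP_DIR, with constructed commit messages), then runs the tip-equality check from the merged hunk and the ancestry check from the earlier revision against the current tip, a superseded commit and an old commit, so the difference in behaviour is observable.

```shell
# Added example, not the PR's workflow script: the remote-side checks argued
# over in findings 1, 3 and 4 (tip equality vs. main ancestry, ref-scoped
# fetch), run against a constructed throwaway repository.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GIT_AUTHOR_NAME=ci GIT_AUTHOR_EMAIL=ci@example.invalid
export GIT_COMMITTER_NAME=ci GIT_COMMITTER_EMAIL=ci@example.invalid

# Constructed history: a developer clone with two commits on main, a bare
# "origin" cloned from it, and a "server" checkout standing in for $APP_DIR.
DEV="$WORK/dev"; ORIGIN="$WORK/origin.git"; SERVER="$WORK/server"
git init -q "$DEV"
git -C "$DEV" symbolic-ref HEAD refs/heads/main
git -C "$DEV" commit -q --allow-empty -m "first"
OLD_SHA=$(git -C "$DEV" rev-parse HEAD)     # an older commit still on main
git -C "$DEV" commit -q --allow-empty -m "second"
NEW_SHA=$(git -C "$DEV" rev-parse HEAD)     # the commit a workflow run is for
git clone -q --bare "$DEV" "$ORIGIN"
git clone -q "$ORIGIN" "$SERVER"

# Finding 4: fetch exactly the ref the deploy consumes, nothing else.
fetch_main() {
  git -C "$1" fetch -q --prune origin +refs/heads/main:refs/remotes/origin/main
}

# Merged policy: COMMIT_SHA ($2) must equal the current origin/main tip.
verify_tip() {
  fetch_main "$1"
  [ "$2" = "$(git -C "$1" rev-parse origin/main)" ]
}
# Earlier policy: COMMIT_SHA only has to exist and be in main's history, so a
# re-run of an old workflow passes and would roll production back (finding 1).
verify_on_main() {
  fetch_main "$1"
  git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null &&
    git -C "$1" merge-base --is-ancestor "$2" origin/main
}

# Finding 3: main advances while the run for NEW_SHA is still queued.
advance_main() {
  git -C "$DEV" commit -q --allow-empty -m "third"
  git -C "$DEV" push -q "$ORIGIN" main:main
  git -C "$DEV" rev-parse HEAD
}

# Print the verdict the remote script would reach for one policy and commit.
decide() {
  if "$1" "$SERVER" "$2"; then echo "$1 $3: deploy"
  else echo "$1 $3: refuse (exit 1)"; fi
}

TIP_SHA=$(advance_main)
decide verify_tip     "$TIP_SHA" "current tip"
decide verify_tip     "$NEW_SHA" "queued run, superseded"
decide verify_on_main "$NEW_SHA" "queued run, superseded"
decide verify_on_main "$OLD_SHA" "re-run of old workflow"
decide verify_on_main 0000000000000000000000000000000000000000 "unknown sha"
```

Requires git on PATH; the superseded run is refused under the tip policy but accepted under the ancestry policy, which is exactly the trade-off findings 1 and 3 describe from opposite sides.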



Comment thread .github/workflows/deploy-lightsail.yml
@coderabbitai

coderabbitai Bot commented May 7, 2026

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ac01edc1-276c-41ca-8e6f-b9586afe5543

📥 Commits

Reviewing files that changed from the base of the PR and between 29c335a and 1c43b14.

📒 Files selected for processing (1)
  • .github/workflows/deploy-lightsail.yml

📝 Walkthrough

Walkthrough

The workflow restricts deploys to refs/heads/main for push and workflow_dispatch, injects COMMIT_SHA into the SSH deploy step, and the remote script fetches/prunes main, compares origin/main's SHA to COMMIT_SHA, and only resets to COMMIT_SHA when they match.

Changes

Deployment Safety via Branch Gating and Commit Pinning

Workflow Trigger Adjustments (.github/workflows/deploy-lightsail.yml)
  The pull_request trigger branch list was changed to include only main (removed dev).
Deploy Job Condition Gating (.github/workflows/deploy-lightsail.yml)
  The deploy job now requires that the event be push or workflow_dispatch and that github.ref == refs/heads/main.
SSH Step: COMMIT_SHA Injection (.github/workflows/deploy-lightsail.yml)
  The SSH step now forwards COMMIT_SHA to the remote environment and includes it in the envs passed to the remote script.
Remote Git Verify & Reset (.github/workflows/deploy-lightsail.yml)
  The remote script fetches/prunes main into origin/main, computes its SHA, exits if it doesn't equal COMMIT_SHA, and hard-resets to COMMIT_SHA when they match before continuing with the build/deploy steps.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant GitHubActions
  participant RemoteHost
  Client->>GitHubActions: push / workflow_dispatch / open PR
  GitHubActions->>GitHubActions: evaluate triggers & deploy job condition (refs/heads/main)
  GitHubActions->>RemoteHost: SSH deploy step (COMMIT_SHA env)
  RemoteHost->>RemoteHost: git fetch --prune origin main
  RemoteHost->>RemoteHost: compute origin_main SHA and compare to COMMIT_SHA
  alt match
    RemoteHost->>RemoteHost: git reset --hard COMMIT_SHA and continue deploy
  else mismatch
    RemoteHost->>RemoteHost: log skipped deploy and exit
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through commits, steady and bright,
Pinned the SHA true, held fast through the night.
Gated to main, I checked every line,
Fetched and compared, then reset to the sign.
Lightsail sails on with the commit in sight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive. The title "Dev" is generic and vague, using a non-descriptive term that does not convey meaningful information about the changeset's primary purpose. Resolution: replace the title with a descriptive summary that reflects the main change, such as "Fail stale deploy runs" or "Add stale commit detection to Lightsail deployment workflow".

✅ Passed checks (4 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-lightsail.yml:
- Around line 76-80: The ancestor check using "git merge-base --is-ancestor"
allows stale commits; replace it with an explicit SHA equality check by
resolving the tip of origin/main (e.g., obtain origin_main_sha via "git
rev-parse origin/main" after fetch) and compare it to COMMIT_SHA, failing with a
clear message if they differ; update the error text and then run "git reset
--hard \"$COMMIT_SHA\"" only when COMMIT_SHA equals origin_main_sha so only the
current main tip can be deployed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2b548a9a-62b1-42c0-b07b-dc6b70419911

📥 Commits

Reviewing files that changed from the base of the PR and between 4d3df9e and 738e8d1.

📒 Files selected for processing (1)
  • .github/workflows/deploy-lightsail.yml

Comment thread .github/workflows/deploy-lightsail.yml Outdated
@BeforeLights
Contributor Author

/review -i

@qodo-code-review

qodo-code-review Bot commented May 7, 2026

Persistent review updated to latest commit 738e8d1

Comment thread .github/workflows/deploy-lightsail.yml
@BeforeLights
Contributor Author

/review -i

@qodo-code-review

qodo-code-review Bot commented May 7, 2026

Persistent review updated to latest commit 03f76cd

@BeforeLights
Contributor Author

/review -i

@qodo-code-review

ⓘ You've reached your Qodo monthly free-tier limit. Reviews pause until next month — upgrade your plan to continue now, or link your paid account if you already have one.

@BeforeLights
Contributor Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented May 7, 2026

✅ Actions performed

Full review triggered.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-lightsail.yml:
- Around line 78-80: The deploy script's early-return on commit mismatch
currently exits with success; change the if-block that compares COMMIT_SHA and
MAIN_SHA to return a non-zero exit so the job fails fast: in the if branch that
echoes "Skipping deploy for outdated commit $COMMIT_SHA; current origin/main is
$MAIN_SHA." replace the successful exit (exit 0) with a failing exit (e.g., exit
1) so the workflow job fails when the SHA check detects an outdated commit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: fc43451d-f7a0-4045-9236-7a1af11c8366

📥 Commits

Reviewing files that changed from the base of the PR and between ea95ab3 and 29c335a.

📒 Files selected for processing (1)
  • .github/workflows/deploy-lightsail.yml

Comment thread .github/workflows/deploy-lightsail.yml Outdated
@BeforeLights BeforeLights merged commit f00c37c into main May 7, 2026
3 checks passed