
Sync feature/nest-zappa-migration with main #3933

Merged
arkid15r merged 18 commits into OWASP:feature/nest-zappa-migration from rudransh-shrivastava:feature/nest-zappa-migration-sync
Feb 13, 2026


@rudransh-shrivastava
Collaborator

Sync feature/nest-zappa-migration

Proposed change

Resolves #(put the issue number here)

Add the PR description here.

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

arkid15r and others added 18 commits February 10, 2026 09:23
Bumps certbot/certbot from v5.3.0 to v5.3.1.

---
updated-dependencies:
- dependency-name: certbot/certbot
  dependency-version: v5.3.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* added community endpoint to HIDDEN_SEGMENT

* Update code

* add tests for breadcrumbs

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
OWASP#3855) (OWASP#3894)

Apply pessimistic locking in update_program, update_program_status,
and update_module per maintainer feedback (select_for_update least intrusive).

Co-authored-by: Cursor <cursoragent@cursor.com>
* Fix PLC0415 violations

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
* fix(models): check for None instead of falsy in geo-location

* fix(models): check for None instead of falsy in geo-location

* fix(models): correct comment formatting

* fixed comments in tests/models

* fixed comments

* fixed tests

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
* fix(frontend): make dev footer version link to commit (fixes OWASP#3892)

- Footer version is now always a clickable link
- Production: links to release tag (unchanged)
- Non-production with dash in RELEASE_VERSION: links to commit
- Non-production without dash: falls back to release tag URL
- Added unit tests for Version Link Behavior

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
* Add SBOM generation for docker image

* Enable continue-on-error for SBOM generation

Added continue-on-error flag to SBOM generation steps.

* ci: run Trivy SBOM generation via Docker container

* ci: run Trivy SBOM generation via Makefile

* add local image build guard to sbom-frontend-image

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* add local image build guard to sbom-backend-image

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* Attach SBOMs to GitHub Release

* Update code

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
…ers (fixes OWASP#3783) (OWASP#3799)

* Refactor Dockerfile to improve caching and security

* Update base.py

* Update graphql.py

* Update production.py

* Apply suggestion from @cubic-dev-ai[bot]

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* Update Dockerfile

* Update Dockerfile

* Add security settings for HSTS and SSL

Added security settings for HSTS and SSL redirection.

* Simplify GraphQL schema extensions setup

Refactor GraphQL schema extensions and configuration.

* Update staging.py

* Update staging.py

* Update code

* Update code

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
…SP#3920)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.18.0 to 6.19.1.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@2634353...601a80b)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 6.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* update:model,management

* update:model

* update:cleaned

* update:cleaned

* initial test added needed corrections

* some more test

* test added
:

* code rabbit

* code rabbit

* correction

* code-rabbit

* code-rabbit

* code-rabbit

* code-rabbit

* sonar-issue

* cspell_check

* lint/format

* lint/format

* lint/format

* lint/format

* lint/format

* lint/format

* final lint/format

* cleaned code

* lint/format code-rabbit

* lint/format code-rabbit

* lint/format code-rabbit

* lint/format

* lint/format

* lint/format

* code-rabbit

* code-rabbit

* lint/format

* lint/format

* resolved conflicts

* '
lint/format

* lint/format

* Update code

* Update code

* Fix tests

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
@coderabbitai
Contributor

coderabbitai bot commented Feb 13, 2026

Important

Review skipped

Too many files!

This PR contains 168 files, which is 18 over the limit of 150.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions

PR validation failed: No linked issue and no valid closing issue reference in PR description

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 172 files

Confidence score: 4/5

  • Single medium-severity CI configuration concern; overall risk appears low and safe to merge with a small permissions cleanup.
  • scan-staging-images in .github/workflows/run-ci-cd.yaml requests contents: write even though actions/upload-artifact doesn’t need it, which could be over-privileged compared to the production scan job.
  • Pay close attention to .github/workflows/run-ci-cd.yaml - remove unnecessary contents: write permissions in the staging scan job.

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.


RELEASE_VERSION: ${{ needs.set-release-version.outputs.release_version }}
permissions:
contents: read
contents: write

P2: Unnecessary permission escalation: scan-staging-images uses actions/upload-artifact which doesn't require contents: write. Unlike the production scan job (which uses gh release upload), this job should keep contents: read to follow the principle of least privilege.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/run-ci-cd.yaml, line 586:

<comment>Unnecessary permission escalation: `scan-staging-images` uses `actions/upload-artifact` which doesn't require `contents: write`. Unlike the production scan job (which uses `gh release upload`), this job should keep `contents: read` to follow the principle of least privilege.</comment>

<file context>
@@ -579,8 +579,11 @@ jobs:
+      RELEASE_VERSION: ${{ needs.set-release-version.outputs.release_version }}
     permissions:
-      contents: read
+      contents: write
     runs-on: ubuntu-latest
     steps:
</file context>
Suggested change
contents: write
contents: read
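
A check for the over-privilege pattern flagged in the comment above, as an added example that is not part of the PR or of the project's code. It lists jobs that hold `contents: write` without any step that appears to need it. The sample workflow is constructed, the job name `scan-production-images` is hypothetical, and the `WRITE_HINTS` heuristic and the block-style YAML layout are assumptions.

```python
import re
# Constructed sample, not the project's workflow; the second job name is hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  scan-staging-images:
    permissions:
      contents: write
    steps:
      - uses: actions/upload-artifact@v4
  scan-production-images:
    permissions:
      contents: write
    steps:
      - run: gh release upload "$RELEASE_VERSION" sbom.json
"""
# Assumed heuristic: commands that genuinely need a write-scoped token.
WRITE_HINTS = re.compile(r"\bgh\s+release\b|\bgit\s+push\b")

def split_jobs(text):
    """Map job name -> body text (block-style YAML, jobs indented two spaces)."""
    jobs, name, in_jobs = {}, None, False
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            in_jobs = line.rstrip() == "jobs:"  # another top-level key ends the block
            continue
        m = re.match(r" {2}([\w-]+):\s*$", line) if in_jobs else None
        if m:
            name = m.group(1)
            jobs[name] = []
        elif in_jobs and name:
            jobs[name].append(line)
    return {k: "\n".join(v) for k, v in jobs.items()}

def has_contents_write(body):
    """True if the job's permissions block grants contents: write (or write-all)."""
    m = re.search(r"^( +)permissions:[ \t]*(.*)$", body, re.M)
    if not m or m.group(2).strip() == "write-all":
        return bool(m)
    for line in body[m.end():].splitlines():
        if line.strip() and len(line) - len(line.lstrip()) <= len(m.group(1)):
            break  # left the permissions block
        if re.match(r"\s*contents:\s*write\s*$", line):
            return True
    return False

def audit(text):
    """Jobs holding contents: write with no step that appears to need it."""
    return sorted(n for n, b in split_jobs(text).items()
                  if has_contents_write(b) and not WRITE_HINTS.search(b))
```

Calling `audit()` on the text of a workflow file returns the job names to review; flow-style mappings such as `permissions: {contents: write}` are outside what this line-based parser handles.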

@codecov

codecov bot commented Feb 13, 2026

Codecov Report

❌ Patch coverage is 90.90909% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.32%. Comparing base (95e284a) to head (5555949).
⚠️ Report is 19 commits behind head on feature/nest-zappa-migration.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| .../apps/mentorship/api/internal/mutations/program.py | 0.00% | 2 Missing ⚠️ |
| ...d/apps/mentorship/api/internal/mutations/module.py | 0.00% | 1 Missing ⚠️ |
| backend/apps/slack/apps.py | 50.00% | 1 Missing ⚠️ |

Additional details and impacted files


@@                       Coverage Diff                        @@
##           feature/nest-zappa-migration    #3933      +/-   ##
================================================================
- Coverage                         95.38%   93.32%   -2.07%     
================================================================
  Files                               464      513      +49     
  Lines                             14554    15827    +1273     
  Branches                           2017     2134     +117     
================================================================
+ Hits                              13883    14770     +887     
- Misses                              328      695     +367     
- Partials                            343      362      +19     

| Flag | Coverage Δ |
|---|---|
| backend | 92.88% <90.69%> (-2.79%) ⬇️ |
| frontend | 94.64% <100.00%> (+0.02%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Files with missing lines | Coverage Δ |
|---|---|
| backend/apps/ai/common/utils.py | 90.00% <ø> (-0.48%) ⬇️ |
| backend/apps/ai/models/chunk.py | 100.00% <ø> (ø) |
| backend/apps/ai/models/context.py | 100.00% <ø> (ø) |
| backend/apps/api/models/api_key.py | 89.28% <ø> (ø) |
| ...mon/management/commands/algolia_update_replicas.py | 100.00% <100.00%> (ø) |
| ...mon/management/commands/algolia_update_synonyms.py | 100.00% <100.00%> (ø) |
| ...ckend/apps/common/management/commands/dump_data.py | 91.37% <100.00%> (ø) |
| ...kend/apps/common/management/commands/purge_data.py | 100.00% <100.00%> (ø) |
| backend/apps/core/models/prompt.py | 100.00% <ø> (ø) |
| ...gement/commands/github_add_related_repositories.py | 95.55% <100.00%> (ø) |

... and 70 more

... and 32 files with indirect coverage changes


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@rudransh-shrivastava rudransh-shrivastava marked this pull request as ready for review February 13, 2026 17:59
@arkid15r arkid15r enabled auto-merge February 13, 2026 19:39
@arkid15r arkid15r disabled auto-merge February 13, 2026 19:39
@arkid15r arkid15r enabled auto-merge February 13, 2026 19:39
@arkid15r arkid15r merged commit fc6363b into OWASP:feature/nest-zappa-migration Feb 13, 2026
60 of 64 checks passed