ci(nexus): add --repo flag to gh release download #2256

Merged
alandtse merged 5 commits into community-shaders:dev from alandtse:fix/nexus-release-download
May 2, 2026
@alandtse
Collaborator

@alandtse alandtse commented May 2, 2026

Summary

prepare-artifacts has no checkout step, so there is no .git directory on the runner. Without --repo, gh release download falls back to inferring the repository from git, which fails with:

fatal: not a git repository (or any of the parent directories): .git

Fix: pass --repo "$GITHUB_REPOSITORY" explicitly so the download works on a bare runner.

Observed in run 25238941523 — all 13 prepare-artifacts matrix jobs failed at the download step.

Test plan

  • Re-run the Nexus upload workflow for v1.5.0 and confirm all prepare-artifacts jobs download assets successfully

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Release automation only attempts uploads for artifacts present in the release, always includes the core package, and downloads assets from the correct repository.
    • Dry-run adds a Nexus version check and appends a detailed markdown summary to the workflow log.
    • Upload summary now provides per-feature planned versions, Nexus links, and notes safe re-runs.
    • CI build path for VS2022 is enabled for more non-tag event types.
  • Bug Fixes
    • More accurate artifact matching using package metadata and improved changelog assembly with deduplicated commits and clearer precedence.

prepare-artifacts has no checkout step, so gh has no .git directory
to infer the repository from. Without --repo, gh falls back to git
which fails with 'fatal: not a git repository'. Pass GITHUB_REPOSITORY
explicitly so the download works on a bare runner.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai Bot commented May 2, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 72961213-9d77-4be1-ae7a-1794bbb84243

📥 Commits

Reviewing files that changed from the base of the PR and between 3dd8ff2 and 068b9bd.

📒 Files selected for processing (3)
  • .github/workflows/build.yaml
  • .github/workflows/upload-nexus.yaml
  • tools/feature_version_audit.py

📝 Walkthrough

The CI upload workflow now resolves a GitHub release by tag, filters planned Nexus uploads to assets present in that release, downloads release assets from the correct repo, adds a dry-run Nexus-versions check, enables existing-version checks for the uploader, and replaces the shell summary with a Python-rendered per-feature report. The feature audit tool now prioritizes INI-derived artifact patterns using mod_filename.

Changes

Nexus upload + release-driven matrix

| Layer / File(s) | Summary |
|---|---|
| Release fetch (.github/workflows/upload-nexus.yaml) | Fetch a single release by tag (repos/$GITHUB_REPOSITORY/releases/tags/$RELEASE_TAG) into release.json and extract body for changelog injection. |
| Release asset discovery (.github/workflows/upload-nexus.yaml) | Read release.assets[], collect asset names, and define artifact_in_release(row) using fnmatch against those asset names. |
| Matrix filtering (.github/workflows/upload-nexus.yaml) | Build upload_data only for rows where auto_upload=true AND artifact_in_release(row); write nexus-upload-matrix.json / nexus-upload-state.json and set has_uploads. |
| Release asset download (.github/workflows/upload-nexus.yaml) | gh release download now includes --repo "$GITHUB_REPOSITORY" to target the current repository. |
| Dry-run Nexus check job (.github/workflows/upload-nexus.yaml) | Add check-nexus-versions job (runs on dry-run when has_uploads) that queries Nexus per planned feature using UNEX_APIKEY and appends a markdown table of planned vs existing/recent versions or auth/error notes to GITHUB_STEP_SUMMARY. |
| Upload invocation (.github/workflows/upload-nexus.yaml) | Call reusable upload-to-nexus with check_existing: true and change changelog precedence to prefer inputs.changelog over matrix value. |
| Upload summary generation (.github/workflows/upload-nexus.yaml) | upload-summary now depends on check-nexus-versions and uses a Python renderer that reads needs.upload-to-nexus.result and upload_matrix to render per-feature markdown (success view table or failure listing with planned artifact names and re-run notes). |

Artifact pattern derivation (feature audit tool)

| Layer / File(s) | Summary |
|---|---|
| INI read / filename derivation (tools/feature_version_audit.py) | Read INI metadata first and compute mod_filename (from metadata) to use when deriving artifact patterns. |
| Artifact pattern precedence (tools/feature_version_audit.py) | Set artifact_pattern precedence to: ini_metadata["artifact_pattern"] → info["artifact_pattern"] → fallback derived from mod_filename (mod_filename.replace(' ', '.')-*.7z); changelog directory resolution now uses find_feature_dir(name) with fallback. |
| Changelog extraction (tools/feature_version_audit.py) | get_feature_changelog() fetches subject+body per commit (unit-sep delimiter), deduplicates by subject, and evaluates breaking-change regex against combined subject+body. |

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Release as GitHub Release
    participant Matrix as Matrix Builder
    participant Nexus as Nexus API
    participant Upload as upload-to-nexus
    participant Summary as Python Summary

    GH->>Release: GET repos/.../releases/tags/$RELEASE_TAG
    Release-->>GH: release.body + assets[]
    GH->>Matrix: build upload matrix, inject core changelog, filter by artifact_in_release
    GH->>Nexus: check-nexus-versions dry-run queries per planned feature (UNEX_APIKEY)
    Nexus-->>GH: existing/recent versions or auth/error
    GH->>Upload: invoke upload-to-nexus (check_existing: true, changelog precedence)
    Upload->>Nexus: check existing versions, upload artifacts
    Upload-->>GH: upload results
    GH->>Summary: run Python report (needs.upload-to-nexus.result + upload_matrix)
    Summary-->>GH: append per-feature markdown to step summary

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • SkrubbySkrubInAShrub
  • doodlum
  • davo0411

Poem

🐰 I hopped through YAML, fetched the tagged delight,

Matched assets by name beneath the release light.
I asked Nexus kindly what versions may be,
Python stitched a summary for each feature to see.
Hooray — uploads gated, and the matrix is right!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title refers to adding the --repo flag to gh release download, which is one specific change mentioned in the raw summary, but the changeset includes multiple other substantial modifications to workflows and feature auditing logic. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 actionlint (1.7.12)
.github/workflows/build.yaml

could not read ".github/workflows/build.yaml": open .github/workflows/build.yaml: no such file or directory

.github/workflows/upload-nexus.yaml

could not read ".github/workflows/upload-nexus.yaml": open .github/workflows/upload-nexus.yaml: no such file or directory

🔧 YAMLlint (1.38.0)
.github/workflows/upload-nexus.yaml

[Errno 2] No such file or directory: '.github/workflows/upload-nexus.yaml'

.github/workflows/build.yaml

[Errno 2] No such file or directory: '.github/workflows/build.yaml'

🔧 Checkov (3.2.525)
.github/workflows/build.yaml

2026-05-02 04:18:17,004 [MainThread ] [ERROR] Template file not found: .github/workflows/build.yaml

.github/workflows/upload-nexus.yaml

2026-05-02 04:18:17,000 [MainThread ] [ERROR] Template file not found: .github/workflows/upload-nexus.yaml


Review rate limit: 9/10 reviews remaining, refill in 6 minutes.

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented May 2, 2026

No actionable suggestions for changed features.

@github-actions

github-actions Bot commented May 2, 2026

✅ A pre-release build is available for this PR:
Download

alandtse and others added 2 commits May 1, 2026 19:05
Derive artifact_pattern from mod_filename using cmake's space→dot
convention (e.g. "Cloud Shadows" → Cloud.Shadows-*.7z) so patterns
match actual release assets. Previously used the CamelCase folder name
which never matched.

Also filter upload_matrix to only include rows whose artifact actually
exists in the GitHub release, preventing hard failures in upload-to-nexus
when a feature's standalone package was not included in the release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add check-nexus-versions job that runs during dry runs: queries the
Nexus API for each planned upload and reports whether the version
already exists on Nexus, validating UNEX_APIKEY in the process.

Add check_existing: true to upload-to-nexus so re-runs after partial
failures automatically skip already-uploaded versions via the Nexus
files API.

Replace the upload-summary failure branch with a per-feature table
listing each mod's Nexus link, planned version, and workflow artifact
name for manual recovery. Success branch also lists per-feature links
instead of hardcoding the core mod only.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/upload-nexus.yaml:
- Around line 176-196: Resolve the release by tag (not by the first-page
releases.json) and require the asset check for core too: replace the current
releases.json-based lookup with a tag-specific release fetch (use the GH API
repos/:owner/:repo/releases/tags/:tag or ensure releases.json contains the tag
response) so that release is populated from RELEASE_TAG, compute asset_names
from that resolved release, and change artifact_in_release (and the upload_data
filter) to stop hardcoding True for 'core'—have it apply the same
artifact_pattern/asset_name matching for all rows so uploads are only allowed
when the matching artifact actually exists.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: efb92c5a-b726-408c-9979-bcb9684eb5ee

📥 Commits

Reviewing files that changed from the base of the PR and between e1a703e and 93fb5a1.

📒 Files selected for processing (1)
  • .github/workflows/upload-nexus.yaml

Comment thread .github/workflows/upload-nexus.yaml Outdated
Use /releases/tags/:tag endpoint instead of /releases list to avoid
pagination issues when there are 30+ releases.

Remove hardcoded True for core in artifact_in_release so all rows
including core are validated against actual release assets.

Addresses CodeRabbit review comment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
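
The gating these commits converge on (resolve the release by tag, then validate every row, core included, against the assets actually attached) can be sketched as below. This is an added illustration, not the workflow's own code: the sample release payload, the asset names, the row layout beyond auto_upload, artifact_pattern and mod_filename, the draft refusal, and the names load_release, plan_uploads and ReleaseLookupError are assumptions.

```python
import fnmatch
import json

# Constructed sample of a release-by-tag API response; asset names are made up.
SAMPLE_RELEASE_JSON = json.dumps({
    "tag_name": "v1.5.0",
    "draft": False,
    "body": "Core changelog text",
    "assets": [
        {"name": "CommunityShaders-1.5.0.7z"},
        {"name": "Cloud.Shadows-1.2.0.7z"},
    ],
})

# Constructed feature rows (hypothetical layout, see the lead-in).
SAMPLE_ROWS = [
    {"feature": "core", "auto_upload": True, "artifact_pattern": "CommunityShaders-*.7z"},
    {"feature": "CloudShadows", "auto_upload": True, "mod_filename": "Cloud Shadows"},
    {"feature": "ScreenSpaceGI", "auto_upload": True, "mod_filename": "Screen Space GI"},
    {"feature": "Skylighting", "auto_upload": False, "mod_filename": "Skylighting"},
]


class ReleaseLookupError(RuntimeError):
    """Raised when release metadata is unusable; the job should stop here."""


def load_release(raw, expected_tag):
    """Parse the tag lookup response and refuse anything that is not that release."""
    try:
        release = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ReleaseLookupError(f"release metadata is not JSON: {exc}") from exc
    # An empty '{}' fallback fails here instead of silently planning no uploads.
    if not isinstance(release, dict) or release.get("tag_name") != expected_tag:
        raise ReleaseLookupError(f"no release resolved for tag {expected_tag!r}")
    if release.get("draft"):
        raise ReleaseLookupError(f"release {expected_tag!r} is still a draft")
    if not isinstance(release.get("assets"), list):
        raise ReleaseLookupError("release metadata has no assets list")
    return release


def artifact_pattern(row):
    """Explicit pattern wins; otherwise derive it from mod_filename (space -> dot)."""
    if row.get("artifact_pattern"):
        return row["artifact_pattern"]
    return row["mod_filename"].replace(" ", ".") + "-*.7z"


def plan_uploads(rows, release):
    """Keep rows with auto_upload set whose artifact exists in the release."""
    asset_names = [asset["name"] for asset in release["assets"]]
    planned = []
    for row in rows:
        if not row.get("auto_upload"):
            continue
        # fnmatchcase keeps matching case-sensitive on every runner OS.
        if any(fnmatch.fnmatchcase(n, artifact_pattern(row)) for n in asset_names):
            planned.append(row["feature"])
    return planned
```
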
Contributor

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
.github/workflows/upload-nexus.yaml (1)

148-151: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail the workflow when the tag lookup fails, and make this the single source of truth.

Because Line 101 still checks publication state via the paginated repos/.../releases list, older published tags can still be rejected before this block runs. On top of that, this new fallback turns any gh api failure into {}, so Lines 158 and 182 quietly produce an empty changelog/asset list and has_uploads=false instead of surfacing the real error. Fetch the tag once, fail on error, and read draft, body, and assets from that same response.

Suggested fix
-                  # Fetch the specific release by tag — avoids pagination issues with
-                  # the releases list endpoint (default page size is 30).
-                  gh api "repos/$GITHUB_REPOSITORY/releases/tags/$RELEASE_TAG" \
-                    2>/dev/null > release.json || echo '{}' > release.json
+                  # Fetch the specific release by tag and use it for all release metadata checks.
+                  gh api "repos/$GITHUB_REPOSITORY/releases/tags/$RELEASE_TAG" \
+                    > release.json || {
+                      echo "ERROR: failed to resolve release metadata for $RELEASE_TAG" >&2
+                      exit 1
+                    }
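
Review bot: in the added `> release.json || { ... exit 1 }` branch, the redirect has already created or truncated release.json before `gh api` runs, so a failed lookup still leaves an empty or partial file on the runner. The `exit 1` stops this step, but any later step that runs regardless of failure could still parse it; write to a temporary file and move it into place only on success, or remove release.json before exiting. The replacement comment also drops the reason the tag endpoint is used (the list endpoint is paginated), which is worth keeping next to the call.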

Then replace the earlier paginated draft check with fields from release.json so the workflow does not depend on two different release lookups.

GitHub REST API docs: does GET /repos/{owner}/{repo}/releases paginate by default, and does GET /repos/{owner}/{repo}/releases/tags/{tag} return the specific release payload including draft/prerelease/body/assets?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/upload-nexus.yaml around lines 148 - 151, The gh api call
that writes release.json should fail the job instead of falling back to '{}' and
you should use that single JSON response as the source of truth; replace the
current line `gh api "repos/$GITHUB_REPOSITORY/releases/tags/$RELEASE_TAG"
2>/dev/null > release.json || echo '{}' > release.json` with a strict command
that exits on non‑zero (or capture stderr and exit if empty), then parse draft,
body and assets from release.json to set has_uploads/published checks; also
remove or replace the earlier paginated `repos/.../releases` lookup and its
draft check so all logic (draft/prerelease/publication, changelog/body, and
assets list) reads from release.json (using RELEASE_TAG, release.json,
has_uploads and the gh api call as anchors).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 112d0aae-dc1b-4c1e-bc4f-b981df6bb301

📥 Commits

Reviewing files that changed from the base of the PR and between 93fb5a1 and 3dd8ff2.

📒 Files selected for processing (1)
  • .github/workflows/upload-nexus.yaml

build.yaml: run-vs2022 should be false only for tag builds, not all
non-dispatch events. Change expression to github.ref_type != 'tag'.

upload-nexus.yaml: manual changelog input should override auto-generated
feature changelog. Swap precedence to inputs.changelog || matrix.changelog.

feature_version_audit.py: feature_dir was constructed as FEATURES_DIR/name
(CamelCase) which does not exist for multi-word features like Screen Space GI.
Use find_feature_dir() fuzzy resolver with fallback.

feature_version_audit.py: --pretty=%s only returns commit subjects, missing
BREAKING CHANGE footers in commit bodies. Switch to %s\x1f%b\x1f separator
format (ASCII unit-separator; null bytes are rejected by Windows subprocess)
so RE_COMMIT_BREAKING can match footers while subjects remain the display text.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
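
The unit-separator parsing described in this commit message can be illustrated as below: subject and body are split on 0x1f, entries are deduplicated by subject, and the breaking-change check runs over subject plus body so footers are seen. This is an added example, not the code in tools/feature_version_audit.py; BREAKING_RE is a stand-in for the project's RE_COMMIT_BREAKING (not shown on this page), and the sample log, parse_commits and build_changelog are constructed for illustration.

```python
import re

US = "\x1f"  # ASCII unit separator between fields (%x1f in a git format string)

# Stand-in for the project's RE_COMMIT_BREAKING, which this page does not show:
# a Conventional Commits "!" marker in the subject or a BREAKING CHANGE footer.
BREAKING_RE = re.compile(r"^\w+(\([^)]*\))?!:|^BREAKING[ -]CHANGE:", re.MULTILINE)

# Constructed sample shaped like `git log --pretty=format:%s%x1f%b%x1f` output:
# subject, US, body, US, then a newline before the next commit.
SAMPLE_LOG = (
    f"feat(upload): gate uploads on release assets{US}{US}\n"
    f"fix(audit): resolve feature dir{US}Use the fuzzy resolver.\n\n"
    f"BREAKING CHANGE: artifact pattern keys renamed\n{US}\n"
    f"feat(upload): gate uploads on release assets{US}Cherry-picked duplicate.\n{US}\n"
    f"refactor!: drop legacy matrix{US}{US}"
)


def parse_commits(raw):
    """Split unit-separated git log output into (subject, body) pairs."""
    fields = raw.split(US)
    # Fields alternate subject, body; zip drops the empty tail after the last US.
    pairs = zip(fields[0::2], fields[1::2])
    return [(s.strip(), b.strip()) for s, b in pairs if s.strip()]


def build_changelog(raw):
    """Deduplicate by subject; flag an entry if subject or body marks a break."""
    entries = {}
    for subject, body in parse_commits(raw):
        breaking = bool(BREAKING_RE.search(subject + "\n" + body))
        # Assumption: a duplicate subject keeps one line but never clears the flag.
        entries[subject] = entries.get(subject, False) or breaking
    return list(entries.items())
```
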
@alandtse alandtse merged commit 1b9eb90 into community-shaders:dev May 2, 2026
14 checks passed
ParticleTroned added a commit to ParticleTroned/skyrim-community-shaders that referenced this pull request May 15, 2026
ParticleTroned added a commit to ParticleTroned/skyrim-community-shaders that referenced this pull request May 16, 2026