ci: trim whitespace from R2 secrets and improve debug logging

[Pratham-Mishra04]

Trim whitespace from R2 secrets and improve environment variable validation

This PR addresses an issue with R2 credentials in our release workflow by:

1. Adding whitespace trimming for R2 environment variables in the transports-release workflow
2. Enhancing the upload-builds.mjs script with better environment variable validation:
   • Displays the length of each credential
   • Shows first/last few characters of credentials (partially masked)
   • Detects and warns about common issues like newlines or trailing spaces

These changes will help prevent authentication failures caused by invisible whitespace characters in secrets.

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Improved validation and debugging messages for environment variables in the upload process.
  • Enhanced handling of whitespace in environment variables used during the build upload step to prevent errors.

Walkthrough

The changes introduce stricter handling and validation of environment variables used in the build upload process. In the workflow file, whitespace is explicitly trimmed from relevant environment variables before use. The upload script now provides detailed debug output, masking variable values, checking for whitespace or newlines, and exiting immediately if a required variable is missing.

Changes

File(s)	Change Summary
.github/workflows/transports-release.yml	Added explicit trimming of whitespace from R2 environment variables before upload step.
ci/scripts/upload-builds.mjs	Enhanced environment variable validation with detailed debug output, masking, and whitespace warnings.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub Actions
    participant upload-builds.mjs

    GitHub Actions->>GitHub Actions: Trim whitespace from R2 env vars
    GitHub Actions->>upload-builds.mjs: Run upload script with cleaned env vars
    upload-builds.mjs->>upload-builds.mjs: Validate each env var
    alt Variable missing
        upload-builds.mjs->>GitHub Actions: Log missing variable, exit
    else Variable present
        upload-builds.mjs->>GitHub Actions: Log masked value, check for whitespace/newlines
        upload-builds.mjs->>GitHub Actions: Warn if whitespace/newlines found
        upload-builds.mjs->>GitHub Actions: Continue process
    end

Loading

Estimated code review effort

2 (~15 minutes)

Possibly related PRs

• ci: improve upload-builds script with fresh streams and env validation #188: Enhanced environment variable validation in the same upload-builds.mjs script, focusing on presence checks.

Suggested reviewers

• akshaydeo
• danpiths
• SamstyleGhost

Poem

A rabbit hopped through CI's land,
Trimming spaces with a gentle hand.
Variables checked, each one in sight,
Masked and logged to debug right.
With whitespace gone, the builds upload—
Hoppy scripts on a cleaner road! 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 498a7e2 and a26916d.

📒 Files selected for processing (2)

• .github/workflows/transports-release.yml (1 hunks)
• ci/scripts/upload-builds.mjs (1 hunks)

🧠 Learnings (2)

📓 Common learnings

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#158
File: .github/workflows/transports-release.yml:30-43
Timestamp: 2025-07-18T11:12:28.861Z
Learning: Pratham-Mishra04 relies on branch protection rules and mandatory code reviews for security in the bifrost repository, preferring process controls over technical security measures like environment variable isolation for GitHub Actions workflows. All commits are reviewed before merging to main branch.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#103
File: .github/workflows/transport-dependency-update.yml:30-36
Timestamp: 2025-06-19T16:57:25.177Z
Learning: In the bifrost repository, Pratham-Mishra04 prefers to keep GitHub Actions workflows lean and trusts their controlled tagging process for core releases, avoiding unnecessary validation steps that they consider overkill.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#84
File: transports/bifrost-http/main.go:2-2
Timestamp: 2025-06-15T16:05:13.489Z
Learning: For the Bifrost project, HTTP transport integration routers for new providers (like Mistral and Ollama) are implemented in separate PRs from the core provider support, following a focused PR strategy.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#141
File: core/bifrost.go:198-272
Timestamp: 2025-07-08T18:30:08.258Z
Learning: Pratham-Mishra04 follows a pattern of implementing core functionality first and deferring non-critical improvements (like race condition fixes, optimizations) to later PRs. This is a reasonable development approach that prioritizes getting the main feature working before addressing edge cases.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#159
File: ci/npx/package.json:22-23
Timestamp: 2025-07-18T11:07:56.674Z
Learning: In the Bifrost project, Pratham-Mishra04 publishes the npm package by running `npm publish` from inside the `ci/npx` directory rather than from the repository root, and prefers not to use a `files` field to restrict the published package contents.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#159
File: ci/npx/bin.js:93-108
Timestamp: 2025-07-18T10:58:16.118Z
Learning: In the Bifrost project, Pratham-Mishra04 relies on infrastructure-level security (private bucket hosting with verification) for binary distribution rather than implementing client-side integrity checks in the npx wrapper script. They consider this approach sufficient for their threat model.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#131
File: transports/bifrost-http/lib/config.go:35-68
Timestamp: 2025-06-26T07:37:24.385Z
Learning: In the Bifrost project's MCP configuration handling, empty environment variables should be treated as missing/invalid rather than as valid empty values. The current implementation using `os.Getenv(envKey); envValue != ""` to check for non-empty values is the desired behavior.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#97
File: transports/Dockerfile:37-42
Timestamp: 2025-06-19T09:06:25.750Z
Learning: In Docker configurations for this project, plugin-specific environment variables (like MAXIM_LOG_REPO_ID) should not be included in the Dockerfile's ENV section. The architectural goal is to keep Docker images plugin-agnostic and externalize all plugin configuration to runtime via docker run -e flags, rather than baking plugin config into the image.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#158
File: ci/scripts/upload-builds.mjs:57-85
Timestamp: 2025-07-18T11:01:07.321Z
Learning: The Bifrost project's upload-builds.mjs script handles around 10 uploads only, making the current serial approach with 500ms delays acceptable for the pipeline performance (total ~5 seconds delay).

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#55
File: core/tests/e2e_tool_test.go:29-30
Timestamp: 2025-06-04T04:58:12.239Z
Learning: In the Bifrost project, environment variables should be used only for secrets (like API keys), not for general configuration. Test parameters like provider and model can be hardcoded at the start of test files for predictability and consistency.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#55
File: core/providers/anthropic.go:358-388
Timestamp: 2025-06-04T05:37:59.699Z
Learning: User Pratham-Mishra04 prefers not to extract small code duplications (around 2 lines) into helper functions, considering the overhead not worth it for such minor repetition.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#102
File: README.md:62-66
Timestamp: 2025-06-19T17:03:03.639Z
Learning: Pratham-Mishra04 prefers using the implicit 'latest' tag for the maximhq/bifrost Docker image rather than pinning to specific versions.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#143
File: core/mcp.go:155-196
Timestamp: 2025-07-08T15:33:47.698Z
Learning: Pratham-Mishra04 prefers not to add explanatory comments for obvious code patterns, such as the unlock/lock strategy around network I/O operations, considering them self-explanatory to experienced developers.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#138
File: docs/usage/go-package/mcp.md:408-412
Timestamp: 2025-07-01T12:40:08.576Z
Learning: Pratham-Mishra04 is okay with keeping bullet list formatting that uses colons after dashes in markdown documentation, even if it triggers linter warnings, preferring functionality over strict formatting rules.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#150
File: transports/bifrost-http/lib/store.go:370-466
Timestamp: 2025-07-09T04:58:08.229Z
Learning: Pratham-Mishra04 prefers not to add logging or error handling for unreachable code paths in the Bifrost project. When provider types or similar entities are predefined in the system, defensive programming like logging in default cases is considered unnecessary overhead.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#162
File: tests/core-providers/scenarios/chat_completion_stream.go:103-105
Timestamp: 2025-07-16T04:26:09.288Z
Learning: Pratham-Mishra04 prefers to keep test code simple when it serves its basic functional purpose. For tests that are meant to validate core functionality (like verifying streaming works), they consider hard-coded reasonable limits acceptable rather than making them configurable.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#148
File: transports/bifrost-http/lib/store.go:880-910
Timestamp: 2025-07-08T17:14:21.544Z
Learning: Pratham-Mishra04 prefers resilient system design where missing environment variables for MCP connections should not cause complete system failure. The system should continue processing other MCP connections even when some fail, maintaining partial functionality rather than implementing fail-fast behavior.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#138
File: transports/README.md:26-28
Timestamp: 2025-07-01T12:45:06.906Z
Learning: Pratham-Mishra04 prefers keeping documentation examples simple and concise, trusting users to handle production-specific considerations like version pinning themselves rather than cluttering examples with additional notes.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#148
File: transports/bifrost-http/lib/store.go:1081-1098
Timestamp: 2025-07-08T17:16:50.811Z
Learning: Pratham-Mishra04 prefers practical redaction approaches over theoretical security improvements when the threat model is low-risk, such as admin-only interfaces in the Bifrost project. Fixed-length redaction is acceptable when only trusted administrators will see the redacted values.

ci/scripts/upload-builds.mjs (2)

Learnt from: Pratham-Mishra04
PR: #158
File: ci/scripts/upload-builds.mjs:57-85
Timestamp: 2025-07-18T11:01:07.321Z
Learning: The Bifrost project's upload-builds.mjs script handles around 10 uploads only, making the current serial approach with 500ms delays acceptable for the pipeline performance (total ~5 seconds delay).

Learnt from: Pratham-Mishra04
PR: #131
File: transports/bifrost-http/lib/config.go:35-68
Timestamp: 2025-06-26T07:37:24.385Z
Learning: In the Bifrost project's MCP configuration handling, empty environment variables should be treated as missing/invalid rather than as valid empty values. The current implementation using os.Getenv(envKey); envValue != "" to check for non-empty values is the desired behavior.

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#158
File: .github/workflows/transports-release.yml:30-43
Timestamp: 2025-07-18T11:12:28.861Z
Learning: Pratham-Mishra04 relies on branch protection rules and mandatory code reviews for security in the bifrost repository, preferring process controls over technical security measures like environment variable isolation for GitHub Actions workflows. All commits are reviewed before merging to main branch.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#103
File: .github/workflows/transport-dependency-update.yml:30-36
Timestamp: 2025-06-19T16:57:25.177Z
Learning: In the bifrost repository, Pratham-Mishra04 prefers to keep GitHub Actions workflows lean and trusts their controlled tagging process for core releases, avoiding unnecessary validation steps that they consider overkill.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#84
File: transports/bifrost-http/main.go:2-2
Timestamp: 2025-06-15T16:05:13.489Z
Learning: For the Bifrost project, HTTP transport integration routers for new providers (like Mistral and Ollama) are implemented in separate PRs from the core provider support, following a focused PR strategy.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#141
File: core/bifrost.go:198-272
Timestamp: 2025-07-08T18:30:08.258Z
Learning: Pratham-Mishra04 follows a pattern of implementing core functionality first and deferring non-critical improvements (like race condition fixes, optimizations) to later PRs. This is a reasonable development approach that prioritizes getting the main feature working before addressing edge cases.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#159
File: ci/npx/package.json:22-23
Timestamp: 2025-07-18T11:07:56.674Z
Learning: In the Bifrost project, Pratham-Mishra04 publishes the npm package by running `npm publish` from inside the `ci/npx` directory rather than from the repository root, and prefers not to use a `files` field to restrict the published package contents.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#159
File: ci/npx/bin.js:93-108
Timestamp: 2025-07-18T10:58:16.118Z
Learning: In the Bifrost project, Pratham-Mishra04 relies on infrastructure-level security (private bucket hosting with verification) for binary distribution rather than implementing client-side integrity checks in the npx wrapper script. They consider this approach sufficient for their threat model.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#131
File: transports/bifrost-http/lib/config.go:35-68
Timestamp: 2025-06-26T07:37:24.385Z
Learning: In the Bifrost project's MCP configuration handling, empty environment variables should be treated as missing/invalid rather than as valid empty values. The current implementation using `os.Getenv(envKey); envValue != ""` to check for non-empty values is the desired behavior.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#97
File: transports/Dockerfile:37-42
Timestamp: 2025-06-19T09:06:25.750Z
Learning: In Docker configurations for this project, plugin-specific environment variables (like MAXIM_LOG_REPO_ID) should not be included in the Dockerfile's ENV section. The architectural goal is to keep Docker images plugin-agnostic and externalize all plugin configuration to runtime via docker run -e flags, rather than baking plugin config into the image.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#158
File: ci/scripts/upload-builds.mjs:57-85
Timestamp: 2025-07-18T11:01:07.321Z
Learning: The Bifrost project's upload-builds.mjs script handles around 10 uploads only, making the current serial approach with 500ms delays acceptable for the pipeline performance (total ~5 seconds delay).

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#55
File: core/tests/e2e_tool_test.go:29-30
Timestamp: 2025-06-04T04:58:12.239Z
Learning: In the Bifrost project, environment variables should be used only for secrets (like API keys), not for general configuration. Test parameters like provider and model can be hardcoded at the start of test files for predictability and consistency.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#55
File: core/providers/anthropic.go:358-388
Timestamp: 2025-06-04T05:37:59.699Z
Learning: User Pratham-Mishra04 prefers not to extract small code duplications (around 2 lines) into helper functions, considering the overhead not worth it for such minor repetition.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#102
File: README.md:62-66
Timestamp: 2025-06-19T17:03:03.639Z
Learning: Pratham-Mishra04 prefers using the implicit 'latest' tag for the maximhq/bifrost Docker image rather than pinning to specific versions.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#143
File: core/mcp.go:155-196
Timestamp: 2025-07-08T15:33:47.698Z
Learning: Pratham-Mishra04 prefers not to add explanatory comments for obvious code patterns, such as the unlock/lock strategy around network I/O operations, considering them self-explanatory to experienced developers.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#138
File: docs/usage/go-package/mcp.md:408-412
Timestamp: 2025-07-01T12:40:08.576Z
Learning: Pratham-Mishra04 is okay with keeping bullet list formatting that uses colons after dashes in markdown documentation, even if it triggers linter warnings, preferring functionality over strict formatting rules.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#150
File: transports/bifrost-http/lib/store.go:370-466
Timestamp: 2025-07-09T04:58:08.229Z
Learning: Pratham-Mishra04 prefers not to add logging or error handling for unreachable code paths in the Bifrost project. When provider types or similar entities are predefined in the system, defensive programming like logging in default cases is considered unnecessary overhead.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#162
File: tests/core-providers/scenarios/chat_completion_stream.go:103-105
Timestamp: 2025-07-16T04:26:09.288Z
Learning: Pratham-Mishra04 prefers to keep test code simple when it serves its basic functional purpose. For tests that are meant to validate core functionality (like verifying streaming works), they consider hard-coded reasonable limits acceptable rather than making them configurable.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#148
File: transports/bifrost-http/lib/store.go:880-910
Timestamp: 2025-07-08T17:14:21.544Z
Learning: Pratham-Mishra04 prefers resilient system design where missing environment variables for MCP connections should not cause complete system failure. The system should continue processing other MCP connections even when some fail, maintaining partial functionality rather than implementing fail-fast behavior.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#138
File: transports/README.md:26-28
Timestamp: 2025-07-01T12:45:06.906Z
Learning: Pratham-Mishra04 prefers keeping documentation examples simple and concise, trusting users to handle production-specific considerations like version pinning themselves rather than cluttering examples with additional notes.

Learnt from: Pratham-Mishra04
PR: maximhq/bifrost#148
File: transports/bifrost-http/lib/store.go:1081-1098
Timestamp: 2025-07-08T17:16:50.811Z
Learning: Pratham-Mishra04 prefers practical redaction approaches over theoretical security improvements when the threat model is low-risk, such as admin-only interfaces in the Bifrost project. Fixed-length redaction is acceptable when only trusted administrators will see the redacted values.

ci/scripts/upload-builds.mjs (2)

Learnt from: Pratham-Mishra04
PR: #158
File: ci/scripts/upload-builds.mjs:57-85
Timestamp: 2025-07-18T11:01:07.321Z
Learning: The Bifrost project's upload-builds.mjs script handles around 10 uploads only, making the current serial approach with 500ms delays acceptable for the pipeline performance (total ~5 seconds delay).

Learnt from: Pratham-Mishra04
PR: #131
File: transports/bifrost-http/lib/config.go:35-68
Timestamp: 2025-06-26T07:37:24.385Z
Learning: In the Bifrost project's MCP configuration handling, empty environment variables should be treated as missing/invalid rather than as valid empty values. The current implementation using os.Getenv(envKey); envValue != "" to check for non-empty values is the desired behavior.

🔇 Additional comments (2)

ci/scripts/upload-builds.mjs (1)

63-83: Excellent debug logging implementation for credential validation.

The enhanced environment variable validation provides comprehensive debugging while maintaining security:

• Masked value display: Shows enough information to verify credentials without exposing sensitive data
• Length validation: Helps identify truncated or malformed secrets
• Whitespace detection: Directly addresses the PR's objective by flagging common formatting issues
• Immediate failure: Fail-fast approach prevents unnecessary processing with invalid credentials

The masking strategy (first 2 + last 2 characters for longer values) strikes a good balance between debugging utility and security.

.github/workflows/transports-release.yml (1)

148-151: Clean and effective whitespace trimming for R2 credentials.

The implementation correctly addresses the authentication failure issues by:

• Comprehensive cleaning: tr -d '[:space:]' removes all whitespace characters (spaces, tabs, newlines)
• Proper re-export: Variables are cleanly re-exported for downstream usage
• Targeted application: Applied specifically to the R2 credentials that were causing issues

This pairs perfectly with the enhanced validation in upload-builds.mjs to provide both prevention and detection of credential formatting issues.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 07-23-fix_upload_build_script_fixes

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Pratham-Mishra04]

• ci: trim whitespace from R2 secrets and improve debug logging #189 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.