fix(ci): unblock deploy pipeline — lint, test, and marketing build#3577
fix(ci): unblock deploy pipeline — lint, test, and marketing build#3577
Conversation
📝 WalkthroughWalkthroughTwo GitHub Actions workflows are updated to pass the Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Greptile SummaryThis PR fixes three independent CI/deploy blockers that have caused 33 consecutive production deploy failures since Apr 16: a Biome lint indentation regression in Key changes:
Confidence Score: 4/5Safe to merge for unblocking CI; one targeted follow-up is needed to align the preview marketing deploy with the per-PR Neon branch pattern used by all other preview jobs. Three of the four changes are clean, targeted, and clearly correct. The lint fix, test update, and production workflow change are all sound. The preview workflow change resolves the immediate crash (undefined DATABASE_URL) and will fix the marketing deploy, but it inconsistently uses a static secret instead of the per-PR Neon branch URL that every other preview service uses. This is a P1 concern (potential production DB access from preview), but it doesn't regress anything that was working before and unblocks 33 consecutive failures, so a 4 is appropriate.
|
| Filename | Overview |
|---|---|
| .github/workflows/deploy-preview.yml | Adds DATABASE_URL/DATABASE_URL_UNPOOLED to the marketing deploy job, but sources them from static secrets rather than the per-PR Neon branch artifact used by all other preview jobs — potentially connecting marketing previews to the production database. |
| .github/workflows/deploy-production.yml | Adds DATABASE_URL and DATABASE_URL_UNPOOLED from secrets to the production marketing deploy job; correct for production since there is only one database. |
| apps/desktop/src/main/lib/notifications/notification-manager.test.ts | Updates two test assertions to match the new notification strings ("Awaiting Response" / "is waiting for your reply" and "Agent Complete" / "has finished its task"), unblocking CI. |
| apps/desktop/src/lib/trpc/routers/workspaces/utils/git.ts | One-line Biome lint fix: corrects indentation of a ternary continuation at line 1794–1795 to satisfy the linter after the PR #3232 regression. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
DB[deploy-database\nCreates per-PR Neon branch\nUploads database-status artifact]
DB --> API[deploy-api\nDownloads artifact\nUses per-PR DATABASE_URL ✅]
DB --> WEB[deploy-web\nDownloads artifact\nUses per-PR DATABASE_URL ✅]
DB --> ADMIN[deploy-admin\nDownloads artifact\nUses per-PR DATABASE_URL ✅]
DB --> MKT[deploy-marketing\nNo artifact download\nUses static secrets.DATABASE_URL ⚠️]
style MKT fill:#ffcccc,stroke:#cc0000
Prompt To Fix All With AI
This is a comment left during a code review.
Path: .github/workflows/deploy-preview.yml
Line: 445-446
Comment:
**Preview marketing uses production DB instead of per-PR Neon branch**
The marketing deploy job in the preview workflow uses `secrets.DATABASE_URL` (a static, presumably production-pointing secret) rather than the dynamic per-PR Neon branch URL created by the `deploy-database` job.
Every other preview service (API at line 171, web at line 336–337, admin at line 555–556) downloads the `database-status` artifact and sets the URL from the per-PR branch:
```yaml
- name: Download database info
uses: actions/download-artifact@v4
with:
name: database-status
- name: Load database URL
run: |
source database-status.env
echo "DATABASE_URL=$DATABASE_URL" >> $GITHUB_ENV
echo "DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED" >> $GITHUB_ENV
```
But the marketing job skips those steps and pulls from a static secret instead. This means preview marketing deployments will connect to the shared/production database rather than the isolated per-PR preview branch, which could expose production data in previews or, worse, allow preview writes to reach production data. If this is intentional (e.g., marketing is read-only), a comment explaining the reasoning would be helpful.
How can I resolve this? If you propose a fix, please make it concise.Reviews (1): Last reviewed commit: "fix(ci): unblock deploy pipeline — lint,..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| DATABASE_URL: ${{ secrets.DATABASE_URL }} | ||
| DATABASE_URL_UNPOOLED: ${{ secrets.DATABASE_URL_UNPOOLED }} |
There was a problem hiding this comment.
The marketing deploy job in the preview workflow uses secrets.DATABASE_URL (a static, presumably production-pointing secret) rather than the dynamic per-PR Neon branch URL created by the deploy-database job.
Every other preview service (API at line 171, web at line 336–337, admin at line 555–556) downloads the database-status artifact and sets the URL from the per-PR branch:
- name: Download database info
uses: actions/download-artifact@v4
with:
name: database-status
- name: Load database URL
run: |
source database-status.env
echo "DATABASE_URL=$DATABASE_URL" >> $GITHUB_ENV
echo "DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED" >> $GITHUB_ENVBut the marketing job skips those steps and pulls from a static secret instead. This means preview marketing deployments will connect to the shared/production database rather than the isolated per-PR preview branch, which could expose production data in previews or, worse, allow preview writes to reach production data. If this is intentional (e.g., marketing is read-only), a comment explaining the reasoning would be helpful.
Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/deploy-preview.yml
Line: 445-446
Comment:
**Preview marketing uses production DB instead of per-PR Neon branch**
The marketing deploy job in the preview workflow uses `secrets.DATABASE_URL` (a static, presumably production-pointing secret) rather than the dynamic per-PR Neon branch URL created by the `deploy-database` job.
Every other preview service (API at line 171, web at line 336–337, admin at line 555–556) downloads the `database-status` artifact and sets the URL from the per-PR branch:
```yaml
- name: Download database info
uses: actions/download-artifact@v4
with:
name: database-status
- name: Load database URL
run: |
source database-status.env
echo "DATABASE_URL=$DATABASE_URL" >> $GITHUB_ENV
echo "DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED" >> $GITHUB_ENV
```
But the marketing job skips those steps and pulls from a static secret instead. This means preview marketing deployments will connect to the shared/production database rather than the isolated per-PR preview branch, which could expose production data in previews or, worse, allow preview writes to reach production data. If this is intentional (e.g., marketing is read-only), a comment explaining the reasoning would be helpful.
How can I resolve this? If you propose a fix, please make it concise.![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/deploy-preview.yml:
- Around line 445-446: The preview deploy is sourcing DATABASE_URL and
DATABASE_URL_UNPOOLED from secrets instead of the per-PR Neon branch artifact;
update the job to consume the deploy-database artifact's database-status.env (as
the API/Web/Admin preview jobs do) and set DATABASE_URL and
DATABASE_URL_UNPOOLED from that env file instead of ${{ secrets.DATABASE_URL }}
/ ${{ secrets.DATABASE_URL_UNPOOLED }}; ensure the job has a step that downloads
the deploy-database artifact and uses the env file, and make the same change for
the other occurrence noted (the lines around the second DATABASE_URL /
DATABASE_URL_UNPOOLED pair).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 66a3503d-c644-4a5d-b786-09cb9e34bdfc
📒 Files selected for processing (4)
.github/workflows/deploy-preview.yml.github/workflows/deploy-production.ymlapps/desktop/src/lib/trpc/routers/workspaces/utils/git.tsapps/desktop/src/main/lib/notifications/notification-manager.test.ts
| DATABASE_URL: ${{ secrets.DATABASE_URL }} | ||
| DATABASE_URL_UNPOOLED: ${{ secrets.DATABASE_URL_UNPOOLED }} |
There was a problem hiding this comment.
Use the PR Neon branch for preview marketing DB envs.
Line 445 sources the preview marketing DB from secrets instead of the deploy-database artifact, so this deploy can bypass the per-PR Neon branch and miss PR-specific migrations/isolation. Since this job already depends on deploy-database, load database-status.env like the API/Web/Admin preview jobs.
🔧 Proposed fix
- name: Setup Bun
id: setup-bun
uses: oven-sh/setup-bun@v2
with:
bun-version-file: .bun-version
+ - name: Download database info
+ uses: actions/download-artifact@v4
+ with:
+ name: database-status
+
+ - name: Load database URL
+ run: |
+ source database-status.env
+ echo "DATABASE_URL=$DATABASE_URL" >> $GITHUB_ENV
+ echo "DATABASE_URL_UNPOOLED=$DATABASE_URL_UNPOOLED" >> $GITHUB_ENV
+
- name: Cache dependencies
uses: actions/cache@v4
with:
path: ~/.bun/install/cache
key: ${{ runner.os }}-bun-${{ steps.setup-bun.outputs.bun-revision }}-${{ hashFiles('bun.lock') }}
@@
- DATABASE_URL: ${{ secrets.DATABASE_URL }}
- DATABASE_URL_UNPOOLED: ${{ secrets.DATABASE_URL_UNPOOLED }}
+ DATABASE_URL: ${{ env.DATABASE_URL }}
+ DATABASE_URL_UNPOOLED: ${{ env.DATABASE_URL_UNPOOLED }}Also applies to: 470-471
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/deploy-preview.yml around lines 445 - 446, The preview
deploy is sourcing DATABASE_URL and DATABASE_URL_UNPOOLED from secrets instead
of the per-PR Neon branch artifact; update the job to consume the
deploy-database artifact's database-status.env (as the API/Web/Admin preview
jobs do) and set DATABASE_URL and DATABASE_URL_UNPOOLED from that env file
instead of ${{ secrets.DATABASE_URL }} / ${{ secrets.DATABASE_URL_UNPOOLED }};
ensure the job has a step that downloads the deploy-database artifact and uses
the env file, and make the same change for the other occurrence noted (the lines
around the second DATABASE_URL / DATABASE_URL_UNPOOLED pair).
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
🚀 Preview Deployment🔗 Preview Links
Preview updates automatically with new commits |
Kitenite
force-pushed
the
fix/ci-deploy-pipeline
branch
from
8a99a84 to
ab1b641
Compare
Kitenite
changed the title
Kitenite
force-pushed
the
fix/ci-deploy-pipeline
branch
from
ab1b641 to
2f78ce0
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/deploy-preview.yml (1)
464-470:⚠️ Potential issue | 🟠 MajorDon’t point preview marketing at the shared database secret.
Line 464 sources
DATABASE_URLfrom secrets even though this job depends on the per-PR Neon branch. That bypasses preview isolation and can run PR code against shared/prod data. Given this PR’s stated approach, remove the DB injection; if marketing truly needs runtime DB access, loaddatabase-status.envand use the per-PR URL instead.🔧 Proposed fix matching the dynamic-import/no-DB-credentials objective
- DATABASE_URL: ${{ secrets.DATABASE_URL }} run: | vercel pull --yes --environment=preview --token=$VERCEL_TOKEN vercel build --token=$VERCEL_TOKEN VERCEL_URL=$(vercel deploy --prebuilt --archive=tgz --token=$VERCEL_TOKEN \ --env BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET \ - --env DATABASE_URL=$DATABASE_URL \ --env NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL \🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/deploy-preview.yml around lines 464 - 470, The deploy step is injecting the shared secret DATABASE_URL into preview deploys; remove the --env DATABASE_URL=$DATABASE_URL argument from the vercel deploy invocation (the lines creating VERCEL_URL and the vercel deploy call) so previews do not point at the shared DB, and if runtime DB access is required load the per-PR URL from database-status.env and pass that value instead (or omit DB injection entirely) so the deploy uses the per-PR Neon branch URL rather than the secret.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/deploy-production.yml:
- Around line 323-329: The workflow is passing DATABASE_URL into the marketing
Vercel deploy which reintroduces production DB exposure; remove the --env
DATABASE_URL=$DATABASE_URL flag from the vercel deploy invocation (and any
DATABASE_URL entries in the surrounding env mapping) so only BETTER_AUTH_SECRET
is forwarded, and confirm the marketing runtime (build/deploy logic) gracefully
handles missing DB credentials when auth/server DB code is dynamically omitted;
locate the vercel deploy command and the env block that currently reference
DATABASE_URL to make this change.
---
Duplicate comments:
In @.github/workflows/deploy-preview.yml:
- Around line 464-470: The deploy step is injecting the shared secret
DATABASE_URL into preview deploys; remove the --env DATABASE_URL=$DATABASE_URL
argument from the vercel deploy invocation (the lines creating VERCEL_URL and
the vercel deploy call) so previews do not point at the shared DB, and if
runtime DB access is required load the per-PR URL from database-status.env and
pass that value instead (or omit DB injection entirely) so the deploy uses the
per-PR Neon branch URL rather than the secret.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c510b8df-215b-4325-8425-de1a057f8316
📒 Files selected for processing (5)
.github/workflows/deploy-preview.yml.github/workflows/deploy-production.ymlapps/desktop/src/lib/trpc/routers/workspaces/utils/git.tsapps/desktop/src/main/lib/notifications/notification-manager.test.tsapps/marketing/src/app/components/CTAButtons/CTAButtons.tsx
✅ Files skipped from review due to trivial changes (3)
- apps/desktop/src/lib/trpc/routers/workspaces/utils/git.ts
- apps/desktop/src/main/lib/notifications/notification-manager.test.ts
- apps/marketing/src/app/components/CTAButtons/CTAButtons.tsx
| DATABASE_URL: ${{ secrets.DATABASE_URL }} | ||
| run: | | ||
| vercel pull --yes --environment=production --token=$VERCEL_TOKEN | ||
| vercel build --prod --token=$VERCEL_TOKEN | ||
| vercel deploy --prod --prebuilt --archive=tgz --token=$VERCEL_TOKEN \ | ||
| --env BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET \ | ||
| --env DATABASE_URL=$DATABASE_URL \ |
There was a problem hiding this comment.
Remove the production DB secret from the marketing deploy.
This reintroduces DATABASE_URL into the marketing workflow, which expands secret exposure and conflicts with the stated dynamic-import fix that avoids adding DB credentials. If the marketing runtime should fail gracefully when auth/server DB code is unavailable, don’t pass the app database URL here.
🔧 Proposed fix
- DATABASE_URL: ${{ secrets.DATABASE_URL }}
run: |
vercel pull --yes --environment=production --token=$VERCEL_TOKEN
vercel build --prod --token=$VERCEL_TOKEN
vercel deploy --prod --prebuilt --archive=tgz --token=$VERCEL_TOKEN \
--env BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET \
- --env DATABASE_URL=$DATABASE_URL \
--env NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL \📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| DATABASE_URL: ${{ secrets.DATABASE_URL }} | |
| run: | | |
| vercel pull --yes --environment=production --token=$VERCEL_TOKEN | |
| vercel build --prod --token=$VERCEL_TOKEN | |
| vercel deploy --prod --prebuilt --archive=tgz --token=$VERCEL_TOKEN \ | |
| --env BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET \ | |
| --env DATABASE_URL=$DATABASE_URL \ | |
| run: | | |
| vercel pull --yes --environment=production --token=$VERCEL_TOKEN | |
| vercel build --prod --token=$VERCEL_TOKEN | |
| vercel deploy --prod --prebuilt --archive=tgz --token=$VERCEL_TOKEN \ | |
| --env BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET \ |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/deploy-production.yml around lines 323 - 329, The workflow
is passing DATABASE_URL into the marketing Vercel deploy which reintroduces
production DB exposure; remove the --env DATABASE_URL=$DATABASE_URL flag from
the vercel deploy invocation (and any DATABASE_URL entries in the surrounding
env mapping) so only BETTER_AUTH_SECRET is forwarded, and confirm the marketing
runtime (build/deploy logic) gracefully handles missing DB credentials when
auth/server DB code is dynamically omitted; locate the vercel deploy command and
the env block that currently reference DATABASE_URL to make this change.
Add DATABASE_URL to marketing deploy steps in both production and preview workflows so the auth session check works at runtime and logged-in users correctly see the Dashboard link. Co-Authored-By: Mastra Code (anthropic/claude-opus-4-6) <noreply@mastra.ai>
Kitenite
force-pushed
the
fix/ci-deploy-pipeline
branch
from
2f78ce0 to
c222ccf
Compare
There was a problem hiding this comment.
♻️ Duplicate comments (1)
.github/workflows/deploy-production.yml (1)
323-329:⚠️ Potential issue | 🟠 MajorDATABASE_URL in marketing deploy contradicts the stated fix.
The PR description explicitly says it does not add
DATABASE_URLto marketing workflows and relies on the dynamic-import fix inCTAButtonsto defer DB init to runtime. But this hunk injectsDATABASE_URLinto the marketing job env (Line 323) and forwards it via--env DATABASE_URL=$DATABASE_URL(Line 329), which both expands production DB secret exposure into the marketing surface and defeats the purpose of the dynamic-import change. If the dynamic import works, this is unnecessary; if it doesn't, fix the runtime code rather than leaking credentials.🔧 Proposed fix
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - DATABASE_URL: ${{ secrets.DATABASE_URL }} run: | vercel pull --yes --environment=production --token=$VERCEL_TOKEN vercel build --prod --token=$VERCEL_TOKEN vercel deploy --prod --prebuilt --archive=tgz --token=$VERCEL_TOKEN \ --env BETTER_AUTH_SECRET=$BETTER_AUTH_SECRET \ - --env DATABASE_URL=$DATABASE_URL \ --env NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL \🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/deploy-production.yml around lines 323 - 329, This change reintroduces the DATABASE_URL secret into the marketing deployment and the vercel deploy command, contradicting the intended fix; remove the DATABASE_URL environment mapping and the --env DATABASE_URL=$DATABASE_URL flag from the marketing job (the vercel pull/build/deploy block) so the production DB secret is not forwarded, and keep reliance on the CTAButtons dynamic-import runtime fix; if deployment still needs a build-time value, instead ensure CTAButtons defers DB init at runtime rather than adding DATABASE_URL back into the vercel deploy invocation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/deploy-production.yml:
- Around line 323-329: This change reintroduces the DATABASE_URL secret into the
marketing deployment and the vercel deploy command, contradicting the intended
fix; remove the DATABASE_URL environment mapping and the --env
DATABASE_URL=$DATABASE_URL flag from the marketing job (the vercel
pull/build/deploy block) so the production DB secret is not forwarded, and keep
reliance on the CTAButtons dynamic-import runtime fix; if deployment still needs
a build-time value, instead ensure CTAButtons defers DB init at runtime rather
than adding DATABASE_URL back into the vercel deploy invocation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 12ba2047-373b-417a-b095-4f85aa5d7d81
📒 Files selected for processing (2)
.github/workflows/deploy-preview.yml.github/workflows/deploy-production.yml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/deploy-preview.yml
1 participant
Summary
Fixes three issues blocking CI and marketing site deployment.
Changes
Biome lint fix —
git.tsline 1794 ternary exceeded line length (regression from PR fix: fall back to FETCH_HEAD when gh pr checkout fails for branch names with / #3232)Stale test fix —
NotificationManagertest expected old notification strings ("Input Needed" / "needs your attention") but the implementation now uses ("Awaiting Response" / "is waiting for your reply")Marketing build fix —
CTAButtonshad a top-levelimport { auth } from "@superset/auth/server"which triggered the full auth → db →neon()module chain at evaluation time. During Next.js static page generation (e.g./_not-found),DATABASE_URLisn't available andneon()throws. Converted to a dynamic import inside the existing try-catch so the DB init is deferred to runtime and fails gracefully when there's no session to check.NOT done: adding DATABASE_URL to marketing workflows
The marketing site doesn't need direct DB access — it only uses auth to check session status for the CTA button. A dynamic import is the correct fix rather than exposing database credentials to the marketing deploy.
Test Plan
git.tsSummary by CodeRabbit