fix(ci): change less important jobs to gha runners

[imeyer]

What does this PR do?

Fixes # (issue)

If there is not an issue for this, please create one first. This is used to tracking purposes and also helps use understand why this PR exists

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• Test A
• Test B

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

Summary by CodeRabbit

• Chores
  • Updated all GitHub Actions workflows to use the default GitHub-hosted runner environment for improved consistency.
  • Minor formatting adjustments in workflow configuration files.
  • Updated output message in the test process to simplify information displayed to users.
  • Adjusted test workflow timeout durations for better efficiency.
  • Switched a service in the deployment configuration to use a fixed pre-built container image.
  • Removed a service from the deployment configuration for streamlined setup.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1dbfd5c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

This change updates multiple GitHub Actions workflow files to switch the runner environment from a custom self-hosted runner labeled blacksmith-4vcpu-ubuntu-2404 to the standard GitHub-hosted runner ubuntu-latest. Additionally, there are minor formatting changes in some workflow files, timeout adjustments in two test workflows, and a simplification of an output message in the Go Makefile. The Docker Compose configuration for the planetscale service was also updated to use a pre-built image instead of a local build.

Changes

Cohort / File(s)	Change Summary
Workflow Runner Environment Updates .github/workflows/agent_build_publish.yaml, .github/workflows/apply-issue-labels-to-pr.yml, .github/workflows/autofix.ci.yaml, .github/workflows/build.yaml, .github/workflows/check_quotas.yml, .github/workflows/deploy.yaml, .github/workflows/deploy_trigger.yaml, .github/workflows/ghcr_retention_policy.yaml, .github/workflows/job_build_agent_image.yaml, .github/workflows/job_deploy_api_canary.yaml, .github/workflows/job_deploy_api_enterprise.yaml, .github/workflows/job_deploy_api_production.yaml, .github/workflows/job_deploy_api_staging.yaml, .github/workflows/job_deploy_logdrain_production.yaml, .github/workflows/job_deploy_workflows.yaml, .github/workflows/job_detect_changes.yaml, .github/workflows/job_test_api_canary.yaml, .github/workflows/job_test_api_staging.yaml, .github/workflows/job_test_unit.yaml, .github/workflows/release.yaml, .github/workflows/runbook-freshness-check.yaml, .github/workflows/semantic-pull-requests.yaml	Changed the runs-on attribute from a custom self-hosted runner to ubuntu-latest in all listed workflows. Some files also include minor formatting updates.
Workflow Timeout Adjustments and Runner Upgrades .github/workflows/job_test_api_local.yaml, .github/workflows/job_test_go_api_local.yaml	Adjusted timeout durations: reduced from 60 to 25 minutes for API Test Local job; increased from 15 to 25 minutes for Test Go API Local job. Changed runner to more powerful variants for these jobs and added Docker Buildx setup steps.
Makefile Output Message Update go/Makefile	Simplified the output message for the test-full target by removing notes about test duration and alternative commands.
Docker Compose Service Update deployment/docker-compose.yaml	Changed the planetscale service to use a fixed pre-built image (ghcr.io/planetscale/cli:v0.0.12) instead of building locally; removed the chproxy service; reformatted Clickhouse healthcheck command without functional change.

Sequence Diagram(s)

Not applicable—changes are limited to configuration updates and do not affect control flow or feature logic.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Possibly related PRs

• ci: Update ghcr_retention_policy.yaml #3448: Also modifies .github/workflows/ghcr_retention_policy.yaml, but focuses on pruning parameters and dry-run mode, not runner environment.

Suggested reviewers

• perkinsjr
• mcstepp
• MichaelUnkey
• ogzhanolguncu
• chronark

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2526ce2 and 1dbfd5c.

📒 Files selected for processing (2)

• .github/workflows/job_test_api_local.yaml (1 hunks)
• .github/workflows/job_test_go_api_local.yaml (2 hunks)

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/job_detect_changes.yaml:111-114
Timestamp: 2025-08-08T16:10:00.198Z
Learning: Repo: unkeyed/unkey — When imeyer writes “make me an issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3765
File: .github/workflows/job_detect_changes.yaml:43-43
Timestamp: 2025-08-08T19:52:42.073Z
Learning: In the unkeyed/unkey repository, the workflows `.github/workflows/job_test_api_local.yaml` and `.github/workflows/job_test_go_api_local.yaml` should keep their Blacksmith self-hosted runners (blacksmith-4vcpu-ubuntu-2404 and blacksmith-8vcpu-ubuntu-2404 respectively) as these are performance-critical test jobs that require dedicated resources.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:37-40
Timestamp: 2025-08-08T16:07:48.284Z
Learning: Repo unkeyed/unkey — pnpm immutable installs are enforced by setting the CI environment variable; any truthy value (e.g., "1" or "true") is acceptable. Do not require the literal string "true". Applies to .github/actions/setup-node/action.yaml and all workflows using pnpm install.

Learnt from: MichaelUnkey
PR: unkeyed/unkey#3103
File: apps/dashboard/app/(app)/settings/general/page.tsx:36-36
Timestamp: 2025-04-14T13:39:22.635Z
Learning: The Unkey team uses Linear for issue tracking rather than GitHub Issues.

📚 Learning: 2025-08-08T19:52:42.073Z

Learnt from: imeyer
PR: unkeyed/unkey#3765
File: .github/workflows/job_detect_changes.yaml:43-43
Timestamp: 2025-08-08T19:52:42.073Z
Learning: In the unkeyed/unkey repository, the workflows `.github/workflows/job_test_api_local.yaml` and `.github/workflows/job_test_go_api_local.yaml` should keep their Blacksmith self-hosted runners (blacksmith-4vcpu-ubuntu-2404 and blacksmith-8vcpu-ubuntu-2404 respectively) as these are performance-critical test jobs that require dedicated resources.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/job_test_api_local.yaml

📚 Learning: 2025-08-08T14:58:20.118Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:22-27
Timestamp: 2025-08-08T14:58:20.118Z
Learning: Preference: Keep Node version hardcoded to lts/* in .github/actions/setup-node/action.yaml; do not add a node_version input to this composite action unless requirements change.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/job_test_api_local.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/Makefile : Use `make build` to test that the binary builds.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Do not remove `AIDEV-*`s without explicit human instruction.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/job_test_api_local.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

🪛 actionlint (1.7.7)

.github/workflows/job_test_go_api_local.yaml

9-9: label "blacksmith-16vcpu-ubuntu-2404" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/job_test_api_local.yaml

10-10: label "blacksmith-8vcpu-ubuntu-2404" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build / Build
• GitHub Check: Test Go API Local / Test
• GitHub Check: Test API / API Test Local
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (3)

.github/workflows/job_test_go_api_local.yaml (1)

10-10: Confirm timeout bump is sufficient and not excessive

Timeout increased to 25m. Please confirm recent average runtime and 95p so we’re not flirting with flakes or over-allocating.

If helpful, I can provide a script to pull recent run durations via gh and summarize percentiles.

.github/workflows/job_test_api_local.yaml (2)

9-9: Timeout cut to 25m — confirm historical headroom

Reducing from 60m to 25m risks flakes if env is loaded or retries occur. Please confirm recent durations (p95/p99) for this job.

I can provide a gh-based script to summarize last N run times for this workflow/job if you want automated confirmation.

---

13-14: Confirm necessity of Buildx setup

The docker compose up step will build images for all services with a build: context, and enabling DOCKER_BUILDKIT=1 and COMPOSE_DOCKER_CLI_BUILD=1 is sufficient for using BuildKit when the Buildx plugin is already present. If your self-hosted runner (blacksmith-8vcpu-ubuntu-2404) already includes the Buildx plugin and has a default builder, you can remove this setup to speed up the workflow. Otherwise, omitting it will cause image builds to fail.

Please verify on the runner that docker buildx version returns a valid version before deleting these lines.

• File: .github/workflows/job_test_api_local.yaml
• Lines: 13–14

-      - name: Set up Docker Buildx
-        uses: useblacksmith/setup-docker-builder@v1

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch push-oqnvvutwsyyv

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
dashboard	⬜️ Ignored (Inspect)	Visit Preview		Aug 8, 2025 8:19pm
engineering	⬜️ Ignored (Inspect)	Visit Preview		Aug 8, 2025 8:19pm

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[coderabbitai]

Actionable comments posted: 14

🔭 Outside diff range comments (1)

.github/workflows/job_deploy_api_enterprise.yaml (1)

38-41: Nit: normalize expression spacing in sed replacements

Standardize expression spacing for readability and to avoid accidental whitespace in replacements.

-          sed -i 's/__CUSTOM_NAME__/${{matrix.workers.name }}/g' ./wrangler.custom.toml
-          sed -i 's/__CUSTOM_DOMAIN__/${{matrix.workers.domain}}/g' ./wrangler.custom.toml
+          sed -i 's/__CUSTOM_NAME__/${{ matrix.workers.name }}/g' ./wrangler.custom.toml
+          sed -i 's/__CUSTOM_DOMAIN__/${{ matrix.workers.domain }}/g' ./wrangler.custom.toml

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7226cd7 and 3015826.

📒 Files selected for processing (25)

• .github/workflows/agent_build_publish.yaml (1 hunks)
• .github/workflows/apply-issue-labels-to-pr.yml (1 hunks)
• .github/workflows/autofix.ci.yaml (2 hunks)
• .github/workflows/build.yaml (1 hunks)
• .github/workflows/check_quotas.yml (1 hunks)
• .github/workflows/deploy.yaml (1 hunks)
• .github/workflows/deploy_trigger.yaml (1 hunks)
• .github/workflows/ghcr_retention_policy.yaml (1 hunks)
• .github/workflows/job_build_agent_image.yaml (1 hunks)
• .github/workflows/job_deploy_api_canary.yaml (1 hunks)
• .github/workflows/job_deploy_api_enterprise.yaml (1 hunks)
• .github/workflows/job_deploy_api_production.yaml (1 hunks)
• .github/workflows/job_deploy_api_staging.yaml (1 hunks)
• .github/workflows/job_deploy_logdrain_production.yaml (1 hunks)
• .github/workflows/job_deploy_workflows.yaml (1 hunks)
• .github/workflows/job_detect_changes.yaml (1 hunks)
• .github/workflows/job_test_api_canary.yaml (1 hunks)
• .github/workflows/job_test_api_local.yaml (1 hunks)
• .github/workflows/job_test_api_staging.yaml (1 hunks)
• .github/workflows/job_test_go_api_local.yaml (1 hunks)
• .github/workflows/job_test_unit.yaml (1 hunks)
• .github/workflows/release.yaml (2 hunks)
• .github/workflows/runbook-freshness-check.yaml (1 hunks)
• .github/workflows/semantic-pull-requests.yaml (1 hunks)
• go/Makefile (1 hunks)

🧰 Additional context used

🧠 Learnings (10)

📓 Common learnings

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/job_detect_changes.yaml:111-114
Timestamp: 2025-08-08T16:10:00.198Z
Learning: Repo: unkeyed/unkey — When imeyer writes “make me an issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/Makefile : Use `make build` to test that the binary builds.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/*/Makefile : Service-level makefile should be `<service>/Makefile`.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/Makefile : Global makefile should be `Makefile` at the repository root.

Applied to files:

• go/Makefile

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• go/Makefile
• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Use table-driven tests in Go

Applied to files:

• go/Makefile
• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-08-08T14:58:20.118Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:22-27
Timestamp: 2025-08-08T14:58:20.118Z
Learning: Preference: Keep Node version hardcoded to lts/* in .github/actions/setup-node/action.yaml; do not add a node_version input to this composite action unless requirements change.

Applied to files:

• .github/workflows/agent_build_publish.yaml
• .github/workflows/job_deploy_api_staging.yaml
• .github/workflows/job_test_unit.yaml
• .github/workflows/release.yaml
• .github/workflows/job_deploy_logdrain_production.yaml
• .github/workflows/job_deploy_api_production.yaml
• .github/workflows/job_deploy_workflows.yaml
• .github/workflows/autofix.ci.yaml
• .github/workflows/job_deploy_api_canary.yaml
• .github/workflows/job_build_agent_image.yaml

📚 Learning: 2025-08-08T15:37:14.711Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

Applied to files:

• .github/workflows/release.yaml
• .github/workflows/autofix.ci.yaml

📚 Learning: 2025-08-08T16:07:48.284Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:37-40
Timestamp: 2025-08-08T16:07:48.284Z
Learning: Repo unkeyed/unkey — pnpm immutable installs are enforced by setting the CI environment variable; any truthy value (e.g., "1" or "true") is acceptable. Do not require the literal string "true". Applies to .github/actions/setup-node/action.yaml and all workflows using pnpm install.

Applied to files:

• .github/workflows/release.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Run the linter and pnpm build after all TODOs

Applied to files:

• .github/workflows/autofix.ci.yaml

🪛 YAMLlint (1.37.1)

.github/workflows/job_deploy_api_enterprise.yaml

[error] 19-19: too many spaces inside braces

(braces)

---

[error] 19-19: too many spaces inside braces

(braces)

---

[error] 20-20: too many spaces inside braces

(braces)

---

[error] 20-20: too many spaces inside braces

(braces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test Go API Local / Test
• GitHub Check: Build / Build
• GitHub Check: Test API / API Test Local
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (14)

.github/workflows/job_test_go_api_local.yaml (1)

10-10: Verify workflow duration headroom

The duration-check script returned no successful runs—please manually verify that recent p95 execution times for “Test Go API Local” stay well under 25 minutes. If the p95 is ≥ ~20 m, consider one of the following:

• Bump the workflow-level timeout from 25 m to 30 m
• Or add a step-level timeout (e.g., 22 m) on the “Test” step so logs/artifacts still upload on timeout

Optional diff if bumping to 30 m:

- timeout-minutes: 25
+ timeout-minutes: 30

.github/workflows/job_test_api_local.yaml (1)

9-9: Verify timeout for full-stack API tests

25 minutes may be tight under load—please confirm historical runtimes (p95) for the “Test API Local” workflow:

• Location: .github/workflows/job_test_api_local.yaml:9 (timeout-minutes: 25)
• If p95 ≳ 25 m:
  • Keep 25 m but add step‐level timeouts (e.g., Build ≤ 12 m, Test ≤ 10 m) so “Dump logs”/“Upload logs” still run; or
  • Bump to 30–35 m:

    -timeout-minutes: 25
    +timeout-minutes: 30

• Confirm this job intentionally stays on the Blacksmith runner. If you plan to migrate to GitHub-hosted runners later, consider adding:

  concurrency:
    cancel-in-progress: true

.github/workflows/job_test_unit.yaml (1)

9-9: Runner switch to ubuntu-latest: looks good for unit tests

No self-hosted specifics in this job. Using the repo’s setup-node action aligns with the “keep Node at lts/*” preference; pnpm/CI semantics remain unchanged.

If unit tests were previously relying on higher CPU/memory from self-hosted runners, watch for timeouts. Consider adding job-level timeout-minutes if flakiness appears.

.github/workflows/job_deploy_api_staging.yaml (1)

12-12: Runner switch: verify wrangler install path on GH-hosted

setup-wrangler should provision on ubuntu-latest without relying on preinstalled tools. No other changes needed.

If deploy time increases on GH-hosted, consider adding caching in setup-wrangler (if not already handled) to speed up installs.

.github/workflows/semantic-pull-requests.yaml (1)

15-15: Runner change LGTM.

No functional changes to the validation logic; safe to run on ubuntu-latest.

.github/workflows/deploy.yaml (1)

65-65: Add retry logic to the deploy step and confirm Mintlify API IP restrictions

• GitHub-hosted runners use dynamic egress IPs, so if Mintlify employs an IP allowlist you’ll need to:
  • Confirm with Mintlify support or in their official docs that requests from GH-hosted runners aren’t blocked.
  • If they do restrict by IP, either request a static range or switch to a self-hosted runner with a fixed IP.

Harden the redeploy call against transient failures:

- name: Redeploy
  run: |
    n=0
    until [ $n -ge 5 ]; do
      curl --fail --retry 0 --max-time 30 --request POST \
        --url https://api.mintlify.com/v1/project/update/648b83e0e20b94f5a3e41a70 \
        --header "Authorization: Bearer ${{ secrets.MINTLIFY_API_KEY }}}" && break
      n=$((n+1))
      sleep $((2**n))
    done

.github/workflows/runbook-freshness-check.yaml (2)

20-20: Cron quote style change is a no-op. LGTM.
No functional impact moving from single to double quotes for the cron string.

---

24-24: Runner switch to ubuntu-latest confirmed – monitor the first scheduled execution.

The workflow (.github/workflows/runbook-freshness-check.yaml → runs-on: ubuntu-latest) uses only actions/checkout (sparse), git log, and actions/github-script, all of which are fully compatible with ubuntu-latest. This change is low risk, but please:

• Watch the initial run for any unexpected path or Git environment quirks
• If anything pops up, open a follow-up issue using our standard template (I can draft it)

.github/workflows/ghcr_retention_policy.yaml (1)

11-11: Runner migration looks safe.
GHCR operations via PAT are public-network; ubuntu-latest is appropriate, and this is currently dry-run.

.github/workflows/deploy_trigger.yaml (1)

6-6: LGTM on runner change.
Node is set up explicitly before pnpx; no private network dependencies here.

.github/workflows/autofix.ci.yaml (1)

11-11: autofix job: runner change looks good.
Toolchain is explicitly provisioned (Node 22 + pnpm). No concerns.

.github/workflows/job_test_api_canary.yaml (1)

24-24: Runner switch LGTM. Watch for runtime changes on 2 vCPU; pinning is optional.

• Approve ubuntu-latest change.
• GH-hosted ubuntu-latest typically provides 2 vCPU vs previous 4 vCPU self-hosted; 9-way sharding helps, but total wall time may change. Monitor for increased duration/flakiness and adjust shard count/timeouts if needed.
• Optional: Pin to ubuntu-24.04 for reproducibility.

-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04

After first CI run, please compare job durations vs prior baseline and confirm they remain within SLOs, especially for shards that historically run longest.

.github/workflows/job_deploy_workflows.yaml (1)

12-12: Runner switch LGTM

Switching to ubuntu-latest is appropriate and consistent with the PR goal. Composite actions (setup-node, setup-wrangler) should work on Ubuntu 24.04 images provided by GHA.

.github/workflows/job_deploy_api_enterprise.yaml (1)

12-12: Runner switch LGTM

Moving this job to ubuntu-latest matches the migration plan and should be fine for wrangler + pnpm flows.

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (1)

deployment/docker-compose.yaml (1)

30-44: Add a Docker healthcheck for ps-http-sim to stabilize depends_on: service_healthy

Since ps-http-sim doesn’t document a built-in /health or /ready endpoint, you won’t get reliable gating by default. To make your local bring-up less flaky, add an explicit healthcheck that:

• Verifies the service’s HTTP status (e.g. root / or another known-good path)
• Uses a tool available in the container (or installs one)
• Configures sensible interval, timeout, retries, and start_period

File: deployment/docker-compose.yaml
Lines: ~30–44 (ps-http-sim service)

Suggestion:

  ps-http-sim:
    image: ghcr.io/mattrobenolt/ps-http-sim:v0.0.12
    command:
      - -listen-port=3900
      - -mysql-dbname=unkey
      - -mysql-addr=mysql
      - -mysql-max-rows=100000
      - -mysql-idle-timeout=1s
    depends_on:
      mysql:
        condition: service_healthy
    ports:
      - "3900:3900"
    healthcheck:
      test: ["CMD", "curl", "--fail", "http://localhost:3900/"]
      interval: 10s
      timeout: 2s
      retries: 5
      start_period: 5s

• If curl isn’t in the image, either install it via a small wrapper or use a minimal HTTP probe binary.
• Adjust the path (/ above) if you have a more appropriate endpoint.
• Update any services (e.g. api, dashboard) that depend on ps-http-sim to use condition: service_healthy.
• Consider upstreaming a dedicated /health or /ready endpoint in ps-http-sim for future stability.

♻️ Duplicate comments (1)

go/Makefile (1)

46-46: Keep the local “faster loop” hint (conditionally on CI).

Retain the helpful hint locally; keep CI output terse. See past suggestion; still applicable.

-	@echo "Running full tests..."
+	@if [ -z "$$CI" ]; then echo "Running full tests (may take a while). For a quicker local loop, run 'make test-unit'."; else echo "Running full tests..."; fi

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3015826 and 920b9ac.

📒 Files selected for processing (2)

• deployment/docker-compose.yaml (2 hunks)
• go/Makefile (2 hunks)

🧰 Additional context used

🧠 Learnings (16)

📓 Common learnings

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/job_detect_changes.yaml:111-114
Timestamp: 2025-08-08T16:10:00.198Z
Learning: Repo: unkeyed/unkey — When imeyer writes “make me an issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:37-40
Timestamp: 2025-08-08T16:07:48.284Z
Learning: Repo unkeyed/unkey — pnpm immutable installs are enforced by setting the CI environment variable; any truthy value (e.g., "1" or "true") is acceptable. Do not require the literal string "true". Applies to .github/actions/setup-node/action.yaml and all workflows using pnpm install.

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/*/Makefile : Service-level makefile should be `<service>/Makefile`.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/*.go : When a service's `*.go` code changes significantly, increase the patch-level version number.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/Makefile : Use `make build` to test that the binary builds.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/Makefile : Use `make install` to build and install the binary with systemd unit from `$SERVICE/contrib/systemd`.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/Makefile : Global makefile should be `Makefile` at the repository root.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Update relevant anchors when modifying associated code.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/Makefile : Never use `go build` for any of the `assetmanagerd`, `billaged`, `builderd`, `metald` binaries.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Make sure to add relevant anchor comments whenever a file or piece of code is too complex, very important, confusing, or could have a bug.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Use `AIDEV-NOTE:`, `AIDEV-TODO:`, `AIDEV-BUSINESS_RULE:`, or `AIDEV-QUESTION:` (all-caps prefix) as anchor comments aimed at AI and developers.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/**/*.{go,js,ts,tsx,py,sh,md,txt,json,yaml,yml,ini,env,conf,html,css,scss,xml,c,h,cpp,java,rb,rs,php,pl,sql} : Do not remove `AIDEV-*`s without explicit human instruction.

Applied to files:

• go/Makefile

📚 Learning: 2025-07-22T09:02:12.495Z

Learnt from: chronark
PR: unkeyed/unkey#3638
File: deployment/docker-compose.yaml:81-94
Timestamp: 2025-07-22T09:02:12.495Z
Learning: The docker-compose.yaml file in deployment/ is specifically for development environments, not production. Kafka and other service configurations in this file should be optimized for development convenience rather than production security/hardening.

Applied to files:

• go/Makefile
• deployment/docker-compose.yaml

📚 Learning: 2025-08-07T17:18:12.801Z

Learnt from: imeyer
PR: unkeyed/unkey#3750
File: deployment/docker-compose.yaml:15-15
Timestamp: 2025-08-07T17:18:12.801Z
Learning: In deployment/docker-compose.yaml, the MySQL service uses --skip-log-bin flag to disable binary logging for local development environments. This is intentional to reduce disk I/O and storage overhead during development, as there are no replication or CDC components that would require binlog in the local dev setup.

Applied to files:

• go/Makefile
• deployment/docker-compose.yaml

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• go/Makefile

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• go/Makefile

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Use table-driven tests in Go

Applied to files:

• go/Makefile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test Go API Local / Test
• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (2)

go/Makefile (1)

27-27: Including planetscale in infra bootstrapping looks good.

Aligns Makefile with compose; ensures API/dashboard deps are available during local runs.

deployment/docker-compose.yaml (1)

150-162: Healthcheck reformat is a no-op; YAML remains valid.

Functional equivalence preserved; readability improved.

[graphite-app]

[graphite-app]

Graphite Automations

"Post a GIF when PR approved" took an action on this PR • (08/08/25)

1 gif was posted to this PR based on Andreas Thomas's automation.

[coderabbitai]

Actionable comments posted: 4

🔭 Outside diff range comments (2)

deployment/docker-compose.yaml (1)

198-201: Remove unused CLICKHOUSE_INSERT_URL and retain CLICKHOUSE_PROXY_TOKEN

It looks like CLICKHOUSE_INSERT_URL isn’t referenced by the API code (only by docs), so it can be dropped from the Wrangler CLI. The CLICKHOUSE_PROXY_TOKEN var is still consumed in env.ts and init.ts to authenticate chproxy endpoints and should remain.

• deployment/docker-compose.yaml: remove the unused insert URL var
• apps/engineering/content/docs/architecture/services/clickhouse-proxy.mdx: remove or update references to CLICKHOUSE_INSERT_URL

Suggested diff:

     "--var=CLICKHOUSE_URL:http://default:password@clickhouse:8123",
-    "--var=CLICKHOUSE_INSERT_URL:http://apiv2:7070",
     "--var=CLICKHOUSE_PROXY_TOKEN:chproxy-test-token-123",

.github/workflows/job_test_api_local.yaml (1)

60-69: Add a final cleanup step to tear down containers and volumes on self-hosted

Self-hosted runners persist state across jobs. Add an always() cleanup to avoid leaking containers/volumes and consuming disk.

Apply:

       - name: Upload logs
         uses: actions/upload-artifact@v4
         if: always()
         with:
           name: ${{github.run_id}}-${{github.run_number}}-api.logs
           path: docker.logs
           retention-days: 7
+
+      - name: Tear down containers and volumes
+        if: always()
+        run: |
+          docker compose -f ./deployment/docker-compose.yaml down --volumes --remove-orphans
+          docker system prune -af --volumes

♻️ Duplicate comments (1)

deployment/docker-compose.yaml (1)

30-30: Pin planetscale image to a digest for reproducibility; ensure GHCR access is configured

Good move to a prebuilt image. For deterministic dev/CI runs, pin to the known digest that was pulled successfully.

-    image: ghcr.io/mattrobenolt/ps-http-sim:v0.0.12
+    image: ghcr.io/mattrobenolt/ps-http-sim@sha256:fb624c2f615cd53910be07a5c6a62ddf54936a2e1c7322c8398fa2b5dd601c41

If CI/dev machines need GHCR auth, document or wire in docker login for those environments.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 920b9ac and 2526ce2.

📒 Files selected for processing (3)

• .github/workflows/job_test_api_local.yaml (1 hunks)
• .github/workflows/job_test_go_api_local.yaml (2 hunks)
• deployment/docker-compose.yaml (2 hunks)

🧰 Additional context used

🧠 Learnings (14)

📓 Common learnings

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/job_detect_changes.yaml:111-114
Timestamp: 2025-08-08T16:10:00.198Z
Learning: Repo: unkeyed/unkey — When imeyer writes “make me an issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Learnt from: imeyer
PR: unkeyed/unkey#3765
File: .github/workflows/job_detect_changes.yaml:43-43
Timestamp: 2025-08-08T19:52:42.073Z
Learning: In the unkeyed/unkey repository, the workflows `.github/workflows/job_test_api_local.yaml` and `.github/workflows/job_test_go_api_local.yaml` should keep their Blacksmith self-hosted runners (blacksmith-4vcpu-ubuntu-2404 and blacksmith-8vcpu-ubuntu-2404 respectively) as these are performance-critical test jobs that require dedicated resources.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:37-40
Timestamp: 2025-08-08T16:07:48.284Z
Learning: Repo unkeyed/unkey — pnpm immutable installs are enforced by setting the CI environment variable; any truthy value (e.g., "1" or "true") is acceptable. Do not require the literal string "true". Applies to .github/actions/setup-node/action.yaml and all workflows using pnpm install.

Learnt from: MichaelUnkey
PR: unkeyed/unkey#3103
File: apps/dashboard/app/(app)/settings/general/page.tsx:36-36
Timestamp: 2025-04-14T13:39:22.635Z
Learning: The Unkey team uses Linear for issue tracking rather than GitHub Issues.

📚 Learning: 2025-08-08T19:52:42.073Z

Learnt from: imeyer
PR: unkeyed/unkey#3765
File: .github/workflows/job_detect_changes.yaml:43-43
Timestamp: 2025-08-08T19:52:42.073Z
Learning: In the unkeyed/unkey repository, the workflows `.github/workflows/job_test_api_local.yaml` and `.github/workflows/job_test_go_api_local.yaml` should keep their Blacksmith self-hosted runners (blacksmith-4vcpu-ubuntu-2404 and blacksmith-8vcpu-ubuntu-2404 respectively) as these are performance-critical test jobs that require dedicated resources.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml
• .github/workflows/job_test_api_local.yaml
• deployment/docker-compose.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Organize Go integration tests with real dependencies

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-08-04T07:44:39.438Z

Learnt from: CR
PR: unkeyed/unkey#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T07:44:39.438Z
Learning: Applies to **/*_test.go : Use table-driven tests in Go

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-07-21T18:05:58.236Z

Learnt from: CR
PR: unkeyed/unkey#0
File: go/deploy/CLAUDE.md:0-0
Timestamp: 2025-07-21T18:05:58.236Z
Learning: Applies to go/deploy/deploy/{assetmanagerd,billaged,builderd,metald}/**/Makefile : Use `make build` to test that the binary builds.

Applied to files:

• .github/workflows/job_test_go_api_local.yaml

📚 Learning: 2025-07-22T09:02:12.495Z

Learnt from: chronark
PR: unkeyed/unkey#3638
File: deployment/docker-compose.yaml:81-94
Timestamp: 2025-07-22T09:02:12.495Z
Learning: The docker-compose.yaml file in deployment/ is specifically for development environments, not production. Kafka and other service configurations in this file should be optimized for development convenience rather than production security/hardening.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-07T17:18:12.801Z

Learnt from: imeyer
PR: unkeyed/unkey#3750
File: deployment/docker-compose.yaml:15-15
Timestamp: 2025-08-07T17:18:12.801Z
Learning: In deployment/docker-compose.yaml, the MySQL service uses --skip-log-bin flag to disable binary logging for local development environments. This is intentional to reduce disk I/O and storage overhead during development, as there are no replication or CDC components that would require binlog in the local dev setup.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-08T14:59:52.245Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.245Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-08T15:37:14.711Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/build.yaml:14-17
Timestamp: 2025-08-08T15:37:14.711Z
Learning: Repo: unkeyed/unkey — CI behavior: We rely on CI=true to make pnpm install behave as --frozen-lockfile. Don’t suggest adding --frozen-lockfile in .github/actions/setup-node/action.yaml or workflows like .github/workflows/build.yaml.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-08T16:10:00.198Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/job_detect_changes.yaml:111-114
Timestamp: 2025-08-08T16:10:00.198Z
Learning: Repo: unkeyed/unkey — When imeyer writes “make me an issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-08T16:07:48.284Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:37-40
Timestamp: 2025-08-08T16:07:48.284Z
Learning: Repo unkeyed/unkey — pnpm immutable installs are enforced by setting the CI environment variable; any truthy value (e.g., "1" or "true") is acceptable. Do not require the literal string "true". Applies to .github/actions/setup-node/action.yaml and all workflows using pnpm install.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-08T15:10:46.393Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-08-08T15:10:46.393Z

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.393Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.

Applied to files:

• deployment/docker-compose.yaml

📚 Learning: 2025-07-16T09:18:45.379Z

Learnt from: ogzhanolguncu
PR: unkeyed/unkey#3564
File: go/cmd/cli/commands/deploy/deploy.go:153-158
Timestamp: 2025-07-16T09:18:45.379Z
Learning: In the go/cmd/cli/commands/deploy/ CLI codebase, ogzhanolguncu prefers to allow deployment to continue even when Docker push fails (around lines 153-158 in deploy.go) because the team is working locally and needs this behavior for local development workflows where registry access might not be available.

Applied to files:

• deployment/docker-compose.yaml

🪛 actionlint (1.7.7)

.github/workflows/job_test_api_local.yaml

10-10: label "blacksmith-4vcpu-ubuntu-2404" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build
• GitHub Check: Test Go API Local / Test
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (6)

deployment/docker-compose.yaml (2)

131-143: LGTM: healthcheck reformat only

This is a formatting change; semantics unchanged. Readability is improved.

---

74-74: Retain UNKEY_CHPROXY_AUTH_TOKEN – it’s actively used by the API service

The environment variable UNKEY_CHPROXY_AUTH_TOKEN is consumed by the API’s CLI setup and internal chproxy endpoints. Removing it will break these routes unless you also strip out all chproxy-related code and docs.

Key references:

• go/cmd/api/main.go (cli.EnvVar("UNKEY_CHPROXY_AUTH_TOKEN") → “chproxy-auth-token” flag)
• apps/engineering/content/docs/cli/run/api/index.mdx (documents the env var)
• go/pkg/prometheus/metrics/chproxy.go & go/apps/api/routes/* (internal chproxy routes)

If you truly intend to deprecate chproxy functionality, first remove or refactor the above code paths and update the OpenAPI specs and docs.

Likely an incorrect or invalid review comment.

.github/workflows/job_test_go_api_local.yaml (1)

10-10: Timeout raised to 25m — confirm based on historical runtime

25 minutes sounds reasonable for full Go API tests on the 8vcpu Blacksmith runner. Please confirm this comfortably covers P95 of recent runs to avoid flakiness.

.github/workflows/job_test_api_local.yaml (3)

9-9: Timeout reduced to 25m — verify it won’t cause flakiness

Going from 60 to 25 minutes is a big cut. Please confirm this still covers typical end-to-end local API test durations (including image builds and migrations).

---

13-14: Buildx before compose up: LGTM

Buildx setup prior to docker compose up is appropriate for BuildKit-enabled builds. No concerns.

---

10-10: Note on actionlint warning for custom labels

actionlint warns about unknown label "blacksmith-4vcpu-ubuntu-2404". Either add 'self-hosted' as above or configure actionlint to recognize this custom label. The former is simpler.