sync-azure if release success#7

Merged
newbe36524 merged 2 commits into main from fix/build
Feb 7, 2026

Conversation

@newbe36524 (Contributor) commented Feb 7, 2026

Summary by CodeRabbit

  • Chores
    • Added automatic release synchronization to cloud storage when version tags are published.
    • Refactored CI workflows to use a reusable, modular sync component for improved maintainability.
    • Decoupled cloud storage operations into an independent workflow and added validation to ensure required secrets are present.
    • Support retained for manual dispatch with explicit release selection and clear messaging when falling back to the latest release.

@coderabbitai coderabbitai bot commented Feb 7, 2026

📝 Walkthrough

Added a tag-conditional sync-azure job to the build workflow that calls a reusable Azure sync workflow; the reusable workflow now accepts a release_tag input (falls back to latest release), validates the SAS secret, and preserves manual dispatch.

Changes (cohort / file(s): summary)

  • Build workflow job, /.github/workflows/build.yml: Added sync-azure job that runs after build-summary only for tags (refs/tags/v*), calls ./.github/workflows/sync-azure-storage.yml as a reusable workflow, passes release_tag: ${{ github.ref_name }}, and inherits secrets.
  • Azure sync reusable workflow, /.github/workflows/sync-azure-storage.yml: Converted trigger to workflow_call with release_tag input and kept workflow_dispatch; updated tag-determination to use inputs.release_tag (fallback: fetch latest release via gh), added early validation of AZURE_BLOB_SAS_URL secret, and retained tag/status outputs.

Sequence Diagram(s)

sequenceDiagram
  participant Build as Build workflow
  participant Reusable as Azure sync workflow
  participant GH as GitHub Releases API
  participant Azure as Azure Blob Storage

  Build->>Reusable: workflow_call(release_tag = github.ref_name) [on tag]
  Reusable->>Reusable: validate AZURE_BLOB_SAS_URL secret
  alt release_tag provided
    Reusable->>Reusable: use inputs.release_tag
  else no release_tag
    Reusable->>GH: query latest release (gh)
    GH-->>Reusable: latest tag
  end
  Reusable->>Azure: upload assets using SAS URL
  Azure-->>Reusable: upload status
  Reusable-->>Build: outputs (tag, status)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped from build to tag tonight,

Passing my token, swift and light.
I checked the SAS, then danced and stored,
From release tag the blobs explored.
A tiny sync, a rabbit's delight. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Title check: ❓ Inconclusive. The title 'sync-azure if release success' is partially related to the changeset: it mentions the sync-azure workflow being added, but is vague about what 'if release success' means and doesn't clarify the main change of adding conditional Azure sync on release tags. Resolution: consider a clearer title like 'Add sync-azure workflow job on release tag' or 'Trigger Azure storage sync on release tags' to better convey the main change.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


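The two workflows the walkthrough describes, written out as an added example; these are not the project's own files. The job names, the AZURE_BLOB_SAS_URL secret, the needs: build-summary dependency and the gh-based latest-release fallback are taken from the walkthrough; the step bodies, the release-assets directory and the job name `build` are assumptions. The example also folds in the review points raised further down this page: release_tag is declared for both workflow_call and workflow_dispatch, secrets and inputs reach the shell only through env: rather than inline ${{ }} expansion, the SAS URL is validated before anything else runs, and the caller gates on the build job rather than on the always-running summary job.

```yaml
# .github/workflows/sync-azure-storage.yml (added example, not the project's file)
name: Sync release assets to Azure Storage

on:
  workflow_call:
    inputs:
      release_tag:
        description: Release tag whose assets are uploaded (empty = latest release)
        required: false
        type: string
    outputs:
      tag:
        description: Tag that was synced
        value: ${{ jobs.sync.outputs.tag }}
  workflow_dispatch:
    inputs:
      release_tag:
        description: Release tag to sync (leave empty for the latest release)
        required: false
        type: string

permissions:
  contents: read   # gh release view/download only need read access

jobs:
  sync:
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.release_info.outputs.tag }}
    steps:
      - name: Validate SAS URL secret
        env:
          AZURE_BLOB_SAS_URL: ${{ secrets.AZURE_BLOB_SAS_URL }}   # env, not inline expansion
        run: |
          if [ -z "$AZURE_BLOB_SAS_URL" ]; then
            echo "::error::AZURE_BLOB_SAS_URL secret not found. Please configure it in GitHub Secrets."
            exit 1
          fi
          # Assumed shape: https://<account>.blob.core.windows.net/<container>?<sas-token>
          case "$AZURE_BLOB_SAS_URL" in
            https://*.blob.core.windows.net/*\?*) echo "SAS URL secret found" ;;
            *) echo "::error::AZURE_BLOB_SAS_URL is not a container SAS URL"; exit 1 ;;
          esac

      - name: Determine release tag
        id: release_info
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          RELEASE_TAG_INPUT: ${{ inputs.release_tag }}   # user-typed on dispatch: keep it out of the script text
        run: |
          if [ -n "$RELEASE_TAG_INPUT" ]; then
            RELEASE_TAG="$RELEASE_TAG_INPUT"
          else
            RELEASE_TAG=$(gh release view --json tagName -q .tagName) || {
              echo "::error::No releases found. Create one or pass release_tag."
              exit 1
            }
            echo "No tag specified, using latest release: ${RELEASE_TAG}"
          fi
          echo "tag=${RELEASE_TAG}" >> "$GITHUB_OUTPUT"

      - name: Download release assets
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          TAG: ${{ steps.release_info.outputs.tag }}
        run: gh release download "$TAG" --dir release-assets

      - name: Upload assets with the SAS token
        env:
          AZURE_BLOB_SAS_URL: ${{ secrets.AZURE_BLOB_SAS_URL }}
          TAG: ${{ steps.release_info.outputs.tag }}
        run: |
          HOSTPATH="${AZURE_BLOB_SAS_URL%%\?*}"; HOSTPATH="${HOSTPATH#https://}"
          ACCOUNT="${HOSTPATH%%.*}"
          CONTAINER="${HOSTPATH#*/}"; CONTAINER="${CONTAINER%%/*}"
          SAS_TOKEN="${AZURE_BLOB_SAS_URL#*\?}"    # safe: the validate step proved a '?' exists
          az storage blob upload-batch \
            --account-name "$ACCOUNT" --sas-token "$SAS_TOKEN" \
            --destination "$CONTAINER" --destination-path "$TAG" \
            --source release-assets

---
# .github/workflows/build.yml, the calling job (added example). `build` is an
# assumed name for the build job; the gate is on it because build-summary runs
# with if: always() and can succeed after a failed build.
jobs:
  sync-azure:
    name: Sync to Azure Storage
    needs: [build, build-summary]
    if: startsWith(github.ref, 'refs/tags/v') && needs.build.result == 'success'
    uses: ./.github/workflows/sync-azure-storage.yml
    with:
      release_tag: ${{ github.ref_name }}
    secrets: inherit
```

With secrets: inherit every repository secret is visible to the called workflow; that is acceptable for a workflow in the same repository, but if the sync workflow is ever moved to a shared repository, pass AZURE_BLOB_SAS_URL explicitly under secrets: instead.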

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/sync-azure-storage.yml (1)

77-77: ⚠️ Potential issue | 🟠 Major

Regex for SAS token extraction appears incorrect.

The sed pattern 's|[^?]*\(?\.*\)|\1|p' uses \.* which matches zero or more literal dots, not "everything after ?". This will likely capture only ? or ?. sequences rather than the full SAS token.

Proposed fix
-          SAS_TOKEN=$(echo "$SAS_URL" | sed -n 's|[^?]*\(?\.*\)|\1|p')
+          SAS_TOKEN=$(echo "$SAS_URL" | sed -n 's|[^?]*\(?.*\)|\1|p')

Or more simply using parameter expansion:

-          SAS_TOKEN=$(echo "$SAS_URL" | sed -n 's|[^?]*\(?\.*\)|\1|p')
+          SAS_TOKEN="${SAS_URL#*\?}"
+          SAS_TOKEN="?${SAS_TOKEN}"
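Review bot: the two sed patterns in the first hunk print the same thing, because sed leaves the part of the line after the match untouched: with `\.*` the match ends at the `?`, the replacement `\1` puts the `?` back, and the real token that follows it is kept, so the output is `?sv=...` either way and the first hunk does not change the extracted value. The parameter-expansion variant in the second hunk does change behaviour on a malformed secret: `${SAS_URL#*\?}` returns the whole string when there is no `?`, so `SAS_TOKEN` becomes `?https://...` instead of empty and the problem only surfaces when `az` rejects it. If you switch to it, keep a guard such as `case "$SAS_URL" in *\?*) ;; *) exit 1 ;; esac` before the expansion.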
🤖 Fix all issues with AI agents
In @.github/workflows/sync-azure-storage.yml:
- Around line 5-12: The workflow currently defines a required input release_tag
only under workflow_call, but workflow_dispatch has no inputs so triggering
manually yields an empty inputs.release_tag and later fails; add a release_tag
input to the workflow_dispatch invocation (match description/required/type to
the existing release_tag) or alternatively guard steps that use
inputs.release_tag, updating the workflow_dispatch section to declare
release_tag (string, required true) so inputs.release_tag is populated when
using workflow_dispatch.
🧹 Nitpick comments (3)
.github/workflows/sync-azure-storage.yml (2)

33-39: Missing validation for empty release_tag.

If inputs.release_tag is empty or invalid, the workflow will proceed and fail at the gh release download step with an unclear error. Add early validation to provide a clear error message.

Proposed fix
       - name: Determine release tag
         id: release_info
         run: |
           # From workflow_call input
           RELEASE_TAG="${{ inputs.release_tag }}"
+          if [ -z "$RELEASE_TAG" ]; then
+            echo "::error::release_tag input is required but was empty"
+            exit 1
+          fi
           echo "tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT
           echo "Release tag: ${RELEASE_TAG}"
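Review bot: the `-z` guard in this hunk rejects exactly the case the walkthrough says the workflow supports: a missing release_tag on manual dispatch is meant to fall back to the latest release, so an empty input should branch into the `gh release view` lookup rather than `exit 1`. Separately, `RELEASE_TAG="${{ inputs.release_tag }}"` splices the input into the script source; with workflow_dispatch that value is typed by the person dispatching the run, so pass it through an `env:` entry on the step and read it as a shell variable.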

79-79: SAS token stored in plaintext file without restricted permissions.

The SAS token is written to /tmp/sas_token.txt with default permissions, potentially readable by other processes. While GitHub Actions runners are ephemeral, it's still a good practice to restrict access.

Proposed fix
           # Store token as file to avoid issues with special characters
+          umask 077
           echo "$SAS_TOKEN" > /tmp/sas_token.txt
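Review bot: `umask 077` only governs files the shell creates; if /tmp/sas_token.txt already exists from an earlier step or run it keeps its old mode and is merely truncated. Remove it first (`rm -f /tmp/sas_token.txt`) or create it with an explicit mode, and delete it in a final step that runs with `if: always()` so the token does not outlive the job on a self-hosted runner.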
.github/workflows/build.yml (1)

288-295: Sync job may run even when builds have failed.

The sync-azure job depends on build-summary, which has if: always() (line 269). When build-summary fails (due to a failed build), jobs that depend on it are skipped by default. However, the intent seems to be "sync only after successful builds."

For clarity and to explicitly guard against syncing after failed builds, consider adding a success check:

Proposed fix
   sync-azure:
     name: Sync to Azure Storage
     needs: build-summary
-    if: startsWith(github.ref, 'refs/tags/v')
+    if: startsWith(github.ref, 'refs/tags/v') && needs.build-summary.result == 'success'
     uses: ./.github/workflows/sync-azure-storage.yml
     with:
       release_tag: ${{ github.ref_name }}
     secrets: inherit
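Review bot: `needs.build-summary.result == 'success'` gates on the summary job, not on the builds, and the `if: always()` on build-summary noted above means it runs, and can succeed, after a failed build; unless build-summary itself exits non-zero when any build job failed, this condition still lets the sync run after a broken build. Gate on the build jobs directly (add them to `needs:` and check `needs.<build-job>.result == 'success'` for each) or make build-summary fail when any of its `needs` results is not 'success'.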

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/sync-azure-storage.yml (3)

30-36: ⚠️ Potential issue | 🟡 Minor

Secret value expanded in shell conditional.

Directly embedding ${{ secrets.AZURE_BLOB_SAS_URL }} in the shell script expands the secret into the script text. While GitHub masks secrets in logs, this pattern can leak secrets in certain error scenarios. Use an environment variable instead.

Proposed fix
      - name: Validate SAS URL secret
+       env:
+         AZURE_BLOB_SAS_URL: ${{ secrets.AZURE_BLOB_SAS_URL }}
        run: |
-         if [ -z "${{ secrets.AZURE_BLOB_SAS_URL }}" ]; then
+         if [ -z "$AZURE_BLOB_SAS_URL" ]; then
            echo "::error::AZURE_BLOB_SAS_URL secret not found. Please configure it in GitHub Secrets."
            exit 1
          fi
          echo "SAS URL secret found"

88-91: ⚠️ Potential issue | 🔴 Critical

Regex bug: \.* matches literal dots, not any characters.

The sed pattern 's|[^?]*\(?\.*\)|\1|p' uses \.* which matches zero or more literal . characters, not "any character". This will fail to extract the full SAS token if it contains characters other than dots after the ?.

Proposed fix
          # Get the SAS token (everything after ?)
-         SAS_TOKEN=$(echo "$SAS_URL" | sed -n 's|[^?]*\(?\.*\)|\1|p')
+         SAS_TOKEN=$(echo "$SAS_URL" | sed -n 's|[^?]*\(?.*\)|\1|p')

72-75: ⚠️ Potential issue | 🟡 Minor

Use environment variable for secret instead of direct expansion.

Same concern as the validation step—expand the secret via an env block rather than inline expansion.

Proposed fix
      - name: Parse SAS URL and extract storage info
        id: sas_info
+       env:
+         SAS_URL: ${{ secrets.AZURE_BLOB_SAS_URL }}
        run: |
-         SAS_URL="${{ secrets.AZURE_BLOB_SAS_URL }}"
+         # SAS_URL is provided via env
🧹 Nitpick comments (3)
.github/workflows/sync-azure-storage.yml (3)

38-51: Add error handling for gh release view.

If no releases exist in the repository, gh release view will fail but the error may not be clear. Consider adding explicit error handling.

Proposed improvement
      - name: Determine release tag
        id: release_info
        run: |
          # From workflow_call input, or fetch latest for manual dispatch
          if [ -n "${{ inputs.release_tag }}" ]; then
            RELEASE_TAG="${{ inputs.release_tag }}"
          else
-           RELEASE_TAG=$(gh release view --json tagName -q .tagName)
+           RELEASE_TAG=$(gh release view --json tagName -q .tagName) || {
+             echo "::error::No releases found in repository. Please create a release first or specify a release_tag."
+             exit 1
+           }
            echo "No tag specified, using latest release: ${RELEASE_TAG}"
          fi
          echo "tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT
          echo "Release tag: ${RELEASE_TAG}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
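Review bot: `${{ inputs.release_tag }}` is expanded into the script source twice here (the `-n` test and the assignment), which is the same inline-expansion pattern this review flags for the secret above, and on workflow_dispatch the value comes from whoever dispatches the run, so shell metacharacters in it are executed as code rather than treated as data. Put it in the step's `env:` next to GH_TOKEN (for example `RELEASE_TAG_INPUT: ${{ inputs.release_tag }}`) and test `$RELEASE_TAG_INPUT`. The `|| { ... }` addition is fine; note that `gh release view` with no tag returns GitHub's "latest" release, which excludes drafts and pre-releases, so a tag published as a pre-release will not be picked up by the fallback.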

120-121: Unused variable BLOB_URL.

BLOB_URL is constructed but never used—the actual upload uses az storage blob upload with --sas-token. Remove this dead code.

Proposed fix
              echo "Uploading: $(unknown)"
 
-             # Build the blob URL with SAS token
-             BLOB_URL="https://${ACCOUNT}.blob.core.windows.net/${CONTAINER}/${BLOB_PATH}$(unknown)${SAS_TOKEN}"
-
              # Upload using az storage blob upload with SAS authentication

197-198: if: success() is redundant.

Steps run on success by default; the explicit if: success() condition can be removed.

Proposed fix
      - name: Verify upload
-       if: success()
        run: |
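The SAS-URL handling that both reviews above circle around (token extraction, secret validation through the environment, and the permissions of the token file), written as an added POSIX sh example; this is not code from the PR's sync-azure-storage.yml. It assumes the secret has the shape https://<account>.blob.core.windows.net/<container>?<sas-token>; the sample URL and its signature are constructed and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not the project's workflow code.
# Assumed URL shape: https://<account>.blob.core.windows.net/<container>?<sas-token>

# require_secret NAME
# Fails with a GitHub Actions ::error:: annotation when the environment variable
# NAME is unset or empty. The step passes the secret in through an `env:` block,
# so the script text itself never contains the secret.
require_secret() {
  name=$1
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "::error::$name secret not found. Please configure it in GitHub Secrets."
    return 1
  fi
}

# parse_sas_url URL
# Prints "<account> <container> <token>" (token without the leading '?').
# Returns 1 for anything that is not a container SAS URL, including a URL with
# no query string: a bare ${URL#*\?} would hand back the whole URL in that case
# and the bad token would only be noticed when the upload fails.
parse_sas_url() {
  url=$1
  case $url in
    https://*.blob.core.windows.net/*\?*) ;;
    *) echo "::error::not an Azure Blob container SAS URL" >&2; return 1 ;;
  esac
  token=${url#*\?}           # everything after the first '?'
  base=${url%%\?*}           # everything before the first '?'
  hostpath=${base#https://}  # account.blob.core.windows.net/container[/...]
  host=${hostpath%%/*}
  account=${host%%.*}
  container=${hostpath#*/}
  container=${container%%/*}
  if [ -z "$token" ] || [ -z "$account" ] || [ -z "$container" ]; then
    echo "::error::could not extract account, container and token from SAS URL" >&2
    return 1
  fi
  printf '%s %s %s\n' "$account" "$container" "$token"
}

# write_token_file TOKEN PATH
# Writes TOKEN to PATH readable only by the runner user. umask applies only to
# files being created, so a stale file is removed first; the subshell keeps the
# caller's umask unchanged.
write_token_file() {
  token=$1
  path=$2
  rm -f "$path"
  ( umask 077 && printf '%s\n' "$token" > "$path" )
}

# token_file_is_private PATH: succeeds when group and other have no permission bits.
token_file_is_private() {
  case $(ls -ld "$1" | cut -c5-10) in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk one constructed URL through the pipeline without ever printing the token.
demo() {
  url='https://exampleacct.blob.core.windows.net/releases?sv=2022-11-02&ss=b&sr=c&sp=rwl&sig=abc%2Bdef%3D'
  fields=$(parse_sas_url "$url") || return 1
  account=${fields%% *}
  rest=${fields#* }
  container=${rest%% *}
  token=${rest#* }
  file=${TMPDIR:-/tmp}/sas_token.$$
  write_token_file "$token" "$file" || return 1
  token_file_is_private "$file" || { echo "token file is not private" >&2; rm -f "$file"; return 1; }
  echo "account=$account container=$container token=<redacted, ${#token} chars> file=$file"
  rm -f "$file"
}

demo
```

In a workflow step the secret arrives as `$AZURE_BLOB_SAS_URL` from an `env:` block, so the call sequence is `require_secret AZURE_BLOB_SAS_URL && parse_sas_url "$AZURE_BLOB_SAS_URL"`; the token file is only needed if a later tool cannot take the token as an argument, and it should be removed in a step that runs with `if: always()`.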

@newbe36524 newbe36524 merged commit 4bd9228 into main Feb 7, 2026
2 checks passed
@newbe36524 newbe36524 deleted the fix/build branch February 7, 2026 11:52
This was referenced Feb 10, 2026