Skip to content

ci: restrict image publish/deploy to canonical repo and main branch #329

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
NiveditJain merged 1 commit into from
Aug 31, 2025
Merged

ci: restrict image publish/deploy to canonical repo and main branch #329

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/deploy-kubernetes.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:
jobs:
deploy-api-server:
runs-on: ubuntu-latest
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Restrict workflow_dispatch runs to main as well.

This workflow is dispatch-only; add a ref guard to avoid accidental non-main deploys, and use explicit expression syntax.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' && github.ref == 'refs/heads/main' }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: ${{ github.repository == 'exospherehost/exospherehost' && github.ref == 'refs/heads/main' }}
🤖 Prompt for AI Agents 
.github/workflows/deploy-kubernetes.yml around line 9: the current if condition
only checks the repository and allows workflow_dispatch runs from any ref;
update the condition to explicitly require this to be a workflow_dispatch event
and require the ref to be the main branch (refs/heads/main) in addition to the
repository check, using the explicit logical expression form (combine
repository, event_name == workflow_dispatch, and ref == refs/heads/main) so
dispatch-only runs are guarded to main only.

environment:
name: deploy-kubernetes
steps:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/publish-api-server.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ env:
jobs:
publish-image:
runs-on: ubuntu-latest
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Gate is correct; add branch constraints for release/dispatch.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' &&
+        (github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
+        (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: github.repository == 'exospherehost/exospherehost' &&
(github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
(github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
🤖 Prompt for AI Agents 
In .github/workflows/publish-api-server.yml around line 20, the current gate
only checks the repository; update the if to also restrict runs to release
branches and manual dispatches. Change the condition to require
github.repository == 'exospherehost/exospherehost' AND (startsWith(github.ref,
'refs/heads/release/') OR github.event_name == 'workflow_dispatch'), so the
workflow only runs for release/* branches or when manually dispatched in that
repo.


permissions:
contents: read
Expand Down Expand Up @@ -58,6 +59,7 @@ jobs:
deploy-to-k8s:
needs: publish-image
runs-on: ubuntu-latest
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Mirror the same guard on deploy job.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' &&
+        (github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
+        (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
🤖 Prompt for AI Agents 
In .github/workflows/publish-api-server.yml around line 62, the "deploy" job is
missing the same repository guard used elsewhere; add the line "if:
github.repository == 'exospherehost/exospherehost'" to the deploy job definition
(preserving YAML indentation) or combine it with any existing if condition using
&& so the deploy job only runs for that repository.


steps:
- name: Deploy to K8s
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/publish-dashboard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ env:
jobs:
publish-image:
runs-on: ubuntu-latest
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Repo gate looks right; prefer explicit expression syntax for consistency.

Functionally OK; this is a style/readability nit that aligns with Actions examples.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: ${{ github.repository == 'exospherehost/exospherehost' }}
🤖 Prompt for AI Agents 
.github/workflows/publish-dashboard.yml around line 20: the if condition uses a
raw string instead of the explicit Actions expression syntax; change it to use
the expression wrapper so the condition reads using ${{ ... }} (e.g. if: ${{
github.repository == 'exospherehost/exospherehost' }}) to match repository-wide
style and examples.


permissions:
contents: read
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/publish-landing-page.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ env:
jobs:
publish-image:
runs-on: ubuntu-latest
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Good repo gate; wrap in expression syntax and (optionally) guard manual runs to main.

Using explicit expression syntax improves readability and parity with docs. Since this workflow supports workflow_dispatch, consider ensuring manual runs happen only on main.

Apply:

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: ${{ github.repository == 'exospherehost/exospherehost' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}
🤖 Prompt for AI Agents 
.github/workflows/publish-landing-page.yml around line 20: the conditional uses
plain YAML boolean style; wrap the repository check in GitHub Actions expression
syntax and optionally restrict manual workflow_dispatch runs to main. Replace
the line with an expression using ${{ ... }} for the repo comparison, and if you
want to guard manual runs add an OR condition that allows non-dispatch events or
requires github.ref == 'refs/heads/main' when github.event_name ==
'workflow_dispatch' so manual triggers only run on main.


permissions:
contents: read
Expand Down Expand Up @@ -59,6 +60,7 @@ jobs:
deploy-to-k8s:
needs: publish-image
runs-on: ubuntu-latest
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Mirror the same gating refinement on deploy job.

Keep repo guard and add a main-branch check for manual runs; also use explicit expression syntax.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: ${{ github.repository == 'exospherehost/exospherehost' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main') }}
🤖 Prompt for AI Agents 
.github/workflows/publish-landing-page.yml around line 63: the current job
gating uses a bare if: github.repository == 'exospherehost/exospherehost' —
update it to mirror the deploy job refinement by keeping the repository guard
and adding an explicit main-branch check for manual (workflow_dispatch) runs,
and use the explicit expression syntax (${{ ... }}). Concretely, replace the
current bare condition with an expression that requires github.repository ==
'exospherehost/exospherehost' AND either the event is not workflow_dispatch OR
github.ref == 'refs/heads/main' so manual runs are limited to main while normal
events still run.

steps:
- name: Deploy to K8s
run: |
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/publish-python-sdk.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ jobs:
defaults:
run:
working-directory: python-sdk
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Use explicit expression syntax for the repo gate.

Keeps conditions uniform across workflows.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: ${{ github.repository == 'exospherehost/exospherehost' }}
🤖 Prompt for AI Agents 
In .github/workflows/publish-python-sdk.yml around line 69, the workflow uses a
bare condition `if: github.repository == 'exospherehost/exospherehost'`; change
it to the explicit GitHub Actions expression syntax by wrapping the condition in
${{ ... }}, e.g. use `if: ${{ github.repository == 'exospherehost/exospherehost'
}}`, so the condition is evaluated consistently with other workflows.


steps:
- uses: actions/checkout@v4
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/publish-state-mangaer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ jobs:
publish-image:
runs-on: ubuntu-latest
needs: test
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Gate is good; add branch constraints for release/dispatch.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' &&
+        (github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
+        (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: github.repository == 'exospherehost/exospherehost' &&
(github.event_name != 'release' || github.event.release.target_commitish == 'main') &&
(github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')
🤖 Prompt for AI Agents 
.github/workflows/publish-state-mangaer.yml around line 77: the workflow gate
only checks the repository and needs branch constraints for release/dispatch;
update the if conditional to require the repo AND that github.ref starts with
refs/heads/release or refs/heads/dispatch (e.g., github.repository ==
'exospherehost/exospherehost' && (startsWith(github.ref, 'refs/heads/release')
|| startsWith(github.ref, 'refs/heads/dispatch'))), ensuring the job only runs
for those branch namespaces.


permissions:
contents: read
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/release-dashboard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ env:
jobs:
publish-image:
runs-on: ubuntu-latest
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Repo gate approved; also limit to main-targeted releases.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
🤖 Prompt for AI Agents 
In .github/workflows/release-dashboard.yml around line 15, the current workflow
gate only checks the repository; update the if condition to also ensure the
release targets main. Replace the existing if with a combined condition that
keeps the repo check and adds a target-check such as: github.repository ==
'exospherehost/exospherehost' && (github.event_name != 'release' ||
github.event.release.target_commitish == 'main') so the job runs only for this
repo and only for releases targeting main.


permissions:
contents: read
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/release-python-sdk.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ jobs:
defaults:
run:
working-directory: python-sdk
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Good guard; add main-branch constraint for releases.

Ensure releases publish only when the tag targets main.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
🤖 Prompt for AI Agents 
.github/workflows/release-python-sdk.yml around line 65: the current guard only
checks repository equality but does not ensure tags are created from main; add a
check that the run is for a tag and that the tag's commit exists on main before
publishing. Change the if to require github.repository ==
'exospherehost/exospherehost' && startsWith(github.ref, 'refs/tags/'), and add
an early job/step (run before publish) that fetches origin/main (git fetch
origin main --depth=1) and verifies that git branch --contains $GITHUB_SHA --all
or git merge-base --is-ancestor $GITHUB_SHA origin/main; if that check fails,
exit non-zero or set an output/condition to skip the release job so only tags
that point at main will publish.


steps:
- uses: actions/checkout@v4
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/release-state-manager.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ jobs:
publish-image:
runs-on: ubuntu-latest
needs: test
if: github.repository == 'exospherehost/exospherehost'
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Repo gate looks right; also require releases from main.

-    if: github.repository == 'exospherehost/exospherehost'
+    if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: github.repository == 'exospherehost/exospherehost'
if: github.repository == 'exospherehost/exospherehost' && github.event.release.target_commitish == 'main'
🤖 Prompt for AI Agents 
.github/workflows/release-state-manager.yml around line 70: the current if only
gates by repository; change it to also require that the workflow was triggered
by a release on main by updating the if to combine checks (repository ==
'exospherehost/exospherehost' AND event_name == 'release' AND ref ==
'refs/heads/main'), so the job runs only for release events originating from the
main branch.


permissions:
contents: read
Expand Down