
feat: add autdev pr #20

Merged: nadilas merged 8 commits into main from waxb/feat/add-autodev-pr on Jul 26, 2025

Conversation

@waxb (Contributor) commented Jul 24, 2025

We'd love to see more contributions

Read how you can contribute to the project.

Please attach an issue link which your PR solves otherwise your work may be rejected.

Summary by CodeRabbit

  • New Features

    • Automated deployment of Azure Container Apps environments for each pull request, providing unique preview URLs and resource details directly in PR comments.
    • Automatic cleanup of all Azure resources and container images associated with a pull request when it is closed, with confirmation posted in the PR.
    • Enhanced API service startup to securely fetch and inject secrets dynamically at runtime.
  • Chores

    • Introduced a new workflow to streamline and manage PR-based Azure deployments and resource lifecycle.

coderabbitai bot commented Jul 24, 2025

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

📥 Commits

Reviewing files that changed from the base of the PR and between a36df65 and d887012.

📒 Files selected for processing (1)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
> Find bugs once. Once a human tester finds a bug, it should be the last time a human tester finds that bug. Automatic tests should check for it from then on.

Walkthrough

A new GitHub Actions workflow, azure-pr-deploy.yml, was added to automate deployment and cleanup of Azure Container Apps environments per pull request. The workflow triggers on PR events to deploy resources and post deployment details, and cleans up Azure resources and container images when PRs are closed. Additionally, the API service Dockerfile was updated to install the Infisical CLI and use a new startup script that fetches secrets dynamically at container runtime.

Changes

File(s) Change Summary
.github/workflows/azure-pr-deploy.yml Added workflow to deploy and clean up Azure Container Apps environments per PR with detailed PR comments.
apps/api/Dockerfile, apps/api/start.sh Modified Dockerfile to install Infisical CLI and replaced direct binary start with a startup script that fetches secrets from Infisical before running the service.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub PR
    participant GitHub Actions
    participant Azure
    participant PR Comment

    GitHub PR->>GitHub Actions: PR opened/reopened/synchronized
    GitHub Actions->>Azure: Login and setup
    GitHub Actions->>Azure: Build & push Docker image
    GitHub Actions->>Azure: Create resource group & container app
    Azure-->>GitHub Actions: Return deployed API URL
    GitHub Actions->>PR Comment: Post deployment details

    GitHub PR->>GitHub Actions: PR closed
    GitHub Actions->>Azure: Login
    GitHub Actions->>Azure: Delete resource group & image
    GitHub Actions->>PR Comment: Post cleanup confirmation

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇
A hop and a skip, a PR appears,
Azure deploys with automated cheers.
Secrets fetched fresh as the container wakes,
Dynamic and safe, no static stakes.
When the work is done and the PR is closed,
The cleanup is swift—no resources exposed!
Rabbits rejoice in the clouds’ azure hues.

"""


@waxb force-pushed the waxb/feat/add-autodev-pr branch from 38efcff to ff5d0e1 on July 24, 2025 19:28
github-actions bot commented Jul 24, 2025

🧹 Brease PR Environment Cleaned Up

All Azure resources for this PR have been deleted:

  • Resource Group: rg-brease-pr-20
  • Container image: brease-api:pr-20

✅ Cleanup completed successfully.

coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (3)
.github/workflows/azure-pr-deploy.yml (3)

140-150: --no-wait may publish misleading “cleanup completed” messages
Deletion happens asynchronously; a user clicking the resource group minutes later will still see it. Either call az group wait --deleted after the delete or drop --no-wait so the comment reflects actual state.


152-160: Image cleanup may leave orphan manifests
az acr repository delete --tag removes only the specific tag; the manifest remains if other tags (e.g., latest) reference it. Consider --yes --manifest to ensure the blob is removed and storage costs are avoided.


28-128: Trailing whitespace & missing EOF newline flagged by YAML-lint
Clean up trailing spaces and ensure the file ends with a newline to keep lint pipelines green.

Also applies to: 167-172

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38efcff and ff5d0e1.

📒 Files selected for processing (1)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 28-28: trailing spaces (trailing-spaces)
[error] 108-108: trailing spaces (trailing-spaces)
[error] 112-112: trailing spaces (trailing-spaces)
[error] 117-117: trailing spaces (trailing-spaces)
[error] 122-122: trailing spaces (trailing-spaces)
[error] 126-126: trailing spaces (trailing-spaces)
[error] 167-167: trailing spaces (trailing-spaces)
[error] 171-171: trailing spaces (trailing-spaces)
[error] 172-172: no new line character at the end of file (new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: deploy
  • GitHub Check: Analyze (go)

Comment on lines +3 to +6
on:
  pull_request:
    types: [opened, reopened, synchronize, closed]


⚠️ Potential issue

Unrestricted PR trigger exposes Azure resources to untrusted fork code
Running this workflow for every pull_request event allows code from forks to execute arbitrary az * commands with the federated service-principal, giving write access to the subscription. Restrict deployments to trusted actors, e.g.

-on:
-  pull_request:
-    types: [opened, reopened, synchronize, closed]
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, closed]
+    # Only run when the PR originates from this repo (not forks)
+    branches: [main]            # adjust to default branch
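
Review bot: the added `branches: [main]` line does not do what its comment says. In a `pull_request` trigger, `branches` filters on the PR's base (target) branch, so a fork PR opened against main still fires the workflow and still runs the `az` steps. To restrict to same-repository PRs, gate the jobs on the head repository instead, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, and apply the same condition to the `closed` handling so cleanup is not reachable from forks either. The comment line should be corrected or dropped, since it documents behaviour the filter does not provide.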

or gate the jobs behind a protected environment that requires manual approval.

📝 Committable suggestion

Before:
on:
  pull_request:
    types: [opened, reopened, synchronize, closed]

After:
on:
  pull_request:
    types: [opened, reopened, synchronize, closed]
    # Only run when the PR originates from this repo (not forks)
    branches: [main]            # adjust to default branch
🤖 Prompt for AI Agents
In .github/workflows/azure-pr-deploy.yml around lines 3 to 6, the workflow
triggers on all pull_request events, which allows untrusted fork code to run
Azure commands with elevated permissions. To fix this, restrict the workflow
trigger to trusted actors only by adding a condition that checks the pull
request author or use a protected environment with manual approval to gate
deployment jobs. This prevents unauthorized code from executing sensitive Azure
commands.

@waxb force-pushed the waxb/feat/add-autodev-pr branch from ff5d0e1 to 4c069bb on July 24, 2025 19:48
coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (3)
.github/workflows/azure-pr-deploy.yml (3)

3-6: Workflow runs for untrusted forks – restrict trigger or require an approval


40-46: Service-principal IDs are hard-coded – move to repo secrets


61-73: az group/app env create are not idempotent – handle re-runs gracefully

🧹 Nitpick comments (1)
.github/workflows/azure-pr-deploy.yml (1)

113-131: Minor: trailing whitespace violates YAML linting rules

Several comment lines contain stray spaces, causing the YAML-Lint errors reported by CI. Strip them to keep the workflow green.

Also applies to: 172-177

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff5d0e1 and 4c069bb.

📒 Files selected for processing (2)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
  • apps/api/Dockerfile (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 28-28: trailing spaces (trailing-spaces)
[error] 113-113: trailing spaces (trailing-spaces)
[error] 117-117: trailing spaces (trailing-spaces)
[error] 122-122: trailing spaces (trailing-spaces)
[error] 127-127: trailing spaces (trailing-spaces)
[error] 131-131: trailing spaces (trailing-spaces)
[error] 172-172: trailing spaces (trailing-spaces)
[error] 176-176: trailing spaces (trailing-spaces)
[error] 177-177: no new line character at the end of file (new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: deploy
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Analyze (go)

Comment on lines +13 to +22
bash \
&& curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
&& apt-get update && apt-get install -y infisical \
&& rm -rf /var/lib/apt/lists/*

COPY --from=builder /brease /usr/local/bin/
CMD ["brease"]

# Create startup script that fetches secrets and runs the app
RUN echo '#!/bin/bash\n\

⚠️ Potential issue

Avoid piping remote installer to bash; pin & verify Infisical CLI package

curl … | bash executes unauthenticated code during every build, opening the door to supply-chain hijacking.
• Fetch the GPG key, add the signed .deb, or at minimum pin an exact version (infisical=1.7.3-1).
• Validate checksums before install.

-    && curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical \
+    && curl -fsSL https://dl.cloudsmith.io/public/infisical/infisical-cli/gpg.key | gpg --dearmor -o /usr/share/keyrings/infisical.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/infisical.gpg] https://dl.cloudsmith.io/public/infisical/infisical-cli/deb/debian bookworm main" \
+        > /etc/apt/sources.list.d/infisical.list \
+    && apt-get update \
+    && apt-get install -y infisical=1.7.3-1 \
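
Review bot: the replacement lines call `gpg --dearmor`, but the package list installed in the same `RUN` step (`ca-certificates`, `curl`, `bash`) does not include `gnupg`, so on a slim base image the build now fails at the key import; add `gnupg` to the `apt-get install -y` list. The pinned `infisical=1.7.3-1` and the `bookworm` suite are placeholders that need checking against the base image's Debian release and the versions actually published in the Cloudsmith repository, because apt refuses an unknown version string outright. With `signed-by=` in place apt verifies every package signature, so the remaining trust-on-first-use is the initial `curl` of the key over HTTPS; comparing the downloaded key's fingerprint against a value committed in the Dockerfile closes that as well.
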
📝 Committable suggestion

Before:
# Update package lists and install ca-certificates and Infisical CLI
RUN apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    apt-get update --fix-missing && apt-get install -y \
    ca-certificates \
    curl \
    bash \
    && curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
    && apt-get update && apt-get install -y infisical \
    && rm -rf /var/lib/apt/lists/*

After:
# Update package lists and install ca-certificates and Infisical CLI
RUN apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    apt-get update --fix-missing && apt-get install -y \
    ca-certificates \
    curl \
    bash \
    && curl -fsSL https://dl.cloudsmith.io/public/infisical/infisical-cli/gpg.key \
       | gpg --dearmor -o /usr/share/keyrings/infisical.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/infisical.gpg] \
       https://dl.cloudsmith.io/public/infisical/infisical-cli/deb/debian \
       bookworm main" \
       > /etc/apt/sources.list.d/infisical.list \
    && apt-get update \
    && apt-get install -y infisical=1.7.3-1 \
    && rm -rf /var/lib/apt/lists/*
🤖 Prompt for AI Agents
In apps/api/Dockerfile around lines 13 to 22, avoid using `curl ... | bash` to
install the Infisical CLI as it executes unauthenticated code. Instead, fetch
and add the GPG key securely, add the Infisical repository with a pinned
version, and validate package checksums before installation. This ensures the
package authenticity and prevents supply-chain attacks.

@waxb force-pushed the waxb/feat/add-autodev-pr branch from 4c069bb to 459ae0c on July 24, 2025 19:59
coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (5)
.github/workflows/azure-pr-deploy.yml (5)

3-6: Restrict workflow trigger to trusted PRs or protect via environment

Running the workflow for all pull_request events lets untrusted-fork code execute privileged az commands with your federated service principal. Limit the trigger to internal PRs (or require a protected environment) to prevent supply-chain abuse.

 on:
   pull_request:
     types: [opened, reopened, synchronize, closed]
+    # Only run when the PR comes from the same repository, not forks
+    branches: [main]          # adjust to default branch
+    # Alternatively, move the jobs under a protected `environment`
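
Review bot: the `branches: [main]` line and its comment repeat the earlier mistake: `branches` under `pull_request` matches the base branch of the PR and says nothing about which repository the head commits come from, so forks targeting main are still included. Of the two options listed, only the protected `environment` (with required reviewers) actually stops untrusted code from running with the credentials; for a trigger-level guard, use a job `if:` comparing `github.event.pull_request.head.repo.full_name` with `github.repository`.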

40-46: Hard-coded service-principal IDs violate secret-management policy

client-id, tenant-id, and subscription-id are committed in plain text. Rotate them immediately and inject via repository/org secrets instead.

-          client-id: 2bfd5f96-2fa1-44ff-af35-17722c04027f
-          tenant-id: 760d74d4-e9ad-46f8-bbae-e20bce9596ab
-          subscription-id: 5533053b-de97-432f-908a-c7018c458532
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
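
Review bot: with `azure/login` using a federated credential, `client-id`, `tenant-id` and `subscription-id` are identifiers, not secrets: the tenant and subscription IDs cannot be rotated, and re-creating the app registration buys nothing unless the federated credential's `subject` is also scoped. Moving them into `secrets.*` is still worthwhile so they are masked in logs and can change without a code edit, but the controls that bound what a run can do are the federated credential's subject claim (which repository, branch or environment may mint a token) and the scope of the role assignment; this hunk changes neither, so the fork-trigger issue raised above remains open regardless.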

138-142: Credentials leaked in cleanup job as well

Cleanup repeats the same hard-coded IDs. Apply the same secret-based fix here.

-          client-id: 2bfd5f96-2fa1-44ff-af35-17722c04027f
-          tenant-id: 760d74d4-e9ad-46f8-bbae-e20bce9596ab
-          subscription-id: 5533053b-de97-432f-908a-c7018c458532
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

88-95: Secrets exposed as plain env-vars & flagged by gitleaks

INFISICAL_CLIENT_SECRET (line 94) and Azure IDs are visible via az containerapp revision show, breaching zero-trust. Load them as Container App secrets and reference with secretref:.

-            --env-vars \
-              PORT=4400 \
-              NODE_ENV=staging \
-              INFISICAL_PROJECT_ID=642ed4939db25595ac7eb9cd \
-              INFISICAL_ENVIRONMENT=staging \
-              INFISICAL_CLIENT_ID=cd3cc75e-d3bc-4b42-ba5d-6b68f56afa78 \
-              INFISICAL_CLIENT_SECRET=b8791a2f3571a3a24c8d938c627f31490427b7466ef7e335782bd1023d145b9a
+            --secrets \
+              infisicalClientId=${{ secrets.INFISICAL_CLIENT_ID }} \
+              infisicalClientSecret=${{ secrets.INFISICAL_CLIENT_SECRET }} \
+            --env-vars \
+              PORT=4400 \
+              NODE_ENV=staging \
+              INFISICAL_PROJECT_ID=642ed4939db25595ac7eb9cd \
+              INFISICAL_ENVIRONMENT=staging \
+              INFISICAL_CLIENT_ID=secretref:infisicalClientId \
+              INFISICAL_CLIENT_SECRET=secretref:infisicalClientSecret
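
Review bot: Container Apps secret names must be lowercase alphanumeric with `-` or `.`, so `infisicalClientId` and `infisicalClientSecret` as written are rejected at `az containerapp create`; use `infisical-client-id` and `infisical-client-secret` in both the `--secrets` entries and the `secretref:` values. Separately, the client secret on the removed `INFISICAL_CLIENT_SECRET=` line has already been pushed through this PR's history, so replacing it in the workflow is not a fix on its own: that machine identity's secret needs to be revoked and reissued. Expanding `${{ secrets.* }}` directly into the `run:` script also puts the value into the script text; set it on the step's `env:` and reference `"$INFISICAL_CLIENT_SECRET"` instead, with the caveat that it still appears on the `az` command line on the runner either way.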

61-73: Make resource creation idempotent to support re-runs

az group create and az containerapp env create fail when resources already exist, breaking retryability. Guard with ... show || ... create (or --exists).

-az group create \
-  --name ${{ env.AZURE_RESOURCE_GROUP }} \
-  --location ${{ env.AZURE_LOCATION }}
+az group show --name ${{ env.AZURE_RESOURCE_GROUP }} \
+  --query name --output tsv 2>/dev/null || \
+az group create \
+  --name ${{ env.AZURE_RESOURCE_GROUP }} \
+  --location ${{ env.AZURE_LOCATION }}

-az containerapp env create \
-  --name ${{ env.CONTAINER_APP_ENVIRONMENT }} \
-  --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
-  --location ${{ env.AZURE_LOCATION }}
+az containerapp env show \
+  --name ${{ env.CONTAINER_APP_ENVIRONMENT }} \
+  --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
+  --query name --output tsv 2>/dev/null || \
+az containerapp env create \
+  --name ${{ env.CONTAINER_APP_ENVIRONMENT }} \
+  --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
+  --location ${{ env.AZURE_LOCATION }}
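
Review bot: `az group create` is an ARM PUT and already succeeds when the group exists, so the first guard only saves a no-op call; the `containerapp env` guard is the one that changes behaviour. Both `show ... 2>/dev/null ||` forms hide why `show` failed: an expired login or a missing role assignment returns non-zero exactly like "not found", so the script falls through to `create` and reports a less useful error there. For the group, `az group exists` (prints `true`/`false`, exit code 0) is the purpose-built check; for the environment, keep stderr visible on the `show` call so a permission failure is diagnosable from the log.
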
🧹 Nitpick comments (1)
.github/workflows/azure-pr-deploy.yml (1)

28-28: Clean up trailing whitespace and add final newline

Minor YAML-lint violations can be fixed automatically; keeps diffs clean.

-            ## 🚀 Brease PR Environment Deployed Successfully!·
+            ## 🚀 Brease PR Environment Deployed Successfully!
...
-            > ✅ Cleanup completed successfully.·
+            > ✅ Cleanup completed successfully.
+

Also applies to: 112-112, 116-116, 121-121, 126-126, 130-130, 171-171, 175-176

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c069bb and 459ae0c.

📒 Files selected for processing (2)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
  • apps/api/Dockerfile (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api/Dockerfile
🧰 Additional context used
🪛 Gitleaks (8.27.2)
.github/workflows/azure-pr-deploy.yml

94-94: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key)

🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 28-28: trailing spaces (trailing-spaces)
[error] 112-112: trailing spaces (trailing-spaces)
[error] 116-116: trailing spaces (trailing-spaces)
[error] 121-121: trailing spaces (trailing-spaces)
[error] 126-126: trailing spaces (trailing-spaces)
[error] 130-130: trailing spaces (trailing-spaces)
[error] 171-171: trailing spaces (trailing-spaces)
[error] 175-175: trailing spaces (trailing-spaces)
[error] 176-176: no new line character at the end of file (new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: deploy
  • GitHub Check: Analyze (go)
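
The reviews above raise the same handful of points several times: the trigger runs for forks, the service-principal identifiers are committed, the Infisical credentials sit in plain environment variables, creation is not re-runnable, and cleanup reports success before deletion has finished. The workflow below is an added example written for this page that addresses all of them in one place; it is not the PR's `azure-pr-deploy.yml`. The resource names, the `pr-preview` environment, the `ACR_NAME` repository variable, the `westeurope` location and the registry-identity flags are assumptions, and the image build-and-push step and PR comment steps are omitted.

```yaml
name: azure-pr-deploy (hardened example)

on:
  pull_request:
    types: [opened, reopened, synchronize, closed]

# Least privilege for GITHUB_TOKEN; id-token is what azure/login needs for OIDC.
permissions:
  contents: read
  id-token: write
  pull-requests: write

env:
  AZURE_LOCATION: westeurope                                                        # assumption
  AZURE_RESOURCE_GROUP: rg-brease-pr-${{ github.event.pull_request.number }}
  CONTAINER_APP_ENVIRONMENT: cae-brease-pr-${{ github.event.pull_request.number }}  # assumed name
  API_APP_NAME: brease-api-pr-${{ github.event.pull_request.number }}               # assumed name
  IMAGE: brease-api:pr-${{ github.event.pull_request.number }}
  ACR_NAME: ${{ vars.ACR_NAME }}                                                    # assumed repository variable

jobs:
  deploy:
    # `branches:` would only filter the base branch. This condition is what excludes forks:
    # the head repository must be this repository, so only code already merged-able here
    # ever runs with the credentials.
    if: >-
      github.event.action != 'closed' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    environment: pr-preview        # assumed environment; put required reviewers on it
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          # Identifiers, not credentials, but kept in secrets so they are masked and rotatable.
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Ensure resource group and Container Apps environment exist (safe to re-run)
        run: |
          # `az group create` is an idempotent PUT; the environment needs an explicit guard.
          az group create --name "$AZURE_RESOURCE_GROUP" --location "$AZURE_LOCATION" --output none
          if ! az containerapp env show --name "$CONTAINER_APP_ENVIRONMENT" \
                 --resource-group "$AZURE_RESOURCE_GROUP" --output none; then
            az containerapp env create --name "$CONTAINER_APP_ENVIRONMENT" \
              --resource-group "$AZURE_RESOURCE_GROUP" --location "$AZURE_LOCATION"
          fi

      - name: Deploy the API with credentials stored as Container App secrets
        env:
          # Step-level env keeps the values out of the script text (GitHub still masks them in logs).
          INFISICAL_CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }}
          INFISICAL_CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }}
        run: |
          # Container Apps secret names must be lowercase alphanumeric with '-' or '.'.
          # Registry flags are an assumption: the app's system identity is expected to get AcrPull.
          az containerapp create \
            --name "$API_APP_NAME" \
            --resource-group "$AZURE_RESOURCE_GROUP" \
            --environment "$CONTAINER_APP_ENVIRONMENT" \
            --image "$ACR_NAME.azurecr.io/$IMAGE" \
            --registry-server "$ACR_NAME.azurecr.io" \
            --system-assigned --registry-identity system \
            --ingress external --target-port 4400 \
            --secrets "infisical-client-id=$INFISICAL_CLIENT_ID" \
                      "infisical-client-secret=$INFISICAL_CLIENT_SECRET" \
            --env-vars PORT=4400 NODE_ENV=staging INFISICAL_ENVIRONMENT=staging \
                       INFISICAL_CLIENT_ID=secretref:infisical-client-id \
                       INFISICAL_CLIENT_SECRET=secretref:infisical-client-secret \
            --output none

  cleanup:
    if: >-
      github.event.action == 'closed' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Delete the resource group and wait, so a follow-up PR comment reports real state
        run: |
          # `az group exists` prints true/false and exits 0 either way, so test its output.
          if [ "$(az group exists --name "$AZURE_RESOURCE_GROUP")" = "true" ]; then
            az group delete --name "$AZURE_RESOURCE_GROUP" --yes --no-wait
            az group wait --name "$AZURE_RESOURCE_GROUP" --deleted
          fi
      - name: Delete the PR image by manifest, so no orphan layers remain
        run: az acr repository delete --name "$ACR_NAME" --image "$IMAGE" --yes
```

The two `if:` conditions are the control that matters: a fork PR never reaches `azure/login`, and the `closed` event cannot be used to drive deletions from outside the repository. Everything else is defence in depth: scoped `permissions`, identifiers out of the source, the Infisical credentials visible only as `secretref` values in `az containerapp revision show`, and a cleanup that blocks on `az group wait --deleted` before anything claims success.
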

@waxb force-pushed the waxb/feat/add-autodev-pr branch 2 times, most recently from e7a2954 to 081e364 on July 24, 2025 20:30
@waxb force-pushed the waxb/feat/add-autodev-pr branch from 081e364 to 75dd475 on July 24, 2025 20:38
@waxb force-pushed the waxb/feat/add-autodev-pr branch from 1b0e5c1 to 2e424d2 on July 24, 2025 20:55
coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (3)
.github/workflows/azure-pr-deploy.yml (3)

3-6: Restrict workflow trigger to trusted refs

Running on every pull_request (incl. forks) gives untrusted code write access to the subscription. Limit to internal branches or gate behind a protected environment.


43-46: Service-principal IDs should come from secrets, not code

Hard-coding blocks rotation and leaks metadata; use ${{ secrets.* }} instead.


145-147: Same issue in cleanup job — replace with secrets

🧹 Nitpick comments (2)
apps/api/start.sh (1)

5-5: Quote params & place command after --

-infisical run --projectId=$INFISICAL_PROJECT_ID --env=staging brease
+infisical run --projectId="$INFISICAL_PROJECT_ID" --env=staging -- brease
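
Review bot: `--env=staging` stays hard-coded in this line even though the workflow passes `INFISICAL_ENVIRONMENT=staging` into the container; use `--env="$INFISICAL_ENVIRONMENT"` so the script follows the deployment's setting instead of silently diverging from it when that value changes. The `--` separator is the right fix: it is the documented way to hand `infisical run` a command that carries its own flags, so any future `brease` arguments are not parsed as CLI options.
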
.github/workflows/azure-pr-deploy.yml (1)

104-109: Quote vars in az containerapp show (SC2086)

-URL=$(az containerapp show \
-  --name ${{ env.API_APP_NAME }} \
-  --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
+URL=$(az containerapp show \
+  --name "${{ env.API_APP_NAME }}" \
+  --resource-group "${{ env.AZURE_RESOURCE_GROUP }}" \
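
Review bot: quoting silences SC2086, but `${{ env.API_APP_NAME }}` is still substituted into the script text by the workflow engine before bash starts, so the quotes do not help if a value ever contains a quote or `$(`. The workflow's `env:` block already exports these names as environment variables; `--name "$API_APP_NAME"` and `--resource-group "$AZURE_RESOURCE_GROUP"` read them at runtime through the shell, which is both the shellcheck-clean and the injection-safe form.
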
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 459ae0c and 2e424d2.

📒 Files selected for processing (3)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
  • apps/api/Dockerfile (1 hunks)
  • apps/api/start.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api/Dockerfile
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/azure-pr-deploy.yml

103-103: shellcheck reported issue in this script: SC2086:info:6:28: Double quote to prevent globbing and word splitting (shellcheck)

🪛 Gitleaks (8.27.2)
.github/workflows/azure-pr-deploy.yml

99-99: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key)

🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 28-28: trailing spaces (trailing-spaces)
[error] 117-117: trailing spaces (trailing-spaces)
[error] 121-121: trailing spaces (trailing-spaces)
[error] 126-126: trailing spaces (trailing-spaces)
[error] 131-131: trailing spaces (trailing-spaces)
[error] 135-135: trailing spaces (trailing-spaces)
[error] 176-176: trailing spaces (trailing-spaces)
[error] 180-180: trailing spaces (trailing-spaces)
[error] 181-181: no new line character at the end of file (new-line-at-end-of-file)

🪛 Shellcheck (0.10.0)
apps/api/start.sh

[warning] 4-4: Declare and assign separately to avoid masking return values. (SC2155)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: deploy
  • GitHub Check: Analyze (go)

@@ -0,0 +1,5 @@
#!/bin/bash
set -e

🛠️ Refactor suggestion

Harden the script with set -euo pipefail

Fail fast on unset variables and pipe errors for more predictable behaviour.

-set -e
+set -euo pipefail
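
Review bot: `-u` also turns a missing `INFISICAL_CLIENT_ID` or `INFISICAL_CLIENT_SECRET` into an immediate "unbound variable" error at line 4 instead of handing empty strings to `infisical login`, which is the more useful failure for a container that is about to start without its secrets. Note that `-e` still does not catch a failing `infisical login` on line 4 as currently written, because the exit status of `export VAR=$(...)` is that of `export`; the SC2155 fix raised in the other comment is what makes this hunk effective there.
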
🤖 Prompt for AI Agents
In apps/api/start.sh at line 2, replace the current 'set -e' command with 'set
-euo pipefail' to make the script fail fast on unset variables and pipe errors,
improving its robustness and predictability.

#!/bin/bash
set -e
echo "Fetching secrets from Infisical..."
export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --plain --silent)

🛠️ Refactor suggestion

Fix SC2155 and quote sensitive expansions

Declare then export and always quote to avoid word-splitting / injection.

-export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --plain --silent)
+INFISICAL_TOKEN=$(infisical login \
+  --method=universal-auth \
+  --client-id="$INFISICAL_CLIENT_ID" \
+  --client-secret="$INFISICAL_CLIENT_SECRET" \
+  --plain --silent)
+export INFISICAL_TOKEN
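
Review bot: this resolves SC2155, but two things about the line remain. The client secret is still passed as a command-line argument, so any process in the container can read it from `/proc/<pid>/cmdline` while `infisical login` runs; check whether the CLI version in use accepts the universal-auth credentials from environment variables and prefer that. And because `INFISICAL_TOKEN` is exported before `infisical run ... brease`, the application process inherits the Infisical token alongside the injected secrets; at minimum `unset INFISICAL_CLIENT_SECRET` after login so a compromise of `brease` does not also yield the long-lived machine-identity credential.
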
📝 Committable suggestion

Before:
export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --plain --silent)

After:
INFISICAL_TOKEN=$(infisical login \
  --method=universal-auth \
  --client-id="$INFISICAL_CLIENT_ID" \
  --client-secret="$INFISICAL_CLIENT_SECRET" \
  --plain --silent)
export INFISICAL_TOKEN
🧰 Tools
🪛 Shellcheck (0.10.0)

[warning] 4-4: Declare and assign separately to avoid masking return values. (SC2155)

🤖 Prompt for AI Agents
In apps/api/start.sh at line 4, the export statement combines declaration and
export, which triggers SC2155, and the variable expansion is unquoted, risking
word-splitting or injection. Fix this by first declaring the variable on a
separate line, quoting the command substitution to prevent word-splitting, and
then exporting the variable on the next line.

coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (2)
.github/workflows/azure-pr-deploy.yml (2)

3-6: Workflow still runs on untrusted fork PRs

Same concern raised previously: exposing Azure credentials to forked PRs is a high-risk vector. Restrict the trigger or gate with protected environments.


40-46: Service-principal identifiers are hard-coded

Client-id / tenant-id / subscription-id must come from repository or org secrets to allow rotation and avoid accidental disclosure.

🧹 Nitpick comments (1)
.github/workflows/azure-pr-deploy.yml (1)

61-66: Make resource-group creation idempotent

az group create exits non-zero only on real errors, but flooding logs with “already exists” is noisy. A quick guard avoids that and saves ~10 s per run:

# az group exists prints "true"/"false" and exits 0 either way, so test its output rather than its exit status
if [ "$(az group exists --name "$AZURE_RESOURCE_GROUP")" != "true" ]; then
  az group create --name "$AZURE_RESOURCE_GROUP" --location "$AZURE_LOCATION"
fi
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 459ae0c and 2e424d2.

📒 Files selected for processing (3)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
  • apps/api/Dockerfile (1 hunks)
  • apps/api/start.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api/Dockerfile
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/azure-pr-deploy.yml

103-103: shellcheck reported issue in this script: SC2086:info:6:28: Double quote to prevent globbing and word splitting (shellcheck)

🪛 Gitleaks (8.27.2)
.github/workflows/azure-pr-deploy.yml

99-99: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key)

🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 28-28: trailing spaces (trailing-spaces)
[error] 117-117: trailing spaces (trailing-spaces)
[error] 121-121: trailing spaces (trailing-spaces)
[error] 126-126: trailing spaces (trailing-spaces)
[error] 131-131: trailing spaces (trailing-spaces)
[error] 135-135: trailing spaces (trailing-spaces)
[error] 176-176: trailing spaces (trailing-spaces)
[error] 180-180: trailing spaces (trailing-spaces)
[error] 181-181: no new line character at the end of file (new-line-at-end-of-file)

🪛 Shellcheck (0.10.0)
apps/api/start.sh

[warning] 4-4: Declare and assign separately to avoid masking return values.

(SC2155)

#!/bin/bash
set -e
echo "Fetching secrets from Infisical..."
export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --plain --silent)

🛠️ Refactor suggestion

Quote variables & split assignment to avoid masked return value

Capturing the token in the same export statement both masks infisical login’s exit status (SC2155) and leaves expansions un-quoted, which will break if any variable contains whitespace. Recommend:

-export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --plain --silent)
+INFISICAL_TOKEN="$(infisical login \
+  --method=universal-auth \
+  --client-id="$INFISICAL_CLIENT_ID" \
+  --client-secret="$INFISICAL_CLIENT_SECRET" \
+  --plain --silent)"
+export INFISICAL_TOKEN

Adds quoting, preserves exit-code, and keeps the script safety guarantees already implied by set -e.


🤖 Prompt for AI Agents
In apps/api/start.sh at line 4, the export statement combines variable
assignment and command substitution without quoting, which masks the exit status
and risks word splitting. To fix this, split the assignment and export into two
separate commands, assign the output of the infisical login command to the
variable with proper double quotes around the command substitution to preserve
whitespace, then export the variable on the next line. This preserves the exit
code and ensures safe handling of the token value.
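The SC2155 point above, made observable in an added example (not code from the PR or from CodeRabbit): each variant of the start.sh line runs in a fresh bash with set -e against a constructed 'infisical' stub that fails the way a rejected universal-auth login would, so you can see which form lets the script continue with an empty token.

```shell
#!/bin/bash
# Added example, not part of apps/api/start.sh: shows why ShellCheck SC2155
# matters for the 'infisical login' line. Each variant runs in a fresh bash
# with 'set -e' against a constructed stub of the Infisical CLI.

# Constructed stub: behaves like 'infisical login' when universal-auth fails.
INFISICAL_STUB='infisical() { echo "error: universal-auth login rejected" >&2; return 1; }'

# Run a snippet under 'set -e' with the stub defined; returns the snippet's status.
run_under_errexit() {
  bash -c "$INFISICAL_STUB
set -e
$1"
}

# Pattern from start.sh: assignment and export on one line. The line's exit
# status is that of the 'export' builtin (0), so the failed login is masked
# and the script carries on with an empty INFISICAL_TOKEN. Returns 0.
masked_fetch() {
  run_under_errexit '
export INFISICAL_TOKEN=$(infisical login --method=universal-auth --plain --silent)
echo "continued with INFISICAL_TOKEN=[$INFISICAL_TOKEN]"'
}

# Reviewer-suggested pattern: assign, then export. The assignment's exit
# status is that of the command substitution, so 'set -e' aborts before
# anything runs with an empty token. Returns 1.
split_fetch() {
  run_under_errexit '
INFISICAL_TOKEN="$(infisical login --method=universal-auth --plain --silent)"
export INFISICAL_TOKEN
echo "continued with INFISICAL_TOKEN=[$INFISICAL_TOKEN]"'
}

# Stand-alone demo of both variants.
main() {
  if masked_fetch 2>/dev/null; then echo "one-line export: login failure NOT detected"; fi
  if split_fetch 2>/dev/null; then :; else echo "split assignment: login failure detected"; fi
}
main
```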

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (4)
.github/workflows/azure-pr-deploy.yml (4)

3-6: Unrestricted PR trigger still exposes subscription – restrict or gate.
The workflow continues to run on any pull_request event, including from forks, letting untrusted code execute privileged Azure commands. Please scope the trigger to trusted branches / actors or protect the job behind a required-approval environment.

 on:
   pull_request:
-    types: [opened, reopened, synchronize, closed]
+    types: [opened, reopened, synchronize, closed]
+    # Only run for PRs raised from this repository (adjust default branch)
+    branches: [main]
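Review bot: the added branches: [main] filter does not achieve what the comment asks for. On pull_request events the branches filter matches the PR's base branch, so a PR from a fork that targets main still triggers the job with the same credentials. To exclude forks, gate the job with a condition such as if: github.event.pull_request.head.repo.full_name == github.repository, or put the deploy job behind a GitHub environment with required reviewers so a maintainer approves each run.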

42-45: Service-principal IDs are hard-coded – move to GitHub secrets.
client-id, tenant-id, and subscription-id must be injected from ${{ secrets.* }} to avoid credential leakage and ease rotation.

Same issue exists in both deploy and cleanup jobs.

Also applies to: 129-131


81-85: INFISICAL credentials committed in plain text – immediate secret leak.
Both INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET are public in the repo. Anyone can impersonate the machine identity and exfiltrate all secrets.

Move them to Container-App --secrets and reference them with secretref:

-              INFISICAL_CLIENT_ID=cd3cc75e-d3bc-4b42-ba5d-6b68f56afa78 \
-              INFISICAL_CLIENT_SECRET=b8791a2f3571a3a24c8d938c627f31490427b7466ef7e335782bd1023d145b9a
+            --secrets \
+              infisicalClientId=${{ secrets.INFISICAL_CLIENT_ID }} \
+              infisicalClientSecret=${{ secrets.INFISICAL_CLIENT_SECRET }} \
+            --env-vars \
+              INFISICAL_CLIENT_ID=secretref:infisicalClientId \
+              INFISICAL_CLIENT_SECRET=secretref:infisicalClientSecret
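Review bot: the secret names in this hunk will be rejected by Azure Container Apps, which requires secret names to be lowercase alphanumeric characters with '-' or '.', so infisicalClientId and infisicalClientSecret need to become names like infisical-client-id and infisical-client-secret on both the --secrets lines and the secretref: references. The two literal values on the removed lines remain in the repository's history after this change, so rotating them, as the comment says, is required regardless.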

Rotate the leaked credentials immediately.


62-67: az group create is not idempotent – add existence check.
Re-runs fail if the RG already exists (e.g., previous run cancelled). Guard the command:

-az group create \
-  --name ${{ env.AZURE_RESOURCE_GROUP }} \
-  --location ${{ env.AZURE_LOCATION }}
+if ! az group exists --name ${{ env.AZURE_RESOURCE_GROUP }}; then
+  az group create \
+    --name ${{ env.AZURE_RESOURCE_GROUP }} \
+    --location ${{ env.AZURE_LOCATION }}
+fi
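Review bot: the guard as written never creates the group. az group exists prints true or false on stdout and exits 0 in both cases, so the condition "! az group exists ..." is always false and the create step is skipped even when the group is missing. Compare the printed value instead: if [ "$(az group exists --name ${{ env.AZURE_RESOURCE_GROUP }})" = "false" ]; then ... fi. Note also that az group create succeeds on an existing group, as the earlier nitpick on this PR states, so the guard only quiets the logs rather than fixing a failing re-run.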
🧹 Nitpick comments (1)
.github/workflows/azure-pr-deploy.yml (1)

96-121: Trailing spaces & missing EOF newline flagged by YAMLlint.
Minor but CI may fail. Strip trailing blanks and ensure the file ends with \n.

Also applies to: 159-165

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2e424d2 and 095f8c0.

📒 Files selected for processing (1)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
🧰 Additional context used
🪛 Gitleaks (8.27.2)
.github/workflows/azure-pr-deploy.yml

84-84: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 27-27: trailing spaces (trailing-spaces)
[error] 102-102: trailing spaces (trailing-spaces)
[error] 106-106: trailing spaces (trailing-spaces)
[error] 110-110: trailing spaces (trailing-spaces)
[error] 115-115: trailing spaces (trailing-spaces)
[error] 119-119: trailing spaces (trailing-spaces)
[error] 160-160: trailing spaces (trailing-spaces)
[error] 164-164: trailing spaces (trailing-spaces)
[error] 165-165: no new line character at the end of file (new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: deploy
  • GitHub Check: Analyze (go)
  • GitHub Check: Analyze (javascript)


nadilas commented Jul 25, 2025

This stack of pull requests is managed by Graphite. Learn more about stacking.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/azure-pr-deploy.yml (1)

3-6: Restrict PR trigger to trusted sources (repeat finding)
Workflow still runs for every pull_request event, so code from forks can execute privileged Azure commands. Please gate the workflow (e.g. branches: [main] or a protected environment) before merging.

🧹 Nitpick comments (1)
.github/workflows/azure-pr-deploy.yml (1)

27-27: Clean up trailing whitespace and missing EOF newline
YAML-lint flags these lines; trimming whitespace avoids noisy CI failures.

-      
+

Add a single blank line at the very end of the file as well.

Also applies to: 105-105, 109-109, 113-113, 118-118, 122-122, 163-163, 167-168

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 095f8c0 and 9d55a2f.

📒 Files selected for processing (1)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 27-27: trailing spaces (trailing-spaces)
[error] 105-105: trailing spaces (trailing-spaces)
[error] 109-109: trailing spaces (trailing-spaces)
[error] 113-113: trailing spaces (trailing-spaces)
[error] 118-118: trailing spaces (trailing-spaces)
[error] 122-122: trailing spaces (trailing-spaces)
[error] 163-163: trailing spaces (trailing-spaces)
[error] 167-167: trailing spaces (trailing-spaces)
[error] 168-168: no new line character at the end of file (new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Analyze (go)
🔇 Additional comments (2)
.github/workflows/azure-pr-deploy.yml (2)

40-45: Service-principal IDs now pulled from secrets – nice hardening
Hard-coding was removed in favour of secrets.*; this closes the credential-leak issue raised earlier.


78-88: Verify whether INFISICAL_PROJECT_ID should also be secret-scoped
INFISICAL_PROJECT_ID looks like an internal identifier. If exposing it publicly has no downside, leave as-is. Otherwise inject through --secrets just like the client credentials.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/azure-pr-deploy.yml (1)

3-6: Unrestricted PR trigger still exposes Azure subscription to forked PRs
Previous feedback to restrict the workflow trigger (or gate it behind an approved environment) has not been incorporated. Malicious code in a fork can still obtain a federated OIDC token and run arbitrary az commands with contributor-level privileges.

🧹 Nitpick comments (2)
.github/workflows/azure-pr-deploy.yml (2)

13-16: Separate ACR name from registry FQDN for consistency & DRYness
You hard-code dotinc in the az acr login step (l.49-50) while AZURE_CONTAINER_REGISTRY contains the FQDN dotinc.azurecr.io. Relying on two different literals is brittle and diverges if the registry name ever changes.

 env:
-  AZURE_CONTAINER_REGISTRY: dotinc.azurecr.io
+  AZURE_ACR_NAME: dotinc
+  AZURE_CONTAINER_REGISTRY: ${{ env.AZURE_ACR_NAME }}.azurecr.io
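Review bot: the env context is not available in workflow-level env, so AZURE_CONTAINER_REGISTRY: ${{ env.AZURE_ACR_NAME }}.azurecr.io evaluates to ".azurecr.io" and every later image reference breaks. Either keep both values as literals at the workflow level (AZURE_ACR_NAME: dotinc and AZURE_CONTAINER_REGISTRY: dotinc.azurecr.io) or derive the FQDN inside a step, where env is in scope, e.g. echo "AZURE_CONTAINER_REGISTRY=${AZURE_ACR_NAME}.azurecr.io" >> "$GITHUB_ENV".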

and later:

-      - name: Log in to Azure Container Registry
-        run: az acr login --name dotinc
+      - name: Log in to Azure Container Registry
+        run: az acr login --name ${{ env.AZURE_ACR_NAME }}

27-27: YAML-lint: trailing whitespace & missing final newline
CI linting already flags these lines. Strip the trailing spaces and ensure the file ends with a single newline to keep the workflow green.

-      api-url: ${{ steps.get-api-url.outputs.url }}␠
+      api-url: ${{ steps.get-api-url.outputs.url }}-            ## 🚀 Brease PR Environment Deployed Successfully!␠
+            ## 🚀 Brease PR Environment Deployed Successfully!-            > 💡 This environment will be automatically cleaned up when the PR is merged or closed.␠
+            > 💡 This environment will be automatically cleaned up when the PR is merged or closed.-            > ✅ Cleanup completed successfully.␠
+            > ✅ Cleanup completed successfully.
+

Also applies to: 117-117, 121-121, 125-125, 130-130, 134-134, 175-180

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9d55a2f and adfd94a.

📒 Files selected for processing (2)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
  • apps/api/Dockerfile (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/api/Dockerfile
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 27-27: trailing spaces (trailing-spaces)
[error] 117-117: trailing spaces (trailing-spaces)
[error] 121-121: trailing spaces (trailing-spaces)
[error] 125-125: trailing spaces (trailing-spaces)
[error] 130-130: trailing spaces (trailing-spaces)
[error] 134-134: trailing spaces (trailing-spaces)
[error] 175-175: trailing spaces (trailing-spaces)
[error] 179-179: trailing spaces (trailing-spaces)
[error] 180-180: no new line character at the end of file (new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: deploy

Comment on lines +100 to +110

- name: Get API URL
id: get-api-url
run: |
URL=$(az containerapp show \
--name ${{ env.API_APP_NAME }} \
--resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
--query properties.configuration.ingress.fqdn \
--output tsv)
echo "url=https://$URL" >> $GITHUB_OUTPUT


🛠️ Refactor suggestion

az containerapp show can race with provisioning – add retry
Immediately querying the FQDN sometimes returns an empty string while DNS & ingress settle. A short retry loop (or az rest --retry-interval) prevents posting an empty URL to the PR comment.

-  URL=$(az containerapp show \
+  for i in {1..10}; do
+    URL=$(az containerapp show \
       --name ${{ env.API_APP_NAME }} \
       --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
       --query properties.configuration.ingress.fqdn \
       --output tsv)
+    [ -n "$URL" ] && break
+    sleep 15
+  done
   echo "url=https://$URL" >> $GITHUB_OUTPUT
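Review bot: the loop still falls through after ten empty results and writes url=https:// to GITHUB_OUTPUT, which is exactly the outcome it is meant to prevent. Add a guard after done, e.g. [ -n "$URL" ] || { echo "ingress FQDN not available" >&2; exit 1; }, so the step fails instead of posting a blank URL, and quote "$GITHUB_OUTPUT" on the echo line, which is the SC2086 finding actionlint already reported for this step.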
🤖 Prompt for AI Agents
In .github/workflows/azure-pr-deploy.yml around lines 100 to 110, the az
containerapp show command can return an empty FQDN due to provisioning delays.
To fix this, wrap the command in a retry loop that attempts the query multiple
times with a short delay between tries, ensuring the URL is not empty before
echoing it to GITHUB_OUTPUT. This prevents posting an empty URL to the PR
comment.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (3)
.github/workflows/azure-pr-deploy.yml (3)

3-6: Unrestricted PR trigger still exposes Azure resources to forked PRs
The workflow continues to run for every pull_request event, giving untrusted fork code write access to the subscription. Restrict the trigger to trusted actors or gate the deploy job behind a protected environment.

-on:
-  pull_request:
-    types: [opened, reopened, synchronize, closed]
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, closed]
+    # Ensure only in-repo PRs can deploy
+    branches: [main]          # adjust to your default branch
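Review bot: as with the earlier copy of this suggestion, branches: [main] filters on the PR's base branch and does not exclude forks. Use an if: condition on github.event.pull_request.head.repo.full_name == github.repository, or a protected environment with required reviewers, to keep fork PRs away from the Azure credentials.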

74-79: az group create is not idempotent – reruns will fail
On re-runs the command errors if the group already exists. Add an existence check (or --exists) to make the step idempotent.

-az group create \
-  --name ${{ env.AZURE_RESOURCE_GROUP }} \
-  --location ${{ env.AZURE_LOCATION }}
+if ! az group exists --name ${{ env.AZURE_RESOURCE_GROUP }}; then
+  az group create \
+    --name ${{ env.AZURE_RESOURCE_GROUP }} \
+    --location ${{ env.AZURE_LOCATION }}
+fi
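Review bot: same defect as the earlier copy of this guard: az group exists exits 0 whether it prints true or false, so this branch never runs. Compare the printed value, [ "$(az group exists --name ${{ env.AZURE_RESOURCE_GROUP }})" = "false" ], instead of the exit status.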

90-97: Secrets still injected as plain environment variables
INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET remain readable via az containerapp revision show. Move them to Container-App secrets and reference with secretref:.

-            --env-vars \
-              ... \
-              INFISICAL_CLIENT_ID=${{ secrets.INFISICAL_CLIENT_ID }} \
-              INFISICAL_CLIENT_SECRET=${{ secrets.INFISICAL_CLIENT_SECRET }} \
+            --secrets \
+              infisicalClientId=${{ secrets.INFISICAL_CLIENT_ID }} \
+              infisicalClientSecret=${{ secrets.INFISICAL_CLIENT_SECRET }} \
+            --env-vars \
+              ... \
+              INFISICAL_CLIENT_ID=secretref:infisicalClientId \
+              INFISICAL_CLIENT_SECRET=secretref:infisicalClientSecret \
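Review bot: Azure Container Apps requires secret names to be lowercase with '-' or '.', so infisicalClientId and infisicalClientSecret will fail validation; rename them (e.g. infisical-client-id, infisical-client-secret) in both the --secrets list and the secretref: values.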
🧹 Nitpick comments (2)
.github/workflows/azure-pr-deploy.yml (2)

100-106: Single shot az containerapp show races with provisioning – add retry
A fresh deployment often returns an empty FQDN. Wrap the query in a small retry loop to avoid posting blank URLs.

-URL=$(az containerapp show \
-  --name ${{ env.API_APP_NAME }} \
-  --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
-  --query properties.configuration.ingress.fqdn \
-  --output tsv)
+for i in {1..10}; do
+  URL=$(az containerapp show \
+    --name ${{ env.API_APP_NAME }} \
+    --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
+    --query properties.configuration.ingress.fqdn \
+    --output tsv)
+  [ -n "$URL" ] && break
+  sleep 15
+done
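Review bot: this copy of the retry loop also lacks a failure path once the ten attempts are exhausted; add [ -n "$URL" ] || exit 1 after done so the step fails rather than publishing an empty URL.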

27-131: Minor style: remove trailing whitespace & add final newline
YAMLlint flags multiple trailing-space errors (lines 27, 114, 118, 122, 127, 131, 172, 176) and a missing newline at EOF. Trimming these keeps the workflow tidy and prevents CI lint failures.

-      api-url: ${{ steps.get-api-url.outputs.url }}␠
+      api-url: ${{ steps.get-api-url.outputs.url }}-            ## 🚀 Brease PR Environment Deployed Successfully!␠
+            ## 🚀 Brease PR Environment Deployed Successfully!-            > 💡 This environment will be automatically cleaned up when the PR is merged or closed.␠
+            > 💡 This environment will be automatically cleaned up when the PR is merged or closed.
+

Also applies to: 172-177

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between adfd94a and a36df65.

📒 Files selected for processing (1)
  • .github/workflows/azure-pr-deploy.yml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/azure-pr-deploy.yml

[error] 27-27: trailing spaces (trailing-spaces)
[error] 114-114: trailing spaces (trailing-spaces)
[error] 118-118: trailing spaces (trailing-spaces)
[error] 122-122: trailing spaces (trailing-spaces)
[error] 127-127: trailing spaces (trailing-spaces)
[error] 131-131: trailing spaces (trailing-spaces)
[error] 172-172: trailing spaces (trailing-spaces)
[error] 176-176: trailing spaces (trailing-spaces)
[error] 177-177: no new line character at the end of file (new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: deploy
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Analyze (go)
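The idempotent resource-group guard and the FQDN retry loop that the duplicate comments above keep returning to, as an added example rather than the PR's own workflow code: both steps are written as shell functions and exercised against a constructed 'az' stub so the file runs offline. The stub's behaviour (az group exists printing true/false with exit 0, an empty FQDN until provisioning completes) is an assumption about the real CLI, and the resource names are made up.

```shell
#!/bin/bash
# Added example, not from the PR's workflow: the two workflow steps the
# reviews keep returning to, written so they behave as intended, and run
# against a constructed 'az' stub so the file executes offline.
# Assumptions about the real CLI: 'az group exists' prints true/false and
# exits 0 either way; 'az containerapp show ... --output tsv' prints an empty
# line while the ingress FQDN is not yet provisioned.

AZ_STATE_DIR=$(mktemp -d)
AZ_READY_AFTER=3   # stub: FQDN appears from the 3rd 'containerapp show' call

# Constructed stub of the Azure CLI covering only the three subcommands used.
az() {
  case "$1 $2" in
    "group exists")
      if [ -e "$AZ_STATE_DIR/group" ]; then echo true; else echo false; fi ;;
    "group create")
      : > "$AZ_STATE_DIR/group"; echo "stub: created group $4" ;;
    "containerapp show")
      n=$(( $(cat "$AZ_STATE_DIR/calls" 2>/dev/null || echo 0) + 1 ))
      echo "$n" > "$AZ_STATE_DIR/calls"
      if [ "$n" -ge "$AZ_READY_AFTER" ]; then
        echo "api-pr-1.example.azurecontainerapps.io"   # constructed FQDN
      fi ;;
    *) echo "stub: unsupported: $*" >&2; return 2 ;;
  esac
}

# Idempotent resource-group creation: compare the printed value, because
# 'if ! az group exists ...' would never enter the branch (exit code is 0).
ensure_group() {
  if [ "$(az group exists --name "$1")" = "false" ]; then
    az group create --name "$1" --location "$2"
  else
    echo "resource group $1 already present, skipping create"
  fi
}

# Bounded poll for the ingress FQDN. Prints the https URL on success; fails
# the step (return 1) instead of handing an empty URL on to the PR comment.
wait_for_fqdn() {
  app=$1; rg=$2; attempts=${3:-10}; delay=${4:-15}; i=1
  while [ "$i" -le "$attempts" ]; do
    fqdn=$(az containerapp show --name "$app" --resource-group "$rg" \
      --query properties.configuration.ingress.fqdn --output tsv)
    if [ -n "$fqdn" ]; then echo "https://$fqdn"; return 0; fi
    sleep "$delay"; i=$((i + 1))
  done
  echo "ingress FQDN for $app not available after $attempts attempts" >&2
  return 1
}

# Stand-alone demo: second ensure_group call is a no-op, URL arrives on try 3.
main() {
  ensure_group rg-pr-1 westeurope
  ensure_group rg-pr-1 westeurope
  url=$(wait_for_fqdn api-pr-1 rg-pr-1 5 0) && echo "url=$url"
}
main
```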

@nadilas nadilas merged commit 3d98e72 into main Jul 26, 2025
12 checks passed
@nadilas nadilas deleted the waxb/feat/add-autodev-pr branch July 26, 2025 07:14
