| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: astral-sh/setup-uv@v5 |
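Review bot: actions/checkout@v4 and astral-sh/setup-uv@v5 in this hunk (and every other uses: reference flagged by CodeQL below) point at mutable tags, so the code the runner executes can change after this review without any diff here; pin each action to its full commit SHA and keep the version as a trailing comment, e.g. uses: astral-sh/setup-uv@<full-commit-sha> # v5, and let Dependabot or a similar updater bump the SHA.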
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| fetch-depth: 0 | ||
| - name: Configure AWS credentials (OIDC) | ||
| uses: aws-actions/configure-aws-credentials@v4 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| role-to-assume: ${{ secrets.AWS_E2E_ROLE_ARN }} | ||
| aws-region: us-east-1 | ||
| - uses: astral-sh/setup-uv@v5 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| - name: Authenticate to GCP | ||
| id: auth | ||
| uses: google-github-actions/auth@v2 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | ||
| - name: Set up gcloud CLI | ||
| uses: google-github-actions/setup-gcloud@v2 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| - name: Set up gcloud CLI | ||
| uses: google-github-actions/setup-gcloud@v2 | ||
| - uses: astral-sh/setup-uv@v5 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
c70c5ea to d855586 (Compare)
.github/workflows/e2e-aws.yaml (Outdated)
| should_run: ${{ steps.filter.outputs.aws }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dorny/paths-filter@v3 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| python-version: "3.12" | ||
| - name: Install Pulumi CLI | ||
| uses: pulumi/actions@v6 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| uses: pulumi/actions@v6 | ||
| - name: Install kubectl | ||
| uses: azure/setup-kubectl@v4 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
.github/workflows/e2e-gcp.yaml (Outdated)
| should_run: ${{ steps.filter.outputs.gcp }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dorny/paths-filter@v3 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| python-version: "3.12" | ||
| - name: Install Pulumi CLI | ||
| uses: pulumi/actions@v6 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
| uses: pulumi/actions@v6 | ||
| - name: Install kubectl | ||
| uses: azure/setup-kubectl@v4 |
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow
d855586 to dc998d6 (Compare)
dc998d6 to 83500f9 (Compare)
cc2cc49 to 2ca1dff (Compare)
2ca1dff to 85236b1 (Compare)
85236b1 to c67c80c (Compare)
c67c80c to fb1fe0c (Compare)
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| fi | ||
| if [ "${{ needs.aws.result }}" = "cancelled" ] || [ "${{ needs.gcp.result }}" = "cancelled" ]; then | ||
| echo "E2E cancelled" | ||
| exit 1 |
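Review bot: the cancellation check on these lines covers only needs.aws.result and needs.gcp.result, so a failed or cancelled changes job (which leaves aws and gcp as "skipped") still falls through to the success branch. Gate on the changes job too, with a strict condition rather than a list of bad states, e.g. if [ "${{ needs.changes.result }}" != "success" ]; then echo "changes job failed"; exit 1; fi placed before the aws/gcp checks, so that "skipped" on the cloud jobs is only accepted when the filter job itself succeeded.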
Result job ignores changes job failures (Medium Severity)
result only fails on needs.aws.result and needs.gcp.result, but never checks needs.changes.result. If changes fails, both cloud jobs are skipped and result still prints OK, so .github/workflows/e2e.yaml can report a successful E2E run after an internal workflow failure.
| - 'config/base.py' | ||
| - 'config/__init__.py' | ||
| - 'setup/wizard.py' | ||
| - 'setup/gcp_wizard.py' |
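Review bot: this filter list names only source modules, so a change to root packaging files is invisible to it and the cloud jobs stay skipped; add the packaging inputs that both deployments depend on (pyproject.toml at minimum, plus any lock file the project commits) and the workflow files themselves (.github/workflows/aws.yaml, .github/workflows/gcp.yaml, .github/workflows/e2e.yaml) to the same list, since edits to those change what the E2E run does without touching the watched paths.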
E2E path filter misses dependency changes (Medium Severity)
The dorny/paths-filter rules in .github/workflows/e2e.yaml exclude root build files like pyproject.toml. Changes to dependencies or packaging can break both cloud deployments, but aws/gcp jobs stay skipped because only selected source paths are watched.


Note (Medium Risk): Adds CI that can provision/destroy real cloud infrastructure and changes teardown behavior; misconfiguration or workflow logic issues could lead to leaked resources or failed cleanups.
Overview
Introduces GitHub Actions automation: a new CI workflow runs ruff formatting/linting and ty type checks, and a new E2E workflow conditionally runs reusable AWS/GCP E2E pipelines based on touched paths.
Adds reusable aws.yaml/gcp.yaml workflows that generate an e2e Pulumi project via the setup wizard in headless mode, override package deps to use the PR's local source, apply CI-specific Pulumi config, run pulumi up, and always clean up with pulumi destroy + stack removal.
Updates the setup wizard to support --headless, --stack-name, and --skip-install, emitting stack config files without interactive prompts, and adjusts cluster teardown to pass a cloud hint so the uninstaller only injects gcloud tokens for GCP. Also adds dev tooling deps/config (ruff, ty) and minor type/format cleanups across modules.
Written by Cursor Bugbot for commit f621f25.
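A result job that closes the gap described in the "Result job ignores changes job failures" finding, written here as an added example and not code from this PR; the job names changes, aws and gcp come from the review comment, while the runner label, step name and the bodies of the upstream jobs are assumptions.

```yaml
jobs:
  # changes, aws and gcp are the jobs named in the review finding; their
  # definitions are assumed to exist elsewhere in e2e.yaml and are omitted.
  result:
    needs: [changes, aws, gcp]
    if: always()            # run even when an upstream job failed or was skipped
    runs-on: ubuntu-latest  # assumed runner label
    steps:
      - name: Gate on every upstream job
        env:
          # Pass results in through env vars instead of inlining ${{ }} into the
          # script body; job results are fixed strings, but keeping expressions
          # out of run: avoids expression injection when the pattern is reused
          # with user-controlled values such as PR titles or branch names.
          CHANGES: ${{ needs.changes.result }}
          AWS: ${{ needs.aws.result }}
          GCP: ${{ needs.gcp.result }}
        run: |
          # The changes job must succeed outright. If it fails or is cancelled,
          # aws and gcp are skipped, and "skipped" must not be read as a pass.
          if [ "$CHANGES" != "success" ]; then
            echo "changes job ended with '$CHANGES'"
            exit 1
          fi
          # For the cloud jobs, "skipped" is legitimate (the path filter matched
          # nothing for that cloud); "failure" and "cancelled" are not.
          for pair in "aws=$AWS" "gcp=$GCP"; do
            case "${pair#*=}" in
              success|skipped) ;;
              *)
                echo "${pair%%=*} job ended with '${pair#*=}'"
                exit 1
                ;;
            esac
          done
          echo "E2E OK"
```

With this shape, a green result requires the filter job to have finished successfully, and each cloud job to have either run to success or been deliberately skipped by that filter.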