Copilot AI commented Jan 8, 2026

The installer_release workflow fails when it runs before deploy_release completes, as it attempts to pull container images from AWS ECR that haven't been uploaded yet. Both workflows previously triggered simultaneously on release publication.

Solution Implemented

Implements use of the gh API as suggested by Claude Sonnet.

Also adds "workflow_dispatch:" to installer_release to be able to manually trigger the workflow.

Original prompt

This section details the original issue you should resolve

<issue_title>[GHA] installer_release fails until deploy_release is complete</issue_title>
<issue_description>We have 2 workflows triggered by a new release: deploy_release and installer_release. The latter depends on things uploaded to AWS by the former. We need to update installer_release to depend on deploy_release success. Two approaches:

  • Add a wait job at the start of installer_release (e.g., using lewagon/wait-on-check-action)
  • Change installer_release to
on:
  workflow_run:
    workflows: ["Deploy Update to Live Server"]
    types:
      - completed

and get the version/tag as an output of deploy_release</issue_description>

<agent_instructions>Come up with a plan for both approaches listed in the issue description. Optionally add a third plan if there is another viable approach. Consult with me before implementing any of the 2+ plans.</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Summary by CodeRabbit

  • Chores
    • Updated installer release workflow to support flexible triggering mechanisms, including workflow dispatch and completion events, for improved release automation control.
    • Improved release tag handling through automated fetching and propagation of the latest release tag.
    • Enhanced security configuration by updating allowed endpoints in the release pipeline.

coderabbitai bot commented Jan 8, 2026

Walkthrough

The workflow now triggers after deploy_release completes successfully instead of on release publication. A new step dynamically fetches the release tag from GitHub and passes it downstream. Allowed endpoints expanded to include GitHub and API endpoints for secure external communication.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow Update: .github/workflows/installer_release.yml | Changed trigger from release/published to workflow_run with completion gate; added dynamic release tag fetching via GitHub API; expanded Harden Runner allowed-endpoints to include api.github.com and github.com; propagated tag via job outputs for downstream S3 upload targeting. |

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub
    participant DR as deploy_release<br/>Workflow
    participant IR as installer_release<br/>Workflow
    participant API as GitHub API
    participant S3 as AWS S3

    DR->>S3: Upload assets & binaries
    DR->>GH: Workflow completes
    GH->>IR: Trigger on workflow_run<br/>(if completed successfully)
    IR->>API: Fetch latest release tag
    API-->>IR: Return release tag
    IR->>IR: Build installer with tag
    IR->>S3: Upload to S3 with tag-based path

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A workflow once stood all alone,
Now waits for its friend to be known,
With tags fetched so bright,
The sequence feels right,
Dependencies perfectly sown! 📦✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title refers to triggering installer_release on deploy_release, which is directly related to the main change (switching from release/published trigger to workflow_run trigger). |
| Linked Issues check | ✅ Passed | The PR implements approach 2 from issue #4044 by converting workflow triggers to workflow_run targeting deploy_release and fetching the release tag via gh API. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to the installer_release workflow file and directly address the dependency sequencing requirement from issue #4044; no unrelated modifications detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Copilot AI changed the title [WIP] Update installer_release to depend on deploy_release success Provide solution plans for installer_release workflow dependency on deploy_release Jan 8, 2026
Copilot AI requested a review from imnasnainaec January 8, 2026 15:29
@imnasnainaec

@copilot Proceed with "Approach 2: workflow_run Trigger (Recommended)"

Co-authored-by: imnasnainaec <6411521+imnasnainaec@users.noreply.github.com>

Copilot AI commented Jan 8, 2026

@copilot Proceed with "Approach 2: workflow_run Trigger (Recommended)"

Implemented in commit 16f44ee.

Key changes:

  • installer_release now uses workflow_run trigger to wait for "Deploy Update to Live Server" completion
  • Added output_metadata job to deploy_release for future extensibility
  • Release tag extracted from github.event.workflow_run.head_branch
  • Both workflows include success condition checks to prevent runs on failed deploys

The installer workflow will now only execute after deploy_release completes successfully, ensuring AWS ECR images are available before the installer build begins.

Copilot AI changed the title Provide solution plans for installer_release workflow dependency on deploy_release Implement workflow_run trigger to fix installer_release dependency on deploy_release Jan 8, 2026
@github-actions github-actions bot added the github_actions Pull requests that update GitHub Actions code label Jan 8, 2026
@imnasnainaec imnasnainaec changed the title Implement workflow_run trigger to fix installer_release dependency on deploy_release [gha] Trigger installer_release on deploy_release Jan 8, 2026
@imnasnainaec imnasnainaec marked this pull request as ready for review January 8, 2026 18:43
@imnasnainaec imnasnainaec requested a review from Copilot January 8, 2026 18:43
@imnasnainaec

@coderabbitai review

coderabbitai bot commented Jan 8, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

codecov bot commented Jan 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.57%. Comparing base (31681d1) to head (dc1c2dc).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #4083   +/-   ##
=======================================
  Coverage   74.57%   74.57%           
=======================================
  Files         295      295           
  Lines       10938    10938           
  Branches     1372     1372           
=======================================
  Hits         8157     8157           
  Misses       2385     2385           
  Partials      396      396           
Flag Coverage Δ
backend 85.59% <ø> (ø)
frontend 66.02% <ø> (ø)


Copilot AI left a comment


Pull request overview

This PR modifies the installer_release workflow to execute after the deploy_release workflow completes, rather than both running simultaneously when a release is published. This prevents the installer workflow from attempting to pull container images from AWS ECR before they've been uploaded by the deploy workflow.

Key changes:

  • Changed trigger from release.published to workflow_run that fires when "Deploy Update to Live Server" completes
  • Added workflow_dispatch trigger for manual execution
  • Implemented release tag retrieval via GitHub CLI (gh release view) instead of from the release event context
  • Updated hardened-runner allowed endpoints to include api.github.com for GitHub CLI access


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 31681d1 and dc1c2dc.

📒 Files selected for processing (1)
  • .github/workflows/installer_release.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Agent
  • GitHub Check: docker_build
🔇 Additional comments (7)
.github/workflows/installer_release.yml (7)

4-8: LGTM: Workflow trigger properly sequences execution.

The workflow_run trigger ensures this workflow waits for "Deploy Update to Live Server" to complete, addressing the race condition where ECR images weren't available. The workflow_dispatch addition allows manual testing.


16-16: LGTM: Conditional properly gates execution.

The condition ensures the job only runs on manual dispatch or when the upstream workflow completes successfully, preventing wasted runs when deploy_release fails.


17-18: LGTM: Job outputs properly configured.

The output correctly propagates the release tag to the downstream upload_installer job.


66-66: Correct usage of release tag output.

The reference to steps.release.outputs.tag is syntactically correct. However, verify that the upstream step (lines 57-62) properly handles all edge cases to ensure a valid tag is always provided here.


29-29: LGTM: API endpoint correctly added for gh CLI.

The api.github.com:443 endpoint is required for the new gh release view command in the "Get latest release tag" step.


86-86: LGTM: GitHub endpoint required for artifact download.

The github.com:443 endpoint is required for the actions/download-artifact action to fetch the installer from the previous job.


102-102: LGTM: Correct reference to upstream job output.

The reference to needs.make_installer.outputs.release_tag correctly retrieves the release tag from the dependent job for the S3 upload path.
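
The edge-case concern in the review note on line 66 above (that a valid tag always reaches the S3 upload path) can be handled by validating the tag before it is written to the step output. This is an added example, not code from this PR or from any reviewer; the function names and the tag format (v<major>.<minor>.<patch> with an optional suffix) are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): validate a release tag before exporting it
# as a step output. Function names and the tag format are assumptions.

# Prints the tag and returns 0 if it is safe to use as an output value and
# as an S3 path component; returns 1 otherwise.
validate_release_tag() {
    tag=$1
    # Empty result: no published release, or the API call failed.
    [ -n "$tag" ] || return 1
    # Reject any character outside a conservative set. This also rejects
    # newlines (which would add extra key=value lines to GITHUB_OUTPUT)
    # and '/' (which would change the upload path). Doing this before the
    # grep matters: grep is line-based and would accept a multi-line value
    # whose first line looks valid.
    case $tag in
        *[!0-9A-Za-z.-]*) return 1 ;;
    esac
    # Assumed format: v<major>.<minor>.<patch> with an optional -suffix.
    printf '%s\n' "$tag" |
        grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$' || return 1
    printf '%s\n' "$tag"
}

# Appends tag=<value> to the file named by GITHUB_OUTPUT, failing the step on
# an invalid tag instead of passing an empty or malformed value downstream.
export_release_tag() {
    safe_tag=$(validate_release_tag "$1") || {
        echo "refusing to export invalid release tag" >&2
        return 1
    }
    printf 'tag=%s\n' "$safe_tag" >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
}

# In a workflow step the argument would come from the command the review
# mentions, for example:
#   export_release_tag "$(gh release view --json tagName --jq .tagName)"
```

A branch name such as master fails the format check, so a run that was not started from a release tag stops at this step rather than uploading to an unexpected path.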


@imnasnainaec imnasnainaec left a comment


@imnasnainaec reviewed 1 file and all commit messages.
Reviewable status: 1 of 2 files reviewed, all discussions resolved.


@jasonleenaylor jasonleenaylor left a comment


@jasonleenaylor reviewed 2 files and all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @copilot[bot]).

@imnasnainaec imnasnainaec merged commit d2f2aa3 into master Jan 8, 2026
26 checks passed
@imnasnainaec imnasnainaec deleted the copilot/update-installer-release-workflow branch January 8, 2026 20:06