Add GitHub Actions CI/CD workflows #1
- test.yml: Run tests, lint on feature branches and PRs
- deploy.yml: Build, push, and deploy on main/staging

Migrating from CircleCI to GitHub Actions for CI/CD pipeline.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
💡 Codex Review
Here are some automated review suggestions for this pull request.
| - name: Authenticate to Google Cloud | ||
| uses: google-github-actions/auth@v2 | ||
| with: | ||
| credentials_json: ${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }} |
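Review bot: credentials_json is fed the value of GCLOUD_SERVICE_KEY_BASE64, which by its name holds base64 text, while google-github-actions/auth@v2 expects the literal service-account JSON here; either store the raw JSON in the secret or decode it in a preceding step. Worth asking as well whether a long-lived key needs to live in repository secrets at all: the same action supports keyless authentication via its workload_identity_provider and service_account inputs, which removes the downloadable key from the pipeline entirely and is the lower-risk option for a GKE deploy job.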
Use raw service account JSON instead of base64 in auth
google-github-actions/auth@v2 requires credentials_json to be the literal service account JSON, but the workflow passes the base64-encoded key (GCLOUD_SERVICE_KEY_BASE64). That string is not valid JSON, so the auth step fails before any gcloud commands run, aborting both the build-and-push and deploy jobs. The secret needs to be decoded or stored as raw JSON for authentication to succeed.
Important
Looks good to me! 👍
Reviewed everything up to 7600725 in 2 minutes and 42 seconds.
- Reviewed 193 lines of code in 2 files
- Skipped 0 files when reviewing
- Skipped posting 5 draft comments. View those below.
1. .github/workflows/deploy.yml:25
   - Draft comment: Consider using a current Node.js LTS version (e.g. 16 or 18) instead of 14.15.3 to avoid potential EOL issues.
   - Reason this comment was not posted: Confidence changes required: 33% <= threshold 50%
2. .github/workflows/deploy.yml:126
   - Draft comment: Consider using input redirection with 'envsubst < kubernetes/frontend.yml' instead of 'cat kubernetes/frontend.yml | envsubst' for clarity.
   - Reason this comment was not posted: Confidence changes required: 33% <= threshold 50%
3. .github/workflows/deploy.yml:87
   - Draft comment: Ensure that secrets passed as build-args (e.g. MAPBOX_KEY) are not inadvertently exposed in the final image layers or build logs; consider using Docker best practices for secret management.
   - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50% The comment starts with "Ensure that..." which is a red flag according to the rules - comments that ask the PR author to verify, ensure, or double-check things are not useful. The comment is also speculative in nature - it says "consider using Docker best practices" without pointing to a specific problem or providing a concrete solution. It doesn't definitively state that there IS a problem, just that there COULD be one. The comment doesn't provide actionable guidance on what specifically to change. While secret management is important, this comment is more of a general security reminder rather than identifying a specific issue with the code. However, passing secrets as build-args is actually a known Docker anti-pattern that can expose secrets in image layers and build history. This could be a legitimate security concern that warrants a code change to use Docker secrets or BuildKit secret mounts instead. While the security concern is valid in principle, the comment violates the rule about not asking the author to "ensure" things. It's also not actionable - it doesn't say "change this to use BuildKit secrets" but rather "consider using best practices." Without seeing the Dockerfile or knowing how these build args are used, we can't definitively say there's a problem. The comment is speculative and advisory rather than pointing to a concrete issue. This comment should be deleted because it starts with "Ensure that..." which explicitly violates the rules, and it's speculative/advisory rather than identifying a definite problem requiring a code change. It asks the author to verify something rather than providing clear, actionable guidance.
4. .github/workflows/deploy.yml:72
   - Draft comment: Verify that GCLOUD_SERVICE_KEY_BASE64 is provided in the correct JSON format; if it's base64 encoded, ensure it is decoded as needed by the Google auth action.
   - Reason this comment was not posted: Confidence changes required: 33% <= threshold 50%
5. .github/workflows/test.yml:25
   - Draft comment: Consider upgrading to a current Node.js LTS version (e.g. 16 or 18) as Node 14.15.3 may soon reach end-of-life.
   - Reason this comment was not posted: Confidence changes required: 33% <= threshold 50%
Workflow ID: wflow_6TGOWvfZhc6bpaGw
Pull request overview
This PR migrates CI/CD from CircleCI to GitHub Actions, introducing two new workflow files for automated testing and deployment. The workflows maintain the existing branching strategy where feature branches and PRs run tests only, while staging and main branches trigger full deployment pipelines to GKE.
Key Changes:
- Adds test.yml workflow for automated testing and linting on feature branches and pull requests
- Adds deploy.yml workflow for building Docker images, pushing to GCR, and deploying to GKE on main/staging branches
- Maintains environment-specific configurations (production vs staging) with appropriate build arguments and Google Analytics IDs
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/test.yml | Defines test workflow that runs ESLint, Jest tests, and uploads coverage to Coveralls for non-deployment branches |
| .github/workflows/deploy.yml | Defines deployment workflow with test, build-and-push, and deploy jobs for main/staging branches, including GKE deployment |
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '14.15.3' |
Node.js version 14.15.3 reached end of life in April 2023 and no longer receives security updates. Consider upgrading to a supported LTS version (e.g., Node.js 18 or 20) to ensure security patches and compatibility with modern dependencies.
| node-version: '14.15.3' | |
| node-version: '18.x' |
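Review bot: the suggested '18.x' re-creates the problem it is meant to fix, since Node.js 18 itself reached end of life in April 2025 and no longer receives security updates; pin '20.x' (or whatever the current LTS is at merge time). Because test.yml and deploy.yml both carry their own pinned version, consider committing a single .nvmrc and reading it through setup-node's node-version-file input so the two workflows cannot drift apart on the next upgrade.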
| FRONTEND_IMAGE_TAG: ${{ needs.build-and-push.outputs.image-tag }} | ||
| GOOGLE_PROJECT_ID: ${{ env.GOOGLE_PROJECT_ID }} | ||
| run: | | ||
| cat kubernetes/frontend.yml | envsubst | kubectl apply -n ${{ needs.build-and-push.outputs.namespace }} -f - |
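Review bot: envsubst is called with no argument, so it substitutes every $NAME it finds in kubernetes/frontend.yml, not only FRONTEND_IMAGE_TAG and GOOGLE_PROJECT_ID; any literal dollar sign in the manifest (a shell snippet in a container command, for instance) gets rewritten silently, and an unset variable is replaced by an empty string rather than failing the step. Pass the explicit list, `envsubst '$FRONTEND_IMAGE_TAG $GOOGLE_PROJECT_ID'`, and fail fast if either is empty. The namespace is also spliced into the shell text with `${{ needs.build-and-push.outputs.namespace }}`; pass it through `env:` like the two variables above and reference it as `"$NAMESPACE"` so the value is never re-parsed by the shell.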
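To make the envsubst behaviour concrete, here is an added POSIX shell example; it is not code from the PR or its repository. The manifest fragment is constructed for the example (the real kubernetes/frontend.yml is not shown on this page) and deliberately contains a literal $HOME inside a container command. It renders the fragment the way the deploy step does and with an explicit variable list, and adds a guard that refuses to render when a required variable is unset. The function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the PR: why envsubst should get an explicit variable list
# when rendering a Kubernetes manifest. The manifest fragment below is constructed
# for this example; the real kubernetes/frontend.yml is not shown in the PR.

FRONTEND_IMAGE_TAG="v1.2.3"          # constructed sample value
GOOGLE_PROJECT_ID="example-project"  # constructed sample value
export FRONTEND_IMAGE_TAG GOOGLE_PROJECT_ID

# Constructed fragment: it contains a literal $HOME inside the container command,
# which must reach the cluster untouched.
MANIFEST='image: gcr.io/$GOOGLE_PROJECT_ID/frontend:$FRONTEND_IMAGE_TAG
command: ["sh", "-c", "echo $HOME"]'

# As in the PR: no argument, so envsubst rewrites every $NAME it finds,
# including $HOME (to the runner's HOME, or to nothing if it is unset).
render_unrestricted() {
  printf '%s\n' "$MANIFEST" | envsubst
}

# Safer: only the listed variables are substituted; $HOME survives.
render_restricted() {
  printf '%s\n' "$MANIFEST" | envsubst '$FRONTEND_IMAGE_TAG $GOOGLE_PROJECT_ID'
}

# Guard: fail the deploy step instead of applying a manifest with an empty image
# tag or project id when a required variable is missing.
check_required() {
  for v in FRONTEND_IMAGE_TAG GOOGLE_PROJECT_ID; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "required variable $v is unset" >&2
      return 1
    fi
  done
  return 0
}

# Stand-alone demo (skipped when envsubst is not installed).
if command -v envsubst >/dev/null 2>&1; then
  check_required
  echo "--- unrestricted ---"; render_unrestricted
  echo "--- restricted ---";   render_restricted
fi
```

In the workflow this becomes `check_required && envsubst '$FRONTEND_IMAGE_TAG $GOOGLE_PROJECT_ID' < kubernetes/frontend.yml | kubectl apply -n "$NAMESPACE" -f -`, with NAMESPACE supplied through `env:` rather than interpolated into the script.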
The envsubst command is used but the required gettext-base package is not installed. Add a step before deployment to install it:
      - name: Install envsubst
        run: sudo apt-get update && sudo apt-get install -y gettext-base
| - name: Authenticate to Google Cloud | ||
| uses: google-github-actions/auth@v2 | ||
| with: | ||
| credentials_json: ${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }} |
The credentials_json parameter expects JSON format, but the secret name GCLOUD_SERVICE_KEY_BASE64 suggests it contains base64-encoded data. If the secret is base64-encoded (as used in CircleCI with base64 -d), authentication will fail. Either:
- Store the service key JSON directly in the secret (recommended for GitHub Actions), or
- Decode it first: add a step to decode and write to a file, then use the credentials_file parameter instead
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }} | |
| - name: Decode Google Cloud service account key | |
| run: | | |
| echo "${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }}" | base64 -d > gcloud-key.json | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_file: gcloud-key.json |
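Review bot: the proposed decode step splices the secret into the shell script with `${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }}` and writes gcloud-key.json into the repository checkout, where a later Docker build context or upload-artifact step can pick it up. Pass the secret through `env:` and reference it as a shell variable, write the decoded file under `$RUNNER_TEMP` (or remove it in a final `if: always()` step), and keep it at mode 0600. Also check the action's documented inputs before relying on credentials_file: the documented way to hand auth@v2 a key is credentials_json (the action writes its own credentials file from that value), so the decoded content can simply be passed there if no credentials_file input exists.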
| - name: Authenticate to Google Cloud | ||
| uses: google-github-actions/auth@v2 | ||
| with: | ||
| credentials_json: ${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }} | ||
|
|
The credentials_json parameter expects JSON format, but the secret name GCLOUD_SERVICE_KEY_BASE64 suggests it contains base64-encoded data. If the secret is base64-encoded (as used in CircleCI with base64 -d), authentication will fail. Either:
- Store the service key JSON directly in the secret (recommended for GitHub Actions), or
- Decode it first: add a step to decode and write to a file, then use the credentials_file parameter instead
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }} | |
| - name: Decode Google Cloud credentials | |
| run: | | |
| echo "${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }}" | base64 -d > gcloud-key.json | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_file: gcloud-key.json |
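Both Copilot comments above (this one and the identical one on the earlier Authenticate step) propose decoding the base64 secret into a file before the auth step. The following POSIX shell script is an added example, not code from the PR or from the google-github-actions/auth project. It accepts either raw JSON or base64-encoded JSON, so the step keeps working if the secret is later stored as raw JSON as the first bullet recommends; it sanity-checks the result before use; and it writes the key with mode 0600 into a fresh directory under $RUNNER_TEMP rather than into the checkout. The function names, the SA_KEY_INPUT variable and the /tmp fallback are assumptions for this example, and GNU base64 -d (as on ubuntu-latest) is assumed.

```shell
#!/bin/sh
# Added example, not from the PR or the google-github-actions/auth project.
# Normalises a service-account secret that may be raw JSON or base64(JSON),
# sanity-checks it, and writes it to a private temp file outside the checkout.
# Assumes GNU coreutils base64 (-d), as on the ubuntu-latest runner.

# Print the raw JSON on stdout. Accepts raw JSON or base64-encoded JSON; returns 1 otherwise.
normalize_sa_key() {
  input="$1"
  case "$input" in
    '{'*) printf '%s' "$input"; return 0 ;;
  esac
  decoded=$(printf '%s' "$input" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in
    '{'*) printf '%s' "$decoded"; return 0 ;;
    *) return 1 ;;
  esac
}

# Minimal shape check without jq: must declare type service_account and carry a private_key.
looks_like_sa_key() {
  case "$1" in
    *'"type"'*'"service_account"'*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *'"private_key"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the key into a fresh 0700 directory under RUNNER_TEMP (assumed; /tmp as fallback)
# as a 0600 file, and print the file path. Nothing is written into the repository checkout.
write_key_file() {
  dir=$(mktemp -d "${RUNNER_TEMP:-/tmp}/sakey.XXXXXX") || return 1
  ( umask 077 && printf '%s' "$1" > "$dir/key.json" ) || return 1
  printf '%s' "$dir/key.json"
}

# Stand-alone use: SA_KEY_INPUT (assumed name) carries the secret, passed in via env:,
# not spliced into the script with ${{ }}.
if [ -n "${SA_KEY_INPUT:-}" ]; then
  key=$(normalize_sa_key "$SA_KEY_INPUT") || { echo "secret is neither JSON nor base64(JSON)" >&2; exit 1; }
  looks_like_sa_key "$key" || { echo "secret does not look like a service-account key" >&2; exit 1; }
  path=$(write_key_file "$key") || exit 1
  echo "credentials written to $path"
fi
```

In a workflow step, set `SA_KEY_INPUT: ${{ secrets.GCLOUD_SERVICE_KEY_BASE64 }}` under `env:` and run the script from `run:`, then hand the printed path to the auth step and delete the temporary directory in a final `if: always()` step so the key does not outlive the job.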
| name: Test | ||
|
|
||
| on: | ||
| push: | ||
| branches-ignore: | ||
| - main | ||
| - staging | ||
| - develop | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| - staging | ||
| - develop | ||
|
|
||
| jobs: | ||
| test: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '14.15.3' | ||
| cache: 'yarn' | ||
|
|
||
| - name: Install dependencies | ||
| run: yarn install --frozen-lockfile | ||
|
|
||
| - name: ESLint | ||
| run: yarn lint | ||
|
|
||
| - name: Run tests | ||
| run: yarn test:ci | ||
| env: | ||
| JEST_JUNIT_OUTPUT_DIR: ./reports/ | ||
|
|
||
| - name: Upload test results | ||
| uses: actions/upload-artifact@v4 | ||
| if: always() | ||
| with: | ||
| name: test-results | ||
| path: ./reports/ | ||
|
|
||
| - name: Coveralls | ||
| env: | ||
| COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }} | ||
| run: yarn coveralls | ||
| continue-on-error: true |
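Review bot: the workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository default scope even though these steps only need to read the checkout; add `permissions: contents: read` at the workflow level. Separately, `branches-ignore` excludes develop from the push trigger while the PR description says deploy.yml only covers main and staging, so a direct push to develop runs neither workflow; drop develop from the ignore list unless that gap is intended. Note too that COVERALLS_REPO_TOKEN is not exposed to pull_request runs from forks, which is what `continue-on-error: true` papers over; that keeps fork PRs green, but it also hides genuine coverage-upload failures on trusted branches.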
The CircleCI configuration includes integration tests (integration-test-non-interactive and integration-test-interactive jobs) that are not present in this GitHub Actions workflow. These integration tests use Cypress to test the application end-to-end with a backend, database, and Elasticsearch. Consider adding a similar integration test job to maintain test coverage parity with the previous CI setup.
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '14.15.3' |
Node.js version 14.15.3 reached end of life in April 2023 and no longer receives security updates. Consider upgrading to a supported LTS version (e.g., Node.js 18 or 20) to ensure security patches and compatibility with modern dependencies.
| node-version: '14.15.3' | |
| node-version: '18.x' |
Summary
- test.yml workflow for running tests and linting on feature branches and PRs
- deploy.yml workflow for building, pushing Docker images, and deploying to GKE on main/staging branches

Environment Variables
All required secrets have been configured in the repository settings:
- GCLOUD_SERVICE_KEY_BASE64
- DJANGO_SECRET_KEY
- MAPBOX_KEY
- GA_MEASUREMENT_ID
- GA_STAGING_MEASUREMENT_ID

Test plan
🤖 Generated with Claude Code
Important
Migrates CI/CD from CircleCI to GitHub Actions, adding workflows for testing and deployment with environment variable configuration.
- test.yml for tests and linting on feature branches and PRs.
- deploy.yml for Docker image building and GKE deployment on main/staging branches.
- GCLOUD_SERVICE_KEY_BASE64, DJANGO_SECRET_KEY, MAPBOX_KEY, GA_MEASUREMENT_ID, GA_STAGING_MEASUREMENT_ID.
- test.yml: Runs ESLint and tests, uploads results, and reports to Coveralls.
- deploy.yml: Builds Docker images, pushes to GCR, and deploys to GKE, verifying deployment status.

This description was created by [bot name not captured] for 7600725.