fix(frontend): correct GitHub callback path and add production ConfigMap patch

[jsell-rh]

Summary

Follow-up to #1441. Two things that didn't make it into the squash merge:

• Callback path fix: Update fallback from /integrations/github/setup to /api/auth/github/user/callback (confirmed by team as the correct path for all clusters)
• Production overlay patch: Add kustomize JSON patch that injects GITHUB_CALLBACK_URL from a per-cluster frontend-config ConfigMap

Per-cluster setup after deploy

# UAT
oc create configmap frontend-config \
  --from-literal=github-callback-url=https://ambient-code.apps.rosa.vteam-uat.0ksl.p3.openshiftapps.com/api/auth/github/user/callback \
  -n ambient-code

# Stage
oc create configmap frontend-config \
  --from-literal=github-callback-url=https://ambient-code.apps.rosa.vteam-stage.7fpc.p3.openshiftapps.com/api/auth/github/user/callback \
  -n ambient-code

Then oc rollout restart deployment/frontend -n ambient-code on each.

Test plan

• Verify GitHub App install redirects back to correct cluster on UAT
• Verify GitHub App install redirects back to correct cluster on stage
• Verify fallback works when frontend-config ConfigMap is not present

🤖 Generated with Claude Code

Summary by CodeRabbit

• Configuration Updates

  • Updated GitHub OAuth callback URL endpoint configuration for frontend deployments across staging and production environments.
  • Callback URL now defaults to the API authentication endpoint instead of the integrations setup route.

• Documentation

  • Updated configuration documentation to reflect the new default GitHub callback URL path and deployment setup instructions.

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 canceled.

Name	Link
🔨 Latest commit	68814b8
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ea7cd4af0b270008e14ae9

[coderabbitai]

📝 Walkthrough

Walkthrough

Changes introduce a GITHUB_CALLBACK_URL environment variable across CI/CD workflows (staging and production) for frontend deployments. Corresponding updates to frontend code and documentation reflect the new callback endpoint path from /integrations/github/setup to /api/auth/github/user/callback.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Configuration .github/workflows/components-build-deploy.yml, .github/workflows/prod-release-deploy.yaml	Adds GITHUB_CALLBACK_URL environment variable to frontend deployment in build/deploy (staging) and prod release workflows, pointing to the API auth callback endpoint.
Frontend Documentation & Component components/frontend/README.md, components/frontend/src/components/github-connection-card.tsx	Updates default GitHub OAuth callback fallback path from integrations setup route to API callback route (/api/auth/github/user/callback); adds configuration guidance for per-cluster setup via oc set env.

🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title follows Conventional Commits format (fix(frontend): ...) and accurately describes the main changes: correcting GitHub callback path and adding production ConfigMap patch.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity	✅ Passed	PR is a configuration and documentation update with minimal code changes. Frontend modification is a single-line fallback URL change with no algorithmic complexity or performance regressions.
Security And Secret Handling	✅ Passed	PR is secure: no hardcoded secrets exposed, proper OAuth state validation and authorization checks implemented, callback URL properly encoded, no sensitive data in logs, no K8s Secrets modified.
Kubernetes Resource Safety	✅ Passed	PR makes no changes to Kubernetes resource definitions or manifests. Only updates environment variables on existing deployments via oc set env, modifies frontend component code, and updates documentation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/components-build-deploy.yml (1)

403-403: Stage callback URL duplicated across two jobs.

Both deploy-to-openshift and deploy-with-disptach hardcode the same stage GITHUB_CALLBACK_URL. Fine for now, but any future URL change means editing two spots — consider sourcing from a repo/environment variable (e.g., vars.GITHUB_CALLBACK_URL_STAGE) to keep them in lockstep.

Also applies to: 481-481

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/components-build-deploy.yml at line 403, The same
hardcoded GITHUB_CALLBACK_URL value is duplicated in the deploy-to-openshift and
deploy-with-dispatch jobs; define a single canonical variable (e.g.,
vars.GITHUB_CALLBACK_URL_STAGE) at the workflow level (or top-level env) and
replace the inline hardcoded GITHUB_CALLBACK_URL assignments in both jobs with a
reference to that variable (use the workflow expression syntax to read
vars.GITHUB_CALLBACK_URL_STAGE), so deploy-to-openshift and deploy-with-dispatch
both consume the single source of truth.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/components-build-deploy.yml:
- Line 403: The same hardcoded GITHUB_CALLBACK_URL value is duplicated in the
deploy-to-openshift and deploy-with-dispatch jobs; define a single canonical
variable (e.g., vars.GITHUB_CALLBACK_URL_STAGE) at the workflow level (or
top-level env) and replace the inline hardcoded GITHUB_CALLBACK_URL assignments
in both jobs with a reference to that variable (use the workflow expression
syntax to read vars.GITHUB_CALLBACK_URL_STAGE), so deploy-to-openshift and
deploy-with-dispatch both consume the single source of truth.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 67715694-93ab-4d44-a17c-2dda5f752067

📥 Commits

Reviewing files that changed from the base of the PR and between 9e787d2 and 68814b8.

📒 Files selected for processing (4)

• .github/workflows/components-build-deploy.yml
• .github/workflows/prod-release-deploy.yaml
• components/frontend/README.md
• components/frontend/src/components/github-connection-card.tsx

[markturansky]

LGTM