Added monthly scheduling and automation of container image tag

[aayushchouhan09]

Explain the changes

1. Automation: Replaced manual trigger with monthly cron schedule (0 0 1 * *) and auto-generated master-YYYYMMDD tags using $(date +%Y%m%d).
2. Cleanup: Added if: always() cleanup step that automatically removes orphaned branch if PR merge fails.
3. Updated the gh token : GHACTIOIN_TOKEN_PR_PERMS

Issues: Fixed #xxx / Gap #xxx

1. Fixed (GAP): Added github workflow to automatic update noobaa-core image tag #1642

Testing Instructions:

1. We can manually trigger workflow to update noobaa-core image tag.

Summary by CodeRabbit

• Chores
  • Automated generation of container image tags (no manual input required); tags use the previous day's date to ensure availability.
  • Workflow now runs monthly on the first day and can still be triggered manually.
  • Pull requests, branch names and commit messages use the generated tag.
  • Added automatic cleanup to remove temporary branches if the workflow fails.

[coderabbitai]

Walkthrough

Workflow updated to auto-generate a container image tag using yesterday’s date, remove the manual tag input, add a monthly cron trigger, change the token secret, update branch/commit/PR references to the generated tag, and add an always-run cleanup step to delete the remote branch on failure.

Changes

Cohort / File(s)

Change Summary

Workflow — update-noobaa-core-tag .github/workflows/update-noobaa-core-tag.yml

Added monthly cron trigger while retaining manual dispatch; removed manual container_image_tag input; added step to generate tag as master-YYYYMMDD (yesterday); switched token from GHACTION_TOKEN_WRITE to GHACTION_TOKEN_PR_PERMS; updated git branch naming, commit messages, push commands, and PR title/body/head to use generated tag; added Cleanup branch on failure step that always runs to delete the remote branch if present.

Sequence Diagram(s)

sequenceDiagram
    participant Scheduler as GitHub Scheduler
    participant Workflow as update-noobaa-core-tag.yml
    participant Repo as Git Repository
    Scheduler->>Workflow: Trigger (monthly cron) / Manual dispatch
    Workflow->>Workflow: Generate tag "master-YYYYMMDD" (yesterday) -> output container_image_tag
    Workflow->>Repo: Create branch "update-core-tag-<container_image_tag>"
    Workflow->>Repo: Commit & push changes using generated tag (uses GHACTION_TOKEN_PR_PERMS)
    Workflow->>Repo: Create PR referencing generated tag (title/body/head use generated tag)
    alt Always
        Workflow->>Repo: On failure or completion - Cleanup: delete remote branch if exists
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15 minutes

Possibly related PRs

• Added github workflow to automatic update noobaa-core image tag #1642: Modified the same workflow to add a manual-trigger input for container_image_tag; closely related due to overlapping workflow changes.

Suggested reviewers

• tangledbytes
• liranmauda
• dannyzaken
• Neon-White

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (1)

.github/workflows/update-noobaa-core-tag.yml (1)

41-47: Workflow continues after self-cancellation

After invoking gh run cancel, the script proceeds to later steps. Add an explicit exit to prevent wasted minutes and side-effects.

-            gh run cancel ${{ github.run_id }}
+            gh run cancel ${{ github.run_id }}
+            echo "Run canceled – exiting"
+            exit 0

🧹 Nitpick comments (2)

.github/workflows/update-noobaa-core-tag.yml (2)

4-6: Specify timezone for deterministic scheduling

GitHub Actions cron schedules run in UTC by default. If “midnight on the first day of each month” is intended for a specific timezone (e.g., IST, PST), add timezone: under schedule: to avoid accidental day-shifts.

Example:

on:
  schedule:
    - cron: '0 0 1 * *'
      timezone: 'Asia/Kolkata'

---

53-57: Handle existing branch gracefully

git checkout -b fails if the branch already exists (e.g., re-run on the same day). Use -B (force) or fallback logic to reuse the branch.

-          git checkout -b update-core-tag-${{ steps.generate_tag.outputs.container_image_tag }}
+          git checkout -B update-core-tag-${{ steps.generate_tag.outputs.container_image_tag }}

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5488c39 and 54ff6ee.

📒 Files selected for processing (1)

• .github/workflows/update-noobaa-core-tag.yml (4 hunks)

[Neon-White]

Looks good ✨

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (1)

.github/workflows/update-noobaa-core-tag.yml (1)

41-47: No-op cancellation: the job continues after gh run cancel

Calling gh run cancel does not terminate the current job immediately; subsequent steps may still execute. Explicitly exit to prevent commits/PRs when no changes are detected.

       if git diff --quiet pkg/options/options.go; then
         echo "Noobaa Core image tag is already up to date"
         echo "No changes needed - canceling workflow"
         gh run cancel ${{ github.run_id }}
+        # Ensure the job stops here to avoid creating branches/PRs
+        exit 0
       fi

♻️ Duplicate comments (1)

.github/workflows/update-noobaa-core-tag.yml (1)

37-37: Critical: Expression is not interpolated due to single-quoted YAML string

Inside single quotes, GitHub does not evaluate ${{ … }} expressions. The literal text will be written into options.go. Switch to double quotes and escape inner quotes.

-          replace: 'ContainerImageTag = "${{ steps.generate_tag.outputs.container_image_tag }}"'
+          replace: "ContainerImageTag = \"${{ steps.generate_tag.outputs.container_image_tag }}\""

🧹 Nitpick comments (2)

.github/workflows/update-noobaa-core-tag.yml (2)

69-79: Consider avoiding --admin and add a safety timeout for checks

--admin requires elevated privileges; if not strictly needed, omit it. Also, gh pr checks --watch can hang on stuck checks; consider adding a loop with a max wait or using --interval/--fail-fast if available in your gh version.

-          gh pr checks "${{ steps.create_pr.outputs.pr_url }}" --watch
+          gh pr checks "${{ steps.create_pr.outputs.pr_url }}" --watch
           echo "Rebasing and merging PR..."
-          gh pr merge "${{ steps.create_pr.outputs.pr_url }}" --rebase --admin --delete-branch
+          gh pr merge "${{ steps.create_pr.outputs.pr_url }}" --rebase --delete-branch

---

26-32: Nit: Make timezone explicit to avoid edge cases

Runners are UTC, but being explicit helps future-proofing and manual runs.

-          tag="master-$(date -d 'yesterday' +%Y%m%d)" # using yesterday's date to ensure the image is available
+          TZ=UTC
+          tag="master-$(date -d 'yesterday' +%Y%m%d)" # using yesterday's date (UTC) to ensure the image is available

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a67846b and 9a10d40.

📒 Files selected for processing (1)

• .github/workflows/update-noobaa-core-tag.yml (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-azure-vault-test
• GitHub Check: run-kms-dev-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-cli-tests
• GitHub Check: run-hac-test
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-operator-tests
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-admission-test
• GitHub Check: golangci-lint

🔇 Additional comments (3)

.github/workflows/update-noobaa-core-tag.yml (3)

26-32: LGTM: Deterministic tag generation using yesterday’s date

Using master-$(date -d 'yesterday' +%Y%m%d) reduces flakiness when images lag publication.

---

4-6: LGTM: Monthly schedule trigger is appropriate

The cron trigger aligns with the monthly refresh goal and removes manual overhead.

---

17-19: Avoid overriding GITHUB_TOKEN; inject your PAT into GH_TOKEN instead
Overriding GITHUB_TOKEN replaces the job-scoped token (contents: write, pull-requests: write, actions: write) used by checkout and other actions. By moving your PAT to GH_TOKEN, you preserve the default GITHUB_TOKEN for built-in permissions.

• File: .github/workflows/update-noobaa-core-tag.yml
• Location: job-level env block

-    env:
-      GITHUB_TOKEN: ${{ secrets.GHACTION_TOKEN_PR_PERMS }}
+    env:
+      GH_TOKEN: ${{ secrets.GHACTION_TOKEN_PR_PERMS }}

• We haven’t overridden persist-credentials, so checkout will continue using the default GITHUB_TOKEN once the override is removed.

Action items:

• Verify that secrets.GHACTION_TOKEN_PR_PERMS has at least repo and workflow scopes (needed if you ever run gh CLI commands).
• Confirm that commits/pushes still succeed via the default runner-provided GITHUB_TOKEN.

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (1)

.github/workflows/update-noobaa-core-tag.yml (1)

69-79: Remove --admin to respect branch protection rules

The --admin flag in gh pr merge can bypass branch protection requirements unless your protection rules explicitly apply to admins. Since this workflow already waits for all checks, it’s safer to remove --admin and rely on standard merges.

Files to update:

• .github/workflows/update-noobaa-core-tag.yml (around lines 69–79)

Suggested diff:

-          echo "Rebasing and merging PR..."
-          gh pr merge "${{ steps.create_pr.outputs.pr_url }}" --rebase --admin --delete-branch
+          echo "Merging PR after checks pass..."
+          gh pr merge "${{ steps.create_pr.outputs.pr_url }}" --rebase --delete-branch

Action items:

• Remove the --admin flag to prevent unintended bypass of protections.
• Confirm whether your org’s branch protection settings already enforce rules for admins.
• If your policy discourages rebasing, consider switching to --merge instead of --rebase.

♻️ Duplicate comments (3)

.github/workflows/update-noobaa-core-tag.yml (3)

36-38: Fix string interpolation in replace input (use double-quoted YAML string)

Single-quoted YAML may pass the literal text without evaluating the expression. Use double quotes so ${{ ... }} is interpolated at runtime, and escape the inner quotes.

Apply this diff:

-          replace: 'ContainerImageTag = "${{ steps.generate_tag.outputs.container_image_tag }}"'
+          replace: "ContainerImageTag = \"${{ steps.generate_tag.outputs.container_image_tag }}\""

---

61-66: Make PR creation idempotent (avoid failure when PR already exists)

gh pr create fails if a PR for the head branch already exists, causing an unnecessary job failure and cleanup. Use a view-or-create flow.

Apply this diff:

-          PR_URL=$(gh pr create \
-            --title "Update ContainerImageTag to ${{ steps.generate_tag.outputs.container_image_tag }}" \
-            --body "Automated update of ContainerImageTag to ${{ steps.generate_tag.outputs.container_image_tag }} in options.go" \
-            --head update-core-tag-${{ steps.generate_tag.outputs.container_image_tag }} \
-            --base master)
+          set -e
+          HEAD_BRANCH="update-core-tag-${{ steps.generate_tag.outputs.container_image_tag }}"
+          PR_URL=$(gh pr view --head "$HEAD_BRANCH" --json url -q .url 2>/dev/null || true)
+          if [ -z "$PR_URL" ]; then
+            PR_URL=$(gh pr create \
+              --title "Update ContainerImageTag to ${{ steps.generate_tag.outputs.container_image_tag }}" \
+              --body "Automated update of ContainerImageTag to ${{ steps.generate_tag.outputs.container_image_tag }} in options.go" \
+              --head "$HEAD_BRANCH" \
+              --base master)
+          fi

---

81-88: Scope cleanup to failures and skip deletion when a PR exists

always() risks deleting a branch even on success or when PR already exists (e.g., create step failed due to “PR exists”). Restrict to failure() and guard on PR existence.

Apply this diff:

-      - name: Cleanup branch on failure
-        if: always()
+      - name: Cleanup branch on failure
+        if: failure()
         run: |
           branch_name="update-core-tag-${{ steps.generate_tag.outputs.container_image_tag }}"
-          if git ls-remote --heads origin "$branch_name" | grep -q "$branch_name"; then
-            echo "Branch $branch_name still exists, deleting..."
-            git push origin --delete "$branch_name"
-          fi
+          if gh pr view --head "$branch_name" >/dev/null 2>&1; then
+            echo "PR exists for $branch_name; skipping deletion."
+            exit 0
+          fi
+          if git ls-remote --heads origin "$branch_name" | grep -q "$branch_name"; then
+            echo "Branch $branch_name still exists, deleting..."
+            git push origin --delete "$branch_name" || true
+          fi

🧹 Nitpick comments (5)

.github/workflows/update-noobaa-core-tag.yml (5)

41-47: Short-circuit the job after “no changes” and make cancel robust

If gh run cancel fails (token/perm), the job continues. Also, explicitly exit to avoid racing on cancellation.

Apply this diff:

           if git diff --quiet pkg/options/options.go; then
             echo "Noobaa Core image tag is already up to date"
             echo "No changes needed - canceling workflow"
-            gh run cancel ${{ github.run_id }}
+            gh run cancel ${{ github.run_id }} || echo "Warning: failed to cancel run (insufficient permissions?)"
+            echo "Exiting job cleanly."
+            exit 0
           fi

---

18-18: Verify secret scope; consider avoiding long-lived PAT if possible

You’re overriding GITHUB_TOKEN with secrets.GHACTION_TOKEN_PR_PERMS for the entire job. Ensure it has only the minimum scopes needed (repo, pull_request; avoid admin:org, workflow unless required). If you drop --admin, you can likely switch to the built-in GITHUB_TOKEN with explicit permissions block and remove the custom PAT, reducing risk.

Would you like a follow-up patch that removes the PAT and relies on GITHUB_TOKEN safely?

---

26-31: Date offset: confirm that “yesterday” aligns with available images on schedule and manual runs

Using date -d 'yesterday' is fine on ubuntu-latest, but:

• On the monthly schedule at 00:00 UTC on the 1st, this targets the last day of the previous month—confirm that’s the intended image.
• On manual runs, “yesterday” depends on when someone runs it; consider parameterizing the offset for workflow_dispatch.

If you want deterministic monthly behavior while allowing overrides on manual runs, I can propose a flag for “days_offset” with a default of 1.

---

33-40: Constrain the regex to reduce accidental matches

The find: 'ContainerImageTag = "[^"]*"' will match any similar assignment in the file. If options.go ever grows, anchor the match to the exact line to avoid unintended replacements.

Example tighter pattern (if the line starts exactly with the field):

• Use start-of-line anchor and optional whitespace:
  find: '^\sContainerImageTag = "[^"]"'
  Note: The action supports regex: true; ensure it is multiline-aware (it is by default).

---

8-12: Permissions: actions: write likely unnecessary

You request actions: write, but this job doesn’t modify workflow files or dispatch other workflows. Drop it unless you need it, tightening least-privilege.

Proposed change outside this hunk:

• Remove the actions: write line from permissions if not strictly required.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9a10d40 and c9ed6a2.

📒 Files selected for processing (1)

• .github/workflows/update-noobaa-core-tag.yml (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-cli-tests
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-kms-dev-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-operator-tests
• GitHub Check: run-core-config-map-tests
• GitHub Check: golangci-lint
• GitHub Check: run-hac-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-azure-vault-test