Merged
7 changes: 3 additions & 4 deletions .github/workflows/build-and-release.yml
Expand Up @@ -53,8 +53,7 @@ jobs:

upload-artifacts-to-s3:
needs: build-artifacts
# Upload only on PR merge
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
environment: release
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Read the workflow file to understand context
cat -n .github/workflows/build-and-release.yml

Repository: DeterminateSystems/flake-iter

Length of output: 2783


🏁 Script executed:

# Check for environment configuration files
find .github -name "*environment*" -o -name "*release*" 2>/dev/null | head -20
ls -la .github/ 2>/dev/null

Repository: DeterminateSystems/flake-iter

Length of output: 279


🏁 Script executed:

# Search for references to 'release' environment or environment setup
rg "release.*environment|environment.*release" --type md --type txt --type yml -i
# Check if README mentions environment setup
cat README.md 2>/dev/null | head -100

Repository: DeterminateSystems/flake-iter

Length of output: 1445


Verify the release environment exists and is configured with branch restrictions to main.

This change significantly alters job execution behavior:

  • Previous behavior: Job only ran on push to main (explicit conditional)
  • New behavior: Job attempts to run on all triggers (including PRs, workflow_dispatch) but is gated by the release environment's protection rules

If the release environment doesn't exist, GitHub will automatically create it with no protection rules configured, which means all branches can deploy and uploads could occur from feature branches.

Confirm:

  • The release environment exists and is configured in repository settings
  • It has branch restrictions limited to main
  • The change in PR check behavior (upload job showing as pending) is intentional
🤖 Prompt for AI Agents
.github/workflows/build-and-release.yml around line 56: the job now uses
environment: release which will cause the job to be gated by a GitHub
Environment rather than only running on pushes to main; verify the release
environment exists in repository settings and configure its protection to
restrict deployments to the main branch (add branch protection rules to only
allow main), or if this gating was not intended revert the change to keep the
previous conditional that ran the job only on pushes to main; also confirm the
altered PR check behavior (upload job showing as pending) is intentional with
stakeholders.

runs-on: ubuntu-24.04
permissions:
id-token: write
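Review bot: dropping the `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` guard while keeping `id-token: write` means this job now requests an OIDC token and attempts the upload on every trigger of the workflow, so the `release` environment's deployment branch policy becomes the only control over which refs can assume the S3 upload role. Keep the `if:` alongside `environment: release` so the environment is defense in depth rather than the sole gate, and check that the AWS role's trust policy conditions on the token's `sub` claim (for an environment-scoped job GitHub issues `repo:DeterminateSystems/flake-iter:environment:release`) rather than only on the repository, so a token minted from a feature branch cannot assume the role even if the environment is misconfigured. Also restore a comment explaining the gating, since `# Upload only on PR merge` was removed together with the condition.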
Expand All @@ -70,8 +69,8 @@ jobs:
- name: Upload to S3
uses: DeterminateSystems/push-artifact-ids@main
with:
s3_upload_role: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
bucket: ${{ secrets.AWS_S3_UPLOAD_BUCKET }}
s3_upload_role: ${{ secrets.AWS_S3_UPLOAD_ROLE_ARN }}
bucket: ${{ secrets.AWS_S3_UPLOAD_BUCKET_NAME }}
directory: ./artifacts
ids_project_name: flake-iter
ids_binary_prefix: flake-iter
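Review bot: the secrets referenced on the `s3_upload_role:` and `bucket:` lines are renamed to `AWS_S3_UPLOAD_ROLE_ARN` and `AWS_S3_UPLOAD_BUCKET_NAME`, but nothing in this diff shows the renamed secrets being created, and because the job now runs under `environment: release` they must be visible at that scope (environment or repository secrets). An undefined secret expands to an empty string rather than failing the workflow, so `s3_upload_role:` would be passed empty and the role assumption would fail only at upload time on the main branch; confirm both secrets exist before merging. Separately, `uses: DeterminateSystems/push-artifact-ids@main` pins the action that receives the upload role to a mutable branch; pin it to a commit SHA (with the tag in a trailing comment) so a change to that action's `main` cannot silently alter what runs with `id-token: write`.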