chore(pipelines): improve caching

[patrickleet]

Summary by CodeRabbit

• Chores
  • Updated CI workflow references to use the feat/cache variant instead of previously pinned refs across PR, push, and release flows.
  • Removed explicit AWS secret entries from the end-to-end job configuration.
  • Increased end-to-end job timeouts from 30 to 33 minutes (including cleanup).
  • CI control flow and job steps remain unchanged otherwise.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@patrickleet has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 13 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 745ecf9 and 79e53b0.

📒 Files selected for processing (3)

• .github/workflows/on-pr.yaml
• .github/workflows/on-push-main.yaml
• .github/workflows/on-version-tagged.yaml

📝 Walkthrough

Walkthrough

Updated GitHub Actions workflow job refs from @v2.7.0 to @feat/cache across three workflow files; removed the explicit AWS secrets block from the e2e job in PR and push workflows; increased timeout-minutes and cleanup-timeout-minutes from 30 to 33 for the PR e2e job. (38 words)

Changes

Cohort / File(s)	Summary
PR workflow \.github/workflows/on-pr.yaml	Updated validate, test, e2e, and publish job workflow refs from @v2.7.0 to @feat/cache; removed explicit AWS secrets block from the e2e job; increased timeout-minutes and cleanup-timeout-minutes from 30 to 33.
Push-main workflow \.github/workflows/on-push-main.yaml	Updated validate, test, and e2e job workflow refs from @v2.7.0 to @feat/cache; removed explicit AWS secrets block from the e2e job.
Version-tagged workflow \.github/workflows/on-version-tagged.yaml	Updated publish job workflow ref from @v2.7.0 to @feat/cache.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through YAML, quick and neat,
Swapped refs and trimmed a secrets sheet,
Timers nudged, the jobs now race,
Pipelines hum with lighter pace,
A carrot cheer for CI complete 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(pipelines): improve caching' directly aligns with the changeset, which updates workflow references to a feat/cache branch across all three workflow files to enable caching improvements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Published Crossplane Package

The following Crossplane package was published as part of this PR:

Package: ghcr.io/hops-ops/aws-network:pr-13-472b974d3f901cfc1c2c779afeea9ee1ec972638

View Package

[coderabbitai]

Actionable comments posted: 8

🤖 Fix all issues with AI agents

In @.github/workflows/on-pr.yaml:
- Line 52: The workflow is using a mutable branch ref in the `uses:` line
("uses:
unbounded-tech/workflows-crossplane/.github/workflows/e2e.yaml@feat/cache"),
which risks pulling unreviewed changes; change that ref to a stable tag or
commit SHA (for example replace `@feat/cache` with a release tag like `@v1.2.3`
or a specific commit hash `@<commit-sha>`), and update the workflow to reference
that immutable identifier so the e2e job always runs the pinned version.
- Line 68: The workflow currently references a mutable branch in the reusable
workflow call "uses:
unbounded-tech/workflows-crossplane/.github/workflows/publish.yaml@feat/cache";
change that to a fixed, immutable reference such as a release tag or commit SHA
(for example replace "@feat/cache" with "@v1.0.0" or "@<commit-sha>") so the
publish job uses a stable workflow version; update the reference in the same
"uses:" line and ensure the chosen tag/SHA points to the intended release of the
publish.yaml file.
- Line 30: The workflow currently references a mutable branch ref for the
reusable workflow (uses:
unbounded-tech/workflows-crossplane/.github/workflows/validate.yaml@feat/cache)
in the validate, test, e2e and publish jobs; replace that branch ref with a
stable tag or specific commit SHA across all four jobs (e.g., change @feat/cache
to @v2.8.0 or @<commit-sha>) so the workflow becomes reproducible and immutable.
- Line 49: The workflow is pinning an external reusable workflow to a mutable
branch reference ("uses:
unbounded-tech/workflows-crossplane/.github/workflows/test.yaml@feat/cache");
replace that branch ref with an immutable tag or full commit SHA (for example
change "@feat/cache" to a release tag like "@v1.2.3" or a commit SHA) wherever
this pattern appears (including the validate job and other uses lines) so the
reusable workflow is pinned to a stable, auditable revision.

In @.github/workflows/on-push-main.yaml:
- Line 46: The workflow references an external reusable workflow using a mutable
branch ref
"unbounded-tech/workflows-crossplane/.github/workflows/test.yaml@feat/cache";
replace that mutable branch ref with an immutable version tag (e.g. match the
pattern used by the version-and-tag job such as "@v1.20.2") so the "uses:
unbounded-tech/workflows-crossplane/.github/workflows/test.yaml@feat/cache" line
(and any other "uses:" lines pointing to branches) uses a fixed tag instead of a
branch name to ensure reproducible runs.
- Line 27: Replace the mutable branch ref "@feat/cache" with a fixed version tag
(for example "@v2.7.0") for all three reusable workflow uses entries so the
main-branch CI is stable; locate the three uses lines that reference
unbounded-tech/workflows-crossplane/.github/workflows/validate.yaml@feat/cache
and similarly for the test and e2e jobs (job names "validate", "test", "e2e")
and update each to point to a concrete tag such as "@v2.7.0".
- Line 49: Replace the mutable branch reference
"unbounded-tech/workflows-crossplane/.github/workflows/e2e.yaml@feat/cache" with
an immutable version tag (for example "@v1.20.2"); update the "uses:
unbounded-tech/workflows-crossplane/.github/workflows/e2e.yaml@feat/cache" entry
and any other occurrences in the workflow (validate/test/e2e job uses) to the
chosen tag so the CI workflow references a stable, reproducible release instead
of the mutable "feat/cache" branch.

In @.github/workflows/on-version-tagged.yaml:
- Line 16: The workflow uses an unstable branch reference
"unbounded-tech/workflows-crossplane/.github/workflows/publish.yaml@feat/cache"
which breaks reproducible releases; update that uses line to point to a stable
version tag (for example replace "@feat/cache" with "@v2.8.0" or a later semver
tag) so the publish workflow invocation is pinned to a specific released commit
instead of a branch.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f80d45f and 2b06295.

📒 Files selected for processing (3)

• .github/workflows/on-pr.yaml
• .github/workflows/on-push-main.yaml
• .github/workflows/on-version-tagged.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test / test
• GitHub Check: e2e / test

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find and read the on-pr.yaml workflow file
find . -name "on-pr.yaml" -path "*/.github/workflows/*" | head -20

Repository: hops-ops/aws-network

Length of output: 94

---

🏁 Script executed:

# Read the on-pr.yaml workflow file
cat -n .github/workflows/on-pr.yaml

Repository: hops-ops/aws-network

Length of output: 2908

---

🌐 Web query:

GitHub Actions best practices mutable branch references security stability

💡 Result:

Quick best-practices checklist for handling mutable branch references in GitHub Actions (security + stability):

• Pin third‑party actions to a full commit SHA (avoid branch/tag refs like v1 or main). (docs.github.com)
• Prefer immutable action distributions (GHCR / “immutable actions”) or package versions when available. (ghsioux.github.io)
• Enforce org/repo policy to require SHA‑pinning and block unpinned/mutable references. (docs.github.com)
• Use protected, stable branches (e.g., main) for workflow files and reuse workflows from the default branch so workflow execution uses trusted workflow code. (docs.github.com)
• Avoid trusting refs from untrusted actors (fork PRs, dependabot PRs); restrict secrets and write permissions for workflows triggered by external contributors. Use pull_request_target only when you understand the secret-exposure risk. (docs.github.com)
• Minimize permissions (principle of least privilege) for GITHUB_TOKEN and any tokens used in workflows. Rotate and scope credentials. (docs.github.com)
• Use branch filters and explicit refs in triggers/checkout to prevent accidental runs on the wrong branch (branches/branches-ignore, exact ref checks). (gist.github.com)
• Monitor and alert on action vulnerabilities via Dependabot/Advisory database; treat SHA‑pinned actions differently (Dependabot alerts vary by versioning). (docs.github.com)
• Audit workflow runs (logs, actors), rotate secrets after incidents, and review third‑party action source code before trusting mutable refs. (docs.github.com)

If you want, I can: audit a specific workflow for mutable refs and produce line-by-line fixes (send the workflow YAML).

Citations:

• 1: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 2: https://ghsioux.github.io/2024/12/10/securing-workflow-immutable-actions?utm_source=openai
• 3: https://docs.github.com/en/actions/how-tos/security-for-github-actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions?utm_source=openai
• 4: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 5: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 6: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 7: https://gist.github.com/bgoonz/9edc7a097cfde1fefc1d0a8e720e8178?utm_source=openai
• 8: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 9: https://docs.github.com/actions/security-guides/security-hardening-for-github-actions?utm_source=openai

---

Replace mutable branch reference with a version tag or commit SHA.

Line 49 references @feat/cache, a mutable branch that can change without notice. This creates stability and security risks in production workflows. GitHub best practices require pinning reusable workflows to immutable references—either a specific release tag or a full commit SHA—rather than branch names. The validate job (line 30) and other jobs in this workflow have the same issue.

🤖 Prompt for AI Agents

In @.github/workflows/on-pr.yaml at line 49, The workflow is pinning an external
reusable workflow to a mutable branch reference ("uses:
unbounded-tech/workflows-crossplane/.github/workflows/test.yaml@feat/cache");
replace that branch ref with an immutable tag or full commit SHA (for example
change "@feat/cache" to a release tag like "@v1.2.3" or a commit SHA) wherever
this pattern appears (including the validate job and other uses lines) so the
reusable workflow is pinned to a stable, auditable revision.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the workflow file
find . -name "on-pr.yaml" -path ".github/workflows/*"

Repository: hops-ops/aws-network

Length of output: 46

---

🏁 Script executed:

# Get the file and check its size
wc -l .github/workflows/on-pr.yaml

Repository: hops-ops/aws-network

Length of output: 95

---

🏁 Script executed:

# Read the relevant section around line 52
sed -n '45,60p' .github/workflows/on-pr.yaml

Repository: hops-ops/aws-network

Length of output: 569

---

🏁 Script executed:

# Search for other uses of workflows-crossplane to see the pattern
rg "workflows-crossplane" -A 2 -B 2 .github/workflows/

Repository: hops-ops/aws-network

Length of output: 2332

---

🏁 Script executed:

# Check if there's a validate job mentioned in the file
rg "validate" .github/workflows/on-pr.yaml

Repository: hops-ops/aws-network

Length of output: 181

---

Avoid using mutable branch references in production workflows.

The e2e job references @feat/cache instead of a version tag or commit SHA. This creates stability and security concerns—the branch can be force-pushed or modified without notice, pulling in unintended changes. Pin to a specific commit hash or release tag instead.

🤖 Prompt for AI Agents

In @.github/workflows/on-pr.yaml at line 52, The workflow is using a mutable
branch ref in the `uses:` line ("uses:
unbounded-tech/workflows-crossplane/.github/workflows/e2e.yaml@feat/cache"),
which risks pulling unreviewed changes; change that ref to a stable tag or
commit SHA (for example replace `@feat/cache` with a release tag like `@v1.2.3`
or a specific commit hash `@<commit-sha>`), and update the workflow to reference
that immutable identifier so the e2e job always runs the pinned version.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd .github/workflows && ls -la && pwd

Repository: hops-ops/aws-network

Length of output: 411

---

🏁 Script executed:

cat -n .github/workflows/on-push-main.yaml | head -60

Repository: hops-ops/aws-network

Length of output: 2565

---

🏁 Script executed:

# Check the full workflow file to see validate job and other references
cat .github/workflows/on-push-main.yaml

Repository: hops-ops/aws-network

Length of output: 2671

---

Replace mutable branch references with version tags for all reusable workflows.

The test, validate, and e2e jobs reference @feat/cache instead of version tags. In main branch workflows, all external workflow references should use immutable version tags to ensure reproducibility and prevent unintended changes from branch updates. The version-and-tag job correctly demonstrates this pattern by using @v1.20.2.

🤖 Prompt for AI Agents

In @.github/workflows/on-push-main.yaml at line 46, The workflow references an
external reusable workflow using a mutable branch ref
"unbounded-tech/workflows-crossplane/.github/workflows/test.yaml@feat/cache";
replace that mutable branch ref with an immutable version tag (e.g. match the
pattern used by the version-and-tag job such as "@v1.20.2") so the "uses:
unbounded-tech/workflows-crossplane/.github/workflows/test.yaml@feat/cache" line
(and any other "uses:" lines pointing to branches) uses a fixed tag instead of a
branch name to ensure reproducible runs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/on-push-main.yaml

Repository: hops-ops/aws-network

Length of output: 3224

---

🏁 Script executed:

# Check if there are any comments or documentation in the repo about this
rg -i "feat/cache" --type yaml

Repository: hops-ops/aws-network

Length of output: 46

---

Use a version tag instead of the mutable @feat/cache branch reference.

The e2e job (and the validate and test jobs) reference @feat/cache, which is a branch that can be force-pushed or deleted. Use an immutable version tag (like @v1.20.2) to ensure stable, reproducible workflows in the main branch.

🤖 Prompt for AI Agents

In @.github/workflows/on-push-main.yaml at line 49, Replace the mutable branch
reference
"unbounded-tech/workflows-crossplane/.github/workflows/e2e.yaml@feat/cache" with
an immutable version tag (for example "@v1.20.2"); update the "uses:
unbounded-tech/workflows-crossplane/.github/workflows/e2e.yaml@feat/cache" entry
and any other occurrences in the workflow (validate/test/e2e job uses) to the
chosen tag so the CI workflow references a stable, reproducible release instead
of the mutable "feat/cache" branch.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/on-version-tagged.yaml

Repository: hops-ops/aws-network

Length of output: 763

---

🏁 Script executed:

git log --oneline --all -- .github/workflows/on-version-tagged.yaml | head -20

Repository: hops-ops/aws-network

Length of output: 569

---

🏁 Script executed:

git show 2b06295 -- .github/workflows/on-version-tagged.yaml

Repository: hops-ops/aws-network

Length of output: 996

---

🏁 Script executed:

git show 2b06295 | head -50

Repository: hops-ops/aws-network

Length of output: 1345

---

🏁 Script executed:

git log --all --grep="cache\|feat/cache" --oneline | head -10

Repository: hops-ops/aws-network

Length of output: 46

---

🏁 Script executed:

rg "feat/cache" .github/workflows/

Repository: hops-ops/aws-network

Length of output: 1020

---

🏁 Script executed:

web_search
GitHub Actions best practices for reusable workflows version pinning release workflows

Repository: hops-ops/aws-network

Length of output: 159

---

🌐 Web query:

GitHub Actions best practices reusable workflows version pinning release reproducibility

💡 Result:

Summary — concise best practices for reusable workflows, version pinning, releases and reproducibility:

1. Pin to immutable refs (commit SHAs) for security and reproducibility. Prefer full commit SHA in uses: (repo@), with an inline comment noting the human-friendly tag/version. This is the most secure and immutable option. [1][2]

2. Use semantic/loose tags for controlled upgrades. Publish tag hierarchy (v1, v1.2, v1.2.3) and “slip” only minor/patch tags when you intentionally want callers to pick up backward-compatible fixes; keep major tags immutable. Combine this with a strict release process and changelog. [4]

3. Make reusable-workflow inputs explicit and versioned. Add an optional ref input or explicit version input where callers can override the ref; document defaults and compatibility guarantees in the workflow README. Test breaking changes by bumping major tags only. [4]

4. Release hygiene: create signed/immutable releases (tags) for public reusable workflows and actions, publish release notes and compatibility guarantees, and update callers by pinning to the released SHA or patch tag. If available, enable immutable releases / attestations. [3][4]

5. Enforce org/enterprise policies: require SHA pinning and restrict allowed actions/reusable workflows via the allowed-actions policy; use blocklists for known-bad versions. This lets admins prevent unpinned or malicious updates. [3][2]

6. Audit and avoid “unpinnable” actions: review action source code and dependencies; avoid actions that download or run unverified remote code (these can change behavior despite SHA pinning). Fork and vendor-critical actions into org-controlled repos when possible. [2][8]

7. Use Dependabot and CI tests for safe updates: run automated tests against new action/workflow versions in a sandbox branch/PR, then promote to a pinned SHA after verification; record the tested SHA in workflows. [2][5]

8. Documentation and observability: document supported inputs, outputs, and compatibility matrix in the workflow repo; include the tested SHA in callers as a comment; add automated tests and release notes so consumers can understand when to upgrade. [4][2]

Quick practical template examples:

• Secure pin (recommended): uses: actions/checkout@f43a0e5 # v3.6.0. [2]
• Loose/minor adoption: callers reference repo@v1.2 (slipped intentionally) while CI uses pinned SHAs for production runs. [4]

If you want, I can:

• produce a concrete tagging/release workflow (GitHub Actions YAML) that enforces SHAs, creates signed immutable releases and slips tags according to semver; or
• draft an example allowed-actions policy for an org enforcing SHA pinning.

Sources: GitHub security docs & guidance; Well‑Architected Actions security; GitHub changelog on SHA pinning & blocking; community best-practice guides on versioning/pinning. [1][2][3][4][5]

References
[1] GitHub Docs — Security hardening for GitHub Actions (pin to full-length commit SHA / reuse workflows).
[2] GitHub Well‑Architected — Securing GitHub Actions Workflows (pin versions, avoid unpinnable actions).
[3] GitHub Changelog — Allowed-actions policy updates: enforce SHA pinning & blocklist (2025 changelog).
[4] Versioning gist / community writeups — loose versioning, tag slipping & migration patterns.
[5] Community posts on pinning actions (practical pin-to-SHA examples).

---

Critical: Do not use branch references in release workflows.

This workflow triggers on version tags (v*.*.*) and must use stable, versioned dependencies to ensure reproducible releases. Using @feat/cache undermines release reproducibility—if the branch is updated, re-running the same tagged version will produce different behavior. This is especially problematic given that line 23 already uses @v2.1.1 for the release job, demonstrating awareness of versioning requirements.

Required: Replace @feat/cache with a stable version tag (e.g., @v2.8.0 or later) to maintain release integrity.

🤖 Prompt for AI Agents

In @.github/workflows/on-version-tagged.yaml at line 16, The workflow uses an
unstable branch reference
"unbounded-tech/workflows-crossplane/.github/workflows/publish.yaml@feat/cache"
which breaks reproducible releases; update that uses line to point to a stable
version tag (for example replace "@feat/cache" with "@v2.8.0" or a later semver
tag) so the publish workflow invocation is pinned to a specific released commit
instead of a branch.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/on-pr.yaml (1)

52-59: Mutable branch reference should use a stable release tag, not feat/cache.

All workflow jobs reference the feat/cache branch, which is a mutable feature branch. This poses a supply chain risk: if the feat/cache branch in the external repository is compromised, it can be modified to alter the behavior of all jobs, including the e2e job that has AWS OIDC access.

Replace with a specific release tag or commit SHA to ensure the workflow definition cannot change unexpectedly.

🤖 Fix all issues with AI agents

In @.github/workflows/on-pr.yaml:
- Around line 65-66: The PR workflow currently reuses the reusable workflow via
"uses:
unbounded-tech/workflows-crossplane/.github/workflows/publish.yaml@feat/cache"
together with "secrets: inherit", which risks secret exposure if that branch is
compromised; either pin the reusable workflow reference to an immutable commit
hash (replace @feat/cache with @<commit-sha>), or remove "secrets: inherit" if
the publish job (which creates tag "pr-${{ github.event.pull_request.number
}}-${{ github.sha }}") does not actually need secrets, or add an inline comment
documenting why a mutable branch plus inherited secrets is required for
testing—apply the chosen change where the "uses:" and "secrets: inherit" lines
appear.
- Line 30: The workflow currently references a mutable feature branch via the
step "uses:
unbounded-tech/workflows-crossplane/.github/workflows/validate.yaml@feat/cache";
decide whether this is temporary or permanent and fix accordingly: if temporary
for testing, add a clear comment in the PR/commit and keep the branch reference
only for the test duration; if permanent, pin the workflow to an immutable
identifier (a released tag like @vX.Y.Z or a specific commit SHA) by replacing
@feat/cache with the tag or SHA so CI is reproducible and stable. Ensure the PR
description documents the chosen approach and, if keeping the branch short-term,
create a follow-up task to update to a tag once upstream changes are released.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2b06295 and 7e5b9a1.

📒 Files selected for processing (1)

• .github/workflows/on-pr.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: e2e / test

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/on-pr.yaml:
- Line 30: Replace the mutable branch reference in the workflow job "uses"
entries that currently point to
unbounded-tech/workflows-crossplane/.github/workflows/validate.yaml@feat/cache
(and the identical occurrences used by test, e2e, publish jobs) with the
immutable tag @v2.7.0 so the workflow uses
unbounded-tech/workflows-crossplane/.github/workflows/validate.yaml@v2.7.0;
update all four occurrences to ensure reproducible, stable references.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 582449d and 99ee9eb.

📒 Files selected for processing (2)

• .github/workflows/on-pr.yaml
• .github/workflows/on-push-main.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/on-push-main.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test / test
• GitHub Check: e2e / test

🔇 Additional comments (1)

.github/workflows/on-pr.yaml (1)

52-59: No action needed - the e2e job is correctly configured.

The e2e job correctly omits secrets: inherit because it uses GitHub OIDC authentication (aws-use-oidc: true). OIDC doesn't require passing AWS credentials as secrets; instead, it exchanges the GitHub OIDC token for temporary AWS credentials using the role specified by aws-account-id. The workflow has proper permissions configured (id-token: write) to support this. This configuration is consistent across both on-pr.yaml and on-push-main.yaml, and matches the recommended pattern where only jobs that need explicit secrets (like publish) include secrets: inherit.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/on-pr.yaml (1)

58-59: Consider documenting the rationale for the specific timeout values.

The timeout values were increased from 30 to 33 minutes. While the increase makes sense if caching adds overhead, the specific value of 33 seems arbitrary. Consider using a round number (e.g., 35 or 40) or documenting why 33 minutes was chosen.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 99ee9eb and a709d28.

📒 Files selected for processing (1)

• .github/workflows/on-pr.yaml

🔇 Additional comments (1)

.github/workflows/on-pr.yaml (1)

51-60: LGTM! OIDC authentication is properly configured.

The e2e job correctly uses OIDC authentication (aws-use-oidc: true) with the required id-token: write permission (line 22). This is a security best practice that eliminates the need for long-lived AWS credentials.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the feat/cache branch and available alternatives in unbounded-tech/workflows-crossplane

# Try to check if the branch exists using git ls-remote
git ls-remote --heads https://github.com/unbounded-tech/workflows-crossplane.git feat/cache

echo "---"

# Check recent tags
git ls-remote --tags https://github.com/unbounded-tech/workflows-crossplane.git | tail -20

Repository: hops-ops/aws-network

Length of output: 1290

---

Use immutable workflow references instead of a feature branch.

Referencing @feat/cache introduces instability because feature branches are mutable and can be force-pushed, deleted, or modified without notice. This breaks reproducibility and could cause unexpected workflow failures.

For testing purposes during development, this may be acceptable, but before merging to main, consider:

• Using the specific commit SHA: @72f4b0fa9ec90be73d54458461b2f4670e11eafd for immutability during this PR
• Merging feat/cache into a release branch and tagging it (e.g., @v2.8.0)
• Reverting to @v2.7.0 if the caching improvements can wait for the feature branch to stabilize

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/on-push-main.yaml:
- Line 27: Replace the temporary branch ref in the uses line (uses:
unbounded-tech/workflows-crossplane/.github/workflows/validate.yaml@feat/cache)
with a stable version tag (e.g., @v2.8.0) once the caching experiment completes,
and add a brief note in the PR or workflow header stating the planned revert
timeline and testing checklist; also reconcile the timeout inconsistency by
aligning on-push-main.yaml’s timeout to match on-pr.yaml (33 minutes) or vice
versa so both workflows use the same value.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0e76e45 and 51dfb44.

📒 Files selected for processing (1)

• .github/workflows/on-push-main.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test / test
• GitHub Check: e2e / test

🔇 Additional comments (2)

.github/workflows/on-push-main.yaml (2)

55-56: Confirm timeout value differences are intentional.

The on-pr.yaml workflow uses timeout-minutes: 33 and cleanup-timeout-minutes: 33 for the e2e job, while this file uses 30 for both. Clarify whether this difference is intentional based on expected execution times for push vs. PR workflows, or if both files should be aligned.

---

50-53: OIDC authentication setup is correct.

The workflow properly configures OIDC authentication with id-token: write permission (line 18) and aws-use-oidc: true (line 52). This approach is more secure than static credentials and follows AWS best practices.

Ensure the AWS account (034489662075) has:

• An OIDC provider configured for token.actions.githubusercontent.com
• An IAM role with trust policy allowing the GitHub repository (hops-ops/aws-network) to assume the role
• Appropriate permissions for the E2E tests (AWS resources being deployed)

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's understand the repository structure and the file in question
git ls-files .github/workflows/ | head -20

Repository: hops-ops/aws-network

Length of output: 169

---

🏁 Script executed:

# Check the actual content of the file to see the current state
cat -n .github/workflows/on-push-main.yaml

Repository: hops-ops/aws-network

Length of output: 3074

---

🏁 Script executed:

# Check git log to see recent changes to this file
git log --oneline -20 .github/workflows/on-push-main.yaml

Repository: hops-ops/aws-network

Length of output: 89

---

🏁 Script executed:

# Check if there's any documentation about the feat/cache branch or caching improvements
find . -type f \( -name "*.md" -o -name "*.txt" \) -exec grep -l "feat/cache\|caching" {} \; 2>/dev/null | head -10

Repository: hops-ops/aws-network

Length of output: 46

---

🏁 Script executed:

# Get the git diff to see what changed
git diff HEAD~1 .github/workflows/on-push-main.yaml

Repository: hops-ops/aws-network

Length of output: 252

---

🏁 Script executed:

# Check the commit message details
git show -s 51dfb44

Repository: hops-ops/aws-network

Length of output: 217

---

🏁 Script executed:

# Search for any references to workflows-crossplane or feat/cache in the repo
rg "workflows-crossplane|feat/cache" --type yaml

Repository: hops-ops/aws-network

Length of output: 46

---

🏁 Script executed:

# Check if there are any recent issues or PRs mentioning caching or feat/cache
git log --all --oneline --grep="cache\|feat/cache" | head -10

Repository: hops-ops/aws-network

Length of output: 46

---

🏁 Script executed:

# Check git status to understand the current state
git status

Repository: hops-ops/aws-network

Length of output: 129

---

🏁 Script executed:

# Look at git log more broadly to understand the repository history
git log --oneline | head -20

Repository: hops-ops/aws-network

Length of output: 89

---

🏁 Script executed:

# Check if there are any PR or issue related files
find . -type f -name "*.md" | xargs grep -l "feat/cache\|branch\|caching" 2>/dev/null | head -10

Repository: hops-ops/aws-network

Length of output: 46

---

🏁 Script executed:

# Look for any GitHub Actions related environment or context files
find . -type f \( -name "*.yml" -o -name "*.yaml" \) | xargs grep -l "feat/cache\|v2.7.0" 2>/dev/null

Repository: hops-ops/aws-network

Length of output: 175

---

🏁 Script executed:

# Check all yaml files to see the context of the changes
cat -n .github/workflows/on-pr.yaml | head -60

Repository: hops-ops/aws-network

Length of output: 2451

---

🏁 Script executed:

# Check on-version-tagged.yaml to see if it uses different references
cat -n .github/workflows/on-version-tagged.yaml

Repository: hops-ops/aws-network

Length of output: 763

---

🏁 Script executed:

# Look at the git log to understand if there are previous versions with v2.7.0
git log --all --oneline | head -30

Repository: hops-ops/aws-network

Length of output: 1512

---

Branch references should be temporary for this caching experiment.

Using @feat/cache instead of version tags in production workflows reduces reproducibility and stability. While the commit message "chore: experiment" indicates this is temporary, confirm:

1. Timeline for reverting to a stable version reference (e.g., @v2.8.0 or later tag once testing is complete)
2. Plan to test the feat/cache branch thoroughly before reverting

Note: The timeout inconsistency should also be resolved—on-pr.yaml uses 33 minutes while on-push-main.yaml uses 30 minutes.

🤖 Prompt for AI Agents

In @.github/workflows/on-push-main.yaml at line 27, Replace the temporary branch
ref in the uses line (uses:
unbounded-tech/workflows-crossplane/.github/workflows/validate.yaml@feat/cache)
with a stable version tag (e.g., @v2.8.0) once the caching experiment completes,
and add a brief note in the PR or workflow header stating the planned revert
timeline and testing checklist; also reconcile the timeout inconsistency by
aligning on-push-main.yaml’s timeout to match on-pr.yaml (33 minutes) or vice
versa so both workflows use the same value.