Actionable comments posted: 3
♻️ Duplicate comments (1)
.github/workflows/cd-production.yml (1)
30-41: ⚠️ Potential issue | 🔴 Critical
Same critical SSM expansion + $ROOT_USER-as-command bugs as in cd-staging.yml. The single-quoted --parameters string prevents the runner from substituting $BUILD_DIRECTORY, $APP_NAME, and $ROOT_USER, and the "&& $ROOT_USER && pm2 restart $APP_NAME" segment will execute the username as a standalone command (failing under set -e). On a tagged release this means production goes down on the first deploy after merge. See the detailed analysis and proposed diff on the staging file — the same fix applies here, with EC2_INSTANCE_ID instead of EC2_STAGING_INSTANCE_ID.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/cd-production.yml around lines 30 - 41, The SSM command's single-quoted --parameters prevents GitHub runner variable expansion and mistakenly treats $ROOT_USER as a command; fix by constructing the parameters so runner variables (BUILD_DIRECTORY, APP_NAME, ROOT_USER, AWS_REGION, INSTANCE_ID) are expanded before calling aws ssm send-command and ensure the restart runs as that user instead of executing the username. Specifically, change the --parameters argument to a double-quoted/escaped string or JSON where the inner command is a single string with expanded variables and replace the standalone "$ROOT_USER" token with an explicit user-invocation (for example use sudo -u $ROOT_USER -- pm2 restart $APP_NAME or prefix the pm2 restart with sudo -H -u "$ROOT_USER") and continue using INSTANCE_ID/EC2_INSTANCE_ID and AWS_REGION as currently named so SSM receives the fully expanded commands.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cd-production.yml:
- Line 11: The production workflow currently sets environment: AWS_ENV (same as
staging); restore or replace it with a dedicated production environment to avoid
staging reading prod secrets and to allow stricter protection rules—update the
cd-production workflow to use a new environment name (e.g., AWS_PRODUCTION)
instead of AWS_ENV and ensure required reviewers/approval gates are configured
for that new environment; if the consolidation is intentional, add a clear
comment in the cd-production workflow and confirm that approval rules and secret
scoping have been reviewed and tightened.
In @.github/workflows/cd-staging.yml:
- Line 11: The workflow currently sets environment: AWS_ENV which collapses
staging and production into one GitHub Actions environment; change this to use
distinct environments (for example AWS_STAGING_ENV for the staging deploy job
and AWS_PRODUCTION_ENV for the production deploy job) or split into two
workflows so EC2_STAGING_INSTANCE_ID and EC2_INSTANCE_ID remain separate secrets
and environment protection rules (required reviewers/approval gates) can differ;
update the deploy job(s) that reference AWS_ENV to reference the appropriate
environment symbol (AWS_STAGING_ENV or AWS_PRODUCTION_ENV) and add an explicit
approval gate or protection condition for the production deploy job to restore
isolation and scoped secrets.
- Around line 30-41: The SSM payload is being single-quoted so runner env vars
(BUILD_DIRECTORY, APP_NAME, ROOT_USER) are sent literally and the fragment "&&
$ROOT_USER && pm2 restart $APP_NAME" treats the username as a command; update
the aws ssm send-command --parameters value to use double quotes so the runner
expands $BUILD_DIRECTORY, $APP_NAME and $ROOT_USER, escape the PATH expansion on
the remote side (use \$PATH) so it is evaluated on the EC2 host, and replace the
standalone "$ROOT_USER" token with a proper user switch such as "sudo -u
$ROOT_USER pm2 restart $APP_NAME" so pm2 is restarted as that user.
---
Duplicate comments:
In @.github/workflows/cd-production.yml:
- Around line 30-41: The SSM command's single-quoted --parameters prevents
GitHub runner variable expansion and mistakenly treats $ROOT_USER as a command;
fix by constructing the parameters so runner variables (BUILD_DIRECTORY,
APP_NAME, ROOT_USER, AWS_REGION, INSTANCE_ID) are expanded before calling aws
ssm send-command and ensure the restart runs as that user instead of executing
the username. Specifically, change the --parameters argument to a
double-quoted/escaped string or JSON where the inner command is a single string
with expanded variables and replace the standalone "$ROOT_USER" token with an
explicit user-invocation (for example use sudo -u $ROOT_USER -- pm2 restart
$APP_NAME or prefix the pm2 restart with sudo -H -u "$ROOT_USER") and continue
using INSTANCE_ID/EC2_INSTANCE_ID and AWS_REGION as currently named so SSM
receives the fully expanded commands.
📒 Files selected for processing (2)
- .github/workflows/cd-production.yml
- .github/workflows/cd-staging.yml
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cd-staging.yml:
- Around line 4-6: Update the push branch filter in the GitHub Actions workflow
so it targets the production branch again: replace the current branch entry
'build/update-deployment-script' with 'main' in the push -> branches list and
update or remove the stale inline comment that currently reads "# Deploy only
when changes are pushed to the main branch" so it matches the actual config;
this change affects the branch filter in the cd-staging.yml workflow file.
📒 Files selected for processing (2)
- .github/workflows/cd-staging.yml
- app/lib/constants.ts
✅ Files skipped from review due to trivial changes (1)
- app/lib/constants.ts
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cd-production.yml:
- Line 37: The REMOTE_CMD string is embedding runner-expanded vars without
quoting, causing word-splitting for values like APP_NAME; update the REMOTE_CMD
in both REMOTE_CMD occurrences (in .github/workflows/cd-production.yml and
cd-staging.yml) to wrap the remote-side variable references in escaped quotes so
they are passed as single arguments on the EC2 host (e.g., change occurrences of
${APP_NAME}, ${BUILD_DIRECTORY}, and ${ROOT_USER} inside REMOTE_CMD to
\"${APP_NAME}\", \"${BUILD_DIRECTORY}\", and \"${ROOT_USER}\" respectively) so
pm2 restart and other commands receive the full, quoted values.
📒 Files selected for processing (2)
- .github/workflows/cd-production.yml
- .github/workflows/cd-staging.yml
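The two quoting findings above (the single-quoted --parameters string with the bare $ROOT_USER token, and the unquoted remote-side references that word-split values such as APP_NAME) come down to three layers of quoting in one string: what the GitHub runner expands, what the EC2 host expands, and how the host tokenizes the result. The script below is an added example written for this page; it is neither the repository's workflow nor CodeRabbit's proposed diff. The sample values are constructed (APP_NAME deliberately contains a space), `git pull` and the `/usr/local/bin` PATH entry stand in for the real deploy steps, which are not shown on the page, and the `sudo -u "$ROOT_USER" -- pm2 restart` form follows the reviewer's suggestion. Since AWS-RunShellScript executes as root on Linux, that `sudo -u` is also what keeps pm2 running under the unprivileged deploy user instead of root.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow. Builds the SSM remote command so that
#   1. BUILD_DIRECTORY / APP_NAME / ROOT_USER are expanded on the GitHub runner,
#   2. \$PATH is left for the EC2 host to expand,
#   3. each expanded value is wrapped in escaped double quotes so the host sees one
#      argument per value, and pm2 runs via sudo -u instead of "$ROOT_USER" as a command.
set -eu

# Constructed sample values standing in for the step-level env: entries / secrets.
SAMPLE_BUILD_DIRECTORY="/srv/my app"
SAMPLE_APP_NAME="my app"
SAMPLE_ROOT_USER="deploy"

# The shape the review flagged: single quotes, so the runner expands nothing and the
# bare $ROOT_USER token is executed as a command on the host.
broken_remote_cmd() {
  printf '%s' 'cd $BUILD_DIRECTORY && git pull && $ROOT_USER && pm2 restart $APP_NAME'
}

# Corrected shape. "git pull" and the PATH entry are placeholders for the real deploy
# steps (assumption); the quoting and the sudo invocation are the point.
build_remote_cmd() {
  local build_dir="$1" app_name="$2" root_user="$3"
  printf '%s' "export PATH=\"\$PATH:/usr/local/bin\" && cd \"${build_dir}\" && git pull && sudo -u \"${root_user}\" -- pm2 restart \"${app_name}\""
}

# Escape backslashes and double quotes so the command can sit inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the --parameters document instead of hand-nesting quotes inline, e.g.
#   aws ssm send-command --instance-ids "$INSTANCE_ID" --region "$AWS_REGION" \
#     --document-name AWS-RunShellScript \
#     --parameters "$(build_ssm_parameters "$REMOTE_CMD")"
build_ssm_parameters() {
  printf '{"commands":["%s"]}' "$(json_escape "$1")"
}

# Simulate the host's word splitting: how many arguments would "pm2 restart" receive?
pm2_restart_argc() {
  local tail="${1##*"pm2 restart "}"
  eval "set -- ${tail}"
  printf '%s' "$#"
}

main() {
  local fixed
  fixed="$(build_remote_cmd "$SAMPLE_BUILD_DIRECTORY" "$SAMPLE_APP_NAME" "$SAMPLE_ROOT_USER")"
  printf '%s\n' "broken : $(broken_remote_cmd)"
  printf '%s\n' "fixed  : ${fixed}"
  printf '%s\n' "params : $(build_ssm_parameters "${fixed}")"
  printf '%s\n' "pm2 restart argc, quoted   : $(pm2_restart_argc "${fixed}")"
  printf '%s\n' "pm2 restart argc, unquoted : $(pm2_restart_argc "pm2 restart ${SAMPLE_APP_NAME}")"
}

main
```

One caveat when moving expansion to the runner: whatever is expanded into the command string becomes part of the SSM command parameters, which are visible in the Run Command history to any principal allowed to list or read command invocations. Paths, app names and usernames are fine there; anything that is actually a secret should stay in an `env:` entry read on the host (or in Parameter Store) rather than be interpolated into the command text.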
Issue: #125
Description
BUILD_DIRECTORY, APP_NAME, AWS_REGION, INSTANCE_ID) into a step-level env: block instead of inlining ${{ secrets.* }} throughout the SSM command, making the shell command readable and easier to maintain.
Summary by CodeRabbit
New Features
Chores