Code builds successfully without lint or type errors
Unit tests added or updated [Backend]
UI verified [Frontend]
Documentation updated (README / Confluence / API Docs)
No sensitive information (keys, passwords, secrets) committed
I have updated the CHANGELOG with relevant details
I have given a clear and meaningful PR title and description as per standard format
I have verified cross-repo dependencies (if any)
I have confirmed backward compatibility with previous releases
Details:
add these secrets
DEV_EKS_CLUSTER
DEV_OPENSOURCE_NAMESPACE
👥 Reviewer Notes
PR Type
Enhancement
Description
Add manual dev deployment GitHub Action
Compute release version from VERSION
Configure AWS/EKS access and kubectl
Patch dev deployments to new images
Diagram Walkthrough
flowchart LR
A["workflow_dispatch trigger"]
B["Read VERSION and set env"]
C["Configure AWS credentials"]
D["Update EKS kubeconfig"]
E["kubectl patch deployments with image tags"]
F["kubectl rollout status checks"]
A -- "starts" --> B
B -- "prepares" --> C
C -- "authenticates" --> D
D -- "enables access" --> E
E -- "verifies" --> F
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns
Credential management: The workflow uses long-lived AWS access keys from GitHub Secrets (AWS_DEPLOYMENT_ACCESS_KEY_ID / AWS_DEPLOYMENT_SECRET_ACCESS_KEY). Consider migrating to GitHub OIDC role assumption to reduce exposure/rotation risk. Also review the requested packages: write permission for necessity to minimize blast radius if the workflow token is abused.
The kubectl patch payload sets spec.template.spec.containers to a single-item array. If any of these deployments have multiple containers (sidecars, init patterns converted to containers, etc.), this can unintentionally drop the other containers and break the pod spec. Consider using kubectl set image deployment/<name> <container>=<image>:<tag> (or a patch that only updates the matching container entry without replacing the whole list).
Using version: latest for kubectl and not pinning action versions to immutable SHAs can introduce non-deterministic behavior (sudden workflow breakage or behavior changes). Prefer pinning kubectl to a known version and actions to a commit SHA (or at least a stable major+minor strategy if that is your standard).
The job requests packages: write but the workflow appears to only deploy to EKS. If not required, drop this permission. Also consider whether static AWS access keys are necessary vs GitHub OIDC (id-token: write) with an assumed role for improved security posture and easier credential rotation.
The current JSON patch strings rely on fragile shell quoting and are easy to break, which can result in deploying the wrong image or failing silently. Use kubectl set image (built for this use-case) and add a rollout --timeout so the job doesn’t hang indefinitely on a bad deploy.
Why: The current kubectl patch ... -p '{...'"${VERSION}"'...}' constructs are brittle and easy to break due to complex quoting, so switching to kubectl set image is a solid, purpose-built alternative. Adding --timeout to kubectl rollout status prevents the workflow from hanging indefinitely on failed deployments, improving CI robustness.
Medium
Fix version string replacement
The bash parameter expansion VER=${VER/-alpha/''} is error-prone and can behave unexpectedly because of the embedded quotes. Replace it with the standard “replace with empty string” form to reliably strip -alpha from the version.
Why: Replacing VER=${VER/-alpha/''} with VER=${VER/-alpha/} is a correct, more idiomatic Bash expansion and avoids confusing embedded quotes. Impact is modest since the current form often still works, but it improves reliability/readability of VERSION computation.
Low
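Whether a single-item `containers` patch drops sidecars depends on the patch type: `kubectl patch` defaults to a strategic merge patch, which merges `containers` entries by `name`, while `--type merge` (JSON merge patch, RFC 7386) replaces the whole list. The following is an added example, not code from this PR or from kubectl, that models both behaviours on a constructed Deployment; the container names, image tags and the simplified `strategic_merge` helper are assumptions for illustration.

```python
import copy

# Constructed sample: a Deployment with an app container and a sidecar.
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "example/web:1.0.0",
     "ports": [{"containerPort": 8080}]},
    {"name": "log-shipper", "image": "example/shipper:2.3"},
]}}}}

# Constructed patch in the shape the review describes: one-item containers array.
PATCH = {"spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "example/web:1.1.0"},
]}}}}


def json_merge_patch(target, patch):
    """RFC 7386 merge (kubectl patch --type merge): lists are replaced whole."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)  # null in the patch deletes the key
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def strategic_merge(target, patch, merge_keys=("containers",)):
    """Simplified model of a strategic merge patch: lists named in merge_keys
    are merged element-wise by their "name" field instead of being replaced."""
    result = copy.deepcopy(target)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = strategic_merge(result[key], value, merge_keys)
        elif key in merge_keys and isinstance(value, list):
            merged = {c["name"]: c for c in copy.deepcopy(result.get(key, []))}
            for item in value:
                # Shallow per-container merge: patched fields win, others stay.
                merged[item["name"]] = {**merged.get(item["name"], {}), **item}
            result[key] = list(merged.values())
        else:
            result[key] = copy.deepcopy(value)
    return result


def container_names(deployment):
    """Names of the containers in the pod template, in order."""
    return [c["name"] for c in deployment["spec"]["template"]["spec"]["containers"]]
```

Under the JSON merge model the sidecar disappears and the `web` container loses its `ports`; under the strategic model only the image tag changes.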
User description
📝 Pull Request Summary
Description:
Workflow file to deploy images into dev namespace
Related Jira Ticket: https://aottech.atlassian.net/browse/OPS-242
DEPENDENCY PR:
Type of Change:
💻 Frontend Changes
Modules/Components Affected:
Summary of Frontend Changes:
UI/UX Review:
Screenshots / Screen Recordings (if applicable):
⚙️ Backend Changes (Java / Python)
Modules/Endpoints Affected:
Summary of Backend Changes:
API Testing:
Screenshots / Screen Recordings (if applicable):
✅ Checklist
File Walkthrough
dev-deployment.yml
Add manual dev deployment workflow for EKS
.github/workflows/dev-deployment.yml
workflow_dispatch dev deployment workflow VERSION differently for master