added aws ecr upload to rag ingestion workflow #293
📝 Walkthrough
GitHub Actions workflows are updated to enable and extend AWS ECR integration: the RAG ingestion workflow activates previously commented AWS environment variables and ECR push steps, the inference app workflow adds new AWS environment variables and ECR push/cleanup steps, and AWS credential configuration actions are upgraded from v1 to v4 across three additional workflows.
Changes
AWS ECR Integration
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-rag-ingestion-develop.yaml:
- Around line 72-73: Replace the deprecated action reference "uses:
aws-actions/configure-aws-credentials@v1" with the current major release "uses:
aws-actions/configure-aws-credentials@v6" in this workflow (and any other
workflows containing the same string); update any input names if the v6 action
requires different parameters and run the workflow lint to ensure no actionlint
deprecations remain.
- Line 73: Replace floating action tags with immutable commit SHAs: update the
two workflow lines that currently read "uses:
aws-actions/configure-aws-credentials@v1" and "uses:
aws-actions/amazon-ecr-login@v1" to reference their full commit SHAs (e.g.,
"aws-actions/configure-aws-credentials@<commit-sha>" and
"aws-actions/amazon-ecr-login@<commit-sha>"); obtain the desired commit SHAs
from the respective repositories' secure releases, commit the updated workflow
file, and ensure both occurrences are pinned to fixed SHAs rather than version
tags.
📒 Files selected for processing (1)
.github/workflows/build-rag-ingestion-develop.yaml
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v1 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
ls -la .github/workflows || true
rg -n "aws-actions/configure-aws-credentials@" .github/workflows -S || true
sed -n '60,90p' .github/workflows/build-rag-ingestion-develop.yaml || true
Repository: rootflo/wavefront
Length of output: 2598
🌐 Web query:
aws-actions/configure-aws-credentials current major version supported v1 v2 v3 v4 actionlint too old
💡 Result:
As of June 12, 2026, the current major version of the aws-actions/configure-aws-credentials action is v6 [1][2][3]. The action maintains a release policy where major versions (such as v6) receive active updates, while older major versions may no longer be supported or updated [4][5][6]. Using floating tags like @v6 is supported and recommended for convenience, as they automatically point to the latest minor/patch release within that major version [4][6].
Regarding the "actionlint too old" error, this typically occurs because actionlint checks the version of the action used in your workflow file against its own internal database of known, supported, or "modern" actions [7]. If actionlint reports that an action is "too old," it often means:
1. You are referencing an outdated major version (e.g., using v1, v2, or v3 when v6 is available) [5].
2. Your local version of actionlint itself is outdated and does not recognize newer releases of the action (e.g., it may not be aware that v6 is a valid, current release) [7].
To resolve this:
- Update your workflow to use the latest major version, currently @v6 [4][6].
- Ensure your actionlint tool is updated to the latest version to recognize the newest releases [7].
- If you are already using the latest version and still receive the error, check if your actionlint configuration requires an explicit update to its internal rules or if you are using an older, pinned commit SHA that the linter flags as deprecated [8][7].
Citations:
- 1: https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md
- 2: https://github.com/aws-actions/configure-aws-credentials/releases/tag/v6.2.0
- 3: https://github.com/aws-actions/configure-aws-credentials/releases
- 4: https://github.com/aws-actions/configure-aws-credentials/blob/main/README.md
- 5: https://github.com/aws-actions/configure-aws-credentials/blob/master/README.md
- 6: https://github.com/aws-actions/configure-aws-credentials/tree/refs/heads/main
- 7: Static Analysis Report - 2026-02-25 github/gh-aw#18283
- 8: Invalid URL error after updating to 4.3.0 aws-actions/configure-aws-credentials#1423
Update deprecated AWS credentials action version before merge
aws-actions/configure-aws-credentials@v1 is an outdated major release; update it to the current supported major (@v6) to avoid actionlint deprecation (“too old”) and potential workflow breakage. (This same @v1 reference appears in other workflows as well.)
🧰 Tools
🪛 actionlint (1.7.12)
[error] 73-73: the runner of "aws-actions/configure-aws-credentials@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.25.2)
[error] 73-73: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| # docker tag rootflo:${{ env.IMAGE_TAG }} ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
| # docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }} | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v1 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build-rag-ingestion-develop.yaml"
echo "== File exists? =="
ls -l "$FILE" || true
echo "== Relevant lines (73-90) =="
nl -ba "$FILE" | sed -n '60,95p'
Repository: rootflo/wavefront
Length of output: 270
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build-rag-ingestion-develop.yaml"
echo "== Relevant lines (70-90) with numbers (cat -n) =="
cat -n "$FILE" | sed -n '65,90p'
echo "== Lines containing configure-aws-credentials in this file =="
rg -n "aws-actions/configure-aws-credentials@" "$FILE" || true
echo "== Lines containing aws-actions/ in this file =="
rg -n "uses: aws-actions/" "$FILE" || true
Repository: rootflo/wavefront
Length of output: 1681
Pin AWS GitHub Action references to immutable commit SHAs (avoid floating tags).
.github/workflows/build-rag-ingestion-develop.yaml uses aws-actions/configure-aws-credentials@v1 (line 73) and aws-actions/amazon-ecr-login@v1 (line 81); pin both to full commit SHAs to prevent supply-chain drift.
🧰 Tools
🪛 actionlint (1.7.12)
[error] 73-73: the runner of "aws-actions/configure-aws-credentials@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.25.2)
[error] 73-73: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-wavefront-inference_app-develop.yaml:
- Around line 79-81: The aws-actions/amazon-ecr-login action in the Login to
Amazon ECR step is using a mutable tag reference (v1) instead of a specific
commit hash. Replace the `@v1` tag with a pinned commit SHA (in the format
@<commit-hash>) to ensure security and reproducibility. You can find the
appropriate commit hash from the action's releases page on GitHub.
- Around line 72-77: Update the aws-actions/configure-aws-credentials action in
the Configure AWS credentials step from v1 to a more recent version pinned to a
specific commit hash. Replace the current uses statement that references v1 with
a pinned version using a specific commit SHA (for example,
e3dd6a429d7300a6a4c196c26e071d42e0343502 for v4.0.2) to ensure security and
reproducibility. This addresses both the outdated runner issue that causes
workflow failures and provides better security through commit pinning rather
than using version tags.
📒 Files selected for processing (1)
.github/workflows/build-wavefront-inference_app-develop.yaml
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v1 | ||
| with: | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| aws-region: ${{ env.AWS_REGION }} |
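Review bot: the `with:` block of the Configure AWS credentials step authenticates with long-lived IAM access keys held as repository secrets (`secrets.AWS_ACCESS_KEY_ID`, `secrets.AWS_SECRET_ACCESS_KEY`). Consider GitHub OIDC instead, using the action's `role-to-assume` input together with `permissions: id-token: write` on the job, so the workflow receives short-lived credentials and no static key has to be stored or rotated. If the static keys stay, confirm that the IAM user behind them is limited to pushing to the target ECR repository.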
Update to aws-actions/configure-aws-credentials@v2 or later.
The v1 runner is too old for current GitHub Actions and will cause workflow failures. Additionally, the action should be pinned to a specific commit hash for security and reproducibility.
🔧 Proposed fix
# Configure AWS credentials and push to ECR
- name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
For production workflows, consider pinning to a specific commit SHA:
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} |
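Review bot: the replacement `uses:` line in this suggestion still references a mutable tag (`aws-actions/configure-aws-credentials@v4`), so the zizmor unpinned-uses finding reported for line 73 would remain after it is applied. Put the SHA-pinned form given in the same comment (`@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2`) into the committable suggestion itself, after confirming in the upstream repository that this SHA is the commit the v4.0.2 tag points to.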
🧰 Tools
🪛 actionlint (1.7.12)
[error] 73-73: the runner of "aws-actions/configure-aws-credentials@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🪛 zizmor (1.25.2)
[error] 73-73: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| - name: Login to Amazon ECR | ||
| id: login-ecr | ||
| uses: aws-actions/amazon-ecr-login@v1 |
Pin action to a specific commit hash.
For security and reproducibility, GitHub Actions should be pinned to specific commit SHAs rather than mutable tags.
🔒 Proposed fix
- name: Login to Amazon ECR
id: login-ecr
- uses: aws-actions/amazon-ecr-login@v1
+ uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 |
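Review bot: the replacement line is annotated `# v2.0.1` while the removed line is `@v1`, so this suggestion is a major-version upgrade as well as a pin, which the comment title does not mention. Check that the outputs of the `login-ecr` step consumed by later steps behave the same under v2, and verify in the upstream repository that `062b18b96a7aff071d4dc91bc00c4c1a7945b076` is the commit the v2.0.1 tag resolves to before committing.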
🧰 Tools
🪛 zizmor (1.25.2)
[error] 81-81: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-wavefront-floconsole-develop.yaml:
- Line 73: The aws-actions/configure-aws-credentials action in all four
workflows must be pinned to immutable commit SHAs instead of version tags for
supply-chain security. In
.github/workflows/build-wavefront-floconsole-develop.yaml line 73, replace `@v4`
with the full commit SHA for the v4 release. Apply the same vetted commit SHA to
the corresponding line 73 in
.github/workflows/build-wavefront-floware-develop.yaml and
.github/workflows/build-wavefront-web-develop.yaml, and also to
.github/workflows/build-wavefront-inference_app-develop.yaml line 73 (use the
same commit SHA consistently across all four files to ensure all workflows
reference the same validated action version).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d350d53d-851e-4249-9cff-315c7a138c56
📒 Files selected for processing (5)
.github/workflows/build-rag-ingestion-develop.yaml
.github/workflows/build-wavefront-floconsole-develop.yaml
.github/workflows/build-wavefront-floware-develop.yaml
.github/workflows/build-wavefront-inference_app-develop.yaml
.github/workflows/build-wavefront-web-develop.yaml
| # Configure AWS credentials and push to ECR | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v1 | ||
| uses: aws-actions/configure-aws-credentials@v4 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify unpinned uses of configure-aws-credentials in workflow files.
# Expected after fix: no matches for `@v`* tags on this action in these files.
rg -n --type=yaml 'uses:\s*aws-actions/configure-aws-credentials@v[0-9]+' .github/workflows/build-wavefront-*-develop.yaml
Repository: rootflo/wavefront
Length of output: 518
All four workflows with mutable AWS credentials actions must be pinned to commit SHAs.
The shared root cause is using aws-actions/configure-aws-credentials@v4 (tag) instead of an immutable commit SHA, which violates the unpinned-action policy and weakens CI supply-chain guarantees.
- .github/workflows/build-wavefront-floconsole-develop.yaml#L73: replace @v4 with the published full commit SHA for the intended v4 release.
- .github/workflows/build-wavefront-floware-develop.yaml#L73: replace @v4 with the same vetted commit SHA.
- .github/workflows/build-wavefront-web-develop.yaml#L73: replace @v4 with that vetted commit SHA.
- .github/workflows/build-wavefront-inference_app-develop.yaml#L73: replace @v4 with that vetted commit SHA.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 73-73: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
📍 Affects 3 files
- .github/workflows/build-wavefront-floconsole-develop.yaml#L73-L73 (this comment)
- .github/workflows/build-wavefront-floware-develop.yaml#L73-L73
- .github/workflows/build-wavefront-web-develop.yaml#L73-L73
Source: Linters/SAST tools
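The pinning rule these review comments keep returning to can be checked in CI with a short script. The following is an added example, not code from this PR, CodeRabbit or zizmor: a line-based approximation of an unpinned-uses check in which the function names are hypothetical and the sample workflow is constructed from the action references quoted on this page plus a made-up local action path.

```python
import re
import sys
from pathlib import Path

# A `uses:` key with optional list dash, optional quotes and optional trailing comment.
# Commented-out lines start with '#' and therefore never match.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<ref>[^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref):
    """Return 'local', 'docker', 'pinned' or 'unpinned' for one uses: value."""
    if ref.startswith("./"):
        return "local"    # action stored in the same repository, versioned with it
    if ref.startswith("docker://"):
        return "docker"   # image reference; digest pinning is a separate check
    _, sep, version = ref.partition("@")
    if sep and FULL_SHA_RE.fullmatch(version):
        return "pinned"   # full 40-character commit SHA
    return "unpinned"     # tag, branch, abbreviated SHA, or no ref at all


def audit_workflow(text, path="<workflow>"):
    """Return (path, line number, reference) for every unpinned action reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group("ref")) == "unpinned":
            findings.append((path, lineno, match.group("ref")))
    return findings


# Constructed sample: references as quoted in the review, local path invented.
SAMPLE = """\
steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      aws-region: ${{ env.AWS_REGION }}
  - name: Login to Amazon ECR
    id: login-ecr
    uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
  # - uses: aws-actions/amazon-ecr-login@v1
  - uses: ./.github/actions/build
"""


def main(root=".github/workflows"):
    """Scan every workflow file under root; return 1 if anything is unpinned."""
    findings = []
    for wf in sorted(Path(root).glob("*.y*ml")):
        findings += audit_workflow(wf.read_text(encoding="utf-8"), str(wf))
    for path, lineno, ref in findings:
        print(f"{path}:{lineno}: unpinned action reference: {ref}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Because it matches lines rather than parsing YAML, a `uses:` string inside a multi-line `run:` script would also be reported; a pinned SHA still has to be checked against the upstream tag by hand.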