
chore: add test-releases.yaml for testing branch code in environments #1017

Open
Datron wants to merge 1 commit into main from rds-proxy-complaince

Conversation

@Datron Datron commented May 22, 2026

Problem

Cannot test some infrastructure without merging something to main

Solution

Add a test releases workflow with calendar branch versioning so that, in some cases, tests can be run in our infra.

Summary by CodeRabbit

  • Chores
    • Automated test release workflow for multi-architecture Docker images (amd64, arm64) with automatic versioning based on branch name and date.

Review Change Stack

Copilot AI review requested due to automatic review settings May 22, 2026 13:22
@Datron Datron requested a review from a team as a code owner May 22, 2026 13:22
semanticdiff-com Bot commented May 22, 2026


Changed Files
File Status
  .github/workflows/test-releases.yaml  0% smaller

coderabbitai Bot commented May 22, 2026

Walkthrough

A new GitHub Actions workflow test-releases.yaml implements a multi-architecture Docker test release pipeline. The workflow triggers on manual dispatch, skips the main branch, computes a calendar-based version tag, builds per-architecture images via Buildx (amd64/arm64), and consolidates them into a multi-arch GHCR manifest using run-level concurrency to cancel in-progress builds.

Changes

Test Release Docker Pipeline

  • Workflow setup and release version computation (.github/workflows/test-releases.yaml): the workflow triggers on workflow_dispatch, enforces concurrency with in-progress run cancellation, and a tag-release job blocks execution on main while computing a calendar-based version from branch name + current date, exposed as a job output.
  • Multi-architecture Docker image builds and push (.github/workflows/test-releases.yaml): a docker-build job runs only on non-main branches, builds images for both linux/amd64 and linux/arm64 using Docker Buildx with a platform matrix, and pushes each architecture-specific image to GHCR with computed version and architecture-suffix tags.
  • Multi-architecture manifest consolidation (.github/workflows/test-releases.yaml): a create-manifest job depends on both prior jobs and creates a unified GHCR manifest tag pointing to the previously pushed amd64 and arm64 images.

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A workflow springs forth with manifest care,
Building images in architectures rare—
amd64 and arm64 unite,
In Docker registry, shining bright!
hop hop 🏗️

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: adding a test-releases.yaml workflow for testing branch code. It is concise, specific, and directly relates to the primary purpose of the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

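The calendar version the walkthrough describes is the branch name (slashes replaced by hyphens) joined to the run date as YYYY.MM.DD, and the result is then used as a Docker image tag. The function below is an added example, not code from the PR; it reproduces that computation in Python and goes one step further than the workflow's `tr '/' '-'` by enforcing Docker's tag rules (only `[A-Za-z0-9_.-]`, no leading `.` or `-`, at most 128 characters), so a branch name that the workflow would turn into an unpushable tag is caught when the version is computed rather than at push time. The branch names and the build date used for the demonstration are constructed.

```python
import re
from datetime import date

# Docker image tag rules (Docker tag reference): characters [A-Za-z0-9_.-],
# at most 128 characters, and the first character may not be '.' or '-'.
TAG_MAX_LEN = 128
INVALID_TAG_CHARS = re.compile(r"[^A-Za-z0-9_.-]")
VALID_TAG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")

# Constructed build date for the demonstration; the workflow uses the run date.
SAMPLE_DATE = date(2026, 5, 22)


def is_valid_tag(tag: str) -> bool:
    """True when the string is an acceptable Docker image tag."""
    return VALID_TAG.match(tag) is not None


def branch_to_tag_component(ref: str) -> str:
    """Mirror the workflow's ${GITHUB_REF#refs/heads/} | tr '/' '-' and go further:
    every character a tag may not contain becomes '-', and a leading '.' or '-' is dropped."""
    branch = ref.removeprefix("refs/heads/")
    component = INVALID_TAG_CHARS.sub("-", branch)
    return component.lstrip(".-")


def release_version(ref: str, build_date: date) -> str:
    """Compose '<branch component>-<YYYY.MM.DD>' as the workflow's calver step does.
    The branch component is truncated so the calendar suffix always survives; a ref
    that leaves no usable component (for example a branch made only of dots) raises."""
    calver = build_date.strftime("%Y.%m.%d")
    room = TAG_MAX_LEN - len(calver) - 1  # one character for the joining '-'
    tag = f"{branch_to_tag_component(ref)[:room]}-{calver}"
    if not is_valid_tag(tag):
        raise ValueError(f"{ref!r} does not yield a valid Docker tag: {tag!r}")
    return tag


if __name__ == "__main__":
    # Constructed refs: the PR's own branch, and one with a slash and a '+'.
    for ref in ("refs/heads/rds-proxy-complaince", "refs/heads/feature/rds+proxy"):
        print(ref, "->", release_version(ref, SAMPLE_DATE))
```

The truncation keeps the date suffix intact on purpose: when two long branch names collide after truncation the date still distinguishes builds from different days, which is the property the workflow relies on for a test release.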

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/test-releases.yaml (1)

15-80: 💤 Low value

Consider consolidating main branch protection.

The workflow has job-level if conditions at lines 15, 39, and 80 to prevent execution on main. While this is safe, it means manually triggering the workflow on main will result in all jobs being skipped with a "success" status, which could be confusing.

Consider one of these approaches:

  1. Remove the job-level conditions and rely only on the workflow-level trigger (but workflow_dispatch doesn't support branch filters)
  2. Keep only the first check at tag-release and let dependency propagation skip the rest
  3. Add a workflow-level guard job that fails early with a clear message

Current implementation is safe but may show unexpected "success" status when triggered on main.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-releases.yaml around lines 15 - 80, Add a single
guard job (e.g., fail-on-main) that runs first and fails with a clear message
when github.ref == 'refs/heads/main', then remove the duplicate job-level if:
github.ref != 'refs/heads/main' conditions from the tag-release, docker-build,
and create-manifest jobs so they rely on dependency propagation instead of
per-job guards; ensure the new guard job is listed as a dependency (needs) for
tag-release so it executes before the rest and produces an explicit failure
rather than multiple skipped-success jobs.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a2513721-8174-40ea-9945-8a78c02a78a3

📥 Commits

Reviewing files that changed from the base of the PR and between dddd1c6 and 2374235.

📒 Files selected for processing (1)
  • .github/workflows/test-releases.yaml

Comment on lines +19 to +23
- name: Fail if running on main branch # CHANGED: new guard step
if: github.ref == 'refs/heads/main'
run: |
echo "::error::Test releases cannot be triggered on the main branch."
exit 1

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove unreachable guard step.

This step will never execute because the job-level condition at line 15 (if: github.ref != 'refs/heads/main') already prevents the entire job from running on the main branch. The step is dead code.

🗑️ Proposed fix: remove the unreachable step
-            - name: Fail if running on main branch # CHANGED: new guard step
-              if: github.ref == 'refs/heads/main'
-              run: |
-                echo "::error::Test releases cannot be triggered on the main branch."
-                  exit 1
-
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-releases.yaml around lines 19 - 23, Remove the
unreachable step named "Fail if running on main branch" (the step with if:
github.ref == 'refs/heads/main' and run: echo "::error::Test releases cannot be
triggered on the main branch.") because the job already has a guard if:
github.ref != 'refs/heads/main' that prevents the job from running on main;
delete that entire step block to eliminate dead code and keep the workflow
concise.

Comment on lines +52 to +56
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.SUPERPOSITION_TOKEN }}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider setting persist-credentials: false for security.

Credentials persisted by the checkout action can leak through artifacts or logs. Unless you need Git credentials for subsequent steps (which doesn't appear to be the case here), set persist-credentials: false.

🔒 Proposed fix
             - name: Checkout repository
               uses: actions/checkout@v4
               with:
                   fetch-depth: 0
                   token: ${{ secrets.SUPERPOSITION_TOKEN }}
+                  persist-credentials: false

As per coding guidelines, static analysis tool zizmor flagged this as credential persistence risk (artipacked).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 52-56: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 53-53: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-releases.yaml around lines 52 - 56, The checkout step
("Checkout repository") uses actions/checkout@v4 without disabling credential
persistence, which can leak Git credentials; update that step to include
persist-credentials: false in the with block so the checkout action does not
store the token for subsequent steps (modify the "uses: actions/checkout@v4"
step to add persist-credentials: false alongside fetch-depth and token).

Comment on lines +53 to +69
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.SUPERPOSITION_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push production image
uses: docker/build-push-action@v6
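Review bot: the checkout here authenticates with a personal access token (`token: ${{ secrets.SUPERPOSITION_TOKEN }}`) rather than the job's `GITHUB_TOKEN`, and nothing in this hunk needs write access to Git. With `persist-credentials` left at its default, that PAT is written into `.git/config` in the workspace and is readable by every later step in the job, including the third-party actions referenced by mutable tags just below. Unless the full history fetch genuinely needs the PAT (a `fetch-depth: 0` of the same repository works with `GITHUB_TOKEN` and `contents: read`), drop the `token:` line; if it must stay, add a comment saying why and set `persist-credentials: false` so it does not outlive the checkout step.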

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin GitHub Actions to commit SHAs for supply chain security.

Actions are currently pinned to mutable tags (@v3, @v4, @v6) which can be moved by maintainers. Best practice is to pin to immutable commit SHAs to prevent supply chain attacks.

Example for line 53:

- name: Checkout repository
  uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

You can use a tool like pin-github-action to automate this, or manually look up the SHAs from the action repositories.

As per coding guidelines, static analysis tool zizmor flagged this as unpinned action references with blanket policy requirement.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 53-53: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 59-59: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 62-62: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 69-69: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-releases.yaml around lines 53 - 69, Replace mutable
action tags with immutable commit SHAs for supply-chain safety: update
actions/checkout@v4, docker/setup-buildx-action@v3, docker/login-action@v3, and
docker/build-push-action@v6 to their corresponding commit SHAs (e.g.,
actions/checkout@<sha>) by locating those uses in the workflow and substituting
the tag with the pinned SHA you fetch from each action repo (or use a pinning
tool), and optionally add a comment indicating the original tag and upstream
version for future maintenance.

Comment on lines +83 to +87
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.SUPERPOSITION_TOKEN }}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider setting persist-credentials: false for security.

Same issue as in the docker-build job - credentials persisted by checkout can leak through artifacts or logs. Set persist-credentials: false unless Git credentials are needed for subsequent steps.

🔒 Proposed fix
             - name: Checkout repository
               uses: actions/checkout@v4
               with:
                   fetch-depth: 0
                   token: ${{ secrets.SUPERPOSITION_TOKEN }}
+                  persist-credentials: false

As per coding guidelines, static analysis tool zizmor flagged this as credential persistence risk (artipacked).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 83-87: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 84-84: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-releases.yaml around lines 83 - 87, The checkout step
using actions/checkout@v4 currently leaves credentials persisted; update the
"Checkout repository" step (the actions/checkout@v4 invocation) to add
persist-credentials: false under its with: block so GitHub credentials are not
left in the workspace or artifacts unless later steps explicitly require them.
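Both checkout findings and the action-pinning finding above come down to the two workflow-hygiene rules zizmor enforces here: every `uses:` reference should resolve to an immutable commit SHA, and every `actions/checkout` step should set `persist-credentials: false`. The script below is an added example, not part of this PR and not zizmor's code; it runs those two checks over a constructed workflow fragment whose first checkout step has both defects and whose second is hardened (the `EXAMPLE_TOKEN` secret and the all-zero placeholder SHA are made up for the sample), so the rules can be applied to any workflow file before a review bot sees it.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample workflow, not the PR's file. Step one: mutable tag and
# credentials persisted. Step two: pinned to a (placeholder) SHA and hardened.
SAMPLE_WORKFLOW = """\
name: test-releases
on: workflow_dispatch
jobs:
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.EXAMPLE_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

  create-manifest:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@PLACEHOLDER_SHA # placeholder pin, stands in for a real v4.x SHA
        with:
          fetch-depth: 0
          persist-credentials: false

      - uses: ./.github/actions/local-helper
""".replace("PLACEHOLDER_SHA", "0" * 40)

USES_RE = re.compile(r"^(\s*)(?:-\s+)?uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*(#.*)?$")


def _key_indent(line: str) -> int:
    """Column of the 'uses' key, so '- uses:' and 'uses:' forms are treated alike."""
    m = USES_RE.match(line)
    return line[: m.start(2)].index("uses")


def _step_body(lines: List[str], start: int, key_indent: int) -> Iterator[str]:
    """Yield the lines that belong to the same step: non-blank lines indented at
    least as far as the step's keys. The next '- name:' or the next job sits at a
    smaller indent and ends the scan."""
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip(" ")) < key_indent:
            break
        yield line


def is_pinned(ref: str) -> bool:
    """Pinned means a full 40-hex commit SHA or a docker digest; local actions
    (./path) live in the same repository and are exempt."""
    if ref.startswith("./"):
        return True
    _, _, version = ref.rpartition("@")
    return bool(SHA_RE.match(version)) or version.startswith("sha256:")


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule, reference) findings: 'unpinned-uses' for a
    mutable tag or branch, 'artipacked' for a checkout that keeps credentials."""
    lines = text.splitlines()
    findings: List[Tuple[int, str, str]] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(2)
        if not is_pinned(ref):
            findings.append((i + 1, "unpinned-uses", ref))
        if ref.startswith("actions/checkout@"):
            body = list(_step_body(lines, i, _key_indent(line)))
            if not any(PERSIST_FALSE_RE.match(b) for b in body):
                findings.append((i + 1, "artipacked", ref))
    return findings


if __name__ == "__main__":
    for lineno, rule, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {rule}: {ref}")
```

The step-body scan is indentation based rather than a YAML parse, which is enough for the `- name:` / `uses:` / `with:` layout GitHub workflows use and keeps the script dependency-free; run `audit_workflow` over each file under `.github/workflows/` in CI and fail the job on any finding to get the same blanket policy zizmor applies in this review.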


Copilot AI left a comment


Pull request overview

Adds a manually triggered GitHub Actions workflow to build and publish “test release” container images from non-main branches, enabling infrastructure testing without merging to main.

Changes:

  • Introduces .github/workflows/test-releases.yaml workflow dispatch pipeline for non-main branches.
  • Generates a branch-based calver tag and builds/pushes per-arch images to GHCR.
  • Creates a multi-arch manifest tag that points to the per-arch images.


Comment on lines +12 to +14
permissions:
contents: write
id-token: write
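Review bot: this `permissions:` block omits `packages: write`, yet the docker-build job logs in to ghcr.io with `secrets.GITHUB_TOKEN` (see the lines +53 to +69 snippet); once a workflow declares `permissions:`, every scope it does not list is `none`, so the push to GHCR will be rejected unless `packages: write` is granted at the workflow level or on the jobs that push. In the other direction, nothing in the visible lines writes to the repository or requests an OIDC token, so `contents: write` and `id-token: write` look broader than the jobs need; `contents: read` plus `packages: write` is the least-privilege shape, and `id-token: write` should be added back only alongside the step that uses it.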
Comment on lines +19 to +24
- name: Fail if running on main branch # CHANGED: new guard step
if: github.ref == 'refs/heads/main'
run: |
echo "::error::Test releases cannot be triggered on the main branch."
exit 1

run: |
branch_name=$(echo "${GITHUB_REF#refs/heads/}" | tr '/' '-')
calver=$(date +'%Y.%m.%d')
version="${branch_name}-${calver}"
id: calver
shell: bash
run: |
branch_name=$(echo "${GITHUB_REF#refs/heads/}" | tr '/' '-')
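Review bot: `tr '/' '-'` only rewrites slashes, but the result is used as an image tag and Docker tags allow only `[A-Za-z0-9_.-]`, at most 128 characters, and no leading `.` or `-`; a branch such as `fix+retry`, one starting with `-`, or one longer than about 117 characters therefore makes the build-push step fail at push time. Since the step runs with `shell: bash`, `branch_name="${branch_name//[^A-Za-z0-9_.-]/-}"` followed by a length cap before appending `${calver}` closes that gap. The snippet also ends with `version` as a plain shell variable; for `tag-release` to expose it as the job output the other jobs consume, the step needs `echo "version=${version}" >> "$GITHUB_OUTPUT"` and a matching `outputs:` entry on the job (ignore this if it sits in the lines not shown here).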