fix(ci): link digest-pinned evidence ref in UAT summaries #1498
The UAT Actions summaries rebuilt a mutable
`…aicr-evidence/<recipe>:run-${{ github.run_id }}` OCI tag, which can
drift from the actual bundle if the naming scheme changes or the tag is
repointed — pointing reviewers at the wrong artifact while ingest uses
the verified digest.
Print the digest-pinned `steps.evidence_ref.outputs.ref` instead — the
same validated, immutable ref the ingest job consumes — and guard the
line on that ref being non-empty so the summary degrades cleanly when no
bundle was produced.
Signed-off-by: Nathan Hensley <[email protected]>
No actionable comments were generated in the recent review.
Walkthrough
The UAT AWS and GCP workflow summaries now conditionally print the Evidence (OCI) line only when
Estimated code review effort: 2 (Simple) | ~8 minutes
Pre-merge checks: 4 passed
mchmarny left a comment
Right fix — the summary now links the same validated, digest-pinned ref (`steps.evidence_ref.outputs.ref`) that ingest consumes, instead of rebuilding a mutable `:run-` tag that could drift. Confirmed `evidence_ref` and the summary step live in the same job in both workflows, so the output reference resolves. The `-n` guard is also a strict improvement over `conformance.outcome == 'success'`: it degrades cleanly when no bundle was produced. LGTM.
Summary
Print the digest-pinned evidence bundle ref in the UAT (AWS + GCP) Actions summaries instead of a reconstructed mutable `:run-<run_id>` OCI tag.
Motivation / Context
Follow-up to the GP2 evidence-ingest work (#1402 / #1484). CodeRabbit flagged that the UAT summaries rebuilt a mutable `…aicr-evidence/<recipe>:run-${{ github.run_id }}` tag for the human-facing "Evidence (OCI)" link. That tag can drift from the actual bundle if the naming scheme changes or the tag is later repointed, sending reviewers to the wrong artifact — while ingest itself already uses the verified digest. Both jobs already export the validated, digest-pinned ref via `steps.evidence_ref.outputs.ref` (the same value fed to the `ingest-evidence` job), so the summary should use it too.
Fixes: N/A
Related: #1484, #1402
Type of Change
Component(s) Affected
.github/workflows/uat-aws.yaml, .github/workflows/uat-gcp.yaml)
Implementation Notes
`…:run-${{ github.run_id }}` string with `${{ steps.evidence_ref.outputs.ref }}` in both summary steps.
`conformance.outcome == 'success'` to `-n <ref>`: the ref is non-empty only when conformance succeeded and a bundle was produced, so the summary degrades cleanly (no empty `Evidence (OCI): ``) when no bundle exists.
Testing
yamllint .github/workflows/uat-aws.yaml .github/workflows/uat-gcp.yaml # clean
No Go changes; this is a workflow-summary string fix only. The summaries render at runtime, exercised by the scheduled UAT runs.
Risk Assessment
Rollout notes: N/A — cosmetic/summary-only; ingest behavior is unchanged.
Checklist
make test with -race) — N/A, no Go changes
make lint) — yamllint clean on both files
git commit -S)
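The non-empty guard described in this PR, as an added shell example (not the project's workflow code): it emits the "Evidence (OCI)" line only when a ref exists, and goes one step further than the PR by also rejecting a ref that is not pinned by a `sha256` digest. The function names, the `registry.example/...` refs and the digest-format check are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names and sample refs are hypothetical/constructed.

# Return 0 only if the ref is pinned by digest: <repo>@sha256:<64 lowercase hex>.
is_digest_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${1##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;   # any non-hex character disqualifies the ref
  esac
  return 0
}

# Print the summary line for a ref, or nothing when no bundle was produced.
# Exit status 2 flags a non-empty ref that is not digest-pinned (assumed policy).
evidence_summary_line() {
  ref="$1"
  if [ -z "$ref" ]; then
    return 0                   # no bundle: emit no line at all
  fi
  if ! is_digest_pinned "$ref"; then
    echo "refusing to link mutable ref: $ref" >&2
    return 2
  fi
  printf 'Evidence (OCI): `%s`\n' "$ref"
}

# Constructed sample values: a pinned ref, a mutable run tag, and "no bundle".
# In a workflow step the output would be appended to "$GITHUB_STEP_SUMMARY".
pinned="registry.example/evidence/demo@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
for r in "$pinned" "registry.example/evidence/demo:run-12345" ""; do
  evidence_summary_line "$r" || echo "(no link emitted)"
done
```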