chore: update workflow to run on demand

[pratapalakshmi]

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow configuration for Packer AMI build
  • Removed branch restriction for manual workflow dispatch
  • Improved YAML file formatting

[changeset-bot]

⚠️ No Changeset found

Latest commit: 5087321

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The pull request modifies the GitHub Actions workflow configuration for building AWS AMIs using Packer. The key change involves removing the branch specification under the workflow_dispatch trigger, which previously limited manual workflow execution to the prod branch. This modification allows more flexible manual triggering of the workflow across different branches. Additionally, the Assume Role step has been reformatted for improved YAML consistency, though its functional behavior remains unchanged.

Changes

File	Change Summary
.github/workflows/packer-build-ami.yml	Removed branch restriction for manual workflow dispatch; Reformatted Assume Role step indentation

Poem

🐰 A Packer's Tale of Freedom

Branches no longer bind my flow,
Workflow triggers now freely go!
With YAML neat and triggers bright,
My AMI build takes playful flight! 🚀

• Coded Rabbit 🐇

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/packer-build-ami.yml (1)

Line range hint 1-42: Consider adding workflow concurrency control.

To prevent concurrent AMI builds that might interfere with each other, consider adding a concurrency configuration.

Add this configuration at the workflow level:

name: Packer build AWS AMI's 
on: 
  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false

🧰 Tools

🪛 actionlint (1.7.4)

15-15: the runner of "actions/checkout@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d6f7267 and 5087321.

📒 Files selected for processing (1)

• .github/workflows/packer-build-ami.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Analyze (javascript)

🔇 Additional comments (2)

.github/workflows/packer-build-ami.yml (2)

Line range hint 2-3: Verify the security implications of unrestricted manual triggers.

Removing the branch restriction from workflow_dispatch allows manual triggering from any branch. While this provides flexibility, please ensure this aligns with your security requirements for AMI builds.

Consider these security aspects:

1. Who has permissions to trigger workflows manually?
2. Should AMI builds be restricted to specific branches?
3. Are there adequate controls in the environment configuration?

🧰 Tools

🪛 actionlint (1.7.4)

15-15: the runner of "actions/checkout@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

17-24: Review the role assumption duration and permissions.

The role assumption duration is set to 900 seconds (15 minutes). This follows the principle of least privilege by limiting the credential lifetime.

Run this script to check for any hardcoded AWS credentials or overly permissive IAM configurations:

✅ Verification successful

Role assumption configuration follows security best practices

The role assumption implementation in the workflow is secure and well-configured:

• Uses GitHub secrets for sensitive credentials
• Sets a reasonable session duration of 15 minutes
• Includes a clear session name for audit tracking
• No hardcoded credentials or concerning configurations found

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for AWS credentials and IAM configurations in the codebase

# Search for potential AWS credential patterns
echo "Checking for AWS credential patterns..."
rg -g '!.git' -i '(aws_access_key|aws_secret_key|arn:aws|AKIA[0-9A-Z]{16})'

# Search for IAM role configurations
echo "Checking for IAM role configurations..."
rg -g '!.git' -i '(assume.*role|iam.*role|role.*arn)'

Length of output: 311

---

Script:

#!/bin/bash
# Find and examine the action implementation and workflow files
echo "Checking action implementation..."
fd "action.yml|action.yaml" --type f --exec cat {}

echo -e "\nChecking workflow files..."
fd "\.ya?ml$" --type f -p ".github/workflows" --exec cat {}

echo -e "\nChecking for role configurations in YAML files..."
fd "\.ya?ml$" --type f --exec grep -i -A 5 -B 5 "role" {}

Length of output: 93210

---

Script:

#!/bin/bash
# Find and examine the local action implementation
echo "Checking action.yml in repository root..."
cat action.yml 2>/dev/null || cat action.yaml 2>/dev/null

echo -e "\nChecking for role-related files..."
fd -t f -e yml -e yaml -e json . --exec grep -l "role" {} || true

echo -e "\nChecking for AWS assume role implementations..."
fd -t f . --exec grep -l "AssumeRole" {} || true

Length of output: 710

---

Script:

#!/bin/bash
echo "Checking content of role-related files..."

echo -e "\nChecking ballerine-playbook.yml..."
cat deploy/ansible/ballerine_playbook/ballerine-playbook.yml 2>/dev/null

echo -e "\nChecking grants.json..."
cat services/workflows-service/src/grants.json 2>/dev/null

echo -e "\nChecking for AWS role assumption in workflow file..."
cat .github/workflows/packer-build-ami.yml 2>/dev/null

echo -e "\nChecking for AWS SDK or role assumption code..."
find . -type f -name "*.js" -o -name "*.ts" | xargs grep -l "AWS.STS\|AssumeRole" 2>/dev/null || true

Length of output: 2916