feat(ci): build depot snapshot for all runs #3393
1 issue found across 5 files
Confidence score: 3/5
- There is a meaningful regression risk in `.github/workflows/build-ci-image.yml`: adding Depot snapshot/push without verified API key permissions can cause CI image build/push steps to fail after merge.
- The issue is high-confidence and medium-high severity (7/10, 9/10), so this is more than a housekeeping concern even though it appears limited to pipeline behavior rather than application runtime logic.
- This should be straightforward to de-risk by validating the production key scopes before rollout; once confirmed, merge risk drops significantly.
- Pay close attention to `.github/workflows/build-ci-image.yml` - ensure the production API key has the required Depot permissions for snapshot/push actions.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/build-ci-image.yml">
<violation number="1" location=".github/workflows/build-ci-image.yml:38">
P1: Custom agent: **API Key Permission Check SDK Methods**
This PR introduces Depot’s snapshot/push action, but there is no confirmation that the existing production API key has the required permissions for this new operation. Please verify key scopes before rollout to avoid permission-related CI failures.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| - name: Install Playwright browsers with system deps | ||
| run: pnpm exec playwright install --with-deps chromium | ||
| - name: Snapshot and push image | ||
| uses: depot/snapshot-action@b11edd94cf3edbcab102fc45e695c2967953e177 |
P1: Custom agent: API Key Permission Check SDK Methods
This PR introduces Depot’s snapshot/push action, but there is no confirmation that the existing production API key has the required permissions for this new operation. Please verify key scopes before rollout to avoid permission-related CI failures.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/build-ci-image.yml, line 38:
<comment>This PR introduces Depot’s snapshot/push action, but there is no confirmation that the existing production API key has the required permissions for this new operation. Please verify key scopes before rollout to avoid permission-related CI failures.</comment>
<file context>
@@ -0,0 +1,40 @@
+ - name: Install Playwright browsers with system deps
+ run: pnpm exec playwright install --with-deps chromium
+ - name: Snapshot and push image
+ uses: depot/snapshot-action@b11edd94cf3edbcab102fc45e695c2967953e177
+ with:
+ image: ${{ vars.DEPOT_ORG_ID }}.registry.depot.dev/react-email-ci:latest
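Review bot: The `image:` line at the end of this hunk publishes to the mutable tag `react-email-ci:latest`, so any job that pulls that tag runs whatever snapshot was pushed last, and a bad build reaches every consumer with no record of which image a given run used. Consider publishing an immutable tag alongside it (for example one derived from `${{ github.sha }}`) and having the consuming workflows reference that tag or the image digest. The `uses:` line is already pinned to a full commit SHA; a trailing comment naming the release that SHA corresponds to would make later bumps easier to review.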
</file context>
Summary by cubic
Standardizes CI on a prebuilt Depot image with Node 22, warmed `pnpm` store, and `Playwright` browsers to speed up runs and reduce flakiness. Adds an automated workflow to build and push this image on schedule and on `canary`.

New Features
- `.github/workflows/build-ci-image.yml` to build and push a Depot snapshot image on `canary`, weekly, and on demand.
- `pnpm` store, and `Playwright` Chromium with system deps at `/opt/playwright`.
- `depot/snapshot-action` to publish `${{ vars.DEPOT_ORG_ID }}.registry.depot.dev/react-email-ci:latest`.

Refactors
- `tests`, `e2e`, `lint`, and `pin-dependencies-check` to Depot runners with `image: .../react-email-ci:latest` (`8x16` or `2x8`).
- `pnpm/action-setup`; rely on the prebuilt image.
- `PLAYWRIGHT_BROWSERS_PATH=/opt/playwright` for tests.

Written for commit 7294808. Summary will update on new commits.