fix(ci): require RAG_QUERY_HASH_SECRET for deployment boot smoke#429
Conversation
Production instrumentation now requires a query-hash secret (PIA-2). The deployment boot smoke starts next start in production mode but only stubbed Supabase/OpenAI placeholders, so main CI verify failed after the privacy guard landed. Add a matching placeholder so the smoke can still verify /api/local-project-id without a real secret. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0827b687c0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Address Codex review: wire the query-hash secret through CI as a required repository secret instead of stubbing a placeholder in the smoke script. Also document the secret alongside the other boot-smoke GitHub secrets. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
📝 WalkthroughWalkthroughAdds RAG_QUERY_HASH_SECRET as a required deployment boot smoke secret, wires it into the CI workflow, and updates deployment and observability documentation to list it as a required secret. ChangesRAG_QUERY_HASH_SECRET requirement
Estimated code review effort: 1 (Trivial) | ~5 minutes Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 1 warning)
✅ Passed checks (9 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
docs/deployment-architecture.md (1)
187-187: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAnnotation omits eval canary, inconsistent with observability-slos.md.
The
SUPABASE_SERVICE_ROLE_KEYrow (Line 183) notes "CI boot smoke + eval canary", but this new row only says "(CI boot smoke)" even thoughdocs/observability-slos.md(Lines 149-152, same PR) listsRAG_QUERY_HASH_SECRETas required for the eval canary too.📝 Proposed fix
-| `RAG_QUERY_HASH_SECRET` | high | runtime | host secret store; GitHub repo secret (CI boot smoke) | +| `RAG_QUERY_HASH_SECRET` | high | runtime | host secret store; GitHub repo secret (CI boot smoke + eval canary) |🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/deployment-architecture.md` at line 187, The RAG_QUERY_HASH_SECRET row is missing the eval canary annotation, making it inconsistent with the related secret requirements. Update the annotation in the deployment-architecture table for RAG_QUERY_HASH_SECRET to match the usage described in observability-slos.md, using the same style as the SUPABASE_SERVICE_ROLE_KEY entry so it clearly indicates both CI boot smoke and eval canary.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/observability-slos.md`:
- Around line 149-153: The required-secret list in the observability SLOs doc is
out of sync with eval-canary’s actual preflight checks. Update the doc to match
the current `eval-canary.yml` behavior by listing only the secrets it really
validates via its preflight, or first add the missing `RAG_QUERY_HASH_SECRET`
and eval owner wiring to the workflow and then keep the doc aligned. Use the
`eval-canary.yml` workflow and the required-repo-secrets section in this doc as
the sources of truth.
---
Nitpick comments:
In `@docs/deployment-architecture.md`:
- Line 187: The RAG_QUERY_HASH_SECRET row is missing the eval canary annotation,
making it inconsistent with the related secret requirements. Update the
annotation in the deployment-architecture table for RAG_QUERY_HASH_SECRET to
match the usage described in observability-slos.md, using the same style as the
SUPABASE_SERVICE_ROLE_KEY entry so it clearly indicates both CI boot smoke and
eval canary.
🪄 Autofix (Beta)
❌ Autofix failed (check again to retry)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 2559fa20-6733-4e3a-96af-b5ad1954ad06
📒 Files selected for processing (4)
.github/workflows/ci.ymldocs/deployment-architecture.mddocs/observability-slos.mdscripts/deployment-boot-smoke.mjs
|
Note Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. The branch was updated while autofix was in progress. Please try again. |
The observability SLO doc incorrectly listed RAG_QUERY_HASH_SECRET as required for eval-canary.yml; only boot smoke needs it. Trim the doc to match the workflow's actual preflight checks. Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
Summary
Fixes the main CI
verifyfailure after production instrumentation began requiringRAG_QUERY_HASH_SECRET(PIA-2).After #426 merged, deployment boot smoke failed with:
Changes
scripts/deployment-boot-smoke.mjs: addRAG_QUERY_HASH_SECRETtorequiredProductionEnv(no placeholder fallback — fails closed when absent)..github/workflows/ci.yml: passsecrets.RAG_QUERY_HASH_SECRETinto the boot-smoke step alongside the other production secrets.RAG_QUERY_HASH_SECRETamong required GitHub repo secrets for boot smoke.Review feedback addressed
ChatGPT P1: require the real query-hash secret in boot smoke instead of defaulting a placeholder that would let a missing production secret slip through CI.
CodeRabbit: keep
observability-slos.mdeval-canary secret list aligned witheval-canary.ymlpreflight (boot smoke only needsRAG_QUERY_HASH_SECRET).Verification
SUPABASE_SERVICE_ROLE_KEY=… OPENAI_API_KEY=… RAG_QUERY_HASH_SECRET=… npm run check:deployment-readiness— passRAG_QUERY_HASH_SECRET— explicit missing-env errorverify— passOps note
Ensure
RAG_QUERY_HASH_SECRET(min 16 chars) is configured as a GitHub Actions repository secret before merging tomain.