
ADFA-3989: Fix missing AWS CLI in weekly release yaml#1338

Closed
Daniel-ADFA wants to merge 197 commits into stage from ADFA-3989-fix-aws

Conversation

@Daniel-ADFA
Contributor

No description provided.

@coderabbitai
Contributor

coderabbitai Bot commented May 26, 2026

📝 Walkthrough

Release Notes

Changes

  • Added AWS CLI 2 to Flox base environment - Added awscli2 package to flox/base/.flox/env/manifest.toml with updated lock file containing package details for all supported architectures (aarch64-darwin, aarch64-linux, x86_64-darwin, x86_64-linux)

  • Updated GitHub Actions workflow checkout steps - Removed explicit ref: main override from four actions/checkout@v4 steps in the prepare, pull-apk, build, and cleanup jobs, allowing these steps to use the current branch context instead of always checking out main

  • Enhanced upload-r2 job - Added missing actions/checkout@v4 step at the start of the upload-r2 job with persist-credentials: false

  • Added Flox environment activation to R2 upload step - Applied shell: flox activate -d flox/base -- bash -eo pipefail {0} override to the "Upload to Cloudflare R2" step to ensure AWS CLI and other Flox-managed dependencies are available during execution

Risks & Best Practices Violations

  • ⚠️ Checkout behavior change - Removing ref: main from multiple checkout steps changes the workflow's behavior to use the current branch context rather than always checking out the main branch. This could introduce unexpected behavior if the workflow is executed from non-main branches. Verify that this change is intentional and that all workflow steps are compatible with checking out other branch revisions.

  • ⚠️ Missing explicit checkout reference in upload-r2 - The new checkout step in upload-r2 job does not specify ref: main or any explicit reference, creating inconsistency with what the workflow may expect to be available at that stage. Consider documenting the expected branch/ref context for this job.

  • ⚠️ Added shell dependency - The R2 upload step now depends on Flox environment activation. Ensure that the flox/base environment is properly maintained and that CI runners have Flox installed and configured correctly.

Walkthrough

This PR normalizes checkout behavior across multiple GitHub Actions jobs by removing explicit ref: main overrides, configures the upload-r2 job to handle credentials securely and execute within a Flox environment, and adds the awscli2 package dependency to support those updates.

Changes

GitHub Actions workflow and Flox manifest updates

Layer: Checkout ref normalization across jobs
File(s): .github/workflows/weekly-release.yml
Summary: ref: main is removed from actions/checkout@v4 steps in the prepare, pull-apk, release-codeonthego, and finalize jobs, allowing default branch-based checkout.

Layer: R2 upload job setup with Flox shell and awscli2
File(s): .github/workflows/weekly-release.yml, flox/base/.flox/env/manifest.toml
Summary: The upload-r2 job gains an initial checkout step with persist-credentials: false, and the subsequent R2 upload step is wrapped in a Flox environment shell. awscli2.pkg-path is added to the Flox manifest so the tool is available within that shell.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • appdevforall/CodeOnTheGo#1290: Both PRs modify the .github/workflows/weekly-release.yml job logic involved in uploading artifacts/APKs to Cloudflare R2.
  • appdevforall/CodeOnTheGo#1328: Both PRs modify .github/workflows/weekly-release.yml's actions/checkout@v4 usage and step shell wrapping.

Suggested reviewers

  • dara-abijo-adfa
  • jatezzz

Poem

🐰 A checkout cleanup hops along,
Removing refs that don't belong,
Upload to R2 with Flox's might,
AWS tools shining bright!
The workflow flows more right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive
  Explanation: No pull request description was provided by the author, making it impossible to evaluate whether the description relates to the changeset.
  Resolution: Add a description explaining the issue being fixed, the changes made, and any testing performed.

✅ Passed checks (4 passed)

Title check: ✅ Passed
  Explanation: The title clearly identifies the specific issue (missing AWS CLI) and the file affected (weekly release yaml), directly matching the changeset that adds AWS CLI to the manifest.
Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed
  Explanation: Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed
  Explanation: Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/weekly-release.yml:
- Around line 228-230: Replace all mutable references to "uses:
actions/checkout@v4" in the workflows with a vetted 40-character commit SHA
(e.g. "actions/checkout@<40-char-sha>"); find each occurrence of the literal
"uses: actions/checkout@v4" and substitute the tag with the immutable commit
SHA, keeping the step parameters (like persist-credentials) unchanged, and
ensure every occurrence is updated consistently across all workflow files.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 20824208-b699-46bc-a8d0-3a9d9eb3bbf4

📥 Commits

Reviewing files that changed from the base of the PR and between a331093 and 269bf2a.

⛔ Files ignored due to path filters (1)
  • flox/base/.flox/env/manifest.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • .github/workflows/weekly-release.yml
  • flox/base/.flox/env/manifest.toml

Comment on lines +228 to +230
- uses: actions/checkout@v4
with:
persist-credentials: false

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify unpinned GitHub Actions references in workflow files.
# Expected after fix: no output for the updated line.
rg -nP '^\s*-\s+uses:\s+\S+@(?!(?:[0-9a-f]{40})\b)\S+' .github/workflows

Repository: appdevforall/CodeOnTheGo

Length of output: 519


Pin actions/checkout to an immutable commit SHA (multiple occurrences).

Unpinned actions/checkout@v4 is used in:

  • .github/workflows/weekly-release.yml at lines 23, 79, 184, 228, 271
  • .github/workflows/release-plugin-api.yml at line 20

Use a vetted 40-char commit SHA instead of the mutable tag.

Suggested change
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<audited-actions-checkout-v4-sha>
         with:
           persist-credentials: false
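Review bot: the replacement ref `<audited-actions-checkout-v4-sha>` on the `+` line is a placeholder, not a resolvable ref, so the workflow will fail at the checkout step until it is substituted with the actual 40-hex commit SHA of the audited actions/checkout v4 release; keep the human-readable version as a trailing comment (`- uses: actions/checkout@<40-hex-sha> # v4`) so the pin stays reviewable and update tooling can track it. Note also that this suggestion covers only line 228; the finding itself lists five further unpinned occurrences (weekly-release.yml lines 23, 79, 184, 271 and release-plugin-api.yml line 20) that need the same change.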
🧰 Tools
🪛 zizmor (1.25.2)

[error] 228-228: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/weekly-release.yml around lines 228 - 230, Replace all
mutable references to "uses: actions/checkout@v4" in the workflows with a vetted
40-character commit SHA (e.g. "actions/checkout@<40-char-sha>"); find each
occurrence of the literal "uses: actions/checkout@v4" and substitute the tag
with the immutable commit SHA, keeping the step parameters (like
persist-credentials) unchanged, and ensure every occurrence is updated
consistently across all workflow files.
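The check CodeRabbit ran above relies on ripgrep's PCRE lookahead. The following is an added example (not part of the PR or of CodeRabbit's output) that implements the same "unpinned `uses:` reference" detection with plain awk, so it can run in a pre-commit hook or CI step without ripgrep; the sample workflow, including its 40-hex SHA, is constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of the PR or of CodeRabbit's review output.
# Lists `uses:` references in GitHub Actions workflow files whose ref is not a
# 40-hex commit SHA, the same condition as the review's rg check, implemented
# with awk so it runs where ripgrep (PCRE lookahead) is unavailable.

# Print "file:line:owner/repo@ref" for every `uses:` step not pinned to a full SHA.
# Steps without an "@" (docker://, ./local actions) are outside this check.
find_unpinned() {
    awk '
        match($0, /^[ \t]*-?[ \t]*uses:[ \t]+[^ \t]+@[^ \t]+/) {
            line = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]*-?[ \t]*uses:[ \t]+/, "", line)
            ref = line
            sub(/^[^@]*@/, "", ref)
            # A pin is exactly 40 lowercase hex characters; anything else is mutable.
            if (!(length(ref) == 40 && ref ~ /^[0-9a-f]+$/))
                printf "%s:%d:%s\n", FILENAME, FNR, line
        }' "$@"
}

# Constructed sample: the hunk under review plus a SHA-pinned step (the SHA is a
# made-up placeholder, not a real actions/setup-node commit) and a docker step.
sample_workflow() {
    cat <<'EOF'
jobs:
  upload-r2:
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: docker://alpine:3.19
EOF
}

# Run the check over the constructed sample and return its report:
# only the actions/checkout@v4 line (sample line 4) is reported.
sample_report() {
    local tmp
    tmp=$(mktemp)
    sample_workflow > "$tmp"
    find_unpinned "$tmp"
    rm -f "$tmp"
}
```

Run `find_unpinned .github/workflows/*.yml` against a real checkout; a non-empty report is the condition to fail a CI gate on.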
