
Conversation


@grahamc grahamc commented Dec 17, 2025

Summary by CodeRabbit

  • Chores
    • Release workflow now uses an environment-based release gate instead of a branch push condition.
    • Upload-to-storage step input names were clarified (role and bucket identifiers renamed) to improve configuration clarity.
    • Removed obsolete commented note about upload-on-merge behavior.



coderabbitai bot commented Dec 17, 2025

Walkthrough

Replaces the if: github.event_name == 'push' && github.ref == 'refs/heads/main' guard on the upload-artifacts-to-s3 job with environment: release, and renames two Upload to S3 step inputs: s3_upload_role → AWS_S3_UPLOAD_ROLE_ARN and bucket → AWS_S3_UPLOAD_BUCKET_NAME.

Changes

Cohort / File(s) Summary
GitHub Actions workflow configuration
.github/workflows/build-and-release.yml
Removed if: github.event_name == 'push' && github.ref == 'refs/heads/main' from the upload-artifacts-to-s3 job, added environment: release, and updated Upload to S3 step inputs to use ${{ secrets.AWS_S3_UPLOAD_ROLE_ARN }} and ${{ secrets.AWS_S3_UPLOAD_BUCKET_NAME }}.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify environment release exists and its protection/approval settings.
  • Confirm secrets AWS_S3_UPLOAD_ROLE_ARN and AWS_S3_UPLOAD_BUCKET_NAME are defined and used correctly.

Suggested reviewers

  • colemickens

Poem

🐰 I hopped through YAML in the night,
Swapped a guard for "release" — neat and light.
Role ARN and bucket named with care,
Artifacts ready, floating on air. ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately and specifically describes the main change: updating the upload-to-s3 job execution to use the release environment instead of a conditional check on push-to-main.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a5f3e9c and fba94e8.

📒 Files selected for processing (1)
  • .github/workflows/build-and-release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-artifacts (aarch64-darwin, macos-latest-xlarge, flake-iter-ARM64-macOS)
  • GitHub Check: flake-check
  • GitHub Check: rust-fmt-and-clippy
🔇 Additional comments (1)
.github/workflows/build-and-release.yml (1)

57-57: Verify that the release environment has proper protection rules configured.

Replacing the explicit conditional (if: github.event_name == 'push' && github.ref == 'refs/heads/main') with environment-based gating changes the job's execution model. The job will now attempt to run for all workflow triggers (including pull_request events), and the release environment's protection rules must prevent unauthorized execution.

Ensure the release environment is configured with:

  • Branch restrictions limited to main
  • Required reviewers (if manual approval is desired)
  • Prevention of access from forked PRs

Without these safeguards, secrets (AWS_S3_UPLOAD_ROLE, AWS_S3_UPLOAD_BUCKET) and S3 upload permissions could be exposed to untrusted code.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/build-and-release.yml (1)

54-56: Consider adding a comment to document the environment-based gating.

The past review mentioned an outdated comment "Upload only on PR merge" that has been removed. While removing misleading comments is appropriate, the new environment-based gating approach is less self-evident than the previous explicit conditional. Consider adding a brief comment to document the behavior.

Apply this diff to add a clarifying comment:

   upload-artifacts-to-s3:
     needs: build-artifacts
+    # Gated by 'release' environment protection rules
     environment: release
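Review bot: the added comment `# Gated by 'release' environment protection rules` names the mechanism but not the consequence a reader of this file needs: with no `if:` left on the job, it is scheduled on every trigger of this workflow and only the environment's deployment branch policy and required reviewers decide whether the upload proceeds. Suggest wording along the lines of `# Runs on every trigger; the 'release' environment's branch policy and required reviewers gate the upload`, so the dependency on repository settings that are not versioned with this file is explicit.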
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fba94e8 and 3fba003.

📒 Files selected for processing (1)
  • .github/workflows/build-and-release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-artifacts (aarch64-darwin, macos-latest-xlarge, flake-iter-ARM64-macOS)
  • GitHub Check: flake-check
  • GitHub Check: rust-fmt-and-clippy

needs: build-artifacts
# Upload only on PR merge
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
environment: release
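Review bot: dropping `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` in favour of `environment: release` moves the only gate out of this file into environment settings that are not reviewed with the code; an environment with no deployment branch policy accepts any branch, and the `needs: build-artifacts` line means the job is still scheduled on every run. Until the `release` environment is confirmed to restrict deployments to `main`, keeping the `if:` line alongside `environment: release` gives two independent checks and changes nothing for push-to-main runs.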

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Read the workflow file to understand context
cat -n .github/workflows/build-and-release.yml

Repository: DeterminateSystems/flake-iter

Length of output: 2783


🏁 Script executed:

# Check for environment configuration files
find .github -name "*environment*" -o -name "*release*" 2>/dev/null | head -20
ls -la .github/ 2>/dev/null

Repository: DeterminateSystems/flake-iter

Length of output: 279


🏁 Script executed:

# Search for references to 'release' environment or environment setup
rg "release.*environment|environment.*release" --type md --type txt --type yml -i
# Check if README mentions environment setup
cat README.md 2>/dev/null | head -100

Repository: DeterminateSystems/flake-iter

Length of output: 1445


Verify the release environment exists and is configured with branch restrictions to main.

This change significantly alters job execution behavior:

  • Previous behavior: Job only ran on push to main (explicit conditional)
  • New behavior: Job attempts to run on all triggers (including PRs, workflow_dispatch) but is gated by the release environment's protection rules

If the release environment doesn't exist, GitHub will automatically create it with no protection rules configured, which means all branches can deploy and uploads could occur from feature branches.

Confirm:

  • The release environment exists and is configured in repository settings
  • It has branch restrictions limited to main
  • The change in PR check behavior (upload job showing as pending) is intentional
🤖 Prompt for AI Agents
.github/workflows/build-and-release.yml around line 56: the job now uses
environment: release which will cause the job to be gated by a GitHub
Environment rather than only running on pushes to main; verify the release
environment exists in repository settings and configure its protection to
restrict deployments to the main branch (add branch protection rules to only
allow main), or if this gating was not intended revert the change to keep the
previous conditional that ran the job only on pushes to main; also confirm the
altered PR check behavior (upload job showing as pending) is intentional with
stakeholders.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/build-and-release.yml (1)

56-56: Verify the release environment is configured with proper branch restrictions.

This change replaces explicit conditional logic with environment-based gating. As previously noted, if the release environment doesn't exist or lacks protection rules, uploads could execute from any branch, including PRs.

Confirm that the release environment:

  • Exists in repository settings
  • Has branch protection limiting deployments to main only
  • Has appropriate approval requirements if needed

Run the following to check if the environment is configured:

#!/bin/bash
# Check if the release environment exists and its configuration
gh api repos/DeterminateSystems/flake-iter/environments/release --jq '{name: .name, protection_rules: .protection_rules, deployment_branch_policy: .deployment_branch_policy}'
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3fba003 and de5f9ea.

📒 Files selected for processing (1)
  • .github/workflows/build-and-release.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-artifacts (aarch64-darwin, macos-latest-xlarge, flake-iter-ARM64-macOS)
  • GitHub Check: rust-fmt-and-clippy
  • GitHub Check: flake-check
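The two review comments above ("Verify the release environment exists and is configured with branch restrictions to main" and the duplicate note with the `gh api` one-liner) both reduce to the same check: does the `release` environment have a deployment branch policy limited to `main`, and does it require reviewers. The script below evaluates that from the JSON the `gh api repos/OWNER/REPO/environments/NAME` command returns. It is an added example, not code from the flake-iter repository or from CodeRabbit; the field names (`protection_rules`, `deployment_branch_policy`, `protected_branches`, `custom_branch_policies`, `required_reviewers`) are those of the GitHub REST API, the separate `deployment-branch-policies` endpoint supplies the allowed branch names when custom policies are enabled, and the two sample responses embedded at the bottom are constructed for this example.

```python
"""Assess a GitHub environment's protection settings for the gaps the review
describes: no deployment branch policy, a policy not limited to main, and no
required reviewers.

Added example (not flake-iter or CodeRabbit code). Input is the JSON from
`gh api repos/OWNER/REPO/environments/NAME`; when custom branch policies are
enabled, the allowed names come from
`gh api repos/OWNER/REPO/environments/NAME/deployment-branch-policies`.
"""
import json
from typing import Dict, List, Optional, Tuple


def assess_environment(env: Dict, required_branch: str = "main",
                       custom_policy_names: Optional[List[str]] = None) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. An empty list means only
    `required_branch` can deploy and a reviewer must approve each deployment."""
    findings: List[Tuple[str, str]] = []
    rule_types = {rule.get("type") for rule in env.get("protection_rules") or []}

    policy = env.get("deployment_branch_policy")
    if policy is None:
        # GitHub's "All branches" mode: the environment and its secrets are
        # reachable from any ref. This is what an auto-created environment gets.
        findings.append(("high", "deployment_branch_policy is null: any branch can deploy"))
    elif policy.get("custom_branch_policies"):
        names = custom_policy_names or []
        if names != [required_branch]:
            findings.append(("high",
                             f"custom branch policies {names} are not limited to {required_branch!r}"))
    elif policy.get("protected_branches"):
        # "Protected branches" mode admits every branch that has a branch
        # protection rule, which may be more than main.
        findings.append(("medium",
                         f"protected-branches mode: any protected branch, not only "
                         f"{required_branch!r}, can deploy"))
    else:
        findings.append(("high", "deployment_branch_policy has neither mode enabled"))

    if "required_reviewers" not in rule_types:
        findings.append(("medium", "no required_reviewers rule: deployments are not manually approved"))
    return findings


def assess_environment_json(text: str, required_branch: str = "main",
                            policies_text: Optional[str] = None) -> List[Tuple[str, str]]:
    """Wrapper over the raw `gh api` outputs (environment JSON, optional
    deployment-branch-policies JSON)."""
    env = json.loads(text)
    names = None
    if policies_text is not None:
        names = [p["name"] for p in json.loads(policies_text).get("branch_policies", [])]
    return assess_environment(env, required_branch, names)


# Constructed sample: an environment right after GitHub auto-created it
# because a workflow referenced `environment: release`.
AUTO_CREATED_RELEASE = json.dumps({
    "name": "release",
    "protection_rules": [],
    "deployment_branch_policy": None,
})

# Constructed sample: the configuration the review asks for.
HARDENED_RELEASE = json.dumps({
    "name": "release",
    "protection_rules": [{"type": "required_reviewers", "reviewers": [{"type": "User"}]}],
    "deployment_branch_policy": {"protected_branches": False, "custom_branch_policies": True},
})
HARDENED_POLICIES = json.dumps({"total_count": 1, "branch_policies": [{"name": "main"}]})


if __name__ == "__main__":
    for label, text, policies in (("auto-created", AUTO_CREATED_RELEASE, None),
                                  ("hardened", HARDENED_RELEASE, HARDENED_POLICIES)):
        result = assess_environment_json(text, policies_text=policies)
        print(f"{label}: {'OK' if not result else ''}")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```

Fed the output of the `gh api` command from the comment above (and, for custom policies, the `deployment-branch-policies` output), the script prints the gaps that would let the upload job run from a branch other than `main`; an empty result for `release` is the state the reviewers asked to confirm before relying on `environment: release` as the only gate.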

@lucperkins lucperkins merged commit 8ece199 into main Dec 17, 2025
7 checks passed
@lucperkins lucperkins deleted the grahamc-patch-1 branch December 17, 2025 14:53


3 participants