semaphore: fix status reporting for pipelines

[Yashprime1]

SNE-50382

Summary by CodeRabbit

• Chores
  • Hardened staging and production deployment scripts to fail fast on errors, improving deployment reliability.
  • Consolidated build commands in CI into a single script with stricter error handling.
  • Minor formatting adjustments to pipeline scripts without functional changes to deployment steps.
  • No user-facing behavior changes; release process resilience improved.
  • No changes to features, performance, or APIs.

[coderabbitai]

Walkthrough

Introduces strict shell error handling (set -euo pipefail) in staging and production deploy scripts and consolidates build commands into a single multiline script with the same strict mode in the main Semaphore pipeline. No functional command changes; indentation and script block structure adjusted.

Changes

Cohort / File(s)	Summary
Build pipeline script consolidation .semaphore/semaphore.yml	Replaces separate npm commands with a single multiline script block starting with set -euo pipefail, then runs npm install and npm run build_sw. Artifact steps unchanged.
Deploy scripts strict mode .semaphore/production-deploy.yml, .semaphore/staging-deploy.yml	Adds set -euo pipefail at the start of Deploy Assets script blocks. All AWS S3 sync and CloudFront invalidation commands remain unchanged; only error handling tightened.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev
  participant Semaphore
  participant Build as Build Job
  participant DeployStg as Deploy (Staging)
  participant DeployProd as Deploy (Production)
  participant AWS as AWS (S3/CloudFront)

  Dev->>Semaphore: Push / Trigger
  Semaphore->>Build: Run build step (strict shell)
  note right of Build: set -euo pipefail<br/>npm install → npm run build_sw
  Build-->>Semaphore: Artifacts ready

  alt Promote to Staging
    Semaphore->>DeployStg: Deploy Assets (strict shell)
    note right of DeployStg: set -euo pipefail
    DeployStg->>AWS: S3 sync → CloudFront invalidate
    AWS-->>DeployStg: OK/Errors
  end

  alt Promote to Production
    Semaphore->>DeployProd: Deploy Assets (strict shell)
    note right of DeployProd: set -euo pipefail
    DeployProd->>AWS: S3 sync → CloudFront invalidate
    AWS-->>DeployProd: OK/Errors
  end

  opt Error handling
    note over Build,DeployProd: Any command error or unset var causes immediate exit
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• staging: adding semaphore changes for staging #395 — Also modifies Semaphore CI job commands, consolidating npm steps and deploy script blocks; likely touches the same CI paths.

Suggested reviewers

• singhkunal2050

Poem

I hop through scripts with bashy grace,
Flip one switch—errors show their face.
Build in one hop, deploy with care,
S3 winds and clouds to clear the air.
Ears up, tails high—pipeline tight,
Green carrots glow in Semaphore light. 🥕✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch task/fix-status-reporting

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[francispereira]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

✅ code/snyk check is complete. No issues have been found. (View Details)

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.semaphore/staging-deploy.yml (1)

19-35: Harden script: remove secret echo, fix rm flags, and batch CloudFront invalidation.

• Remove env | grep AWS to avoid credential leakage and pipefail-induced failures.
• Replace rm -r with rm -f -- on files.
• Combine the five invalidations into one call to reduce API calls and speed up deploys.

-              set -euo pipefail
+              set -euo pipefail
               mkdir utils
               aws s3 cp s3://cfstack-init-sources3bucket-b5bxfzywj4ae/utils/generate_assumed_role_creds.py utils/generate_assumed_role_creds.py
               eval $(python3 utils/generate_assumed_role_creds.py --role-arn ${PRODUCTION_ACCOUNT_IAM_ROLE_ARN} --session-name SemaphoreAgent)
-              env | grep AWS
               aws sts get-caller-identity
               aws s3 cp ./clevertap.min.js s3://static.wizrocket.com/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/ --acl public-read
               aws s3 cp ./clevertap.js s3://static.wizrocket.com/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/ --acl public-read
               aws s3 cp ./clevertap.js.map s3://static.wizrocket.com/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/ --acl public-read
               aws s3 cp ./sw_webpush.min.js s3://static.wizrocket.com/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/ --acl public-read
               aws s3 cp ./sw_webpush.js s3://static.wizrocket.com/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/ --acl public-read
-              rm -r clevertap.min.js clevertap.js clevertap.js.map sw_webpush.min.js sw_webpush.js
-              aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/clevertap.js
-              aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/clevertap.js.map
-              aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/sw_webpush.min.js
-              aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/sw_webpush.js
-              aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/clevertap.min.js
+              rm -f -- clevertap.min.js clevertap.js clevertap.js.map sw_webpush.min.js sw_webpush.js
+              aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths \
+                "/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/clevertap.js" \
+                "/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/clevertap.js.map" \
+                "/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/sw_webpush.min.js" \
+                "/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/sw_webpush.js" \
+                "/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/clevertap.min.js"

🧹 Nitpick comments (2)

.semaphore/semaphore.yml (2)

17-17: Fix YAML lint: trailing space after block scalar.
Remove the trailing space after - | to satisfy yamllint.

-            - | 
+            - |

---

17-20: Prefer npm ci in CI for reproducible installs.
If a lockfile exists, npm ci is faster and deterministic.

-              npm install
+              npm ci

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d84da67 and 1010803.

📒 Files selected for processing (3)

• .semaphore/production-deploy.yml (1 hunks)
• .semaphore/semaphore.yml (1 hunks)
• .semaphore/staging-deploy.yml (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

.semaphore/semaphore.yml

[error] 17-17: trailing spaces

(trailing-spaces)

🔇 Additional comments (5)

.semaphore/production-deploy.yml (1)

15-21: Verify env/ACL assumptions under set -u.

• Ensure ${PRODUCTION_ACCOUNT_IAM_ROLE_ARN} is always present; set -u will hard-fail otherwise.
• If the S3 bucket enforces Object Ownership (ACLs disabled), --acl public-read will fail; confirm bucket settings or drop the flag.

.semaphore/staging-deploy.yml (2)

19-21: Strict mode adoption LGTM.
This should improve failure visibility and status reporting.

---

22-29: Confirm required env presence under set -u.
${PRODUCTION_ACCOUNT_IAM_ROLE_ARN} and ${SEMAPHORE_GIT_WORKING_BRANCH} must always be set to avoid hard failures.

.semaphore/semaphore.yml (2)

17-20: Good move to a single strict script block.
Unifying with set -euo pipefail is an improvement.

---

13-22: Double-check artifact push ordering.
You push clevertap*.js artifacts (Lines 14–16) before running any build step; verify these are prebuilt/checked-in. If not, reorder to build before pushing.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Strict mode added: good, but current script will leak AWS secrets and may fail due to pipefail.

• env | grep AWS will print creds to logs and, with set -euo pipefail, can fail the job if grep returns 1. Remove it.
• Use rm -f instead of rm -r for single files to avoid unnecessary failure under -e.

Apply:

-              set -euo pipefail
+              set -euo pipefail
               mkdir utils
               aws s3 cp s3://cfstack-init-sources3bucket-b5bxfzywj4ae/utils/generate_assumed_role_creds.py utils/generate_assumed_role_creds.py
               eval $(python3 utils/generate_assumed_role_creds.py --role-arn ${PRODUCTION_ACCOUNT_IAM_ROLE_ARN} --session-name SemaphoreAgent)
-              env | grep AWS
               aws sts get-caller-identity
               aws s3 cp clevertap.min.js s3://static.wizrocket.com/js/ --acl public-read
-              rm -r clevertap.min.js
+              rm -f -- clevertap.min.js
               aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /js/clevertap.min.js

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	set -euo pipefail
	mkdir utils
	aws s3 cp s3://cfstack-init-sources3bucket-b5bxfzywj4ae/utils/generate_assumed_role_creds.py utils/generate_assumed_role_creds.py
	eval $(python3 utils/generate_assumed_role_creds.py --role-arn ${PRODUCTION_ACCOUNT_IAM_ROLE_ARN} --session-name SemaphoreAgent)
	env | grep AWS
	aws sts get-caller-identity
	- 'aws s3 cp clevertap.min.js s3://static.wizrocket.com/js/ --acl public-read'
	- rm -r clevertap.min.js
	- aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /js/clevertap.min.js
	aws s3 cp clevertap.min.js s3://static.wizrocket.com/js/ --acl public-read
	rm -r clevertap.min.js
	aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /js/clevertap.min.js
	set -euo pipefail
	mkdir utils
	aws s3 cp s3://cfstack-init-sources3bucket-b5bxfzywj4ae/utils/generate_assumed_role_creds.py utils/generate_assumed_role_creds.py
	eval $(python3 utils/generate_assumed_role_creds.py --role-arn ${PRODUCTION_ACCOUNT_IAM_ROLE_ARN} --session-name SemaphoreAgent)
	aws sts get-caller-identity
	aws s3 cp clevertap.min.js s3://static.wizrocket.com/js/ --acl public-read
	rm -f -- clevertap.min.js
	aws cloudfront create-invalidation --distribution-id E1OCAMMKX0F1A1 --paths /js/clevertap.min.js

🤖 Prompt for AI Agents

In .semaphore/production-deploy.yml around lines 15 to 23, remove the line that
prints environment variables with "env | grep AWS" (it can leak credentials and
under set -euo pipefail a non-zero grep exit will fail the job) and replace the
"rm -r clevertap.min.js" with "rm -f clevertap.min.js" so removing the file
won't error under strict mode.