semaphore: replacing semaphore agents with newer upstreamed agents #495

Merged
Yashprime1 merged 1 commit into develop from task/SNE-51208-replace-agent
Dec 3, 2025

Yashprime1 (Collaborator) commented Dec 2, 2025

SNE-51208

Changes

Describe the key changes in this PR with the Jira Issue reference

Changes to Public Facing API if any

Please list the impact on the public facing API if any

How Has This Been Tested?

Describe the testing approach and any relevant configurations (e.g., environment, platform)

Checklist

  • Code compiles without errors
  • Version Bump added to package.json & CHANGELOG.md
  • All tests pass
  • Build process is successful
  • Documentation has been updated (if needed)
  • Automation tests are passing

Link to Deployed SDK

Use these URLs for testing:

  1. https://static.wizrocket.com/staging/<CURRENT_BRANCH_NAME>/js/clevertap.min.js
  2. https://static.wizrocket.com/staging/<CURRENT_BRANCH_NAME>/js/sw_webpush.min.js

How to trigger Automations

Just add an empty commit after all your changes are done in the PR with the command

 git commit --allow-empty -m "[run-test] Testing Automation"

This will trigger the automation suite


Note

Migrates Semaphore to new s1-agent types, updates deploy scripts to use uv-based Python env and new S3 bucket, and builds/publishes service worker with staging/production promotions.

  • CI/CD (Semaphore pipelines):
    • Agents: Switch machine types to s1-agent-* and clear os_image across semaphore.yml, production-deploy.yml, and staging-deploy.yml.
    • Deploy scripts:
      • Use new S3 bucket for utils/generate_assumed_role_creds.py and fetch uv tarball; add uv-based venv, install Python deps, then deactivate.
      • Remove AWS identity debug commands.
    • Build pipeline (.semaphore/semaphore.yml):
      • Add npm install and npm run build_sw.
      • Push new artifacts: sw_webpush.min.js and sw_webpush.js.
      • Add promotions for Production and Staging (auto-promote on pass for staging).
    • Staging deploy (staging-deploy.yml): upload clevertap.* and sw_webpush.* to s3://static.wizrocket.com/staging/${SEMAPHORE_GIT_WORKING_BRANCH}/js/ and add CloudFront invalidations for each.
    • Production deploy (production-deploy.yml): deploy clevertap.min.js to s3://static.wizrocket.com/js/ and invalidate its CloudFront path.

Written by Cursor Bugbot for commit ea22573. This will update automatically on new commits. Configure here.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD infrastructure configurations across deployment pipelines.
    • Optimized agent machine types and deployment environment setup.
    • Enhanced Python dependency management during deployment processes.

@Yashprime1 Yashprime1 requested a review from a team as a code owner December 2, 2025 12:03

francispereira commented Dec 2, 2025

Snyk checks have passed. No issues have been found so far.

Status | Scanner | Critical | High | Medium | Low | Total (0)
 | Open Source Security | 0 | 0 | 0 | 0 | 0 issues
 | Licenses | 0 | 0 | 0 | 0 | 0 issues
 | Code Security | 0 | 0 | 0 | 0 | 0 issues

coderabbitai bot commented Dec 2, 2025

Walkthrough

Updates three Semaphore CI configuration files to use newer agent machine types (s1-agent-c5-large, s1-agent-t2-micro), modify OS images, introduce uv-based Python virtual environment setup, fetch resources from updated S3 paths, and restructure deployment steps for environment handling.

Changes

Cohort / File(s) | Summary
Semaphore CI Agent & Machine Type Updates (.semaphore/semaphore.yml) | Updated agent machine type from f1-standard-2 to s1-agent-t2-micro and cleared os_image field.
Production Deployment Overhaul (.semaphore/production-deploy.yml) | Changed agent machine types (e1-standard-2 → s1-agent-c5-large), updated S3 resource paths for credential scripts, introduced uv-based Python venv setup with package installations (argparse, PyJWT, requests, cryptography, pytablewriter, pyyaml, boto3), removed AWS validation commands (env grep and sts get-caller-identity), and added environment deactivation.
Staging Deployment Updates (.semaphore/staging-deploy.yml) | Updated agent machine type (e1-standard-2 → s1-agent-t2-micro), cleared os_image, updated S3 paths, introduced uv tarball extraction and Python venv setup with package installations, replaced environment validation commands with autonomous credential handling, added deactivation step, and changed final agent type to s1-agent-c5-large.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Machine type and OS image consistency: Verify the new agent types (s1-agent-c5-large, s1-agent-t2-micro) are appropriate for workload requirements across environments.
  • uv setup and Python dependencies: Ensure the uv virtual environment creation, package installation steps, and PATH configuration are correct and consistent across production and staging files.
  • S3 path updates: Confirm the new S3 paths are valid and accessible; validate the uv tarball extraction logic.
  • Removed commands impact: Verify that removing AWS validation commands doesn't compromise credential/environment verification in deployment pipelines.

Suggested reviewers

  • singhkunal2050

Poem

🐰 A rabbit hops through deployment lanes,
New agents spark where uv reigns,
S3 paths and venvs bloom,
CI pipelines zoom, zoom, zoom!
Faster stages, cleaner dreams, 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name | Status | Explanation | Resolution
Description check | ❓ Inconclusive | The PR description includes only the template structure with a Jira reference (SNE-51208) and a comprehensive AI-generated summary, but lacks substantive author-provided content in the key sections like 'Changes', 'Testing', and 'Checklist' completion. | Fill in the 'Changes' section with specific details about agent migration, update testing approach documentation, and complete the checklist items to clarify which checks have been performed.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the main change: replacing older Semaphore agents with newer s1-agent types across all pipeline configuration files.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.semaphore/staging-deploy.yml (1)

21-26: Verify S3 bucket path and uv availability on the new agent type.

Lines 21-26 introduce two significant changes:

  1. S3 bucket path change: The hardcoded bucket path (semaphore-agent-customres-semaphoredependenciess3b-okhz8b8lstnx) is very long and tightly coupled to infrastructure. If this S3 bucket name or structure changes, the pipeline will break silently with an opaque S3 access error.

  2. uv tool dependency: The script downloads and uses uv for Python virtual environment and package management. Verify that:

    • uv is available and compatible with s1-agent-t2-micro and s1-agent-c5-large agents.
    • The tarball path (uv/uv-x86_64-unknown-linux-gnu.tar.gz) exists in the S3 bucket.
    • The extracted binary (uv-x86_64-unknown-linux-gnu) is functional on the target agent OS.
  3. Redundant argparse package (line 26): argparse is a built-in module in Python 3.2+. Removing it from the uv pip install list will reduce unnecessary dependency bloat.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between dbe7f58 and ea22573.

📒 Files selected for processing (3)
  • .semaphore/production-deploy.yml (2 hunks)
  • .semaphore/semaphore.yml (1 hunks)
  • .semaphore/staging-deploy.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Cursor Bugbot
🔇 Additional comments (6)
.semaphore/staging-deploy.yml (3)

5-6: Verify agent machine configuration with empty os_image.

The configuration sets os_image to an empty string for s1-agent-t2-micro. This is unconventional—typically os_image is set to a specific OS image identifier or completely omitted. Confirm that this configuration is correct and that the new agent type provides the necessary runtime environment (Python, AWS CLI, etc.).


39-39: Clarify the intent and sequencing of the deactivate command.

Line 39 adds a deactivate command to close the Python virtual environment. However, line 27 (the credential generation command) occurs after the venv is activated but before deactivate is called.

Verify that:

  • The virtual environment remains active through line 27 (credential eval) and all subsequent AWS operations (lines 28–38).
  • The source prod/bin/activate on line 25 properly sets up the Python environment for the credential script.
  • Deactivating the venv at the end does not inadvertently affect any downstream steps in the Semaphore workflow (if any).

If the venv is only needed for the credential generation step and not for subsequent AWS CLI operations, consider moving the deactivate command immediately after line 27 to minimize the scope of environment modification.

Also applies to: 27-27


44-44: Verify agent machine type compatibility and resource availability.

The job-level agent override changes the machine type to s1-agent-c5-large (previously s1-ultron-c5-large). Ensure:

  • The new machine type has sufficient resources (CPU, memory, disk) for the deployment tasks (S3 uploads, CloudFront invalidations).
  • AWS CLI and other required utilities are pre-installed on this agent type.
  • The empty os_image setting is intentional and supported on this machine type.
.semaphore/semaphore.yml (1)

5-6: > Likely an incorrect or invalid review comment.

.semaphore/production-deploy.yml (2)

19-21: Verify uv compatibility with the new agent machine type.

The deployment now relies on uv, a modern Python package and project manager written in Rust, being available in the s1-agent-c5-large machine type. Confirm that the extracted uv binary works correctly in this environment and that the PATH configuration allows proper execution.


6-6: > Likely an incorrect or invalid review comment.

Comment on lines +17 to +18
aws s3 cp s3://semaphore-agent-customres-semaphoredependenciess3b-okhz8b8lstnx/utils/generate_assumed_role_creds.py utils/generate_assumed_role_creds.py
aws s3 cp s3://semaphore-agent-customres-semaphoredependenciess3b-okhz8b8lstnx/uv/uv-x86_64-unknown-linux-gnu.tar.gz - | tar -v -xz -C utils/
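Review bot: Neither download on lines +17 to +18 is integrity-checked: the uv tarball is streamed from S3 straight into `tar`, and generate_assumed_role_creds.py is copied into utils/ for the credential step, so the production job trusts whatever the bucket holds at run time. Write both objects to disk first, compare each against a SHA-256 digest committed next to the pipeline YAML (or fetch a pinned S3 object version), and extract or run them only after the comparison passes. Writing the tarball to a file also means a truncated download fails the checksum instead of leaving a partially extracted utils/ directory.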

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, check the full context of the production-deploy.yml file
cat -n .semaphore/production-deploy.yml

Repository: CleverTap/clevertap-web-sdk

Length of output: 1787


🏁 Script executed:

# Search for references to this S3 bucket throughout the codebase
rg "semaphore-agent-customres-semaphoredependenciess3b-okhz8b8lstnx" --type-list

Repository: CleverTap/clevertap-web-sdk

Length of output: 460


🏁 Script executed:

# Search for any S3 bucket references
rg "s3://" --type yaml -A 2 -B 2

Repository: CleverTap/clevertap-web-sdk

Length of output: 219


🏁 Script executed:

# Check git history for changes to this file
git log --oneline .semaphore/production-deploy.yml | head -20

Repository: CleverTap/clevertap-web-sdk

Length of output: 145


🏁 Script executed:

# Check for any AWS or S3 configuration documentation
fd -e md -e txt | xargs rg -l "S3|bucket|semaphore-agent" 2>/dev/null | head -10

Repository: CleverTap/clevertap-web-sdk

Length of output: 53


🏁 Script executed:

# Check the git diff to see what changed in this commit
git show ea22573 --stat | head -30

Repository: CleverTap/clevertap-web-sdk

Length of output: 1663


🏁 Script executed:

# Check for any old S3 bucket references that might have been replaced
git show ea22573 | head -100

Repository: CleverTap/clevertap-web-sdk

Length of output: 2799


🏁 Script executed:

# Search for any documentation, README, or setup instructions
fd -type f \( -name "README*" -o -name "DEPLOY*" -o -name "*.md" \) | xargs cat 2>/dev/null | head -50

Repository: CleverTap/clevertap-web-sdk

Length of output: 241


🏁 Script executed:

# Check if there are any other Semaphore config files for context
git ls-files ".semaphore/*.yml" | xargs cat

Repository: CleverTap/clevertap-web-sdk

Length of output: 5299


🏁 Script executed:

# Look for any deployment documentation or scripts
find . -type f \( -name "*deploy*" -o -name "*setup*" \) | grep -v node_modules | grep -v ".git" | head -20

Repository: CleverTap/clevertap-web-sdk

Length of output: 192


🏁 Script executed:

# Check if there are GitHub Actions workflows that might reference similar S3 paths
cat .github/workflows/release.yml 2>/dev/null | head -80

Repository: CleverTap/clevertap-web-sdk

Length of output: 1819


Verify S3 bucket access and artifact availability before production deployment.

The S3 paths are consistently referenced across all Semaphore pipeline configurations (production, staging, and build workflows), suggesting this is intentional infrastructure setup. However, the deployment scripts contain no validation, retry logic, or fallback mechanisms. Since the aws s3 cp commands are executed under set -euo pipefail, any S3 access failure will silently halt the production deployment. Before merging, confirm that:

  • The S3 bucket semaphore-agent-customres-semaphoredependenciess3b-okhz8b8lstnx is accessible with the ProductionAccountAwsCredentials
  • Both artifacts exist and are correct: utils/generate_assumed_role_creds.py and uv/uv-x86_64-unknown-linux-gnu.tar.gz
  • IAM role PRODUCTION_ACCOUNT_IAM_ROLE_ARN has s3:GetObject permissions on this bucket
🤖 Prompt for AI Agents
.semaphore/production-deploy.yml around lines 17-18: the current aws s3 cp
commands run under set -euo pipefail with no validation or retry so any
transient S3 failure or missing artifact will abort deployment; update the
script to first verify bucket and object accessibility (e.g., aws s3api
head-object or aws s3 ls for each path) using the
ProductionAccountAwsCredentials, check that the IAM role
PRODUCTION_ACCOUNT_IAM_ROLE_ARN has s3:GetObject on the bucket, and only then
perform the downloads; add simple retry logic with exponential backoff (3
attempts) for the aws s3 cp commands and emit clear, actionable error messages
if verification or downloads fail so the pipeline fails with context rather than
a silent abort.
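One way to implement the retry-and-fail-with-context behaviour this comment asks for, extended with a digest check before extraction (an added example, not code from the PR or the CleverTap pipeline). The function names, the FETCH_CMD, RETRY_MAX and RETRY_DELAY variables, and the pinned-digest argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example: fetch a build dependency with bounded retries, then verify a
# pinned SHA-256 digest before anything is extracted or executed.
# FETCH_CMD, RETRY_MAX and RETRY_DELAY are assumed knobs, not pipeline settings.

# retry CMD [ARGS...]: run CMD up to RETRY_MAX times with exponential backoff.
retry() {
  local attempt=1
  local delay="${RETRY_DELAY:-2}"
  local max="${RETRY_MAX:-3}"
  until "$@"; do
    if [ "$attempt" -ge "$max" ]; then
      echo "ERROR: '$*' failed after $attempt attempts" >&2
      return 1
    fi
    echo "WARN: attempt $attempt of $max failed; retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
  done
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
  local file="$1"
  local expected="$2"
  local actual
  [ -n "$expected" ] || { echo "ERROR: no digest pinned for $file" >&2; return 1; }
  [ -f "$file" ] || { echo "ERROR: $file was not downloaded" >&2; return 1; }
  actual="$(sha256sum "$file" | awk '{print $1}')"
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
}

# fetch_verified SRC DEST SHA256: download to disk, verify, delete on mismatch.
fetch_verified() {
  local src="$1"
  local dest="$2"
  local sha="$3"
  # Unquoted on purpose: FETCH_CMD may hold a command plus its arguments.
  retry ${FETCH_CMD:-aws s3 cp} "$src" "$dest" || return 1
  if ! verify_sha256 "$dest" "$sha"; then
    rm -f "$dest"  # never leave an unverified artifact for a later step to use
    return 1
  fi
}

# Pipeline usage (the digest is a placeholder to be committed with the YAML):
#   fetch_verified "s3://<bucket>/uv/uv-x86_64-unknown-linux-gnu.tar.gz" \
#     uv.tar.gz "<PINNED_SHA256>" && tar -xzf uv.tar.gz -C utils/
```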

Comment on lines +20 to +22
uv venv prod
source prod/bin/activate
uv pip install argparse PyJWT requests cryptography pytablewriter pyyaml boto3

🛠️ Refactor suggestion | 🟠 Major

Pin specific versions for production dependencies.

While uv offers substantial speed and reproducibility benefits in CI/CD environments, the current dependency installation does not pin specific versions. This can lead to version drift and potential breaking changes in production deployments.

Apply this diff to pin dependency versions:

-              uv pip install argparse PyJWT requests cryptography pytablewriter pyyaml boto3
+              uv pip install \
+                argparse==1.4.0 \
+                PyJWT==2.8.1 \
+                requests==2.31.0 \
+                cryptography==42.0.0 \
+                pytablewriter==1.3.0 \
+                pyyaml==6.0.1 \
+                boto3==1.34.0
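Review bot: Pinning the seven top-level names with `==` in the added `uv pip install` lines still leaves their transitive dependencies floating and checks no hashes, so the production venv can differ between runs. Commit a requirements file generated with `uv pip compile --generate-hashes` and install it with `uv pip install --require-hashes -r requirements.txt` instead. Drop the `argparse==1.4.0` line rather than pinning it: as the nitpick on .semaphore/staging-deploy.yml notes, argparse is built into Python 3.2+, so this only pulls an extra third-party package into the credential-generation environment. The version numbers are not taken from anything visible in this PR, so confirm that each one resolves before committing.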

Note: Verify the exact versions currently in use and adjust accordingly.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uv venv prod
source prod/bin/activate
uv pip install argparse PyJWT requests cryptography pytablewriter pyyaml boto3
uv venv prod
source prod/bin/activate
uv pip install \
argparse==1.4.0 \
PyJWT==2.8.1 \
requests==2.31.0 \
cryptography==42.0.0 \
pytablewriter==1.3.0 \
pyyaml==6.0.1 \
boto3==1.34.0
🤖 Prompt for AI Agents
.semaphore/production-deploy.yml around lines 20 to 22: the CI step installs
production Python deps without pinned versions, causing potential version drift;
update the step to install explicit, pinned versions for argparse, PyJWT,
requests, cryptography, pytablewriter, pyyaml, and boto3 (using == to pin exact
versions) or point the install command to a committed requirements.txt with
pinned versions; verify the exact package versions currently used in production
(or in your local venv) and replace the unpinned installs with either a pip
install -r requirements.txt or pip install package==x.y.z for each package,
ensuring the virtualenv setup remains unchanged.

@Yashprime1 Yashprime1 changed the base branch from master to develop December 2, 2025 12:50
@singhkunal2050 (Contributor)

Please verify the job once before merge.

@Yashprime1 Yashprime1 merged commit 6716be2 into develop Dec 3, 2025
14 of 19 checks passed