Switch Kitmaker to use Artifactory

[aristarkhovNV]

Summary by CodeRabbit

• Chores
  • Migrated wheel distribution from GitHub Releases to Artifactory; GitHub release/tag asset steps removed.
  • Publish job now exposes artifact path outputs, clears local wheel artifacts before downloading, and records uploaded wheel paths.
  • Downstream kitmaker integration updated to consume Artifactory paths, run only for non-PR events, and validate Artifactory config (HTTPS required).
  • Enhanced masking/redaction of Artifactory and kitmaker secrets.

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed GitHub Release publishing; publish-wheel now uploads wheels to Artifactory, resolves repo-relative wheel_paths and exposes them; kitmaker now validates Artifactory inputs, constructs full wheel URLs from WHEEL_PATHS, and runs only for non-PR events.

Changes

Cohort / File(s)	Summary
Workflow entry point .github/workflows/build-ubuntu.yml	Removed GitHub Release creation/upload and cleanup jobs; reworked job dependencies so kitmaker depends on publish-wheel and is gated to non-PR events.
Publish -> Artifactory .github/workflows/build-ubuntu.yml (step Upload wheel(s) to Artifactory / id: upload-artifactory)	Added id: upload-artifactory; deletes local wheels/ dir pre-step, uploads wheels to Artifactory, queries Artifactory to resolve each artifact's downloadUri, and produces repo-relative wheel_paths.
Job outputs / step ids .github/workflows/build-ubuntu.yml	Added publish-wheel.outputs.wheel_paths mapped from steps.upload-artifactory.outputs.wheel_paths; introduced step id for upload to expose outputs.
Kitmaker job & validation .github/workflows/build-ubuntu.yml	Switched kitmaker input from WHEEL_URLS to WHEEL_PATHS; validates ARTIFACTORY_URL (requires https://) and ARTIFACTORY_REPO, constructs final wheel URLs as ARTIFACTORY_URL + ARTIFACTORY_REPO + wheel_path, and masks/redacts Artifactory/Kitmaker secrets in submit/status steps.
Misc local cleanup .github/workflows/build-ubuntu.yml	Added pre-step to remove local wheels/ before downloads; removed GitHub release tag/asset deletion logic and related cleanup job.

Sequence Diagram(s)

sequenceDiagram
    participant Runner as CI Runner
    participant PW as publish-wheel job
    participant AF as Artifactory API
    participant KM as kitmaker job

    Runner->>PW: remove local wheels/ directory
    PW->>AF: upload wheel files (twine) 
    AF-->>PW: upload confirmation / artifact IDs
    PW->>AF: search artifacts -> request metadata (downloadUri)
    AF-->>PW: return downloadUri(s)
    PW->>PW: strip base URL/repo -> produce repo-relative wheel_paths
    PW-->>Runner: set job output wheel_paths
    Runner->>KM: start kitmaker (depends on publish-wheel)
    KM->>KM: validate ARTIFACTORY_URL (HTTPS), ARTIFACTORY_REPO, WHEEL_PATHS
    KM->>KM: construct full wheel URLs = ARTIFACTORY_URL + ARTIFACTORY_REPO + wheel_path
    KM->>KM: build submission payload (mask secrets)
    KM->>KM: submit payload / report status

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰
I hopped through builds with nimble paws,
swapped release bells for artful claws.
I trim the URLs, tuck paths in a nest—
Kitmaker hums, the wheels find rest. 🥕📦

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Switch Kitmaker to use Artifactory' directly reflects the main objective of the pull request, which involves rewiring Kitmaker jobs to depend on Artifactory-published wheels instead of GitHub release assets.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch aaristarkhov/kitmaker-artifactory

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the Ubuntu CI workflow to stop using temporary GitHub Releases as an intermediate wheel distribution mechanism and instead have Kitmaker consume wheels directly from internal Artifactory.

Changes:

• Expose publish-wheel job output (wheel_paths) derived from Artifactory metadata after upload.
• Remove the publish-github-release-assets and cleanup-github-release-assets jobs and rewire Kitmaker to depend on publish-wheel.
• Add a cleanup step to ensure the wheels download directory is clean before fetching artifacts.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build-ubuntu.yml:
- Around line 361-364: The consumer job is reconstructing artifact URLs from
ARTIFACTORY_URL/ARTIFACTORY_REPO which can drift between environments; change
the producer job publish-wheel to export the full verified downloadUri (e.g.,
outputs.downloadUris or outputs.downloadUri_base) instead of only the relative
path, and update the consumer to use needs.publish-wheel.outputs.downloadUris
(or the new full downloadUri output) in place of recomputing the URL (replace
usage of WHEEL_PATHS + ARTIFACTORY_URL/ARTIFACTORY_REPO); ensure publish-wheel
sets the GitHub Actions output and the consumer job reads that output and
retains KITMAKER_UPLOAD behavior.
- Around line 301-333: search_json parsing currently uses .results[0] which can
be non-deterministic; change the logic around search_json/storage_uri to verify
the search returned exactly one result (e.g. use jq to compute .results |
length) and fail with an explanatory error (including search_json) if length !=
1, then only extract storage_uri from the sole result; update the error paths
that reference wheel_name and metadata_json so the workflow exits instead of
proceeding to compute wheel_path and append to wheel_paths when multiple or zero
matches are found.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a17fc978-6c58-4fb8-a65d-81eca000e4ba

📥 Commits

Reviewing files that changed from the base of the PR and between ed953ed and ac86e99.

📒 Files selected for processing (1)

• .github/workflows/build-ubuntu.yml

[coderabbitai]

♻️ Duplicate comments (2)

.github/workflows/build-ubuntu.yml (2)

361-364: ⚠️ Potential issue | 🟠 Major

Cross-environment secret drift risk persists.

The previous review flagged that publish-wheel (running under dev environment) resolves the verified downloadUri but only passes the relative path. This job (running under release environment) reconstructs the full URL using its own ARTIFACTORY_URL and ARTIFACTORY_REPO secrets. If these secrets differ between environments, kitmaker will receive incorrect URLs.

Consider exporting the full verified downloadUri (or at least the base URL) from publish-wheel instead of only the relative path to eliminate cross-environment configuration drift.

,

Also applies to: 388-394

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-ubuntu.yml around lines 361 - 364, The workflow
currently uses needs.publish-wheel.outputs.wheel_paths (WHEEL_PATHS) and
reconstructs full artifact URLs using ARTIFACTORY_URL/ARTIFACTORY_REPO in the
release job (and gates behavior with KITMAKER_UPLOAD), causing cross-environment
secret drift if those secrets differ; change the publish-wheel job to export the
fully-qualified downloadUri(s) (or at minimum the base URL) as an output (e.g.,
publish-wheel.outputs.wheel_uris) and update this job to consume that output
instead of rebuilding URLs from ARTIFACTORY_URL/ARTIFACTORY_REPO so kitmaker
receives the verified full URLs regardless of environment.

---

301-312: ⚠️ Potential issue | 🟠 Major

Require exactly one Artifactory match before using .results[0].

The previous review flagged that /api/search/artifact can return multiple hits when files with identical names exist at different paths, and results are unordered. The code still selects .results[0].uri without verifying uniqueness, making the resolved wheel path non-deterministic.

🛡️ Suggested guard

-          storage_uri="$(jq -r '.results[0].uri // empty' <<< "${search_json}")"
+          result_count="$(jq '.results | length' <<< "${search_json}")"
+          if (( result_count != 1 )); then
+            echo "Expected exactly one Artifactory match for ${wheel_name}, got ${result_count}"
+            echo "${search_json}"
+            exit 1
+          fi
+          storage_uri="$(jq -r '.results[0].uri' <<< "${search_json}")"

,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-ubuntu.yml around lines 301 - 312, The current
selection of storage_uri uses jq '.results[0].uri' on search_json, but the
Artifactory /api/search/artifact can return multiple unordered hits; update the
logic around search_json/storage_uri to require exactly one match for
wheel_name: use jq to check '.results | length' (or otherwise count results) and
if the count is not equal to 1, emit the full search_json and exit nonzero; only
when the count is exactly 1 should you extract the single '.results[0].uri' into
storage_uri and proceed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/build-ubuntu.yml:
- Around line 361-364: The workflow currently uses
needs.publish-wheel.outputs.wheel_paths (WHEEL_PATHS) and reconstructs full
artifact URLs using ARTIFACTORY_URL/ARTIFACTORY_REPO in the release job (and
gates behavior with KITMAKER_UPLOAD), causing cross-environment secret drift if
those secrets differ; change the publish-wheel job to export the fully-qualified
downloadUri(s) (or at minimum the base URL) as an output (e.g.,
publish-wheel.outputs.wheel_uris) and update this job to consume that output
instead of rebuilding URLs from ARTIFACTORY_URL/ARTIFACTORY_REPO so kitmaker
receives the verified full URLs regardless of environment.
- Around line 301-312: The current selection of storage_uri uses jq
'.results[0].uri' on search_json, but the Artifactory /api/search/artifact can
return multiple unordered hits; update the logic around search_json/storage_uri
to require exactly one match for wheel_name: use jq to check '.results | length'
(or otherwise count results) and if the count is not equal to 1, emit the full
search_json and exit nonzero; only when the count is exactly 1 should you
extract the single '.results[0].uri' into storage_uri and proceed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 30efc95c-2755-4499-b267-037bf3fb61a3

📥 Commits

Reviewing files that changed from the base of the PR and between ac86e99 and 0784035.

📒 Files selected for processing (1)

• .github/workflows/build-ubuntu.yml

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

.github/workflows/build-ubuntu.yml (2)

361-364: ⚠️ Potential issue | 🟠 Major

Pass the verified download URL across jobs instead of rebuilding it.

publish-wheel (running under dev environment) resolves the exact downloadUri from Artifactory but outputs only the relative path. This kitmaker job (running under release environment) then reconstructs the full URL using its own ARTIFACTORY_URL and ARTIFACTORY_REPO secrets. If these secrets differ between environments, kitmaker will submit invalid URLs to Kitmaker.

Consider exporting the full downloadUri (or verified base URL) from publish-wheel instead of only the relative path.

Also applies to: 388-388, 394-394

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-ubuntu.yml around lines 361 - 364, The kitmaker job
rebuilds artifact URLs from ARTIFACTORY_URL and ARTIFACTORY_REPO instead of
using the verified downloadUri produced by publish-wheel, which breaks when
secrets differ between environments; modify the publish-wheel job to output the
full downloadUri (or a verified base URL) as a workflow output (e.g., add an
output like full_download_uris) and change the kitmaker job to consume that
output (instead of reconstructing with ARTIFACTORY_URL/ARTIFACTORY_REPO) by
reading needs.publish-wheel.outputs.full_download_uris (or the chosen name) and
using that value when setting WHEEL_PATHS/KITMAKER_UPLOAD payloads so the exact
validated URL from publish-wheel is passed across jobs.

---

301-312: ⚠️ Potential issue | 🟠 Major

Require a unique Artifactory match before using .results[0].

The Artifactory /api/search/artifact API can return multiple results when files with identical names exist at different paths. Line 307 blindly selects the first result without verifying uniqueness, making the resolved wheel path non-deterministic.

🔎 Suggested guard

-          storage_uri="$(jq -r '.results[0].uri // empty' <<< "${search_json}")"
+          result_count="$(jq '.results | length' <<< "${search_json}")"
+          if (( result_count != 1 )); then
+            echo "Expected exactly one Artifactory match for ${wheel_name}, got ${result_count}"
+            echo "${search_json}"
+            exit 1
+          fi
+          storage_uri="$(jq -r '.results[0].uri' <<< "${search_json}")"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-ubuntu.yml around lines 301 - 312, The current code
reads search_json and unconditionally uses .results[0] to set storage_uri, which
is unsafe when Artifactory returns multiple matches; update the logic around
search_json/storage_uri to first count results (e.g., via jq '.results |
length') and assert it equals 1, and if not log an explicit error with the full
search_json and wheel_name and exit non‑zero; only when the count is exactly 1
extract .results[0].uri into storage_uri (and treat empty as an error as
before). Ensure you reference the variables search_json, storage_uri and
wheel_name and the jq-based results length check so the new guard replaces the
blind .results[0] usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build-ubuntu.yml:
- Around line 445-447: The workflow step currently injects ARTIFACTORY_URL and
ARTIFACTORY_REPO into the environment but they are not referenced anywhere in
the step logic; remove these two environment variables from the env block (or
alternatively use them where needed) to avoid adding unused masked secrets—look
for the ARTIFACTORY_URL and ARTIFACTORY_REPO entries in the workflow step and
either delete those keys from the env map or update the step to actually consume
them.

---

Duplicate comments:
In @.github/workflows/build-ubuntu.yml:
- Around line 361-364: The kitmaker job rebuilds artifact URLs from
ARTIFACTORY_URL and ARTIFACTORY_REPO instead of using the verified downloadUri
produced by publish-wheel, which breaks when secrets differ between
environments; modify the publish-wheel job to output the full downloadUri (or a
verified base URL) as a workflow output (e.g., add an output like
full_download_uris) and change the kitmaker job to consume that output (instead
of reconstructing with ARTIFACTORY_URL/ARTIFACTORY_REPO) by reading
needs.publish-wheel.outputs.full_download_uris (or the chosen name) and using
that value when setting WHEEL_PATHS/KITMAKER_UPLOAD payloads so the exact
validated URL from publish-wheel is passed across jobs.
- Around line 301-312: The current code reads search_json and unconditionally
uses .results[0] to set storage_uri, which is unsafe when Artifactory returns
multiple matches; update the logic around search_json/storage_uri to first count
results (e.g., via jq '.results | length') and assert it equals 1, and if not
log an explicit error with the full search_json and wheel_name and exit
non‑zero; only when the count is exactly 1 extract .results[0].uri into
storage_uri (and treat empty as an error as before). Ensure you reference the
variables search_json, storage_uri and wheel_name and the jq-based results
length check so the new guard replaces the blind .results[0] usage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b93e6248-b9e7-4903-b926-83321cd4be9c

📥 Commits

Reviewing files that changed from the base of the PR and between 0784035 and a9140ac.

📒 Files selected for processing (1)

• .github/workflows/build-ubuntu.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.github/workflows/build-ubuntu.yml (3)

254-259: ⚠️ Potential issue | 🟠 Major

Mask Artifactory values before printing Artifactory responses.

Artifactory API responses printed on failure paths (lines 310, 317, 328, 336) can leak the Artifactory URL and repository name embedded in response URIs. Add masking after the URL validation:

         if [[ "${ARTIFACTORY_URL}" != https://* ]]; then
           echo "ARTIFACTORY_URL must use https://"
           exit 1
         fi
+
+        echo "::add-mask::${ARTIFACTORY_URL}"
+        echo "::add-mask::${ARTIFACTORY_URL%/}"
+        echo "::add-mask::${ARTIFACTORY_REPO}"
 
         shopt -s nullglob

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-ubuntu.yml around lines 254 - 259, The workflow
prints raw Artifactory API responses on failure which can expose ARTIFACTORY_URL
and ARTIFACTORY_REPO; update the run step logic inside the same run block to
mask these values before printing by replacing any occurrences of the
ARTIFACTORY_URL and ARTIFACTORY_REPO environment variables in the response
strings with masked placeholders (e.g., "***"); do this masking immediately
after you validate or read the URL (the validation step mentioned in the
comment) and before any echo/printf of responses on the failure paths so all
failure logs use the sanitized response.

---

363-370: ⚠️ Potential issue | 🟠 Major

Do not log the raw Kitmaker create-release response.

Line 426 echoes response_json before any values are masked. The API response contains the submitted Artifactory URLs and the release_uuid, which are then treated as sensitive in downstream steps. Add the mask block before the POST request and replace the raw response dump with a minimal sanitized log line.

🧯 Safer logging pattern

         if [[ "${ARTIFACTORY_URL}" != https://* ]]; then
           echo "ARTIFACTORY_URL must use https://"
           exit 1
         fi
+
+        echo "::add-mask::${KITMAKER_API_ENDPOINT}"
+        echo "::add-mask::${KITMAKER_API_ENDPOINT%/}"
+        echo "::add-mask::${KITMAKER_PROJECT_ID}"
+        echo "::add-mask::${ARTIFACTORY_URL}"
+        echo "::add-mask::${ARTIFACTORY_URL%/}"
+        echo "::add-mask::${ARTIFACTORY_REPO}"
 
         if [[ -z "${WHEEL_PATHS}" ]]; then
           echo "No wheel paths were produced by publish-wheel job"
           exit 1
         fi
@@
-        echo "${response_json}"
-
         release_uuid="$(jq -r '.release_uuid // empty' <<< "${response_json}")"
         if [[ -z "${release_uuid}" ]]; then
           echo "Kitmaker response missing release_uuid"
           exit 1
         fi
+        echo "::add-mask::${release_uuid}"
+        echo "Kitmaker release created"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-ubuntu.yml around lines 363 - 370, The workflow
currently echoes the raw response_json from the Kitmaker create-release POST and
leaks Artifactory URLs and release_uuid; move or add the mask step (using
::add-mask or the repo's mask mechanism) before making the POST in the
create-release step, stop echoing the full response_json after the curl/POST,
and replace that dump with a minimal sanitized log (e.g., success/failure and
sanitized release id placeholder). Update references in the create-release step
to use the masked variables and ensure any downstream steps rely on the masked
outputs rather than printing response_json.

---

224-233: ⚠️ Potential issue | 🟠 Major

Add PR guard to publish-wheel job for consistency with downstream jobs.

The downstream kitmaker and kitmaker-status jobs both explicitly exclude pull requests with github.event_name != 'pull_request', but publish-wheel does not. This allows same-repo PRs to upload unmerged wheels to the internal Artifactory repository. Fork PRs will fail at the secret check, but the asymmetry suggests unintended behavior. Gate publish-wheel with the same PR condition as downstream jobs.

Suggested guard

-    if: ${{ needs.build-ubuntu.result == 'success' && needs.test-cloudxr.result == 'success' }}
+    if: ${{ github.event_name != 'pull_request' && needs.build-ubuntu.result == 'success' && needs.test-cloudxr.result == 'success' }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-ubuntu.yml around lines 224 - 233, The publish-wheel
job currently lacks the PR guard used by downstream jobs (kitmaker and
kitmaker-status), allowing same-repo pull requests to upload unmerged wheels;
update the publish-wheel job (job name: publish-wheel) to include the same PR
gate by adding the condition that github.event_name != 'pull_request' (the same
check used in kitmaker / kitmaker-status) to its if expression so it only runs
for non-PR events and matches downstream behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/build-ubuntu.yml:
- Around line 254-259: The workflow prints raw Artifactory API responses on
failure which can expose ARTIFACTORY_URL and ARTIFACTORY_REPO; update the run
step logic inside the same run block to mask these values before printing by
replacing any occurrences of the ARTIFACTORY_URL and ARTIFACTORY_REPO
environment variables in the response strings with masked placeholders (e.g.,
"***"); do this masking immediately after you validate or read the URL (the
validation step mentioned in the comment) and before any echo/printf of
responses on the failure paths so all failure logs use the sanitized response.
- Around line 363-370: The workflow currently echoes the raw response_json from
the Kitmaker create-release POST and leaks Artifactory URLs and release_uuid;
move or add the mask step (using ::add-mask or the repo's mask mechanism) before
making the POST in the create-release step, stop echoing the full response_json
after the curl/POST, and replace that dump with a minimal sanitized log (e.g.,
success/failure and sanitized release id placeholder). Update references in the
create-release step to use the masked variables and ensure any downstream steps
rely on the masked outputs rather than printing response_json.
- Around line 224-233: The publish-wheel job currently lacks the PR guard used
by downstream jobs (kitmaker and kitmaker-status), allowing same-repo pull
requests to upload unmerged wheels; update the publish-wheel job (job name:
publish-wheel) to include the same PR gate by adding the condition that
github.event_name != 'pull_request' (the same check used in kitmaker /
kitmaker-status) to its if expression so it only runs for non-PR events and
matches downstream behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 74104790-0932-4d6e-8b9e-12b3042140e2

📥 Commits

Reviewing files that changed from the base of the PR and between a9140ac and 79b032f.

📒 Files selected for processing (1)

• .github/workflows/build-ubuntu.yml