PullPreview Deployment
Pull request overview
This PR represents a complete runtime migration from Ruby to Go, replacing the Docker-based action with a composite action that uses prebuilt Go binaries. The migration maintains functional compatibility while adding new features like PR status comments and deployment heartbeat logging.
Changes:
- Migrated entire runtime from Ruby to Go with comprehensive test coverage
- Changed action runtime from Docker to composite with prebuilt Linux binaries (amd64/arm64)
- Added PR comment support (optional via comment_pr input) with deployment status updates
Reviewed changes
Copilot reviewed 56 out of 61 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| cmd/pullpreview/main.go | New Go CLI entrypoint with up/down/list/github-sync commands |
| internal/pullpreview/*.go | Core orchestration logic ported from Ruby (instance management, GitHub sync, licensing) |
| internal/providers/lightsail/*.go | AWS Lightsail provider implementation with snapshot/firewall support |
| internal/github/client.go | GitHub API wrapper using go-github library |
| internal/license/client.go | License check client with graceful fallback |
| action.yml | Changed from Docker to composite action, added comment_pr input |
| go.mod, go.sum | Go dependencies (AWS SDK v2, go-github, oauth2) |
| Makefile | Build targets for cross-compilation to Linux amd64/arm64 |
| .tool-versions | Switched from Ruby to Go version specification |
| .github/workflows/*.yml | Updated to use ubuntu-slim runner and checkout@v5 |
| AGENTS.md, MIGRATION_PLAN.md | Documentation for Go architecture and migration details |
| examples/example-app/ | Example application for local testing |
| Removed Ruby files | bin/pullpreview, lib/, Gemfile, Dockerfile, .dockerignore |
| } | ||
|
|
||
| func (i *Instance) SCP(input io.Reader, target, mode string) error { | ||
| command := fmt.Sprintf("cat - > %s && chmod %s %s", target, mode, target) |
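Review bot: In the command string, `cat - > %s` creates the target with whatever default permissions the remote umask gives, and the requested mode is only applied afterwards by `chmod %s %s`, so while the data is being written the file can be readable more widely than mode intends. If SCP is used for sensitive files, set a restrictive umask before the redirect (for example `umask 077 && cat - > ...`) and apply the requested mode afterwards.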
Potential command injection: the target and mode parameters in the SCP method are directly interpolated into a shell command without escaping. If a malicious value is passed for target (e.g., containing shell metacharacters like ;, &, |), it could lead to command injection. While the callers currently use hardcoded or safe values, consider adding validation or using proper shell escaping to prevent future vulnerabilities.
| if strings.TrimSpace(preScript) != "" { | ||
| lines = append(lines, | ||
| fmt.Sprintf("echo 'Attempting to run pre-script at %s...'", preScript), | ||
| fmt.Sprintf("bash -e %s", preScript), |
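Review bot: The echo line places preScript inside a single-quoted string, so a path containing a single quote ends that string early and the remainder is parsed by the shell; the exposure is not limited to the `bash -e %s` line. Quote the value once with a helper and use the quoted form in both lines, and pass `--` before the path so a value beginning with `-` is not read as a bash option.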
Potential command injection vulnerability: the preScript path is directly interpolated into a bash command without escaping at line 40. If a user provides a malicious value like ./script.sh; malicious_command, it will be executed. Use shell escaping or validate the path to prevent command injection. Consider using proper shell quoting (e.g., bash -e "$script" with proper escaping) or validating that the path doesn't contain shell metacharacters.
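One way to apply the quoting and validation suggested in the two comments above (the SCP command string and the pre-script line), as an added example that is not code from this pull request. The names shellQuote, octalMode, buildUploadCommand and buildPreScriptCommand are hypothetical, and the inputs in main are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// shellQuote wraps s in single quotes for a POSIX shell; an embedded
// single quote is emitted as '\'' (close, escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// octalMode accepts only three- or four-digit octal modes such as 0644.
var octalMode = regexp.MustCompile(`^[0-7]{3,4}$`)

// buildUploadCommand is a hypothetical stand-in for the command string
// assembled in SCP: same shape, but target is quoted and mode validated.
func buildUploadCommand(target, mode string) (string, error) {
	if !octalMode.MatchString(mode) {
		return "", fmt.Errorf("invalid file mode %q", mode)
	}
	if target == "" || strings.ContainsAny(target, "\x00\n") {
		return "", fmt.Errorf("invalid target path %q", target)
	}
	q := shellQuote(target)
	return fmt.Sprintf("cat - > %s && chmod %s -- %s", q, mode, q), nil
}

// buildPreScriptCommand does the same for the "bash -e <path>" line;
// "--" stops bash from reading a path that starts with "-" as an option.
func buildPreScriptCommand(preScript string) string {
	return "bash -e -- " + shellQuote(preScript)
}

func main() {
	// Constructed inputs, including the value from the review comment.
	for _, p := range []string{"/tmp/app.env", "./script.sh; malicious_command", "it's.sh"} {
		cmd, err := buildUploadCommand(p, "0600")
		fmt.Println(cmd, err)
		fmt.Println(buildPreScriptCommand(p))
	}
	_, err := buildUploadCommand("/tmp/x", "600; id")
	fmt.Println(err)
}
```

With the quoted form, the `;` in the second constructed path stays inside the file name argument and is never interpreted as a command separator.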
internal/pullpreview/github_sync.go
Outdated
| if g.prCache != nil { | ||
| _ = g.prCache | ||
| } |
Dead code: g.prCache is read but immediately discarded with _ = g.prCache. This appears to be leftover debugging code or an incomplete implementation. Remove these lines.
| if g.prCache != nil { | |
| _ = g.prCache | |
| } |
| package pullpreview | ||
|
|
||
| const ( | ||
| Version = "1.0.0" |
The version is hardcoded to "1.0.0" here and in the Ruby VERSION constant that was removed. Consider whether this version accurately reflects the migration to Go or if it should be bumped to indicate a major change in the runtime implementation.
| Version = "1.0.0" | |
| Version = "2.0.0" |
| @@ -1 +1 @@ | |||
| ruby 3.1.6 No newline at end of file | |||
| go 1.25.1 | |||
The .tool-versions specifies Go version "1.25.1", but go.mod declares go 1.23. There is no Go 1.25 release yet (the latest stable as of January 2025 is 1.23). This appears to be a typo - either use "1.23.1" in .tool-versions or update both to match a valid Go version.
| go 1.25.1 | |
| go 1.23.1 |
| if err != nil { | ||
| return | ||
| } | ||
| defer f.Close() |
File handle may be writable as a result of data flow from a call to OpenFile and closing it may result in data loss upon failure, which is not handled explicitly.
Deploying action with ⚡ PullPreview
Summary
- cmd/pullpreview and internal/...)
- AGENTS.md, MIGRATION_PLAN.md) and note to run Go via mise
- examples/example-app for public-image local live deploy validation
Validation
- mise exec -- go test ./...
- mise exec -- go test -cover ./...
- mise exec -- go build ./cmd/pullpreview
- AWS_PROFILE=runs-on-dev AWS_REGION=us-east-1 mise exec -- go run ./cmd/pullpreview up examples/example-app
- AWS_PROFILE=runs-on-dev AWS_REGION=us-east-1 mise exec -- go run ./cmd/pullpreview down --name local-example-app