Conversation
add manifests/workflow
delete duplicate dir
Update workflow parameter values
Add workflow to deploy to AKS
Add workflow to deploy to AKS
Add workflow to deploy to AKS
📝 Walkthrough
This pull request replaces a demo GitHub Actions workflow with infrastructure-as-code for deploying a Go application to Azure Kubernetes Service. It introduces a CI/CD pipeline that builds Docker images, pushes to Azure Container Registry, and deploys Kubernetes manifests to AKS, along with corresponding service and deployment configurations.
Sequence Diagram(s)
sequenceDiagram
participant GHA as GitHub Actions
participant Azure as Azure Login
participant ACR as Container Registry
participant AKS as Kubernetes Cluster
rect rgba(100, 150, 200, 0.5)
Note over GHA,ACR: Build & Push Phase (buildImage job)
GHA->>GHA: Checkout code
GHA->>Azure: Authenticate with Azure
GHA->>ACR: Login to Container Registry
GHA->>ACR: Build & push image<br/>(test.Dockerfile)
end
rect rgba(150, 200, 100, 0.5)
Note over GHA,AKS: Deploy Phase (deploy job)
GHA->>GHA: Checkout code
GHA->>Azure: Authenticate with Azure
GHA->>AKS: Configure kubelogin<br/>& get kubeconfig
GHA->>AKS: Deploy manifests<br/>(deployment + service)
AKS->>ACR: Pull image from registry
end
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 3 passed | ❌ 1 failed (inconclusive)
Actionable comments posted: 5
🤖 Fix all issues with AI agents
In @.github/workflows/test-aks-deploy.yaml:
- Line 29: Replace the deprecated actions/checkout@v3 usages with
actions/checkout@v4; locate both occurrences of the literal string "uses:
actions/checkout@v3" in the workflow and update them to "uses:
actions/checkout@v4" so the job steps at those positions (the checkout steps at
the two uses) run on the supported runtime.
- Line 17: The DOCKER_FILE workflow variable is pointing to ./Dockerfile but the
PR added test.Dockerfile, so the az acr build step will fail; update the
DOCKER_FILE value to reference test.Dockerfile (or rename the Dockerfile to
match DOCKER_FILE) so that the az acr build command uses the correct file name
referenced by DOCKER_FILE in the workflow.
In `@manifests/deployment.yaml`:
- Line 21: The manifest's hardcoded image reference (image:
testACRCA.azurecr.io/goecho:latest) won't be replaced by the CI because the
workflow tags images as sunehatestaksregistry.azurecr.io/go-echo:${{ github.sha
}}; update the image field in the Deployment manifest to match the
workflow-produced name and tag (use sunehatestaksregistry.azurecr.io/go-echo:${{
github.sha }} or the placeholder used by the deploy action) so Azure/k8s-deploy
can correctly substitute the image during CI/CD.
In `@test.Dockerfile`:
- Around line 1-16: The workflow uses the variable DOCKER_FILE: ./Dockerfile but
the image build file is named test.Dockerfile, causing the build to miss the
intended file; fix by either renaming test.Dockerfile to Dockerfile or updating
the workflow's DOCKER_FILE variable in test-aks-deploy.yaml to ./test.Dockerfile
so the build step references the correct Dockerfile.
- Line 1: Update the builder base image reference from the EOL golang:1.18 to
the current stable golang:1.26 by changing the FROM line (the symbol to edit is
the Dockerfile FROM instruction currently set to "golang:1.18 AS builder"); also
adjust the final image stage to avoid running as root by switching its base to a
distroless nonroot runtime (e.g., use a distroless/static:nonroot or appropriate
nonroot runtime image) and ensure any user creation/ownership steps in the
Dockerfile set a non-root user before switching to that final image.
🧹 Nitpick comments (3)
manifests/deployment.yaml (1)
18-24: Add a security context and resource constraints. Static analysis (Trivy KSV-0014, KSV-0118; Checkov CKV_K8S_20, CKV_K8S_23) correctly flags that the container runs with default (root) privileges and no filesystem restrictions. Even for a test deployment, hardening the pod spec is good practice and prevents accidentally promoting an insecure config.
Suggested addition
spec:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 65534
  containers:
  - name: go-echo
    image: testACRCA.azurecr.io/goecho:latest
    imagePullPolicy: Always
    ports:
    - containerPort: 1323
+   securityContext:
+     allowPrivilegeEscalation: false
+     readOnlyRootFilesystem: true
+   resources:
+     requests:
+       cpu: 100m
+       memory: 128Mi
+     limits:
+       cpu: 250m
+       memory: 256Mi
.github/workflows/test-aks-deploy.yaml (2)
7-19: Environment variables contain hardcoded personal/test resource names. Resource names like suneha-test-rg and suneha-test-aks are hardcoded. If this workflow is intended as a reusable template, consider parameterizing these via repository variables or workflow inputs. Fine if this is strictly a personal test.
68-71: Update kubelogin to v0.2.14 or later for CVE fixes. The current version v0.0.25 is significantly outdated. The latest release is v0.2.14 (January 2026), a maintenance release that addresses CVEs and includes updated dependencies.
| DEPLOYMENT_MANIFEST_PATH: | | ||
| manifests/deployment.yaml | ||
| manifests/service.yaml | ||
| DOCKER_FILE: ./Dockerfile |
Dockerfile path mismatch — build will fail.
DOCKER_FILE is set to ./Dockerfile, but the Dockerfile added in this PR is test.Dockerfile. This will cause az acr build to fail (or use a wrong/missing file).
- DOCKER_FILE: ./Dockerfile
+ DOCKER_FILE: ./test.Dockerfile
| runs-on: ubuntu-latest | ||
| steps: | ||
| # Checks out the repository this file is in | ||
| - uses: actions/checkout@v3 |
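Review bot: `uses: actions/checkout@v3` references a mutable tag, so beyond the v3 to v4 bump flagged below, pin each third-party action to a full commit SHA (keeping the version in a trailing comment) so a retargeted tag cannot silently change what the job executes; the same applies to the Azure login and Azure/k8s-deploy steps this workflow uses.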
Update actions/checkout from v3 to v4.
As flagged by actionlint, actions/checkout@v3 uses a deprecated Node.js runtime. Both usages (lines 29 and 57) should be updated.
Proposed fix
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
Apply the same change at line 57.
🧰 Tools
🪛 actionlint (1.7.10)
[error] 29-29: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
| spec: | ||
| containers: | ||
| - name: go-echo | ||
| image: testACRCA.azurecr.io/goecho:latest |
Image reference mismatch — deployment will use the wrong image.
The manifest hardcodes testACRCA.azurecr.io/goecho:latest, but the workflow builds and tags the image as sunehatestaksregistry.azurecr.io/go-echo:${{ github.sha }}. The Azure/k8s-deploy action performs image substitution by matching the image name in the manifest against the provided images input — since the registry and repository names differ, the substitution won't match and the deployment will keep pulling the stale testACRCA.azurecr.io/goecho:latest image.
Update the image to match what the workflow produces:
Proposed fix
- image: testACRCA.azurecr.io/goecho:latest
+ image: sunehatestaksregistry.azurecr.io/go-echo
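A pre-flight check for the two findings raised above, the `DOCKER_FILE` path that does not exist and the manifest image whose registry/repository does not match what the workflow pushes (which is the name Azure/k8s-deploy matches on before substituting). This is an added example, not code from the PR or from CodeRabbit; the workflow values, the manifest image and the `abc123` tag are constructed to mirror the thread.

```bash
#!/usr/bin/env bash
# Added pre-flight check for the review findings; not part of the PR.
# The values below are constructed to mirror the thread.
set -eu

WORKFLOW_DOCKER_FILE="./Dockerfile"                                # env.DOCKER_FILE
WORKFLOW_IMAGE="sunehatestaksregistry.azurecr.io/go-echo:abc123"  # what az acr build pushes
MANIFEST_IMAGE="testACRCA.azurecr.io/goecho:latest"               # manifests/deployment.yaml

# Returns 0 when the Dockerfile named by the workflow exists under $1.
dockerfile_exists() {
  local root="$1" path="$2"
  [ -f "$root/$path" ]
}

# Strips the tag or digest, leaving registry/repository: the part
# Azure/k8s-deploy compares between the manifest and its images input.
image_repo() {
  local ref="$1"
  ref="${ref%%@*}"                 # drop @sha256:... digest
  case "$ref" in
    */*:*) ref="${ref%:*}" ;;      # registry/repo:tag -> drop the tag
    */*)   : ;;                    # registry/repo, registry may carry a port
    *:*)   ref="${ref%:*}" ;;      # bare repo:tag
  esac
  printf '%s' "$ref"
}

# Returns 0 when the workflow image would be substituted into the manifest.
substitution_matches() {
  [ "$(image_repo "$1")" = "$(image_repo "$2")" ]
}

# Runs both checks against a checkout at $1; non-zero means the deploy would break.
preflight() {
  local root="$1" rc=0
  if ! dockerfile_exists "$root" "$WORKFLOW_DOCKER_FILE"; then
    echo "DOCKER_FILE=$WORKFLOW_DOCKER_FILE not found under $root" >&2
    rc=1
  fi
  if ! substitution_matches "$MANIFEST_IMAGE" "$WORKFLOW_IMAGE"; then
    echo "manifest image $(image_repo "$MANIFEST_IMAGE") does not match workflow image $(image_repo "$WORKFLOW_IMAGE"); k8s-deploy will not substitute it" >&2
    rc=1
  fi
  return $rc
}
```

Run `preflight .` from the repository root as an early workflow step; with the values in this PR it reports both problems and exits non-zero.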
| FROM golang:1.18 AS builder | ||
|
|
||
| WORKDIR /build | ||
| COPY go.mod go.sum ./ | ||
| RUN go mod download && go mod verify | ||
| COPY . . | ||
| RUN CGO_ENABLED=0 GOOS=linux go build -v -o app-binary | ||
|
|
||
| FROM gcr.io/distroless/static-debian12 | ||
|
|
||
| ENV PORT=1323 | ||
| EXPOSE 1323 | ||
|
|
||
| WORKDIR /app | ||
| COPY --from=builder /build/app-binary . | ||
| CMD ["/app/app-binary"] No newline at end of file |
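Review bot: `COPY . .` in the builder stage copies the entire build context, so without a .dockerignore the .git directory and any local secrets in the working tree land in the builder layer; add a .dockerignore next to this file. The runtime base `FROM gcr.io/distroless/static-debian12` carries no tag or digest, so it floats with every build; pin it by tag and digest for reproducible, auditable images. `go mod verify` is a good addition; `-trimpath` on the `go build` line would also keep local paths out of the binary.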
This Dockerfile is not referenced by the workflow.
The workflow sets DOCKER_FILE: ./Dockerfile (line 17 of test-aks-deploy.yaml), but this file is named test.Dockerfile. Either rename this file to Dockerfile or update the workflow variable to ./test.Dockerfile, otherwise the build step will fail or use a different file.
🧰 Tools
🪛 Trivy (0.69.1)
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
| @@ -0,0 +1,16 @@ | |||
| FROM golang:1.18 AS builder | |||
🧩 Analysis chain
🌐 Web query:
Go programming language latest stable version 2026
💡 Result:
As of February 12, 2026, the latest stable Go release is Go 1.26.0, released on February 10, 2026. [1], [2]
Where to verify/download: the official downloads page lists go1.26.0 as the current stable version. [2]
Sources:
[1] Go blog announcement (“Go 1.26 is released”, Feb 10, 2026) (go.dev)
[2] Official Go downloads page (stable versions shows go1.26.0) (go.dev)
🏁 Scripts executed (repository: gambtho/go_echo):
find . -name "*.Dockerfile" -o -name "Dockerfile" | head -20
rg "DOCKER_FILE|distroless/static-debian12" --type yaml --type yml
find .github/workflows -type f 2>/dev/null | xargs cat 2>/dev/null | grep -i "dockerfile\|distroless"
rg "distroless" --type yaml
🌐 Web query:
distroless static-debian12 nonroot variant availability
💡 Result:
gcr.io/distroless/static-debian12 does have a nonroot variant: it’s published as the :nonroot tag (and also :debug-nonroot). The Distroless project lists the available tags for static-debian12 as latest, nonroot, debug, and debug-nonroot. [1][2]
Practically, you can use:
gcr.io/distroless/static-debian12:nonroot
gcr.io/distroless/static-debian12:debug-nonroot
(And if you use the :nonroot tag, the image default user is the nonroot account, typically UID/GID 65532 with working dir /home/nonroot.) [3]
golang:1.18 is end-of-life — upgrade the builder image.
Go 1.18 reached end-of-life in early 2023 and no longer receives security patches. Use the current stable version, golang:1.26.
The Trivy hint about running as root is also valid. The final stage can use the distroless nonroot variant:
Proposed fix
-FROM golang:1.18 AS builder
+FROM golang:1.26 AS builder
-FROM gcr.io/distroless/static-debian12
+FROM gcr.io/distroless/static-debian12:nonroot
🧰 Tools
🪛 Trivy (0.69.1)
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)