
fix(ci): auto deploy lexical-service#4032

Open
ehayes2000 wants to merge 1 commit into main from auto-deploy-lexical-service

Conversation

@ehayes2000

Contributor

No description provided.

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Contributor

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d0548dc0-e46c-420e-aae6-29083fed1603

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

This pull request adds CI/CD automation for deploying the Lexical service. It introduces a reusable GitHub Actions workflow that handles deployment to either dev or prod environments, accepting a Cloudflare API token and executing a Bun-based deployment script. The workflow is then integrated into two trigger points: a dev push workflow that automatically deploys on main branch pushes when changes occur in Lexical service paths (with path-based gating), and a production release workflow that deploys when releases are published.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. No pull request description was provided by the author, making it impossible to verify if the description relates to the changeset. Resolution: add a pull request description explaining the purpose, motivation, and impact of the automated deployment workflow changes.

✅ Passed checks (3 passed)

  • Title check: ✅ Passed. The title follows conventional commits format with 'fix(ci):' prefix, is under 72 characters (36 chars), and accurately describes the main change: adding automated deployment for the lexical-service.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/deploy-lexical-service-dev-push.yml (1)

1-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set explicit least-privilege permissions for this workflow.

No permissions: block means default token scope is used. This workflow only needs read-level access for checkout/diff detection and calling the reusable deploy workflow.

Proposed minimal permissions
 name: "Deploy lexical service dev on push to main"
 on:
   push:
     branches: [main]
+permissions:
+  contents: read
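Review bot: this top-level block is the ceiling for every job in the file, including the deploy_lexical_service job that calls the reusable workflow (a called workflow can narrow the caller's token permissions but never widen them), so `contents: read` alone is only right if the deploy path authenticates to Cloudflare with the passed CLOUDFLARE_API_TOKEN secret and never writes through GITHUB_TOKEN. The walkthrough describes exactly that, so the setting looks sufficient, but one dev-push run should confirm that both the diff-checker compare and the deploy step succeed with read-only scope before this is relied on.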
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-lexical-service-dev-push.yml around lines 1 - 32,
Add an explicit least-privilege permissions block at the top-level of the
workflow so the token only has read access for checkout/diff detection and when
invoking the reusable deploy job; update the workflow to include a permissions:
block (e.g., permissions: contents: read, actions: read) and keep existing jobs
check-to-deploy (steps using actions/checkout@v6 and
whutchinson98/diff-checker-action@v1.0.2) and deploy_lexical_service unchanged
so the reusable workflow call only runs with the scoped token.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-lexical-service-dev-push.yml:
- Line 21: Update the workflow to use the correct token context and harden
permissions: replace the invalid token expression "token: ${{ GITHUB.TOKEN }}"
with "token: ${{ github.token }}" (or "token: ${{ secrets.GITHUB_TOKEN }}")
where it appears, pin the two actions "actions/checkout@v6" and
"whutchinson98/diff-checker-action@v1.0.2" to their exact commit SHAs instead of
tags, and add an explicit minimal "permissions:" block (e.g., read/write only
for the specific scopes needed) to the workflow so the GITHUB_TOKEN has least
privilege.

In @.github/workflows/deploy-lexical-service.yml:
- Around line 14-17: Constrain and/or validate the workflow_call input to avoid
shell interpolation injection: change the workflow input definition for
workflow_call.inputs.environment to use a choice/enum (e.g. set type to choice
and options to ["dev","prod"]) so only allowed values are accepted, and ensure
the run command that uses run: bun run deploy-${{ inputs.environment }} only
receives those validated values (or map inputs.environment to a known-safe
internal variable before interpolation); update the input schema and the usage
of inputs.environment in the run step accordingly (references:
workflow_call.inputs.environment and the run: bun run deploy-${{
inputs.environment }} command).

In @.github/workflows/release-production.yml:
- Around line 27-33: The deploy-lexical-service job currently inherits default
GITHUB_TOKEN permissions; add an explicit job-level permissions block on the
deploy-lexical-service job (the job whose key/name is "deploy-lexical-service"
and which uses the reusable workflow via "uses:
./.github/workflows/deploy-lexical-service.yml") and restrict the GITHUB_TOKEN
to only the minimum scopes the reusable workflow needs (e.g., explicitly set
only id-token/write, contents/read or pages/write or other specific scopes
required by your deploy workflow), replacing the implicit defaults so the job
runs with least-privilege.

---

Outside diff comments:
In @.github/workflows/deploy-lexical-service-dev-push.yml:
- Around line 1-32: Add an explicit least-privilege permissions block at the
top-level of the workflow so the token only has read access for checkout/diff
detection and when invoking the reusable deploy job; update the workflow to
include a permissions: block (e.g., permissions: contents: read, actions: read)
and keep existing jobs check-to-deploy (steps using actions/checkout@v6 and
whutchinson98/diff-checker-action@v1.0.2) and deploy_lexical_service unchanged
so the reusable workflow call only runs with the scoped token.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6a5d7cf3-8ac4-4afa-a0bb-49e630cfe604

📥 Commits

Reviewing files that changed from the base of the PR and between d696b03 and 3666b0d.

📒 Files selected for processing (3)
  • .github/workflows/deploy-lexical-service-dev-push.yml
  • .github/workflows/deploy-lexical-service.yml
  • .github/workflows/release-production.yml

      - uses: whutchinson98/diff-checker-action@v1.0.2
        id: changes
        with:
          token: ${{ GITHUB.TOKEN }}

Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: locate invalid uppercase context usage in workflows
rg -nP '\$\{\{\s*GITHUB\.TOKEN\s*\}\}' .github/workflows

Repository: macro-inc/macro

Length of output: 239


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the specific workflow file
FILE=".github/workflows/deploy-lexical-service-dev-push.yml"

echo "=== workflow header (first 60 lines) ==="
nl -ba "$FILE" | head -n 60

echo
echo "=== uses: lines (to check pinned SHAs) ==="
rg -n --fixed-string "uses:" "$FILE" || true

echo
echo "=== permissions: block (if any) ==="
rg -n --fixed-string "permissions:" "$FILE" || true

echo
echo "=== check for any remaining invalid GITHUB.TOKEN usage in workflows ==="
rg -nP '\$\{\{\s*GITHUB\.TOKEN\s*\}\}' .github/workflows

Repository: macro-inc/macro

Length of output: 161


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/deploy-lexical-service-dev-push.yml"

echo "=== workflow header (first 60 lines) ==="
cat -n "$FILE" | head -n 60

echo
echo "=== uses: lines (pinned-by-SHA check requires inspecting each line) ==="
rg -n --fixed-string "uses:" "$FILE" || true

echo
echo "=== permissions: block (if any) ==="
rg -n --fixed-string "permissions:" "$FILE" || true

echo
echo "=== check for any remaining invalid GITHUB.TOKEN usage in workflows ==="
rg -nP '\$\{\{\s*GITHUB\.TOKEN\s*\}\}' .github/workflows

Repository: macro-inc/macro

Length of output: 2583


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILES=(
  ".github/workflows/deploy-lexical-service-dev-push.yml"
  ".github/workflows/deploy-web-app-dev-push.yml"
)

for FILE in "${FILES[@]}"; do
  echo "===== FILE: $FILE (first 220 lines) ====="
  cat -n "$FILE" | head -n 220
  echo
  echo "--- permissions: occurrences ---"
  rg -n "^\s*permissions:" "$FILE" || true
  echo
  echo "--- uses: lines ---"
  rg -n "^\s*- uses:\s*" "$FILE" || true
  echo
  echo "--- actions pinned to a SHA (40 hex) in this file ---"
  rg -n "^\s*- uses:\s*[^@]+@[0-9a-f]{40}\b" "$FILE" || true
  echo "========================================"
  echo
done

echo "=== invalid token context usage across workflows ==="
rg -nP '\$\{\{\s*GITHUB\.TOKEN\s*\}\}' .github/workflows

Repository: macro-inc/macro

Length of output: 3979


Fix invalid token context and harden workflow security

  • Update token: ${{ GITHUB.TOKEN }} in .github/workflows/deploy-lexical-service-dev-push.yml (line 21) to ${{ github.token }} (or ${{ secrets.GITHUB_TOKEN }}); same issue exists in .github/workflows/deploy-web-app-dev-push.yml (line 21).
    token: ${{ GITHUB.TOKEN }}
  • Pin actions/checkout@v6 and whutchinson98/diff-checker-action@v1.0.2 to commit SHAs (not version tags).
  • Add an explicit permissions: block with least-privilege to avoid default broad GITHUB_TOKEN scope.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-lexical-service-dev-push.yml at line 21, Update the
workflow to use the correct token context and harden permissions: replace the
invalid token expression "token: ${{ GITHUB.TOKEN }}" with "token: ${{
github.token }}" (or "token: ${{ secrets.GITHUB_TOKEN }}") where it appears, pin
the two actions "actions/checkout@v6" and
"whutchinson98/diff-checker-action@v1.0.2" to their exact commit SHAs instead of
tags, and add an explicit minimal "permissions:" block (e.g., read/write only
for the specific scopes needed) to the workflow so the GITHUB_TOKEN has least
privilege.

Comment on lines +14 to +17
      environment:
        required: true
        type: string
        description: The environment to deploy to. e.g. (dev, prod)

Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

ls -la .github/workflows || true
sed -n '1,120p' .github/workflows/deploy-lexical-service.yml

Repository: macro-inc/macro

Length of output: 3150


🏁 Script executed:

rg -n "uses:\s*.*deploy-lexical-service\.yml" -S .github/workflows
rg -n "environment:\s*(dev|prod)|inputs\.environment|CLOUDFLARE_API_TOKEN" -S .github/workflows/deploy-lexical-service*.yml

Repository: macro-inc/macro

Length of output: 1002


🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "uses:\s*.*deploy-lexical-service\.yml" -S .github/workflows || true
rg -n "uses:\s*\./?\.github/workflows/deploy-lexical-service\.yml" -S .github/workflows || true

rg -n "environment:\s*\\${{\\s*inputs\\.environment\\s*\\}}" -S .github/workflows || true
rg -n "with:\s*\\n(?:.*\\n)*?\\s*environment:" -S .github/workflows --glob '*deploy-lexical-service*.yml' || true

# Also inspect any reusable deploy invocations that might pass environment into this workflow.
rg -n "deploy-lexical-service\.yml.*environment|environment:.*deploy-lexical-service\.yml" -S .github/workflows || true

Repository: macro-inc/macro

Length of output: 597


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,120p' .github/workflows/release-production.yml
sed -n '1,120p' .github/workflows/deploy-lexical-service-dev-push.yml
sed -n '1,120p' .github/workflows/deploy-lexical-service.yml

# Look for any script/code that logs CLOUDFLARE_API_TOKEN
rg -n "CLOUDFLARE_API_TOKEN" -S js/lexical-service || true
rg -n "deploy-\$\{\{ inputs\.environment \}\}|deploy-\$\{.*inputs\.environment" -S .github/workflows/deploy-lexical-service.yml || true

Repository: macro-inc/macro

Length of output: 6041


Validate workflow_call input environment before interpolating it into run: bun run deploy-${{ inputs.environment }}.

.github/workflows/deploy-lexical-service.yml defines workflow_call.inputs.environment as an unconstrained string, which gets interpolated into a shell run: command. Even though current callers pass only dev/prod, the reusable workflow itself doesn’t enforce that, so unexpected values could enable command injection.

Safer pattern
   deploy:
     runs-on: ubuntu-latest
+    if: ${{ inputs.environment == 'dev' || inputs.environment == 'prod' }}
     steps:
@@
-      - name: Deploy to Cloudflare (${{ inputs.environment }})
+      - name: Deploy to Cloudflare (${{ inputs.environment }})
         working-directory: js/lexical-service
-        run: bun run deploy-${{ inputs.environment }}
+        run: |
+          case "${{ inputs.environment }}" in
+            dev|prod) bun run "deploy-${{ inputs.environment }}" ;;
+            *) echo "Invalid environment"; exit 1 ;;
+          esac
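Review bot: the `case` in the replacement `run:` block adds no protection beyond the job-level `if:` three lines above it, because both occurrences of `${{ inputs.environment }}` are still substituted into the script text before bash parses it; whatever the value contains is already shell syntax by the time `case` is evaluated, so the statement only filters values that were harmless anyway. The `if:` guard is the effective control here. For the step itself, pass the value through `env:` (for example `ENVIRONMENT: ${{ inputs.environment }}`) and reference `"$ENVIRONMENT"` in the script so the script text stays constant. Also note that the `type: choice` suggested in the prompt below is accepted only for workflow_dispatch inputs; workflow_call inputs are limited to boolean, number and string, so the `if:` (or the env-variable form) is what will actually enforce the allowlist.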
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-lexical-service.yml around lines 14 - 17, Constrain
and/or validate the workflow_call input to avoid shell interpolation injection:
change the workflow input definition for workflow_call.inputs.environment to use
a choice/enum (e.g. set type to choice and options to ["dev","prod"]) so only
allowed values are accepted, and ensure the run command that uses run: bun run
deploy-${{ inputs.environment }} only receives those validated values (or map
inputs.environment to a known-safe internal variable before interpolation);
update the input schema and the usage of inputs.environment in the run step
accordingly (references: workflow_call.inputs.environment and the run: bun run
deploy-${{ inputs.environment }} command).

Sources: Coding guidelines, Linters/SAST tools
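To make the interpolation point concrete, here is an added shell example (not code from the PR or the macro repository) that mimics what happens to `run: bun run deploy-${{ inputs.environment }}`: the value is spliced into the script text and only then parsed, which `eval` reproduces exactly. A `bun` shell function stands in for the real tool and simply reports its arguments; the `staging` and `dev; echo INJECTED` inputs are constructed, and the function names are this example's own. The hardened function shows the env-variable form, where the script text is constant and the allowlist is applied to a variable the shell expands as one quoted word.

```shell
#!/bin/sh
# Added example, not code from the PR or the macro repository. It reproduces the
# point of the review above: the runner substitutes `${{ inputs.environment }}`
# into the `run:` script text before the shell parses it, so shell syntax in the
# input becomes part of the command. `eval` does the same thing here: build the
# command text, then parse and run it. `bun` is a constructed stand-in that only
# reports what it was asked to run.

bun() { echo "bun-ran:$*"; }

# Vulnerable shape: the textual equivalent of
#   run: bun run deploy-${{ inputs.environment }}
# The value is pasted into the script, then the whole string is parsed.
run_interpolated() {
  script="bun run deploy-$1"
  eval "$script"
}

# Hardened shape: the shell-variable equivalent of
#   env:
#     ENVIRONMENT: ${{ inputs.environment }}
#   run: case "$ENVIRONMENT" in dev|prod) bun run "deploy-$ENVIRONMENT" ;; *) exit 1 ;; esac
# The script text is constant; the shell expands "$ENVIRONMENT" as one quoted
# word at run time, and the allowlist rejects anything but the two targets.
run_via_env() {
  ENVIRONMENT="$1"
  script='case "$ENVIRONMENT" in
            dev|prod) bun run "deploy-$ENVIRONMENT" ;;
            *) echo "invalid environment: $ENVIRONMENT" >&2; return 1 ;;
          esac'
  eval "$script"
}

# Constructed inputs: an expected target, an unexpected but harmless one, and a
# hostile one carrying a command separator.
hostile='dev; echo INJECTED'

echo "== interpolated, dev:";     run_interpolated dev
echo "== interpolated, staging:"; run_interpolated staging
echo "== interpolated, hostile:"; run_interpolated "$hostile"
echo "== env var, prod:";         run_via_env prod
echo "== env var, staging:";      run_via_env staging    || echo "rejected (exit $?)"
echo "== env var, hostile:";      run_via_env "$hostile" || echo "rejected (exit $?)"
```

Running it prints `bun-ran:run deploy-dev` followed by `INJECTED` for the interpolated hostile case, and `bun-ran:run deploy-staging` for the unexpected target, while the env-variable form exits 1 for both `staging` and the hostile value without calling bun at all. The same applies to any `${{ }}` expression pasted into `run:`, including `github.event.*` fields, which is why the shape of the fix matters more than validating this one input.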

Comment on lines +27 to +33
  deploy-lexical-service:
    name: Deploy Lexical Service
    uses: ./.github/workflows/deploy-lexical-service.yml
    with:
      environment: prod
    secrets:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

Contributor


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit job-level permissions for the reusable deploy call.

This newly added job inherits default GITHUB_TOKEN permissions. Set least-privilege permissions directly on this uses: job to reduce blast radius.

Proposed change
   deploy-lexical-service:
     name: Deploy Lexical Service
+    permissions:
+      contents: read
     uses: ./.github/workflows/deploy-lexical-service.yml
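Review bot: job-level `permissions` on a `uses:` job is the correct place for this, since the called workflow's jobs run with at most what the caller grants, but the committable suggestion should also carry the `needs:` gate requested further down in the thread (deploying only after deploy-cloud-storage), otherwise applying it as-is keeps the ungated deploy. `contents: read` is enough for the called workflow to check out the repository and run `bun run deploy-prod` with the passed CLOUDFLARE_API_TOKEN; if a later version of deploy-lexical-service.yml needs OIDC (`id-token: write`), that scope has to be added here as well as in the reusable workflow, because the callee cannot grant it to itself.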
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

  deploy-lexical-service:
    name: Deploy Lexical Service
    uses: ./.github/workflows/deploy-lexical-service.yml
    with:
      environment: prod
    secrets:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

  deploy-lexical-service:
    name: Deploy Lexical Service
    permissions:
      contents: read
    uses: ./.github/workflows/deploy-lexical-service.yml
    with:
      environment: prod
    secrets:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-33: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-production.yml around lines 27 - 33, The
deploy-lexical-service job currently inherits default GITHUB_TOKEN permissions;
add an explicit job-level permissions block on the deploy-lexical-service job
(the job whose key/name is "deploy-lexical-service" and which uses the reusable
workflow via "uses: ./.github/workflows/deploy-lexical-service.yml") and
restrict the GITHUB_TOKEN to only the minimum scopes the reusable workflow needs
(e.g., explicitly set only id-token/write, contents/read or pages/write or other
specific scopes required by your deploy workflow), replacing the implicit
defaults so the job runs with least-privilege.

Source: Linters/SAST tools
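The three hardening items raised here and in the earlier comment on the dev-push workflow (an explicit `permissions:` block, SHA-pinned actions, and no expression interpolated into `run:`) can be checked mechanically. Below is an added shell audit (not code from the PR, the macro repository, or zizmor) that greps a workflow file for those three conditions and reports each as a tagged line. It writes two constructed sample files modelled on the PR's workflows: a weak one that collapses the dev-push workflow and the reusable deploy step into a single file so all three findings appear, and a hardened one with the review's fixes applied. The 40-hex SHA in the hardened sample is a placeholder, not a real commit of either action, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or the macro repository: a small audit of
# one workflow file for the three findings raised in the review, roughly what
# zizmor's excessive-permissions and unpinned-uses checks report:
#   no-permissions-block   no `permissions:` key anywhere, so GITHUB_TOKEN gets
#                          the repository default scope
#   unpinned-action:REF    a third-party action referenced by tag instead of a
#                          40-hex commit SHA (local `./...` workflows are skipped)
#   expression-in-run:N    a single-line `run:` on line N containing `${{ ... }}`,
#                          i.e. an expression pasted into the shell script text
# Needs only grep and sed. It is line-based and does not parse YAML.

audit_workflow() {
  file="$1"

  grep -Eq '^[[:space:]]*permissions:' "$file" || echo "no-permissions-block"

  grep -Eo '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[^[:space:]#]+' "$file" \
    | sed -E 's/.*uses:[[:space:]]*//' \
    | while IFS= read -r ref; do
        case "$ref" in ./*) continue ;; esac          # local reusable workflow
        printf '%s\n' "$ref" | grep -Eq '@[0-9a-f]{40}$' || echo "unpinned-action:$ref"
      done

  grep -En '^[[:space:]]*run:.*[$][{][{]' "$file" \
    | sed -E 's/^([0-9]+):.*/expression-in-run:\1/'
}

# Constructed sample modelled on the PR's dev-push workflow, with the reusable
# workflow's deploy step folded in so all three findings show up in one file.
write_weak_sample() {
  cat > "$1" <<'EOF'
name: "Deploy lexical service dev on push to main"
on:
  push:
    branches: [main]
jobs:
  check-to-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: whutchinson98/diff-checker-action@v1.0.2
        id: changes
        with:
          token: ${{ github.token }}
  deploy_lexical_service:
    uses: ./.github/workflows/deploy-lexical-service.yml
    with:
      environment: dev
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Cloudflare
        working-directory: js/lexical-service
        run: bun run deploy-${{ inputs.environment }}
EOF
}

# The same file with the review's fixes applied. The SHA is a placeholder made
# of repeated hex digits, not a real commit of either action.
write_hardened_sample() {
  cat > "$1" <<'EOF'
name: "Deploy lexical service dev on push to main"
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  check-to-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6, placeholder SHA
      - uses: whutchinson98/diff-checker-action@0123456789abcdef0123456789abcdef01234567 # v1.0.2, placeholder SHA
        id: changes
        with:
          token: ${{ github.token }}
  deploy_lexical_service:
    permissions:
      contents: read
    uses: ./.github/workflows/deploy-lexical-service.yml
    with:
      environment: dev
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Cloudflare
        working-directory: js/lexical-service
        env:
          ENVIRONMENT: ${{ inputs.environment }}
        run: bun run "deploy-$ENVIRONMENT"
EOF
}

tmp=$(mktemp -d)
write_weak_sample "$tmp/weak.yml"
write_hardened_sample "$tmp/hardened.yml"
echo "== weak.yml";     audit_workflow "$tmp/weak.yml"
echo "== hardened.yml"; audit_workflow "$tmp/hardened.yml"
rm -rf "$tmp"
```

The weak sample yields four findings (the missing block, both unpinned actions, and the `run:` on line 23); the hardened sample yields none. Because the audit is line-based, a `run: |` block whose expression sits on a later line, or a `permissions:` key present only on one unrelated job, is not judged correctly, so treat it as a quick pre-review pass rather than a replacement for zizmor.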

          DD_API_KEY: ${{ secrets.DD_API_KEY }}
          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

  deploy-lexical-service:

Member


We should probably put this behind the same needs as the rest of the services. This way if services fail to build we dont accidentally deploy lexical service

Contributor Author


Done — gated on deploy-cloud-storage like the web app deploy.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@ehayes2000 ehayes2000 force-pushed the auto-deploy-lexical-service branch from 3666b0d to 20bbd20 Compare June 12, 2026 13:52
@whutchinson98

Member

testing
