This repository was archived by the owner on Sep 30, 2025. It is now read-only.

fix: update cd (add missing env) #16

Merged: TN19N merged 3 commits into main from 15-fix-cd on Sep 2, 2025

@TN19N TN19N commented Sep 2, 2025

Summary by CodeRabbit

  • Chores
    • Prevents overlapping production deployments by canceling in-progress runs.
    • Deployments now push both latest and commit-SHA–tagged images for predictable rollouts.
    • Cloud Run now reads a configurable email-client timeout environment setting to improve reliability.
    • Minor deployment config syntax and step identifiers updated; no changes to app functionality or UI.

@TN19N TN19N linked an issue Sep 2, 2025 that may be closed by this pull request
@TN19N TN19N self-assigned this Sep 2, 2025

coderabbitai bot commented Sep 2, 2025

Walkthrough

Replaces permissions-based protection with a concurrency policy, tags and pushes Docker images (latest and SHA), sets step IDs, switches Cloud Run flag quoting to double quotes, and adds SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT to Cloud Run env_vars in .github/workflows/cd.yml. No other logic changed.

Changes

| Cohort / File(s) | Summary of Changes |
|---|---|
| GitHub Actions workflow: CI/CD updates (.github/workflows/cd.yml) | Replaced permissions-based protection with concurrency (group: cd-${{ github.ref }}, cancel-in-progress: true); added step IDs (id: setup-buildx, id: deploy); updated Docker image tagging to push two tags (latest and SHA) via multi-line tags; Cloud Run deploy uses the SHA-tagged image; added SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT to env_vars (sourced from SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT); changed Cloud Run flags quoting from single to double quotes. |

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Buildx as Docker Buildx
    participant Registry as Container Registry
    participant CloudRun as Google Cloud Run

    rect rgba(135,206,250,0.12)
    GH->>Buildx: setup-buildx (id: setup-buildx)
    Buildx->>Registry: build & push image (tags: latest, SHA)
    end

    rect rgba(144,238,144,0.12)
    GH->>CloudRun: deploy (id: deploy) with SHA-tagged image\nenv: SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT
    CloudRun-->>GH: deployment result
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hop through YAML rows so neat,
Tags and IDs beneath my feet.
Concurrency keeps overlaps few,
Timeouts set — subscriptions queue.
A carrot-built image sails away, hooray! 🥕


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc996b9 and ae8275b.

📒 Files selected for processing (1)
  • .github/workflows/cd.yml (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/cd.yml

@TN19N TN19N added the "bug" label (Something isn't working) Sep 2, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/cd.yml (2)

63-65: Fix missing step id: outputs reference will be empty/broken

You echo steps.deploy.outputs.url but the deploy step has no id. Add id: deploy to the Cloud Run step.

-      - name: Deploy to Google Cloud Run
+      - name: Deploy to Google Cloud Run
+        id: deploy
         uses: google-github-actions/deploy-cloudrun@v2
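Review bot: The context line `uses: google-github-actions/deploy-cloudrun@v2` refers to the action by a movable version tag, so the code that performs the Cloud Run deploy can change without any change to this file. Pin it to a full commit SHA and keep the version as a trailing comment, in the form `uses: google-github-actions/deploy-cloudrun@<full-commit-sha> # v2`.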
@@
-      - name: Deployment URL
-        run: 'echo "${{ steps.deploy.outputs.url }}"'
+      - name: Deployment URL
+        run: 'echo "${{ steps.deploy.outputs.url }}"'
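Review bot: The removed and added lines for the Deployment URL step are identical, so this half of the suggestion changes nothing and can be dropped; only the `id: deploy` addition is needed. If the step is touched anyway, map the URL under `env:` and echo the shell variable rather than expanding `${{ steps.deploy.outputs.url }}` inside the script text.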

Also applies to: 85-86


23-25: Buildx outputs used without step id

steps.setup-buildx.outputs.name is referenced but the Buildx step lacks id: setup-buildx. Add it or update the reference.

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Set up Docker Buildx
+        id: setup-buildx
+        uses: docker/setup-buildx-action@v3
@@
-          builder: ${{ steps.setup-buildx.outputs.name }}
+          builder: ${{ steps.setup-buildx.outputs.name }}

Also applies to: 36-37

🧹 Nitpick comments (4)
.github/workflows/cd.yml (4)

83-83: Confirm units and presence for SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT

Is this value expected in ms or seconds? Cloud Run passes strings; ensure the app parses the correct unit and that the repo variable is set in prod. Optionally add a preflight check to fail fast if missing.

+      - name: Validate required variables
+        run: |
+          [ -n "${{ vars.SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT }}" ] || { echo "SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT not set"; exit 1; }
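Review bot: `${{ vars.SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT }}` is expanded into the script text before the shell runs, so a value containing a double quote or `$(...)` is parsed as shell instead of being tested as data. Map the variable under `env:` on the step and test `[ -n "$SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT" ]`. The check also accepts any non-empty string, so a non-numeric value still passes.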

47-55: Tag images with commit SHA to enable deterministic rollbacks

Using only :latest makes rollbacks and audits harder. Push a SHA tag and deploy that.

       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           push: true
-          tags: ${{ vars.DOCKER_USERNAME }}/subscriptions:latest
+          tags: |
+            ${{ vars.DOCKER_USERNAME }}/subscriptions:latest
+            ${{ vars.DOCKER_USERNAME }}/subscriptions:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@
-          image: ${{ vars.DOCKER_USERNAME }}/subscriptions:latest
+          image: ${{ vars.DOCKER_USERNAME }}/subscriptions:${{ github.sha }}
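Review bot: The new `image:` line still deploys by tag, and a registry tag named after `${{ github.sha }}` can be pushed again to point at a different image, so the rollback and audit benefit holds only while nobody overwrites it. Give the build step an `id` and deploy by the digest it reports, in the form `${{ vars.DOCKER_USERNAME }}/subscriptions@${{ steps.<build-step-id>.outputs.digest }}`.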

Also applies to: 68-68


9-13: Prevent overlapping deploys

Add GitHub Actions concurrency to avoid concurrent prod deployments on rapid pushes.

 jobs:
   deploy:
     runs-on: ubuntu-latest
     environment: production
+    concurrency:
+      group: cd-${{ github.ref }}
+      cancel-in-progress: true
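Review bot: `cancel-in-progress: true` on the `production` job lets a new push cancel a run that is already partway through deploying, which leaves it unclear what actually reached production. For a deploy job, `cancel-in-progress: false` makes the newer run wait for the running one instead.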

14-18: Permissions/auth alignment

You’re using a JSON key (credentials_json). id-token: write isn’t needed unless using Workload Identity Federation. Either remove that permission or migrate to WIF.

Also applies to: 57-62

📥 Commits

Reviewing files that changed from the base of the PR and between 48dca77 and 5d68e4d.

📒 Files selected for processing (1)
  • .github/workflows/cd.yml (1 hunks)


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/cd.yml (1)

13-16: Consider a simpler, branch-agnostic concurrency group.

Current grouping is per ref. If you want to strictly serialize all prod deploys (push and manual), use a static group.

-    concurrency:
-      group: cd-${{ github.ref }}
-      cancel-in-progress: true
+    concurrency:
+      group: cd-production
+      cancel-in-progress: true

📥 Commits

Reviewing files that changed from the base of the PR and between 5d68e4d and cc996b9.

📒 Files selected for processing (1)
  • .github/workflows/cd.yml (4 hunks)
🔇 Additional comments (4)
.github/workflows/cd.yml (4)

23-23: Good: step id added for reuse.

This enables referencing the builder name reliably in later steps.


66-66: Good: step id on deploy.

Enables clean retrieval of outputs like the service URL.


71-73: LGTM: deploy immutable SHA tag with explicit flag.

Using the SHA tag avoids “latest” drift; flag quoting is correct.


86-86: Verify var existence and units for TIMEOUT.

Confirm the org/repo variable SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT exists and that its unit matches the app’s expectation (e.g., ms vs s) to prevent misconfigured timeouts at runtime.
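
A fail-fast preflight of the kind the review asks for twice (the "Confirm units and presence" nitpick and the "Verify var existence and units" comment), as an added example that is not code from this repository or from CodeRabbit. The function name `validate_timeout`, the millisecond unit and the 100..120000 bounds are assumptions; the PR does not state the unit.

```shell
#!/bin/sh
# Preflight validation for a numeric timeout variable before deploying.
# Assumption: the app expects whole milliseconds. Bounds are illustrative.

# validate_timeout NAME VALUE MIN MAX
# Returns 0 when VALUE is a plain integer within MIN..MAX,
# 1 when it is empty, 2 when it is not digits only, 3 when out of range.
validate_timeout() {
  vt_name=$1 vt_value=$2 vt_min=$3 vt_max=$4
  if [ -z "$vt_value" ]; then
    echo "$vt_name is not set" >&2
    return 1
  fi
  case $vt_value in
    *[!0-9]*)
      # Rejects unit suffixes ("5s"), signs, spaces and shell metacharacters.
      echo "$vt_name must be digits only" >&2
      return 2
      ;;
  esac
  # The length cap keeps the integer comparisons below from overflowing.
  if [ "${#vt_value}" -gt 9 ] ||
     [ "$vt_value" -lt "$vt_min" ] ||
     [ "$vt_value" -gt "$vt_max" ]; then
    echo "$vt_name=$vt_value is outside $vt_min..$vt_max; check the unit" >&2
    return 3
  fi
  return 0
}

# In a workflow step the value would arrive through the step's env: mapping
# and be passed as "$SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT", never expanded
# into the script text. The values below are constructed samples.
for sample in 5000 30 5s ""; do
  validate_timeout SUBSCRIPTIONS__EMAIL_CLIENT__TIMEOUT "$sample" 100 120000 \
    2>/dev/null && rc=0 || rc=$?
  echo "value='$sample' -> exit $rc"
done
```

The lower bound is what catches a unit mix-up: a value of 30, plausible as seconds, fails the millisecond range instead of silently becoming a 30 ms timeout.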

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@TN19N TN19N merged commit 702e021 into main Sep 2, 2025
2 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Sep 4, 2025