chore(deploy): Build Edge on demand

[justin-tahara]

Description

Building Edge Images on demand

How Has This Been Tested?

Additional Options

• [Optional] Please cherry-pick this PR to the latest release version.
• [Optional] Override Linear Check

---

Summary by cubic

Adds a GitHub Actions workflow to trigger on-demand Edge image builds by pushing a tag to main. This enables ad-hoc builds via repository_dispatch without needing a PR or merge.

• New Features
  • New workflow .github/workflows/build-edge-on-demand.yml listens for repository_dispatch type build-edge-on-demand.
  • CI creates and pushes a tag using a deploy SSH key (so downstream tag-based workflows run). Tag is from client_payload.tag_name or auto-generated as nightly-latest-YYYYMMDD-HHMMSS (UTC).
  • On failure, sends a Slack alert via ./.github/actions/slack-notify using MONITOR_DEPLOYMENTS_WEBHOOK.

^{Written for commit b8a5caf. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[greptile-apps]

Greptile Summary

This PR adds a new GitHub Actions workflow (.github/workflows/build-edge-on-demand.yml) that allows triggering an Edge image build on demand via the repository_dispatch API event. It works by checking out main, creating a git tag (either caller-supplied or auto-generated as nightly-latest-<timestamp>), and pushing it — which in turn triggers the existing deployment.yml tag-push workflow that builds and publishes Docker images.

Key changes:

• New repository_dispatch-triggered workflow (build-edge-on-demand) with the ci-protected environment gate
• Tag creation logic mirrors tag-nightly.yml but accepts an optional caller-supplied tag name via client_payload.tag_name
• Slack failure notification reuses the existing slack-notify action

Issues found:

• ${{ github.event.client_payload.tag_name }} is interpolated directly into the shell script, creating a script-injection risk — the value should be passed via an env: block instead (P1)
• No duplicate-tag guard: unlike tag-nightly.yml, the workflow will fail outright if the same tag is dispatched twice, rather than skipping gracefully (P2)

Confidence Score: 4/5

• Mostly safe to merge, but the script-injection issue with unsanitized client_payload.tag_name should be addressed first.
• One P1 security finding (script injection via user-controlled payload interpolated directly into shell) warrants fixing before merge. The P2 duplicate-tag guard is a quality improvement. Both are straightforward to fix. The environment gate (ci-protected) partially mitigates the injection risk, but best practice is to eliminate it entirely.
• .github/workflows/build-edge-on-demand.yml — the Create and push tag step needs the injection fix.

Important Files Changed

Filename	Overview
.github/workflows/build-edge-on-demand.yml	New on-demand edge-build workflow triggered by repository_dispatch; has a script-injection risk from unsanitized client_payload interpolation and lacks a duplicate-tag guard present in the sibling nightly workflow.

Sequence Diagram

sequenceDiagram
    participant Caller as External Caller
    participant GH as GitHub API
    participant WF as build-edge-on-demand.yml
    participant Repo as Git Repository
    participant Deploy as deployment.yml

    Caller->>GH: POST /repos/.../dispatches<br/>{event_type: "build-edge-on-demand",<br/>client_payload: {tag_name: "..."}}
    GH->>WF: Trigger repository_dispatch
    WF->>Repo: checkout main (via SSH deploy key)
    WF->>WF: Resolve TAG_NAME<br/>(payload or nightly-latest-timestamp)
    WF->>Repo: git tag TAG_NAME
    WF->>Repo: git push origin TAG_NAME
    Repo-->>Deploy: Tag push event triggers deployment workflow
    Deploy->>Deploy: Build & push Docker images<br/>(EDGE_TAG=true if nightly-latest*)
    WF-->>Caller: Slack alert on failure

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: .github/workflows/build-edge-on-demand.yml
Line: 36

Comment:
**Script injection via `client_payload.tag_name`**

`${{ github.event.client_payload.tag_name }}` is interpolated directly into the shell script. This is a classic GitHub Actions script-injection vector: any user who can trigger `repository_dispatch` (i.e., anyone with repo write access) can supply a crafted `tag_name` such as `foo"; malicious_command; echo "` and have it executed in the runner's shell.

The fix is to pass the payload value through an `env:` block so it is treated as a data variable and never interpolated into the script text:

```suggestion
          TAG_NAME="${TAG_NAME_INPUT}"
```

Add a corresponding `env:` block to the step:

```yaml
        env:
          TAG_NAME_INPUT: ${{ github.event.client_payload.tag_name }}
```

This is the pattern recommended by GitHub's [security hardening guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections).

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: .github/workflows/build-edge-on-demand.yml
Line: 33-44

Comment:
**No duplicate tag guard**

Unlike `tag-nightly.yml`, this workflow has no check for an existing tag before calling `git tag "$TAG_NAME"`. If the same `tag_name` is dispatched twice (or if the auto-generated timestamp collides), `git tag` will exit non-zero and the push will never happen — the Slack alert will fire and the workflow will fail with a somewhat opaque error.

Consider adding a guard similar to the one in `tag-nightly.yml`:

```yaml
      - name: Check for existing tag
        id: check_tag
        run: |
          if git tag --list "$TAG_NAME" | grep -q .; then
            echo "Tag $TAG_NAME already exists — skipping."
            echo "tag_exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
          fi
```

Then gate the create/push steps on `steps.check_tag.outputs.tag_exists == 'false'`.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "chore(deploy): Build Edge on demand" | Re-trigger Greptile}

[greptile-apps]

Script injection via client_payload.tag_name

${{ github.event.client_payload.tag_name }} is interpolated directly into the shell script. This is a classic GitHub Actions script-injection vector: any user who can trigger repository_dispatch (i.e., anyone with repo write access) can supply a crafted tag_name such as foo"; malicious_command; echo " and have it executed in the runner's shell.

The fix is to pass the payload value through an env: block so it is treated as a data variable and never interpolated into the script text:

Suggested change

	if [ -z "$TAG_NAME" ]; then
	TAG_NAME="${TAG_NAME_INPUT}"

Add a corresponding env: block to the step:

        env:
          TAG_NAME_INPUT: ${{ github.event.client_payload.tag_name }}

This is the pattern recommended by GitHub's security hardening guide.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/build-edge-on-demand.yml
Line: 36

Comment:
**Script injection via `client_payload.tag_name`**

`${{ github.event.client_payload.tag_name }}` is interpolated directly into the shell script. This is a classic GitHub Actions script-injection vector: any user who can trigger `repository_dispatch` (i.e., anyone with repo write access) can supply a crafted `tag_name` such as `foo"; malicious_command; echo "` and have it executed in the runner's shell.

The fix is to pass the payload value through an `env:` block so it is treated as a data variable and never interpolated into the script text:

```suggestion
          TAG_NAME="${TAG_NAME_INPUT}"
```

Add a corresponding `env:` block to the step:

```yaml
        env:
          TAG_NAME_INPUT: ${{ github.event.client_payload.tag_name }}
```

This is the pattern recommended by GitHub's [security hardening guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections).

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

No duplicate tag guard

Unlike tag-nightly.yml, this workflow has no check for an existing tag before calling git tag "$TAG_NAME". If the same tag_name is dispatched twice (or if the auto-generated timestamp collides), git tag will exit non-zero and the push will never happen — the Slack alert will fire and the workflow will fail with a somewhat opaque error.

Consider adding a guard similar to the one in tag-nightly.yml:

      - name: Check for existing tag
        id: check_tag
        run: |
          if git tag --list "$TAG_NAME" | grep -q .; then
            echo "Tag $TAG_NAME already exists — skipping."
            echo "tag_exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
          fi

Then gate the create/push steps on steps.check_tag.outputs.tag_exists == 'false'.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/build-edge-on-demand.yml
Line: 33-44

Comment:
**No duplicate tag guard**

Unlike `tag-nightly.yml`, this workflow has no check for an existing tag before calling `git tag "$TAG_NAME"`. If the same `tag_name` is dispatched twice (or if the auto-generated timestamp collides), `git tag` will exit non-zero and the push will never happen — the Slack alert will fire and the workflow will fail with a somewhat opaque error.

Consider adding a guard similar to the one in `tag-nightly.yml`:

```yaml
      - name: Check for existing tag
        id: check_tag
        run: |
          if git tag --list "$TAG_NAME" | grep -q .; then
            echo "Tag $TAG_NAME already exists — skipping."
            echo "tag_exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
          fi
```

Then gate the create/push steps on `steps.check_tag.outputs.tag_exists == 'false'`.

How can I resolve this? If you propose a fix, please make it concise.

[github-actions]

🖼️ Visual Regression Report

Project	Changed	Added	Removed	Unchanged	Report
admin	8	0	0	158	View Report
exclusive	0	0	0	8	✅ No changes