
harden bump version #2210

Merged
ofek1weiss merged 1 commit into master from app-1003-bump-version on Apr 26, 2026

Conversation

ofek1weiss (Contributor) commented Apr 26, 2026

Summary by CodeRabbit

  • Chores
    • Strengthened security of the release workflow through implementation of least-privilege permissions and pinned dependency versions.
    • Improved version validation logic and release process stability.

linear Bot commented Apr 26, 2026

APP-1003 bump version

github-actions (Contributor) commented Apr 26, 2026
👋 @ofek1weiss
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

coderabbitai Bot commented Apr 26, 2026

📝 Walkthrough

The GitHub Actions workflow for version bumping is enhanced with explicit least-privilege permissions, improved version validation using regex-matching instead of sed extraction, consistent environment variables, pinned action commit SHAs for reproducibility, and adjusted job dependencies to use validated version outputs.

Changes

Cohort / File(s): GitHub Actions Workflow Security & Logic, .github/workflows/bump-version.yml
Summary: Added explicit least-privilege permissions (permissions: {} top-level with granular job permissions), replaced sed-based version extraction with regex-matching, introduced environment variables for consistency, pinned GitHub Actions to specific commit SHAs, added job dependency (create-pr depends on validate-version), and refined failure conditions for DBT validation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 A rabbit hops through workflows with care,
Least privileges granted, permissions to spare,
SHAs pinned tight, validation precise,
No version shall pass without paying the price!
Security strengthened, dependencies clear—
The bump workflow's better, hip-hip-hooray, my dear! 🥕

🚥 Pre-merge checks: 5 passed
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'harden bump version' directly reflects the main changes: adding security hardening to the bump-version workflow through least-privilege permissions, commit SHA pinning, and validation improvements.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/bump-version.yml (1)

89-98: Redundant conditional steps can be consolidated.

Both "Bump version for package (using input)" and "Bump version for package (using default)" execute identical sed commands since DBT_PACKAGE_VERSION is already set with fallback logic at line 74. These two conditional steps can be merged into a single unconditional step.

♻️ Proposed consolidation
       - name: Bump version for package (using input)
-        if: ${{ needs.validate-version.outputs.validated-dbt-package-version != ''}}
-        run: |
-          sed -i "s/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/version: $DBT_PACKAGE_VERSION/" ./elementary/monitor/dbt_project/packages.yml
-          sed -i "s/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/version: $DBT_PACKAGE_VERSION/" ./docs/_snippets/quickstart-package-install.mdx
-      - name: Bump version for package (using default)
-        if: ${{ needs.validate-version.outputs.validated-dbt-package-version == ''}}
+      - name: Bump version for package
         run: |
           sed -i "s/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/version: $DBT_PACKAGE_VERSION/" ./elementary/monitor/dbt_project/packages.yml
           sed -i "s/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/version: $DBT_PACKAGE_VERSION/" ./docs/_snippets/quickstart-package-install.mdx
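Review bot: merging the two steps is fine only if the fallback value that lands in DBT_PACKAGE_VERSION is checked the same way as the input. Both branches interpolate $DBT_PACKAGE_VERSION unescaped into the sed replacement, where `/`, `&` and `\` are special, and the `== ''` branch runs on a value that nothing in this hunk shows being validated. Suggest validating the merged value once where the fallback is assigned, or adding a guard such as `[[ "$DBT_PACKAGE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1` before the two sed lines. Also, the pattern has no start anchor, so any line in either file that ends in `version: X.Y.Z` is rewritten; that is presumably intended for these two files but is worth a comment in the step.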
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bump-version.yml around lines 89 - 98, Consolidate the two
identical steps "Bump version for package (using input)" and "Bump version for
package (using default)" into a single step (e.g., "Bump version for package")
by removing the conditional checks that reference
needs.validate-version.outputs.validated-dbt-package-version and leaving a
single run block with the two sed commands that update packages.yml and
quickstart-package-install.mdx using the already-populated DBT_PACKAGE_VERSION;
this removes duplication while preserving behavior because DBT_PACKAGE_VERSION
is set with fallback logic earlier.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c7ede34-d6d6-49e0-bcb5-2e3ff7d96b1b

📥 Commits

Reviewing files that changed from the base of the PR and between d3149ff and 5292c56.

📒 Files selected for processing (1)
  • .github/workflows/bump-version.yml
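The validate-then-substitute pattern the walkthrough describes (regex-matching instead of sed extraction) and the "input or default" fallback the nitpick refers to, as an added shell example that is not the project's workflow code: the function names, the single-file demo and the sample packages.yml contents are assumptions, and only the `version: X.Y.Z` line format and the sed pattern are taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not the project's own workflow code. It shows the pattern the
# walkthrough describes: validate a version with a regex before it reaches sed,
# resolve "input or default" once (the fallback logic the nitpick refers to,
# assumed here), and only then rewrite "version: X.Y.Z" lines in a file.
set -eu

# Accept only strict MAJOR.MINOR.PATCH. A value that passes cannot contain the
# characters that are special in a sed replacement ('/', '&', '\') or a newline.
validate_version() {
  local v="$1" nl
  nl="$(printf '\n.')"; nl="${nl%.}"
  case "$v" in *"$nl"*) return 1 ;; esac
  printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Pick the explicit input when given, otherwise the default, and validate the
# chosen value exactly once so both paths are checked the same way. Prints the
# version on success, fails with a message on stderr otherwise.
resolve_version() {
  local input="$1" default="$2" v
  if [ -n "$input" ]; then v="$input"; else v="$default"; fi
  if ! validate_version "$v"; then
    echo "invalid version: $v" >&2
    return 1
  fi
  printf '%s\n' "$v"
}

# Rewrite every line ending in "version: X.Y.Z" in FILE to the new version.
# The value is re-validated so this function is safe even if called directly.
# Written via a temp file instead of 'sed -i' so it also works on BSD sed.
bump_file() {
  local version="$1" file="$2"
  validate_version "$version"
  sed "s/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/version: $version/" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Read the first "version: X.Y.Z" value back out of FILE.
current_version() {
  sed -n 's/^ *version: \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p' "$1" | head -n 1
}

# Demo on a constructed packages.yml (sample data, not the project's file):
# no input is given, so the default 0.16.0 is chosen and written into the file.
demo() {
  local dir v
  dir="$(mktemp -d)"
  cat > "$dir/packages.yml" <<'EOF'
packages:
  - package: elementary-data/elementary
    version: 0.15.1
EOF
  v="$(resolve_version "" "0.16.0")"
  bump_file "$v" "$dir/packages.yml"
  current_version "$dir/packages.yml"
  rm -rf "$dir"
}
```

Because validate_version rejects anything outside strict X.Y.Z, the value can be interpolated into the sed replacement without escaping. If the workflow's default can come from anywhere other than a literal in the YAML, run it through the same check before the bump step rather than relying on the `if:` conditions alone.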

ofek1weiss merged commit cf5fcb3 into master Apr 26, 2026
10 of 24 checks passed
ofek1weiss deleted the app-1003-bump-version branch April 26, 2026 12:27
GuyEshdat added a commit to elementary-data/dbt-data-reliability that referenced this pull request Apr 26, 2026
GuyEshdat added a commit to elementary-data/dbt-data-reliability that referenced this pull request Apr 26, 2026
GuyEshdat added a commit to elementary-data/dbt-data-reliability that referenced this pull request Apr 26, 2026
GuyEshdat added a commit to elementary-data/dbt-data-reliability that referenced this pull request Apr 26, 2026
* harden remind-docs-and-tests workflow
- SHA-pin wow-actions/auto-comment@v1
- deny GITHUB_TOKEN by default, grant pull-requests:write to the comment job
* match elementary-data/elementary#2210 SHA-pin comment convention