ADFA-3269 share nightly release to private telegram

[hal-eisen-adfa]

No description provided.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 22cf2e53-f55d-48d7-85e6-2f3bfb398756

📥 Commits

Reviewing files that changed from the base of the PR and between deafbbd and 20fdd30.

📒 Files selected for processing (2)

• .github/workflows/release.yml
• scripts/cloudflare-r2-upload.py

---

📝 Walkthrough

Release Notes - ADFA-3269: Share Nightly Release to Private Telegram

Changes

• Infrastructure: Replaced SSH-based asset transfer with direct Cloudflare R2 cloud storage integration
• Upload Method: New scripts/cloudflare-r2-upload.py handles APK uploads to Cloudflare R2 via S3-compatible endpoint with:
  • Environment variable validation for Cloudflare credentials (CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_KEY_ID, CLOUDFLARE_SECRET_ACCESS_KEY)
  • Boto3 S3 client with configurable timeouts (300s read, 60s connect) and 10 retry attempts
  • Dynamic variant-based filename generation (e.g., app-v8.apk, app-v7.apk) to support multiple CPU architectures
  • Progress tracking with 10% interval callbacks showing upload percentage and MB transferred
  • Automatic Content-Type header for APK files
• Notifications: Added Telegram notifications to send APK download links and recent commit history to private telegram chat
  • Uses TELEGRAM_TOKEN and TELEGRAM_EARLY_ACCESS_CHAT_ID from secrets/variables
  • Includes 24-hour git log or "(no commits in the last 24 hours)" fallback
  • Download URL constructed as https://download.appdevforall.org/{APK_FILENAME}
  • Message capped at 4096 characters (Telegram API limit)
• Build Integration: Replaced manual SSH setup with automated uv Python runner for seamless dependency management

Risks & Best Practices Violations

⚠️ Security & Credential Management:

• Cloudflare R2 credentials passed via environment variables must be stored as GitHub secrets; ensure CLOUDFLARE_SECRET_ACCESS_KEY is marked as sensitive
• Telegram token (TELEGRAM_TOKEN) stored as secret—verify access is restricted to necessary workflows only
• No validation that file upload was successful; boto3 upload_file() may silently fail in edge cases

⚠️ Error Handling & Resilience:

• Telegram curl request uses -s flag which suppresses error output; notification failures won't be surfaced if API is unreachable
• No timeout specified on Telegram API calls—could hang indefinitely if API is slow
• Two separate Telegram notification steps create redundancy risk; consider consolidating or adding guards to prevent duplicate messages
• Message truncation to 4096 chars happens silently—important commit info could be lost without user awareness

⚠️ Code Quality Issues:

• Hardcoded bucket name "apk-repo" in script requires code change if bucket name needs to be updated
• Progress callback uses mutable list closure pattern (_seen_so_far, _last_printed_pct) instead of cleaner state management
• No structured logging format for upload progress; raw prints to stdout may clutter CI logs
• 10% interval progress reporting could be excessive for small files or too sparse for very large uploads

⚠️ Testing Recommendations:

1. Verify Cloudflare R2 credentials have PutObject permission on apk-repo bucket
2. Test Telegram notification delivery with production bot credentials in staging environment before release
3. Validate variant filename generation works for all build variants (v7, v8, and any future variants)
4. Confirm download URL format works with actual CDN/reverse proxy at https://download.appdevforall.org/
5. Test upload with various APK file sizes to confirm progress tracking and timeouts are appropriate
6. Verify that Slack notification still works correctly alongside new Telegram notifications

Walkthrough

This pull request replaces the SSH-based asset transfer mechanism with direct Cloudflare R2 uploads in the release workflow, introduces a new Python script for S3-compatible uploads, and adds Telegram notifications for build alerts alongside existing Slack messaging.

Changes

Cohort / File(s)	Summary
Release Workflow .github/workflows/release.yml	Removed SSH key setup block and replaced with uv installation and Cloudflare R2 upload step. Added two Telegram notification steps to alert about release APK and recent commits.
Cloudflare R2 Upload Script scripts/cloudflare-r2-upload.py	New Python script that uploads files to Cloudflare R2 via boto3 S3 client. Validates required environment variables, derives destination paths from variant names, and provides upload progress tracking with lifecycle messages.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant UV as uv Runtime
    participant R2 as Cloudflare R2
    participant TG as Telegram API
    
    GHA->>UV: Install & run cloudflare-r2-upload.py
    UV->>R2: Validate credentials & connect
    R2-->>UV: S3 endpoint ready
    UV->>R2: Upload APK with progress tracking
    R2-->>UV: Upload complete
    UV-->>GHA: Return success
    GHA->>TG: Send release notification
    TG-->>GHA: Notification sent

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• ADFA-3269 Share nightly release build with private Telegram channel #1073: Implements the identical Cloudflare R2 upload replacement, Python script, and Telegram notification changes to the release workflow.
• Restore ssh key in release.yml #793: Directly conflicts with this PR as it restores SSH key setup that this PR removes in favor of R2 uploads.

Suggested reviewers

• MadaraMods

Poem

🐰 A rabbit hops through clouds so fair,
No SSH keys floating in the air!
To Cloudflare R2, files now soar,
While Telegram chirps forevermore! 📱✨

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ADFA-3269-Share-nightly-release-to-private-Telegram

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can disable poems in the walkthrough.

Disable the reviews.poem setting to disable the poems in the walkthrough.