chore(cd): Refactor version update action and add new sandbox paths

[m1so]

Summary by CodeRabbit

• New Features

  • Configuration update actions now support updating multiple files and keys in a single operation.
  • Enhanced validation for file paths, key expressions, and version values (semver or commit SHA formats).

• Refactor

  • Consolidated input parameters for configuration updates to enable batch operations across staging and production environments.
  • Updated workflow structure to process multiple configuration updates more efficiently.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[linear]

BLU-5508 Update Toolkit CD pipeline to push its version to global Helm values

[github-actions]

📦 Python package built successfully!

• Version: 2.0.0.dev4+35fa17f
• Wheel: deepnote_toolkit-2.0.0.dev4+35fa17f-py3-none-any.whl
• Install:

  pip install "deepnote-toolkit @ https://deepnote-staging-runtime-artifactory.s3.amazonaws.com/deepnote-toolkit-packages/2.0.0.dev4%2B35fa17f/deepnote_toolkit-2.0.0.dev4%2B35fa17f-py3-none-any.whl"

[coderabbitai]

📝 Walkthrough

Walkthrough

The action replaces separate version_key and values_yaml inputs with a unified versions input accepting multiple --file "path" --key ".expr" --value "ver" specifications. Input parsing converts this multi-line format into parallel arrays of file paths, keys, and values. Per-entry validation checks file path format, key expressions, and value semver/SHA compliance. The action iterates through these arrays to perform multiple yq-based updates via octopilot. The CD workflow is updated to supply multiple version specifications for staging and production deployments across various configuration files.

Sequence Diagram

sequenceDiagram
    participant Workflow as CD Workflow
    participant Action as update-config-version
    participant Parser as Input Parser
    participant Validator as Entry Validator
    participant Iterator as Multi-entry Iterator
    participant yq as yq Update Engine
    participant Octopilot as Octopilot

    Workflow->>Action: Call action with versions input<br/>(multi-line format)
    Action->>Parser: Parse versions input
    Parser->>Parser: Split by lines &<br/>extract --file --key --value
    Parser->>Action: Return FILE_PATHS, VERSION_KEYS,<br/>VERSION_VALUES arrays
    Action->>Validator: Validate each entry
    Validator->>Validator: Check file path format<br/>(no traversal, .yaml/.yml)
    Validator->>Validator: Check key format<br/>(yq expression)
    Validator->>Validator: Check value format<br/>(semver or SHA)
    Validator->>Action: Validation complete
    Action->>Iterator: Iterate through arrays
    Iterator->>yq: For each entry: perform<br/>yq update on file
    yq->>yq: Update configuration value
    Iterator->>Octopilot: Apply all per-entry<br/>yq expressions
    Octopilot->>Octopilot: Commit changes with<br/>first entry metadata
    Octopilot->>Workflow: Return completion status

Loading

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: refactoring the version update action and adding sandbox paths to the CD pipeline.
Linked Issues check	✅ Passed	The changes update the CD pipeline to support pushing the Toolkit version to global Helm values via the refactored action, fulfilling the BLU-5508 requirement.
Out of Scope Changes check	✅ Passed	All changes focus on the version update action refactoring and applying it to additional paths (sandbox, multi-tenant staging/production), directly supporting the stated objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.28%. Comparing base (2028d60) to head (a301baa).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #60   +/-   ##
=======================================
  Coverage   73.28%   73.28%           
=======================================
  Files          93       93           
  Lines        5199     5199           
  Branches      757      757           
=======================================
  Hits         3810     3810           
  Misses       1147     1147           
  Partials      242      242           

Flag	Coverage Δ
combined	73.28% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[deepnote-bot]

🚀 Review App Deployment Started

📝 Description	🌐 Link / Info
🌍 Review application	ra-60
🔑 Sign-in URL	Click to sign-in
📊 Application logs	View logs
🔄 Actions	Click to redeploy
🚀 ArgoCD deployment	View deployment
⏰ Last deployed	2026-01-27 14:52:32 (UTC)
📜 Deployed commit	a041b4d2eda24f8fd80bac78e5b2cbeef777e48e
🛠️ Toolkit version	35fa17f

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/actions/update-config-version/action.yml:
- Around line 196-209: Ensure all entries in VERSION_VALUES are identical before
using the first value in git_commit_body: iterate over VERSION_VALUES (the array
populated earlier) and compare each element to VERSION_VALUES[0]; if any differ,
print an error like "ERROR: Conflicting version values" and exit non-zero. Only
after this validation set VERSION_VALUE="${VERSION_VALUES[0]}" and use it in
git_commit_body (keep existing references to ENV and RELEASE_NAME).
- Around line 177-182: The current strict regex validating the variable named
key rejects valid yq paths (e.g., .foo["bar-baz"], .items[0], .foo-bar); replace
the regex check in the action.yml validation block with a looser rule: assert
the string starts with a dot (.) and disallow single-quote characters for shell
safety, but otherwise allow any characters used by yq (including brackets,
quotes, hyphens and digits). Update the validation around the key variable (the
block that currently uses the ^\.?[a-zA-Z0-9_]+... regex) to implement "must
start with '.'" and "must not contain '\''" checks instead of the existing
restrictive pattern so yq-compatible paths are accepted.