Refactor deploy action to use helm upgrade via setup_combine.py

[Copilot]

The deploy action used kubectl set image which only swaps container images — helm chart configs (secrets, schedules, ingress settings, etc.) were never updated. QA configs had drifted since Oct 2024, production since Apr 2025.

Devin review: https://app.devin.ai/review/sillsdev/TheCombine/pull/4216

The deploy_qa workflow was successfully run from this branch: https://github.com/sillsdev/TheCombine/actions/runs/23814304234

Changes

.github/actions/combine-deploy-update/action.yml

• Replaced all kubectl set image steps with a call to deploy/scripts/setup_combine.py, which runs helm upgrade with full chart configuration
• Removed inputs: image_registry_alias, update_cert_proxy
• Added inputs: target (qa or prod) + all application secrets required by setup_combine.py
• Action now installs Helm, kubectl, and Python requirements before running the deploy script

.github/workflows/deploy_qa.yml / deploy_release.yml

• Pass target: qa / target: prod and all required secrets to the refactored action
• deploy_release.yml: simplified registry from public.ecr.aws + image_registry_alias: /thecombine to public.ecr.aws/thecombine

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Deployment doesn't update helm charts</issue_title>
<issue_description>Our deploy action uses kubectl set image (rather than helm upgrade with all needed configs), so the QA configs haven't been fully updated since Oct 2024, nor the production configs since Apr 2025.

TODO:

• Refactor .github/actions/combine-deploy-update to run deploy/scripts/setup_combine.py (possibly with modifications to the latter)
• Update .github/workflows/deploy_qa.yml and .github/workflows/deploy_release.yml accordingly
• Give clear directions for what repo secrets and environment variables need to be added or removed</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Deployment doesn't update helm charts #4211

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

This change is 

Summary by CodeRabbit

• Chores
  • Updated deployment infrastructure to use Helm for more consistent and reliable deployments across environments.
  • Simplified image registry configuration for cleaner deployment setup.
  • Enhanced deployment targeting with explicit environment selection (QA/Production).
  • Improved deployment logging for better visibility during update operations.

[github-actions]

⚠️ Commit Message Format Issues ⚠️
commit 50a6eec3ba:
4: B1 Line exceeds max length (100>80): "Agent-Logs-Url: https://github.com/sillsdev/TheCombine/sessions/4238e849-5ac8-431c-a4d0-5bb43d07616d"

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.94%. Comparing base (6aae02b) to head (5d9bc11).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4216   +/-   ##
=======================================
  Coverage   75.94%   75.94%           
=======================================
  Files         303      303           
  Lines       11352    11352           
  Branches     1403     1403           
=======================================
  Hits         8621     8621           
  Misses       2330     2330           
  Partials      401      401           

Flag	Coverage Δ
backend	87.23% <ø> (ø)
frontend	66.79% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5104459b-a4f9-4d7b-a3a6-4d0e4440effc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The deployment infrastructure migrates from direct kubectl set image commands to a Helm-based workflow. The .github/actions/combine-deploy-update action is refactored to invoke a Python deployment script that manages Helm upgrades, while inputs are expanded to include AWS credentials, application secrets, and a target parameter. Both QA and production workflows are updated to supply these new credentials and specify their deployment targets.

Changes

Cohort / File(s)	Summary
GitHub Actions deployment configuration .github/actions/combine-deploy-update/action.yml	Replaces per-component kubectl set image steps with a single Helm-based deployment via Python script. Adds 9 new inputs (AWS credentials/account/region, application secrets, helm_version, target) and removes image_registry_alias and update_cert_proxy. Adds Helm and kubectl installation steps.
Workflow definitions .github/workflows/deploy_qa.yml, .github/workflows/deploy_release.yml	Updates action calls with new secret/credential inputs (AWS access key/account/region, SMTP/JWT/CAPTCHA secrets, helm_version) and replaces update_cert_proxy parameter with target: qa or target: prod. Adds explicit naming to checkout steps.
Deployment automation deploy/scripts/setup_combine.py	Adds --non-interactive (-n) CLI flag to suppress prompts and AWS environment initialization when running in CI/CD environments.
Configuration and documentation deploy/ansible/vars/k3s_versions.yml, docs/deploy/README.md, README.md	Updates version variable comment to reference HELM_VERSION, documents new GitHub Actions CI/CD workflow with Helm upgrade process and self-hosted runner requirements, adds note on using --non-interactive in CI/CD.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant PythonScript as setup_combine.py
    participant Helm as Helm
    participant K8s as Kubernetes
    
    GHA->>GHA: Checkout code & install dependencies
    GHA->>Helm: Install Helm (helm_version)
    GHA->>K8s: Install kubectl
    GHA->>PythonScript: Execute with --context, --repo, --tag, --target
    PythonScript->>K8s: Set kubeconfig context
    PythonScript->>K8s: Retrieve current values (non-interactive mode)
    PythonScript->>Helm: helm upgrade with merged values
    Helm->>K8s: Apply Helm release to cluster
    K8s-->>Helm: Deployment status
    Helm-->>PythonScript: Release updated
    PythonScript-->>GHA: Deployment complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• [deploy] Use Helm's upgrade --install #4207 — Modifies Helm-based deployment flow including changes to deploy/scripts/setup_combine.py and Helm invocation patterns, directly related to this PR's Helm integration work.

Suggested labels

🟥High

Suggested reviewers

• jasonleenaylor

Poem

🐰 A Helm chart hops where kubectl once trod,
With secrets and credentials, no longer odd,
CI/CD pipelines now smoothly deploy,
Non-interactive runs bring DevOps joy! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title directly and clearly describes the main refactoring: replacing the deploy action with a helm-based approach using setup_combine.py, which is the primary change across all modified files.
Linked Issues check	✅ Passed	All coding objectives from issue #4211 are met: the action uses setup_combine.py for helm upgrade, workflows are updated with required secrets and target parameters, and deployment now applies full chart configuration.
Out of Scope Changes check	✅ Passed	All changes are directly related to the deployment refactoring objective. Minor documentation updates (README.md, docs/deploy/README.md) and version variable comments support the deployment changes and do not introduce unrelated functionality.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch copilot/fix-deployment-helm-charts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

deploy/scripts/setup_combine.py (2)

198-198: Consider unpacking for list construction (optional).

Static analysis suggests using [*helm_cmd, "--namespace", chart_namespace] instead of concatenation. This is a minor style preference for modern Python.

♻️ Optional refactor using unpacking

-            namespace_cmd = helm_cmd + ["--namespace", chart_namespace]
+            namespace_cmd = [*helm_cmd, "--namespace", chart_namespace]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/scripts/setup_combine.py` at line 198, The current list concatenation
that builds namespace_cmd from helm_cmd and ["--namespace", chart_namespace]
should be refactored to use list unpacking for clarity and modern Python style:
replace the expression that assigns namespace_cmd (which uses helm_cmd +
["--namespace", chart_namespace]) with an unpacking form that expands helm_cmd
into the new list and appends "--namespace" and chart_namespace; locate the
assignment to namespace_cmd and update it accordingly, keeping the same values
and order.

---

203-207: Consider unpacking for list construction (optional).

Similar to line 198, static analysis suggests unpacking instead of list concatenation.

♻️ Optional refactor using unpacking

                     logging.info(f"  Deleting chart: {chart}")
-                    delete_cmd = namespace_cmd + ["delete", chart]
+                    delete_cmd = [*namespace_cmd, "delete", chart]
                     if args.dry_run:
                         delete_cmd.append("--dry-run")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy/scripts/setup_combine.py` around lines 203 - 207, Replace the list
concatenation when building delete_cmd with list unpacking to match the pattern
used elsewhere: build delete_cmd by unpacking namespace_cmd and appending the
"delete" and chart elements (so subsequent conditional append of "--dry-run" and
the run_cmd(namespace_cmd) invocation remain unchanged); update the construction
near the existing namespace_cmd, delete_cmd, args.dry_run, chart, and run_cmd
usage accordingly to use unpacking rather than namespace_cmd + ["delete",
chart].

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@deploy/scripts/setup_combine.py`:
- Line 198: The current list concatenation that builds namespace_cmd from
helm_cmd and ["--namespace", chart_namespace] should be refactored to use list
unpacking for clarity and modern Python style: replace the expression that
assigns namespace_cmd (which uses helm_cmd + ["--namespace", chart_namespace])
with an unpacking form that expands helm_cmd into the new list and appends
"--namespace" and chart_namespace; locate the assignment to namespace_cmd and
update it accordingly, keeping the same values and order.
- Around line 203-207: Replace the list concatenation when building delete_cmd
with list unpacking to match the pattern used elsewhere: build delete_cmd by
unpacking namespace_cmd and appending the "delete" and chart elements (so
subsequent conditional append of "--dry-run" and the run_cmd(namespace_cmd)
invocation remain unchanged); update the construction near the existing
namespace_cmd, delete_cmd, args.dry_run, chart, and run_cmd usage accordingly to
use unpacking rather than namespace_cmd + ["delete", chart].

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 052b3ea2-04e3-4f46-8fc2-12d4e1526a5d

📥 Commits

Reviewing files that changed from the base of the PR and between e3b2c85 and 88f1411.

📒 Files selected for processing (6)

• .github/actions/combine-deploy-update/action.yml
• .github/workflows/deploy_qa.yml
• .github/workflows/deploy_release.yml
• deploy/ansible/vars/k3s_versions.yml
• deploy/scripts/helm_utils.py
• deploy/scripts/setup_combine.py

✅ Files skipped from review due to trivial changes (1)

• deploy/ansible/vars/k3s_versions.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/actions/combine-deploy-update/action.yml
• .github/workflows/deploy_qa.yml

[jasonleenaylor]

@jasonleenaylor reviewed 15 files and all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on copilot[bot]).