
[Fixes: mosip/mosip-infra#1874] Add WireGuard onboarding workflow in master #252

Open

Ivanmeneges wants to merge 7 commits into master from Ivanmeneges-patch-5

Conversation


@Ivanmeneges Ivanmeneges commented Jun 17, 2026


…master

This workflow automates the onboarding of WireGuard environments by allocating peers and publishing them as GitHub environment secrets. It includes steps for SSH key handling and committing peer allocations if changes occur.

Summary by CodeRabbit

Release Notes

  • New Features
    • Added a manually triggered GitHub Actions workflow to onboard a new WireGuard environment through self-service.
    • Supports configurable inputs such as environment name, jumpserver host, SSH credential secret, WireGuard directory, and allowed IPs, with an optional ticket reference.
    • Provides a default dry-run mode to validate before applying changes.
    • When dry-run is disabled, it updates configuration, creates a signed commit, and pushes it to the current branch.

…master

This workflow automates the onboarding of WireGuard environments by allocating peers and publishing them as GitHub environment secrets. It includes steps for SSH key handling and committing peer allocations if changes occur.

Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>

coderabbitai Bot commented Jun 17, 2026



Warning

Review limit reached

@Ivanmeneges, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 12 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ba03287d-2414-4451-98ee-675f89161ae1

📥 Commits

Reviewing files that changed from the base of the PR and between 6b4e140 and 4cfd8ab.

📒 Files selected for processing (1)
  • .github/workflows/wg-onboard.yml

Walkthrough

A new workflow_dispatch-only GitHub Actions workflow (wg-onboard.yml) is added. It accepts typed inputs for environment name, jumpserver host, SSH key secret, and optional fields. It materializes and validates the SSH key, invokes wg-onboard.sh, and conditionally commits changes to wg-peer-allocation.tsv when DRY_RUN is false.

Changes

WireGuard Onboarding Workflow

Layer / File(s) / Summary
  • Workflow declaration and repo checkout (.github/workflows/wg-onboard.yml): Declares workflow_dispatch inputs (env name, jumpserver host, optional ticket/dir/allowed IPs, DRY_RUN defaulting to true), sets permissions: contents: read, configures concurrency grouping by ENV_NAME, and checks out the repository with a PAT, credential persistence disabled.
  • SSH key materialization, validation, and script execution (.github/workflows/wg-onboard.yml): Writes the SSH private key to a temporary file, strips CR characters, locks down permissions to 600, validates with ssh-keygen, constructs the argument array for wg-onboard.sh from workflow inputs and repo context, conditionally appends --ticket and --dry-run, invokes the script, and cleans up the key file unconditionally.
  • Conditional tracker update and push (.github/workflows/wg-onboard.yml): Gated on DRY_RUN == false: pulls with --rebase on the current branch, detects changes to wg-peer-allocation.tsv, commits with sign-off only if changes exist, and pushes to the current branch via HTTPS using the PAT token.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • mosip/infra#247: Introduces the wg-onboard.sh script that this workflow directly invokes, including the --dry-run flag and wg-peer-allocation.tsv manipulation.
  • mosip/infra#249: Contains a corresponding or earlier version of the same wg-onboard.yml workflow with the same SSH key writing, script invocation, and conditional commit/push structure.

Poem

🐇 Hoppity-hop, a new workflow appears,
WireGuard peers onboarded without tears!
The jumpserver key is written with care,
--dry-run guards us from changes laid bare.
When all looks good, we commit and we push —
No manual steps, just a bunny's soft whoosh! 🌐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly references the GitHub issue (mosip/mosip-infra#1874) and accurately describes the main change: adding a WireGuard onboarding workflow to the master branch.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

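The SSH key handling the walkthrough above describes (write the secret to a temporary file, strip CRs, lock it to mode 600, validate with ssh-keygen, clean up whether or not the script succeeds), as an added bash example that is not the PR's wg-onboard.yml; the function names, the `$RUNNER_TEMP` location, the `jumpserver_key` file name and an unencrypted key are assumptions, and the command run with the key is whatever the caller passes in.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow code: handle an SSH private key secret
# the way the walkthrough describes. Function names and paths are assumptions.
set -eu

# Write the key text in $1 to file $2: CRs stripped (secrets pasted from
# Windows often carry them and ssh rejects the key), created under umask 077
# so it is never group/world readable, then pinned to mode 600.
write_ssh_key() {
  local key_text="$1" key_file="$2"
  if [ -z "$key_text" ]; then
    echo "ERROR: SSH key secret is empty" >&2
    return 1
  fi
  ( umask 077; printf '%s\n' "$key_text" | tr -d '\r' > "$key_file" )
  chmod 600 "$key_file"
}

# Validate before use: a PEM/OpenSSH private-key header must be present and,
# when ssh-keygen is installed, deriving the public key (-y) must succeed.
# Assumes an unencrypted key; a passphrase-protected one would prompt.
validate_ssh_key() {
  head -n 1 "$1" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----$' || return 1
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -y -f "$1" >/dev/null 2>&1 || return 1
  fi
}

# Materialize the key in a per-run directory, run the given command with the
# key path appended as its last argument, and remove the key whether or not
# the command succeeded (the shell equivalent of an "if: always()" cleanup).
run_with_key() {
  local key_text="$1"; shift
  local key_dir key_file rc
  key_dir=$(mktemp -d "${RUNNER_TEMP:-/tmp}/wg-key.XXXXXX")
  key_file="$key_dir/jumpserver_key"
  rc=0
  write_ssh_key "$key_text" "$key_file" \
    && validate_ssh_key "$key_file" \
    && "$@" "$key_file" || rc=$?
  rm -rf "$key_dir"
  return "$rc"
}
```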

Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>
@Ivanmeneges


@coderabbitai review


coderabbitai Bot commented Jun 18, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@Ivanmeneges


@coderabbitai review


coderabbitai Bot commented Jun 18, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/wg-onboard.yml (1)

104-113: 💤 Low value

Rebase conflicts will fail silently without user guidance.

If git pull --rebase at line 111 encounters conflicts (e.g., concurrent peer allocations), the workflow fails without clear recovery instructions. Consider adding conflict detection or a clearer error message.

          else
            git add "$tracker"
            git commit -s -m "wg: allocate peers for environment $INPUT_ENV_NAME"
-           git pull --rebase origin "${GITHUB_REF_NAME}"
+           if ! git pull --rebase origin "${GITHUB_REF_NAME}"; then
+             echo "ERROR: Rebase failed. Concurrent allocation may have occurred. Re-run the workflow."
+             exit 1
+           fi
            git push "https://x-access-token:${GH_TOKEN}`@github.com/`${GITHUB_REPOSITORY}.git" "HEAD:${GITHUB_REF_NAME}"
          fi
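Review bot: the `if ! git pull --rebase origin "${GITHUB_REF_NAME}"` guard adds a message rather than new failure behaviour, since a `run:` step under the default `bash -e` already aborts when the unguarded pull fails; what the failure branch should add is `git rebase --abort` before `exit 1`, so the checkout is not left mid-rebase for the next job on a self-hosted runner. Because the local `git commit -s` has already been made when the pull runs, the message would be more accurate saying that the allocation commit was not pushed and the workflow must be re-run, rather than only that a concurrent allocation "may have occurred".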
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/wg-onboard.yml:
- Around line 58-70: The SSH private key written to ~/.ssh/jumpserver_key in the
"Write SSH private key" step is not being cleaned up after the workflow
completes, leaving the sensitive file on the self-hosted runner disk. Add a new
workflow step named "Cleanup SSH key" that runs after the "Write SSH private
key" step with the condition "if: always()" to ensure it executes even if
previous steps fail, and have this cleanup step remove the ~/.ssh/jumpserver_key
file to prevent the key from persisting on the runner.
- Around line 82-94: The chmod command on line 83 applies execute permissions to
`.github/workflows/scripts/wg-onboard.sh`, but the actual script being executed
on line 94 is `.github/scripts/wg-onboard.sh` (without the `workflows`
subdirectory). Update the chmod command to apply permissions to the correct path
`.github/scripts/wg-onboard.sh` to match the script path being executed later in
the run block.

---

Nitpick comments:
In @.github/workflows/wg-onboard.yml:
- Around line 104-113: The git pull --rebase origin command can fail silently
when conflicts occur during concurrent peer allocations, with no clear guidance
for recovery. Add error detection after the git pull --rebase origin
"${GITHUB_REF_NAME}" command to check if the rebase succeeded, and include an
explicit error message that informs users about potential rebase conflicts and
recovery steps. This prevents silent failures and provides users with actionable
recovery instructions when concurrent allocations cause conflicts.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 883c75df-8363-4baf-9263-ca32f2e415e7

📥 Commits

Reviewing files that changed from the base of the PR and between d9b9da0 and f9784cc.

📒 Files selected for processing (1)
  • .github/workflows/wg-onboard.yml

Add explicit permissions, fix script chmod path, store SSH key in
RUNNER_TEMP with always-on cleanup, and update script PR reference.

Co-authored-by: Cursor <cursoragent@cursor.com>
@Ivanmeneges


@coderabbitai review


coderabbitai Bot commented Jun 18, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Serialize runs per ENV_NAME, rebase before tracker commit to avoid push
conflicts, remove unused MOSIP_AWS_PEM workflow input, and cap job at 20m.

Co-authored-by: Cursor <cursoragent@cursor.com>
@Ivanmeneges


@coderabbitai review


coderabbitai Bot commented Jun 18, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/wg-onboard.yml:
- Around line 44-46: The wg-onboard.yml workflow references two files that do
not exist in the repository: the shell script `.github/scripts/wg-onboard.sh`
that is executed in the workflow step (referenced at line 108), and the tracker
file `.github/scripts/wg-peer-allocation.tsv` that is committed as part of the
workflow. Verify whether these files should be created as part of this PR and
include them in the `.github/scripts/` directory, or confirm with your reviewer
if they are expected to be added in a separate commit. Ensure both the script
file and the tracker file exist before merging to prevent workflow runtime
failures.
- Around line 113-119: The git pull --rebase command is executing on a dirty
working tree before the diff check, which causes rebase failures when the
tracker file has uncommitted changes. Move the git pull --rebase origin
"${GITHUB_REF_NAME}" command from before the git diff --quiet check into the
else block that handles commits (where git add and git commit are executed), and
add the --autostash flag to the pull command so it automatically stashes local
modifications, performs the rebase, and reapplies the changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 393ae5d8-b482-4aef-b526-d99cb36028ed

📥 Commits

Reviewing files that changed from the base of the PR and between 47cdbbc and 6b4e140.

📒 Files selected for processing (1)
  • .github/workflows/wg-onboard.yml

Ivanmeneges and others added 2 commits June 18, 2026 23:34
Pull after diff check so dirty-tree rebase errors are avoided; autostash
preserves script-written tracker edits and fails fast on conflict.

Co-authored-by: Cursor <cursoragent@cursor.com>
Checkout no longer requires ACTION_PAT (empty secret caused checkout to
fail); onboarding still needs ACTION_PAT and MOSIP_AWS_PEM with a clear
error when either is missing.

Co-authored-by: Cursor <cursoragent@cursor.com>
@Ivanmeneges


@coderabbitai review


coderabbitai Bot commented Jun 19, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>