CI: remove light-aws-builder specs, use binary from image.

[aramprice]

These specs moved to that pipeline, and the docker image now contains the light-aws-builder binary.

NOTE: the publisher pipeline must be reconfigured after merging.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[coderabbitai]

Walkthrough

The pull request removes four AWS CI jobs (test-aws-unit, test-aws-drivers, test-aws-integration, cleanup-light-aws-builder-test-amis) and their task definitions from the Concourse pipeline. The build_light_aws_stemcell_new YTT helper is refactored to accept prefix-based parameters (prefix, stemcell_os, stemcell_version, efi, ami_destinations, ami_excluded_destinations) and the build-light-aws job plan is reworked to use the new signature with aws-light-stemcell-builder-registry-image. The light-aws-builder-src resource is removed and the registry-image resource is renamed from light-stemcell-builder-registry-image to aws-light-stemcell-builder-registry-image. The Google make-raw-from-heavy-stemcell task is updated to use gce-cpi-release-registry-image. The light-stemcell-builder binary is invoked directly instead of go run main.go. Builder-src inputs are removed from build.yml, cleanup-ami.yml, run-upload-test.yml, and us-gov-merge-builds.yml. Bash parameter validation is hardened throughout by replacing unquoted : ${VAR:?} checks with quoted : "${VAR:?}" syntax and quoting all variable and path uses in heredocs and command substitutions. The cleanup-ami.sh script introduces stricter environment validation and refactors AMI selection with a reusable past_due_query expression. The make-raw-from-heavy-stemcell.sh script refactors stemcell_url to accept a name parameter and simplifies the existence check to a direct conditional.

Suggested reviewers

• mkocher

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description provides context for why specs are being removed but does not follow the merge-forward strategy template with branch-specific instructions.	Clarify which stemcell branch this PR targets and confirm it follows the merge-forward strategy (PR should be made to oldest branch first, then merged forward).

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: removing light-aws-builder specs and using the binary from the Docker image instead.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch remove-aws-light-stemcell-tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci/pipelines/publisher.yml`:
- Line 19: The image reference `light-stemcell-builder-registry-image` on line
19 does not match the actual resource name that has been renamed to
`aws-light-stemcell-builder-registry-image` (as defined at line 751 and fetched
by the job at line 130). Update the image field on line 19 from
`light-stemcell-builder-registry-image` to
`aws-light-stemcell-builder-registry-image` to resolve the artifact name
mismatch so the build-<prefix>-stemcell task can locate the correct image at
runtime.

In `@ci/tasks/light-google/create-public-image.sh`:
- Around line 65-67: The `touch image` command on line 65 only updates the
modification time without clearing existing file contents, which means if the
image file already exists from a previous extraction, it will retain the full
heavy payload when calculating the SHA1 hash and packaging into the tar archive.
Replace `touch image` with a command that actually empties the file contents,
such as using output redirection (> image) or truncate, to ensure image is
created as an empty light placeholder before the SHA1 calculation on line 66.
- Around line 53-54: The guest_os_features_flag variable is being passed as a
quoted argument to gcloud compute images create even when it is empty, which
causes gcloud argument parsing to fail for configurations with no features
enabled. Remove the quotes around the guest_os_features_flag variable and
conditionally include the flag only when it contains a non-empty value, such as
by using parameter expansion (e.g., only adding the flag and its value when the
variable is not empty).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: aaf392a4-d67f-4fbf-8849-6245785807f6

📥 Commits

Reviewing files that changed from the base of the PR and between 0488435 and 5ee4a96.

📒 Files selected for processing (13)

• ci/pipelines/publisher.yml
• ci/tasks/light-aws/build.sh
• ci/tasks/light-aws/cleanup-ami.sh
• ci/tasks/light-aws/cleanup-ami.yml
• ci/tasks/light-aws/test-drivers.sh
• ci/tasks/light-aws/test-drivers.yml
• ci/tasks/light-aws/test-integration.sh
• ci/tasks/light-aws/test-integration.yml
• ci/tasks/light-aws/test-unit.sh
• ci/tasks/light-aws/test-unit.yml
• ci/tasks/light-google/create-public-image.sh
• ci/tasks/light-google/deploy-skeletal.sh
• ci/tasks/light-google/make-raw-from-heavy-stemcell.sh

💤 Files with no reviewable changes (8)

• ci/tasks/light-aws/test-integration.yml
• ci/tasks/light-aws/cleanup-ami.yml
• ci/tasks/light-aws/cleanup-ami.sh
• ci/tasks/light-aws/test-drivers.yml
• ci/tasks/light-aws/test-unit.sh
• ci/tasks/light-aws/test-unit.yml
• ci/tasks/light-aws/test-drivers.sh
• ci/tasks/light-aws/test-integration.sh

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 6 comments.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci/tasks/light-aws/cleanup-ami.sh`:
- Around line 14-16: The parameter expansion guards for AWS credentials in the
export statements for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and
AWS_DEFAULT_REGION are using the `?` operator which only checks if variables are
set, but allows empty values. Change each guard from the current
`${variable?'must be set'}` format to `${variable:?'must be set'}` format by
adding a colon before the question mark. This will ensure that the script fails
immediately if any of these credential variables are empty or unset, rather than
passing validation and failing later during AWS API calls.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8e0214ee-af7c-4d1a-bc21-f711bf6d1f9d

📥 Commits

Reviewing files that changed from the base of the PR and between 5ee4a96 and 3fcb013.

📒 Files selected for processing (17)

• ci/pipelines/publisher.yml
• ci/tasks/light-aws/build.sh
• ci/tasks/light-aws/build.yml
• ci/tasks/light-aws/cleanup-ami.sh
• ci/tasks/light-aws/cleanup-ami.yml
• ci/tasks/light-aws/run-upload-test.sh
• ci/tasks/light-aws/run-upload-test.yml
• ci/tasks/light-aws/test-drivers.sh
• ci/tasks/light-aws/test-drivers.yml
• ci/tasks/light-aws/test-integration.sh
• ci/tasks/light-aws/test-integration.yml
• ci/tasks/light-aws/test-unit.sh
• ci/tasks/light-aws/test-unit.yml
• ci/tasks/light-aws/us-gov-merge-builds.yml
• ci/tasks/light-google/create-public-image.sh
• ci/tasks/light-google/deploy-skeletal.sh
• ci/tasks/light-google/make-raw-from-heavy-stemcell.sh

💤 Files with no reviewable changes (8)

• ci/tasks/light-aws/test-drivers.yml
• ci/tasks/light-aws/test-unit.yml
• ci/tasks/light-aws/test-unit.sh
• ci/tasks/light-aws/build.yml
• ci/tasks/light-aws/test-integration.sh
• ci/tasks/light-aws/us-gov-merge-builds.yml
• ci/tasks/light-aws/test-integration.yml
• ci/tasks/light-aws/test-drivers.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/usr/bin/env bash
set -eu -o pipefail

ami_access_key=""
ami_secret_key=""
ami_region="us-east-1"

echo "Current behavior (\${var?}): empty values are accepted"
AWS_ACCESS_KEY_ID=${ami_access_key?'must be set'}
AWS_SECRET_ACCESS_KEY=${ami_secret_key?'must be set'}
echo "accepted: '${AWS_ACCESS_KEY_ID}' / '${AWS_SECRET_ACCESS_KEY}'"

echo "Expected strict behavior (\${var:?}): empty values are rejected"
if : "${ami_access_key:?must be set}"; then
  echo "unexpected: strict check passed"
fi

Repository: cloudfoundry/bosh-linux-stemcell-builder

Length of output: 285

---

Use :? guards so empty AWS credentials fail fast.

Lines 14-16 currently use ${var?'must be set'}, which permits empty-but-set values. With this task's default params (ci/tasks/light-aws/cleanup-ami.yml), empty credentials pass these checks and fail later in AWS calls instead of failing immediately.

Suggested fix

- export AWS_ACCESS_KEY_ID=${ami_access_key?'must be set'}
- export AWS_SECRET_ACCESS_KEY=${ami_secret_key?'must be set'}
- export AWS_DEFAULT_REGION=${ami_region?'must be set'}
+ : "${ami_access_key:?must be set}"
+ : "${ami_secret_key:?must be set}"
+ : "${ami_region:?must be set}"
+ export AWS_ACCESS_KEY_ID="${ami_access_key}"
+ export AWS_SECRET_ACCESS_KEY="${ami_secret_key}"
+ export AWS_DEFAULT_REGION="${ami_region}"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export AWS_ACCESS_KEY_ID=${ami_access_key?'must be set'}
	export AWS_SECRET_ACCESS_KEY=${ami_secret_key?'must be set'}
	export AWS_DEFAULT_REGION=${ami_region?'must be set'}
	: "${ami_access_key:?must be set}"
	: "${ami_secret_key:?must be set}"
	: "${ami_region:?must be set}"
	export AWS_ACCESS_KEY_ID="${ami_access_key}"
	export AWS_SECRET_ACCESS_KEY="${ami_secret_key}"
	export AWS_DEFAULT_REGION="${ami_region}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci/tasks/light-aws/cleanup-ami.sh` around lines 14 - 16, The parameter
expansion guards for AWS credentials in the export statements for
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION are using the
`?` operator which only checks if variables are set, but allows empty values.
Change each guard from the current `${variable?'must be set'}` format to
`${variable:?'must be set'}` format by adding a colon before the question mark.
This will ensure that the script fails immediately if any of these credential
variables are empty or unset, rather than passing validation and failing later
during AWS API calls.