sec(iac/aws): drop hardcoded branch ref from cleanup-staging.yml#565

Open

cristim wants to merge 1 commit into feat/multicloud-web-frontend from fix/386-cleanup-staging-branch-param

Conversation

@cristim (Member) commented May 20, 2026

Summary

  • Removes ref: feat/multicloud-web-frontend from all four actions/checkout steps in .github/workflows/cleanup-staging.yml
  • Checkout now uses the ref selected at workflow_dispatch time (the branch/tag the operator chooses), closing the supply-chain risk where commits to the feature branch automatically became the Terraform config used by the destroy workflow
  • Regression: no hardcoded ref: key remains in cleanup-staging.yml

Closes #386

Summary by CodeRabbit

  • Chores
    • Updated cleanup staging workflow to use default Git checkout behavior across destroy jobs for AWS Lambda, AWS Fargate, Azure, and GCP environments.

 #386)

Remove the `ref: feat/multicloud-web-frontend` override from all four
actions/checkout steps in cleanup-staging.yml. Without the override,
each checkout uses the ref selected at workflow_dispatch time (the branch
or tag the operator chooses when triggering the workflow), which is the
correct behaviour for a destroy workflow: it runs against whatever ref
the operator has chosen and approved, not a hard-wired development branch
that may not exist after the feature branch is merged.

This closes the supply-chain risk where any commit pushed to the feature
branch would automatically become the Terraform configuration used by the
destroy workflow.
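A regression check for the "no hardcoded ref: key remains" bullet in the PR summary above, added here as an example; it is not the PR's or the project's code, and BEFORE is a constructed approximation of the workflow's shape, not the real cleanup-staging.yml. It is line-based so it can run in CI without PyYAML, and it treats `${{ ... }}` values as dynamic rather than hardcoded.

```python
import re

# Constructed sample approximating cleanup-staging.yml before the fix; not the real file.
BEFORE = """\
on:
  workflow_dispatch:
jobs:
  destroy-aws-lambda:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: feat/multicloud-web-frontend
      - run: terraform destroy -auto-approve
  destroy-gcp:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: feat/multicloud-web-frontend
"""
# The fixed form: no ref: key, so checkout uses the ref chosen at workflow_dispatch time.
AFTER = BEFORE.replace("        with:\n          ref: feat/multicloud-web-frontend\n", "")

STEP_START = re.compile(r"^\s*-\s+(name|uses|run|id|with|env|shell):")
USES_CHECKOUT = re.compile(r"^\s*(-\s+)?uses:\s*['\"]?actions/checkout@")
REF_KEY = re.compile(r"^\s*ref:\s*(.+?)\s*$")
JOB_KEY = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")

def find_hardcoded_checkout_refs(workflow_text: str) -> list:
    """(job, line, ref) per actions/checkout step with a literal ref:; ${{ }} values are dynamic, not flagged."""
    findings, job, in_jobs, in_checkout = [], "?", False, False
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        m = JOB_KEY.match(line)
        if in_jobs and m:  # two-space-indented key under jobs: is a job id
            job, in_checkout = m.group(1), False
            continue
        if STEP_START.match(line):
            in_checkout = False  # a new step item ends the previous step's scope
        if USES_CHECKOUT.match(line):
            in_checkout = True
            continue
        m = REF_KEY.match(line)
        if in_checkout and m:
            value = m.group(1).strip("\"'")
            if not value.startswith("${{"):
                findings.append((job, lineno, value))
    return findings
```

Running it over BEFORE reports both destroy jobs; over AFTER it returns an empty list, which is the condition a CI gate would assert.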
@cristim cristim added bug Something isn't working triaged Item has been triaged priority/p2 Backlog-worthy severity/medium Moderate harm urgency/this-sprint Within the current sprint impact/internal Team-internal only labels May 20, 2026
coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 85974e17-712d-425d-abe6-252666c5b6c9

📥 Commits

Reviewing files that changed from the base of the PR and between bc7bf0f and 7e6cc84.

📒 Files selected for processing (1)
  • .github/workflows/cleanup-staging.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/cleanup-staging.yml

📝 Walkthrough

Walkthrough

The cleanup-staging workflow removes hardcoded branch references from checkout steps across all cloud provider destroy jobs, enabling the workflow to use default ref resolution behavior instead of a specific feature branch.

Changes

Cleanup Workflow Security Fix

Layer / File(s): Remove hardcoded branch refs from destroy jobs (.github/workflows/cleanup-staging.yml)
Summary: AWS Lambda, AWS Fargate, Azure, and GCP destroy job checkout steps no longer override the ref to feat/multicloud-web-frontend, allowing default checkout behavior to apply.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

type/security, effort/xs

Poem

🐰 A hardcoded branch, once locked in place,
Now freed to checkout with grace,
Feature refs removed with care,
Cleanup workflows stay fair and square!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'sec(iac/aws): drop hardcoded branch ref from cleanup-staging.yml' accurately summarizes the main change—removing hardcoded branch references from the cleanup workflow.
  • Linked Issues check: Passed. The PR removes hardcoded ref from all four actions/checkout steps as required by issue #386, resolving the supply-chain risk and functional dependency on a feature branch.
  • Out of Scope Changes check: Passed. All changes in the PR are scoped to removing hardcoded branch refs from cleanup-staging.yml; no unrelated modifications are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


cristim (Member, Author) commented May 20, 2026

@coderabbitai review

coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim cristim added the type/security Security finding label May 20, 2026
cristim (Member, Author) commented May 20, 2026

@coderabbitai review

coderabbitai Bot commented May 20, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

cristim (Member, Author) commented May 22, 2026

@coderabbitai review

coderabbitai Bot commented May 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

cristim (Member, Author) commented May 22, 2026

@coderabbitai review

coderabbitai Bot commented May 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
