fix: pin pr-review-mention reusable workflow to SHA #166
Pin petry-projects/.github pr-review-mention-reusable.yml to commit SHA 0cb4bba11d7563bf197ad805f12fb8639e4879e4 (v1) to comply with the org action-pinning policy.
Closes #164
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
No actionable comments were generated in the recent review.
Walkthrough: The PR updates the pr-review-mention workflow's reusable workflow reference from the
Estimated code review effort: 1 (Trivial), ~2 minutes. Pre-merge checks: 5 passed.
Self-review complete — no issues found. Change: Single-line pin of the reusable workflow reference from the mutable
@petry-projects/org-leads — please review and merge when CI is green.
Pull request overview
Pins the pr-review-mention thin-caller workflow’s reusable workflow reference to an immutable commit SHA to satisfy the org “action-pinning” compliance requirement.
Changes:
- Replaces `@v1` with commit SHA `0cb4bba11d7563bf197ad805f12fb8639e4879e4` for the reusable workflow reference
- Preserves a human-readable `# v1` comment alongside the SHA
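As an added illustration (not code from this PR or the petry-projects org), a small Python checker for the action-pinning rule the change satisfies: it scans `uses:` lines in a workflow, classifies each ref as SHA, tag or branch, flags mutable refs, and records whether a SHA pin keeps its human-readable tag comment. The regex, function names and the before/after sample workflow are assumptions constructed for the example.

```python
import re

# A `uses:` reference in a GitHub Actions workflow: owner/repo[/path]@ref [# comment]
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<target>[^\s@#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)

def classify_ref(ref: str) -> str:
    """'sha' for a full 40-hex commit (immutable), 'tag' for vN[.N...], else 'branch'."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "branch"

def audit_workflow(text: str) -> list:
    """Report every remote `uses:` reference (step actions and reusable workflows).
    Local ./path actions have no @ref and never match; docker:// images (pinned by
    digest, not commit) are skipped. A SHA pin also records its `# v1`-style comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group("target").startswith("docker://"):
            continue
        kind = classify_ref(m.group("ref"))
        findings.append({
            "line": lineno, "target": m.group("target"), "ref": m.group("ref"),
            "kind": kind, "compliant": kind == "sha",
            "version_comment": (m.group("comment") or "").strip() if kind == "sha" else "",
        })
    return findings

def violations(text: str) -> list:
    """Non-compliant references as messages suitable for failing a CI gate."""
    return [
        f"line {f['line']}: {f['target']}@{f['ref']} is a mutable {f['kind']} "
        "reference; pin to a commit SHA"
        for f in audit_workflow(text) if not f["compliant"]
    ]

# Constructed sample: the caller workflow before and after the pin made in this PR.
BEFORE = """jobs:
  mention:
    permissions:
      pull-requests: write
    uses: petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml@v1
"""
AFTER = BEFORE.replace("@v1", "@0cb4bba11d7563bf197ad805f12fb8639e4879e4 # v1")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, violations(text) or "OK")
```

A SHA pin with an empty `version_comment` is worth flagging separately in a real gate, since the comment is the only human-readable hint of which release the SHA was taken from.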
| permissions: | ||
| pull-requests: write | ||
| uses: petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml@v1 | ||
| uses: petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml@0cb4bba11d7563bf197ad805f12fb8639e4879e4 # v1 |
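Review bot: the new `uses:` line is a full 40-hex SHA with a `# v1` tag comment, which is what the pinning policy asks for, but that comment is documentation only: nothing in the workflow verifies that 0cb4bba11d7563bf197ad805f12fb8639e4879e4 is the commit the v1 tag resolves to, so confirm it with the `gh api repos/petry-projects/.github/git/refs/tags/v1` lookup the PR summary mentions before merging, and note that the comment has to be updated by hand whenever the pin is refreshed. On the unchanged context, the caller still grants `pull-requests: write` to the called workflow; now that the callee is frozen at one revision, that grant can be reviewed against exactly that revision rather than a moving tag.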
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: d15862edb0097f5685395d3cf935b149cde41f67
Review mode: triage-approved (single reviewer)
Summary
Confirms the triage assessment. The diff is a single 23-line addition to .github/workflows/ci.yml introducing a new secret-scan job that runs gitleaks/gitleaks-action@v2.3.9 (SHA-pinned) against the full git history (fetch-depth: 0) via actions/checkout@v6.0.2 (SHA-pinned). No existing job or logic is modified.
Linked issue analysis
Closes #141 (Compliance: secret_scan_ci_job_present, severity error, category push-protection), auto-filed by the weekly compliance audit. The issue body asks specifically for the gitleaks job from standards/push-protection.md#required-ci-job to be added to ci.yml. The PR is the minimal, on-point fix for that finding.
Findings
- Action pinning correct. Both `actions/checkout@de0fac2e…` and `gitleaks/gitleaks-action@ff98106e…` are pinned to full 40-char SHAs with human-readable tag comments (`# v6.0.2`, `# v2.3.9`), in line with the Action Pinning Policy referenced inline. Refresh procedure is documented in comments next to each pin.
- Permissions scoped minimally. The new job declares `contents: read` and `security-events: write` only — the latter is the standard surface for actions that may upload SARIF, and the former is read-only. No `pull-requests: write` or `id-token: write` is granted.
- Secrets handling is sane. `GITHUB_TOKEN` is passed via the standard expression; `GITLEAKS_LICENSE` was added in the follow-up commit (d15862e) because gitleaks-action v2 requires it for org repos — without it the action exits non-zero on organization-owned runners. Both flow through env, not `with:`, matching the action's documented contract.
- PR description minor drift (non-blocking). The PR body still says the job uses `--redact` to prevent leaked values from appearing in logs. The follow-up commit removed the `with: args:` block because gitleaks-action@v2's `action.yml` defines no inputs and silently ignored them. Redaction is effectively still in place because gitleaks-action v2 redacts findings in its default output, but the description text is now slightly out of date. Worth a future cleanup; not a correctness issue.
- No security regression. This is a net-positive change — it adds a CI-gated secret scan where none existed. Workflow-level `permissions:` block is present at the job scope, and no new third-party action is introduced unpinned.
- Informational: prior bot review noise. Two earlier automated reviews on this same head SHA describe entirely different PRs (one about `scripts/compliance-audit.sh`/issue #239, another about `.github/workflows/pr-review-mention.yml`/issue #139). This appears to be a review-bot artifact, not a content match against this PR; flagging only so a human knows the duplicate entries are not relevant to PR #143.
CI status
All required checks green on d15862e: CI / Validate, CI / Secret scan (gitleaks) (the new job itself runs clean and completes in ~6s), AgentShield, CodeQL (Analyze (actions)), SonarCloud (Quality Gate passed, 0 new issues / 0 hotspots / 0.0% duplication), Claude Code, CodeRabbit (CodeRabbit content review was rate-limited but its status check is SUCCESS), Dependency audit (ecosystem detector). Skipped jobs (dependabot-automerge, language-specific audits, claude-ci-fix, claude-issue) are conditional and not applicable. mergeStateStatus is BLOCKED only on the missing approving review — no failing check.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: adaca81665cd6da85c0837b8c8c40ff762d7ae50
Review mode: triage-approved (single reviewer)
Summary
This PR modifies a single file — agents/pr-reviewer.md — to expand the PR-review agent profile with the 7 safety checks specified in #43. No executable code, workflows, dependencies, secrets, or schemas are touched. The change is a prose/policy update to a Markdown agent prompt, and all CI checks are green. Triage classification (LOW risk, single-file documentation) confirmed.
Linked issue analysis
#43 — "PR Review Agent Improvements." Verified that each acceptance criterion is substantively addressed in the diff:
| AC | Addressed | Where |
|---|---|---|
| AC-1 CI Weakening Detection (hard stop, with file/line) | ✓ | Tier 1 §3b + Key rules + Decision framework |
| AC-2 Code Duplication Check (MEDIUM, with existing path) | ✓ | Tier 2 §3b |
| AC-3 Critical Path Tracing (MEDIUM/HIGH, perms on all branches, boundary gaps) | ✓ | Tier 2 §3c |
| AC-4 Large PR Gating (≥5 unrelated files, unsummarizable, test-only with red CI) | ✓ | Tier 1 §3c |
| AC-5 Prompt Injection in Workflows (HIGH, with file/step/line) | ✓ | Tier 2 §3a |
| AC-6 PR Description Scoring (5-element table, 3+ missing = MEDIUM) | ✓ | Tier 1 §3d + Output format |
| AC-7 Structured Tiered Protocol (Tier 1 no tools, Tier 2 fixed order, Tier 3 triggers, idempotency pre-tools) | ✓ | Protocol Steps 2–5 |
The second commit (adaca81) explicitly addressed gemini-code-assist's note about idempotency-check ordering by moving it to Step 2 (after the single mandatory metadata fetch and before any further tool calls), with a Why here note that documents the trade-off. This is the only sensible interpretation of AC-7's "before any tool calls" given that the marker lives in reviews/comments.
PR Description Quality
| Element | Present |
|---|---|
| Problem statement | ✓ |
| Risk category | ✗ (implied LOW but not stated) |
| Test plan | ✓ |
| Rollback procedure | ✓ |
| Monitoring/observability plan | ✓ |
4 of 5 elements present — no MEDIUM finding triggered.
Findings
LOW — agents/pr-reviewer.md (Tier 2 section, Step 4 sub-headings)
- Description: Tier 2 sub-sections are numbered `#### 3a. CI/workflow changes`, `#### 3b. Code duplication search`, `#### 3c. Critical path trace`, `#### 3d. Security boundaries`, but they live under `### Step 4 — Tier 2`. The `3a–3d` prefix duplicates the `3a–3f` numbering used in Step 3 (Tier 1 Triage) just above. Functionally harmless but mildly confusing on a quick read.
- Recommendation: Renumber as `4a–4d` in a follow-up if convenient. Not a blocker.
Advisory notes carried forward from gemini-code-assist (non-blocking — author may address in a follow-up):
- Consider extending the CI-weakening pattern list to include `fdescribe`/`fit`/`.only` (focused tests that silently exclude siblings).
- Consider including commit messages alongside diff text when scanning for prompt-injection signals.
- Severity labels are consistent across the document; no action needed.
No HIGH or MEDIUM findings.
CI status
All required checks green: AgentShield ✓, Claude Code ✓, CodeQL ✓ (Actions + summary), Dependency audit ✓, SonarCloud ✓ (Quality Gate passed, 0 new issues), CodeRabbit ✓. SKIPPED checks (dependabot-automerge, claude-ci-fix, claude-issue, language-specific audit shards) are correctly skipped for a docs-only change with no matching ecosystem manifests.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
Superseded by automated re-review at 64a146a.
Pull request was closed
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push:
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead:
@dev-lead - please fix this PR
Summary
- Pins `petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml` from the mutable `@v1` tag to its commit SHA `0cb4bba11d7563bf197ad805f12fb8639e4879e4`
- SHA resolved with `gh api repos/petry-projects/.github/git/refs/tags/v1` — no fabrication
- Keeps a `# v1` comment so the human-readable version is still visible
Compliance
Addresses the `action-pinning` compliance finding in the org CI standards.
Closes #164
Generated with Claude Code