
feat: create separate PRs per branch for downstream repos in cve.fix#101

Open
vmrh21 wants to merge 1 commit into ambient-code:main from angaduom:fix-branch-targeting-per-repo-type

Conversation

@vmrh21 vmrh21 commented Apr 2, 2026

Summary

Updates cve.fix to target branches differently based on repo_type:

  • upstream / midstream: PR against default_branch only (e.g. main)
  • downstream: separate PR for default_branch + each branch in active_release_branches

Each branch gets its own independent clone → fix → test → PR cycle. Branches are never combined into a single PR.

Example for red-hat-data-services/llm-d-inference-scheduler with active branches rhoai-3.3, rhoai-3.4, rhoai-3.4-ea.1, rhoai-3.4-ea.2:

  • PR 1 → base: main
  • PR 2 → base: rhoai-3.3
  • PR 3 → base: rhoai-3.4
  • PR 4 → base: rhoai-3.4-ea.1
  • PR 5 → base: rhoai-3.4-ea.2

No mapping file changes required — logic is derived from existing repo_type, default_branch, and active_release_branches fields.

Test plan

  • Run /cve.fix llm-d with an inference-scheduler CVE — verify upstream gets 1 PR (main only) and downstream gets 5 PRs (main + 4 release branches)
  • Verify each PR targets the correct base branch
  • Verify fix branch naming includes the target branch (e.g. fix/cve-YYYY-XXXXX-urllib3-rhoai-3.4-attempt-1)

🤖 Generated with Claude Code

- upstream/midstream: PR against default_branch only (main)
- downstream: separate PR for default_branch + each active_release_branch

Each branch is independently fixed and gets its own PR — never combined.
Fix branch naming includes the target branch for clarity, e.g.:
fix/cve-YYYY-XXXXX-<package>-rhoai-3.4-attempt-1

No mapping file changes needed — logic derived from existing
repo_type, default_branch, and active_release_branches fields.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
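The branch-targeting rule from the description above, as an added bash example that is not code from this PR or from the cve.fix workflow: it assembles the PR target list from repo_type, default_branch and active_release_branches, emits a duplicate (a release branch equal to the default branch) only once so no PR is attempted twice, and derives the fix-branch name with the target branch embedded. The function names, the lowercasing of the CVE id, and folding `/` to `-` in branch names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or the cve.fix workflow.
# Builds the per-repo PR target list and fix-branch names from the
# repo_type / default_branch / active_release_branches fields.
set -euo pipefail

# target_branches REPO_TYPE DEFAULT_BRANCH [RELEASE_BRANCH...]
# Prints one target branch per line: default_branch only for
# upstream/midstream, default_branch plus each release branch for
# downstream. Order is kept; duplicates (a release branch that equals
# the default branch) are emitted once so no PR is attempted twice.
target_branches() {
  local repo_type=$1 default_branch=$2
  shift 2
  local -A seen=()          # exact-key lookup instead of substring matching
  local -a out=()
  local b
  if [ "$repo_type" = "downstream" ]; then
    set -- "$default_branch" "$@"
  else
    set -- "$default_branch"
  fi
  for b in "$@"; do
    [ -n "$b" ] || continue
    [ -n "${seen[$b]+x}" ] && continue
    seen[$b]=1
    out+=("$b")
  done
  printf '%s\n' "${out[@]}"
}

# fix_branch_name CVE_ID PACKAGE TARGET_BRANCH ATTEMPT
# Produces fix/cve-YYYY-XXXXX-<package>-<target-branch>-attempt-N.
# Embedding the target branch keeps names unique across base branches;
# '/' in the target branch is folded to '-' (assumption) so the result
# stays a flat ref under fix/ rather than a nested namespace.
fix_branch_name() {
  local cve pkg=$2 target=$3 attempt=$4
  cve=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf 'fix/%s-%s-%s-attempt-%s\n' "$cve" "$pkg" "${target//\//-}" "$attempt"
}

# Constructed sample matching the PR description (runs when executed directly).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  while IFS= read -r base; do
    printf 'PR base: %-14s fix branch: %s\n' "$base" \
      "$(fix_branch_name CVE-2024-0001 urllib3 "$base" 1)"
  done < <(target_branches downstream main rhoai-3.3 rhoai-3.4 rhoai-3.4-ea.1 rhoai-3.4-ea.2)
fi
```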
@coderabbitai

coderabbitai bot commented Apr 2, 2026

Walkthrough

The CVE fixer workflow instructions are updated to change target-branch selection logic based on repository type (upstream/midstream target only default branch; downstream targets default plus active release branches) and repository handling strategy (single clone with git fetch --all, then loop-based branch checkout and PR creation).

Changes

Cohort / File(s): Workflow Instructions
  workflows/cve-fixer/.claude/commands/cve.fix.md
Summary: Revised target-branch selection to derive from repo_type, updated multi-repo strategy to process downstream branches independently with separate PR creation per branch, and changed repository cloning guidance from branch-specific checkout to unified fetch-then-loop pattern.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Title check (Passed): The title accurately describes the main change: creating separate PRs per branch for downstream repos in the cve.fix workflow.
  • Description check (Passed): The description is comprehensive and directly related to the changeset, clearly explaining the new branch-targeting behavior, examples, and test plan.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/cve-fixer/.claude/commands/cve.fix.md`:
- Around line 163-172: Update the fenced code blocks in
workflows/cve-fixer/.claude/commands/cve.fix.md to satisfy MD031/MD040 by adding
explicit language identifiers (e.g., ```text for the plain table and ```bash for
the shell block) and ensuring there is a blank line before and after each fenced
block; locate the blocks using the existing fence markers (``` and ```bash) and
the shown content ("upstream  llm-d/..." table and the "# Clone once:" shell
example) and insert the missing blank lines and the language tag on the opening
fence for each block.
- Around line 174-179: The branch naming guidance is inconsistent: the
multi-branch example uses a target-branch token (e.g.,
fix/cve-YYYY-XXXXX-<package>-rhoai-3.4-attempt-1) but the canonical rule later
omits it (fix/cve-...-<package>-attempt-1), risking collisions across base
branches; update the canonical naming rule to include a target-branch
placeholder (e.g., <target-branch> or the actual base branch name) and make both
the example and the canonical pattern consistent so every fix branch (symbols:
fix/cve-YYYY-XXXXX-<package>-<target-branch>-attempt-N) uniquely identifies the
base branch and prevents reuse/overwrite when repeating steps 4–11 for each
branch.
- Around line 183-191: The current flow that "Clone the repo once" then loops
over TARGET_BRANCHES (steps 5–11) can leak state between branch iterations;
update the procedure so each target branch runs in an isolated workspace: for
each branch in TARGET_BRANCHES either (a) create a fresh clone (git clone into a
new REPO_DIR per branch) or (b) perform a strict reset (git fetch --all; git
checkout <branch>; git reset --hard origin/<branch>; git clean -fdx) before
applying fixes, and ensure git credentials configuration (gh auth setup-git /
credential.helper / SSH fallback) is applied for each cloned workspace so
pushes/PRs cannot be affected by artifacts, uncommitted changes, or lockfile
drift from previous iterations.
- Around line 155-159: The TARGET_BRANCHES array construction can include
duplicates if ACTIVE_RELEASE_BRANCHES contains DEFAULT_BRANCH; change the logic
that sets TARGET_BRANCHES (the branch assembly around TARGET_BRANCHES,
DEFAULT_BRANCH and ACTIVE_RELEASE_BRANCHES) to deduplicate entries before use —
for example, build TARGET_BRANCHES by iterating DEFAULT_BRANCH and each element
of ACTIVE_RELEASE_BRANCHES and only appending branches not already present (or
use a temporary associative set) so TARGET_BRANCHES contains unique branch names
and avoids duplicate PR attempts.


📥 Commits

Reviewing files that changed from the base of the PR and between 66bceaf and 96c3e63.

📒 Files selected for processing (1)
  • workflows/cve-fixer/.claude/commands/cve.fix.md

Comment on lines +155 to +159
if [ "$REPO_TYPE" = "downstream" ]; then
  TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
else
  TARGET_BRANCHES=("$DEFAULT_BRANCH")
fi


⚠️ Potential issue | 🟠 Major

TARGET_BRANCHES needs deduplication to avoid duplicate PR attempts.

If ACTIVE_RELEASE_BRANCHES contains DEFAULT_BRANCH, this creates duplicate targets and can trigger redundant PR creation/push conflicts.

Suggested doc fix
-  if [ "$REPO_TYPE" = "downstream" ]; then
-    TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
-  else
-    TARGET_BRANCHES=("$DEFAULT_BRANCH")
-  fi
+  if [ "$REPO_TYPE" = "downstream" ]; then
+    TARGET_BRANCHES=("$DEFAULT_BRANCH" "${ACTIVE_RELEASE_BRANCHES[@]}")
+  else
+    TARGET_BRANCHES=("$DEFAULT_BRANCH")
+  fi
+
+  # Deduplicate while preserving order
+  UNIQUE_TARGET_BRANCHES=()
+  for b in "${TARGET_BRANCHES[@]}"; do
+    [[ -z "$b" ]] && continue
+    [[ " ${UNIQUE_TARGET_BRANCHES[*]} " == *" $b "* ]] || UNIQUE_TARGET_BRANCHES+=("$b")
+  done
+  TARGET_BRANCHES=("${UNIQUE_TARGET_BRANCHES[@]}")
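Review bot: the membership test on the `+    [[ " ${UNIQUE_TARGET_BRANCHES[*]} " == *" $b "* ]]` line is a substring match over a space-joined string, so it silently breaks if the surrounding workflow ever changes IFS (for instance `IFS=$'\n'` while reading a branch list), and expanding the empty array on the first iteration raises "unbound variable" under `set -u` on bash older than 4.4. An associative array gives an exact, order-preserving lookup without either dependency: `declare -A seen=()` before the loop, then `[[ -n "${seen[$b]+x}" ]] || { seen[$b]=1; UNIQUE_TARGET_BRANCHES+=("$b"); }` in place of the pattern test.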

Comment on lines +163 to +172
```
upstream llm-d/llm-d-inference-scheduler → PR against: main
midstream opendatahub-io/llm-d-inference-scheduler → PR against: main
downstream red-hat-data-services/llm-d-inference-scheduler → PRs against:
- main
- rhoai-3.3
- rhoai-3.4
- rhoai-3.4-ea.1
- rhoai-3.4-ea.2
```


⚠️ Potential issue | 🟡 Minor

Fix fenced code-block markdownlint violations.

The changed examples use fenced blocks without language identifiers and missing blank-line framing per MD040/MD031.

Suggested doc fix
-   ```
+   
+   ```text
    upstream  llm-d/llm-d-inference-scheduler          → PR against: main
    midstream opendatahub-io/llm-d-inference-scheduler  → PR against: main
    downstream red-hat-data-services/llm-d-inference-scheduler → PRs against:
      - main
      - rhoai-3.3
      - rhoai-3.4
      - rhoai-3.4-ea.1
      - rhoai-3.4-ea.2
    ```
+
...
-    ```bash
+    
+    ```bash
     # Clone once:
     # /tmp/red-hat-data-services/llm-d-inference-scheduler
     #
     # Then loop over branches — each gets its own PR:
     # PR 1 → base: main
     # PR 2 → base: rhoai-3.3
     # PR 3 → base: rhoai-3.4
     # PR 4 → base: rhoai-3.4-ea.1
     # PR 5 → base: rhoai-3.4-ea.2
     ```
+
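Review bot: the two added framing lines `+   ` and `+    ` (the ones inserted before each opening fence) contain only indentation, so they would trade the MD031 warning for MD009 (no-trailing-spaces); make them genuinely empty lines like the `+` lines added after the closing fences. The same applies to the second block referenced by "Also applies to: 193-203", whose hunk is not shown here.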

Also applies to: 193-203

🧰 Tools
🪛 markdownlint-cli2 (0.22.0)

[warning] 163-163: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)


[warning] 163-163: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


Comment on lines +174 to 179
**Multi-repo + multi-branch strategy**:
- Fix upstream repos first, then midstream, then downstream
- For downstream: Steps 4 through 11 repeat for EACH branch independently
- Each branch produces its own PR with its own fix branch (e.g., `fix/cve-YYYY-XXXXX-<package>-rhoai-3.4-attempt-1`)
- Never combine fixes for multiple branches into a single PR



⚠️ Potential issue | 🟠 Major

Branch naming rule is still inconsistent and can collide across target branches.

This section says branch names include the target branch, but the canonical naming rule later still omits it (fix/cve-...-<package>-attempt-1). That can overwrite/reuse the same fix branch name for multiple base branches.

Suggested doc fix
-  - Use consistent naming: `fix/cve-YYYY-XXXXX-<package-name>-attempt-1`
+  - Use consistent naming: `fix/cve-YYYY-XXXXX-<package-name>-<target-branch>-attempt-1`
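Review bot: the `<target-branch>` placeholder on the `+` line should also say how a target branch containing `/` (for example `release/1.2`) is folded into the name, because the slash would turn `fix/cve-YYYY-XXXXX-<package-name>-release/1.2-attempt-1` into a nested ref namespace, and git refuses to create `fix/x/y` while a branch `fix/x` exists (and vice versa). Stating the sanitisation in the same rule (for example replace `/` with `-`) keeps the example at line 176 and the canonical pattern producing identical names.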

Comment on lines +183 to +191
- Clone the repo once: `git clone` into `REPO_DIR`, then `git fetch --all`
- **Configure git credentials** immediately after clone (needed for push):
  1. `gh auth setup-git` (if `gh` is authenticated)
  2. Else set `credential.helper` using `$GITHUB_TOKEN` or `$GH_TOKEN`
  3. Else switch remote to SSH if `~/.ssh/id_rsa` or `id_ed25519` exists
  4. Else warn: no credentials configured, push will fail
- **Multi-repo example**:
- Steps 5–11 then run in a loop over `TARGET_BRANCHES` — for each branch:
  - `git checkout <branch>` and `git pull` to ensure it is up to date
  - Apply fix and create PR targeting that branch


⚠️ Potential issue | 🟠 Major

Branch isolation strategy conflicts with the PR objective and can leak state across targets.

Line 183-Line 191 says to clone once and loop branches in one checkout. That contradicts the stated independent per-target cycle and risks cross-branch contamination (uncommitted files, tool artifacts, lockfile drift) between iterations.

Suggested doc fix
-   - Clone the repo once: `git clone` into `REPO_DIR`, then `git fetch --all`
+   - For each `TARGET_BRANCH`, create an independent working directory (fresh clone) to isolate fix/test/PR execution
+   - Recommended: `REPO_DIR="/tmp/${REPO_ORG}/${REPO_NAME}-${TARGET_BRANCH}"`
+   - In each branch-specific clone: checkout target branch, apply fix, run tests, create PR, then continue
...
-   - Steps 5–11 then run in a loop over `TARGET_BRANCHES` — for each branch:
-     - `git checkout <branch>` and `git pull` to ensure it is up to date
-     - Apply fix and create PR targeting that branch
+   - Steps 5–11 run independently per `TARGET_BRANCH` in its own clone:
+     - `git checkout <branch>` in the branch-specific clone
+     - Apply fix, test, and create PR targeting that branch
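Review bot: the hunk replaces the `-   - Clone the repo once` bullet but leaves the "Configure git credentials" bullet between the two edited regions, outside the per-`TARGET_BRANCH` item, so the text does not say whether credential setup runs once or per clone. Step 3 of that list (switching the remote to SSH) rewrites the clone's own `.git/config`, so it has to run inside every branch-specific clone, whereas `gh auth setup-git` is global; move the credentials bullet under the per-branch item. The `+   - Recommended: REPO_DIR="/tmp/${REPO_ORG}/${REPO_NAME}-${TARGET_BRANCH}"` line also interpolates a branch name straight into a path (a `/` in the branch name creates an unintended subdirectory); sanitise it, and on a shared runner prefer a `mktemp -d` directory over a predictable `/tmp` path.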
