feat: implement issue #584 — [Phase 1] Wire the eval scorer into CI as a non-blocking report#741
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Review limit reached
More reviews will be available in 44 minutes and 23 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
Code Review
This pull request introduces a new BATS test suite to validate the Skill Eval Report workflow. The feedback focuses on improving the robustness of the embedded Python helper scripts. Specifically, the reviewer recommends handling cases where the parsed YAML is not a dictionary to prevent AttributeError crashes, using .get() to avoid KeyError when workflow_dispatch is missing, and refining the regex-based check for SHA-pinned actions to avoid false positives from comments or quoted strings.
Dev-Lead — fix-reviews (applied)Changes committed and pushed. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
|
✅ Approved — @don-petry. Phase-1 eval-epic continuation: wires the #583 triage scorer into CI as a non-blocking report, building on the deterministic scorer merged in #719 and #691's held-out hygiene. Good to merge once CI is green. (Recorded as a comment rather than a formal review — GitHub blocks self-approval since I authored the PR. As with #719, the Generated by Claude Code |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
092c3b3 to
8afa06c
Compare
Dev-Lead — rebase (no-changes)Agent reasoning |
|
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 8afa06c0a0ca2c6a9e8f164a5615f200913fbd7e
Review mode: triage-approved (single reviewer)
Summary
Adds a scheduled/dispatch Skill Eval Report workflow that runs the deterministic scorer (scripts/evals/run-eval.sh) against a skill's held-out set and publishes a non-blocking report (step summary + artifact), plus a 150-line bats suite pinning the acceptance criteria and one line wiring that suite into lint.yml. Confirms the triage tier's low-risk assessment.
Linked issue analysis
Closes #584 ([Phase 1] Wire the eval scorer into CI as a non-blocking report). All four acceptance criteria are met and pinned by tests:
- AC#1 —
schedule(cron 0 7 * * *) +workflow_dispatch(optionalskillinput); report published via$GITHUB_STEP_SUMMARYandupload-artifact. - AC#2 — report-only: the eval step is
continue-on-error: true, so a scorer exit 1 (regression) never fails the workflow or gates a merge. - AC#3 — no
pull_request/pull_request_targettrigger, so the token-costing live model eval only runs on schedule/dispatch; PR-time coverage stays on the offline bats tests. - AC#4 — all four third-party actions are SHA-pinned and the workflow sets
permissions: {}top-level, re-granting onlycontents: readto the job.
The scorer's documented exit codes (0 pass / 1 regression / 2 error) and JSON shape (.score/.passed/.failed/.total/.cases[]) match what the workflow consumes.
Findings
No blocking issues.
Security (GitHub Actions surface, reviewed closely):
- Least-privilege:
permissions: {}at top level, job grants onlycontents: read;persist-credentials: falseon checkout. - No
pull_request_target;CLAUDE_CODE_OAUTH_TOKENis only exposed on the trusted schedule/dispatch path, not to untrusted PR code. - No script-injection vector:
inputs.skillflows through theSKILLenv var and is quoted in shell; the only${{ }}interpolations insiderun:blocks aresteps.eval.outputs.outcome, which is workflow-controlled (pass/regression/error), not user input. - All third-party actions SHA-pinned (checkout df4cb1c, setup-node 48b55a0, cache 27d5ce7, upload-artifact 043fb46).
Review threads: all five gemini-code-assist threads on the bats file are resolved. The coderabbit review was dismissed; coderabbit/codex were rate-limited (no actionable findings).
Note (non-blocking, org-process): reviewDecision is REVIEW_REQUIRED and mergeStateStatus is BLOCKED pending the org-leads CODEOWNERS gate on evals/ — the author flagged this is cleared via admin bypass at merge, consistent with #719. Not a code concern.
CI status
Green. All substantive checks passed: Lint/ShellCheck/shellcheck/bats/gh-aw-compile/validate-agent-profiles, unit-tests, holdout-guard, CodeQL (actions + python), AgentShield, Agent Security Scan, SonarCloud (quality gate passed, 0 issues), gitleaks secret scan, dependency-audit (ecosystem-specific audits SKIPPED — no matching ecosystems), CodeRabbit.
Two dev-lead checks (dispatch, ci-relay) are CANCELLED — these are the agent's own concurrency-cancelled jobs, skipped via the [skip ci-relay] commit flag and known to be non-blocking (per #608/#609). dependabot-automerge SKIPPED as expected.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.



Closes #584
Implemented by dev-lead agent. Please review.