fix(seed-repo-template): correct dependabot path/default + close test gap (#966)#995
Conversation
…se test gap (#966) The #966 seeder could not run live. Two path defects, both hidden because the bats tests mocked the standards fetch: 1. ci.yml / sonarcloud.yml are declared kind=inline and fetched from standards/workflows/, but those canonical files never existed there (added in petry-projects/.github#564). 2. The dependabot baseline fetched standards/dependabot/<stack>/dependabot.yml — a subdirectory layout that does not exist — with a default stack of `node`, which is not a real stack. The real layout is flat: standards/dependabot/<stack>.yml. Changes: - Fix the dependabot fetch path to standards/dependabot/<stack>.yml. - Default DEPENDABOT_STACK node -> frontend (a real stack); fix the env doc and the generated BOOTSTRAP.md, which named non-existent `node`/`go` stacks and a <stack>/ subdir. - Tests: move fixtures to the flat layout; add fail-loud regression guards so a missing inline workflow standard (the ci/sonarcloud class) or a missing dependabot stack file exits non-zero instead of shipping an empty file; add sonarcloud inline-emit coverage; add a network-free gh stub so fail-loud tests don't depend on live repo state. Validated end-to-end against a mirror of the live standards/ plus the two new files: all 10 workflow stubs + 10 baseline files emit with zero fetch errors; inline files ship byte-identically; callers repin to @<name>/stable. shellcheck clean; 26/26 bats. Companion to petry-projects/.github#564. Refs #966, epic #964. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
|
Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-30T23:05:22Z. |
There was a problem hiding this comment.
Code Review
This pull request updates the dependabot stack configuration structure in scripts/seed-repo-template.sh to use flat .yml files instead of subdirectories, changing the default stack from node to frontend. It also updates the test suite in tests/test_seed_repo_template.bats to reflect these changes and adds new tests to ensure the script fails loudly when expected workflow or dependabot files are missing. The review feedback suggests using a more readable and idiomatic here-doc in Bash/BATS instead of a single-line printf statement when creating multi-line test fixtures.
|
Warning Review limit reached
Next review available in: 49 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — fix-reviews (applied)Changes committed and pushed. |
|
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
|
Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-30T23:10:58Z. |
|
@donpetry-bot the prior review was rate-limited (sha f86befa). All required CI is green (26/26 bats, shellcheck, lint, template-drift), threads resolved; the dev-lead dispatch/ci-relay jobs hit a transient 0s failure and are being re-run. Please re-review for the approving review. |
|
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: f86befa33cffada966bfe7c47f346d4b354a206d
Review mode: triage-approved (single reviewer)
Summary
Two-file bug fix making scripts/seed-repo-template.sh runnable: corrects the Dependabot standards path from the non-existent nested layout (standards/dependabot//dependabot.yml) to the canonical flat layout (standards/dependabot/.yml), changes the default stack from the non-existent 'node' to the real 'frontend', updates env docs and the generated BOOTSTRAP.md stack list, and adds bats coverage including fail-loud regression guards plus a network-free gh stub. No seeder logic change. Confirms the triage low-risk assessment.
Linked issue analysis
PR references story #966 and epic #964 (no formal closing reference; closingIssuesReferences is empty, which is expected here). The change substantively addresses the described defect: the seeder could not populate repo-template because the Dependabot fetch path and default stack pointed at paths that never existed. The new flat-path fetch and the 'frontend' default match the real standards/ layout, and the added tests assert exactly this. Companion canonical files land in petry-projects/.github#564 (noted merge-order dependency); this PR is independently green via fixtures.
Findings
No blocking issues. (1) Security: shell-only change; DEPENDABOT_STACK is an operator-supplied env var used to build a standards path, not untrusted external input — no injection or traversal concern. No auth/secret/crypto/migration surface. (2) Correctness: path fix and default-stack change are coherent with the doc and test updates; error message now includes the standards repo for better diagnostics. (3) Tests: adds fail-loud guards (missing inline workflow standard or missing dependabot stack file must exit non-zero) and a gh stub returning empty so fail-loud tests don't pass/fail on live repo state — good defense against the original false-green. Secret-scan MCP tool (run_secret_scanning) not available in this environment; relied on the gitleaks CI check, which passed.
CI status
All required checks green: shellcheck/ShellCheck, bats/unit-tests, CodeQL (actions+python), SonarCloud (Quality Gate passed, 0 new issues), Secret scan (gitleaks), agent-shield, Agent Security Scan, validate-agent-profiles, template-drift, holdout-guard, CodeRabbit. Skipped checks are audit/relay jobs not applicable to this diff. mergeStateStatus is BLOCKED only on REVIEW_REQUIRED (pending this approval), mergeable=MERGEABLE.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.



What
Makes
scripts/seed-repo-template.sh(epic #964, story #966) actually runnable. It currently cannot populaterepo-template— a live run 404s and aborts. Two path defects, both hidden because the bats tests mock the standards fetch (false green):ci/sonarcloudarekind=inline, fetched fromstandards/workflows/, but those canonical files never existed there. Added in the companion chore(standards): add canonical ci.yml + sonarcloud.yml inline workflow templates (#966) .github#564.standards/dependabot/<stack>/dependabot.yml(a non-existent subdirectory layout) with default stacknode(not a real stack). The real layout is flat:standards/dependabot/<stack>.yml.Changes
standards/dependabot/<stack>.yml; error message includes the repo.DEPENDABOT_STACKnode→frontend; fix the env doc and the generatedBOOTSTRAP.md(which named non-existentnode/gostacks and a<stack>/subdir) to list the real stacks.sonarcloudinline-emit coverage; add a network-freeghstub so fail-loud tests don't pass/fail on live repo state.No seeder logic change for
kind=inlinewas needed —_emit_workflowalready ships inline workflows verbatim (no repin); the defect was purely the missing files + wrong dependabot path.Validation
End-to-end against a mirror of the live
standards/+ the two new files (from #564):ci/sonarcloudship byte-identically; caller stubs repin to@<name>/stable(S7637 NOSONAR markers preserved);shellcheckclean; 26/26 bats pass.Merge order: #564 (canonical files) should land first so a live seed succeeds; this PR is independently green (tests use fixtures).
Refs #966, epic #964.