Skip to content

feat: implement issue #433 — Compliance: copilot-setup-steps-invalid-job-name#489

Merged
don-petry merged 5 commits into
mainfrom
dev-lead/issue-433-20260619-1534
Jun 19, 2026
Merged

feat: implement issue #433 — Compliance: copilot-setup-steps-invalid-job-name#489
don-petry merged 5 commits into
mainfrom
dev-lead/issue-433-20260619-1534

Conversation

@don-petry

@don-petry don-petry commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Closes #433

Implemented by dev-lead agent. Please review.

Summary by CodeRabbit

  • Bug Fixes

    • Improved compliance-audit workflow validation to correctly recognize the jobs.copilot-setup-steps key across YAML-quoted variants, reducing false negatives during checks.
  • Tests

    • Added a new compliance-audit test suite to verify detection behavior for GitHub Actions workflows, including positive cases (direct top-level job key) and near-miss scenarios (wrong job name, comments, incorrect indentation, or missing jobs).

@don-petry don-petry requested a review from a team as a code owner June 19, 2026 15:40
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 73150806-c95c-48e2-b9e7-03e2a7ab1f6c

📥 Commits

Reviewing files that changed from the base of the PR and between e6849d3 and 1ed2731.

📒 Files selected for processing (2)
  • scripts/compliance-audit.sh
  • test/scripts/compliance-audit/copilot-setup-steps-job-name.bats

📝 Walkthrough

Walkthrough

The compliance audit script's check_copilot_setup_steps function has its Python regex updated to use \x27 (hex escape) instead of a literal single quote for the optional surrounding quote character. A new Bats test file adds an indentation-sensitive Python helper and tests covering compliant and non-compliant workflow detection cases.

Changes

copilot-setup-steps job-name detection fix and tests

Layer / File(s) Summary
Regex quote escape fix
scripts/compliance-audit.sh
Replaces the literal ' with \x27 in the Python regex character class used to detect copilot-setup-steps as a YAML job key.
Bats test suite for job-name detection
test/scripts/compliance-audit/copilot-setup-steps-job-name.bats
Introduces _has_job, an embedded Python helper that scans workflow YAML with indentation awareness; adds compliant cases (repo workflow file, minimal, quoted, non-first job) and non-compliant cases (wrong name, comment-only, wrong indent, no jobs: section).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • #433 (Compliance: copilot-setup-steps-invalid-job-name): This PR directly fixes the detection logic that was failing to identify the required copilot-setup-steps job name, which is the root cause of the compliance finding in this issue.

Possibly related PRs

  • petry-projects/.github#12: Modifies the same check_copilot_setup_steps function in scripts/compliance-audit.sh that this PR patches.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Linked Issues check ❓ Inconclusive The PR implements the compliance audit check infrastructure but does not appear to modify the actual workflow file to add the required job. Verify that changes to scripts/compliance-audit.sh and the new test file are sufficient to address issue #433, or if the copilot-setup-steps.yml workflow file itself needs modification.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the implementation of issue #433 regarding the copilot-setup-steps compliance check, matching the PR's primary objective.
Out of Scope Changes check ✅ Passed All changes are directly related to implementing and testing the compliance check referenced in issue #433; no unrelated modifications detected.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-433-20260619-1534

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new BATS test suite to verify the job-name detection logic for the copilot-setup-steps workflow. The tests cover both compliant workflows and various near-miss scenarios. Feedback highlights a critical syntax error in the actual implementation script due to unescaped single quotes in a Python string, and suggests adding a file existence check in the tests to prevent abrupt failures if the workflow file is missing.

Comment thread test/scripts/compliance-audit/copilot-setup-steps-job-name.bats
Comment thread test/scripts/compliance-audit/copilot-setup-steps-job-name.bats
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) June 19, 2026 15:52
@don-petry don-petry disabled auto-merge June 19, 2026 15:57
@don-petry don-petry enabled auto-merge (squash) June 19, 2026 16:02
donpetry-bot
donpetry-bot previously approved these changes Jun 19, 2026

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 3278ca89d61cc74e3cef123b7f37dbb3207af3c9
Review mode: triage-approved (single reviewer)

Summary

Test-only addition plus a one-line bug fix. The PR adds a BATS suite (test/scripts/compliance-audit/copilot-setup-steps-job-name.bats, 150 lines) pinning the indentation-aware parser in check_copilot_setup_steps, and fixes a real bug in scripts/compliance-audit.sh: the embedded python3 -c regex used a literal single quote (['] inside ["']?) within a single-quoted shell argument, which broke the shell string and made the compliance check error out. The fix replaces the literal quote with \x27 (regex hex escape for '), keeping the python valid inside the single-quoted block while still matching both quoted and unquoted YAML job keys. Triage's low-risk assessment is correct.

Linked issue analysis

Closes #433 (copilot-setup-steps-invalid-job-name compliance check). The issue is substantively addressed: the parser bug that made the check non-functional is fixed, and a near-miss test matrix (misnamed job, name only in a comment, name at wrong indent, no jobs section, quoted/unquoted/non-first job) guards against regressions.

Findings

No new issues. Both prior automated-review findings are resolved on the reviewed SHA: (1) gemini's CRITICAL — literal single quote in the script's python regex — fixed at compliance-audit.sh:1305 (now r"^["\x27]?..."), confirmed by 255 passing BATS tests; (2) gemini's LOW — missing file-existence guard in the first test — added (skip when copilot-setup-steps.yml is absent). No unresolved review threads or unanswered human questions. Secret scan: GitHub Secret Protection MCP tool was not grantable in this Action context; noted and skipped — changed content is a regex fix and test fixtures with no credentials, and the gitleaks CI check passed.

CI status

All required checks green: CI Lint, ShellCheck, Secret scan (gitleaks), Agent Security Scan, AgentShield, CodeQL, and SonarCloud (Quality Gate passed) all SUCCESS. The CANCELLED dev-lead/dispatch and ci-relay runs are the authoring agent's own superseded workflow runs, not gating checks. mergeStateStatus is BEHIND (branch behind main) but mergeable — handled by auto-rebase, not a review blocker.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/scripts/compliance-audit/copilot-setup-steps-job-name.bats`:
- Around line 88-95: Add a new test function after the existing "quoted job key
is recognised" test that validates single-quoted job keys in the _has_job
function. Create a test with a similar structure and assertions, but replace the
double-quoted job key "copilot-setup-steps" with a single-quoted equivalent
'copilot-setup-steps' to ensure the regex pattern in _has_job handles both quote
styles consistently.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7b135e98-a00e-43c0-ad66-615816163cb4

📥 Commits

Reviewing files that changed from the base of the PR and between f685935 and e6849d3.

📒 Files selected for processing (2)
  • scripts/compliance-audit.sh
  • test/scripts/compliance-audit/copilot-setup-steps-job-name.bats

Comment thread test/scripts/compliance-audit/copilot-setup-steps-job-name.bats
@don-petry don-petry disabled auto-merge June 19, 2026 19:20
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 19, 2026
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@don-petry don-petry dismissed stale reviews from coderabbitai[bot] and donpetry-bot via 426f9e4 June 19, 2026 19:21
@don-petry don-petry enabled auto-merge (squash) June 19, 2026 19:21
@don-petry don-petry disabled auto-merge June 19, 2026 19:26
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: fix-reviews)

PR: #489
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-19T19:58:41Z

@don-petry don-petry enabled auto-merge (squash) June 19, 2026 19:28

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 426f9e4b2cd602eb6a9f6190d613b6c794b21b27
Review mode: triage-approved (single reviewer)

Summary

Test-only addition plus a one-line bug fix. scripts/compliance-audit.sh:1305 had a real shell-quoting bug: the embedded python3 -c '...' block (single-quoted at the shell level, line 1272) used a literal single quote inside the regex character class ["']?, which prematurely closed the shell single-quoted string and broke check_copilot_setup_steps. The fix replaces the literal ' with the regex hex escape \x27, which matches a single quote in Python without placing a literal quote in the shell argument, while still matching both quoted and unquoted YAML job keys. The new BATS suite (test/scripts/compliance-audit/copilot-setup-steps-job-name.bats, 159 lines) mirrors the parser and pins behaviour across compliant cases (repo file, minimal, double-quoted, single-quoted, non-first job) and near-misses (misnamed job, name only in a comment, wrong indent, no jobs section). Triage's low-risk assessment is confirmed correct.

Linked issue analysis

Closes #433 (copilot-setup-steps-invalid-job-name compliance check). Substantively addressed: the quoting bug that broke the detection logic is fixed, and a near-miss test matrix guards against regressions.

Findings

No new issues. Prior automated-review findings are resolved at the head SHA: gemini's CRITICAL (literal single quote in the script's python regex) is fixed at compliance-audit.sh:1305; CodeRabbit's CHANGES_REQUESTED at e6849d3 (add a single-quoted job-key test) is addressed — the 'single-quoted job key is recognised' test was added, and CodeRabbit re-reviewed at the head SHA and APPROVED. The prior single-reviewer APPROVED review was auto-dismissed only because a new commit was pushed; that commit is the CodeRabbit fix. No unresolved review threads or unanswered human questions. Secret scan: the GitHub secret-scanning MCP tool errored (GitHub Advanced Security not enabled for the repo) — noted and skipped; changed content is a regex fix and test fixtures with no credentials, and the gitleaks CI check passed.

CI status

All required checks green: CI Lint, ShellCheck, Secret scan (gitleaks), Agent Security Scan, AgentShield, CodeQL, SonarCloud (Quality Gate passed), and Dependency audit (Detect ecosystems) all SUCCESS. CANCELLED dev-lead/dispatch and ci-relay runs are the authoring agent's own superseded workflow runs, not gating checks. mergeStateStatus is BEHIND (branch behind main) but MERGEABLE — handled by auto-rebase, not a review blocker.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry disabled auto-merge June 19, 2026 22:18
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
Files changed: None needed
Skipped: Quality Gate passed with 0 issues — no actionable findings in SonarCloud report
```
The PR is clean and ready. All quality gates have passed, and prior bot findings have been addressed in the current commit.

@don-petry don-petry enabled auto-merge (squash) June 19, 2026 22:19
@don-petry don-petry merged commit 5cb9352 into main Jun 19, 2026
21 of 22 checks passed
@don-petry don-petry deleted the dev-lead/issue-433-20260619-1534 branch June 19, 2026 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: copilot-setup-steps-invalid-job-name

2 participants