feat(audit): make centralized-stub check ring-aware (#870)#529
Conversation
The 6 #482 reusables (auto-rebase, dependency-audit, dependabot-automerge, dependabot-rebase, agent-shield, pr-review-mention) are moving onto the canary-ring model (epic #495). The compliance audit must ACCEPT a repo's ring-tier channel pin before any stub is repinned — otherwise dev-lead remediation reverts the change, the #482 revert-collision lesson. Changes: - Add ring_tier_for_repo(): maps each repo to its tier (next=.github-private, ring0=.github, ring1=TalkTerm+bmad-bgreat-suite, stable=broad fleet). Mirrors the epic #495 topology and cut-release.sh. - check_centralized_workflow_stubs: the 6 reusables now carry a `RING` sentinel canonical. At check time the expected pin resolves to the repo's tier channel (e.g. agent-shield/ring1 on a ring1 repo); the transitional legacy grace accepts every ring channel plus the pre-ring @v1/@v2 pins so no stub is flagged or reverted mid-migration. - feature-ideation stays a fixed @v1 pin (not on the ring model). - bats: 4 new cases covering ring_tier_for_repo; existing stub_pin_acceptable cases unchanged (signature preserved). 11/11 pass. Refs #870
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
@donpetry-bot please review |
|
Warning Review limit reached
More reviews will be available in 50 minutes and 45 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
Code Review
This pull request introduces a canary-ring model for reusable workflows, mapping repositories to specific tiers (next, ring0, ring1, stable) and dynamically resolving their canonical pins and legacy accepted channels. Feedback suggests adding an explicit return 0 to the ring_tier_for_repo function in scripts/compliance-audit.sh to make its intent self-documenting and avoid inheriting the exit status of the preceding command.
Dev-Lead — fix-bot-comment (applied)Changes committed and pushed. |
|
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 58fcd2f698d6abf72d7f99b6479cf553e20cfd4e
Review mode: triage-approved (single reviewer)
Summary
Makes check_centralized_workflow_stubs in compliance-audit.sh ring-aware via a new ring_tier_for_repo() helper and a RING sentinel for the 6 #482 reusables. The sentinel resolves each reusable's canonical pin to the repo's ring-tier channel (next/ring0/ring1/stable) and accepts all ring channels plus the legacy v1/v2 pins, so no stub is flagged or reverted mid-migration. Scoped, well-tested audit-logic change; +82/-12 across the script and its bats suite.
Linked issue analysis
No closing issue (closingIssuesReferences empty); PR is a Refs #870 follow-on enabling epic #495 ring topology and explicitly lands audit-first so dev-lead remediation cannot revert a ring repin (the #482 revert-collision lesson). The diff delivers exactly what the description claims: tier mapping, RING resolution, and per-repo legacy grace.
Findings
No blocking issues.
- Correctness: recomputed canonical/legacy flow correctly into stub_pin_acceptable, which splits the CSV into an anchored uses: alternation regex; the 4-arg signature is preserved so existing cases are unaffected.
- chan derivation (${reusable%-reusable}) and ring_tier_for_repo mapping match the stated epic #495 topology and cut-release.sh channels; feature-ideation correctly stays a fixed @v1 pin.
- The widened acceptance set (all ring channels + v1,v2) is intentional migration grace and stays anchored to petry-projects/.github reusables, so it is not a pin-laxity security smell.
- Secret-scan MCP tool unavailable in this run; relied on the green gitleaks CI check. No secrets in diff.
- Tests: 4 new ring_tier_for_repo bats cases added; existing stub_pin_acceptable cases unchanged.
CI status
All required checks green: Lint, ShellCheck, Lint and bats, CodeQL, Agent Security Scan, AgentShield, Secret scan (gitleaks), SonarCloud all SUCCESS. Ecosystem audits (npm/pnpm/pip/cargo/go) SKIPPED as N/A. mergeStateStatus BLOCKED only on REVIEW_REQUIRED.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Move this repo's 6 #482 reusable caller stubs from their pre-ring pins (@stable / @v1 / @v2 / SHA) onto the canary-ring `<name>/ring1` channels (epic #495). The ring1 channels were cut at the currently-running proven version (376a4fcb), so this is a zero-behavior-change repin — promotion to newer code is a separate soak-gated step. The ring-aware compliance audit (petry-projects/.github#529) already accepts these channels, so dev-lead remediation will not revert them (#482 lesson). Refs #870 Co-authored-by: Claude Code Bot <bot@petry-projects>
Move this repo's 6 #482 reusable caller stubs from their pre-ring pins (@stable / @v1 / @v2 / SHA) onto the canary-ring `<name>/ring1` channels (epic #495). The ring1 channels were cut at the currently-running proven version (376a4fcb), so this is a zero-behavior-change repin — promotion to newer code is a separate soak-gated step. The ring-aware compliance audit (petry-projects/.github#529) already accepts these channels, so dev-lead remediation will not revert them (#482 lesson). Refs #870 Co-authored-by: Claude Code Bot <bot@petry-projects>
dev-lead's auto-remediation (7dc7c16) partly reverted this PR: it correctly moved the dependency-audit test to @dependency-audit/next but "fixed" the auto-rebase-stub failure by reverting auto-rebase.yml back to @auto-rebase/stable instead of updating the test — the #482 revert-collision pattern. This restores the intended next-channel repin and updates the remaining guards: - .github/workflows/auto-rebase.yml — re-pin @auto-rebase/next. - tests/dev-lead/integration/test_auto_rebase_stub.py — EXPECTED_REF @auto-rebase/stable → @auto-rebase/next. - .github/workflows/test-dev-lead.yml — auto-rebase-stub step name → /next. - tests/test_dependabot.bats — assert dependabot-automerge/next and reject any off-channel pin (vN / SHA / stable / ringN). dev-lead's dependency-audit/next changes are kept as-is. All five .github-private reusable stubs are now on their <name>/next channels; the ring-aware compliance audit (petry-projects/.github#529) accepts them. Refs #870
* chore: repin centralized stubs to next ring channel (#870) Move this repo's 6 #482 reusable caller stubs from their pre-ring pins (@stable / @v1 / @v2 / SHA) onto the canary-ring `<name>/next` channels (epic #495). The next channels were cut at the currently-running proven version (376a4fcb), so this is a zero-behavior-change repin — promotion to newer code is a separate soak-gated step. The ring-aware compliance audit (petry-projects/.github#529) already accepts these channels, so dev-lead remediation will not revert them (#482 lesson). Refs #870 * chore: apply manual instructions [skip ci-relay] * fix: complete next-channel repin + update stub-pin guards (#870) dev-lead's auto-remediation (7dc7c16) partly reverted this PR: it correctly moved the dependency-audit test to @dependency-audit/next but "fixed" the auto-rebase-stub failure by reverting auto-rebase.yml back to @auto-rebase/stable instead of updating the test — the #482 revert-collision pattern. This restores the intended next-channel repin and updates the remaining guards: - .github/workflows/auto-rebase.yml — re-pin @auto-rebase/next. - tests/dev-lead/integration/test_auto_rebase_stub.py — EXPECTED_REF @auto-rebase/stable → @auto-rebase/next. - .github/workflows/test-dev-lead.yml — auto-rebase-stub step name → /next. - tests/test_dependabot.bats — assert dependabot-automerge/next and reject any off-channel pin (vN / SHA / stable / ringN). dev-lead's dependency-audit/next changes are kept as-is. All five .github-private reusable stubs are now on their <name>/next channels; the ring-aware compliance audit (petry-projects/.github#529) accepts them. Refs #870 --------- Co-authored-by: Claude Code Bot <bot@petry-projects> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
#531) * fix: share canary-ring pin model between audit and deploy sweep (#482) #482's root cause is that the per-reusable canonical pin was encoded independently in three places (template, compliance audit, deploy sweep) and diverged. The audit became ring-aware in #529/#870, but the deploy sweep's `is_already_compliant` was still a literal substring match on the template's @<name>/stable pin — so a fleet sweep reported every ring1/next repo as "drifted" and would have reverted the intentional ring pins back to stable (criterion 2 unmet; the dry-run was dirty for TalkTerm/bmad/.github-private). Extract the ring model into `scripts/lib/ring-pins.sh` (single source of truth) and source it from both consumers: - ring_tier_for_repo / ring_canonical_ref / ring_accepted_refs / ring_legacy_csv + the RING_REUSABLES set (now incl. dev-lead, which is ring-released too). - compliance-audit.sh: drop the duplicate ring_tier_for_repo and compute the RING canonical/legacy via the lib — behaviour-identical, 11/11 stub bats pass. - deploy-standard-workflows.sh: is_already_compliant now accepts a repo's tier channel (and the transitional grace) for ring reusables, so the sweep never reverts a ring/next pin; non-ring templates keep the exact-match rule. Now "drift" (deploy) and "non-compliant" (audit) are computed from the same code and cannot diverge again. Full-fleet dry-run drops from TalkTerm+bmad+.github-private noise to only the two genuine off-channel (SHA) pins (ContentTwin ×6, TalkTerm dev-lead) — repinned separately. Tests: new ring-pins.bats (5) + two ring-aware dry-run cases. Refs #482 * fix(reviews): address review comments [skip ci-relay] --------- Co-authored-by: Claude Code Bot <bot@petry-projects> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>



Summary
Makes
check_centralized_workflow_stubsincompliance-audit.shring-aware so the audit accepts a repo's canary-ring channel pin (epic #495) for the 6 #482 reusables. This must land before any stub is repinned onto a ring channel — otherwise dev-lead remediation reverts the change (the #482 revert-collision lesson; audit-first ordering).What changed
ring_tier_for_repo()— new helper mapping each repo to its ring tier:next→.github-privatering0→.github(dogfood; self-hosts via@main, skipped by the stub check — informational)ring1→TalkTerm,bmad-bgreat-suitestable→ broad fleet.github-private/scripts/cut-release.shchannels.RINGsentinel — the 6 reusables (auto-rebase,dependency-audit,dependabot-automerge,dependabot-rebase,agent-shield,pr-review-mention) now use aRINGcanonical. At check time it resolves to the repo's tier channel (e.g.agent-shield/ring1on a ring1 repo). The transitional legacy grace accepts every ring channel plus the pre-ring@v1/@v2pins, so no stub is flagged or reverted mid-migration.feature-ideationstays a fixed@v1pin (not on the ring model).Tests
ring_tier_for_repo; existingstub_pin_acceptablecases unchanged (signature preserved). 11/11 pass.shellcheck --severity=warningclean.Refs #870
🤖 Generated with Claude Code