docs+ci: inline S7635 NOSONAR marker for idea-pipeline caller stubs#567
Conversation
SonarCloud's githubactions:S7635 ("only pass required secrets") fires on the
`secrets: inherit` line of first-party caller stubs. secrets: inherit is
intentional — the central reusable is first-party/trusted and needs every
inherited secret; enumerating per-caller re-breaks on each reusable change.
This is the same trust boundary that exempts the channel ref from S7637.
Apply the canonical mechanism (inline NOSONAR travelling with the verbatim
stub, per the existing S7637 pattern) to the three idea-pipeline templates
that use secrets: inherit — initiative-planner.yml, idea-triage.yml,
idea-enhancer.yml — plus this repo's own dogfooded initiative-planner stub.
Verbatim adopters (e.g. the ring1/stable enrollments) now inherit S7635
coverage with zero per-repo sonar-project.properties entries.
Document a sibling "First-Party `secrets: inherit` S7635" subsection under the
existing S7637 exemption (anchor preserved) and point §10 adoption step 1 at it.
Deferred: dev-lead.yml, auto-rebase.yml, dependabot-automerge.yml, and
pr-review-mention.yml also use secrets: inherit but are deployed fleet-wide;
adding the marker there fans out a broad stub re-sync, tracked separately.
Refs petry-projects/.github-private#978, #515.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Review limit reached
Next review available in: 53 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR adds inline ChangesNOSONAR exemption rollout
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the org-standard idea→initiative “caller stub” workflow templates (and this repo’s dogfooded stub) to inline-suppress SonarCloud rule githubactions:S7635 on intentional secrets: inherit usage, and documents the canonical suppression mechanism in ci-standards.md so adopters don’t need per-repo Sonar configuration.
Changes:
- Add inline
# NOSONAR(githubactions:S7635)comments onsecrets: inheritfor the three idea-pipeline caller stub templates. - Add the same inline marker to this repo’s
.github/workflows/initiative-planner.ymlstub. - Document the S7635 suppression standard in
standards/ci-standards.mdand update the “Adopting in a new repo” step to note verbatim-copy behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| standards/workflows/initiative-planner.yml | Adds inline S7635 NOSONAR marker on secrets: inherit for the initiative planner caller stub template. |
| standards/workflows/idea-triage.yml | Adds inline S7635 NOSONAR marker on secrets: inherit for the idea triage caller stub template. |
| standards/workflows/idea-enhancer.yml | Adds inline S7635 NOSONAR marker on secrets: inherit for the idea enhancer caller stub template. |
| standards/ci-standards.md | Documents the canonical inline NOSONAR suppression for S7635 and updates adoption guidance to reflect verbatim-copy behavior. |
| .github/workflows/initiative-planner.yml | Adds inline S7635 NOSONAR marker on secrets: inherit for the in-repo dogfooded stub. |
There was a problem hiding this comment.
Code Review
This pull request documents and implements a standard inline SonarCloud exemption (# NOSONAR(githubactions:S7635)) for first-party caller stubs that use secrets: inherit. The documentation in standards/ci-standards.md has been updated to explain this exemption, and the marker has been added to several workflow templates. The review feedback suggests improving the documentation's consistency and navigation by linking workflow paths uniformly and using a direct anchor link for the newly added SonarCloud exemption section.
Dev-Lead — review-changes (applied)Changes committed and pushed. |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@standards/ci-standards.md`:
- Around line 1171-1177: The adoption steps are missing the `idea-enhancer.yml`
workflow, which is now part of the required verbatim template set. Update the
instructions near the `initiative-driver.yml`/`idea-triage.yml` references to
also mention copying `idea-enhancer.yml` into `.github/workflows/`, keeping the
guidance aligned with the S7635 caller-stub templates and the existing `#
NOSONAR` notes.
- Line 498: The markdown at the referenced documentation section has broken list
formatting because the “+ more)” fragment is being parsed like a list item and
conflicts with markdownlint rules. Update the surrounding prose in the CI
standards doc to remove that inline list-like fragment, or convert it into a
properly formatted dash list with blank lines using the nearby section text as
context. Locate the affected sentence by its “without each caller enumerating —
and re-enumerating on every reusable” wording and rewrite it as plain prose.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 261d41b4-2b34-46ee-afcd-30e8c18b547c
📒 Files selected for processing (5)
.github/workflows/initiative-planner.ymlstandards/ci-standards.mdstandards/workflows/idea-enhancer.ymlstandards/workflows/idea-triage.ymlstandards/workflows/initiative-planner.yml
…635 anchor - Add idea-triage.yml + idea-enhancer.yml (optional) to §10 adoption step 1 so the caller-stub set matches the S7635 template list (CodeRabbit). - Use full standards/workflows/ paths in the link text and link the S7635 subsection by anchor instead of prose (Gemini). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H
|
Dev-Lead — waiting on PR blockers (intent: fix-reviews)PR: #567 |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 41e23407dfca143f26f7f552ebbc56708594e73b
Review mode: triage-approved (single reviewer)
Summary
Comment-only + docs change: adds inline # NOSONAR(githubactions:S7635) first-party trusted reusable markers to the secrets: inherit line of four first-party caller stubs (this repo's dogfooded initiative-planner.yml plus the initiative-planner/idea-triage/idea-enhancer standards templates) and documents the exemption as a sibling to the existing S7637 rule in ci-standards.md. No secret-inheritance behavior changes.
Linked issue analysis
No linked closing issues (PR references petry-projects/.github-private#978 and #515 with Refs, not Closes). Nothing to substantively verify against a closing issue; the stated goal (close the S7635 SonarCloud gap surfaced by ring1 enrollment via the canonical inline-marker mechanism) is fully realized by the diff.
Findings
- No security-relevant behavior change:
secrets: inheritwas already present on every touched line; the PR only appends a NOSONAR comment. SonarCloud Quality Gate passed with 0 new issues; CodeQL, gitleaks, AgentShield, and the Agent Security Scan are all green. - The suppression is legitimate and documented, not covert: it mirrors the established first-party S7637 exemption, targets a trusted first-party reusable, and is captured in ci-standards.md with an explicit pending-list for the fleet-wide stubs not yet migrated.
- Prior CodeRabbit CHANGES_REQUESTED (add idea-enhancer.yml to adoption step 1; anchor/link nits) was addressed by commit 41e2340; CodeRabbit re-reviewed and APPROVED at the head SHA. Copilot and Gemini generated no blocking comments.
- Nit (non-blocking): CodeRabbit flagged the inline "( … + more)" fragment near ci-standards.md:498 as list-like markdown; it remains as prose but is cosmetic and CodeRabbit approved regardless.
- GitHub secret-scanning MCP tool not exposed in this environment; relied on the passing gitleaks CI check. No secrets introduced (diff adds only comments and documentation).
CI status
All substantive gates green: SonarCloud (Quality Gate passed, 0 new issues), CodeQL, Secret scan (gitleaks), AgentShield, Agent Security Scan, Lint, ShellCheck, npm audit. CANCELLED entries are only superseded dev-lead automation-agent dispatch/ci-relay runs, not quality gates. mergeStateStatus: BLOCKED reflects the outstanding org-leads human-review requirement (branch protection), not a failing check.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
…567) (#332) chore: add inline S7635 NOSONAR marker to initiative-planner + idea-triage stubs Re-sync to the updated canonical templates (petry-projects/.github#567), which moved S7635 suppression to an inline `# NOSONAR(githubactions:S7635)` marker on the `secrets: inherit` line (travels with the verbatim stub). Prevents Fleet Monitor stub-drift once #567 is on main. The per-file S7635 multicriteria added at enrollment is now redundant (marker covers it) but left in place for a minimal diff — belt-and-suspenders, same as the repo's other channel-pinned stubs. Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…567) (#343) chore: add inline S7635 NOSONAR marker to initiative-planner + idea-triage stubs Re-sync to the updated canonical templates (petry-projects/.github#567), which moved S7635 suppression to an inline `# NOSONAR(githubactions:S7635)` marker on the `secrets: inherit` line (travels with the verbatim stub). Prevents Fleet Monitor stub-drift once #567 is on main. The per-file S7635 multicriteria added at enrollment is now redundant (marker covers it) but left in place for a minimal diff — belt-and-suspenders, same as the repo's other channel-pinned stubs. Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>



Closes the SonarCloud S7635 gap surfaced by the ring1 idea→initiative enrollment (petry-projects/.github-private#978, gate #515). Companion to the ring1 PRs (TalkTerm #331, bmad #342).
Problem
githubactions:S7635("only pass required secrets to this workflow") fires on thesecrets: inheritline of first-party caller stubs.secrets: inheritis intentional — the central reusable is first-party/trusted and needs every inherited secret (GH_PAT_WORKFLOWS,CLAUDE_CODE_OAUTH_TOKEN, …); enumerating per-caller re-breaks on every reusable change. Existing deployments pass as non-"new code", so the rule only bites the first time a stub is added to a SonarCloud-gated repo — exactly what ring1 hit. The templates only carried the S7637 marker, so the auto-fix bot tried to "fix" S7635 by mangling the stubs.Fix (canonical mechanism)
Per the existing S7637 exemption, the canonical suppression is an inline
# NOSONARmarker that travels with the verbatim stub — zero per-reposonar-project.propertiesentries. This adds that for S7635:standards/workflows/initiative-planner.yml,idea-triage.yml,idea-enhancer.yml— the three idea-pipeline templates that usesecrets: inherit— getsecrets: inherit # NOSONAR(githubactions:S7635) first-party trusted reusable..github/workflows/initiative-planner.ymlstub gets the same.secrets: inheritS7635" subsection in ci-standards (S7637 anchor preserved so existing links keep working); §10 adoption step 1 points at it and notes verbatim copy needs no sonar edits.Blast radius
Deployed stub consumers of these 3 templates on
main: only this repo's owninitiative-planner.yml(updated here)..github-privateuses the full host workflow (not a stub). So no external stub-drift — the open ring1 PRs will be re-synced to match.Deferred (tracked follow-up)
dev-lead.yml,auto-rebase.yml,dependabot-automerge.yml,pr-review-mention.ymlalso usesecrets: inheritand share the latent gap, but are deployed fleet-wide — marking them fans out a broad re-sync. Until then a new adoption of one of those four needs the legacy per-file S7635 exemption (documented).🤖 Generated with Claude Code
Summary by CodeRabbit
Documentation
Chores