Skip to content

feat: implement issue #580 — Retire/delineate the detection-based apply-rulesets.sh — it diverges from the codified ruleset (#575 debt)#591

Closed
don-petry wants to merge 1 commit into
mainfrom
dev-lead/issue-580-20260703-1439
Closed

feat: implement issue #580 — Retire/delineate the detection-based apply-rulesets.sh — it diverges from the codified ruleset (#575 debt)#591
don-petry wants to merge 1 commit into
mainfrom
dev-lead/issue-580-20260703-1439

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Closes #580

Implemented by dev-lead agent. Please review.

…ly-rulesets.sh — it diverges from the codified ruleset (#575 debt)
Copilot AI review requested due to automatic review settings July 3, 2026 14:47
@don-petry don-petry requested a review from a team as a code owner July 3, 2026 14:47
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 48 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 95ee1e08-e45c-459a-a867-b17fa610223f

📥 Commits

Reviewing files that changed from the base of the PR and between 82a4ea4 and 00ef3db.

📒 Files selected for processing (6)
  • .github/workflows/apply-rulesets-tests.yml
  • scripts/apply-rulesets.sh
  • standards/github-settings.md
  • test/scripts/apply-rulesets/dev-lead-not-required.bats
  • test/scripts/apply-rulesets/helpers/setup.bash
  • test/scripts/apply-rulesets/stubs/gh
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-580-20260703-1439

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
Skipped (informational/non-actionable): 2
  - chatgpt-codex-connector usage limit notification
  - coderabbitai rate limit notification
Files changed: none
Status: No code review findings to address. Both comments are service notifications only.
```
The PR is ready for review once the bots' rate limits reset. No code changes are required based on these comments.

@don-petry don-petry enabled auto-merge (squash) July 3, 2026 14:48

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors scripts/apply-rulesets.sh to wrap its execution logic in a main function, allowing it to be sourced for unit testing, and updates it to omit the Dev-Lead Agent / dev-lead check from the required status checks. It also updates the corresponding documentation and adds comprehensive BATS regression tests with a mock gh binary. Feedback on the changes highlights a critical issue in the test assertions where a failing loop iteration could be masked, and suggests using the optional/try operator ? in jq filters to safely handle potentially null nested properties.

Comment on lines +60 to +66
while IFS= read -r ctx; do
[ -z "$ctx" ] && continue
grep -qxF "$ctx" <<< "$codified" || {
echo "detector emitted non-codified context: '$ctx'" >&2
false
}
done <<< "$output"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

In Bash, a while loop's exit status is determined by the last executed command in the loop. If a non-codified context is encountered in an earlier iteration, false is executed, but the loop continues to the next iteration. If the last iteration succeeds, the loop exits with status 0, causing the test to silently pass despite the failure.

To fix this, track the failure state using a local variable and assert its value after the loop completes.

  local failed=0
  while IFS= read -r ctx; do
    [ -z "$ctx" ] && continue
    grep -qxF "$ctx" <<< "$codified" || {
      echo "detector emitted non-codified context: '$ctx'" >&2
      failed=1
    }
  done <<< "$output"
  [ "$failed" -eq 0 ]

Comment on lines +57 to +58
codified="$(jq -r '.rules[] | select(.type=="required_status_checks") | .parameters.required_status_checks[].context' \
"${TT_REPO_ROOT}/standards/rulesets/code-quality.json")"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

When accessing nested properties of an object that may be null or missing in jq filters, use the optional/try operator ? to prevent fatal 'Cannot index null with string' errors.

  codified="$(jq -r '.rules[] | select(.type=="required_status_checks") | .parameters?.required_status_checks[]?.context?' \\
    "${TT_REPO_ROOT}/standards/rulesets/code-quality.json")"
References
  1. In jq filters within shell scripts, when accessing nested properties of an object that may be null (e.g., .author.login), use the optional/try operator ? (e.g., .author.login?) to prevent fatal 'Cannot index null with string' errors.

run build_ruleset_json "code-quality" "CodeQL" "agent-shield / AgentShield"
[ "$status" -eq 0 ]

contexts="$(echo "$output" | jq -r '.rules[] | select(.type=="required_status_checks") | .parameters.required_status_checks[].context')"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

When accessing nested properties of an object that may be null or missing in jq filters, use the optional/try operator ? to prevent fatal 'Cannot index null with string' errors.

  contexts="$(echo "$output" | jq -r '.rules[] | select(.type=="required_status_checks") | .parameters?.required_status_checks[]?.context?')"
References
  1. In jq filters within shell scripts, when accessing nested properties of an object that may be null (e.g., .author.login), use the optional/try operator ? (e.g., .author.login?) to prevent fatal 'Cannot index null with string' errors.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Aligns the legacy, detection-based scripts/apply-rulesets.sh with the codified standards/rulesets/code-quality.json by eliminating the non-codified Dev-Lead Agent / dev-lead required-check injection, and adds regression tests + CI to prevent drift from reappearing.

Changes:

  • Remove Dev-Lead Agent / dev-lead from detect_required_checks() output and document the rationale (avoids workflow-touching PR deadlocks).
  • Add a bats test suite (with a stubbed gh) to assert the detector’s emitted contexts are a strict subset of the codified code-quality.json.
  • Add a dedicated GitHub Actions workflow to run ShellCheck and the new bats tests when relevant files change.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
scripts/apply-rulesets.sh Stops injecting the Dev-Lead Agent required context; adds a guarded main() so functions can be sourced/tested.
test/scripts/apply-rulesets/dev-lead-not-required.bats Regression tests ensuring the detector doesn’t emit Dev-Lead Agent and remains aligned with codified contexts.
test/scripts/apply-rulesets/helpers/setup.bash Shared bats helpers for repo/script path setup and installing the gh stub on PATH.
test/scripts/apply-rulesets/stubs/gh Test double for gh api to simulate workflow presence and CodeQL state during unit tests.
standards/github-settings.md Updates documentation to explicitly state Dev-Lead Agent is not a required merge-gate context.
.github/workflows/apply-rulesets-tests.yml CI workflow to run ShellCheck + bats suite for the apply-rulesets script/tests.

Comment on lines +21 to +30
# Locate the api path: the first positional argument after the `api` subcommand.
path=""
prev=""
for arg in "$@"; do
if [ "$prev" = "api" ]; then
path="$arg"
break
fi
prev="$arg"
done
Comment on lines 274 to 276
The table below covers the **unconditional fleet-wide required check contexts** — the base set `detect_required_checks()` applies when each org-standard workflow file is present.
The script also conditionally adds **Dev-Lead Agent** (when `dev-lead.yml` exists) and **Secret scan** (when `ci.yml` contains the gitleaks action), but those are in staged rollout; see below.
The script also conditionally adds **Secret scan** (when `ci.yml` contains the gitleaks action), which is in staged rollout; see below. It does **not** add **Dev-Lead Agent** as a required context — that is per-PR review, not a merge gate ([#579](https://github.com/petry-projects/.github/issues/579), [#580](https://github.com/petry-projects/.github/issues/580)); see the table row below.

@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: 00ef3db3300031291e2e09a4b33e304be1057e20
Cascade: triage → deep (triage: haiku 4.5 → deep: opus 4.8 + duck: o4-mini → audit: fable 5)

Summary

PR removes the non-codified Dev-Lead Agent / dev-lead required-check injection from the detection-based apply-rulesets.sh and adds a bats regression suite + CI to prevent drift, aligning to the codified code-quality.json — a well-reasoned MEDIUM change (bot-reviewed, CodeQL green, read-only pinned workflow, no secrets/auth). It escalates on failed gates, not risk: the PR is in merge conflict (mergeable=CONFLICTING/DIRTY) and its core regression test has a correctness bug that defeats its purpose. No security-audit tier needed; findings are actionable by the author. Downstream impact: (none).

Findings

  • major: Merge conflict: PR is mergeable=CONFLICTING / mergeStateStatus=DIRTY against main. Must be rebased/resolved before it can merge — hard gate failure.
  • major: The 'agrees with the codified code-quality.json context set' test masks failures: the while loop's exit status is that of its final iteration. A non-codified context in an earlier iteration runs false, but if a later iteration's grep succeeds the loop exits 0 and the test silently passes — defeating the regression test's stated anti-drift purpose. Track failure in a local var (e.g. failed=1) and assert [ "$failed" -eq 0 ] after the loop. Flagged high-priority by Gemini; unaddressed.
  • minor: jq filter accesses nested properties without optional operators; if .parameters or .required_status_checks is null the filter aborts with 'Cannot index null with string'. Use .parameters?.required_status_checks[]?.context? for null-safety.
  • minor: Same jq null-safety nit as line 58: use optional/try operators (?) on nested property access in the build_ruleset_json context extraction.
  • info: The newly added apply-rulesets-tests.yml (which runs shellcheck + the bats suite) does not appear in this PR's statusCheckRollup, so the regression tests may not be executing as a merge gate on this PR. Confirm the workflow actually runs against the head SHA before relying on it.

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: opus 4.8 + duck: o4-mini → audit: fable 5). Reply if you need a human review.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Superseded by #590, which retired the detection-based apply-rulesets.sh (Option 1) and merged at 14:45 UTC — issue #580 is closed. This PR was opened ~2 min later by an in-flight dev-lead run for the already-resolved issue and now conflicts (DIRTY) with #590's landed changes. Closing as a duplicate. (Its dev-lead-not-required.bats test overlaps the "code-quality must not require Dev-Lead Agent" guard already shipped in #590.)

@don-petry don-petry closed this Jul 3, 2026
auto-merge was automatically disabled July 3, 2026 21:08

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Retire/delineate the detection-based apply-rulesets.sh — it diverges from the codified ruleset (#575 debt)

3 participants