chore: re-sync initiative stubs to S7635 inline marker (post .github#567)#332
Conversation
…riage stubs Re-sync to the updated canonical templates (petry-projects/.github#567), which moved S7635 suppression to an inline `# NOSONAR(githubactions:S7635)` marker on the `secrets: inherit` line (travels with the verbatim stub). Prevents Fleet Monitor stub-drift once #567 is on main. The per-file S7635 multicriteria added at enrollment is now redundant (marker covers it) but left in place for a minimal diff — belt-and-suspenders, same as the repo's other channel-pinned stubs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RsWQeSJjrno6qo2DvgB63H
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Warning Review limit reached
Next review available in: 34 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
|
|
Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-07-01T17:53:02Z. |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
There was a problem hiding this comment.
Pull request overview
This PR re-syncs the repository’s GitHub Actions caller stub workflows with the updated canonical templates by moving SonarCloud rule S7635 suppression onto an inline marker on the secrets: inherit line, eliminating stub-drift against the upstream templates (while keeping the channel-pinned @…/ring1 ref).
Changes:
- Updated
.github/workflows/initiative-planner.ymlto add# NOSONAR(githubactions:S7635)inline onsecrets: inherit. - Updated
.github/workflows/idea-triage.ymlto add# NOSONAR(githubactions:S7635)inline onsecrets: inherit.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/initiative-planner.yml |
Adds inline NOSONAR(githubactions:S7635) marker to secrets: inherit to match upstream reusable-workflow caller stub template. |
.github/workflows/idea-triage.yml |
Adds inline NOSONAR(githubactions:S7635) marker to secrets: inherit to match upstream reusable-workflow caller stub template. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 39972c55809b9cc6c540d9527566decc15dbb690
Review mode: triage-approved (single reviewer)
Summary
Re-syncs two thin caller stubs (idea-triage.yml, initiative-planner.yml) to the merged canonical templates by adding an inline '# NOSONAR(githubactions:S7635) first-party trusted reusable' marker to the existing 'secrets: inherit' line on each. Net change is +2/-2 across 2 files; no logic, permissions, or workflow behavior changes. The 'secrets: inherit' and the ring1 channel refs are pre-existing; only suppression comments are added to eliminate Fleet Monitor stub-drift against templates from petry-projects/.github#567.
Linked issue analysis
No linked closing issues. PR references petry-projects/.github#567 (merged template change that moved S7635 suppression inline), #515, and .github-private#978 as context. The change is a documented follow-up to keep stubs byte-exact to their canonical templates — consistent with the stated intent.
Findings
No blocking findings. The added NOSONAR markers suppress SonarCloud S7635 on 'secrets: inherit', but the smell is pre-existing and the reusable workflows are first-party (petry-projects/.github, pinned to sanctioned ring1 channel refs). This aligns the stubs with the already-reviewed canonical templates rather than weakening a control. Advisory bots produced no substantive findings: SonarCloud Quality Gate passed (0 new issues); Codex/Gemini/CodeRabbit were unavailable (usage limits / unsupported file types / rate limit). Secret scanning MCP tool not available in this run; gitleaks CI check passed. The PR notes the older per-file S7635/S7637 multicriteria is now redundant but intentionally left for a minimal diff — acceptable.
CI status
All required checks green. SUCCESS: AgentShield, Secret scan (gitleaks), CodeQL, Analyze (actions), Analyze (python), SonarCloud (x2) + SonarCloud Code Analysis, CodeRabbit, review, pr-auto-review, dev-lead/dispatch, dependency-audit/detect, add-to-project. Remaining checks SKIPPED (not applicable). No failures. mergeStateStatus=BLOCKED only due to REVIEW_REQUIRED (awaiting this approval); mergeable=MERGEABLE.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 39972c55809b9cc6c540d9527566decc15dbb690
Review mode: triage-approved (single reviewer)
Summary
Comment-only re-sync of two GitHub Actions caller stubs. Adds an inline # NOSONAR(githubactions:S7635) first-party trusted reusable marker to the existing secrets: inherit line in idea-triage.yml and initiative-planner.yml, restoring byte-exactness with the canonical upstream templates after petry-projects/.github#567 moved the S7635 suppression inline. No workflow behavior changes.
Linked issue analysis
No linked closing issue — this is a maintenance/template-sync PR referencing merged upstream work (petry-projects/.github#567, .github-private#978, .github#515). No issue to substantively address; scope is self-contained and matches the stated intent.
Findings
No issues found. The diff is limited to two identical single-line changes appending a NOSONAR suppression comment; secrets: inherit itself is unchanged and no new secrets, permissions, or logic are introduced. The change is consistent with the repo's other channel-pinned stubs and with AGENTS.md thin-caller-stub constraints. Secret-scanning MCP tool was not available in this environment; not applicable given the comment-only diff. Copilot review returned no comments; SonarCloud Quality Gate passed with 0 new issues.
CI status
All checks green — no failures. Notable successes: SonarCloud (Quality Gate passed), CodeQL, Analyze (actions/python), agent-shield/AgentShield, Secret scan (gitleaks), review/review. Remaining entries are SKIPPED (inapplicable ecosystems). reviewDecision is already APPROVED.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.



Re-syncs the
initiative-planner.ymlandidea-triage.ymlcaller stubs to the updated canonical templates from petry-projects/.github#567 (merged), which moved SonarCloud S7635 suppression to an inline# NOSONAR(githubactions:S7635)marker on thesecrets: inheritline.Why
The ring1 enrollment merged on the transitional per-file S7635 multicriteria. Now that #567 added the inline marker to the templates, these stubs would show as Fleet Monitor stub-drift until they carry it too. This adds the marker so each stub is byte-exact to the template again (modulo the sanctioned
@…/ring1channel ref).Change
secrets: inherit→secrets: inherit # NOSONAR(githubactions:S7635) first-party trusted reusableon both stubs.The per-file S7635/S7637 multicriteria added at enrollment is now redundant (the inline markers cover both) but left in place for a minimal diff — belt-and-suspenders, matching the repo's other channel-pinned stubs.
Refs petry-projects/.github#567, petry-projects/.github-private#978, petry-projects/.github#515.
🤖 Generated with Claude Code