Skip to content

feat: implement issue #249 — Compliance: non-stub-auto-rebase.yml#269

Closed
don-petry wants to merge 4 commits into
mainfrom
dev-lead/issue-249-20260526-1710
Closed

feat: implement issue #249 — Compliance: non-stub-auto-rebase.yml#269
don-petry wants to merge 4 commits into
mainfrom
dev-lead/issue-249-20260526-1710

Conversation

@don-petry

Copy link
Copy Markdown
Contributor

Closes #249

Implemented by dev-lead agent. Please review.

Copilot AI review requested due to automatic review settings May 26, 2026 17:12
@don-petry don-petry requested a review from a team as a code owner May 26, 2026 17:12
@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 38 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ac32e1c6-db6f-40b7-b1ac-362dc071c192

📥 Commits

Reviewing files that changed from the base of the PR and between 61aa4ee and 9e9c477.

📒 Files selected for processing (2)
  • .github/workflows/auto-rebase.yml
  • .gitignore
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-249-20260526-1710

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds a duplicate entry for .dev-lead/ to the .gitignore file. The review feedback correctly points out that this directory is already ignored multiple times in the file, making the new entry redundant.

Comment thread .gitignore
.dev-lead/
.dev-lead/
.dev-lead/
.dev-lead/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

The directory .dev-lead/ is already ignored in this file multiple times. Adding another duplicate entry is redundant.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: de650de583

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/auto-rebase.yml Outdated
contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # post comments on PRs
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@376a4fcb1117444595e3e702fa450873d0e54310 # v2
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pin reusable workflow to immutable commit SHA

Replace the @v1 ref with a commit SHA here, because this workflow previously pinned to an exact reusable version and the file’s own contract (lines 9–10) says upgrades should bump the SHA. Using a moving tag makes behavior non-deterministic across runs and can silently change auto-rebase logic (or reintroduce old behavior versus the prior # v2 pin) without any change in this repository, which is a reliability and maintainability regression for CI.

Useful? React with 👍 / 👎.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Implements compliance remediation for issue #249 by updating the repo’s thin-caller auto-rebase workflow to pin the org reusable workflow to @v1 (org standard).

Changes:

  • Pin .github/workflows/auto-rebase.yml reusable workflow reference to petry-projects/.github/...@v1.
  • Add an additional .dev-lead/ ignore entry in .gitignore (currently creating further duplication).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/auto-rebase.yml Updates the reusable workflow reference to @v1 for compliance.
.gitignore Adds another .dev-lead/ ignore line (but the file already contains multiple duplicates).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +39 to 42
contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # post comments on PRs
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@376a4fcb1117444595e3e702fa450873d0e54310 # v2
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@v1
secrets: inherit
@github-actions

Copy link
Copy Markdown
Contributor

CI Failure: SonarCloud Code Analysis

Step: SonarCloud Code Analysis (Quality Gate)
Root cause: Config error

The PR changes .github/workflows/auto-rebase.yml to reference the reusable workflow via a mutable tag (@v1) instead of the previously pinned commit SHA (@376a4fcb1117444595e3e702fa450873d0e54310 # v2). SonarCloud flags this as a security vulnerability (CWE-829 / S6900-class): using a mutable tag means the referenced workflow could be silently updated to a different — potentially malicious — version, undermining supply-chain integrity.

Suggested fix: Revert the action reference back to the pinned SHA (petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@376a4fcb1117444595e3e702fa450873d0e54310) or pin @v1 to its current resolved SHA and append a # v1 comment for readability.

View run logs

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f5ccb1d7a1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

contents: write # update-branch via GITHUB_TOKEN (may touch .github/workflows/)
pull-requests: write # post comments on PRs
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@376a4fcb1117444595e3e702fa450873d0e54310 # v2
uses: petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@d3d768dabb7f28cc63283cdfe48630da53700e50 # v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep auto-rebase on the v2 reusable workflow

This is separate from the earlier pinning comment: the fresh evidence is that the ref is now SHA-pinned but its inline label is still # v1, while the parent commit called the # v2 SHA. On every push to main or manual dispatch, this caller now runs the older reusable workflow, undoing the repo's prior Dependabot major bump of auto-rebase from v1 to v2 and leaving any v2 fixes/behavior inactive for this workflow.

Useful? React with 👍 / 👎.

@sonarqubecloud

sonarqubecloud Bot commented Jun 1, 2026

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:23

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: non-stub-auto-rebase.yml

3 participants