chore(workflows): adopt centralized stubs from petry-projects/.github#93
Conversation
Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 35 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
Pull request overview
This PR updates this repo’s GitHub Actions workflows to be “thin caller stubs” that delegate to the organization’s centralized reusable workflows in petry-projects/.github (pinned at @v1), reducing workflow drift and making future updates propagate automatically.
Changes:
- Replace inline workflow implementations with
uses: petry-projects/.github/.github/workflows/*-reusable.yml@v1caller stubs. - Standardize workflow headers/instructions and align callers with the org-level workflow standards.
- Simplify workflow logic in-repo (dependency audit + Dependabot automation now fully delegated).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/feature-ideation.yml | Converts to thin caller stub for org reusable; updates inputs and adds repo-specific project_context hook. |
| .github/workflows/dependency-audit.yml | Replaces in-repo ecosystem detection/audit jobs with a single reusable-workflow call. |
| .github/workflows/dependabot-rebase.yml | Delegates Dependabot “update and merge” serialization to org reusable workflow. |
| .github/workflows/dependabot-automerge.yml | Delegates Dependabot auto-approve/auto-merge logic to org reusable workflow. |
| .github/workflows/claude.yml | Pins Claude Code workflow to org reusable at @v1 and documents required secrets. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| TODO: Replace this with a description of the project and its market. | ||
| Example: "ProjectX is a [type of product] for [target user]. Competitors | ||
| include A, B, C. Key emerging trends in this space: X, Y, Z." |
There was a problem hiding this comment.
project_context is currently a TODO/example placeholder. As-is, the scheduled ideation run will generate generic/incorrect proposals for this repository. Replace this placeholder with this repo’s actual project context (you can likely restore the previous Broodly description) so the reusable workflow has meaningful input.
| TODO: Replace this with a description of the project and its market. | |
| Example: "ProjectX is a [type of product] for [target user]. Competitors | |
| include A, B, C. Key emerging trends in this space: X, Y, Z." | |
| Broodly is a product and engineering platform focused on helping teams design, build, and ship modern web applications with strong automation, maintainability, and developer experience. | |
| Its primary users are founders, product teams, and software engineers who want to move quickly without sacrificing quality, documentation, or delivery discipline. | |
| Research should consider competitors and adjacent solutions such as GitHub-native engineering workflows, AI-assisted developer tooling, low-code/internal platform tools, and modern SaaS product-building frameworks. | |
| Mary should look for opportunities around AI-enabled product ideation, planning, implementation workflows, collaboration, and repository-driven automation that would make Broodly more differentiated and useful. |
| @@ -20,199 +29,5 @@ permissions: | |||
| contents: read | |||
|
|
|||
| jobs: | |||
| detect: | |||
| name: Detect ecosystems | |||
| runs-on: ubuntu-latest | |||
| outputs: | |||
| npm: ${{ steps.check.outputs.npm }} | |||
| pnpm: ${{ steps.check.outputs.pnpm }} | |||
| gomod: ${{ steps.check.outputs.gomod }} | |||
| cargo: ${{ steps.check.outputs.cargo }} | |||
| pip: ${{ steps.check.outputs.pip }} | |||
| steps: | |||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |||
|
|
|||
| - name: Detect package ecosystems | |||
| id: check | |||
| run: | | |||
| # npm — look for package-lock.json anywhere (excluding node_modules) | |||
| if find . -name 'package-lock.json' -not -path '*/node_modules/*' | grep -q .; then | |||
| echo "npm=true" >> "$GITHUB_OUTPUT" | |||
| else | |||
| echo "npm=false" >> "$GITHUB_OUTPUT" | |||
| fi | |||
|
|
|||
| # pnpm — look for pnpm-lock.yaml anywhere | |||
| if find . -name 'pnpm-lock.yaml' -not -path '*/node_modules/*' | grep -q .; then | |||
| echo "pnpm=true" >> "$GITHUB_OUTPUT" | |||
| else | |||
| echo "pnpm=false" >> "$GITHUB_OUTPUT" | |||
| fi | |||
|
|
|||
| # Go modules — detect via go.mod (not go.sum, which may not exist) | |||
| if find . -name 'go.mod' -not -path '*/vendor/*' | grep -q .; then | |||
| echo "gomod=true" >> "$GITHUB_OUTPUT" | |||
| else | |||
| echo "gomod=false" >> "$GITHUB_OUTPUT" | |||
| fi | |||
|
|
|||
| # Cargo — detect via Cargo.toml anywhere (lockfile may not exist for libraries) | |||
| if find . -name 'Cargo.toml' -not -path '*/target/*' | grep -q .; then | |||
| echo "cargo=true" >> "$GITHUB_OUTPUT" | |||
| else | |||
| echo "cargo=false" >> "$GITHUB_OUTPUT" | |||
| fi | |||
|
|
|||
| # Python — detect pyproject.toml or requirements.txt anywhere | |||
| if find . -name 'pyproject.toml' -not -path '*/.venv/*' -not -path '*/venv/*' | grep -q . || \ | |||
| find . -name 'requirements.txt' -not -path '*/.venv/*' -not -path '*/venv/*' | grep -q .; then | |||
| echo "pip=true" >> "$GITHUB_OUTPUT" | |||
| else | |||
| echo "pip=false" >> "$GITHUB_OUTPUT" | |||
| fi | |||
|
|
|||
| audit-npm: | |||
| name: npm audit | |||
| needs: detect | |||
| if: needs.detect.outputs.npm == 'true' | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |||
|
|
|||
| - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |||
| with: | |||
| node-version: "lts/*" | |||
|
|
|||
| - name: Audit npm dependencies | |||
| run: | | |||
| # Audit each package-lock.json found in the repo | |||
| status=0 | |||
| while IFS= read -r dir; do | |||
| echo "::group::npm audit $dir" | |||
| if ! (cd "$dir" && npm audit --audit-level=low); then | |||
| status=1 | |||
| fi | |||
| echo "::endgroup::" | |||
| done < <(find . -name 'package-lock.json' -not -path '*/node_modules/*' -exec dirname {} \;) | |||
| exit $status | |||
|
|
|||
| audit-pnpm: | |||
| name: pnpm audit | |||
| needs: detect | |||
| if: needs.detect.outputs.pnpm == 'true' | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |||
|
|
|||
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 | |||
|
|
|||
| - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |||
| with: | |||
| node-version: "lts/*" | |||
|
|
|||
| - name: Audit pnpm dependencies | |||
| run: | | |||
| # Audit each pnpm-lock.yaml found in the repo | |||
| status=0 | |||
| while IFS= read -r dir; do | |||
| echo "::group::pnpm audit $dir" | |||
| if ! (cd "$dir" && pnpm audit --audit-level low); then | |||
| status=1 | |||
| fi | |||
| echo "::endgroup::" | |||
| done < <(find . -name 'pnpm-lock.yaml' -not -path '*/node_modules/*' -exec dirname {} \;) | |||
| exit $status | |||
|
|
|||
| audit-go: | |||
| name: govulncheck | |||
| needs: detect | |||
| if: needs.detect.outputs.gomod == 'true' | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |||
|
|
|||
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5 | |||
| with: | |||
| go-version: "stable" | |||
|
|
|||
| - name: Install govulncheck | |||
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |||
|
|
|||
| - name: Audit Go dependencies | |||
| run: | | |||
| status=0 | |||
| while IFS= read -r dir; do | |||
| echo "::group::govulncheck $dir" | |||
| if ! (cd "$dir" && govulncheck ./...); then | |||
| status=1 | |||
| fi | |||
| echo "::endgroup::" | |||
| done < <(find . -name 'go.mod' -not -path '*/vendor/*' -exec dirname {} \;) | |||
| exit $status | |||
|
|
|||
| audit-cargo: | |||
| name: cargo audit | |||
| needs: detect | |||
| if: needs.detect.outputs.cargo == 'true' | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |||
|
|
|||
| - name: Install Rust stable toolchain | |||
| run: rustup toolchain install stable --profile minimal | |||
|
|
|||
| - name: Install cargo-audit | |||
| run: cargo install cargo-audit@0.22.1 --locked | |||
|
|
|||
| - name: Audit Cargo dependencies | |||
| run: | | |||
| # cargo audit operates on Cargo.lock at workspace root | |||
| # For workspaces, a single audit at root covers all crates | |||
| status=0 | |||
| while IFS= read -r dir; do | |||
| echo "::group::cargo audit $dir" | |||
| if ! (cd "$dir" && cargo generate-lockfile 2>/dev/null; cargo audit); then | |||
| status=1 | |||
| fi | |||
| echo "::endgroup::" | |||
| done < <(find . -name 'Cargo.toml' -not -path '*/target/*' -exec dirname {} \; | sort -u) | |||
| exit $status | |||
|
|
|||
| audit-pip: | |||
| name: pip-audit | |||
| needs: detect | |||
| if: needs.detect.outputs.pip == 'true' | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |||
|
|
|||
| - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 | |||
| with: | |||
| python-version: "3.x" | |||
|
|
|||
| - name: Install pip-audit | |||
| run: pip install pip-audit==2.9.0 | |||
|
|
|||
| - name: Audit Python dependencies | |||
| run: | | |||
| status=0 | |||
| # Audit each Python project found in the repo | |||
| while IFS= read -r dir; do | |||
| echo "::group::pip-audit $dir" | |||
| if [ -f "$dir/pyproject.toml" ]; then | |||
| if ! pip-audit "$dir"; then | |||
| status=1 | |||
| fi | |||
| elif [ -f "$dir/requirements.txt" ]; then | |||
| if ! pip-audit -r "$dir/requirements.txt"; then | |||
| status=1 | |||
| fi | |||
| fi | |||
| echo "::endgroup::" | |||
| done < <( | |||
| { | |||
| find . -name 'pyproject.toml' -not -path '*/.venv/*' -not -path '*/venv/*' -exec dirname {} \; | |||
| find . -name 'requirements.txt' -not -path '*/.venv/*' -not -path '*/venv/*' -exec dirname {} \; | |||
| } | sort -u | |||
| ) | |||
| exit $status | |||
| dependency-audit: | |||
| uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1 | |||
There was a problem hiding this comment.
The header comment says to add the required status check dependency-audit / Detect ecosystems, but this thin-caller job doesn’t set name: Detect ecosystems (it will show as Dependency audit / dependency-audit). Either set the job name to match the documented required check (and any existing branch protection), or update the documentation to reflect the actual check name produced by this workflow.
| # Copy to .github/workflows/dependency-audit.yml | ||
| # ───────────────────────────────────────────────────────────────────────────── | ||
| # SOURCE OF TRUTH: petry-projects/.github/standards/workflows/dependency-audit.yml | ||
| # Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-auditym |
There was a problem hiding this comment.
The standards link anchor looks truncated: it ends with ...dependency-auditym (missing the trailing l), so the reference likely 404s. Update the anchor to the correct ...#5-dependency-audit-dependency-audityml.
| # Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-auditym | |
| # Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-audityml |
…#93) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…#93) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…#93) Replace inline copies of standardized workflows with the canonical thin caller stubs from petry-projects/.github/standards/workflows/. Each stub delegates to a versioned reusable workflow at petry-projects/.github/.github/workflows/<name>-reusable.yml@v1, so future updates to the standard propagate automatically and drift is caught by the org-wide compliance audit. See petry-projects/.github#87, #88, #89 for context. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>


Summary
Replaces inline copies of standardized workflows with the canonical thin caller stubs from
petry-projects/.github/standards/workflows/. Each stub delegates to the org-level reusable workflow atpetry-projects/.github/.github/workflows/<name>-reusable.yml@v1.Why
Future updates to the standard propagate automatically without per-repo PRs, and drift is caught by the org-wide compliance audit (petry-projects/.github#89).
See petry-projects/.github#87 (build reusables), petry-projects/.github#88 (pin to v1, document tier model), petry-projects/.github#89 (audit drift detection).
Test plan
actionlintclean🤖 Generated with Claude Code