Skip to content

feat: implement issue #330 — Compliance: non-stub-pr-review-mention.yml#344

Closed
don-petry wants to merge 2 commits into
mainfrom
dev-lead/issue-330-20260526-1719
Closed

feat: implement issue #330 — Compliance: non-stub-pr-review-mention.yml#344
don-petry wants to merge 2 commits into
mainfrom
dev-lead/issue-330-20260526-1719

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Closes #330

Implemented by dev-lead agent. Please review.

Copilot AI review requested due to automatic review settings May 26, 2026 17:21
@don-petry don-petry requested a review from a team as a code owner May 26, 2026 17:21
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@github-actions[bot], we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 50 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4207f30b-662e-4175-a09f-86362303a1a6

📥 Commits

Reviewing files that changed from the base of the PR and between b6c4f09 and b994a63.

📒 Files selected for processing (3)
  • .github/workflows/ci-failure-analyst.yml
  • .github/workflows/pr-review-mention.yml
  • .gitignore
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-330-20260526-1719

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Implements compliance remediation for issue #330 by updating the pr-review-mention thin caller workflow to delegate to the org-standard reusable workflow reference (@v2).

Changes:

  • Update .github/workflows/pr-review-mention.yml to use petry-projects/.github/.../pr-review-mention-reusable.yml@v2.
  • Add an additional .dev-lead/ entry to .gitignore (appears to be a duplicate).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
.gitignore Adds a duplicate ignore entry for .dev-lead/.
.github/workflows/pr-review-mention.yml Pins the reusable workflow reference to the org-standard @v2 tag for compliance.

@donpetry-bot

Copy link
Copy Markdown
Contributor

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

Automated review — NEEDS HUMAN REVIEW

Risk: MEDIUM
Reviewed commit: b994a63804d94e618665f6dc2c13e0db1df34408
Cascade: triage → audit (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

The substantive change (SHA pin → @v2) is explicitly mandated by the org's own ci-standards.md and by issue #330; the reusable lives in petry-projects/.github, the same org, so the tag-move trust boundary is internal — anyone who could move @v2 could already compromise the org via other paths. The remaining substantive blocker is an open SonarQube Security Hotspot that requires explicit human review/dismissal under the org's quality-gate workflow, plus a duplicate .dev-lead/ entry in .gitignore that should be removed. Escalating to org-leads (already the requested reviewer) for the SQ hotspot dismissal and the gitignore cleanup, not because the change is unsafe.

Findings

  • MAJOR: SonarQube Quality Gate reports 1 open Security Hotspot on this PR (sonarqubecloud bot comment, 2026-05-26T17:40:30Z). Although SonarQube is not present as a required status check in statusCheckRollup (CodeQL and CodeRabbit are SUCCESS, mergeable=MERGEABLE), the org's policy is to clear or explicitly acknowledge Hotspots before merge. A human reviewer must open the linked SonarQube dashboard, confirm the Hotspot corresponds to the intentional @v2 tag pin, and mark it Reviewed/Safe (or Fix) before approval. Do not auto-approve.
  • MINOR: Change replaces @376a4fcb1117444595e3e702fa450873d0e54310 # v2 with @v2 on a reusable that uses secrets: inherit. This is the canonical pattern explicitly required by petry-projects/.github/standards/ci-standards.md ('pr-review-mention is @v2') and by the SOURCE OF TRUTH header of the template itself, which says 'You MAY change: the tag in the uses: line'. The reusable repo (petry-projects/.github) is in the same org as this caller, so a tag-move attack would require write access that already permits broader org compromise — the residual risk is bounded by internal org access controls, not external supply chain. Severity downgraded from the deep tier's 'major' to 'minor' on that basis; recording it so the human reviewer is aware of the trade-off they are signing off on. (.github/workflows/pr-review-mention.yml:39)
  • MINOR: secrets: inherit is preserved (was already present pre-PR) and is required by the canonical template — the reusable needs GH_PAT_WORKFLOWS to call the gh API. No new secret surface is introduced by this PR; the only change is the reference style. Flagging for human awareness only. (.github/workflows/pr-review-mention.yml:40)
  • MINOR: Duplicate .dev-lead/ entry added at line 13 of .gitignore. The same pattern already exists at line 12. Harmless to git, but indicates the dev-lead agent generating this PR did not detect the existing entry. Should be removed before merge. (.gitignore:13)
  • INFO: Cosmetic-only changes in ci-failure-analyst.yml: double→single quote normalization and whitespace alignment of a trailing comment. No semantic or security impact. Likely produced by the auto-fix prettier/eslint commit (b994a63). (.github/workflows/ci-failure-analyst.yml)
  • INFO: PR is authored by don-petry (org owner) with commits by donpetry-bot (dev-lead automation). Review is requested from @petry-projects/org-leads per CODEOWNERS. mergeStateStatus=BLOCKED is driven by reviewDecision=REVIEW_REQUIRED, not a failing status check. Human approval from org-leads is the gating step.

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:14

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: non-stub-pr-review-mention.yml

3 participants