Workflows #5

@Copilot CodeSherlock.AI has completed its review. ✅
Reviewer's Guide (Sourcery)

This PR overhauls the CI workflow: it renames and streamlines the pipeline triggers, adds a manual dispatch input and environment variable, configures concurrency controls, injects an optimize_ci job for skip logic, and adjusts the clippy command argument ordering.

Class diagram for optimize_ci job and outputs:

```mermaid
classDiagram
    class optimize_ci {
        +runs-on: ubuntu-latest
        +outputs: skip
        +steps: check_skip
    }
    class check_skip {
        +uses: withgraphite/graphite-ci-action@main
        +id: check_skip
        +with: graphite_token
        +outputs: skip
    }
    optimize_ci --> check_skip
```

Flow diagram for manual workflow dispatch with beta_release input:

```mermaid
flowchart TD
    A["workflow_dispatch"] --> B["beta_release input (boolean, default: false)"]
    B --> C["optimize_ci job"]
```

Flow diagram for concurrency control in CI workflow:

```mermaid
flowchart TD
    A["Start workflow"] --> B["Check concurrency group"]
    B --> C["If not main branch, cancel in-progress workflows"]
    C --> D["Proceed with jobs"]
```
Codoki PR Review

Summary: Stop ignoring .github, fix clippy report, enable coverage

Issues (Critical & High only): showing top 2 issues. Critical: 0, High: 2. See inline suggestions for more.

Confidence: 3/5 — Needs work before merge (2 high · status: Requires changes)
Note: other AI code review bot(s) detected. CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

CI workflow renamed to "Build Package CI"; added workflow_dispatch input and concurrency; introduced an optimize_ci job (Graphite skip check) that gates

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant GH as GitHub
    participant Runner as Runner (ubuntu-latest)
    participant Graphite as Graphite Action
    participant Checkout as actions/checkout@v4
    participant Clippy as cargo (bash)
    participant Jobs as Subsequent Jobs (check/test/others)
    note over GH: Push to main or workflow_dispatch triggers "Build Package CI"
    GH->>Runner: start optimize_ci
    Runner->>Graphite: run Graphite skip check (uses: secrets.graphite_token)
    Graphite-->>Runner: outputs skip = true/false
    alt skip == true
        Runner-->>GH: optimize_ci outputs skip=true
        Note right of Jobs: Jobs with if: needs.optimize_ci.outputs.skip != 'true' are skipped
    else skip == false
        Runner->>Checkout: checkout repo for subsequent jobs
        Checkout-->>Runner: repo available
        Runner->>Jobs: run check, test, clippy, etc.
        Jobs->>Clippy: run `cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json`
        Clippy-->>Jobs: produces clippy_report.json
    end
```

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks: 1 passed, 1 warning, 1 inconclusive
Pull Request Overview
This PR updates the GitHub Actions workflow configuration with several modifications including workflow name change, trigger adjustments, and CI optimization features.
- Updated workflow name from "Rust-Build" to "Build Package CI"
- Added workflow dispatch trigger with beta release option and CI optimization job
- Modified pull request trigger types and clippy command arguments
| branches: [main] | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| types: [opened, synchronize, opened] |
The pull request trigger has 'opened' listed twice. This should be 'reopened' instead of the duplicate 'opened'.
| types: [opened, synchronize, opened] | |
| types: [opened, synchronize, reopened] |
Hey there - I've reviewed your changes and they look great!

Blocking issues:
- An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location> `.github/workflows/build.yml:7` </location>
<code_context>
+ branches: [main]
pull_request:
- types: [opened, synchronize, reopened]
+ types: [opened, synchronize, opened]
+ workflow_dispatch:
+ inputs:
</code_context>
<issue_to_address>
Duplicate 'opened' event type in pull_request triggers.
Please remove the duplicate 'opened' event to keep the trigger list clear and concise.
</issue_to_address>
<suggested_fix>
<<<<<<< SEARCH
pull_request:
types: [opened, synchronize, opened]
=======
pull_request:
types: [opened, synchronize]
>>>>>>> REPLACE
</suggested_fix>
### Comment 2
<location> `.github/workflows/build.yml:29` </location>
<code_context>
+ outputs:
+ skip: ${{ steps.check_skip.outputs.skip }}
+ steps:
+ - uses: withgraphite/graphite-ci-action@main
+ id: check_skip
+ with:
</code_context>
<issue_to_address>
Using 'main' branch for third-party action may introduce instability.
Pinning the action to a specific commit or release tag is recommended to avoid unexpected changes and maintain CI stability.
Suggested implementation:
```
- uses: withgraphite/graphite-ci-action@v1.4.0
```
If you want to pin to a specific commit SHA instead of a release tag, replace `@v1.4.0` with the desired commit SHA, e.g. `@a1b2c3d4e5f6g7h8i9j0`.
Make sure to check the official repository for the latest stable release or commit to use.
</issue_to_address>
## Security Issues
### Issue 1
<location> `.github/workflows/build.yml:29` </location>
<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
*Source: opengrep*
</issue_to_address>
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| types: [opened, synchronize, opened] |
suggestion: Duplicate 'opened' event type in pull_request triggers.
Please remove the duplicate 'opened' event to keep the trigger list clear and concise.
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| types: [opened, synchronize, opened] | |
| pull_request: | |
| types: [opened, synchronize] |
CI Feedback 🧐 (feedback updated until commit 92cac14): a test triggered by this PR failed.
Caution: changes requested ❌

Reviewed everything up to 92cac14 in 2 minutes and 1 second.

- Reviewed 54 lines of code in 1 file
- Skipped 0 files when reviewing
- Skipped posting 3 draft comments (shown below)

1. .github/workflows/build.yml:20
   - Draft comment: Using branch names in the concurrency group may lead to issues with special characters; consider sanitizing or handling edge cases.
   - Reason this comment was not posted: Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50%. While the concern about special characters in branch names is theoretically valid, this is a standard GitHub Actions pattern. GitHub Actions handles branch name sanitization internally for concurrency groups. The comment is speculative ("may lead to issues") rather than pointing to a concrete problem. There's no strong evidence that this is actually causing issues. I might be wrong about GitHub Actions handling branch name sanitization internally. There could be edge cases where this actually causes problems. Even if there are edge cases, the comment is speculative and doesn't provide concrete evidence of an issue. Following the rule that we should only keep comments that show strong evidence of a problem, this should be removed. Delete the comment because it's speculative and doesn't demonstrate a concrete issue with strong evidence. This is a common GitHub Actions pattern that works in practice.
2. .github/workflows/build.yml:111
   - Draft comment: Reordered clippy args now place '--message-format=json' as a cargo flag, which looks correct; verify that shell redirection (&> clippy_report.json) is processed as expected.
   - Reason this comment was not posted: Comment did not seem useful. Confidence is useful = 0% <= threshold 50%. The comment is asking the author to verify that shell redirection is processed as expected. This falls under the rule of not asking the author to ensure behavior is intended or to double-check things. Therefore, this comment should be removed.
3. .github/workflows/build.yml:7
   - Draft comment: Typo in pull_request types: The third type is listed as 'opened', but it appears it should be 'reopened'. Please update to [opened, synchronize, reopened].
   - Reason this comment was not posted: Marked as duplicate.

Workflow ID: wflow_SoKy6j9xTZd8jBsL
Actionable comments posted: 3

Caution: some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

.github/workflows/build.yml (4)

34-55: Make check job honor optimize_ci skip and update checkout. Connect the job to optimize_ci and modernize checkout.

```diff
   check:
     name: Check
     runs-on: ubuntu-latest
+    needs: [optimize_ci]
+    if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
```

56-91: Make test job honor optimize_ci skip and update checkout; consider dropping redundant build.
- Wire needs/if and upgrade checkout.
- cargo llvm-cov builds the workspace; the preceding “cargo build” is typically redundant.

```diff
   test:
     name: Test
     runs-on: ubuntu-latest
+    needs: [optimize_ci]
+    if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
@@
-      - name: cargo build
-        run: cargo build --workspace --verbose
```

107-112: Shell redirection inside cargo args won’t work via actions-rs/cargo. The action passes args directly to cargo; “&> clippy_report.json” won’t be interpreted by a shell and will likely fail. Run via a shell step instead (and keep JSON output).

```diff
-      - name: Run clippy
-        uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: --tests --message-format=json -- -D warnings &> clippy_report.json
+      - name: Run clippy and capture JSON
+        shell: bash
+        run: |
+          cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json
```

87-90: Pin qltysh/qlty-action/coverage to a release tag or commit SHA. Using @main in .github/workflows/build.yml (lines 87–90) is a CI supply-chain risk — pin to a release tag (e.g., v1 or v2) or a specific commit SHA.

If you share the repo policy on action pinning, I can align all actions accordingly in one sweep.

🧹 Nitpick comments (3)

.github/workflows/build.yml (3)

16-17: NODE_VERSION is unused. Remove it or add setup-node. No steps use Node. Prefer removing the env to avoid confusion.

```diff
-env:
-  NODE_VERSION: "22"
```

8-14: workflow_dispatch input is currently unused. beta_release isn’t referenced in any job. Either remove it or add conditionals/steps that react to it, e.g., if: github.event.inputs.beta_release == 'true'.

Want me to wire a release job gated by this input?

92-98: Upgrade checkout in clippy job. Align with other jobs and latest hardening.

```diff
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
```

📜 Review details

📒 Files selected for processing (1): .github/workflows/build.yml (2 hunks)
| optimize_ci: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| skip: ${{ steps.check_skip.outputs.skip }} | ||
| steps: | ||
| - uses: withgraphite/graphite-ci-action@main | ||
| id: check_skip | ||
| with: | ||
| graphite_token: ${{ secrets.GRAPHITE_TOKEN }} | ||
Pin external action and wire permissions; also ensure optimize_ci output is actually used.
- withgraphite/graphite-ci-action is referenced via @main. Pin to a commit SHA for supply-chain safety.
- Set least-privilege permissions explicitly (contents: read, pull-requests: read).
- Right now, no downstream job depends on this output; add needs/if in other jobs.
Would you like me to open a follow-up PR to pin all third‑party actions to SHAs and add a permissions block?
```diff
   optimize_ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       skip: ${{ steps.check_skip.outputs.skip }}
     steps:
-      - uses: withgraphite/graphite-ci-action@main
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
```

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
echo "=== SHOW: .github/workflows/build.yml (up to 400 lines) ==="
if [ -f ".github/workflows/build.yml" ]; then
  sed -n '1,400p' .github/workflows/build.yml || true
else
  echo "FILE NOT FOUND: .github/workflows/build.yml"
fi
echo
echo "=== SEARCH: occurrences of 'optimize_ci' in .github/workflows ==="
rg -n --hidden -S "optimize_ci" .github || true
echo
echo "=== SEARCH: occurrences of withgraphite action across repo ==="
rg -n --hidden -S "withgraphite/graphite-ci-action" || true
echo
echo "=== SEARCH: workflows referencing '@main' for actions under .github ==="
rg -n --hidden -S "@main" .github || true
echo
echo "=== SEARCH: any 'permissions:' blocks in .github workflows (with context) ==="
rg -n --hidden -S "permissions:" .github -C3 || true
echo
echo "=== SEARCH: references to optimize_ci outputs (needs.optimize_ci.outputs or check_skip.outputs.skip) across repo ==="
rg -n --hidden -S "needs\.optimize_ci\.outputs|check_skip\.outputs\.skip|steps\.check_skip\.outputs\.skip" || true
echo
echo "=== SEARCH: any uses of 'graphite_token' or GRAPHITE_TOKEN secret ==="
rg -n --hidden -S "GRAPHITE_TOKEN|graphite_token" || true
```

Length of output: 4220
Pin third‑party actions, add least‑privilege permissions, and wire optimize_ci output

- withgraphite/graphite-ci-action@main is unpinned — pin to a commit SHA for supply‑chain safety. Also pin other @main usages (e.g., qltysh/qlty-action/coverage@main).
- Add explicit, least‑privilege permissions to the optimize_ci job (contents: read, pull-requests: read).
- optimize_ci.outputs.skip is not consumed by any downstream job; either make downstream jobs depend on it (needs/if) or remove the output/step.

File: .github/workflows/build.yml (optimize_ci block)

```diff
   optimize_ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       skip: ${{ steps.check_skip.outputs.skip }}
     steps:
-      - uses: withgraphite/graphite-ci-action@main
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
```

📝 Committable suggestion
| optimize_ci: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| skip: ${{ steps.check_skip.outputs.skip }} | |
| steps: | |
| - uses: withgraphite/graphite-ci-action@main | |
| id: check_skip | |
| with: | |
| graphite_token: ${{ secrets.GRAPHITE_TOKEN }} | |
| optimize_ci: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| outputs: | |
| skip: ${{ steps.check_skip.outputs.skip }} | |
| steps: | |
| - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> | |
| id: check_skip | |
| with: | |
| graphite_token: ${{ secrets.GRAPHITE_TOKEN }} |
🤖 Prompt for AI Agents
.github/workflows/build.yml around lines 24-33: the optimize_ci job uses
third-party actions pinned to @main, lacks least-privilege permissions, and
exposes an outputs.skip value that no downstream job consumes; update the action
references to use specific commit SHAs (replace @main with the corresponding
commit SHAs for withgraphite/graphite-ci-action and any other @main usages like
qltysh/qlty-action/coverage), add a permissions block to the optimize_ci job
with minimal rights (e.g., permissions: contents: read, pull-requests: read),
and either wire optimize_ci.outputs.skip into downstream jobs by adding needs:
optimize_ci and using if: ${{ needs.optimize_ci.outputs.skip == 'false' }} (or
similar) on consumers, or remove the outputs and the check_skip step if it is
not used.
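A defender-side check for the issues the bots above keep raising, written as an added example and not the repository's or any review bot's own code: a small, dependency-free scanner that flags actions not pinned to a full commit SHA, a duplicated pull_request event type, a missing top-level permissions block, github.head_ref in the concurrency group, shell operators inside an actions-rs `args` scalar (plus a stray `key: value` on that line, the YAML error actionlint reported), and a job output no other job consumes. The rule names, both sample workflows and the all-zero placeholder SHA are constructed here; a real pipeline would run actionlint or a proper YAML parser rather than regexes.

```python
# Added example (not the project's tooling): a dependency-free scanner for the
# workflow defects raised in this review. Rule names, both sample workflows and
# the all-zero placeholder SHA are constructed; use actionlint or a YAML parser
# in production instead of line regexes.
import re
from dataclasses import dataclass

USES_RE = re.compile(r'^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
TYPES_RE = re.compile(r'^\s*types:\s*\[([^\]]*)\]')
ARGS_RE = re.compile(r'^\s*args:\s*(?!["\'])(.*\S)\s*$')  # unquoted scalar only
JOB_RE = re.compile(r'^  ([\w-]+):\s*$')                   # two-space indent = job id
SHELL_OPS = re.compile(r'&>|>>|[|&><;]')

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str

def scan_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    out: list[Finding] = []
    in_jobs, job, jobs_with_outputs = False, None, {}
    if not any(l.startswith('permissions:') for l in lines):
        out.append(Finding(1, 'permissions-missing', 'no top-level permissions block (GITHUB_TOKEN keeps repo defaults)'))
    for n, line in enumerate(lines, 1):
        if line.startswith('jobs:'):
            in_jobs = True
        elif in_jobs and (m := JOB_RE.match(line)):
            job = m.group(1)
        elif in_jobs and job and line.startswith('    outputs:'):
            jobs_with_outputs[job] = n  # remember which job exposes outputs
        if (m := USES_RE.match(line)) and not SHA_RE.match(m.group(2)):
            out.append(Finding(n, 'unpinned-action', f'{m.group(1)}@{m.group(2)} is not pinned to a full commit SHA'))
        if m := TYPES_RE.match(line):
            types = [t.strip() for t in m.group(1).split(',')]
            if len(set(types)) != len(types):
                out.append(Finding(n, 'duplicate-event-type', f'duplicate entries in {types}'))
        if 'group:' in line and 'github.head_ref' in line:
            out.append(Finding(n, 'concurrency-head-ref', 'github.head_ref is empty on push; use github.ref_name'))
        if m := ARGS_RE.match(line):
            if SHELL_OPS.search(m.group(1)):
                out.append(Finding(n, 'shell-in-args', 'action runs cargo without a shell; pipes/redirects become literal args'))
            if ': ' in m.group(1):
                out.append(Finding(n, 'yaml-mapping-in-scalar', "': ' inside an unquoted scalar is a YAML syntax error"))
    for j, n in jobs_with_outputs.items():
        if f'needs.{j}.outputs' not in text:
            out.append(Finding(n, 'unused-job-output', f'no job references needs.{j}.outputs'))
    return sorted(out, key=lambda f: f.line)

# Constructed sample mirroring the PR's weak spots (not the repository's file).
WEAK = """\
on:
  pull_request:
    types: [opened, synchronize, opened]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }}
jobs:
  optimize_ci:
    runs-on: ubuntu-latest
    outputs:
      skip: ${{ steps.check_skip.outputs.skip }}
    steps:
      - uses: withgraphite/graphite-ci-action@main
  clippy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/cargo@v1
        with:
          command: clippy
          args: --tests --message-format=json -- -D warnings &> clippy_report.json
"""

# Constructed hardened form; the all-zero SHA stands in for a real pinned commit.
PLACEHOLDER_SHA = '0' * 40
HARDENED = """\
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }}
jobs:
  optimize_ci:
    runs-on: ubuntu-latest
    outputs:
      skip: ${{ steps.check_skip.outputs.skip }}
    steps:
      - uses: withgraphite/graphite-ci-action@<SHA>
  clippy:
    needs: optimize_ci
    if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<SHA>
      - run: cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json
        continue-on-error: true
""".replace('<SHA>', PLACEHOLDER_SHA)
```

Running `scan_workflow(WEAK)` yields eight findings (one per defect listed above, including three unpinned `uses:` references), while `scan_workflow(HARDENED)` yields none: the corrected file pins every action to a 40-hex SHA, declares read-only permissions at the top level, keys concurrency on `github.ref_name`, runs clippy from a `run:` step so the redirect is a real shell redirect, and makes `clippy` depend on `optimize_ci`'s output. The scanner treats any tag such as `@v4` the same as `@main`, matching the opengrep/Codacy rule that only a full-length SHA counts as immutable.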
Caution: changes requested ❌

Reviewed 2dcb597 in 1 minute and 52 seconds.

- Reviewed 13 lines of code in 1 file
- Skipped 0 files when reviewing
- Skipped posting 0 draft comments

Workflow ID: wflow_dctmwev928dTgrTO
| with: | ||
| command: clippy | ||
| args: --tests -- -D warnings --message-format=json &> clippy_report.json | ||
| args: --all-features --profile=test --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt continue-on-error: true |
The clippy step now uses a complex pipeline in the args field. Note that shell pipes (|) won’t work as expected here since the action doesn’t invoke a shell. Also, verify that:
• '--profile=test' is supported by cargo clippy,
• the commands (clippy-sarif, tee, sarif-fmt) are installed and available,
• 'continue-on-error: true' isn’t mistakenly part of the pipeline (consider using the step’s continue-on-error property), and
• replacing '--tests' with '--all-features' is intentional.
| with: | ||
| command: clippy | ||
| args: --tests -- -D warnings --message-format=json &> clippy_report.json | ||
| args: --all-features --profile=test --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt continue-on-error: true |
There's a potential typo in the command string: "sarif-fmt continue-on-error: true" appears to be missing a delimiter or flag separator before "continue-on-error: true". Please confirm if this is intended or if it should be modified (e.g., adding a pipe or proper flag formatting) to avoid mis-parsing.
| args: --all-features --profile=test --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt continue-on-error: true | |
| args: --all-features --profile=test --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt --continue-on-error: true |
Actionable comments posted: 1

Caution: some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.github/workflows/build.yml (3)

34-37: Gate job on optimize_ci to actually skip. Currently this always runs even when optimize_ci says to skip.

```diff
-  check:
+  check:
+    needs: optimize_ci
+    if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
```

56-91: Pin third‑party action and gate job; consider streamlining coverage flow.
- qltysh/qlty-action/coverage@main is unpinned → high risk.
- Add needs/if to honor optimize_ci.skip.
- You run cargo test and then cargo llvm-cov (which also runs tests) → duplicate work.

```diff
-  test:
+  test:
+    needs: optimize_ci
+    if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
@@
-      - uses: qltysh/qlty-action/coverage@main
+      - uses: qltysh/qlty-action/coverage@<PINNED_COMMIT_SHA>
         with:
           token: ${{ secrets.QLTY_COVERAGE_TOKEN }}
           files: target/lcov.info
```

Optional: drop the separate “Run tests” step and rely solely on llvm-cov for test+coverage.

92-120: YAML syntax error and broken Clippy pipeline; fix step, upload SARIF, and keep Sonar JSON.
- actionlint/yamllint error stems from putting “continue-on-error: true” on the same line as args and from trying to pipe via actions-rs/cargo.
- Generate clippy_report.json for Sonar; optionally derive SARIF in a separate run step and upload it.
- Pin third‑party actions; upgrade checkout to v4.
- Grant security-events: write only for the SARIF upload job.

```diff
   clippy:
     name: Clippy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
-      - name: Checkout sources
-        uses: actions/checkout@v2
+      - name: Checkout sources
+        uses: actions/checkout@v4
@@
-      - name: Run clippy
-        uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: --all-features --profile=test --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt continue-on-error: true
+      - name: Run clippy (produce JSON for Sonar)
+        shell: bash
+        continue-on-error: true
+        run: |
+          set -euo pipefail
+          cargo clippy --all-features --profile test --message-format=json > clippy_report.json
+
+      - name: Convert Clippy JSON to SARIF (optional)
+        shell: bash
+        run: |
+          set -euo pipefail
+          command -v clippy-sarif >/dev/null 2>&1 || cargo install clippy-sarif
+          command -v sarif-fmt >/dev/null 2>&1 || cargo install sarif-fmt
+          cat clippy_report.json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
+
+      - name: Upload SARIF to code scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: rust-clippy-results.sarif
@@
-      - name: Setup sonarqube
-        uses: warchant/setup-sonar-scanner@v3
+      - name: Setup sonarqube
+        uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA>
@@
-          sonar-scanner -Dcommunity.rust.clippy.reportPaths=clippy_report.json -Dsonar.login=${{ secrets.SONAR_TOKEN }}
+          sonar-scanner -Dcommunity.rust.clippy.reportPaths=clippy_report.json -Dsonar.login=${{ secrets.SONAR_TOKEN }}
```

Also gate this job like others:

```diff
-  clippy:
+  clippy:
+    needs: optimize_ci
+    if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
```

♻️ Duplicate comments (3)

.github/workflows/build.yml (3)

6-7: Fix duplicate pull_request type; add reopened. Use a deduped list so reopen events trigger.

```diff
-  pull_request:
-    types: [opened, synchronize, opened]
+  pull_request:
+    types: [opened, synchronize, reopened]
```

19-21: Concurrency group can collide on push; use ref_name instead of head_ref. head_ref is empty on push; this collapses groups across branches.

```diff
-  group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }}
+  group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
```

24-33: Pin third‑party action, add least‑privilege permissions, and wire outputs.
- withgraphite/graphite-ci-action is unpinned (@main) → supply‑chain risk.
- Add minimal permissions.
- Expose skip is fine; ensure downstream jobs depend on it (see next comments).

```diff
   optimize_ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       skip: ${{ steps.check_skip.outputs.skip }}
     steps:
-      - uses: withgraphite/graphite-ci-action@main
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
```

🧹 Nitpick comments (2)

.github/workflows/build.yml (2)

8-14: workflow_dispatch input is unused. If beta_release controls behavior, wire it into conditions or steps; otherwise drop it.

Example:

```diff
-  workflow_dispatch:
-    inputs:
-      beta_release:
-        description: Create beta release
-        type: boolean
-        default: false
-        required: false
+  workflow_dispatch:
+    inputs:
+      beta_release:
+        description: Create beta release
+        type: boolean
+        default: false
+        required: false
+# later in a job:
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.beta_release == true }}
```

38-47: Upgrade core actions to maintained majors. actions/checkout@v2 → @v4; actions-rs is OK but consider pinning or migrating to rust-toolchain-file + plain cargo for longevity.

```diff
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
```

Repeat for other occurrences.

📜 Review details

📒 Files selected for processing (1): .github/workflows/build.yml (2 hunks)

🧰 Additional context used

🪛 GitHub Check: Codacy Static Code Analysis

.github/workflows/build.yml

[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

🪛 actionlint (1.7.7)

.github/workflows/build.yml

111-111: could not parse as YAML: yaml: line 111: mapping values are not allowed in this context
(syntax-check)

🪛 YAMLlint (1.37.1)

.github/workflows/build.yml

[error] 111-111: syntax error: mapping values are not allowed here
(syntax)
| env: | ||
| NODE_VERSION: "22" |
🛠️ Refactor suggestion

Add top‑level default permissions. Set least‑privilege defaults; override per job as needed.

```diff
 env:
   NODE_VERSION: "22"
+
+permissions:
+  contents: read
```

📝 Committable suggestion
| env: | |
| NODE_VERSION: "22" | |
| env: | |
| NODE_VERSION: "22" | |
| permissions: | |
| contents: read |
🤖 Prompt for AI Agents
In .github/workflows/build.yml around lines 16-17, add a top-level permissions
block to enforce least-privilege defaults (for example grant only the minimal
scopes like contents: read and actions: read) and then raise permissions per-job
where necessary; update the workflow YAML to include a top-level permissions:
{...} section and ensure any job that needs broader permissions explicitly
overrides it.
Caution: changes requested ❌

Reviewed c46ba86 in 1 minute and 50 seconds.

- Reviewed 13 lines of code in 1 file
- Skipped 0 files when reviewing
- Skipped posting 1 draft comment (shown below)

1. .github/workflows/build.yml:110
   - Draft comment: The previous pipeline that included 'clippy-sarif' (for converting the clippy JSON output to SARIF) has been removed. Confirm that the raw JSON output meets SonarScanner’s expected SARIF format (or reinstate the conversion step if SARIF is required).
   - Reason this comment was not posted: Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50%. The comment raises a valid concern about format compatibility. However, looking at line 119, the pipeline is explicitly configured to use clippy.reportPaths which suggests SonarQube expects Clippy's JSON format. The PR author likely made this change intentionally knowing SonarQube can handle Clippy's JSON. The comment is asking for verification rather than pointing out a definite issue. I might be wrong about SonarQube's capabilities - maybe it really does require SARIF format and this will break the scan. If SARIF was truly required, the build would fail immediately when testing this change. The author likely tested this before submitting. Delete the comment. It's asking for verification rather than pointing out a definite issue, and the SonarQube configuration suggests it expects Clippy's JSON format.

Workflow ID: wflow_03nFA3J8ehCWWpLm
| with: | ||
| command: clippy | ||
| args: --tests -- -D warnings --message-format=json &> clippy_report.json | ||
| args: --all-features --profile=test --message-format=json &> clippy_report.json |
Using shell redirection (&>) in the 'args' field may not work as expected because the action likely executes the command without a shell. Consider using a 'run:' step or a shell wrapper to ensure redirection is processed.
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (7)
.github/workflows/build.yml (7)
39-39: Upgrade checkout to v4 and pin to a commit SHA.actions/checkout@v2 is outdated and mutable. Use v4 and pin.
-uses: actions/checkout@v2 +uses: actions/checkout@v4 +# optionally: actions/checkout@<PINNED_COMMIT_SHA>Also applies to: 61-61, 97-97
42-46: Pin actions-rs/toolchain and explicitly set minimal permissions if needed.with third‑party actions, pin to commit SHAs for supply‑chain safety.
-uses: actions-rs/toolchain@v1 +uses: actions-rs/toolchain@<PINNED_COMMIT_SHA>Also applies to: 100-106
49-54: Pin actions-rs/cargo to a commit SHA.-uses: actions-rs/cargo@v1 +uses: actions-rs/cargo@<PINNED_COMMIT_SHA>Also applies to: 71-76
78-80: Pin taiki-e/install-action to a tag or commit SHA.-uses: taiki-e/install-action@cargo-llvm-cov +uses: taiki-e/install-action@<PINNED_COMMIT_SHA_OR_TAG>
87-91: Pin qlty coverage action; avoid @main.Mutable @main poses risk; pin to a release or commit SHA.
-- uses: qltysh/qlty-action/coverage@main +- uses: qltysh/qlty-action/coverage@<PINNED_COMMIT_SHA>
107-112: Clippy step won’t redirect via &>; actions-rs runs cargo directly.&> will be passed as args, likely breaking the command and leaving no clippy_report.json for Sonar. Use a shell step and mark continue-on-error at the step level.
- - name: Run clippy - uses: actions-rs/cargo@v1 - with: - command: clippy - args: --all-features --profile=test --message-format=json &> clippy_report.json + - name: Run clippy (emit JSON for Sonar) + shell: bash + run: cargo clippy --all-features --profile=test --message-format=json > clippy_report.json + continue-on-error: true
113-115: Pin Sonar Scanner setup action to a commit SHA.-uses: warchant/setup-sonar-scanner@v3 +uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA>
♻️ Duplicate comments (4)
.github/workflows/build.yml (4)
6-9: Fix duplicate PR event type; include reopened. Current: types: [opened, synchronize, opened]. Use reopened instead of the second opened so PR re-open events trigger.
- types: [opened, synchronize, opened] + types: [opened, synchronize, reopened]
19-21: Make concurrency key stable on push; use ref_name (or event-aware fallback). github.head_ref is empty on push, collapsing groups across branches. Prefer ref_name.
- group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }} + group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }}
16-17: Add top‑level default permissions (least privilege). Set conservative defaults; raise per job only if needed.
env: NODE_VERSION: "22" + +permissions: + contents: read
24-33: Pin third‑party action, add least‑privilege permissions, and wire skip output.
- withgraphite/graphite-ci-action@main is mutable; pin to a commit SHA.
- Add explicit minimal permissions.
- outputs.skip isn’t consumed by downstream jobs; either wire it or drop it.
optimize_ci: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip: ${{ steps.check_skip.outputs.skip }} steps: - - uses: withgraphite/graphite-ci-action@main + - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> id: check_skip with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }} Also gate jobs:
- check: + check: + needs: optimize_ci + if: ${{ needs.optimize_ci.outputs.skip != 'true' }} Apply the same needs/if to test and clippy jobs.
🧹 Nitpick comments (1)
.github/workflows/build.yml (1)
16-17: Nit: NODE_VERSION is unused in this Rust‑only workflow. Drop it or use it in a Node step; otherwise remove to reduce noise.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/build.yml (2 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Codacy Static Code Analysis
- GitHub Check: Codoki PR Review
- GitHub Check: Test
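The pinning, permissions, concurrency, event-type and redirection points raised in the review above can be checked mechanically. The following linter is an added example, not code from this PR or from any of the review bots; it scans the workflow text with regular expressions rather than a YAML parser, and both sample workflows inside it are constructed (the 40-hex refs are placeholders, not real commits of those actions).

```python
"""Lint a GitHub Actions workflow for the issues raised in the reviews above
(regex-based on the raw YAML, no PyYAML; flow-style lists and single-line uses only)."""
import re
from dataclasses import dataclass
from typing import List

TRUSTED_OWNERS = {"actions", "github"}  # first-party; any other owner must be SHA-pinned
MIN_MAJOR = {"actions/checkout": 4}     # lowest accepted major (review: checkout on v4)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)")
ARGS_RE = re.compile(r"^\s*args:\s*(.*)$")
TYPES_RE = re.compile(r"^\s*types:\s*\[([^\]]*)\]")
GROUP_RE = re.compile(r"^\s*group:.*github\.head_ref")
REDIRECT_RE = re.compile(r"(&>|>>|\s>\s|2>&1|\s\|\s)")  # only a shell interprets these


@dataclass
class Finding:
    line: int  # 0 means "whole file"
    rule: str
    message: str


def lint_workflow(text: str) -> List[Finding]:
    """Return findings in file order; the whole-file permissions check comes last."""
    findings: List[Finding] = []
    has_top_level_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("permissions:"):  # unindented => workflow level
            has_top_level_permissions = True
        elif (m := USES_RE.match(line)):
            action, ref = m.group(1), m.group(2)
            if action.startswith("./"):  # local action, nothing to pin
                continue
            if action.split("/")[0] in TRUSTED_OWNERS:
                major = re.match(r"^v(\d+)$", ref)
                if major and int(major.group(1)) < MIN_MAJOR.get(action, 0):
                    findings.append(Finding(lineno, "outdated-version",
                                            f"{action}@{ref}: upgrade to v{MIN_MAJOR[action]}"))
            elif not SHA_RE.match(ref):
                rule = "floating-branch" if ref in {"main", "master"} else "unpinned-ref"
                findings.append(Finding(lineno, rule,
                                        f"{action}@{ref} is not pinned to a 40-hex commit SHA"))
        elif (m := ARGS_RE.match(line)) and REDIRECT_RE.search(m.group(1)):
            findings.append(Finding(lineno, "shell-redirect-in-args",
                                    "redirection in args: reaches the binary, not a shell; use run:"))
        elif (m := TYPES_RE.match(line)):
            names = [t.strip() for t in m.group(1).split(",") if t.strip()]
            dupes = sorted({t for t in names if names.count(t) > 1})
            if dupes:
                findings.append(Finding(lineno, "duplicate-event-type",
                                        f"duplicate event types {dupes}; is 'reopened' missing?"))
        elif GROUP_RE.match(line) and "github.ref_name" not in line:
            findings.append(Finding(lineno, "concurrency-head-ref",
                                    "github.head_ref is empty on push; fall back to github.ref_name"))
    if not has_top_level_permissions:
        findings.append(Finding(0, "missing-permissions",
                                "no top-level permissions: block; add at least contents: read"))
    return findings


# Constructed sample reproducing the review findings (line numbers are its own).
WEAK_WORKFLOW = """\
on:
  pull_request:
    types: [opened, synchronize, opened]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }}
jobs:
  clippy:
    runs-on: ubuntu-latest
    steps:
      - uses: withgraphite/graphite-ci-action@main
      - uses: actions/checkout@v2
      - uses: actions-rs/cargo@v1
        with:
          command: clippy
          args: --all-features --message-format=json &> clippy_report.json
      - uses: qltysh/qlty-action/coverage@main
"""
# The same workflow after the suggested fixes; the 40-hex refs are placeholders.
HARDENED_WORKFLOW = """\
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }}
jobs:
  clippy:
    runs-on: ubuntu-latest
    steps:
      - uses: withgraphite/graphite-ci-action@0123456789abcdef0123456789abcdef01234567  # placeholder
      - uses: actions/checkout@v4
      - run: cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json
      - uses: qltysh/qlty-action/coverage@fedcba9876543210fedcba9876543210fedcba98  # placeholder
"""
```

The weak sample yields eight findings in file order (the missing permissions block is reported last), and the hardened sample yields none.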
There was a problem hiding this comment.
Important
Looks good to me! 👍
Reviewed ac8655f in 50 seconds. Click for details.
- Reviewed 16 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 1 draft comment. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:108
- Draft comment:
The updated Clippy step now uses a shell command with redirection to capture output. Please ensure that directing both stdout and stderr into clippy_report.json (line 108) does not mix any non-JSON log messages with the JSON output. This could affect downstream processing by SonarQube. - Reason this comment was not posted:
Comment did not seem useful. Confidence is useful = 0% <= threshold 50%. The comment is asking the author to ensure that the redirection of stdout and stderr does not mix non-JSON log messages with JSON output. This is a request for confirmation of behavior, which violates the rule against asking the author to ensure behavior is intended.
Workflow ID: wflow_wPruQ4DtBwkSRdkT
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (9)
.github/workflows/build.yml (9)
34-37: Wire optimize_ci skip output to gate this job. Currently unused; add needs/if so CI is actually skipped when advised.
check: name: Check runs-on: ubuntu-latest + needs: optimize_ci + if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
56-59: Gate test job on optimize_ci as well.test: name: Test runs-on: ubuntu-latest + needs: optimize_ci + if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
92-95: Gate clippy job on optimize_ci.clippy: name: Clippy runs-on: ubuntu-latest + needs: optimize_ci + if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
39-39: Upgrade and pin actions/checkout. v2 is outdated; use v4 and pin to a full commit SHA.
- uses: actions/checkout@v2 + uses: actions/checkout@<ACTIONS_CHECKOUT_V4_FULL_SHA> (Apply to all occurrences.)
Also applies to: 61-61, 97-97
42-47: Pin actions-rs/toolchain and consider rust caching.
- Pin to full SHA for supply‑chain safety.
- Optional: add Swatinem/rust-cache to speed builds.
- uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@<FULL_COMMIT_SHA> Optional cache (add once after toolchain in each job):
+ - uses: Swatinem/rust-cache@<FULL_COMMIT_SHA> Also applies to: 64-69, 100-106
49-55: Pin actions-rs/cargo to a commit SHA. - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@<FULL_COMMIT_SHA> Also applies to: 71-76
78-80: Pin taiki-e/install-action@cargo-llvm-cov. - - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + - name: Install cargo-llvm-cov + uses: taiki-e/install-action@<FULL_COMMIT_SHA>
87-91: Pin qlty coverage action (currently on @main). - - uses: qltysh/qlty-action/coverage@main + - uses: qltysh/qlty-action/coverage@<FULL_COMMIT_SHA>
110-116: Pin sonar-scanner setup action. - uses: warchant/setup-sonar-scanner@v3 + uses: warchant/setup-sonar-scanner@<FULL_COMMIT_SHA>
♻️ Duplicate comments (4)
.github/workflows/build.yml (4)
7-7: Fix pull_request types: duplicate "opened", missing "reopened". This prevents runs on PR reopen events.
- types: [opened, synchronize, opened] + types: [opened, synchronize, reopened]
16-17: Add least‑privilege default permissions. Harden workflow by default; escalate per-job when needed.
env: NODE_VERSION: "22" + +permissions: + contents: read
19-21: Make concurrency group robust on push events. github.head_ref is empty on push; use ref_name fallback to avoid cross-branch cancellations.
- group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }} + group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref || github.ref_name }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
24-33: Pin third‑party action and add minimal job permissions. withgraphite/graphite-ci-action@main is a supply‑chain risk; pin to a full SHA and scope permissions.
optimize_ci: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip: ${{ steps.check_skip.outputs.skip }} steps: - - uses: withgraphite/graphite-ci-action@main + - uses: withgraphite/graphite-ci-action@<FULL_COMMIT_SHA> id: check_skip with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
🧹 Nitpick comments (2)
.github/workflows/build.yml (2)
8-14: Optional: either use beta_release input or remove it for now. Keeps the workflow minimal until the flag is consumed.
16-17: Nit: NODE_VERSION appears unused in this workflow. Remove or reference it to avoid drift.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/build.yml (2 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Codoki PR Review
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (1)
.github/workflows/build.yml (1)
108-108: Confirm clippy flags. File: .github/workflows/build.yml (line 108)
run: cargo clippy --all-features --profile=test --message-format=json > clippy_report.json 2>&1 Sandbox couldn't run cargo (no /proc) so I couldn't verify --profile=test. Run and paste outputs from your CI or locally:
cargo clippy -V cargo clippy --help | sed -n '1,160p' # replicate the CI step: cargo clippy --all-features --profile=test --message-format=json >clippy_report.json 2>&1; echo "EXIT:$?" If it fails in CI, drop --profile/test (or remove --profile) or adjust CI RUSTFLAGS/profile configuration as needed.
There was a problem hiding this comment.
Important
Looks good to me! 👍
Reviewed 4d364bb in 1 minute and 56 seconds. Click for details.
- Reviewed 14 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 2 draft comments. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:108
- Draft comment:
The updated 'Run clippy' command removes the '--all-features' flag. Please confirm that this change is intentional because it may cause clippy to skip checks on code gated behind feature flags. Also, there's an extra space after 'cargo clippy' which should be cleaned up for consistency. - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 20% vs. threshold = 50%. The removal of --all-features could be significant as it affects which code gets analyzed. However, the comment asks for confirmation rather than directly stating a problem. The extra space is a minor formatting issue. The build system would still work with the extra space. We should avoid asking for confirmations per our rules. I might be overvaluing the --all-features flag - maybe it's not needed for clippy since test coverage and linting serve different purposes. Also, the suggestion fixes the space issue which could be worth keeping. While the space fix is nice, it's too minor to warrant a comment. Without more context about feature flags in this codebase, we can't be certain the --all-features removal is problematic. Delete the comment because it asks for confirmation rather than stating a clear problem, and we don't have strong evidence that removing --all-features is definitely wrong.
2. .github/workflows/build.yml:108
- Draft comment:
There appears to be an extra space in the command. Consider changing "cargo clippy --profile=test" to "cargo clippy --profile=test" to avoid any potential issues. - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50%. While technically correct about the extra space, in shell commands multiple spaces are collapsed into one by the shell interpreter. This won't cause any functional issues. The comment is pointing out something that's purely cosmetic and doesn't affect functionality. According to the rules, we shouldn't make comments that are obvious or unimportant. Maybe in some edge cases or specific shell environments, multiple spaces could cause issues? Maybe this is part of a style guide requirement? Shell behavior of collapsing multiple spaces is extremely well-established and universal. Even if there's a style guide, this is too minor to warrant a PR comment. Delete this comment as it points out a cosmetic issue that has no functional impact and is too minor to be worth addressing in a PR review.
Workflow ID: wflow_k2v0AIfiDoNZApGK
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
There was a problem hiding this comment.
Important
Looks good to me! 👍
Reviewed 0066822 in 57 seconds. Click for details.
- Reviewed 14 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 1 draft comment. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:108
- Draft comment:
The removal of '--profile=test' from the clippy command appears to fix the argument order issue for '--message-format'. Ensure that this change is intentional; if a test profile was originally needed, consider a proper fix instead of removal. - Reason this comment was not posted:
Comment did not seem useful. Confidence is useful = 30% <= threshold 50%. The comment is asking the PR author to ensure that the change is intentional, which violates the rules. However, it also provides a suggestion to consider a proper fix if a test profile was originally needed, which is a specific suggestion. The comment is partially useful but mostly violates the rules.
Workflow ID: wflow_r7zjqWyjt73cjeI4
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/build.yml (2)
110-116: Pin Sonar scanner action to an immutable ref.
Supply-chain hardening; it also uses a secret. - - name: Setup sonarqube - uses: warchant/setup-sonar-scanner@v3 + - name: Setup sonarqube + uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA>
38-41: Upgrade and pin checkout to v4.
Use the maintained major and pin for integrity. - uses: actions/checkout@v2 + uses: actions/checkout@v4 + # ideally pin to a commit SHA for immutability Also applies to: 60-62, 96-98
♻️ Duplicate comments (6)
.github/workflows/build.yml (6)
7-7: Fix pull_request types: duplicate "opened", missing "reopened".
Use a deduped set to ensure reopen events trigger CI. - types: [opened, synchronize, opened] + types: [opened, synchronize, reopened]
19-21: Concurrency group can collapse on push; use ref_name.
github.head_ref is empty on push events → cross-branch cancellations. - group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }} + group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
78-89: Also pin qlty coverage action (and any other @main usages).
Floating @main with secrets is risky. - - uses: qltysh/qlty-action/coverage@main + - uses: qltysh/qlty-action/coverage@<PINNED_COMMIT_SHA>
16-17: Add top‑level default permissions.
Set least privilege by default; raise per-job as needed. env: NODE_VERSION: "22" + +permissions: + contents: read
107-109: Strengthen Clippy gating and keep Sonar integration working.
Run across all targets/features and fail on warnings; ensure Sonar still runs. - - name: Run clippy - run: cargo clippy --message-format=json > clippy_report.json 2>&1 + - name: Run clippy (JSON for Sonar, fail on warnings) + run: cargo clippy --all-targets --all-features --message-format=json -- -D warnings > clippy_report.json 2>&1 + # If you want Sonar to run even when Clippy fails, add: + # continue-on-error: true + + # Ensure Sonar runs regardless of previous step outcome (optional): + # - name: Sonar Scan + # if: always()
24-33: Pin third-party action, add least-privilege permissions, and wire skip output.
The action is on a floating branch and consumes a secret; also the skip output isn’t used downstream. optimize_ci: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip: ${{ steps.check_skip.outputs.skip }} steps: - - uses: withgraphite/graphite-ci-action@main + - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> id: check_skip with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }} Wire the skip into jobs (illustrative pattern):
check: name: Check + needs: optimize_ci + if: ${{ needs.optimize_ci.outputs.skip != 'true' }} runs-on: ubuntu-latest Apply the same needs/if to test and clippy.
🧹 Nitpick comments (2)
.github/workflows/build.yml (2)
8-15: workflow_dispatch input is not referenced elsewhere.
If unused, drop it; if intended, wire it into jobs via conditions or a release job. workflow_dispatch: inputs: beta_release: description: Create beta release type: boolean default: false required: false + # TODO: consume this input in a release job or condition (e.g., if: inputs.beta_release == 'true')
16-17: NODE_VERSION is unused in this workflow.
Either remove it or add setup-node to actually use Node 22. env: - NODE_VERSION: "22" + NODE_VERSION: "22" # Remove if not used, or add a setup-node step where needed Example step (if needed elsewhere):
- uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }}
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/build.yml (2 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Codacy Static Code Analysis
- GitHub Check: Codoki PR Review
🔇 Additional comments (2)
.github/workflows/build.yml (2)
1-1: LGTM on workflow rename.
Name update is clear and non-breaking.
5-5: Push trigger looks good.
Restricting to main is fine.
There was a problem hiding this comment.
Important
Looks good to me! 👍
Reviewed d4b87c1 in 1 minute and 10 seconds. Click for details.
- Reviewed 35 lines of code in 2 files
- Skipped 0 files when reviewing.
- Skipped posting 4 draft comments. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .cargo/config.toml:5
- Draft comment:
Removed 'integration-test' alias and env block. Ensure these removals are intentional so that any dependent integration tests or logging configurations aren't inadvertently affected. - Reason this comment was not posted:
Comment was not on a location in the diff, so it can't be submitted as a review comment.
2. .github/workflows/build.yml:7
- Draft comment:
Updated pull_request trigger: replacing duplicate 'opened' with 'reopened' improves event handling. - Reason this comment was not posted:
Confidence changes required: 0% <= threshold 50%. None
3. .github/workflows/build.yml:29
- Draft comment:
Pinning the graphite-ci-action to version 1.4.0 is a good practice for stability. - Reason this comment was not posted:
Confidence changes required: 0% <= threshold 50%. None
4. .github/workflows/build.yml:20
- Draft comment:
The concurrency group expression works but could be clearer with added parentheses for readability. Verify that github.head_ref is defined when not on main. - Reason this comment was not posted:
Confidence changes required: 30% <= threshold 50%. None
Workflow ID: wflow_Om3tWn3pKzBlrDPW
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
There was a problem hiding this comment.
Actionable comments posted: 0
♻️ Duplicate comments (3)
.github/workflows/build.yml (3)
8-14: workflow_dispatch input is added but currently unused.
If this flag is meant to alter behavior (e.g., create a beta release), wire it into jobs via conditions or env. Example:
jobs: check: + if: ${{ !inputs.beta_release }} name: Check Also, PR types now include reopened — duplicate “opened” from prior commit is resolved.
19-21: Fix concurrency grouping for push events (head_ref is empty on push).
Use ref_name so groups don’t collapse and cancel unrelated branches.- group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref }} + group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }} cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
24-33: Pin third-party action to a commit SHA, add permissions, and guard/wire skip.
- Pin withgraphite action to a full SHA (security, immutability).
- Add minimal permissions for the job.
- Avoid failures on forked PRs without secrets.
- Actually use the skip output to gate downstream jobs.
optimize_ci: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip: ${{ steps.check_skip.outputs.skip }} steps: - - uses: withgraphite/graphite-ci-action@1.4.0 + - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> id: check_skip + if: ${{ secrets.GRAPHITE_TOKEN != '' }} with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }} Apply skip to consumers (example shown for all three jobs):
check: + needs: [optimize_ci] + if: ${{ needs.optimize_ci.outputs.skip != 'true' }} name: Check runs-on: ubuntu-latest Repeat needs/if for test and clippy. Also consider pinning other third‑party actions in this file (e.g., qltysh/qlty-action/coverage) to SHAs for consistency.
🧹 Nitpick comments (1)
.github/workflows/build.yml (1)
16-17: Add least-privilege defaults; NODE_VERSION appears unused.
- Introduce a top-level permissions block.
- If Node isn’t used in this workflow, consider removing NODE_VERSION.
env: NODE_VERSION: "22" + +permissions: + contents: read
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
.cargo/config.toml (0 hunks)
.github/workflows/build.yml (2 hunks)
💤 Files with no reviewable changes (1)
- .cargo/config.toml
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Codoki PR Review
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (3)
.github/workflows/build.yml (3)
1-1: Clear, descriptive workflow name — good change.
5-5: Push trigger scoped to main is fine.
108-108: Fail CI on clippy warnings and run on all targets.
Current command won't fail CI on warnings and may skip non-lib targets. - - name: Run clippy - run: cargo clippy --message-format=json > clippy_report.json 2>&1 + - name: Run clippy + run: cargo clippy --all-targets --locked --message-format=json -- -D warnings > clippy_report.json 2>&1 If you intentionally want warnings to pass, set the step's continue-on-error: true instead of relaxing linting.
There was a problem hiding this comment.
Caution
Changes requested ❌
Reviewed a281bef in 1 minute and 55 seconds. Click for details.
- Reviewed 54 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 4 draft comments. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:98
- Draft comment:
Inconsistency: The checkout step in the Clippy job still uses actions/checkout@v2 while other jobs use v4. Update for consistency. - Reason this comment was not posted:
Comment was not on a location in the diff, so it can't be submitted as a review comment.
2. .github/workflows/build.yml:93
- Draft comment:
The Clippy job lacks a dependency on optimize_ci and an 'if' condition to skip the job when optimization indicates so. Consider adding 'needs: [optimize_ci]' and an appropriate 'if' check. - Reason this comment was not posted:
Comment was not on a location in the diff, so it can't be submitted as a review comment.
3. .github/workflows/build.yml:13
- Draft comment:
Contradiction with PR description: NODE_VERSION environment variable was meant to be set to '22', but the env section has been removed. Verify if this change is intentional. - Reason this comment was not posted:
Comment looked like it was already resolved.
4. .github/workflows/build.yml:109
- Draft comment:
Typographical error: the shell is set to 'bask', which is likely a typo and should be 'bash'. - Reason this comment was not posted:
Marked as duplicate.
Workflow ID: wflow_qYGvyf3qH5XNadqE
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
| with: | ||
| command: clippy | ||
| args: --tests -- -D warnings --message-format=json &> clippy_report.json | ||
| shell: bask |
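Review bot: `shell: bask` on this step is not a valid shell name (actionlint lists the available names as bash, pwsh, python and sh), and the `&> clippy_report.json` redirection in `args:` will reach cargo as literal arguments because actions-rs/cargo runs the command without a shell, so no report is written for Sonar. Replace the `uses:` step with a `run:` step under `shell: bash`, e.g. `run: cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json`, so the redirection is actually processed.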
There was a problem hiding this comment.
Typo: 'shell: bask' likely should be 'bash'.
| shell: bask | |
| shell: bash |
There was a problem hiding this comment.
Important
Looks good to me! 👍
Reviewed 52aa02b in 43 seconds. Click for details.
- Reviewed 13 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 2 draft comments. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:109
- Draft comment:
Typo fix: Changed shell from 'bask' to 'bash' to ensure the correct shell is used for running the clippy command. - Reason this comment was not posted:
Comment did not seem useful. Confidence is useful = 0% <= threshold 50%. This comment is purely informative, as it only describes a typo fix without suggesting any action or asking for confirmation. It doesn't provide any actionable feedback or raise any concerns about the code change.
2. .github/workflows/build.yml:109
- Draft comment:
Typographical error corrected: changed 'bask' to 'bash'. Please ensure similar consistency elsewhere if applicable. - Reason this comment was not posted:
Comment did not seem useful. Confidence is useful = 0% <= threshold 50%. This comment is purely informative and asks the PR author to ensure consistency elsewhere, which violates the rules. It doesn't provide a specific code suggestion or ask for a specific test to be written.
Workflow ID: wflow_x6UYEU5L3Oy6qYgM
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/build.yml (2)
79-81: Pin taiki-e/install-action to a commit SHA and pass tool via inputs. Ref names like “@cargo-llvm-cov” aren’t immutable; switch to a SHA and specify tool.
- - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + - name: Install cargo-llvm-cov + uses: taiki-e/install-action@<PINNED_COMMIT_SHA> + with: + tool: cargo-llvm-cov
113-119: Pin Sonar scanner action and guard scan by token; avoid passing token as CLI arg. Pin to SHA, skip on forks, and supply token via env.
- - name: Setup sonarqube - uses: warchant/setup-sonar-scanner@v3 + - name: Setup SonarScanner + uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA> - - name: Sonar Scan - shell: bash - run: | - sonar-scanner -Dcommunity.rust.clippy.reportPaths=clippy_report.json -Dsonar.login=${{ secrets.SONAR_TOKEN }} + - name: Sonar Scan + if: ${{ secrets.SONAR_TOKEN != '' }} + shell: bash + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: | + sonar-scanner -Dcommunity.rust.clippy.reportPaths=clippy_report.json
♻️ Duplicate comments (2)
.github/workflows/build.yml (2)
88-92: Do not use @main; pin qlty action and guard for missing token. This is a third‑party action; pin to SHA and skip when token is absent (forks).
- - uses: qltysh/qlty-action/coverage@main + - if: ${{ secrets.QLTY_COVERAGE_TOKEN != '' }} + uses: qltysh/qlty-action/coverage@<PINNED_COMMIT_SHA> with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: target/lcov.info
21-30: Guard Graphite for forks, add permissions, and pin to commit SHA. Avoid failures when secrets are unavailable; apply least privilege; pin action immutably.
optimize_ci: - runs-on: ubuntu-latest + if: ${{ secrets.GRAPHITE_TOKEN != '' }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip: ${{ steps.check_skip.outputs.skip }} steps: - - uses: withgraphite/graphite-ci-action@1.4.0 + - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> id: check_skip with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
🧹 Nitpick comments (2)
.github/workflows/build.yml (2)
1-2: Add top-level least-privilege permissions. Set default read-only permissions for safer defaults; raise per-job only when needed.
name: Build Package CI +permissions: + contents: read
97-99: Update checkout to v4 for consistency and fixes. Align with other jobs using @v4.
- - name: Checkout sources - uses: actions/checkout@v2 + - name: Checkout sources + uses: actions/checkout@v4
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/build.yml (3 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
🪛 actionlint (1.7.7)
.github/workflows/build.yml
109-109: shell name "bask" is invalid. available names are "bash", "pwsh", "python", "sh"
(shell-name)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (4)
.github/workflows/build.yml (4)
5-14: Triggers look correct. Clean push/PR types and a useful workflow_dispatch input.
16-18: Concurrency expression is sound. ref_name avoids empty groups on push; main is exempt from cancellations.
34-39: Wiring optimize_ci into check is good. Gating on outputs.skip and using checkout@v4 looks correct.
58-63: Test job correctly gated. Same skip wiring + checkout@v4 is consistent.
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
.github/workflows/build.yml (3)
88-92: Pin qlty coverage action to a commit SHA.
Avoid @main to reduce supply-chain risk. - - uses: qltysh/qlty-action/coverage@main + - uses: qltysh/qlty-action/coverage@<COMMIT_SHA> with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: target/lcov.info
98-98: Upgrade checkout to v4 for consistency.
The clippy job still uses actions/checkout@v2. Align to v4. - - name: Checkout sources - uses: actions/checkout@v2 + - name: Checkout sources + uses: actions/checkout@v4
113-115: Pin Sonar scanner setup action to a commit SHA.
Third-party action; pin for immutability.- - name: Setup sonarqube - uses: warchant/setup-sonar-scanner@v3 + - name: Setup sonarqube + uses: warchant/setup-sonar-scanner@<COMMIT_SHA>
♻️ Duplicate comments (2)
.github/workflows/build.yml (2)
1-1: Add top-level default permissions.
Set least-privilege defaults; jobs can elevate as needed.name: Build Package CI + +permissions: + contents: read + pull-requests: read
21-30: Pin third-party action and add least-privilege permissions to optimize_ci.
- Pin withgraphite/graphite-ci-action to a full commit SHA (tags can be retagged).
- Add minimal permissions (contents: read, pull-requests: read).
Apply:
optimize_ci: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip: ${{ steps.check_skip.outputs.skip }} steps: - - uses: withgraphite/graphite-ci-action@1.4.0 + - uses: withgraphite/graphite-ci-action@<COMMIT_SHA> id: check_skip with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
🧹 Nitpick comments (4)
.github/workflows/build.yml (4)
40-46: Pin actions-rs/toolchain and consider adding Rust cache.
- Pin to a commit SHA for supply-chain safety.
- Add Swatinem/rust-cache to speed runs.
- name: Install toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@<COMMIT_SHA> with: toolchain: stable override: true profile: minimal + - name: Rust cache + uses: Swatinem/rust-cache@<COMMIT_SHA>
79-87: Remove redundant cargo build before llvm-cov.
cargo-llvm-cov rebuilds with instrumentation; the prior cargo build wastes time.- - name: cargo build - run: cargo build --workspace --verbose - - name: cargo test run: cargo llvm-cov --all-features --workspace --lcov --output-path target/lcov.info
109-111: Optionally allow Sonar scan to run even if Clippy fails.
If you want a report when Clippy emits warnings, set step-level continue-on-error.- - name: Run clippy + - name: Run clippy + continue-on-error: true shell: bash run: | cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json
41-51: Also pin other third-party actions to SHAs.
actions-rs/toolchain, actions-rs/cargo are third-party; prefer commit SHAs.-uses: actions-rs/toolchain@v1 +uses: actions-rs/toolchain@<COMMIT_SHA> -uses: actions-rs/cargo@v1 +uses: actions-rs/cargo@<COMMIT_SHA>Also applies to: 65-75, 101-107
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/build.yml (3 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Codoki PR Review
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (8)
.github/workflows/build.yml (8)
1-1: Workflow rename: looks good.
Clearer name. No issues.
8-14: workflow_dispatch input: good addition.
Boolean input is well-defined with defaults.
16-18: Concurrency expression fixed correctly.
Using github.ref_name prevents empty group suffix on push; cancel-in-progress logic for non-main is sound.
35-36: Gating on optimize_ci output: correct usage.
Consumers are properly skipped when skip == 'true'.
38-38: Checkout v4: good.
Matches current runner Node versions.
58-59: Test job correctly gated on skip.
Looks good.
62-62: Checkout v4 in test job: good.
20-20: Secrets check.
Ensure GRAPHITE_TOKEN, QLTY_COVERAGE_TOKEN, and SONAR_TOKEN are present in repo/org secrets; otherwise jobs will fail at runtime.
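The same three findings recur across the bot reviews in this thread: third-party actions referenced by tag or branch instead of a commit SHA, no top-level `permissions:` block, and gating a step on `secrets.X != ''` inside an `if:`. The last one deserves a closer look, because the `secrets` context is not available in `if:` conditions at all, so the gate several suggestions propose never evaluates as intended. As an added example that is not part of the reviewed repository or of any of the review bots, here is a small Python lint that checks workflow text for exactly these points. The sample workflow embedded in it is constructed for the example (its 40-zero SHA is a placeholder, not a real commit), and the `TRUSTED_OWNERS` allow-list is an assumption you would tune to your own policy.

```python
"""Lint GitHub Actions workflow text for the issues this review keeps raising:
third-party actions not pinned to a commit SHA, mutable branch refs, a missing
top-level `permissions:` block, and `secrets.*` used inside an `if:` condition.
Added example, not part of the reviewed repository."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Owners treated as first-party: tag refs from these are accepted.
# Assumption for this example; tighten to your own allow-list.
TRUSTED_OWNERS = {"actions", "github"}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s#'\"]+)")
IF_RE = re.compile(r"^\s*-?\s*if:\s*(.+)$")
PERMISSIONS_RE = re.compile(r"^permissions:")  # column 0 = workflow level


@dataclass
class Finding:
    line: int       # 1-based line in the workflow text
    severity: str   # "high" or "medium"
    message: str


def classify_uses(ref: str):
    """Return (severity, message) for one `uses:` value, or None if acceptable."""
    if ref.startswith(("./", "docker://")):
        return None                      # local composite action or image
    if "@" not in ref:
        return ("high", f"{ref}: no ref given, resolves to the default branch")
    repo, _, version = ref.partition("@")
    owner = repo.split("/", 1)[0]
    if SHA_RE.match(version):
        return None                      # immutable pin
    if version in ("main", "master"):
        return ("high", f"{ref}: branch ref is mutable, pin a full commit SHA")
    if owner in TRUSTED_OWNERS:
        return None                      # first-party tag, accepted by policy
    return ("medium", f"{ref}: third-party action on tag '{version}', not a commit SHA")


def lint_workflow(text: str) -> list[Finding]:
    """Scan workflow YAML line by line; no YAML parser is needed for these checks."""
    lines = text.splitlines()
    findings = []
    if not any(PERMISSIONS_RE.match(ln) for ln in lines):
        findings.append(Finding(1, "medium",
            "no top-level `permissions:`; GITHUB_TOKEN gets the repository default"))
    for n, ln in enumerate(lines, 1):
        m = USES_RE.match(ln)
        if m:
            hit = classify_uses(m.group(1))
            if hit:
                findings.append(Finding(n, *hit))
        m = IF_RE.match(ln)
        if m and "secrets." in m.group(1):
            findings.append(Finding(n, "high",
                "`secrets` context is not available in `if:`; copy the secret "
                "into `env:` and test `env.NAME != ''` instead"))
    return findings


# Constructed sample for this example; the 40-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Build Package CI
on: [push]
jobs:
  optimize_ci:
    runs-on: ubuntu-latest
    steps:
      - uses: withgraphite/graphite-ci-action@v0.0.9
        if: ${{ secrets.GRAPHITE_TOKEN != '' }}
      - uses: actions/checkout@v4
      - uses: qltysh/qlty-action/coverage@main
      - uses: taiki-e/install-action@cargo-llvm-cov
      - uses: codecov/codecov-action@0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3} [{f.severity}] {f.message}")
```

Run it over `.github/workflows/*.yml` before merging and you get the Codacy warnings plus the two the bots did not raise: the `@main` ref is rated higher than a plain tag because it moves on every push, and the `secrets.` inside `if:` is flagged as the real defect it is. A line scan is enough here because every check keys on a single `uses:`, `if:` or `permissions:` line; anything that needs job structure (per-job permissions, `needs` wiring) would want a real YAML parser.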
Caution
Changes requested ❌
Reviewed 025f4e4 in 1 minute and 41 seconds. Click for details.
- Reviewed 22 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 1 draft comment. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:26
- Draft comment: The Graphite CI action version changed from '1.4.0' to 'v0.0.9'. Please verify that this change is intentional as it appears to use a lower version number or a different tag format.
- Reason this comment was not posted: Comment looked like it was already resolved.
Workflow ID: wflow_jgOK67JqRmUrV7D2
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
.github/workflows/build.yml (3)
88-92: Pin qlty coverage action and guard for missing token (fork PRs). Avoids supply-chain risk and CI breaks when secrets aren't available.
- - uses: qltysh/qlty-action/coverage@main + - uses: qltysh/qlty-action/coverage@<PINNED_COMMIT_SHA> + if: ${{ secrets.QLTY_COVERAGE_TOKEN != '' }} with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: target/lcov.info
113-119: Pin Sonar action and run Sonar only when token exists. Prevents secretless failures on forks and locks third-party action version.
- - name: Setup sonarqube - uses: warchant/setup-sonar-scanner@v3 + - name: Setup sonarqube + uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA> + if: ${{ secrets.SONAR_TOKEN != '' }} @@ - - name: Sonar Scan - shell: bash - run: | - sonar-scanner -Dcommunity.rust.clippy.reportPaths=clippy_report.json -Dsonar.login=${{ secrets.SONAR_TOKEN }} + - name: Sonar Scan + if: ${{ secrets.SONAR_TOKEN != '' }} + shell: bash + run: | + sonar-scanner -Dcommunity.rust.clippy.reportPaths=clippy_report.json -Dsonar.login=${{ secrets.SONAR_TOKEN }}Also applies to: 114-114
79-81: Pin taiki-e/install-action and avoid tag-alias; declare tool via input. Locks version and keeps behavior stable.
- - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + - name: Install cargo-llvm-cov + uses: taiki-e/install-action@<PINNED_COMMIT_SHA> + with: + tool: cargo-llvm-cov
♻️ Duplicate comments (1)
.github/workflows/build.yml (1)
18-18: Fix cancel-in-progress condition: it always evaluates true on main. github.ref_name is just "main", not "refs/heads/main". This cancels main runs unintentionally.
- cancel-in-progress: ${{ github.ref_name != 'refs/heads/main' }} + cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
🧹 Nitpick comments (3)
.github/workflows/build.yml (3)
98-98: Standardize checkout to v4. Avoids legacy Node runtimes and keeps action versions consistent across jobs.
- uses: actions/checkout@v2 + uses: actions/checkout@v4
1-2: Set top-level default permissions to least-privilege. Good baseline; override per job when needed.
name: Build Package CI + +permissions: + contents: read
93-96: Optionally gate clippy on optimize_ci skip to save minutes. If you want full CI short-circuiting, wire clippy to the same skip output.
clippy: name: Clippy runs-on: ubuntu-latest + needs: [optimize_ci] + if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/build.yml (3 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Test
- GitHub Check: Codoki PR Review
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (1)
.github/workflows/build.yml (1)
31-36: Confirm optimize_ci output key is exactly "skip".If the action changes its output name/type, these conditions won’t work.
Would you like me to auto-verify the output contract against the action’s docs and recent releases?
Also applies to: 56-60
| runs-on: ubuntu-latest | ||
| outputs: | ||
| skip: ${{ steps.check_skip.outputs.skip }} | ||
| steps: | ||
| - uses: withgraphite/graphite-ci-action@v0.0.9 | ||
| id: check_skip | ||
| with: | ||
| graphite_token: ${{ secrets.GRAPHITE_TOKEN }} |
Harden optimize_ci: pin action, add least-privilege perms, handle forks/no secret, and default skip=false.
Prevents supply-chain, missing-secret, and output issues that would block downstream jobs.
optimize_ci:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: read
outputs:
- skip: ${{ steps.check_skip.outputs.skip }}
+ skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }}
steps:
+ - name: Default skip=false
+ id: defaults
+ run: echo "skip=false" >> "$GITHUB_OUTPUT"
- - uses: withgraphite/graphite-ci-action@v0.0.9
+ - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
+ if: ${{ secrets.GRAPHITE_TOKEN != '' }}
id: check_skip
with:
graphite_token: ${{ secrets.GRAPHITE_TOKEN }}Follow-up: replace <PINNED_COMMIT_SHA> with the exact commit SHA you trust.
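Review bot: the `if: ${{ secrets.GRAPHITE_TOKEN != '' }}` added to the graphite step will not evaluate as intended, because the `secrets` context is not available in `if:` conditions (actionlint's context-availability check rejects it). Expose the token through the job's `env:` (`GRAPHITE_TOKEN: ${{ secrets.GRAPHITE_TOKEN }}`) and gate on `if: ${{ env.GRAPHITE_TOKEN != '' }}`; on fork PRs the env value is empty, the step is skipped, and the `defaults` step's `skip=false` then carries through the `||` fallback as designed.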
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| runs-on: ubuntu-latest | |
| outputs: | |
| skip: ${{ steps.check_skip.outputs.skip }} | |
| steps: | |
| - uses: withgraphite/graphite-ci-action@v0.0.9 | |
| id: check_skip | |
| with: | |
| graphite_token: ${{ secrets.GRAPHITE_TOKEN }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| outputs: | |
| skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }} | |
| steps: | |
| - name: Default skip=false | |
| id: defaults | |
| run: echo "skip=false" >> "$GITHUB_OUTPUT" | |
| - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> | |
| if: ${{ secrets.GRAPHITE_TOKEN != '' }} | |
| id: check_skip | |
| with: | |
| graphite_token: ${{ secrets.GRAPHITE_TOKEN }} |
🧰 Tools
🪛 GitHub Check: Codacy Static Code Analysis
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
Caution
Changes requested ❌
Reviewed 8b633e8 in 1 minute and 43 seconds. Click for details.
- Reviewed 24 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 2 draft comments. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:18
- Draft comment: The cancel-in-progress condition now compares github.ref_name against 'main'. Ensure that github.ref_name indeed returns just 'main' (and not something like 'refs/heads/main') to avoid unintended cancellations.
- Reason this comment was not posted: Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50%. The code itself provides evidence that github.ref_name returns just the branch name - we can see this in line 17 where it's used in a comparison that expects just 'main'. The change appears intentional and consistent with GitHub Actions' behavior. The comment is asking for verification of something that the code itself demonstrates understanding of. I could be wrong about inferring github.ref_name behavior just from the code - maybe line 17's behavior is different or there's more context I'm missing. Even if I'm wrong, this comment violates our rules by asking for verification rather than pointing out a clear issue. It starts with "Ensure that..." which is explicitly mentioned as a red flag. The comment should be deleted because it asks for verification rather than pointing out a clear issue, and the code itself shows awareness of github.ref_name's behavior.
2. .github/workflows/build.yml:28
- Draft comment: The addition of 'continue-on-error: true' allows the workflow to proceed even if the Graphite action fails. Confirm that in error cases the step still sets an appropriate skip output, or consider providing an explicit fallback value.
- Reason this comment was not posted: Confidence changes required: 50% <= threshold 50%. None
Workflow ID: wflow_bNXcj981KeQUq0eB
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
| optimize_ci: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }} |
The output expression now references 'steps.defaults.outputs.skip' as a fallback, but no step with id 'defaults' is defined. Consider either adding the corresponding step or updating the fallback expression.
| skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }} | |
| skip: ${{ steps.check_skip.outputs.skip }} |
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
.github/workflows/build.yml (4)
98-100: Upgrade checkout to v4 for Clippy job. Keep versions consistent and supported.
- uses: actions/checkout@v2 + uses: actions/checkout@v4
89-93: Pin qlty action and gate by secret to avoid fork failures. Also consider non-fatal uploads.
- - uses: qltysh/qlty-action/coverage@main + - uses: qltysh/qlty-action/coverage@<PINNED_COMMIT_SHA> + if: ${{ secrets.QLTY_COVERAGE_TOKEN != '' }} + continue-on-error: true with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: target/lcov.info
115-121: Pin Sonar action and gate scan by secret. Prevents failing scans on forks and pins the setup action.
- - name: Setup sonarqube - uses: warchant/setup-sonar-scanner@v3 + - name: Setup sonarqube + uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA> - - name: Sonar Scan + - name: Sonar Scan + if: ${{ secrets.SONAR_TOKEN != '' }} shell: bash run: | sonar-scanner -Dcommunity.rust.clippy.reportPaths=clippy_report.json -Dsonar.login=${{ secrets.SONAR_TOKEN }}
41-47: Pin third-party actions to full commit SHAs. actions-rs/* and taiki-e/* are third-party; pinning reduces supply-chain risk.
Also applies to: 48-55, 65-71, 72-79, 101-107
♻️ Duplicate comments (3)
.github/workflows/build.yml (3)
1-1: Add top-level default permissions (least privilege). Set restrictive defaults; jobs can elevate as needed.
name: Build Package CI + +permissions: + contents: read
22-31: Harden optimize_ci: least-privilege perms, pin action, and skip when secret absent. This avoids supply-chain risk and fork failures while keeping the job non-fatal.
optimize_ci: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip: ${{ steps.check_skip.outputs.skip || 'false' }} steps: - - uses: withgraphite/graphite-ci-action@v0.0.9 + - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> id: check_skip - continue-on-error: true + if: ${{ secrets.GRAPHITE_TOKEN != '' }} + continue-on-error: true with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }}Replace <PINNED_COMMIT_SHA> with a trusted full commit SHA.
16-18: Make concurrency group robust for PRs (avoid "merge" collisions). Use head_ref when available; fallback to ref_name. Current value can collapse to "merge" across PRs.
- group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }} + group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.head_ref || github.ref_name }} cancel-in-progress: ${{ github.ref_name != 'main' }}
🧹 Nitpick comments (1)
.github/workflows/build.yml (1)
72-88: Optional: cache Cargo to speed up CI. Add a Cargo cache before build/tests to cut runtimes.
- name: Install toolchain uses: actions-rs/toolchain@v1 with: toolchain: stable override: true profile: minimal + + - name: Cache cargo registry + target + uses: actions/cache@v4 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target + key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} + restore-keys: | + ${{ runner.os }}-cargo-
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/build.yml (3 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
🪛 actionlint (1.7.7)
.github/workflows/build.yml
24-24: property "defaults" is not defined in object type {check_skip: {conclusion: string; outcome: string; outputs: {string => string}}}
(expression)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Test
- GitHub Check: Codoki PR Review
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (1)
.github/workflows/build.yml (1)
1-15: PR objective says NODE_VERSION=22, but workflow doesn't set it. Confirm intent. If still desired, add at the top:
name: Build Package CI +env: + NODE_VERSION: '22'
| outputs: | ||
| skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }} | ||
| steps: |
Fix outputs reference to undefined step (breaks evaluation).
steps.defaults doesn’t exist; actionlint flags it and GitHub will treat it as invalid. Default to 'false' directly.
outputs:
- skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }}
+ skip: ${{ steps.check_skip.outputs.skip || 'false' }}📝 Committable suggestion
| outputs: | |
| skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }} | |
| steps: | |
| outputs: | |
| skip: ${{ steps.check_skip.outputs.skip || 'false' }} | |
| steps: |
🧰 Tools
🪛 actionlint (1.7.7)
24-24: property "defaults" is not defined in object type {check_skip: {conclusion: string; outcome: string; outputs: {string => string}}}
(expression)
🤖 Prompt for AI Agents
.github/workflows/build.yml lines 23-25: the outputs expression references a
non-existent step "steps.defaults", causing actionlint/GitHub validation to
fail; replace that reference with a literal false default so the line becomes an
OR against false (i.e. use ${{ steps.check_skip.outputs.skip || false }}),
ensuring the workflow evaluates correctly without relying on an undefined step.
Important
Looks good to me! 👍
Reviewed d68411c in 1 minute and 4 seconds. Click for details.
- Reviewed 37 lines of code in 3 files
- Skipped 0 files when reviewing.
- Skipped posting 3 draft comments. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. .github/workflows/build.yml:112
- Draft comment: Removal of '-D warnings' in the clippy command may allow warnings to pass. Confirm if this change is intentional.
- Reason this comment was not posted: Comment looked like it was already resolved.
2. .github/workflows/vitest.yml:26
- Draft comment: Pinning codecov-action to v5.5.1 is good practice; ensure this version is compatible with your workflow.
- Reason this comment was not posted: Comment did not seem useful. Confidence is useful = 0% <= threshold 50%. The comment is purely informative and suggests ensuring compatibility, which violates the rules. It doesn't provide a specific code suggestion or point out a potential issue with the code itself.
3. package.json:30
- Draft comment: Upgrade of vitest from ^1.3.0 to ^3.2.4 might include breaking changes. Verify compatibility with existing tests.
- Reason this comment was not posted: Comment did not seem useful. Confidence is useful = 0% <= threshold 50%. This comment is about a dependency upgrade and suggests verifying compatibility, which violates the rules against commenting on dependency changes and asking the author to verify intentions or test compatibility.
Workflow ID: wflow_fg5GYn9Au2JAUdOH
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/build.yml (1)
89-93: Pin qlty coverage action to a commit SHA. Avoid using `@main` for third-party actions.
- - uses: qltysh/qlty-action/coverage@main + - uses: qltysh/qlty-action/coverage@<PINNED_COMMIT_SHA> with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: target/lcov.info
♻️ Duplicate comments (2)
.github/workflows/build.yml (2)
23-25: Broken outputs expression: references undefined step `steps.defaults`
`steps.defaults` doesn't exist; this fails actionlint and can break evaluation. Default to false directly.
outputs: - skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }} + skip: ${{ steps.check_skip.outputs.skip || 'false' }}
22-31: Harden optimize_ci: pin action, guard missing secret, least-privilege permissions
- Pin `withgraphite/graphite-ci-action` to a commit SHA.
- Skip the step when `GRAPHITE_TOKEN` is unavailable (forks).
- Add minimal job permissions.
optimize_ci: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: - skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }} + skip: ${{ steps.check_skip.outputs.skip || 'false' }} steps: - - uses: withgraphite/graphite-ci-action@v0.0.9 + - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA> + if: ${{ secrets.GRAPHITE_TOKEN != '' }} id: check_skip continue-on-error: true with: graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
🧹 Nitpick comments (6)
package.json (1)
30-30: Vitest v3: ensure coverage provider and move to devDependencies
- With Vitest 3, coverage often requires installing a provider plugin. If you rely on `--coverage` in CI, add `@vitest/coverage-v8` (or `@vitest/coverage-istanbul`) and configure it.
- Also, consider moving `vitest` to devDependencies.
Proposed diff:
"devDependencies": { "@eslint/js": "^9.29.0", "@types/bun": "latest", "@typescript-eslint/parser": "^8.35.0", "dprint": "^0.50.0", "eslint": "^9.29.0", "eslint-config-prettier": "^10.1.5", "prettier": "^3.6.2", - "typescript-eslint": "^8.35.0" + "typescript-eslint": "^8.35.0", + "vitest": "^3.2.4", + "@vitest/coverage-v8": "^3.2.4" }, ... "dependencies": { @@ - "smart-account-auth": "^0.6.6", - "vitest": "^3.2.4" + "smart-account-auth": "^0.6.6" }
.github/workflows/vitest.yml (1)
16-18: Specify Node version used for tests for determinism. CI currently omits `node-version`. Align with your repo standard (Node 22).
- name: Set up Node uses: actions/setup-node@v4 + with: + node-version: 22
.github/workflows/build.yml (4)
99-99: Upgrade checkout to v4 for consistency. Other jobs already use `actions/checkout@v4`.
- uses: actions/checkout@v2 + uses: actions/checkout@v4
109-113: Clippy command: drop stray `--` or enforce warnings as errors. The trailing `--` has no args and is odd. If you intend to fail on warnings, add `-D warnings`.
- cargo clippy --tests --message-format=json -- > clippy_report.json + cargo clippy --tests --message-format=json > clippy_report.json + # or fail CI on warnings and still emit JSON: + # cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json
72-88: Avoid double-running tests (speed up CI). You run tests via `actions-rs/cargo@v1` and again with `cargo llvm-cov` (which runs tests). Drop the first to reduce time.
- - name: Run tests - uses: actions-rs/cargo@v1 - with: - command: test - args: --lib --locked --tests - env: - RUST_BACKTRACE: 1 - - name: Install cargo-llvm-cov uses: taiki-e/install-action@cargo-llvm-cov
16-16: Add top-level default permissions (least privilege). Default to read-only and elevate per-job if needed.
concurrency: group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }} cancel-in-progress: ${{ github.ref_name != 'main' }} + +permissions: + contents: read
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
bun.lockb is excluded by !**/bun.lockb
📒 Files selected for processing (3)
.github/workflows/build.yml (3 hunks)
.github/workflows/vitest.yml (1 hunks)
package.json (1 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
.github/workflows/build.yml
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
🪛 actionlint (1.7.7)
.github/workflows/build.yml
24-24: property "defaults" is not defined in object type {check_skip: {conclusion: string; outcome: string; outputs: {string => string}}}
(expression)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Codoki PR Review
- GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (2)
.github/workflows/build.yml (2)
16-18: Concurrency expression looks good. Using `github.ref_name` and canceling non-main runs is correct and avoids cross-branch cancellations.
35-36: Gating on optimize_ci output is correct
`needs` + `if` wiring is sound and will skip `check`/`test` when instructed (after fixing the outputs bug). Also applies to: 59-60
| cargo clippy --tests --message-format=json -- > clippy_report.json | ||
| - name: Setup sonarqube | ||
| uses: warchant/setup-sonar-scanner@v3 |
🛠️ Refactor suggestion
Pin Sonar scanner action to a commit SHA
Another third-party action that should be immutable.
- uses: warchant/setup-sonar-scanner@v3
+ uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA>📝 Committable suggestion
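Review bot: when replacing `@v3` with a commit SHA, keep the version it resolves to as a trailing comment (`uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA> # v3`); otherwise Dependabot and Renovate cannot tell which release the pin corresponds to and the pin silently ages. The same applies to the qlty, graphite and codecov pins suggested elsewhere in this thread.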
| uses: warchant/setup-sonar-scanner@v3 | |
| uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA> |
🤖 Prompt for AI Agents
In .github/workflows/build.yml around line 115, the workflow uses the
third-party action via a mutable tag ("warchant/setup-sonar-scanner@v3"); change
this to an immutable commit SHA by replacing the tag with the specific commit
hash for the v3 release (e.g., "warchant/setup-sonar-scanner@<commit-sha>"),
fetching the latest commit SHA from the action's GitHub repository or release
and updating the workflow file accordingly so the action is pinned to that exact
commit.
| - name: Upload results to Codecov | ||
| uses: codecov/codecov-action@v5 | ||
| uses: codecov/codecov-action@v5.5.1 |
🛠️ Refactor suggestion
Pin Codecov action to a commit SHA (supply-chain hardening)
Pinning third-party actions prevents unexpected changes from upstream.
- - name: Upload results to Codecov
- uses: codecov/codecov-action@v5.5.1
+ - name: Upload results to Codecov
+ uses: codecov/codecov-action@<COMMIT_SHA>
with:
token: ${{ secrets.CODECOV_TOKEN }}Committable suggestion skipped: line range outside the PR's diff.
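Review bot: `<COMMIT_SHA>` must be the commit that the `v5.5.1` tag points at, not the tag object itself. `git ls-remote --tags https://github.com/codecov/codecov-action refs/tags/v5.5.1` prints two lines when the tag is annotated; take the one suffixed `^{}`, which is the peeled commit, and check it against the release page before committing. Keep `# v5.5.1` after the SHA so the pin stays readable and updatable.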
🤖 Prompt for AI Agents
.github/workflows/vitest.yml around line 26: the workflow references uses:
codecov/codecov-action@v5.5.1 which is an unpinned tag; replace the tag with a
specific commit SHA to pin the action for supply-chain hardening. Locate the
Codecov action usage and update it to uses: codecov/codecov-action@<commit-sha>
(use the exact SHA from the action's GitHub repository release you want), commit
the change, and verify the workflow runs successfully.
Important
Looks good to me! 👍
Reviewed ea3f08a in 47 seconds. Click for details.
- Reviewed 12 lines of code in 1 file
- Skipped 0 files when reviewing.
- Skipped posting 1 draft comment. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. package.json:12
- Draft comment: Added '@vitest/coverage-v8' dependency. Confirm that its version (^3.2.4) aligns with your Vitest version/configuration for consistent coverage reporting.
- Reason this comment was not posted: Confidence changes required: 0% <= threshold 50%. None
Workflow ID: wflow_ykDyoobXxGgC4IcP
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (2)
package.json (2)
12-12: Enable coverage in CI; the plugin alone doesn’t activate it
Add a coverage script or config so @vitest/coverage-v8 actually produces reports (for Codecov pickup). You can add:
{
  "scripts": {
    "test": "vitest --run",
    "coverage": "vitest run --coverage"
  }
}
31-31: Move vitest to devDependencies to avoid shipping test tooling to production
Keeps production install smaller and reduces supply-chain surface.
Apply within this hunk:
- "vitest": "^3.2.4"
Then add under devDependencies (outside this hunk):
"devDependencies": {
  "...": "...",
  "vitest": "^3.2.4"
}
Optional: pin to an exact patch (or rely on a lockfile) to keep CI deterministic.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
bun.lockb is excluded by !**/bun.lockb
📒 Files selected for processing (1)
package.json (2 hunks)
🧰 Additional context used
🪛 GitHub Check: Codacy Static Code Analysis
package.json
[warning] 31-31: package.json#L31
Package dependencies with variant versions may lead to dependency hijack and confusion attacks.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Codacy Static Code Analysis
- GitHub Check: Codoki PR Review
There was a problem hiding this comment.
Important
Looks good to me! 👍
Reviewed b7670c5 in 1 minute and 20 seconds.
- Reviewed 51 lines of code in 3 files
- Skipped 1 file when reviewing.
- Skipped posting 6 draft comments. View those below.
- Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. src/types.ts:3
   - Draft comment: Removed unused import from '@cosmjs/proto-signing'. Confirm this removal is intentional and not needed for code generation or type requirements.
   - Reason this comment was not posted: Confidence changes required: 0% <= threshold 50%. None
2. src/types.ts:18
   - Draft comment: Removed auto-generated comment block. Ensure that if the file is now maintained manually, the regeneration instructions are preserved elsewhere.
   - Reason this comment was not posted: Confidence changes required: 0% <= threshold 50%. None
3. src/utils.ts:27
   - Draft comment: Added a sleep function. Consider adding an explicit return type (Promise) for improved type clarity.
   - Reason this comment was not posted: Confidence changes required: 33% <= threshold 50%. None
4. tests/actions.test.ts:35
   - Draft comment: Avoid using an early return in tests to exit silently. Consider using test.skip or failing the test explicitly if preconditions aren’t met.
   - Reason this comment was not posted: Comment was not on a location in the diff, so it can't be submitted as a review comment.
5. tests/actions.test.ts:175
   - Draft comment: Avoid silent exit through an early return in tests. Instead, use an assertion or test.fail so that unmet preconditions are reported.
   - Reason this comment was not posted: Comment was not on a location in the diff, so it can't be submitted as a review comment.
6. tests/actions.test.ts:85
   - Draft comment: Remove the large commented-out test block to improve readability and maintainability of the test suite.
   - Reason this comment was not posted: Confidence changes required: 50% <= threshold 50%. None
Workflow ID: wflow_bssYaSf1NEh41ov4
You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
| ]).toString('hex'); | ||
| } | ||
| export const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms)); |
There was a problem hiding this comment.
Codacy has a fix for the issue: Return values from promise executor functions cannot be read.
| export const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms)); | |
| export const sleep = (ms: number) => new Promise((r) => {setTimeout(r, ms)}); |
| ]).toString('hex'); | ||
| } | ||
| export const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms)); |
There was a problem hiding this comment.
Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.
| export const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms)); | |
| export const sleep = function(ms: number) { return new Promise((r) => setTimeout(r, ms)) }; |
| # integration tests | ||
| e2e/gas_reports/* | ||
| .github |
There was a problem hiding this comment.
| .github | |
| # keep CI workflows tracked (do not ignore .github) | |
| # .github |
| with: | ||
| command: clippy | ||
| args: --tests -- -D warnings --message-format=json &> clippy_report.json | ||
| shell: bash |
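Review bot: the `args:` value on this step is passed to cargo as argument tokens rather than through a shell, so the `&> clippy_report.json` redirection in `args:` never executes, and `shell: bash` only applies to `run:` steps, so it has no effect here; replace the step with a `run:` line such as `cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json`, keeping `--message-format=json` before the `--` so cargo (not clippy-driver) receives it, and redirect only stdout, because `&>` would also capture cargo's `Checking ...` progress lines from stderr and the file would no longer be line-delimited JSON.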
There was a problem hiding this comment.
| shell: bash | |
| cargo clippy --tests --message-format=json -- -D warnings &> clippy_report.json |
| @@ -23,6 +23,6 @@ jobs: | |||
| run: npx vitest run --coverage | |||
There was a problem hiding this comment.
🔷 Medium: With Vitest v3, coverage needs an explicit provider (e.g., @vitest/coverage-v8). Without it, coverage may be disabled or empty, resulting in misleading Codecov uploads.
| run: npx vitest run --coverage | |
| run: npx vitest run --coverage --coverage.provider=v8 |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/utils.ts (1)
27-27: Type the Promise to satisfy linters; optional: use timers/promises.
Add explicit return and executor types to quiet Codacy and clarify intent. Optional: replace with Node’s timers/promises for a cleaner awaitable. Minimal change:
-export const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
+export const sleep = (ms: number): Promise<void> =>
+  new Promise<void>((resolve) => setTimeout(resolve, ms));
Optional alternative (outside selected lines):
import { setTimeout as delay } from 'node:timers/promises';
export const sleep = (ms: number) => delay(ms);
If Codacy still flags ES2015 usage, ensure ESLint/TS config targets Node 18+ or ES2020+ with "env": {"node": true} and appropriate lib.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
- .gitignore (1 hunks)
- src/types.ts (0 hunks)
- src/utils.ts (1 hunks)
- tests/actions.test.ts (1 hunks)
💤 Files with no reviewable changes (1)
- src/types.ts
🧰 Additional context used
🪛 GitHub Actions: Run tests and upload coverage
tests/actions.test.ts
[error] 22-22: Hook timed out in 10000ms. If this is a long-running hook, pass a timeout value as the last argument or configure it globally with 'hookTimeout'.
🪛 GitHub Check: Codacy Static Code Analysis
src/utils.ts
[warning] 27-27: src/utils.ts#L27
"Promise" is not defined.
[warning] 27-27: src/utils.ts#L27
ES2015 'Promise' class is forbidden.
[warning] 27-27: src/utils.ts#L27
ES2015 arrow function expressions are forbidden.
[warning] 27-27: src/utils.ts#L27
ES2015 block-scoped variables are forbidden.
[warning] 27-27: src/utils.ts#L27
ES2015 modules are forbidden.
[warning] 27-27: src/utils.ts#L27
Missing "r" parameter type annotation.
[warning] 27-27: src/utils.ts#L27
Promise is not supported in op_mini all
[warning] 27-27: src/utils.ts#L27
Restricted async operation "setTimeout"
[warning] 27-27: src/utils.ts#L27
Return values from promise executor functions cannot be read.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Test
- GitHub Check: Codacy Static Code Analysis
- GitHub Check: Codoki PR Review
🔇 Additional comments (1)
tests/actions.test.ts (1)
12-12: Good switch off bun; increase Vitest hook timeout to fix CI error.
The CI failure “Hook timed out in 10000ms” points at beforeAll (Line 22). Given network calls plus sleeps, raise the hook timeout. Apply this diff (outside the selected line to adjust the beforeAll close):
- beforeAll(async () => {
+ beforeAll(async () => {
    chain = await getChainData();
    collection = chain.contracts.cw721_base.address!;
    await sleep(4500);
    cred_acc = chain.contracts.cw82_tba_credentials.address;
    expect(cred_acc).toBeDefined();
- });
+ }, 30000);
Alternatively, set test: { hookTimeout: 30000 } in vitest.config.ts for all suites.
| .github | ||
There was a problem hiding this comment.
Do not ignore .github — this will block future CI/workflow updates.
Adding .github to .gitignore can prevent adding/renaming workflow files and other GitHub configs in future PRs. Remove it to avoid silently missing CI changes.
Apply this diff:
-.github
🤖 Prompt for AI Agents
.gitignore around lines 39-40 contains a line ignoring the .github directory
which blocks adding/updating GitHub workflows and configs; remove the ".github"
entry from .gitignore (delete that line), save and commit the change so the
.github directory and its files will be tracked and future workflow/CI updates
aren’t silently ignored.
Summary by Sourcery
Enhance the GitHub Actions build workflow by renaming it, revising triggers, adding manual dispatch, concurrency control, an optimization job, and fixing Clippy invocation
Bug Fixes:
Enhancements:
CI:
Description by Callstackai
This PR enhances the GitHub Actions build workflow by renaming it, revising triggers, adding manual dispatch, concurrency control, an optimization job, and fixing Clippy invocation. It also updates dependencies and removes unused configurations.
Diagrams of code changes
sequenceDiagram
  participant Test
  participant Utils
  participant Timer
  Test->>Utils: Import sleep function
  Utils->>Timer: sleep(ms)
  Note over Timer: New utility function<br/>for test delays
  Timer-->>Utils: Promise resolution
  Utils-->>Test: Delayed execution
Files Changed
This PR includes files in programming languages that we currently do not support. We have not reviewed files with the extension .toml. See list of supported languages.
Summary by CodeRabbit
Important
Enhance GitHub Actions CI workflow with new features, fix Clippy command, update dependencies, and remove unused configurations.
- build.yml to "Build Package CI".
- push and pull_request events; add workflow_dispatch with beta_release input.
- concurrency control to group runs and cancel redundant non-main workflows.
- optimize_ci job using graphite-ci-action to conditionally skip builds.
- build.yml by correcting argument order for --message-format.
- vitest.yml.
- vitest and add @vitest/coverage-v8 in package.json.
- .cargo/config.toml.
- sleep function to src/utils.ts and update its usage in tests/actions.test.ts.
This description was created by
for b7670c5. You can customize this summary. It will automatically update as commits are pushed.