Conversation
AI-Generated Change: - Model: claude-sonnet-4-6 - Intent: add missing CI/CD workflows - Impact: added build-tests, coverage, lint, license_check, pip_audit, repo-health, release-preview, release_workflow, publish_stable, opm-check, conventional-label; also added sympy to test extras to fix test_quantize_success - Verified via: reviewed gh-automations workflow inputs for build-tests and coverage Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
📝 WalkthroughWalkthroughThis pull request establishes a comprehensive CI/CD infrastructure by adding ten GitHub Actions workflows that orchestrate pull request validation, release automation, and repository health monitoring, along with updating test dependencies in ChangesCI/CD Workflow Infrastructure
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Beep boop! Data processing finished. ⚙️I've aggregated the results of the automated checks for this PR below. 📋 Repo HealthHealth report: The repository is thriving! 🌟 ✅ All required files present. Latest Version: ✅ 🏷️ Release PreviewI've performed a final polish on the release notes. 🧼 Current:
✅ PR title follows conventional commit format. 🚀 Release Channel Compatibility Predicted next version:
📊 CoverageEnsuring the logic is battle-tested. ⚔️ ✅ 85.5% total coverage Files below 80% coverage (1 file)
Full report: download the 🔒 Security (pip-audit)Checking for any potential security regressions. 🔄 ✅ No known vulnerabilities found (39 packages scanned). 🔨 Build TestsThe build results are looking solid. 💎 ✅ All versions pass
System.exit(0); // With love from OVOS 🖥️ |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (2)
.github/workflows/lint.yml (1)
11-20: ⚡ Quick winRedundant non-blocking error handling.
Both
continue-on-error: true(Line 11) and|| true(Line 20) suppress lint failures. Dropping|| truewould still keep the job non-blocking (viacontinue-on-error) while letting the step itself surface a red ❌ when ruff finds problems — useful signal in the PR checks UI. As-is, the step is always green and you lose visibility into lint regressions.Proposed fix
- name: Run ruff - run: ruff check . || true + run: ruff check .🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lint.yml around lines 11 - 20, The "Run ruff" step currently masks failures twice: the job-level continue-on-error: true and the step-level shell suffix "|| true"; remove the "|| true" from the run command (the line containing "ruff check . || true") so the step will surface a failing status while the job remains non-blocking via continue-on-error; leave continue-on-error as-is and only change the run value to "ruff check ." in the Run ruff step..github/workflows/coverage.yml (1)
15-15: 💤 Low valueClarify the
install_extrascontract mismatch between workflows
In.github/workflows/coverage.yml,install_extrasis passed as a raw pip argument (-e .[test,ovos]). Thecoverage.ymlreusable workflow documentsinstall_extrasas “extra pip install arguments” (e.g..[dev]/-r ...), whilebuild-tests.ymldocuments it as “pip extras appended to the install command” (e.g.test/dev,test). Add a brief inline comment next toinstall_extras: '-e .[test,ovos]'so this isn’t “normalized” into the wrong format later.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/coverage.yml at line 15, Add a brief inline comment next to the existing install_extras entry to clarify the intended format and avoid downstream normalization: explain that install_extras is being passed as a raw pip argument '-e .[test,ovos]' (not just extras like 'test' or 'dev') so maintainers know this value includes the '-e' editable flag and explicit extras list; reference the install_extras key and the literal '-e .[test,ovos]' in the comment so future edits to the coverage reusable workflow or build-tests.yml preserve the expected contract.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/conventional-label.yaml:
- Around line 6-10: Add an explicit permissions block for the label job so the
action can write labels: in the job named "label" that runs the step using
bcoe/conventional-release-labels@v1, declare least-privilege permissions with
pull-requests: write (and keep other permissions minimal or read-only as needed)
to ensure the GITHUB_TOKEN can call the Issues/PRs API and avoid 403s in
read-only defaults.
- Line 10: Replace the floating action tag with the specific commit SHA: update
the uses reference `bcoe/conventional-release-labels@v1` to the immutable commit
`bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8` so
the workflow running on pull_request_target no longer follows a moving tag and
is pinned to the known commit.
In @.github/workflows/release_workflow.yml:
- Around line 12-13: Replace the loose workflow reference and broad secrets
inheritance with a pinned ref and an explicit secrets list: change the uses
entry currently pointing to
OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev to a commit
SHA or immutable tag (pin the ref) and replace secrets: inherit with an explicit
secrets: mapping that only supplies the secrets the publish-alpha workflow needs
(match the required secret names defined by publish-alpha.yml); apply the same
pin-and-explicit-secrets change for other occurrences (e.g., release-preview.yml
and publish_stable.yml) to ensure immutable inputs and least-privilege secrets.
In @.github/workflows/release-preview.yml:
- Around line 10-11: The reusable workflow invocation in release-preview.yml
uses a mutable ref ("uses:
OpenVoiceOS/gh-automations/.../release-preview.yml@dev") and forwards all
secrets via "secrets: inherit"; change the "uses" ref to a pinned immutable ref
(tag or commit SHA) and remove "secrets: inherit", instead explicitly pass only
the minimum required secrets by name (or omit the secrets block if none are
needed) so secrets are not broadly exposed; update the "uses" line and replace
the "secrets: inherit" entry with an explicit mapping of required secrets (or
remove it) to harden the release-preview workflow.
---
Nitpick comments:
In @.github/workflows/coverage.yml:
- Line 15: Add a brief inline comment next to the existing install_extras entry
to clarify the intended format and avoid downstream normalization: explain that
install_extras is being passed as a raw pip argument '-e .[test,ovos]' (not just
extras like 'test' or 'dev') so maintainers know this value includes the '-e'
editable flag and explicit extras list; reference the install_extras key and the
literal '-e .[test,ovos]' in the comment so future edits to the coverage
reusable workflow or build-tests.yml preserve the expected contract.
In @.github/workflows/lint.yml:
- Around line 11-20: The "Run ruff" step currently masks failures twice: the
job-level continue-on-error: true and the step-level shell suffix "|| true";
remove the "|| true" from the run command (the line containing "ruff check . ||
true") so the step will surface a failing status while the job remains
non-blocking via continue-on-error; leave continue-on-error as-is and only
change the run value to "ruff check ." in the Run ruff step.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 0e6d79c1-6bd1-4758-bbc6-818d4bfb1a9b
📒 Files selected for processing (12)
.github/workflows/build-tests.yml.github/workflows/conventional-label.yaml.github/workflows/coverage.yml.github/workflows/license_check.yml.github/workflows/lint.yml.github/workflows/opm-check.yml.github/workflows/pip_audit.yml.github/workflows/publish_stable.yml.github/workflows/release-preview.yml.github/workflows/release_workflow.yml.github/workflows/repo-health.ymlpyproject.toml
| jobs: | ||
| label: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: bcoe/conventional-release-labels@v1 |
There was a problem hiding this comment.
Add an explicit permissions: block — the job needs pull-requests: write to apply labels.
bcoe/conventional-release-labels@v1 calls the Issues/PRs API to add labels using GITHUB_TOKEN. In repositories (or orgs) where the default workflow token is read-only, the labeling step will fail with a 403. Declaring least-privilege permissions explicitly also tightens the security posture of a pull_request_target workflow (which runs with access to repo secrets) and silences the dangerous-triggers concern from static analysis since this job only labels and never checks out PR code.
🛡️ Proposed fix
# auto add labels to PRs
on:
pull_request_target:
types: [ opened, edited ]
name: conventional-release-labels
+permissions:
+ contents: read
+ pull-requests: write
jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: bcoe/conventional-release-labels@v1📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| jobs: | |
| label: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: bcoe/conventional-release-labels@v1 | |
| # auto add labels to PRs | |
| on: | |
| pull_request_target: | |
| types: [ opened, edited ] | |
| name: conventional-release-labels | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| label: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: bcoe/conventional-release-labels@v1 |
🧰 Tools
🪛 zizmor (1.25.2)
[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/conventional-label.yaml around lines 6 - 10, Add an
explicit permissions block for the label job so the action can write labels: in
the job named "label" that runs the step using
bcoe/conventional-release-labels@v1, declare least-privilege permissions with
pull-requests: write (and keep other permissions minimal or read-only as needed)
to ensure the GITHUB_TOKEN can call the Issues/PRs API and avoid 403s in
read-only defaults.
| label: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: bcoe/conventional-release-labels@v1 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Resolve current v1 tag of bcoe/conventional-release-labels to a commit SHA
gh api repos/bcoe/conventional-release-labels/git/refs/tags/v1 --jq '.object'
gh api repos/bcoe/conventional-release-labels/releases --jq '.[0:3] | .[] | {tag_name, published_at}'Repository: TigreGotico/markovonnx
Length of output: 430
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# 1) Confirm the targeted workflow line
echo "---- workflow snippet ----"
sed -n '1,80p' .github/workflows/conventional-label.yaml
# 2) Resolve the tag object returned for refs/tags/v1 to the underlying commit SHA
echo "---- resolve tag object -> commit ----"
gh api repos/bcoe/conventional-release-labels/git/tags/b503ca473654e07521c051628c5f1f969e7436da --jq '{sha: .object.sha, object_type: .object.type, tag: .tag}'
# Also resolve tags/v1.3.1, to ensure it matches
echo "---- resolve v1.3.1 tag -> commit ----"
gh api repos/bcoe/conventional-release-labels/git/refs/tags/v1.3.1 --jq '.object'
EOFRepository: TigreGotico/markovonnx
Length of output: 728
Pin bcoe/conventional-release-labels to an immutable commit SHA
This workflow runs on pull_request_target, so pinning avoids supply-chain risk from a moving tag. bcoe/conventional-release-labels@v1 currently resolves to commit 886f696738527c7be444262c327c89436dfb95a8 (v1.3.1).
Suggested change
- - uses: bcoe/conventional-release-labels@v1
+ - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 # v1.3.1📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: bcoe/conventional-release-labels@v1 | |
| - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 # v1.3.1 |
🧰 Tools
🪛 zizmor (1.25.2)
[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/conventional-label.yaml at line 10, Replace the floating
action tag with the specific commit SHA: update the uses reference
`bcoe/conventional-release-labels@v1` to the immutable commit
`bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8` so
the workflow running on pull_request_target no longer follows a moving tag and
is pinned to the known commit.
| uses: OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev | ||
| secrets: inherit |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the specific workflow and surrounding lines
ls -la .github/workflows || true
sed -n '1,220p' .github/workflows/release_workflow.yml | nl -ba | sed -n '1,220p'
# Extract the publish_alpha job section (best-effort)
rg -n "publish_alpha|publish-alpha\.yml|secrets:\s*inherit|uses:\s*OpenVoiceOS/gh-automations" .github/workflows/release_workflow.yml -n || true
# Find other workflows using the same automation repo/workflow to see if they pin commits and how they handle secrets
rg -n "OpenVoiceOS/gh-automations/\.github/workflows/publish-alpha\.yml|OpenVoiceOS/gh-automations/.github/workflows/publish-alpha\.yml@|secrets:\s*inherit" .github/workflows -S || trueRepository: TigreGotico/markovonnx
Length of output: 949
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the workflow with line numbers (using awk to avoid nl dependency)
awk '{printf "%4d\t%s\n", NR, $0}' .github/workflows/release_workflow.yml | sed -n '1,220p'
# Pull only the relevant bits for publish_alpha
awk 'NR>=1 && NR<=220 {print}' .github/workflows/release_workflow.yml | \
rg -n "publish_alpha|publish-alpha\.yml|secrets:\s*inherit|OpenVoiceOS/gh-automations" || true
# Search other workflows for the same automation and for secrets inheritance
rg -n "OpenVoiceOS/gh-automations/\.github/workflows/publish-alpha\.yml@|OpenVoiceOS/gh-automations/.github/workflows/publish-alpha\.yml@|secrets:\s*inherit" .github/workflows || true
# Also check if publish_stable is similarly pinned
rg -n "publish_stable|publish-stable\.yml|OpenVoiceOS/gh-automations" .github/workflows || trueRepository: TigreGotico/markovonnx
Length of output: 2606
Pin the gh-automations ref and restrict secrets for alpha publish automation (publish_alpha)
- In
.github/workflows/release_workflow.ymllines 12-13,uses: OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@devis not pinned to an immutable commit. secrets: inheritgrants the called workflow access to all available repo secrets; switch to an explicitsecrets:list containing only whatpublish-alpha.ymlrequires (the same@dev+secrets: inheritpattern also exists in other workflows in this repo, e.g.,release-preview.yml,publish_stable.yml).
🧰 Tools
🪛 zizmor (1.25.2)
[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 12-12: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow
(secrets-inherit)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release_workflow.yml around lines 12 - 13, Replace the
loose workflow reference and broad secrets inheritance with a pinned ref and an
explicit secrets list: change the uses entry currently pointing to
OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev to a commit
SHA or immutable tag (pin the ref) and replace secrets: inherit with an explicit
secrets: mapping that only supplies the secrets the publish-alpha workflow needs
(match the required secret names defined by publish-alpha.yml); apply the same
pin-and-explicit-secrets change for other occurrences (e.g., release-preview.yml
and publish_stable.yml) to ensure immutable inputs and least-privilege secrets.
| uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@dev | ||
| secrets: inherit |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the relevant section with line numbers
sed -n '1,200p' .github/workflows/release-preview.yml | nl -ba | sed -n '1,120p'Repository: TigreGotico/markovonnx
Length of output: 109
🌐 Web query:
OpenVoiceOS gh-automations reusable workflow release-preview.yml secrets inherit requirements
💡 Result:
In GitHub Actions, the secrets: inherit keyword is a mechanism used when calling reusable workflows to implicitly pass all secrets from the caller workflow to the called (reusable) workflow [1][2][3]. Regarding your query about OpenVoiceOS release-preview.yml and secret inheritance requirements: 1. Functionality: When you specify secrets: inherit in a job that calls a reusable workflow, the called workflow gains access to all secrets available to the caller (including repository and environment secrets, provided the environment is correctly scoped) [1][3][4]. This avoids the need to explicitly map each individual secret [1][2]. 2. Requirements and Limitations: * Scope: Secret inheritance works only for reusable workflows within the same organization or enterprise [3]. * Principle of Least Privilege: While secrets: inherit simplifies configuration, it is often discouraged by security tooling (e.g., Semgrep rules) because it violates the principle of least privilege by granting the called workflow access to all repository secrets, rather than only those strictly required [5]. * Implementation in OpenVoiceOS: The release-preview.yml in OpenVoiceOS/gh-automations is a standard reusable workflow [6]. If you are implementing this in your own repository, you can call it using: yaml jobs: release-preview: uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@main secrets: inherit 3. Troubleshooting: If secrets are not propagating as expected, ensure you are not chaining workflows incorrectly. Secrets are only passed to directly called workflows [7][3]. In a chain of A > B > C, workflow C will only receive secrets from A if they are passed from A to B, and then from B to C [7][3]. If you continue to face evaluation errors, you may need to explicitly define the required secrets in the secrets map as a fallback [8].
Citations:
- 1: https://stackoverflow.com/questions/71524542/how-to-use-reusable-github-workflows-and-keep-secrets-in-a-single-place
- 2: https://github.blog/changelog/2022-05-03-github-actions-simplify-using-secrets-with-reusable-workflows/
- 3: https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows
- 4: https://cloudchronicles.blog/blog/Passing-Environment-Secrets-and-Variables-to-Reusable-Workflows-in-GitHub-Actions/
- 5: semgrep/semgrep-rules@6b4f11f
- 6: https://github.com/OpenVoiceOS/gh-automations
- 7: https://github.com/github/docs/blob/main/content/actions/how-tos/reuse-automations/reuse-workflows.md
- 8: Passing in secrets to reusable workflow does not work actions/runner#2709
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Print file with line numbers (avoid `nl`, since it may not exist)
awk 'NR>=1 && NR<=60 {printf "%d: %s\n", NR, $0}' .github/workflows/release-preview.ymlRepository: TigreGotico/markovonnx
Length of output: 410
Pin the reusable workflow ref and avoid secrets: inherit
In .github/workflows/release-preview.yml (lines 10–11), the job calls OpenVoiceOS/gh-automations/.../release-preview.yml@dev (mutable ref) and forwards all secrets via secrets: inherit, increasing supply-chain and secret-exposure risk in the release preview path.
Suggested hardening diff
- uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@dev
- secrets: inherit
+ uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@<pinned_commit_sha>
+ # Omit secrets unless this reusable workflow explicitly requires them.🧰 Tools
🪛 zizmor (1.25.2)
[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 10-10: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow
(secrets-inherit)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release-preview.yml around lines 10 - 11, The reusable
workflow invocation in release-preview.yml uses a mutable ref ("uses:
OpenVoiceOS/gh-automations/.../release-preview.yml@dev") and forwards all
secrets via "secrets: inherit"; change the "uses" ref to a pinned immutable ref
(tag or commit SHA) and remove "secrets: inherit", instead explicitly pass only
the minimum required secrets by name (or omit the secrets block if none are
needed) so secrets are not broadly exposed; update the "uses" line and replace
the "secrets: inherit" entry with an explicit mapping of required secrets (or
remove it) to harden the release-preview workflow.
1 participant
Summary
.github/workflows/at allinstall_extras: 'test,ovos'for build-tests so OPM-dependent tests (test/unittests/test_opm.py) do not fail on importinstall_extras: '-e .[test,ovos]'for coverage (the coverage reusable workflow takes a raw pip argument, not an extras name)opm-checkwithplugin_type: 'auto'— markovonnx registers multiple OPM entry points (opm.lang.detect,opm.postag,opm.keywords,opm.segmentation,opm.g2p,opm.agents.chat,opm.transformer.text)sympyto thetestoptional-dependency group to fixtest_onnx_export.py::TestQuantizeModel::test_quantize_success(was failing due to missingsympyimport)OpenVoiceOS/gh-automationsreusable workflows are pinned to@dev(never a SHA hash)Workflows added
build-tests.ymlcoverage.ymllint.ymllicense_check.ymlpip_audit.ymlrepo-health.ymlrelease-preview.ymlrelease_workflow.ymlpublish_stable.ymlopm-check.ymlconventional-label.yamlRequired secrets
Before pushing workflows to production, ensure these are set at org or repo level:
PYPI_TOKEN— PyPI API tokenMATRIX_TOKEN— Matrix access token🤖 Generated with Claude Code
Summary by CodeRabbit