Register Quality Tiger Team plugin with quality analysis skills#4
📝 Walkthrough
This pull request adds a new plugin entry named
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ Passed checks (2 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@registry.yaml`:
- Around line 142-146: The registry.yaml currently references the plugin repo by
mutable branch name (ref: main) which is a supply-chain risk; change the source
ref in registry.yaml from the branch name to an immutable identifier (a commit
SHA or a signed tag) for the repository specified under source.repo
(antowaddle/Red-Hat-Quality-Tiger-Team) and ensure any tooling that generates
.claude-plugin/marketplace.json also records the same immutable ref (not the
branch) so installs always fetch the pinned revision; update codepaths that read
source.ref to accept and validate SHA/tag formats if needed and re-run
generation so marketplace.json contains the pinned revision as well.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: a27ea2b3-b359-4f85-a94c-6a35155bdb16
📒 Files selected for processing (3)
- .claude-plugin/marketplace.json
- catalog.md
- registry.yaml
| source: | ||
| type: github | ||
| repo: antowaddle/Red-Hat-Quality-Tiger-Team | ||
| ref: main | ||
| skills_dir: .claude/skills |
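Review bot: the `ref: main` line in this block is the one the CodeRabbit comment that follows asks to pin, but the two alternatives it offers are not equally strong: a tag is only immutable to the extent the repository protects it, since a lightweight tag can be re-pointed at another commit, whereas a full 40-char commit SHA cannot change meaning. Prefer the SHA, reject short prefixes when validating `source.ref` (they can become ambiguous as the repository grows), and note the corresponding release tag in the PR description so the next bump can be reviewed as a diff between two SHAs.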
Pin plugin source to an immutable revision (CWE-494, CWE-829).
Severity: High. Exploit scenario: if antowaddle/Red-Hat-Quality-Tiger-Team branch main is force-pushed or compromised, future installs can pull attacker-controlled plugin code.
Remediation
source:
  type: github
  repo: antowaddle/Red-Hat-Quality-Tiger-Team
- ref: main
+ ref: <pinned-commit-sha>  # 40-char commit hash for the reviewed release
This root-cause fix also removes the same risk in generated .claude-plugin/marketplace.json.
As per coding guidelines, "**: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code)".
📝 Committable suggestion
| source: | |
| type: github | |
| repo: antowaddle/Red-Hat-Quality-Tiger-Team | |
| ref: main | |
| skills_dir: .claude/skills | |
| source: | |
| type: github | |
| repo: antowaddle/Red-Hat-Quality-Tiger-Team | |
| ref: <pinned-commit-sha> # 40-char commit hash for the reviewed release | |
| skills_dir: .claude/skills |
/cc @astefanutti
- Registers the `quality-tiger-team` plugin (`antowaddle/Red-Hat-Quality-Tiger-Team`) in the skills registry
- Adds 3 user-invocable skills for RHOAI component quality improvement
- Updates `registry.yaml`, `marketplace.json`, and `catalog.md`

| Skill | Description |
|-------|-------------|
| `quality-repo-analysis` | Automated analysis tool that evaluates CI/CD, testing, security, and best practices against gold standards |
| `konflux-build-simulator` | Generate GitHub Actions workflows that simulate Konflux builds at PR time to catch failures before merge |
| `test-rules-generator` | Extract test patterns from existing tests and generate .claude/rules/ documentation for consistency |

```bash
/plugin install quality-tiger-team@opendatahub-skills
```
a449506 to 0544c92
Remove skills field from quality-tiger-team plugin entry - this field is auto-generated by the sync script and should not be manually added.
| install: "/plugin install test-plan@opendatahub-skills" | ||
| depends_on: [] | ||
|
|
||
| - name: quality-tiger-team |
What would be a more functionally descriptive name for the plugin? Maybe something like qe-tools or quality-tooling?
| type: github | ||
| repo: antowaddle/Red-Hat-Quality-Tiger-Team | ||
| ref: main | ||
| skills_dir: .claude/skills |
skills_dir can be removed as it's the default.
| harnesses: | ||
| claude-code: | ||
| install: "/plugin install quality-tiger-team@opendatahub-skills" | ||
| depends_on: [] |
nit: this can be removed
| skills_dir: .claude/skills | ||
| homepage: https://github.com/antowaddle/Red-Hat-Quality-Tiger-Team | ||
| repository: https://github.com/antowaddle/Red-Hat-Quality-Tiger-Team | ||
| skills: |
Not sure if you want to expose the workflow-diagram-generator skill?
Not yet, this was something we were initially just using to chart the progress.
Sounds good, thanks for confirming.
- Rename quality-tiger-team to quality-tooling
- Remove skills_dir (using default .claude/skills)
- Remove harnesses section (not needed)
- Remove depends_on (empty array not needed)
- Regenerate marketplace.json and catalog.md
♻️ Duplicate comments (1)
registry.yaml (1)
Lines 227-230: ⚠️ Potential issue | 🔴 Critical
Pin plugin source to an immutable revision (CWE-494, CWE-829). Severity: High.
Line 230 uses `ref: main`, which is mutable. Exploit scenario: if `antowaddle/Red-Hat-Quality-Tiger-Team` `main` is force-pushed or compromised, future installs can pull attacker-controlled plugin code.
Remediation diff
source:
  type: github
  repo: antowaddle/Red-Hat-Quality-Tiger-Team
- ref: main
+ sha: <40-char-reviewed-commit-sha>
As per coding guidelines, "**: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code)".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@registry.yaml` around lines 227 - 230, The registry source currently uses a mutable ref ("ref: main") for source.type=github and repo=antowaddle/Red-Hat-Quality-Tiger-Team; replace that mutable ref with an immutable identifier (a specific commit SHA or a versioned tag/release) so the plugin is pinned to an exact revision—update the ref value under the source block (where repo and type are defined) to a commit SHA or annotated tag instead of "main" and document the chosen immutable ref.
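One way to implement the `source.ref` validation that both CodeRabbit comments ask for (accept a commit SHA or version tag, reject a branch name, and confirm the generated marketplace.json carries the same pinned ref). This is an added example, not the registry's own sync script; the `plugins` list key, the marketplace.json shape, the sample entries and the 40-char SHA are all constructed assumptions.

```python
import json
import re

# Immutable identifiers: a full lowercase 40-hex commit SHA or a version tag like v1.2.3.
# Short SHA prefixes are rejected on purpose (assumed policy): they can become ambiguous.
SHA40 = re.compile(r"[0-9a-f]{40}")
VERSION_TAG = re.compile(r"v?\d+\.\d+\.\d+")

def classify_ref(ref):
    """Return 'sha', 'tag' or 'mutable' for a source.ref value."""
    value = "" if ref is None else str(ref).strip()
    if SHA40.fullmatch(value):
        return "sha"
    if VERSION_TAG.fullmatch(value):
        return "tag"
    return "mutable"  # branch names such as main, short prefixes, empty values

def check_registry(plugins, marketplace):
    """Flag mutable source.ref values and marketplace.json copies that disagree with registry.yaml."""
    findings = []
    generated = {p["name"]: p for p in marketplace.get("plugins", [])}
    for plugin in plugins:
        name = plugin["name"]
        ref = plugin.get("source", {}).get("ref")
        if classify_ref(ref) == "mutable":
            findings.append((name, f"source.ref {ref!r} is mutable; pin a 40-char SHA or a version tag"))
        copy = generated.get(name)
        if copy is None:
            findings.append((name, "missing from marketplace.json; re-run generation"))
        elif copy.get("source", {}).get("ref") != ref:
            findings.append((name, "marketplace.json ref differs from registry.yaml; re-run generation"))
    return findings

# Constructed sample: registry.yaml entries in parsed form (no YAML parser needed); the SHA is made up.
REGISTRY_PLUGINS = [
    {"name": "quality-tiger-team",
     "source": {"type": "github", "repo": "antowaddle/Red-Hat-Quality-Tiger-Team", "ref": "main"}},
    {"name": "test-plan",
     "source": {"type": "github", "repo": "example/test-plan",
                "ref": "0123456789abcdef0123456789abcdef01234567"}},
]
# Constructed marketplace.json: test-plan was pinned in the registry but never regenerated.
MARKETPLACE_JSON = json.dumps({"plugins": [
    {"name": "quality-tiger-team", "source": {"ref": "main"}},
    {"name": "test-plan", "source": {"ref": "main"}},
]})

def run_checks():
    return check_registry(REGISTRY_PLUGINS, json.loads(MARKETPLACE_JSON))
```

Running the checks over the sample reports `quality-tiger-team` for its mutable `main` ref and `test-plan` for a marketplace.json copy that still carries the old ref, which is the second failure mode the comments warn about.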
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 60a566c3-9309-43de-90fc-fb56a5d98e05
📒 Files selected for processing (3)
- .claude-plugin/marketplace.json
- catalog.md
- registry.yaml
✅ Files skipped from review due to trivial changes (1)
- catalog.md
🚧 Files skipped from review as they are similar to previous changes (1)
- .claude-plugin/marketplace.json