chore(workflows): bin auto-label, nightly-release-test, issue-triage#5271
Conversation
Adopts three workflow changes that already exist on v3-alpha so the eventual v3-alpha → master merge has fewer conflicts to hand-resolve: - auto-label-issues.yml: switch the PR trigger from `pull_request` to `pull_request_target` so the workflow can label PRs from forks. - test-nightly-releases.yml: add a top-level `permissions: contents: read` block (least-privilege hardening). - issue-triage-automation.yml: extend the issue trigger types to include `reopened, labeled, unlabeled` so triage runs on relabels too. No behaviour change for v2 paths. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe auto-label workflow file was removed; the issue-triage workflow’s issue triggers were broadened to include Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/8 reviews remaining, refill in 7 minutes and 17 seconds.Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/auto-label-issues.yml (1)
17-18: Consider adding explicitrefto prevent accidental checkout of untrusted code.With
pull_request_target, if someone later modifies this checkout to use${{ github.event.pull_request.head.sha }}, it would run untrusted fork code with write permissions—a known pwn-request vulnerability. Adding an explicitrefmakes the security posture clear and guards against accidental modifications.🛡️ Suggested hardening
- name: Checkout repository uses: actions/checkout@v3 + with: + ref: ${{ github.event.repository.default_branch }}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/auto-label-issues.yml around lines 17 - 18, The checkout step using actions/checkout@v3 lacks an explicit ref which can allow accidental checkout of untrusted code; update the Checkout repository step (actions/checkout@v3) to include an explicit ref input (e.g., set the ref field to a fixed, server-side Git ref/sha such as the PR head SHA variable) so the action always checks out a deterministically specified ref, and ensure no other steps or inputs later override this ref with user-controlled values.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/issue-triage-automation.yml:
- Line 5: The "Request more info" step is currently triggered on all label
events and can repost comments or re-add the awaiting feedback label; modify
that step in the workflow to guard against relabel-triggered runs by adding an
if-condition that only allows the step when github.event.action is
opening/reopening or when the label event specifically matches the
awaiting-feedback label (e.g. github.event.action == 'opened' ||
github.event.action == 'reopened' || (github.event.action == 'labeled' &&
github.event.label.name == 'awaiting feedback')); additionally add a quick
idempotency check inside the step to detect an existing bot comment or existing
'awaiting feedback' label before posting/adding to avoid duplicates (reference
the "Request more info" step and the 'awaiting feedback' label in your changes).
---
Nitpick comments:
In @.github/workflows/auto-label-issues.yml:
- Around line 17-18: The checkout step using actions/checkout@v3 lacks an
explicit ref which can allow accidental checkout of untrusted code; update the
Checkout repository step (actions/checkout@v3) to include an explicit ref input
(e.g., set the ref field to a fixed, server-side Git ref/sha such as the PR head
SHA variable) so the action always checks out a deterministically specified ref,
and ensure no other steps or inputs later override this ref with user-controlled
values.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 6fb7340e-f9ef-4585-9297-a203e6967dc9
📒 Files selected for processing (3)
.github/workflows/auto-label-issues.yml.github/workflows/issue-triage-automation.yml.github/workflows/test-nightly-releases.yml
There was a problem hiding this comment.
Pull request overview
Ports workflow security/permissions and trigger adjustments from v3-alpha to reduce future merge conflicts while hardening CI behavior.
Changes:
- Add least-privilege default
contents: readpermissions to the nightly-release test workflow. - Expand issue-triage automation to also run on
reopened,labeled, andunlabeledissue events. - Switch auto-label workflow PR trigger to
pull_request_targetso labeling can run for PRs from forks.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/test-nightly-releases.yml | Adds top-level read-only repo contents permission for least privilege. |
| .github/workflows/issue-triage-automation.yml | Runs triage automation on additional issue event types (including relabels). |
| .github/workflows/auto-label-issues.yml | Uses pull_request_target to enable labeling PRs from forks. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| types: [opened, edited, reopened] | ||
| pull_request: | ||
| pull_request_target: | ||
| types: [opened, edited, reopened, synchronize] |
There was a problem hiding this comment.
By switching to pull_request_target, this workflow will run for PRs from forks with the base repo’s GITHUB_TOKEN (and any available secrets). To reduce the security risk, consider hardening the job by pinning all referenced actions to a full commit SHA (and/or at least updating actions/checkout@v3 to @v4) so a compromised/moved tag can’t be used to execute arbitrary code in this elevated context. Also keep ensuring you never checkout github.event.pull_request.head.sha in this workflow.
| issues: | ||
| types: [opened] | ||
| types: [opened, reopened, labeled, unlabeled] |
There was a problem hiding this comment.
Extending the trigger to labeled/unlabeled will re-run the “Request more info” step on every relabel, which can create duplicate comments on the same issue (and re-add awaiting feedback) whenever the issue still matches the bug/body predicates. If the intent is to act only when specific labels change, gate the relevant steps on github.event.action (e.g., only opened/reopened, or only labeled when github.event.label.name is the label you care about), or add a check to avoid posting the same comment repeatedly.
Decided not to keep the auto-labeller — easier to retire than to keep hardening it across the v2/v3 split. Removing it from master here (see companion PR for the same removal on v3-alpha). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Issue triage is moving to a real agent-driven workflow, and the nightly-release "dry run" test workflow has been unused for 7+ months (superseded by the actual nightly-release-v3 and weekly-release-v2 pipelines). Removing both reduces maintenance surface and eliminates two more files from the v3-alpha → master merge. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Retires three workflows on
masterahead of the v3-alpha → master merge. Companion PR removes the same three files fromv3-alpha, so the merge has zero conflict on any of them.auto-label-issues.yml— retire the auto-labeller (rather than maintaining it across both versions).test-nightly-releases.yml— manual dry-run diagnostic that has not run in 7+ months; the actualnightly-release-v3.yml+weekly-release-v2.ymlexercise the same logic for real.issue-triage-automation.yml— issue triage is moving to a real agent-driven workflow.Test plan
grep -rn "auto-label-issues\|test-nightly-releases\|issue-triage-automation" .githubreturns no matches.🤖 Generated with Claude Code