Skip to content

chore(workflows): bin auto-label, nightly-release-test, issue-triage#5271

Merged
leaanthony merged 3 commits into
masterfrom
chore/workflow-pre-merge-master
Apr 29, 2026
Merged

chore(workflows): bin auto-label, nightly-release-test, issue-triage#5271
leaanthony merged 3 commits into
masterfrom
chore/workflow-pre-merge-master

Conversation

@leaanthony

@leaanthony leaanthony commented Apr 29, 2026

Copy link
Copy Markdown
Member

Summary

Retires three workflows on master ahead of the v3-alpha → master merge. Companion PR removes the same three files from v3-alpha, so the merge has zero conflict on any of them.

  • auto-label-issues.yml — retire the auto-labeller (rather than maintaining it across both versions).
  • test-nightly-releases.yml — manual dry-run diagnostic that has not run in 7+ months; the actual nightly-release-v3.yml + weekly-release-v2.yml exercise the same logic for real.
  • issue-triage-automation.yml — issue triage is moving to a real agent-driven workflow.

Test plan

  • CI green
  • No remaining references: grep -rn "auto-label-issues\|test-nightly-releases\|issue-triage-automation" .github returns no matches.

🤖 Generated with Claude Code

Adopts three workflow changes that already exist on v3-alpha so the
eventual v3-alpha → master merge has fewer conflicts to hand-resolve:

- auto-label-issues.yml: switch the PR trigger from `pull_request` to
  `pull_request_target` so the workflow can label PRs from forks.
- test-nightly-releases.yml: add a top-level `permissions: contents: read`
  block (least-privilege hardening).
- issue-triage-automation.yml: extend the issue trigger types to include
  `reopened, labeled, unlabeled` so triage runs on relabels too.

No behaviour change for v2 paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 29, 2026 11:33
@coderabbitai

coderabbitai Bot commented Apr 29, 2026

Copy link
Copy Markdown
Contributor

Warning

Rate limit exceeded

@leaanthony has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 17 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7b311b98-c6ed-4fb8-9b92-0ed2bebb619f

📥 Commits

Reviewing files that changed from the base of the PR and between d861ec1 and c667099.

📒 Files selected for processing (2)
  • .github/workflows/issue-triage-automation.yml
  • .github/workflows/test-nightly-releases.yml
📝 Walkthrough

Walkthrough

The auto-label workflow file was removed; the issue-triage workflow’s issue triggers were broadened to include reopened, labeled, and unlabeled; and the test-nightly-releases workflow now declares top-level permissions: contents: read.

Changes

Cohort / File(s) Summary
Auto-label Workflow Removed
​.github/workflows/auto-label-issues.yml
The entire auto-label workflow file was deleted, removing its issue and pull request event triggers and the job that applied labels (including references to .github/issue-labeler.yml and .github/file-labeler.yml).
Issue Event Triggers Expansion
​.github/workflows/issue-triage-automation.yml
Expanded issue event triggers to run on opened, reopened, labeled, and unlabeled events (previously only opened). No job logic changes reported.
Explicit Permissions Declaration
​.github/workflows/test-nightly-releases.yml
Added a top-level permissions block granting contents: read for the workflow run; job steps unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibble through YAML, tidy and bright,
I hopped away an old workflow last night.
Triggers stretch wider, permissions set neat,
I thump little paws — automation’s a treat! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description provides clear context and rationale for the changes but does not follow the required template structure with sections like 'Type of change', 'How Has This Been Tested', or completion of the checklist items. Fill in the required template sections including Type of change, test configuration details, and mark relevant checklist items to align with repository standards.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately reflects the main changes: removing auto-label-issues workflow and hardening nightly-release-test workflow permissions, with issue-triage trigger expansion.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/workflow-pre-merge-master

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/8 reviews remaining, refill in 7 minutes and 17 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/auto-label-issues.yml (1)

17-18: Consider adding explicit ref to prevent accidental checkout of untrusted code.

With pull_request_target, if someone later modifies this checkout to use ${{ github.event.pull_request.head.sha }}, it would run untrusted fork code with write permissions—a known pwn-request vulnerability. Adding an explicit ref makes the security posture clear and guards against accidental modifications.

🛡️ Suggested hardening
      - name: Checkout repository
        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.repository.default_branch }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/auto-label-issues.yml around lines 17 - 18, The checkout
step using actions/checkout@v3 lacks an explicit ref which can allow accidental
checkout of untrusted code; update the Checkout repository step
(actions/checkout@v3) to include an explicit ref input (e.g., set the ref field
to a fixed, server-side Git ref/sha such as the PR head SHA variable) so the
action always checks out a deterministically specified ref, and ensure no other
steps or inputs later override this ref with user-controlled values.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/issue-triage-automation.yml:
- Line 5: The "Request more info" step is currently triggered on all label
events and can repost comments or re-add the awaiting feedback label; modify
that step in the workflow to guard against relabel-triggered runs by adding an
if-condition that only allows the step when github.event.action is
opening/reopening or when the label event specifically matches the
awaiting-feedback label (e.g. github.event.action == 'opened' ||
github.event.action == 'reopened' || (github.event.action == 'labeled' &&
github.event.label.name == 'awaiting feedback')); additionally add a quick
idempotency check inside the step to detect an existing bot comment or existing
'awaiting feedback' label before posting/adding to avoid duplicates (reference
the "Request more info" step and the 'awaiting feedback' label in your changes).

---

Nitpick comments:
In @.github/workflows/auto-label-issues.yml:
- Around line 17-18: The checkout step using actions/checkout@v3 lacks an
explicit ref which can allow accidental checkout of untrusted code; update the
Checkout repository step (actions/checkout@v3) to include an explicit ref input
(e.g., set the ref field to a fixed, server-side Git ref/sha such as the PR head
SHA variable) so the action always checks out a deterministically specified ref,
and ensure no other steps or inputs later override this ref with user-controlled
values.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6fb7340e-f9ef-4585-9297-a203e6967dc9

📥 Commits

Reviewing files that changed from the base of the PR and between e3b472f and 93e9a60.

📒 Files selected for processing (3)
  • .github/workflows/auto-label-issues.yml
  • .github/workflows/issue-triage-automation.yml
  • .github/workflows/test-nightly-releases.yml

Comment thread .github/workflows/issue-triage-automation.yml Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Ports workflow security/permissions and trigger adjustments from v3-alpha to reduce future merge conflicts while hardening CI behavior.

Changes:

  • Add least-privilege default contents: read permissions to the nightly-release test workflow.
  • Expand issue-triage automation to also run on reopened, labeled, and unlabeled issue events.
  • Switch auto-label workflow PR trigger to pull_request_target so labeling can run for PRs from forks.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/test-nightly-releases.yml Adds top-level read-only repo contents permission for least privilege.
.github/workflows/issue-triage-automation.yml Runs triage automation on additional issue event types (including relabels).
.github/workflows/auto-label-issues.yml Uses pull_request_target to enable labeling PRs from forks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/auto-label-issues.yml Outdated
Comment on lines 5 to 7
types: [opened, edited, reopened]
pull_request:
pull_request_target:
types: [opened, edited, reopened, synchronize]

Copilot AI Apr 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By switching to pull_request_target, this workflow will run for PRs from forks with the base repo’s GITHUB_TOKEN (and any available secrets). To reduce the security risk, consider hardening the job by pinning all referenced actions to a full commit SHA (and/or at least updating actions/checkout@v3 to @v4) so a compromised/moved tag can’t be used to execute arbitrary code in this elevated context. Also keep ensuring you never checkout github.event.pull_request.head.sha in this workflow.

Copilot uses AI. Check for mistakes.
Comment on lines +4 to +5
issues:
types: [opened]
types: [opened, reopened, labeled, unlabeled]

Copilot AI Apr 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extending the trigger to labeled/unlabeled will re-run the “Request more info” step on every relabel, which can create duplicate comments on the same issue (and re-add awaiting feedback) whenever the issue still matches the bug/body predicates. If the intent is to act only when specific labels change, gate the relevant steps on github.event.action (e.g., only opened/reopened, or only labeled when github.event.label.name is the label you care about), or add a check to avoid posting the same comment repeatedly.

Copilot uses AI. Check for mistakes.
Decided not to keep the auto-labeller — easier to retire than to keep
hardening it across the v2/v3 split. Removing it from master here
(see companion PR for the same removal on v3-alpha).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@leaanthony leaanthony changed the title chore(workflows): pre-merge security/perm hardening from v3-alpha chore(workflows): bin auto-label-issues + pre-merge perm hardening Apr 29, 2026
Issue triage is moving to a real agent-driven workflow, and the
nightly-release "dry run" test workflow has been unused for 7+ months
(superseded by the actual nightly-release-v3 and weekly-release-v2
pipelines). Removing both reduces maintenance surface and eliminates
two more files from the v3-alpha → master merge.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@leaanthony leaanthony changed the title chore(workflows): bin auto-label-issues + pre-merge perm hardening chore(workflows): bin auto-label, nightly-release-test, issue-triage Apr 29, 2026
@leaanthony leaanthony merged commit c2cc485 into master Apr 29, 2026
14 of 15 checks passed
@leaanthony leaanthony deleted the chore/workflow-pre-merge-master branch April 29, 2026 11:47
@leaanthony leaanthony mentioned this pull request Apr 29, 2026
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants