Skip to content

ci: enforce safer pull request evidence#716

Merged
BigSimmo merged 2 commits into
mainfrom
codex/pr-process-hardening-20260717
Jul 17, 2026
Merged

ci: enforce safer pull request evidence#716
BigSimmo merged 2 commits into
mainfrom
codex/pr-process-hardening-20260717

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 17, 2026

Copy link
Copy Markdown
Owner

Summary

  • Add a trusted, read-only PR metadata policy for outcome-focused titles, concrete verification, and risk/rollback evidence.
  • Correct CI failure triage so PR failures are compared only with the latest completed run of the same workflow on main.
  • Wire policy/triage self-tests into local and hosted gates, document the process, and record the completed exact-SHA cleanup of superseded PR test: harden reliable test execution #699.

Verification

  • npm run check:pr-policy — self-test passed
  • npm run check:ci-triage — self-test passed
  • npm run check:ci-scope — self-test passed
  • npm run check:github-actions — immutable pin check passed
  • Scoped Prettier check — all changed files matched
  • git diff --check
  • npm run verify:pr-local

Verification not run: npm run verify:pr-local was repeatedly blocked by the repository's cross-worktree heavyweight lock while other registered Database tasks were building/testing. Hosted exact-head CI is the required broad gate before merge.

Risk and rollout

  • Risk: medium; this changes required-process workflow behavior and CI failure attribution, but the new pull_request_target job has read-only permissions, checks out the exact trusted base SHA, and never executes PR-head code.
  • Rollback: revert commit 4983a7f31; the independent repository permission settings can be reversed through GitHub settings if they cause an unexpected workflow incompatibility.
  • Provider or production effects: GitHub-only. Read-only default Actions tokens, immutable Action SHA pinning, no Actions-authored approvals, secret push protection, automatic merged-branch deletion, and durable Codex routing labels were applied with explicit authorization. No Supabase, OpenAI, or production-data call ran.

Clinical Governance Preflight

Not applicable: this changes repository process metadata and CI orchestration only; no clinical, retrieval, source, privacy, document-access, or production application behavior changes.

Notes

  • Required-check enforcement will be updated only after this workflow is merged and observed on a fresh PR, avoiding a circular protection lockout.
  • One maintainer currently owns all CODEOWNERS paths, so this does not introduce an impossible self-approval requirement.

Summary by CodeRabbit

  • New Features
    • Added automated pull request policy checks for required sections, verification evidence, and risk/rollback details.
    • Added automated CI failure triage with clearer comparison to the latest successful baseline and improved classification.
    • Extended CI/static PR validation to run the new triage and policy checks.
  • Documentation
    • Updated the pull request template and review/process documentation to require explicit “not run” reasons, and added risk/rollback guidance.
    • Refreshed process hardening and review protocol documentation with the new enforcement expectations.

Add trusted PR evidence validation and exact default-branch CI failure attribution. Document and self-test the safer review workflow.
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@supabase

supabase Bot commented Jul 17, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e428230f-9ebb-4fdc-86ec-5464e762d2ae

📥 Commits

Reviewing files that changed from the base of the PR and between 4983a7f and 980aed3.

📒 Files selected for processing (3)
  • docs/branch-review-ledger.md
  • scripts/ci-triage.mjs
  • scripts/pr-policy.mjs
🚧 Files skipped from review as they are similar to previous changes (2)
  • scripts/ci-triage.mjs
  • scripts/pr-policy.mjs

📝 Walkthrough

Walkthrough

Adds a trusted PR metadata policy workflow, shared CI triage helpers, self-tests, PR template guidance, and documentation updates covering verification, risk/rollback evidence, CI attribution, and process governance.

Changes

PR policy enforcement

Layer / File(s) Summary
PR policy contract and evaluator
.github/pull_request_template.md, scripts/pr-policy.mjs, package.json
Adds risk and rollout fields, verification guidance, changed-file classification, PR metadata validation, self-tests, and npm commands.
Trusted PR policy workflow
.github/workflows/pr-policy.yml, .github/workflows/ci.yml, docs/codex-review-protocol.md, docs/process-hardening.md, docs/branch-review-ledger.md
Runs policy evaluation from the base SHA with read-only permissions, reports classifications and failures, and adds policy self-test coverage and process records.

CI triage

Layer / File(s) Summary
Shared CI triage helpers
scripts/ci-triage.mjs, scripts/ci-change-scope.mjs
Adds failed-job extraction, same-workflow default-branch baseline selection, classification, Markdown body generation, CLI self-tests, and workflow-change detection.
CI triage workflow integration
.github/workflows/ci-triage.yml
Loads the shared helpers, exits when no jobs failed, compares against the latest matching default-branch run, and posts the generated triage body.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PullRequest
  participant PRPolicyWorkflow
  participant BaseCheckout
  participant PRPolicyEvaluator
  PullRequest->>PRPolicyWorkflow: pull_request_target metadata
  PRPolicyWorkflow->>BaseCheckout: checkout base SHA
  PRPolicyWorkflow->>PRPolicyEvaluator: evaluate PR metadata and changed files
  PRPolicyEvaluator-->>PRPolicyWorkflow: classification and errors
  PRPolicyWorkflow-->>PullRequest: policy summary and result
Loading
sequenceDiagram
  participant CIWorkflow
  participant GitHubActionsAPI
  participant CITriageHelpers
  participant PullRequest
  CIWorkflow->>GitHubActionsAPI: retrieve failed jobs
  CIWorkflow->>CITriageHelpers: classify failures against default-branch baseline
  CITriageHelpers-->>CIWorkflow: generated triage body
  CIWorkflow->>PullRequest: post triage comment
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and matches the main change: tightening PR evidence requirements for safer CI governance.
Description check ✅ Passed Includes the required Summary, Verification, Risk and rollout, and Notes sections, with an explicit reason for the unrun verify:pr-local check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/pr-process-hardening-20260717

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
scripts/ci-triage.mjs (1)

63-107: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Self-test coverage gap: selectLatestDefaultBranchRun returning undefined.

The self-test covers the happy path for all four exports but doesn't test selectLatestDefaultBranchRun with an empty or no-match array (returns undefined), nor classifyFailedJobs with a null mainRun. Both paths are handled correctly in production code, but adding assertions would lock in that behavior.

♻️ Optional: add edge-case assertions
   assert.equal(selectLatestDefaultBranchRun(runs, { currentRunId: 99, defaultBranch: "main" })?.id, 2);
+  assert.equal(selectLatestDefaultBranchRun([], { currentRunId: 99, defaultBranch: "main" }), undefined);
   assert.deepEqual(
     failedJobNames([
       { name: "Build", conclusion: "failure" },
       { name: "Lint", conclusion: "success" },
     ]),
     ["Build"],
   );
   assert.deepEqual(classifyFailedJobs(["Build", "Lint"], runs[0], ["Build"]), [
     { name: "Build", classification: "main-side" },
     { name: "Lint", classification: "needs-investigation" },
   ]);
+  assert.deepEqual(classifyFailedJobs(["Build"], null, []), [
+    { name: "Build", classification: "needs-investigation" },
+  ]);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/ci-triage.mjs` around lines 63 - 107, Add self-test assertions for
the no-match or empty-array case of selectLatestDefaultBranchRun, verifying it
returns undefined, and for classifyFailedJobs with a null mainRun, verifying the
expected needs-investigation classifications. Keep the existing happy-path
assertions unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/pr-policy.mjs`:
- Around line 113-118: Update the clinical-risk validation in the
classification.clinicalRisk branch of scripts/pr-policy.mjs to validate every
required item in the Clinical Governance Preflight checklist defined by
.github/pull_request_template.md, rather than only detecting unchecked boxes.
Require all expected checklist items to be present and checked, and retain the
existing missing-section error behavior.
- Around line 121-130: Update the risk-and-rollout validation in the
classification check around the Risk and Rollback regexes to reject bare
severity values such as “Risk: low” unless they include substantive rationale,
and reject no-op rollback responses such as “Rollback: none..”. Preserve
acceptance of concrete risk explanations and actionable rollback plans while
enforcing the existing error messages.
- Around line 63-74: Update branchLikeTitle so it no longer classifies titles
solely because value contains "/". Retain the codex/claude/copilot prefix
detection and normalized equality check against headRef, allowing
outcome-focused titles such as “fix: handle /api/search failures”.

---

Nitpick comments:
In `@scripts/ci-triage.mjs`:
- Around line 63-107: Add self-test assertions for the no-match or empty-array
case of selectLatestDefaultBranchRun, verifying it returns undefined, and for
classifyFailedJobs with a null mainRun, verifying the expected
needs-investigation classifications. Keep the existing happy-path assertions
unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e8cf2745-e933-4eab-a91f-682ddaf4c2e6

📥 Commits

Reviewing files that changed from the base of the PR and between 220de89 and 4983a7f.

📒 Files selected for processing (11)
  • .github/pull_request_template.md
  • .github/workflows/ci-triage.yml
  • .github/workflows/ci.yml
  • .github/workflows/pr-policy.yml
  • docs/branch-review-ledger.md
  • docs/codex-review-protocol.md
  • docs/process-hardening.md
  • package.json
  • scripts/ci-change-scope.mjs
  • scripts/ci-triage.mjs
  • scripts/pr-policy.mjs

Comment thread scripts/pr-policy.mjs
Comment thread scripts/pr-policy.mjs
Comment thread scripts/pr-policy.mjs
Require the full governance checklist, substantive risk and rollback evidence, and preserve valid slash-bearing outcome titles. Cover CI triage fallback paths.
@BigSimmo
BigSimmo merged commit f870e5c into main Jul 17, 2026
40 checks passed
@BigSimmo
BigSimmo deleted the codex/pr-process-hardening-20260717 branch July 17, 2026 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant