Skip to content

Add unreviewed-merge detector (SOC 2 compliance)#464

Merged
luke-mino-altherr merged 1 commit into
mainfrom
add-unreviewed-merge-detector
May 28, 2026
Merged

Add unreviewed-merge detector (SOC 2 compliance)#464
luke-mino-altherr merged 1 commit into
mainfrom
add-unreviewed-merge-detector

Conversation

@luke-mino-altherr

Copy link
Copy Markdown
Contributor

Adds the unreviewed-merge detector for SOC 2 compliance.

On every push to main, this workflow finds the associated PR. If it was merged without an approving review, the reusable workflow at Comfy-Org/github-workflows files a tracking issue in Comfy-Org/unreviewed-merges with labels and (if provided) the inline Justification: line from the PR body.

Action required before merge

The UNREVIEWED_MERGES_TOKEN repo secret must be configured. It is a fine-grained PAT with issues:write on Comfy-Org/unreviewed-merges. Without it the workflow run will fail with a clear error message.

Approval mode

See the comment in the file. This repo uses latest-per-reviewer because of its branch-protection / stale-review-dismissal configuration.

Reusable workflow pin

Pinned to Comfy-Org/github-workflows@4d9cb6b87f953bb7cd69954280e1465fb9bd2040 (v1). The trailing # v1 comment matches the moving tag. Bump via Dependabot/Renovate.

Calls the reusable workflow at Comfy-Org/github-workflows. On every
push to main, finds the associated PR, and if it was merged without an
approving review, files a tracking issue in Comfy-Org/unreviewed-merges.

approval-mode: latest-per-reviewer

Requires the UNREVIEWED_MERGES_TOKEN secret (fine-grained PAT with
issues:write on Comfy-Org/unreviewed-merges) to be configured.
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label May 28, 2026
@codecov

codecov Bot commented May 28, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main     #464   +/-   ##
=======================================
  Coverage   83.25%   83.25%           
=======================================
  Files          45       45           
  Lines        6801     6801           
=======================================
  Hits         5662     5662           
  Misses       1139     1139           
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 204eb603-2ed7-46a9-a102-1fdea7e463bb

📥 Commits

Reviewing files that changed from the base of the PR and between 30ba66f and de44725.

📒 Files selected for processing (1)
  • .github/workflows/detect-unreviewed-merge.yml

📝 Walkthrough

Walkthrough

This PR adds a new GitHub Actions workflow that detects unreviewed merges to main and master branches. It configures per-commit concurrency, enforces read-only permissions, and delegates detection to a pinned reusable workflow with per-reviewer approval tracking—ensuring that no code slips through without a proper review (no commits without review commendations, if you will).

Changes

Unreviewed Merge Detection Workflow

Layer / File(s) Summary
Detect unreviewed merges on main/master
.github/workflows/detect-unreviewed-merge.yml
Adds the Detect Unreviewed Merge workflow triggered on push to main/master with per-commit concurrency, read-only contents and pull-requests permissions, and a detect job that calls the pinned Comfy-Org/github-workflows reusable workflow configured with approval-mode: latest-per-reviewer and the UNREVIEWED_MERGES_TOKEN secret.
🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch add-unreviewed-merge-detector
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch add-unreviewed-merge-detector

Comment @coderabbitai help to get the list of available commands and usage tips.

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label May 28, 2026
@luke-mino-altherr
luke-mino-altherr merged commit 72ec7a8 into main May 28, 2026
9 checks passed
@luke-mino-altherr
luke-mino-altherr deleted the add-unreviewed-merge-detector branch May 28, 2026 19:36
skishore23 added a commit that referenced this pull request Jun 11, 2026
…nto the run/ package + single-client architecture

Upstream (dffa5c1..a392f55) carried five telemetry/tracking commits; most
of #461/#463 was already on this branch, so the merge mainly ports #465 and
#468 into our architecture:

- PostHog dual-send + lifecycle events (#461): already present in our
  tracking.py (_dispatch fan-out) and cmdline.py run lifecycle; conflicts
  resolved to our superset (keeps _ensure_user_id(persist=), submit_feedback,
  submit_agent_review, _consent_enabled).
- DO_NOT_TRACK / COMFY_NO_TELEMETRY (#463): already present; kept ours.
- cli: event prefix (#465): took upstream's POSTHOG_EVENT_PREFIX in
  tracking.py PostHogProvider.capture + upstream's prefix tests in
  tests/comfy_cli/test_tracking_providers.py.
- Comfy-Usage-Source header (#468): run.py was deleted here, so the header +
  extra_data.comfy_usage_source landed in comfy_cli/command/run/execution.py
  (WorkflowExecution.queue) and comfy_cli/comfy_client.py (Client._request
  header on every local/cloud request, submit_prompt extra_data);
  generate/client.py auto-merged upstream's header. Adapted
  tests/comfy_cli/cloud/test_client.py extra_data assertions accordingly.
- SOC2 unreviewed-merge detector (#464) + pytest.yml codecov bump: taken
  from upstream as-is.
- uv.lock: took upstream then regenerated with `uv lock` (posthog already a
  dependency here).
- Upstream's non-TTY auto-consent assertion in test_tracking.py kept at our
  deliberate behavior (non-interactive sessions do NOT auto-enable tracking).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm This PR has been approved by a maintainer size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants