ci(bump-callers): move caller list to CURSOR_REVIEW_CALLERS variable + mask repo names#27
ci(bump-callers): move caller list to CURSOR_REVIEW_CALLERS variable + mask repo names#27mattmillerai wants to merge 1 commit into
Conversation
…+ mask repo names (BE-3046)
The caller list was hardcoded in this PUBLIC workflow, enumerating private/
internal repo names in the file (leaked via public PRs) and in the publicly
viewable run logs. Move it to the repo-level Actions variable
CURSOR_REVIEW_CALLERS (a JSON array of {repo,file,label}), parsed with jq into
the existing repo|file|label tuples, and ::add-mask:: every repo name so run
logs show *** instead. Hard-fail loudly on a missing/empty/invalid variable so
a silent no-op dispatcher is impossible. Adding a future caller now needs no
public commit — just a variable edit (documented in the header).
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 34 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
ELI-5
This workflow used to keep a list of every repo that runs cursor-review written right inside the file — and this repo is public, so anyone could read the list of our private repos, both in the file and in the (also public) run logs. This PR moves that list out of the file into a private Actions variable the workflow reads at run time, and blacks out (
***) every repo name in the logs. Same behavior, no more leaks. Adding a repo later is now a variable edit, not a public commit.What changed
CALLERS=( … )array from the workflow.CURSOR_REVIEW_CALLERS— a JSON array of{"repo","file","label"}objects — parsed withjqinto the exact samerepo|file|labeltuples the existingbump_one()loop already consumes (no downstream changes). A variable, not a secret: this is config, and secrets are write-only via the API.::add-mask::ed immediately after parsing, before any loop that echoes it, so all per-repo output ("<repo>: PR opened", per-repo warnings, the final failure summary) shows***in the public logs instead of the repo name.::error::+exit 1) if the variable is missing, empty/whitespace, not a JSON array, empty array, or has any entry lacking a non-emptyrepo/file— a silent no-op dispatcher is not possible.gh variable set CURSOR_REVIEW_CALLERS …) in the header, and noted the canonicalcallers.jsonshould live in a private infra/ops repo as a reviewed source of truth.Verification
python3 yaml.safe_load— YAML valid.shellcheck -S warningon the extracted run script — clean (exit 0).repo, entry with emptyrepo→ all hard-fail withexit 1; valid input → parses, emits an::add-mask::per repo, and produces correct tuples (incl. missing-label→ empty label).CURSOR_REVIEW_CALLERSvariable through the parser: it yields exactly the 12 tuples, byte-for-byte identical to the previous hardcoded list plusComfy-Org/evals(the addition from ci: add Comfy-Org/evals as a cursor-review caller #25). No behavior change forbump_one().Comfy-Org/github-workflows(this repo) appears anywhere in the file.Judgment calls / notes for the reviewer
evals), so acceptance-criterion 4's seed step is done. No further seeding needed.comfy-infrain the header as the canonical-JSON home, butcomfy-infrais one of the private repos this ticket protects, and AC feat: add reusable cursor-review workflow + centralized assets #1 says no repo name beyondgithub-workflowsmay appear in the file. AC feat: add reusable cursor-review workflow + centralized assets #1 wins (it's the whole point), so the header says "a private infra/ops repo" generically rather than naming it.workflow_dispatchrun with clean logs) is a post-merge human step, not verified here — deliberately.workflow_dispatchruns the workflow version from the default branch, so this logic isn't dispatchable until it's merged; and dispatching the real workflow would open live SHA-bump PRs across all 12 caller repos (a side effect I won't trigger from a test). The masking is proven by inspection: every log statement echoes${REPO}/${FAILED[*]}(the fullComfy-Org/<repo>string), and each such string is::add-mask::ed before the loop. Recommend oneworkflow_dispatchafter merge to confirm the logs render***.evalsto the old hardcoded array, which this PR deletes. Sinceevalsis already in the seeded variable, ci: add Comfy-Org/evals as a cursor-review caller #25 is effectively superseded — recommend closing it (or merge it first and rebase this, either works; the variable already reflects the intended final state).Comfy-Org/ComfyUIis a substring ofComfy-Org/ComfyUI_frontend, so masking can render the latter as***/***_frontend— both are public repos, and none of the 8 private repos are substrings of one another, so no private name leaks.