Skip to content

feat: implement issue #465 — Restrict auto-rebase fan-out to review-ready PRs (free, plan-independent mitigation)#468

Merged
don-petry merged 4 commits into
mainfrom
dev-lead/issue-465-20260615-1642
Jun 15, 2026
Merged

feat: implement issue #465 — Restrict auto-rebase fan-out to review-ready PRs (free, plan-independent mitigation)#468
don-petry merged 4 commits into
mainfrom
dev-lead/issue-465-20260615-1642

Conversation

@don-petry

@don-petry don-petry commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Closes #465

Implemented by dev-lead agent. Please review.

Summary by CodeRabbit

  • New Features

    • Added eligibility controls to auto-rebase workflow with configurable modes (review-ready default, all).
    • Introduced new workflow inputs: eligibility, ready_label (default: auto-rebase:ready), and tooling_ref for flexible PR update rules.
  • Documentation

    • Updated auto-rebase workflow documentation with eligibility criteria and configuration guidance.
  • Tests

    • Added comprehensive test suite for auto-rebase eligibility logic validation.

…eady PRs (free, plan-independent mitigation)
@don-petry
don-petry requested a review from a team as a code owner June 15, 2026 16:51
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 43 minutes and 59 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a7069096-ecfc-435e-be51-5d1fcda7bcdb

📥 Commits

Reviewing files that changed from the base of the PR and between ca0bf55 and 707afbc.

📒 Files selected for processing (3)
  • .github/scripts/auto-rebase/lib/eligibility.sh
  • .github/workflows/auto-rebase-reusable.yml
  • .github/workflows/auto-rebase-tests.yml
📝 Walkthrough

Walkthrough

Adds a side-effect-free Bash eligibility predicate library (eligibility.sh) with three functions that gate the auto-rebase reusable workflow to review-ready PRs. The workflow gains three new workflow_call inputs, a tooling checkout step, and a reworked per-PR eligibility evaluation loop. A bats test suite with shellcheck CI coverage and updated standards documentation accompany the change.

Changes

Auto-rebase eligibility gating

Layer / File(s) Summary
Eligibility predicate library
.github/scripts/auto-rebase/lib/eligibility.sh, .github/scripts/auto-rebase/README.md
Defines auto_rebase_has_current_approval (per-reviewer latest-state logic via jq), auto_rebase_has_ready_label (label name match), and auto_rebase_pr_eligible (mode-based gate returning 0/1/2). README documents all function contracts, approval semantics, and eligibility modes.
Reusable workflow integration
.github/workflows/auto-rebase-reusable.yml
Adds eligibility, ready_label, and tooling_ref workflow_call inputs. Inserts a step to check out the tooling repo and source eligibility.sh. Reworks the per-PR loop to fetch draft status, labels, and reviews, then evaluate auto_rebase_pr_eligible — skipping ineligible PRs or failing on unknown mode.
Bats test suite and CI workflow
test/workflows/auto-rebase/eligibility.bats, test/workflows/auto-rebase/helpers/setup.bash, .github/workflows/auto-rebase-tests.yml
setup.bash exports TT_REPO_ROOT/TT_SCRIPTS_DIR and temp-dir helpers. eligibility.bats covers all three predicate functions including review-state transitions, label presence, and the exit-code-2 unknown-mode path. auto-rebase-tests.yml CI workflow runs shellcheck and bats on path-filtered triggers with concurrency controls.
Standards documentation
standards/ci-standards.md, standards/workflows/auto-rebase.yml
Documents the eligibility model (modes, approval semantics, predicate location, unit-test coverage) in ci-standards and adds example with: input usage to the workflow standards file.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: restricting auto-rebase fan-out to review-ready PRs to address issue #465, which directly matches the PR's primary objective.
Linked Issues check ✅ Passed All key requirements from issue #465 are met: PR eligibility restricted to non-draft with APPROVED review or auto-rebase:ready label [lib/eligibility.sh], configurable workflow input [auto-rebase-reusable.yml], merge-method preservation, conflict-resolution sentinel maintained, documentation updated [standards/ci-standards.md, standards/workflows/auto-rebase.yml].
Out of Scope Changes check ✅ Passed All changes are within scope: auto-rebase library implementation, workflow updates, test suite, and documentation directly address issue #465 requirements without extraneous modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev-lead/issue-465-20260615-1642

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #468
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-15T17:22:33Z

@don-petry

Copy link
Copy Markdown
Contributor Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-06-15T17:22:33Z

@don-petry
don-petry enabled auto-merge (squash) June 15, 2026 16:52

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces supporting logic and eligibility predicates for the org-level auto-rebase reusable workflow, restricting branch updates to eligible PRs to reduce redundant CI runs. It includes bash/jq scripts, documentation updates, and comprehensive bats unit tests. The review feedback suggests optimizing the jq logic in auto_rebase_has_current_approval using reduce instead of group_by for better performance, and recommends adopting double brackets [[ ... ]] for conditional tests in Bash to improve robustness and style consistency.

Comment thread .github/scripts/auto-rebase/lib/eligibility.sh
Comment thread .github/scripts/auto-rebase/lib/eligibility.sh Outdated
Comment thread .github/scripts/auto-rebase/lib/eligibility.sh Outdated
Comment thread .github/scripts/auto-rebase/lib/eligibility.sh Outdated
@don-petry
don-petry disabled auto-merge June 15, 2026 16:53
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
Files changed: None
Skipped (informational): 0
**Status:** Quality Gate passed — no actionable issues found. The PR is clear.
```
The PR is in good shape with all checks passing. The SonarCloud analysis found no new issues or security hotspots.

@don-petry
don-petry enabled auto-merge (squash) June 15, 2026 16:53
@don-petry
don-petry disabled auto-merge June 15, 2026 16:54
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

@don-petry
don-petry enabled auto-merge (squash) June 15, 2026 16:59
@don-petry
don-petry disabled auto-merge June 15, 2026 16:59

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-rebase-reusable.yml:
- Around line 86-92: The checkout step for the auto-rebase tooling repository
does not disable credential persistence, creating an unnecessary security risk.
Add `persist-credentials: false` to the `with` section of the "Checkout
auto-rebase tooling" step (the
`actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` action) since the
step only reads files from the external repository and does not require
authentication credentials to remain in git config.
- Around line 128-136: The `auto_rebase_has_current_approval` function expects a
single JSON array, but the `gh api --paginate` command outputs multiple separate
JSON arrays when reviews span multiple pages. Modify the pipeline at line 128 to
combine the paginated JSON arrays into a single consolidated array before
passing to the function. Use a JSON processor tool to slurp or concatenate all
paginated results into one array structure that matches the function's expected
input format.

In @.github/workflows/auto-rebase-tests.yml:
- Around line 38-40: The concurrency group includes ${{ github.sha }} which
creates a unique identifier for every commit, making cancel-in-progress
ineffective since it only cancels runs within the same group. Remove the ${{
github.sha }} component from the concurrency group in the auto-rebase-tests.yml
workflow, keeping only ${{ github.ref }} so that all runs on the same branch
share the same group and cancel-in-progress can properly cancel prior runs when
a new commit is pushed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 93e7d568-bb18-4d8a-8d1e-6d13fb5599eb

📥 Commits

Reviewing files that changed from the base of the PR and between 384917b and ca0bf55.

📒 Files selected for processing (8)
  • .github/scripts/auto-rebase/README.md
  • .github/scripts/auto-rebase/lib/eligibility.sh
  • .github/workflows/auto-rebase-reusable.yml
  • .github/workflows/auto-rebase-tests.yml
  • standards/ci-standards.md
  • standards/workflows/auto-rebase.yml
  • test/workflows/auto-rebase/eligibility.bats
  • test/workflows/auto-rebase/helpers/setup.bash

Comment thread .github/workflows/auto-rebase-reusable.yml
Comment thread .github/workflows/auto-rebase-reusable.yml Outdated
Comment thread .github/workflows/auto-rebase-tests.yml
@don-petry

Copy link
Copy Markdown
Contributor Author

@coderabbitai resolve

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #468
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-15T17:32:41Z

@don-petry

Copy link
Copy Markdown
Contributor Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-06-15T17:32:41Z

@don-petry
don-petry enabled auto-merge (squash) June 15, 2026 17:02
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 15, 2026
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown
✅ Action performed

Comments resolved and changes approved.

@don-petry
don-petry disabled auto-merge June 15, 2026 17:03
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — waiting on PR blockers (intent: fix-reviews)

PR: #468
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-15T17:37:30Z

@don-petry
don-petry enabled auto-merge (squash) June 15, 2026 17:07
@don-petry
don-petry disabled auto-merge June 15, 2026 17:08
@sonarqubecloud

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry
don-petry enabled auto-merge (squash) June 15, 2026 17:09
@don-petry
don-petry disabled auto-merge June 15, 2026 17:10
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
1. ✓ **Security: persist-credentials** — Added `persist-credentials: false` to checkout step in `.github/workflows/auto-rebase-reusable.yml`
2. ✓ **JSON pagination** — Fixed `gh api --paginate` handling by adding `jq -s 'add | .'` to combine paginated arrays
3. ✓ **Concurrency group** — Removed `${{ github.sha }}` component from `.github/workflows/auto-rebase-tests.yml` concurrency group
---
## Status
**Bot:** (SonarQube Cloud)  
**Issues addressed:** 0 (Quality Gate passed; prior CodeRabbit issues already fixed)  
**Files changed:** None needed  
**Skipped (already resolved):** 3 CodeRabbit findings (fixed in commit d103112)
**Conclusion:** The PR is in excellent shape with all checks passing and quality gates met. No further action required.

@don-petry
don-petry enabled auto-merge (squash) June 15, 2026 17:12

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 707afbcc3d57e6687c3f710b5fd03a06425dd207
Review mode: triage-approved (single reviewer)

Summary

Implements issue #465: restricts the auto-rebase reusable workflow's fan-out to review-ready PRs via a new tunable eligibility input (default review-ready, escape hatch all). Decision logic is extracted into pure, unit-tested predicates in .github/scripts/auto-rebase/lib/eligibility.sh, backed by an 18-case bats suite and a dedicated shellcheck+bats CI gate. +446/-4 across 8 files; docs and standards updated to match.

Linked issue analysis

Linked issue #465 (restrict auto-rebase fan-out to review-ready PRs — free, plan-independent mitigation) is substantively addressed. The workflow now gates each behind PR on auto_rebase_pr_eligible: review-ready requires non-draft AND (a current APPROVED review OR the auto-rebase:ready label). Approval is read from actual review states (latest decision review per reviewer wins; CHANGES_REQUESTED/DISMISSED cancel an earlier APPROVED) rather than reviewDecision, which is correct since reviewDecision is null on repos without required reviews. The all mode preserves the original unrestricted behavior as an escape hatch.

Findings

No blocking issues. Confirmed the triage assessment and verified all prior bot findings are resolved in the reviewed commit:

  • CodeRabbit (CHANGES_REQUESTED, later dismissed/approved): (1) checkout step now has persist-credentials: false; (2) paginated reviews are consolidated with gh api --paginate ... | jq -s 'add' before reaching the single-array predicate; (3) auto-rebase-tests.yml concurrency group is auto-rebase-tests-${{ github.ref }} with no github.sha, so cancel-in-progress works. CodeRabbit posted 'Comments resolved and changes approved.'
  • Gemini (non-blocking): group_by replaced with a single-pass O(N) reduce; all conditionals migrated to [[ ... ]].
    Security review: the new tooling checkout is SHA-pinned (actions/checkout v6.0.3), defaults to the v1 ref, disables credential persistence, and sources only the org's own pure predicate script — no untrusted PR content flows into executed code. Job permissions (contents/pull-requests: write) are unchanged and remain the minimum needed for update-branch. Branch-name interpolation in the compare call is pre-existing and unchanged by this PR.
    Risk noted as MEDIUM because the change modifies a reusable GitHub Actions workflow, but it is well-structured, SHA-pinned, and unit-tested with no residual security smell.

CI status

All required checks green: Lint and bats, ShellCheck, Lint, CodeQL (Analyze actions), SonarCloud (Quality Gate passed), Secret scan (gitleaks), AgentShield, Agent Security Scan, pr-auto-review, dev-lead/dispatch. Audit/relay jobs SKIPPED as expected (no matching ecosystems). mergeStateStatus is BLOCKED solely on REVIEW_REQUIRED (the org-leads review this agent fills); mergeable is MERGEABLE.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

@don-petry
don-petry merged commit 1ada2aa into main Jun 15, 2026
22 checks passed
@don-petry
don-petry deleted the dev-lead/issue-465-20260615-1642 branch June 15, 2026 17:13

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 707afbcc3d57e6687c3f710b5fd03a06425dd207
Review mode: triage-approved (single reviewer)

Summary

Implements issue #465: restricts the auto-rebase reusable workflow's fan-out to review-ready PRs via a new tunable eligibility input (default review-ready, escape hatch all). Decision logic is extracted into pure, unit-tested predicates in .github/scripts/auto-rebase/lib/eligibility.sh, backed by an 18-case bats suite plus a dedicated shellcheck+bats CI gate. +446/-4 across 8 files; docs and standards updated to match.

Linked issue analysis

Linked issue #465 (restrict auto-rebase fan-out to review-ready PRs — free, plan-independent mitigation) is substantively addressed. Each behind PR is now gated by auto_rebase_pr_eligible: review-ready requires non-draft AND (a current APPROVED review OR the auto-rebase:ready label); all preserves the original unrestricted fan-out as an escape hatch. Approval is computed from actual review states (latest decision review per reviewer wins; CHANGES_REQUESTED/DISMISSED cancels an earlier APPROVED) rather than reviewDecision, which is correct since reviewDecision is null on repos without required reviews.

Findings

Triage assessment confirmed — no blocking issues. Independently verified against the diff at the reviewed commit:

  • Eligibility predicate logic is sound: auto_rebase_has_current_approval uses a single-pass reduce keyed by reviewer login (last decision wins) then any(. == "APPROVED"); empty/COMMENTED-only inputs correctly return not-approved. Covered by 18 bats cases including approve→changes, changes→approve, dismissed, and multi-reviewer scenarios.
  • All prior bot findings resolved in code: (1) tooling checkout has persist-credentials: false; (2) paginated reviews are consolidated via gh api --paginate ... | jq -s 'add | .' before the single-array predicate; (3) auto-rebase-tests.yml concurrency group is auto-rebase-tests-${{ github.ref }} with no github.sha, so cancel-in-progress works. Gemini suggestions also applied (group_by→reduce; conditionals migrated to [[ ... ]]). CodeRabbit posted 'Comments resolved and changes approved.'
  • Security: the new tooling checkout is SHA-pinned (actions/checkout v6.0.3), defaults to the v1 ref, disables credential persistence, and sources only the org's own pure predicate script — no untrusted PR content flows into executed code. Job permissions (contents/pull-requests: write) are unchanged and remain the minimum for update-branch.
  • No unresolved review threads and no unanswered human-reviewer questions: the don-petry MEMBER comments are automated dev-lead agent actions, and the latest ones at the head SHA report 'no-changes'. No human reviews are pending.
    Risk noted as MEDIUM because the change modifies a reusable GitHub Actions workflow, but it is well-structured, SHA-pinned, and unit-tested with no residual security smell.

CI status

All required checks green: Lint and bats, ShellCheck, Lint, CodeQL (Analyze actions), SonarCloud (Quality Gate passed), Secret scan (gitleaks), AgentShield, Agent Security Scan, pr-auto-review, dev-lead/dispatch. Audit/relay jobs SKIPPED as expected (no matching ecosystems). reviewDecision is APPROVED; mergeable is reported as UNKNOWN by the API at fetch time (transient), with no failing checks.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.

don-petry added a commit that referenced this pull request Jun 24, 2026
…(restores review-ready gate) (#528)

* fix(auto-rebase): source predicate from reusable's own commit, not @v1

The reusable defaulted `tooling_ref` to `v1` and checked out
petry-projects/.github@v1 to source lib/eligibility.sh. But eligibility.sh
landed in #468 (after the v1 tag), so every run failed with:

  .auto-rebase-tooling/.github/scripts/auto-rebase/lib/eligibility.sh: No such file or directory
  ##[error]Process completed with exit code 1.

This broke auto-rebase in petry-projects/.github itself (local `./` ref →
default tooling_ref=v1) and would break every consumer the moment the
restriction reached them. The review-ready gate (#465) was therefore live
nowhere.

Fix: default tooling_ref to empty and resolve the checkout to
`github.job_workflow_sha` — the commit SHA of this reusable file for the run.
The predicate is now always sourced from the exact same commit as the
workflow that uses it, eliminating version skew. `tooling_ref` remains an
explicit override for end-to-end branch testing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019LUUSUQHqwLWZ583SAs41K

* chore: apply manual instructions [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Restrict auto-rebase fan-out to review-ready PRs (free, plan-independent mitigation)

2 participants