feat: implement issue #465 — Restrict auto-rebase fan-out to review-ready PRs (free, plan-independent mitigation)#468
Conversation
…eady PRs (free, plan-independent mitigation)
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Review limit reached
More reviews will be available in 43 minutes and 59 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughAdds a side-effect-free Bash eligibility predicate library ( ChangesAuto-rebase eligibility gating
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — waiting on PR blockers (intent: review-changes)PR: #468 |
|
Note @don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically. |
There was a problem hiding this comment.
Code Review
This pull request introduces supporting logic and eligibility predicates for the org-level auto-rebase reusable workflow, restricting branch updates to eligible PRs to reduce redundant CI runs. It includes bash/jq scripts, documentation updates, and comprehensive bats unit tests. The review feedback suggests optimizing the jq logic in auto_rebase_has_current_approval using reduce instead of group_by for better performance, and recommends adopting double brackets [[ ... ]] for conditional tests in Bash to improve robustness and style consistency.
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
Dev-Lead — fix-reviews (applied)Changes committed and pushed. |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/auto-rebase-reusable.yml:
- Around line 86-92: The checkout step for the auto-rebase tooling repository
does not disable credential persistence, creating an unnecessary security risk.
Add `persist-credentials: false` to the `with` section of the "Checkout
auto-rebase tooling" step (the
`actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` action) since the
step only reads files from the external repository and does not require
authentication credentials to remain in git config.
- Around line 128-136: The `auto_rebase_has_current_approval` function expects a
single JSON array, but the `gh api --paginate` command outputs multiple separate
JSON arrays when reviews span multiple pages. Modify the pipeline at line 128 to
combine the paginated JSON arrays into a single consolidated array before
passing to the function. Use a JSON processor tool to slurp or concatenate all
paginated results into one array structure that matches the function's expected
input format.
In @.github/workflows/auto-rebase-tests.yml:
- Around line 38-40: The concurrency group includes ${{ github.sha }} which
creates a unique identifier for every commit, making cancel-in-progress
ineffective since it only cancels runs within the same group. Remove the ${{
github.sha }} component from the concurrency group in the auto-rebase-tests.yml
workflow, keeping only ${{ github.ref }} so that all runs on the same branch
share the same group and cancel-in-progress can properly cancel prior runs when
a new commit is pushed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 93e7d568-bb18-4d8a-8d1e-6d13fb5599eb
📒 Files selected for processing (8)
.github/scripts/auto-rebase/README.md.github/scripts/auto-rebase/lib/eligibility.sh.github/workflows/auto-rebase-reusable.yml.github/workflows/auto-rebase-tests.ymlstandards/ci-standards.mdstandards/workflows/auto-rebase.ymltest/workflows/auto-rebase/eligibility.batstest/workflows/auto-rebase/helpers/setup.bash
|
@coderabbitai resolve |
Dev-Lead — waiting on PR blockers (intent: review-changes)PR: #468 |
|
Note @don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically. |
✅ Action performedComments resolved and changes approved. |
Dev-Lead — fix-bot-comment (applied)Changes committed and pushed. |
Dev-Lead — waiting on PR blockers (intent: fix-reviews)PR: #468 |
|
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 707afbcc3d57e6687c3f710b5fd03a06425dd207
Review mode: triage-approved (single reviewer)
Summary
Implements issue #465: restricts the auto-rebase reusable workflow's fan-out to review-ready PRs via a new tunable eligibility input (default review-ready, escape hatch all). Decision logic is extracted into pure, unit-tested predicates in .github/scripts/auto-rebase/lib/eligibility.sh, backed by an 18-case bats suite and a dedicated shellcheck+bats CI gate. +446/-4 across 8 files; docs and standards updated to match.
Linked issue analysis
Linked issue #465 (restrict auto-rebase fan-out to review-ready PRs — free, plan-independent mitigation) is substantively addressed. The workflow now gates each behind PR on auto_rebase_pr_eligible: review-ready requires non-draft AND (a current APPROVED review OR the auto-rebase:ready label). Approval is read from actual review states (latest decision review per reviewer wins; CHANGES_REQUESTED/DISMISSED cancel an earlier APPROVED) rather than reviewDecision, which is correct since reviewDecision is null on repos without required reviews. The all mode preserves the original unrestricted behavior as an escape hatch.
Findings
No blocking issues. Confirmed the triage assessment and verified all prior bot findings are resolved in the reviewed commit:
- CodeRabbit (CHANGES_REQUESTED, later dismissed/approved): (1) checkout step now has
persist-credentials: false; (2) paginated reviews are consolidated withgh api --paginate ... | jq -s 'add'before reaching the single-array predicate; (3)auto-rebase-tests.ymlconcurrency group isauto-rebase-tests-${{ github.ref }}with nogithub.sha, so cancel-in-progress works. CodeRabbit posted 'Comments resolved and changes approved.' - Gemini (non-blocking):
group_byreplaced with a single-pass O(N)reduce; all conditionals migrated to[[ ... ]].
Security review: the new tooling checkout is SHA-pinned (actions/checkout v6.0.3), defaults to thev1ref, disables credential persistence, and sources only the org's own pure predicate script — no untrusted PR content flows into executed code. Job permissions (contents/pull-requests: write) are unchanged and remain the minimum needed for update-branch. Branch-name interpolation in thecomparecall is pre-existing and unchanged by this PR.
Risk noted as MEDIUM because the change modifies a reusable GitHub Actions workflow, but it is well-structured, SHA-pinned, and unit-tested with no residual security smell.
CI status
All required checks green: Lint and bats, ShellCheck, Lint, CodeQL (Analyze actions), SonarCloud (Quality Gate passed), Secret scan (gitleaks), AgentShield, Agent Security Scan, pr-auto-review, dev-lead/dispatch. Audit/relay jobs SKIPPED as expected (no matching ecosystems). mergeStateStatus is BLOCKED solely on REVIEW_REQUIRED (the org-leads review this agent fills); mergeable is MERGEABLE.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 707afbcc3d57e6687c3f710b5fd03a06425dd207
Review mode: triage-approved (single reviewer)
Summary
Implements issue #465: restricts the auto-rebase reusable workflow's fan-out to review-ready PRs via a new tunable eligibility input (default review-ready, escape hatch all). Decision logic is extracted into pure, unit-tested predicates in .github/scripts/auto-rebase/lib/eligibility.sh, backed by an 18-case bats suite plus a dedicated shellcheck+bats CI gate. +446/-4 across 8 files; docs and standards updated to match.
Linked issue analysis
Linked issue #465 (restrict auto-rebase fan-out to review-ready PRs — free, plan-independent mitigation) is substantively addressed. Each behind PR is now gated by auto_rebase_pr_eligible: review-ready requires non-draft AND (a current APPROVED review OR the auto-rebase:ready label); all preserves the original unrestricted fan-out as an escape hatch. Approval is computed from actual review states (latest decision review per reviewer wins; CHANGES_REQUESTED/DISMISSED cancels an earlier APPROVED) rather than reviewDecision, which is correct since reviewDecision is null on repos without required reviews.
Findings
Triage assessment confirmed — no blocking issues. Independently verified against the diff at the reviewed commit:
- Eligibility predicate logic is sound:
auto_rebase_has_current_approvaluses a single-passreducekeyed by reviewer login (last decision wins) thenany(. == "APPROVED"); empty/COMMENTED-only inputs correctly return not-approved. Covered by 18 bats cases including approve→changes, changes→approve, dismissed, and multi-reviewer scenarios. - All prior bot findings resolved in code: (1) tooling checkout has
persist-credentials: false; (2) paginated reviews are consolidated viagh api --paginate ... | jq -s 'add | .'before the single-array predicate; (3) auto-rebase-tests.yml concurrency group isauto-rebase-tests-${{ github.ref }}with nogithub.sha, so cancel-in-progress works. Gemini suggestions also applied (group_by→reduce; conditionals migrated to[[ ... ]]). CodeRabbit posted 'Comments resolved and changes approved.' - Security: the new tooling checkout is SHA-pinned (actions/checkout v6.0.3), defaults to the
v1ref, disables credential persistence, and sources only the org's own pure predicate script — no untrusted PR content flows into executed code. Job permissions (contents/pull-requests: write) are unchanged and remain the minimum for update-branch. - No unresolved review threads and no unanswered human-reviewer questions: the don-petry MEMBER comments are automated dev-lead agent actions, and the latest ones at the head SHA report 'no-changes'. No human reviews are pending.
Risk noted as MEDIUM because the change modifies a reusable GitHub Actions workflow, but it is well-structured, SHA-pinned, and unit-tested with no residual security smell.
CI status
All required checks green: Lint and bats, ShellCheck, Lint, CodeQL (Analyze actions), SonarCloud (Quality Gate passed), Secret scan (gitleaks), AgentShield, Agent Security Scan, pr-auto-review, dev-lead/dispatch. Audit/relay jobs SKIPPED as expected (no matching ecosystems). reviewDecision is APPROVED; mergeable is reported as UNKNOWN by the API at fetch time (transient), with no failing checks.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
…(restores review-ready gate) (#528) * fix(auto-rebase): source predicate from reusable's own commit, not @v1 The reusable defaulted `tooling_ref` to `v1` and checked out petry-projects/.github@v1 to source lib/eligibility.sh. But eligibility.sh landed in #468 (after the v1 tag), so every run failed with: .auto-rebase-tooling/.github/scripts/auto-rebase/lib/eligibility.sh: No such file or directory ##[error]Process completed with exit code 1. This broke auto-rebase in petry-projects/.github itself (local `./` ref → default tooling_ref=v1) and would break every consumer the moment the restriction reached them. The review-ready gate (#465) was therefore live nowhere. Fix: default tooling_ref to empty and resolve the checkout to `github.job_workflow_sha` — the commit SHA of this reusable file for the run. The predicate is now always sourced from the exact same commit as the workflow that uses it, eliminating version skew. `tooling_ref` remains an explicit override for end-to-end branch testing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019LUUSUQHqwLWZ583SAs41K * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>



Closes #465
Implemented by dev-lead agent. Please review.
Summary by CodeRabbit
New Features
review-readydefault,all).eligibility,ready_label(default:auto-rebase:ready), andtooling_reffor flexible PR update rules.Documentation
Tests