ci(dev-lead): pin .github to @dev-lead/ring0 + accept ring channels in audit#503
Staged canary rollout of dev-lead v1.4.0 (versioning.md Phase 2, #499/#500).

- .github/workflows/dev-lead.yml: pin the dev-lead caller to the new dev-lead/ring0 channel (+ agent_ref: dev-lead/ring0). This repo previously pinned @main (bleeding edge); ring0 gives it a controlled canary slot that rolls forward/back via a central tag move.
- scripts/compliance-audit.sh (check_dev_lead_stub): accept the staged-canary channels dev-lead/{stable,next,ring<N>} for both the uses: pin and agent_ref, not just stable. Still rejects @main and frozen @vX.Y.Z/@<sha> (callers must pin a moving channel). Needed so ring-pinned consumers (e.g. TalkTerm@ring1) aren't flagged dev-lead-stub-pin.

Ring plan: .github-private→next · .github→ring0 · TalkTerm→ring1 · rest→stable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Code Review
This pull request updates the compliance audit script to support additional release channels (such as "next" and "ring") in addition to "stable" for the dev-lead workflow and agent reference. The reviewer noted that the script does not enforce that both the "uses:" pin and the "agent_ref" parameter use the exact same channel, which could lead to mismatched versions. A code suggestion was provided to extract the channel from the "uses:" pin and ensure "agent_ref" matches it.
Dev-Lead — fix-reviews (applied): Changes committed and pushed.
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: f29a6a4867b6ac500683fa8ed76a457d2788619a
Review mode: triage-approved (single reviewer)
Summary
Staged-canary rollout (dev-lead v1.4.0, versioning.md Phase 2 #499/#500): pins this repo's dev-lead caller to the moving dev-lead/ring0 channel and threads agent_ref: dev-lead/ring0, and teaches check_dev_lead_stub() in compliance-audit.sh to accept the dev-lead/{stable,next,ring<N>} channel set (still rejecting @main, @vX.Y.Z, and @<sha>). The audit now extracts the channel from the uses: pin and requires agent_ref to match that exact channel, closing the split-brain gap raised by gemini-code-assist. 185-line bats suite covers extraction, happy-path matching, and split-brain mismatch cases.
Linked issue analysis
No closingIssuesReferences. PR is part of the tracked #781/#499/#500 release rollout and is self-describing; companion PRs (.github-private#856 → next, TalkTerm#306 → ring1) named in the body. No linked issue to substantively close.
Findings
No blocking findings.
- Workflow pin moves from @main (bleeding edge) to the org-internal moving channel @dev-lead/ring0 — this is the intended self-host channel model, not a third-party-action SHA-pin concern. Same-org first-party reusable workflow.
- gemini-code-assist's split-brain concern (uses: vs agent_ref channel drift) is addressed: the audit extracts uses_channel and enforces agent_ref: dev-lead/$uses_channel exactly; falls back to the channel-set check only when no channel pin is found.
- Secret-scanning MCP tool not available in this run; gitleaks CI check passed and the diff (workflow YAML + shell regex + bats) contains no credential material.
- Note: mergeStateStatus is BEHIND main (mergeable=MERGEABLE) — needs a branch update before merge, not a review blocker.
CI status
All required checks green: Lint, ShellCheck, Agent Security Scan, Secret scan (gitleaks), Compliance Audit Tests (Lint and bats), CodeQL, SonarCloud (Quality Gate passed), AgentShield, CodeRabbit. Dependency-audit ecosystem jobs and dependabot-automerge SKIPPED (not applicable). No failing checks. No CHANGES_REQUESTED reviews; gemini COMMENTED, coderabbit DISMISSED.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Part of the staged canary rollout of dev-lead v1.4.0 (the #781 release + accumulated main), per versioning.md Phase 2 (#499/#500).
Two changes:
- .github/workflows/dev-lead.yml — pin the dev-lead caller to the new dev-lead/ring0 channel (+ agent_ref: dev-lead/ring0). This repo previously pinned @main (bleeding edge); ring0 gives it a controlled canary slot advanced/rolled-back by a central tag move.
- scripts/compliance-audit.sh (check_dev_lead_stub) — accept the staged-canary channels dev-lead/{stable,next,ring<N>} for the uses: pin and agent_ref, not just stable. Still rejects @main and frozen @vX.Y.Z/@<sha>. Required so ring-pinned consumers (TalkTerm→ring1) don't trip dev-lead-stub-pin.

Ring plan (all channels cut at dev-lead/v1.4.0; stable untouched): .github-private→next · .github→ring0 · TalkTerm→ring1 · everyone else→stable.

Companion PRs: petry-projects/.github-private#856 (next), petry-projects/TalkTerm#306 (ring1).
🤖 Generated with Claude Code
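The channel check the PR body and the bot review describe, written out as an added shell example (this is not the repository's compliance-audit.sh or its check_dev_lead_stub; it is illustrative code written here). It pulls the ref after @ on the dev-lead uses: line, rejects @main and frozen @vX.Y.Z/@<sha> pins, accepts only dev-lead/{stable,next,ring<N>}, and then requires agent_ref to name exactly the same channel, which is the split-brain case gemini-code-assist raised. The caller layout (a reusable-workflow path ending in dev-lead.yml, agent_ref under with:), the petry-projects path, the verdict names and the sample workflows are constructed assumptions, not taken from the repo.

```shell
#!/usr/bin/env bash
# Added example, not the project's compliance-audit.sh.
# Assumed (hypothetical) caller layout:
#   uses: petry-projects/.github/.github/workflows/dev-lead.yml@dev-lead/ring0
#   with:
#     agent_ref: dev-lead/ring0
set -u

# Moving channels a caller may pin: dev-lead/stable, dev-lead/next, dev-lead/ring<N>.
CHANNEL_RE='^dev-lead/(stable|next|ring[0-9]+)$'

# Print the ref after '@' on the dev-lead 'uses:' line (first match), or nothing.
# Other 'uses:' lines (e.g. actions/checkout@v4) are ignored.
dev_lead_uses_ref() {
  printf '%s\n' "$1" |
    sed -n -E 's/^[[:space:]]*uses:[[:space:]]*[^@[:space:]]*dev-lead\.yml@([^[:space:]]+).*$/\1/p' |
    head -n1
}

# Print the agent_ref value (quotes stripped), or nothing if absent.
dev_lead_agent_ref() {
  printf '%s\n' "$1" |
    sed -n -E 's/^[[:space:]]*agent_ref:[[:space:]]*"?([^"[:space:]]+)"?.*$/\1/p' |
    head -n1
}

# Classify one caller workflow. Prints a verdict and returns 0 only for "ok":
#   ok                 moving channel pin and agent_ref name the same channel
#   no-pin             no dev-lead uses: line found
#   rejected-main      pinned to @main (bleeding edge)
#   rejected-frozen    pinned to a release tag (vX.Y.Z) or a commit SHA
#   rejected-ref       some other ref outside the channel set
#   missing-agent-ref  channel pin present but no agent_ref passed
#   split-brain        agent_ref names a different channel than the uses: pin
check_dev_lead_stub() {
  local yaml=$1 uses_ref agent_ref
  uses_ref=$(dev_lead_uses_ref "$yaml")
  if [ -z "$uses_ref" ]; then echo no-pin; return 1; fi
  if [ "$uses_ref" = main ]; then echo rejected-main; return 1; fi
  if printf '%s' "$uses_ref" | grep -qE '^(v[0-9]+\.[0-9]+\.[0-9]+|[0-9a-f]{7,40})$'; then
    echo rejected-frozen; return 1
  fi
  if ! printf '%s' "$uses_ref" | grep -qE "$CHANNEL_RE"; then
    echo rejected-ref; return 1
  fi
  # The channel extracted from uses: is the single source of truth; agent_ref must equal it.
  agent_ref=$(dev_lead_agent_ref "$yaml")
  if [ -z "$agent_ref" ]; then echo missing-agent-ref; return 1; fi
  if [ "$agent_ref" != "$uses_ref" ]; then echo split-brain; return 1; fi
  echo ok
}

# Constructed sample callers (not the repo's real workflow files).
GOOD_CALLER='name: dev-lead
on: [pull_request]
jobs:
  dev-lead:
    steps:
      - uses: actions/checkout@v4
    uses: petry-projects/.github/.github/workflows/dev-lead.yml@dev-lead/ring0
    with:
      agent_ref: dev-lead/ring0'
SPLIT_BRAIN_CALLER='jobs:
  dev-lead:
    uses: petry-projects/.github/.github/workflows/dev-lead.yml@dev-lead/ring0
    with:
      agent_ref: dev-lead/stable'
MAIN_CALLER='jobs:
  dev-lead:
    uses: petry-projects/.github/.github/workflows/dev-lead.yml@main
    with:
      agent_ref: main'
FROZEN_CALLER='jobs:
  dev-lead:
    uses: petry-projects/.github/.github/workflows/dev-lead.yml@v1.4.0
    with:
      agent_ref: dev-lead/stable'

# Usage: print the verdict for each constructed caller.
for caller in "$GOOD_CALLER" "$SPLIT_BRAIN_CALLER" "$MAIN_CALLER" "$FROZEN_CALLER"; do
  check_dev_lead_stub "$caller" || true
done
```

The frozen-pin test fires before the channel-set test only so the verdict names why a ref was refused; any ref outside dev-lead/{stable,next,ring<N>} is rejected either way. Comparing the whole agent_ref against the whole uses: ref (rather than just the ring number) means a caller cannot pass dev-lead/stable as agent_ref while its workflow pin sits on ring0.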