fix: harden dbt review action version lookup and credential write

[anandgupta42]

What does this PR do?

Re-lands the github/review composite-action hardening onto main. These three follow-ups were surfaced by the multi-model review of #900 and were originally opened as #910 — but #910 was accidentally merged into #900's feature branch (fix/v0.8.4-dbt-review-launch) after #900 had already squash-merged to main, so the changes never reached main. This PR targets main directly and supersedes #910.

• Authenticate the release-version lookup. The fallback path (non-semver github.action_ref — a branch, SHA, or main) calls releases/latest unauthenticated (IP-limited to 60 req/hr). It now passes ${{ github.token }}, lifting the limit to 1,000 req/hr so busy runners aren't throttled into the latest fallback.
• Never cache a floating latest. When the version resolved to latest it was used as a static cache key, so one rate-limited/offline lookup pinned that binary forever. The cache step is now gated with if: steps.version.outputs.version != 'latest'; a resolved semver caches normally, latest falls through to a fresh install.
• Keep the hosted API key out of jq argv. The credential write read the key via --arg key "$IN_ALT_KEY" (visible in argv; printed under ACTIONS_STEP_DEBUG → set -x). It now reads from the environment inside the jq program ($ENV.IN_ALT_KEY).

None of these are regressions; the golden @vX.Y.Z path never hits the release-API lookup and is unaffected.

Type of change

• Bug fix / hardening (non-breaking change)
• New feature
• Breaking change
• Documentation

Issue for this PR

Closes #909

How did you verify your code works?

Four adversarial tests in release-v0.8.5-adversarial.test.ts (run the action's real shell with fake curl/jq on PATH):

• the release lookup attaches Authorization: Bearer <token> when GITHUB_TOKEN is present;
• it omits the header and still resolves the version when no token is set (verifies the ${AUTH[@]+"${AUTH[@]}"} empty-array idiom is safe under set -u, back to bash 3.2);
• the Cache altimate-code step is gated on steps.version.outputs.version != 'latest';
• the hosted-credential write keeps the API key out of the jq argv (asserts the secret is absent from captured args and the program uses $ENV.IN_ALT_KEY).

Local checks (all green on this branch, cherry-picked cleanly onto current main):

• bun test test/skill/release-v0.8.5-adversarial.test.ts → 13 pass.
• bun run script/upstream/analyze.ts --markers --base main --strict → ok.
• prettier --check on the changed test file → clean. Action YAML parses.

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (CHANGELOG)
• My changes generate no new warnings
• I have added tests that prove my fix is effective
• New and existing unit tests pass locally with my changes

🤖 Generated with Claude Code

---

Summary by cubic

Hardens the github/review composite action to reduce rate-limit failures, prevent stale binary caching, and keep the hosted API key out of process args. Improves reliability for busy runners and avoids secret exposure.

• Bug Fixes
  • Authenticates the releases/latest lookup with ${{ github.token }} to lift limits to 1,000 req/hr.
  • Skips caching when the resolved version is 'latest'; semver versions still cache normally.
  • Writes the hosted API key via env inside jq ($ENV.IN_ALT_KEY) instead of --arg to keep it out of argv and debug logs.
  • Semver tags (vX.Y.Z) continue to bypass the API lookup and behave as before.

^{Written for commit 981d238. Summary will update on new commits.}

Summary by CodeRabbit

• Bug Fixes

  • GitHub release-version lookup is now rate-limit resilient and authenticates with GitHub token
  • Fixed caching behavior when resolved version is "latest"

• Security

  • Hosted API key is no longer exposed in command-line arguments; now read from environment instead

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: cc3f6cc9-bbfb-4e5f-a807-509cabf7e629

📥 Commits

Reviewing files that changed from the base of the PR and between 3572f1c and 981d238.

📒 Files selected for processing (3)

• CHANGELOG.md
• github/review/action.yml
• packages/opencode/test/skill/release-v0.8.5-adversarial.test.ts

Disabled knowledge base sources:

• Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

---

📝 Walkthrough

Walkthrough

The PR hardens the altimate-code GitHub action for v0.8.5 by adding Bearer token authentication to the release lookup API call (lifting rate limits when GITHUB_TOKEN is available), skipping binary caching for the floating latest version, and moving the hosted Altimate API key from command-line jq arguments to environment variables for credential safety. Test coverage verifies all three behaviors.

Changes

GitHub Release Action Security & Resilience v0.8.5

Layer / File(s)	Summary
GitHub API Authentication and Conditional Caching github/review/action.yml, CHANGELOG.md	The version-resolution curl request conditionally includes an Authorization: Bearer header when GITHUB_TOKEN is present, lifting GitHub API rate limits. The "Cache altimate-code" step is gated to skip when the resolved version is latest, preventing stale binary pinning. Changelog documents the fix and repositions related entries.
Credential Security via Environment Variables github/review/action.yml, CHANGELOG.md	Altimate API key is sourced from the IN_ALT_KEY environment variable inside the jq program rather than passed via --arg, keeping the secret out of process argument visibility and debug output. Changelog adds a Security note.
Test Assertion Refactoring and Feature Coverage packages/opencode/test/skill/release-v0.8.5-adversarial.test.ts	Filesystem sentinel assertions are refactored to expanded forms. New tests verify Authorization header presence/absence based on token presence, cache step bypass for latest, and jq credential safety (asserting the API secret is absent from captured jq argv while structured inputs are received).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• Harden dbt review action: authenticate version lookup, skip latest-cache, keep API key out of jq argv #909: PR directly addresses the fixes for authenticated GitHub release lookup, conditional caching for floating versions, and environment-based credential handling to prevent argv exposure.

Suggested labels

contributor, needs-review:blocked

Poem

🐰 A token wrapped in Bearer's shield,
GitHub's rate-limit now revealed,
Secrets safe in env's embrace,
No argv trails to leave a trace,
Tests confirm each guardian dance.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dbt-review-action-hardening-main

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}