ci(pre-commit): auth tflint via GITHUB_TOKEN + retry transient flakes (closes #564)

[cristim]

Summary

Fixes the recurring Run pre-commit CI failure (issue #564) caused by terraform_tflint's tflint --init hitting the GitHub Releases API anonymously. Two-part fix:

1. Expose secrets.GITHUB_TOKEN to the Run pre-commit step. tflint --init reads GITHUB_TOKEN natively; with it set the rate limit jumps from 60/hr per shared runner IP to 5000/hr per workflow-run token. Eliminates the rate-limit failure class entirely.

2. Wrap with nick-fields/retry@v3.0.2 (SHA-pinned at ce71cc2ab81d554ebbe88c79ab5975992d79ba08 per project policy feedback_sha_pin_current_major.md): 3 attempts with 90s wait, 15-minute timeout. Defense-in-depth for the residual transient flakes (GitHub Releases availability blips, plugin download timeouts) that the token cannot fix.

Most recent observation of this failure: PR #696's pre-commit job. The actual code in that PR was clean; only this CI-infra hook tripped.

Diff

.github/workflows/pre-commit.yml (+21/-1):

• Added GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} to the step's env: block.
• Changed the step from run: to uses: nick-fields/retry@<SHA> # v3.0.2 with command: carrying the previous shell line.
• Comment block explains both the token fix (issue ci(pre-commit): tflint --init hits GitHub anonymous rate limit; pass GITHUB_TOKEN to authenticate plugin downloads #564 root cause) and the retry wrapper (defense in depth).

Test plan

• Local YAML parses (python3 -c "import yaml; yaml.safe_load(...)")
• CI's own Run pre-commit job for this PR is the first end-to-end test (this commit is intentionally tiny and self-validating)
• Three consecutive CI runs across PRs in the same hour all pass without a tflint rate-limit failure (post-merge observation; acceptance criterion from ci(pre-commit): tflint --init hits GitHub anonymous rate limit; pass GITHUB_TOKEN to authenticate plugin downloads #564)

Cross-references

• Closes ci(pre-commit): tflint --init hits GitHub anonymous rate limit; pass GITHUB_TOKEN to authenticate plugin downloads #564
• Triggered by the PR fix(ri-exchange): picker UI + offering-id validation + AWS 4xx mapping (closes #695) #696 failure mode
• Memory entries applied: feedback_sha_pin_current_major.md (SHA-pinned action), feedback_ci_tool_version_pin.md (tflint version is already pinned elsewhere in the workflow)

Summary by CodeRabbit

• Chores
  • Improved reliability of pre-commit checks in CI by adding retry attempts and increasing step timeouts.
  • Extended overall workflow timeout to allow longer runs and accommodate retries.
  • Set authentication for hook downloads to ensure terraform/tflint-related hooks can fetch resources while preserving an existing skip for terraform validation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 42be5662-a42a-4c0d-9f24-d8424a77f0e3

📥 Commits

Reviewing files that changed from the base of the PR and between 607afea and dc639b6.

📒 Files selected for processing (1)

• .github/workflows/pre-commit.yml

---

📝 Walkthrough

Walkthrough

The workflow job-level timeout was raised to 35 minutes. The Run pre-commit step now runs via nick-fields/retry@v3, exposes GITHUB_TOKEN in the step environment, preserves SKIP: terraform_validate, and configures retry params: timeout_minutes: 10, max_attempts: 3, retry_wait_seconds: 90.

Changes

Pre-commit Retry and Token Configuration

Layer / File(s)	Summary
Job timeout and pre-commit retry wrapper .github/workflows/pre-commit.yml	Job-level timeout-minutes increased to 35. Run pre-commit is wrapped with nick-fields/retry@v3, sets GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} in the step env, keeps SKIP: terraform_validate, and configures timeout_minutes: 10, max_attempts: 3, retry_wait_seconds: 90 while invoking pre-commit run --all-files via the wrapper.

Sequence Diagram

sequenceDiagram
  participant Runner
  participant RetryAction as nick-fields/retry
  participant PreCommit as pre-commit
  participant GitHubAPI as GitHub_API
  Runner->>RetryAction: start step (env: GITHUB_TOKEN, SKIP: terraform_validate)
  RetryAction->>PreCommit: run "pre-commit run --all-files" (command)
  PreCommit->>GitHubAPI: fetch plugin releases (uses GITHUB_TOKEN for auth)
  RetryAction->>RetryAction: on failure, wait 90s and retry (max 3 attempts, timeout 10m per attempt)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

urgency/this-sprint, effort/s

Poem

🐰 I hopped into CI, brave and spry,
I gave the token a wink and a try,
When hooks would stall,
I retried them all,
Now pre-commit hops past rate-limit sky.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding GITHUB_TOKEN authentication and retry logic to fix tflint rate-limit failures.
Linked Issues check	✅ Passed	The PR exposes GITHUB_TOKEN to the Run pre-commit step as required by issue #564, enabling authenticated tflint requests to GitHub API.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the tflint rate-limit issue; no out-of-scope modifications detected beyond the stated objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/564-tflint-token

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pre-commit.yml:
- Around line 202-204: The retry configuration is inconsistent: you set retry
plugin params timeout_minutes: 15, max_attempts: 3, retry_wait_seconds: 90 while
the overall job has timeout-minutes: 15, so retries may never run; either reduce
timeout_minutes in the nick-fields/retry block to a value that allows up to 3
attempts within the job cap (e.g., ~4 minutes per attempt accounting for
retry_wait_seconds) or increase the job-level timeout-minutes to cover
max_attempts * timeout_minutes + retry waits; update the keys timeout_minutes,
max_attempts, and/or the job's timeout-minutes accordingly to ensure the retry
policy can actually execute all attempts.

🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 490f2372-a613-4999-9f33-df2e4c9085f9

📥 Commits

Reviewing files that changed from the base of the PR and between 423e87c and 607afea.

📒 Files selected for processing (1)

• .github/workflows/pre-commit.yml

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

The agent generated fixes only for .github/workflows/ files, which cannot be committed due to permission restrictions. Please apply these changes manually.

---

⚠️ 1 file(s) could not be committed — the agent does not have permission to push to .github/workflows/. Please apply these changes manually:

.github/workflows/pre-commit.yml — 1 change:

Lines 199–205

           SKIP: terraform_validate
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          timeout_minutes: 15
+          timeout_minutes: 4
           max_attempts: 3
           retry_wait_seconds: 90
           command: pre-commit run --all-files

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.