Conversation
📝 WalkthroughWalkthroughUpdated the autofix workflow to a thread-aware, reviewer-guidance-first flow: resolve PR and repo coordinates, fetch CodeRabbit-authored, unresolved, non-outdated GitHub review threads via GraphQL (cursor pagination), present issues in original thread order, require per-issue local validation and explicit per-fix approval, create commits for applied fixes, and post conditional summary comments. Changes
Sequence Diagram(s)sequenceDiagram
participant CLI as CLI
participant GitHub as GitHub GraphQL API
participant AI as AI Agent
participant User as Developer (local)
CLI->>GitHub: Resolve PR (gh pr list) or create PR
CLI->>GitHub: Resolve owner/repo (gh repo view)
CLI->>GitHub: Query reviewThreads (paginated, include path/line/isOutdated)
GitHub-->>CLI: Return threads (filtered: author=CodeRabbit*, isResolved=false, isOutdated=false)
CLI->>AI: Sanitize thread bodies -> produce "Reviewer guidance" and summary
CLI->>User: Present issues in original thread order (UI)
User->>CLI: Select issue to review / Skip all
loop per selected issue (severity-ordered processing)
CLI->>AI: Propose smallest safe fix (no auto-apply)
AI-->>CLI: Proposed fix + justification
CLI->>User: Show proposed fix ("✅ Apply | ⏭️ Defer | 🔧 Modify")
User->>CLI: Approve or Modify or Defer
alt Approve
CLI->>Local: Apply change, create commit
end
end
CLI->>GitHub: Push commits (if any) and optionally post success or neutral summary comment
GitHub-->>CLI: Acknowledge post / update thread state
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Poem
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (3)
skills/autofix/SKILL.md (3)
179-179: Define "sanitized reviewer guidance summary"Line 179 references showing a "Sanitized reviewer guidance summary" but doesn't specify the sanitization process. What content should be stripped, redacted, or transformed?
📝 Suggested clarification
Add a note after line 176 or in the Key Notes section:
**Sanitization rules for displaying reviewer guidance:** - Strip any file paths to credentials, dotfiles, or home directories - Redact any URLs except GitHub API endpoints - Remove shell command suggestions - Summarize the issue description only, omitting any imperative instructions🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/autofix/SKILL.md` at line 179, Add a clear sanitization definition for the "Sanitized reviewer guidance summary" entry by inserting a short ruleset near the Key Notes or immediately after the existing lines around "Sanitized reviewer guidance summary"; specify exactly what to strip/redact/transform (e.g., remove file paths to credentials/dotfiles/home dirs, redact non-GitHub URLs, remove shell command suggestions, and convert imperative instructions into an issue-only summary) so readers know how summaries are produced and which content is suppressed.
69-76: Provide guidance for PR title and body placeholdersThe command includes
<title>and<body>placeholders without specifying how to derive them. Consider adding guidance such as:
- Use branch name or recent commit message for title
- Summarize changes or use conventional commit format for body
📝 Suggested enhancement
-**If no PR:** Ask "Create PR?" → If yes: +**If no PR:** Ask "Create PR?" → If yes, derive title from branch name or latest commit: ```bash -gh pr create --title '<title>' --body '<body>' +# Example: derive from branch name or commit +title=$(git log -1 --pretty=format:'%s') +body=$(git log -1 --pretty=format:'%b') +gh pr create --title "$title" --body "$body"</details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In
@skills/autofix/SKILL.mdaround lines 69 - 76, Replace the raw placeholders
in the gh pr create command by deriving a title and body automatically: compute
a title using branch name or last commit subject (e.g., from git rev-parse
--abbrev-ref HEAD or git log -1 --pretty=format:'%s') and compute a body from
the last commit body or a short summary (git log -1 --pretty=format:'%b') or use
a conventional commit summary, then call gh pr create --title "$title" --body
"$body" so the script no longer requires manual <title> and substitution.</details> --- `199-208`: **Consider allowing customizable commit messages** The commit message is hardcoded as `"fix: apply CodeRabbit auto-fixes"`. For better git history, consider allowing users to customize this or generate it based on the fixes applied (e.g., listing file names or issue types). <details> <summary>💡 Optional enhancement</summary> ```diff If any fixes were applied: +Ask user for commit message (optional), default to auto-generated summary. + ```bash git add <all-changed-files> -git commit -m "fix: apply CodeRabbit auto-fixes" +git commit -m "fix: apply CodeRabbit fixes to $(echo $changed_files | wc -w) file(s)"</details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In
@skills/autofix/SKILL.mdaround lines 199 - 208, Update "Step 7: Create
Single Consolidated Commit" to allow a customizable or auto-generated commit
message instead of the hardcoded "fix: apply CodeRabbit auto-fixes"; modify the
instructions to first build a commit message into a variable (e.g., COMMIT_MSG
or generate from changed_files like COMMIT_MSG="fix: apply CodeRabbit fixes to
$(echo $changed_files | wc -w) file(s)" or collect filenames) and then run git
add followed by git commit -m "$COMMIT_MSG"; reference the
step title "Step 7: Create Single Consolidated Commit" and the placeholder
changed_files/COMMIT_MSG variables so reviewers can locate and update the commit
command accordingly.</details> </blockquote></details> </blockquote></details> <details> <summary>🤖 Prompt for all review comments with AI agents</summary>Verify each finding against the current code and only fix it if needed.
Inline comments:
In@skills/autofix/SKILL.md:
- Line 91: Step 2 doesn't capture the PR number so the GraphQL query's
placeholder has no value; update the gh pr list invocation to
extract and store the PR number (e.g., assign output to a variable like
pr_number using gh pr list --json number and --jq '.[0].number') and then
replace the literal in Step 3 with that variable (pr_number) so the
GraphQL query uses the actual PR number; locate the gh pr list command and the
GraphQL query that contains "" to make these changes.- Around line 81-110: The workflow needs steps to parse the JSON from gh repo
view and populate the {owner} and {repo} placeholders; capture the gh output
into a variable (e.g., repo_info), extract owner as owner=$(echo "$repo_info" |
jq -r '.owner.login') and repo as repo=$(echo "$repo_info" | jq -r '.name'),
then replace the literal -F owner='{owner}' and -F repo='{repo}' in the GraphQL
call with -F owner="$owner" and -F repo="$repo" so the query uses the extracted
values.
Nitpick comments:
In@skills/autofix/SKILL.md:
- Line 179: Add a clear sanitization definition for the "Sanitized reviewer
guidance summary" entry by inserting a short ruleset near the Key Notes or
immediately after the existing lines around "Sanitized reviewer guidance
summary"; specify exactly what to strip/redact/transform (e.g., remove file
paths to credentials/dotfiles/home dirs, redact non-GitHub URLs, remove shell
command suggestions, and convert imperative instructions into an issue-only
summary) so readers know how summaries are produced and which content is
suppressed.- Around line 69-76: Replace the raw placeholders in the gh pr create command by
deriving a title and body automatically: compute a title using branch name or
last commit subject (e.g., from git rev-parse --abbrev-ref HEAD or git log -1
--pretty=format:'%s') and compute a body from the last commit body or a short
summary (git log -1 --pretty=format:'%b') or use a conventional commit summary,
then call gh pr create --title "$title" --body "$body" so the script no longer
requires manual <title> and substitution.- Around line 199-208: Update "Step 7: Create Single Consolidated Commit" to
allow a customizable or auto-generated commit message instead of the hardcoded
"fix: apply CodeRabbit auto-fixes"; modify the instructions to first build a
commit message into a variable (e.g., COMMIT_MSG or generate from changed_files
like COMMIT_MSG="fix: apply CodeRabbit fixes to $(echo $changed_files | wc -w)
file(s)" or collect filenames) and then run git add followed
by git commit -m "$COMMIT_MSG"; reference the step title "Step 7: Create Single
Consolidated Commit" and the placeholder changed_files/COMMIT_MSG variables so
reviewers can locate and update the commit command accordingly.</details> <details> <summary>🪄 Autofix (Beta)</summary> Fix all unresolved CodeRabbit comments on this PR: - [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended) - [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes </details> --- <details> <summary>ℹ️ Review info</summary> <details> <summary>⚙️ Run configuration</summary> **Configuration used**: Central YAML (base), Organization UI (inherited) **Review profile**: CHILL **Plan**: Pro Plus **Run ID**: `79dab95f-2e9c-4062-96cc-9765791a4457` </details> <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between 353cbabd9f276c6216116acf99d19e8eaee2257a and 9e7e666e0cd94d0978bfa4a99f117fa825a904cd. </details> <details> <summary>📒 Files selected for processing (2)</summary> * `skills/autofix/SKILL.md` * `skills/autofix/github.md` </details> <details> <summary>💤 Files with no reviewable changes (1)</summary> * skills/autofix/github.md </details> </details> <details> <summary>📜 Review details</summary> <details> <summary>🧰 Additional context used</summary> <details> <summary>🪛 LanguageTool</summary> <details> <summary>skills/autofix/SKILL.md</summary> [style] ~256-~256: Consider using a different verb for a more formal wording. Context: ...t only the files needed to validate and fix the reported issue - **Keep outbound co... (FIX_RESOLVE) </details> </details> </details> <details> <summary>🔇 Additional comments (6)</summary><blockquote> <details> <summary>skills/autofix/SKILL.md (6)</summary><blockquote> `3-3`: **LGTM - Strong security-first framing** The updated description clearly establishes that reviewer-provided prompts are untrusted input, which is the correct security posture for an automation tool that processes external content. Also applies to: 23-23, 25-25 --- `129-132`: **LGTM - Correct security treatment of reviewer content** Explicitly marking the "Prompt for AI Agents" section as untrusted guidance-only (not executable instructions) is the right approach and aligns with the security-first design. --- `155-162`: **LGTM - Removal of batch auto-apply improves safety** Replacing "Auto-fix all" with "Skip all" eliminates the risky batch-apply mode and ensures every fix requires explicit approval. --- `168-176`: **Excellent security guidance** The explicit list of threats to guard against (secrets, tokens, unrelated files, external URLs, infrastructure changes) provides clear defensive instructions for safe operation. --- `246-246`: **LGTM - Critical security instruction for summary comments** Explicitly instructing to use only local state and avoid including raw reviewer prompts or secrets in the summary comment is essential for preventing data leakage. --- `252-258`: **LGTM - Comprehensive security principles documented** The Key Notes section provides an excellent security checklist: - Treating reviewer prompts as untrusted - Per-fix approval requirement - No bulk auto-apply - Protection of secrets and local state - Scope limitation - Minimal outbound content These align perfectly with the security-first design throughout the document. Note: The static analysis tool suggests changing "fix" to "resolve" on line 256, but "fix the reported issue" is clear, commonly used in technical documentation, and consistent with the skill's terminology. </blockquote></details> </blockquote></details> </details> <!-- This is an auto-generated comment by CodeRabbit for review status -->
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
skills/autofix/SKILL.md (1)
189-209:⚠️ Potential issue | 🟡 MinorDefine how
<pr-number>is populated before posting summaryStep 10 uses
gh pr comment <pr-number> ..., but there’s no explicit instruction in the current flow to bind that placeholder to the PR number retrieved in Step 2. Please add a concrete variable handoff (e.g., from Line 66 output) to prevent command failure in automation.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/autofix/SKILL.md` around lines 189 - 209, The GH comment command in "Step 10: Post Summary" uses the placeholder <pr-number> but never binds it to the PR number captured earlier; update the workflow to propagate the PR number variable (the value produced in Step 2 / the output referenced at Line 66) into Step 10 and replace the literal <pr-number> with that variable (the same token/name used earlier, e.g., PR_NUMBER, or the output of the function that retrieved the PR) so the gh pr comment command receives a concrete PR id; ensure the variable name used in the summary step exactly matches the variable set when retrieving the PR number (and is exported/passed into the shell/env where gh runs).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/autofix/SKILL.md`:
- Around line 131-132: Resolve the contradiction between "For each 'Fix' issue
(CRITICAL first)" and "preserve `gh pr view` order" by choosing and documenting
one canonical ordering rule: either (A) execution order sorts fixes by severity
(CRITICAL first) while display/order shown in `gh pr view` is preserved, or (B)
both execution and display use `gh pr view` order; update the SKILL.md text
around the phrases "For each 'Fix' issue (CRITICAL first):" and "preserve `gh pr
view` order" to explicitly state the chosen rule and, if choosing separate
behaviors, clearly label which applies to execution vs display. Ensure the new
wording removes ambiguity and consistently references "Fix" processing and `gh
pr view` ordering throughout the document.
---
Duplicate comments:
In `@skills/autofix/SKILL.md`:
- Around line 189-209: The GH comment command in "Step 10: Post Summary" uses
the placeholder <pr-number> but never binds it to the PR number captured
earlier; update the workflow to propagate the PR number variable (the value
produced in Step 2 / the output referenced at Line 66) into Step 10 and replace
the literal <pr-number> with that variable (the same token/name used earlier,
e.g., PR_NUMBER, or the output of the function that retrieved the PR) so the gh
pr comment command receives a concrete PR id; ensure the variable name used in
the summary step exactly matches the variable set when retrieving the PR number
(and is exported/passed into the shell/env where gh runs).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: 915fba37-e49e-4732-a757-83b6e307006b
📒 Files selected for processing (2)
README.mdskills/autofix/SKILL.md
✅ Files skipped from review due to trivial changes (1)
- README.md
📜 Review details
🧰 Additional context used
🪛 LanguageTool
skills/autofix/SKILL.md
[style] ~221-~221: Consider using a different verb for a more formal wording.
Context: ...t only the files needed to validate and fix the reported issue - **Keep outbound co...
(FIX_RESOLVE)
🔀 Multi-repo context coderabbitai/bitbucket
::shell:none
#!/bin/bash
echo "No further commands; summarizing findings."
Findings:
-
package.json scripts reference ts-autofix (used post-openapi generation):
- package.json: lines around script entries for "postopenapi-typescript:cloud" and "postopenapi-typescript:server" and dependency "ts-autofix". [::coderabbitai/bitbucket::]
-
pnpm-lock and package.json list ts-autofix package (dependency entry). [::coderabbitai/bitbucket::]
-
No usage of GitHub CLI flow ("gh pr view") or GraphQL reviewThreads found in repository search results. (Search for "gh pr view", "reviewThreads" returned no matches.) [::coderabbitai/bitbucket::]
-
README mentions CodeRabbit and the package
@coderabbitai/bitbucket; no docs referencing the previous autofix/github workflow. [::coderabbitai/bitbucket::]
Conclusion:
- The PR's documentation/workflow changes are relevant only insofar as this repo invokes "ts-autofix" as a post-generation tool. There are no code-level consumers of the SKILL.md GitHub CLI flow or GraphQL review-thread extraction in this repository. Recommend verifying whether the "ts-autofix" CLI/automation used here relies on any behavior described in the removed github.md (e.g., automated batch apply vs. manual prompts).
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
skills/autofix/SKILL.md (1)
242-266:⚠️ Potential issue | 🟡 MinorClarify how to populate placeholders in the summary comment.
The example heredoc (lines 247-262) contains placeholders like
<file-count>,<issue-count>,<commit-sha>, and<branch-name>, and line 264 instructs "Write this comment from local state only." However, the workflow doesn't document how to replace these placeholders with actual values before posting the comment.📝 Recommended documentation addition
Add clarification before the code block:
### Step 10: Post Summary **REQUIRED after all issues reviewed:** + +Populate the following from local state: +- `<file-count>`: Number of files modified +- `<issue-count>`: Number of issues fixed +- `<commit-sha>`: Result of `git rev-parse HEAD` +- `<branch-name>`: Result of `git branch --show-current` + +Example implementation: ```bash +file_count=$(git diff --name-only HEAD~1 | wc -l) +issue_count=<tracked-from-step-6> +commit_sha=$(git rev-parse HEAD) +branch_name=$(git branch --show-current) + -gh pr comment "$pr_number" --body "$(cat <<'EOF' +gh pr comment "$pr_number" --body "$(cat <<EOF ## Fixes Applied Successfully -Fixed <file-count> file(s) based on <issue-count> CodeRabbit feedback item(s). +Fixed ${file_count} file(s) based on ${issue_count} CodeRabbit feedback item(s). **Files modified:** - \`path/to/file-a.ts\` - \`path/to/file-b.ts\` -**Commit:** \`<commit-sha>\` +**Commit:** \`${commit_sha}\` -The latest autofix changes are on the \`<branch-name>\` branch. +The latest autofix changes are on the \`${branch_name}\` branch. EOF )"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/autofix/SKILL.md` around lines 242 - 266, The HEREDOC example uses placeholders (<file-count>, <issue-count>, <commit-sha>, <branch-name>) but doesn't show how to populate them; update the SKILL.md snippet so the script computes file_count (e.g., via git diff --name-only HEAD~1 | wc -l), commit_sha (git rev-parse HEAD), branch_name (git branch --show-current), and sets issue_count from the tracked value produced in step 6, then interpolate those variables (e.g., ${file_count}, ${issue_count}, ${commit_sha}, ${branch_name}) into the gh pr comment HEREDOC used by gh pr comment so the posted message is built from local state only and contains no raw reviewer prompts or secret-bearing output.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/autofix/SKILL.md`:
- Around line 66-77: The workflow currently extracts pr_number using the jq
expression but doesn't show the null/empty check; update the documented script
around the pr_number assignment to explicitly validate it (check if pr_number is
empty or equals "null") before proceeding to the "If no PR" branch so the flow
uses a conditional like testing the pr_number variable and then runs the PR
creation steps (title/body from git log and gh pr create) when the check fails;
reference the pr_number variable and the existing gh pr list/ jq invocation to
locate where to add this check.
---
Outside diff comments:
In `@skills/autofix/SKILL.md`:
- Around line 242-266: The HEREDOC example uses placeholders (<file-count>,
<issue-count>, <commit-sha>, <branch-name>) but doesn't show how to populate
them; update the SKILL.md snippet so the script computes file_count (e.g., via
git diff --name-only HEAD~1 | wc -l), commit_sha (git rev-parse HEAD),
branch_name (git branch --show-current), and sets issue_count from the tracked
value produced in step 6, then interpolate those variables (e.g., ${file_count},
${issue_count}, ${commit_sha}, ${branch_name}) into the gh pr comment HEREDOC
used by gh pr comment so the posted message is built from local state only and
contains no raw reviewer prompts or secret-bearing output.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: 7648486c-a1ca-4690-aed2-dd1a358e60c2
📒 Files selected for processing (2)
README.mdskills/autofix/SKILL.md
✅ Files skipped from review due to trivial changes (1)
- README.md
📜 Review details
🧰 Additional context used
🪛 LanguageTool
skills/autofix/SKILL.md
[style] ~274-~274: Consider using a different verb for a more formal wording.
Context: ...t only the files needed to validate and fix the reported issue - **Keep outbound co...
(FIX_RESOLVE)
🔀 Multi-repo context coderabbitai/bitbucket
Linked repositories findings
coderabbitai/bitbucket
-
package.json — post-openapi scripts invoke ts-autofix:
- package.json:scripts:"postopenapi-typescript:cloud" calls
ts-autofix ./src/cloud/openapiand thenpnpm run lint:fix([::coderabbitai/bitbucket::package.json:47]) - package.json:scripts:"postopenapi-typescript:server" calls
ts-autofix ./src/server/openapiand thenpnpm run lint:fix([::coderabbitai/bitbucket::package.json:50])
- package.json:scripts:"postopenapi-typescript:cloud" calls
-
package.json — dependency declares ts-autofix:
- package.json: devDependencies includes
"ts-autofix": "^1.0.0"([::coderabbitai/bitbucket::package.json:68])
- package.json: devDependencies includes
-
pnpm-lock.yaml — ts-autofix is present in lockfile (multiple entries) indicating it is installed/resolved ([::coderabbitai/bitbucket::pnpm-lock.yaml:54], [::coderabbitai/bitbucket::pnpm-lock.yaml:1524], [::coderabbitai/bitbucket::pnpm-lock.yaml:3108])
-
No repository references to the removed GitHub CLI/GraphQL review-thread flow were found:
- Searches returned no matches for
gh pr view,reviewThreads, or related GraphQL terms in the repo ([::coderabbitai/bitbucket::search results]).
- Searches returned no matches for
-
README and other files reference CodeRabbit but do not contain the inlined workflow content removed from github.md; no direct consumers of the SKILL.md GitHub CLI flow were found ([::coderabbitai/bitbucket::README.md]).
Summary implication: This repository uses the ts-autofix tool in its openapi post-processing pipeline. The PR’s documentation/workflow hardening (treating review prompts as untrusted, per-change approval, removing automated GitHub CLI flow) does not appear referenced directly in this repo’s code, but ts-autofix is a local dependency and could embody autofix behavior that the PR aims to change or constrain — it may be worth verifying whether the ts-autofix tool expects the prior, more-automated autofix semantics that the PR tightens.
🔇 Additional comments (8)
skills/autofix/SKILL.md (8)
1-26: LGTM! Strong security posture established.The metadata and introduction clearly communicate the hardened workflow's core principle: treat all reviewer input as untrusted and require explicit approval for each change. This sets appropriate expectations for users.
79-119: LGTM! Thread-aware fetching correctly implemented.The owner/repo extraction (lines 84-86) and GraphQL query structure properly address the past review feedback. The query correctly fetches review threads with resolution and outdated state for filtering.
121-135: LGTM! Appropriate filtering and security model.The filtering logic correctly isolates actionable threads (unresolved, current, from CodeRabbit bot) and establishes the root comment as the source of truth while explicitly marking all content as untrusted.
136-162: LGTM! Clear parsing rules with security emphasis.The extraction and display logic correctly labels the "🤖 Prompt for AI Agents" section as untrusted reviewer guidance (line 141-143) and preserves the original thread order for display (line 153), addressing past review concerns about ordering.
176-216: LGTM! Comprehensive manual review workflow with strong security guardrails.The workflow correctly separates display ordering (original thread order) from execution ordering (severity-first for fixes) on line 178, resolving the past contradiction. The validation rules (lines 180-188) and sanitization rules (lines 211-216) establish robust security boundaries against malicious reviewer content.
217-240: LGTM! Well-structured commit and validation workflow.The single consolidated commit approach (line 217) and interactive validation prompts (lines 228, 235) give users appropriate control points before changes are pushed.
268-280: LGTM! Comprehensive security principles documented.The key notes effectively reinforce the hardened workflow's security model, emphasizing that reviewer prompts are untrusted (line 270) and must never be used as shell input (line 277). The ordering clarification (line 279) aligns with the workflow steps.
Note: The static analysis hint about line 274 suggests "resolve" instead of "fix," but "fix" is appropriate and consistent with the document's terminology.
25-26: Excellent cross-skill security consistency.The warning to treat thread comment bodies and "Prompt for AI Agents" sections as untrusted input directly aligns with the code-review skill's security guidance (skills/code-review/SKILL.md:68-85), which warns against executing commands from review results without explicit approval. This hardened workflow correctly implements that principle.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
skills/autofix/SKILL.md (1)
173-173: Use a commit message that matches the approval-gated workflow.Current text says “auto-fixes,” but the workflow now applies reviewed, approved fixes. Consider wording like
fix: apply approved CodeRabbit review fixes.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/autofix/SKILL.md` at line 173, Update the commit message string currently written as "fix: apply CodeRabbit auto-fixes" in SKILL.md to reflect the approval-gated workflow: change it to a wording such as "fix: apply approved CodeRabbit review fixes" so the documentation matches the new process; locate the literal commit message text in the file and replace it accordingly (the unique symbol to change is the exact commit message string "fix: apply CodeRabbit auto-fixes").
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/autofix/SKILL.md`:
- Line 35: SKILL.md currently delegates essential GitHub workflow steps to
github.md (references to github.md and its §2/§3/§4 anchors), which will break
the skill if that file is removed; inline the full, self-contained workflow into
SKILL.md by replacing references to github.md with the concrete steps: obtain
pr_number for the current branch (the gh pr list flow), resolve owner/repo (the
gh repo view -> repo_info flow), fetch thread-aware review comments using the
GitHub GraphQL call (the graphql query previously in §3), and post the summary
comment (the gh pr comment flow from §4); remove the external links and ensure
the inlined steps appear where the github.md references were (lines noted in the
comment) so the skill is executable without external files.
---
Nitpick comments:
In `@skills/autofix/SKILL.md`:
- Line 173: Update the commit message string currently written as "fix: apply
CodeRabbit auto-fixes" in SKILL.md to reflect the approval-gated workflow:
change it to a wording such as "fix: apply approved CodeRabbit review fixes" so
the documentation matches the new process; locate the literal commit message
text in the file and replace it accordingly (the unique symbol to change is the
exact commit message string "fix: apply CodeRabbit auto-fixes").
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: fe3be974-2d69-443c-98b5-1c0df2abf36a
📒 Files selected for processing (2)
skills/autofix/SKILL.mdskills/autofix/github.md
🚧 Files skipped from review as they are similar to previous changes (1)
- skills/autofix/github.md
📜 Review details
🧰 Additional context used
🔀 Multi-repo context coderabbitai/bitbucket
Findings for coderabbitai/bitbucket
-
package.json: post-openapi scripts call ts-autofix for generated OpenAPI types:
- "postopenapi-typescript:cloud": "ts-autofix ./src/cloud/openapi && pnpm run lint:fix"
- "postopenapi-typescript:server": "ts-autofix ./src/server/openapi && pnpm run lint:fix"
[::coderabbitai/bitbucket::package.json]
-
package.json devDependencies declare ts-autofix (^1.0.0) (potential consumer of autofix semantics changed by the PR).
[::coderabbitai/bitbucket::package.json] -
pnpm-lock.yaml contains entries for ts-autofix (shows it is resolved/installed here).
[::coderabbitai/bitbucket::pnpm-lock.yaml] -
Repository search found no references to GitHub CLI/GraphQL review thread usage (no matches for gh pr, reviewThreads) — suggests the PR’s GitHub workflow changes are documentation/workflow-level and not directly referenced in this repo’s code.
[::coderabbitai/bitbucket::search results]
Implication: The primary cross-repo impact is that this repo uses the ts-autofix tool in its post-openapi pipeline; if the PR changes expected autofix behaviors or the public workflow of autofix tools, verify ts-autofix’s behavior/contract (or update package usage) to ensure the hardened workflow/documentation changes don’t conflict with CI scripts that invoke automatic fixes.
There was a problem hiding this comment.
Actionable comments posted: 2
♻️ Duplicate comments (1)
skills/autofix/SKILL.md (1)
35-35:⚠️ Potential issue | 🟠 MajorAvoid referencing
github.md; keepSKILL.mdfully canonicalThis line reintroduces dependency on
github.mdand conflicts with the “inline workflow + remove github.md” direction. Please remove the cross-reference and keep only one authoritative procedure here.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/autofix/SKILL.md` at line 35, Remove the cross-reference to github.md in SKILL.md so SKILL.md remains the single canonical, executable workflow; specifically edit the sentence "Reusable GitHub command primitives are also mirrored in [github.md](./github.md), but this skill remains fully executable from `SKILL.md` alone." to drop the bracketed link and any mention of github.md, leaving a statement that the skill is fully executable from SKILL.md only (ensure no other lines in SKILL.md reference github.md).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@skills/autofix/github.md`:
- Line 5: The file skills/autofix/github.md is reintroducing a second source of
truth; remove this file (or replace its content with a single redirect/note) and
ensure any references to the helper point to SKILL.md instead so the `autofix`
skill uses the inlined workflow in SKILL.md; update any callers or documentation
that referenced skills/autofix/github.md to reference SKILL.md (or the `autofix`
section inside it) to prevent drift.
- Around line 41-42: The docs instruct rerunning with `-F cursor="$end_cursor"`
but don't show parsing/looping on `pageInfo.hasNextPage`/`endCursor`, which can
drop threads after 100; update the procedure to (1) make an initial GraphQL
request without `-F cursor=...`, (2) parse the response's `pageInfo.hasNextPage`
and `pageInfo.endCursor` for the reviewThreads connection, (3) if `hasNextPage`
is true set `-F cursor="$endCursor"` for the next request and repeat until
`hasNextPage` is false, and (4) accumulate results across pages so all review
threads are returned (refer to the `-F cursor` flag, `pageInfo.hasNextPage`, and
`pageInfo.endCursor` in the docs).
---
Duplicate comments:
In `@skills/autofix/SKILL.md`:
- Line 35: Remove the cross-reference to github.md in SKILL.md so SKILL.md
remains the single canonical, executable workflow; specifically edit the
sentence "Reusable GitHub command primitives are also mirrored in
[github.md](./github.md), but this skill remains fully executable from
`SKILL.md` alone." to drop the bracketed link and any mention of github.md,
leaving a statement that the skill is fully executable from SKILL.md only
(ensure no other lines in SKILL.md reference github.md).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: 9b098c21-18ff-4403-a324-158eaedbd216
📒 Files selected for processing (2)
skills/autofix/SKILL.mdskills/autofix/github.md
📜 Review details
🧰 Additional context used
🪛 LanguageTool
skills/autofix/SKILL.md
[uncategorized] ~35-~35: The official name of this software platform is spelled with a capital “H”.
Context: ...ommand primitives are also mirrored in github.md, but this skill remain...
(GITHUB)
[uncategorized] ~35-~35: The official name of this software platform is spelled with a capital “H”.
Context: ...imitives are also mirrored in github.md, but this skill remains fully execu...
(GITHUB)
[style] ~152-~152: This phrasing could be wordy, so try replacing it with something more concise.
Context: ...es"))) | length ' ``` If the count is greater than 0: Inform "⏳ Review in progress, try ...
(MORE_THAN_EXCEEDS)
[style] ~318-~318: Consider using a different verb for a more formal wording.
Context: ...t only the files needed to validate and fix the reported issue - **Keep outbound co...
(FIX_RESOLVE)
skills/autofix/github.md
[grammar] ~3-~3: Use a hyphen to join words.
Context: ...dling rules for CodeRabbit review-thread based skills. Use this helper when a sk...
(QB_NEW_EN_HYPHEN)
🔀 Multi-repo context coderabbitai/bitbucket
Linked repositories findings
coderabbitai/bitbucket
-
package.json defines post-openapi scripts that invoke ts-autofix:
- "postopenapi-typescript:cloud": "ts-autofix ./src/cloud/openapi && pnpm run lint:fix"
- "postopenapi-typescript:server": "ts-autofix ./src/server/openapi && pnpm run lint:fix"
[::coderabbitai/bitbucket::package.json:47,50]
-
ts-autofix is declared as a devDependency and is present in pnpm-lock.yaml (ts-autofix@1.0.0), so CI/local pipelines will run the ts-autofix tool as part of the OpenAPI generation flow.
[::coderabbitai/bitbucket::package.json:68][::coderabbitai/bitbucket::pnpm-lock.yaml:1524] -
Repository search found no usages of the GitHub CLI/GraphQL reviewThreads workflow primitives introduced by the PR (no matches for "gh pr" or "reviewThreads"), indicating the PR's GitHub workflow documentation/behavior changes are not referenced in this codebase. The main cross-repo surface is the ts-autofix invocation.
[::coderabbitai/bitbucket::rg search results]
Implication: The PR hardening autofix documentation/workflow is relevant because this repository invokes ts-autofix in automated post-openapi steps. Reviewers should ensure the hardened workflow/expectations for autofix tools (no auto-apply, per-change approval, sanitized prompts, etc.) do not conflict with CI scripts that expect ts-autofix to automatically modify generated code. Verification may include confirming ts-autofix's runtime behavior/version and whether its contract changed or requires CI/script updates.
There was a problem hiding this comment.
♻️ Duplicate comments (2)
skills/autofix/SKILL.md (1)
35-35:⚠️ Potential issue | 🟠 MajorRemove the
github.mdmirror reference to keepSKILL.mdcanonical.Even with “fully executable” wording, this keeps dual documentation alive and conflicts with the “inline + remove
github.md” objective. MakeSKILL.mdthe only source and drop this cross-reference.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/autofix/SKILL.md` at line 35, Remove the cross-reference to github.md so SKILL.md is the canonical source: edit the sentence containing "Reusable GitHub command primitives are also mirrored in [github.md](./github.md), but this skill remains fully executable from `SKILL.md` alone." and delete the bracketed mirror reference (or remove the whole clause), leaving SKILL.md as the sole source; ensure the final text no longer mentions github.md anywhere in SKILL.md.skills/autofix/github.md (1)
5-5:⚠️ Potential issue | 🟠 Major
github.mdremains a second source of truth and conflicts with PR intent.This line explicitly keeps
skills/autofix/github.mdas an ongoing companion, which contradicts the objective to inline workflow intoSKILL.mdand remove this file. Please remove this file (or reduce it to a one-line redirect) to avoid future drift in safety-critical workflow instructions.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@skills/autofix/github.md` at line 5, The file skills/autofix/github.md is acting as a secondary source of truth and conflicts with the intended single-source SKILL.md; remove skills/autofix/github.md from the repo (or replace its contents with a single-line redirect referencing SKILL.md) so all thread-aware PR feedback workflow is maintained only in SKILL.md; ensure any references or imports that mention skills/autofix/github.md are updated to point to SKILL.md (search for usages of "skills/autofix/github.md" or functions/classes that expect that file and update them).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@skills/autofix/github.md`:
- Line 5: The file skills/autofix/github.md is acting as a secondary source of
truth and conflicts with the intended single-source SKILL.md; remove
skills/autofix/github.md from the repo (or replace its contents with a
single-line redirect referencing SKILL.md) so all thread-aware PR feedback
workflow is maintained only in SKILL.md; ensure any references or imports that
mention skills/autofix/github.md are updated to point to SKILL.md (search for
usages of "skills/autofix/github.md" or functions/classes that expect that file
and update them).
In `@skills/autofix/SKILL.md`:
- Line 35: Remove the cross-reference to github.md so SKILL.md is the canonical
source: edit the sentence containing "Reusable GitHub command primitives are
also mirrored in [github.md](./github.md), but this skill remains fully
executable from `SKILL.md` alone." and delete the bracketed mirror reference (or
remove the whole clause), leaving SKILL.md as the sole source; ensure the final
text no longer mentions github.md anywhere in SKILL.md.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: aa6ac431-8590-47d8-8cbf-ae7eb32abd32
📒 Files selected for processing (2)
skills/autofix/SKILL.mdskills/autofix/github.md
📜 Review details
🧰 Additional context used
🪛 LanguageTool
skills/autofix/github.md
[grammar] ~3-~3: Use a hyphen to join words.
Context: ...dling rules for CodeRabbit review-thread based skills. Use this helper when a sk...
(QB_NEW_EN_HYPHEN)
skills/autofix/SKILL.md
[uncategorized] ~35-~35: The official name of this software platform is spelled with a capital “H”.
Context: ...ommand primitives are also mirrored in github.md, but this skill remain...
(GITHUB)
[uncategorized] ~35-~35: The official name of this software platform is spelled with a capital “H”.
Context: ...imitives are also mirrored in github.md, but this skill remains fully execu...
(GITHUB)
[style] ~166-~166: This phrasing could be wordy, so try replacing it with something more concise.
Context: ...es"))) | length ' ``` If the count is greater than 0: Inform "⏳ Review in progress, try ...
(MORE_THAN_EXCEEDS)
[style] ~332-~332: Consider using a different verb for a more formal wording.
Context: ...t only the files needed to validate and fix the reported issue - **Keep outbound co...
(FIX_RESOLVE)
🔀 Multi-repo context coderabbitai/bitbucket
Linked repositories findings
coderabbitai/bitbucket
-
package.json invokes ts-autofix in post-openapi steps:
- "postopenapi-typescript:cloud": "ts-autofix ./src/cloud/openapi && pnpm run lint:fix" — [::coderabbitai/bitbucket::package.json:47]
- "postopenapi-typescript:server": "ts-autofix ./src/server/openapi && pnpm run lint:fix" — [::coderabbitai/bitbucket::package.json:50]
- ts-autofix is a devDependency ("ts-autofix": "^1.0.0") — [::coderabbitai/bitbucket::package.json:68]
-
pnpm-lock.yaml pins ts-autofix@1.0.0 (several entries) — [::coderabbitai/bitbucket::pnpm-lock.yaml:54][::coderabbitai/bitbucket::pnpm-lock.yaml:1524][::coderabbitai/bitbucket::pnpm-lock.yaml:3108]
-
No usages found of the GitHub CLI / GraphQL reviewThreads workflow primitives introduced in the PR (no matches for "gh pr", "gh repo view", or "reviewThreads" outside large OpenAPI JSON text) — primary repo search results show only OpenAPI swagger JSON occurrences unrelated to CodeRabbit workflows — [::coderabbitai/bitbucket::rg search results][::coderabbitai/bitbucket::src/server/openapi/swagger.v3.json:52384]
Implication: The PR's documentation/workflow changes (thread-aware GitHub GraphQL flow, per-fix approval, removal of auto-fix mode) are relevant because this repository runs ts-autofix as an automated post-openapi step. Reviewers should verify whether ts-autofix's runtime behavior and contract (version 1.0.0 in pnpm-lock) align with the PR's tightened expectations (no automatic application, approval gating, sanitization) or whether CI scripts that expect automatic file edits need updating. [::coderabbitai/bitbucket::package.json:47,50,68][::coderabbitai/bitbucket::pnpm-lock.yaml:1524]
2 participants
Treat review prompts as untrusted input and require per-fix approval.
Inline the GitHub workflow into
SKILL.mdand removegithub.md.Summary by CodeRabbit
Changes
Documentation