fix(ci): implement issue #419 labeler hardening

[ashleyshaw]

Closes #419

What changed

• Removed the dormant actions/labeler@v5 execution path from .github/workflows/labeling.yml
• Added fail-fast config schema validation before labeling execution
• Added scripts/validation/validate-labeling-configs.cjs for labels.yml, issue-types.yml, and labeler.yml
• Updated workflow/governance/migration docs to reflect unified labeling runtime

Validation

• node scripts/validation/validate-labeling-configs.cjs
• npx spectral lint .github/workflows/labeling.yml --ruleset .spectral-workflows.cjs
• npx markdownlint-cli2 docs/WORKFLOWS.md docs/AUTOMATION_GOVERNANCE.md docs/MIGRATION.md

Summary by CodeRabbit

• Chores

  • Enhanced labeling workflow with automated configuration validation at runtime to ensure consistency and prevent misconfigurations.
  • Removed deprecated labeling action in favor of a unified labeling agent approach.

• Documentation

  • Updated automation governance and workflow documentation to reflect the refined labeling process and new validation requirements.
  • Added migration notes documenting the labeling workflow improvements.

[coderabbitai]

Warning

Review limit reached

@ashleyshaw, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 99270b8e-c89c-4c85-848d-71ee4c157db5

📥 Commits

Reviewing files that changed from the base of the PR and between 7f2349c and 7928c71.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• docs/MIGRATION.md
• package.json

Note

.coderabbit.yml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized keys: "auto_labels", "auto_assign", "auto_review"

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

📝 Walkthrough

Walkthrough

The PR hardens the labeling automation by introducing a Node.js schema validator that enforces YAML structure constraints on three canonical configuration files, integrates this validator as a CI fail-fast gate in the labeling workflow before label assignment, removes the deprecated actions/labeler action, and documents the workflow changes.

Changes

Labeling Workflow Hardening with Schema Validation

Layer / File(s)	Summary
Configuration schema validator implementation scripts/validation/validate-labeling-configs.cjs	New CLI script validates .github/labels.yml, .github/issue-types.yml, and .github/labeler.yml schemas: labels and issue-types require specific array shapes with name/label fields; labeler.yml enforces each rule set contains at least one of head-branch or changed-files. Fails with exit code 1 on parse or validation errors.
Workflow validation gate and labeler cleanup .github/workflows/labeling.yml	Adds a "Validate labeling config schema" step that runs the new validator after npm ci, establishing a fail-fast CI gate. Removes the previously disabled actions/labeler@v5 step, leaving only the unified labeling.agent.js for label assignment.
Documentation of workflow hardening and migration notes docs/WORKFLOWS.md, docs/AUTOMATION_GOVERNANCE.md, docs/MIGRATION.md	WORKFLOWS.md documents the pre-label validation guardrail. AUTOMATION_GOVERNANCE.md removes the actions/labeler@v5 reference. MIGRATION.md adds a dated entry (2026-05-27) explaining the retirement of actions/labeler@v5, unified runtime location, and new CI validation gate.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• [Build/CI] Re-enable actions/labeler with canonical schema-compatible config #419: This PR directly addresses the labeler hardening and schema validation concerns by retiring actions/labeler, adding runtime schema validation for the three canonical YAML files, and centralizing label assignment to labeling.agent.js.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description covers key changes and validation steps but lacks critical sections from the template like Risk Assessment, How to Test, and Checklist items required for release automation.	Add Risk Assessment (level and impact), How to Test section with prerequisites and test steps, and complete the global DoD checklist to meet template requirements.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: implementing issue #419 labeler hardening by removing the dormant actions/labeler step and adding schema validation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/issue-419-labeler-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request retires the native actions/labeler@v5 in favor of a unified labeling agent runtime, and introduces a fail-fast validation script (validate-labeling-configs.cjs) to verify configuration schemas before execution. The feedback suggests strengthening the validation script by adding type checks for optional label fields (such as color, description, and aliases) and verifying that head-branch and changed-files are strings or arrays of strings to prevent runtime issues.

[gemini-code-assist]

The current validation for labels.yml only checks the presence of the name field. However, label definitions can also include color, description, and aliases (as seen in docs/AUTOMATION_GOVERNANCE.md).

Adding type checks for these fields prevents runtime issues in the labeling agent. Specifically, validating that color is a string is crucial because unquoted numeric hex colors (e.g., 123456) are parsed as numbers by js-yaml, which can corrupt the hex value.

function assertLabelConfig(labels) {
  if (!Array.isArray(labels)) {
    fail(".github/labels.yml must be an array");
  }
  labels.forEach((item, index) => {
    if (typeof item === "string") return;
    if (!item || typeof item !== "object" || typeof item.name !== "string") {
      fail("Invalid labels.yml entry at index " + index);
    }
    if (item.color !== undefined && typeof item.color !== "string") {
      fail("color in labels.yml entry at index " + index + " must be a string (wrap in quotes if numeric)");
    }
    if (item.description !== undefined && typeof item.description !== "string") {
      fail("description in labels.yml entry at index " + index + " must be a string");
    }
    if (item.aliases !== undefined) {
      if (!Array.isArray(item.aliases) || item.aliases.some(a => typeof a !== "string")) {
        fail("aliases in labels.yml entry at index " + index + " must be an array of strings");
      }
    }
  });
}

[gemini-code-assist]

The current validation for labeler.yml only checks for the presence of head-branch or changed-files keys, but does not validate their types. If these fields are misconfigured (e.g., set to a boolean, number, or an array containing non-string values), it could cause runtime errors or unexpected behavior in the labeling agent.

Adding type validation ensures that both fields are either a string or an array of strings.

function assertLabelerConfig(labeler) {
  if (!labeler || typeof labeler !== "object" || Array.isArray(labeler)) {
    fail(".github/labeler.yml must be an object map");
  }

  for (const [label, rules] of Object.entries(labeler)) {
    if (!rules || typeof rules !== "object" || Array.isArray(rules)) {
      fail("Rule for '" + label + "' must be an object");
    }

    const hasHeadBranch = Object.prototype.hasOwnProperty.call(
      rules,
      "head-branch"
    );
    const hasChangedFiles = Object.prototype.hasOwnProperty.call(
      rules,
      "changed-files"
    );

    if (!hasHeadBranch && !hasChangedFiles) {
      fail(
        "Rule for '" + label + "' must include at least one of 'head-branch' or 'changed-files'"
      );
    }

    if (hasHeadBranch) {
      const val = rules["head-branch"];
      if (typeof val !== "string" && !Array.isArray(val)) {
        fail("head-branch in rule for '" + label + "' must be a string or an array");
      }
      if (Array.isArray(val) && val.some(v => typeof v !== "string")) {
        fail("head-branch array in rule for '" + label + "' must contain only strings");
      }
    }

    if (hasChangedFiles) {
      const val = rules["changed-files"];
      if (typeof val !== "string" && !Array.isArray(val)) {
        fail("changed-files in rule for '" + label + "' must be a string or an array");
      }
      if (Array.isArray(val) && val.some(v => typeof v !== "string")) {
        fail("changed-files array in rule for '" + label + "' must contain only strings");
      }
    }
  }
}

[github-actions]

🔍 Reviewer Summary for PR #427

CI Status: ❌ pending
Files changed: 7

Recommendations

• CI checks not green

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/MIGRATION.md`:
- Around line 94-95: Update the prose to UK English by replacing the phrase
"labeling workflow" with "labelling workflow" while keeping code identifiers
unchanged (leave `actions/labeler@v5`, `labeler.yml` and filenames like
`labeling.agent.js` intact); edit the sentence containing "actions/labeler@v5
execution was retired from the labeling workflow..." so it reads "...retired
from the labelling workflow..." and ensure no other code tokens are modified.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: da8d6596-8c03-4180-9c43-7007fb267a1d

📥 Commits

Reviewing files that changed from the base of the PR and between 6c41bab and 7f2349c.

📒 Files selected for processing (5)

• .github/workflows/labeling.yml
• docs/AUTOMATION_GOVERNANCE.md
• docs/MIGRATION.md
• docs/WORKFLOWS.md
• scripts/validation/validate-labeling-configs.cjs

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use UK English in prose for consistency.

Please change “labeling workflow” to “labelling workflow” in this sentence (keep code identifiers like labeling.agent.js unchanged).

As per coding guidelines, "Keep wording in UK English."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/MIGRATION.md` around lines 94 - 95, Update the prose to UK English by
replacing the phrase "labeling workflow" with "labelling workflow" while keeping
code identifiers unchanged (leave `actions/labeler@v5`, `labeler.yml` and
filenames like `labeling.agent.js` intact); edit the sentence containing
"actions/labeler@v5 execution was retired from the labeling workflow..." so it
reads "...retired from the labelling workflow..." and ensure no other code
tokens are modified.

[github-actions]

🔍 Reviewer Summary for PR #427

CI Status: ✅ success
Files changed: 7

Recommendations

• Ready to proceed pending human review

[github-actions]

🔍 Reviewer Summary for PR #427

CI Status: ❌ pending
Files changed: 7

Recommendations

• CI checks not green

[github-actions]

🔍 Reviewer Summary for PR #427

CI Status: ❌ pending
Files changed: 5

Recommendations

• CI checks not green