Fix route failure ocp#585
Conversation
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: M Sajid Mansoori <mmansoor@redhat.com>
📝 WalkthroughWalkthroughAdds a GitHub Actions workflow for PR comments that validates ChangesReady-for-review Slack workflow
MTA-846 live test skip
Sequence Diagram(s)sequenceDiagram
participant PR author
participant GitHub Actions workflow
participant GitHub API
participant "./.github/actions/slack-incoming-webhook"
PR author->>GitHub Actions workflow: /ready-for-review or /ready-for-review-reset comment
GitHub Actions workflow->>GitHub API: fetch PR details and labels
alt /ready-for-review-reset
GitHub Actions workflow->>GitHub API: delete ready-for-review-notified label
else /ready-for-review
GitHub Actions workflow->>GitHub API: post +1 reaction
GitHub Actions workflow->>./.github/actions/slack-incoming-webhook: send PR title, URL, and author
GitHub Actions workflow->>GitHub API: add ready-for-review-notified label
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Test Coverage ReportTotal: 47.6% Per-package coverage
Full function-level detailsPosted by CI |
Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr-ready-for-review-slack.yml:
- Around line 63-71: The label reset and notify paths are treating all gh api
failures as benign, which hides permission or API errors and breaks duplicate
suppression. Update the delete flow around the ready-for-review-notified label
and the label-writing logic in the notify path to distinguish “not found” from
real request failures, checking gh api exit status/output explicitly and
surfacing non-404 failures as workflow errors. Use the reset block and the
notification block in pr-ready-for-review-slack.yml as the targets to make
failure handling consistent and explicit.
- Around line 78-82: The duplicate-notification guard in the Slack workflow is
reading labels from the stale event payload, so a queued run can miss a label
added by an earlier job. Update the check in the workflow step that uses jq and
pr_number to fetch the PR’s current labels at runtime before deciding to skip,
then keep the existing should_notify=false and exit behavior when
ready-for-review-notified is already present.
- Around line 8-11: The workflow permissions are broader than needed because
pr-ready-for-review-slack only reads PR data and writes through issue APIs, so
reduce the pull-requests permission from write to read in the workflow
permissions block. Keep contents: read and issues: write unchanged, and adjust
the permissions near the top of the workflow so the gh api call for pull state
still works while limiting token scope.
- Around line 23-24: The Checkout step in the workflow uses a mutable
actions/checkout tag and keeps credentials persisted by default. Update the
Checkout step to reference the immutable SHA for actions/checkout instead of
actions/checkout@v4, and set persist-credentials to false since this workflow
does not need Git credentials after checkout. Use the Checkout step as the
locator for the change.
- Around line 108-110: The shell steps that call gh api in the workflow are
interpolating steps.guard.outputs.comment_id and steps.guard.outputs.pr_number
directly, which should be moved into env variables first and validated as
numeric before use. Update the affected run blocks around the gh api calls to
read from env, add a simple numeric check before constructing the API path, and
keep the logic localized to the guard output handling so the script does not
embed untrusted expressions directly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 921134dd-fc79-43c8-9c24-0a444638011b
📒 Files selected for processing (2)
.github/workflows/pr-ready-for-review-slack.ymle2e-tests/tests/tier0/mta_846_validate_single_incompatible_route_live_test.go
| - name: Checkout | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
ref_json="$(gh api repos/actions/checkout/git/ref/tags/v4)"
sha="$(jq -r '.object.sha' <<<"$ref_json")"
type="$(jq -r '.object.type' <<<"$ref_json")"
if [[ "$type" == "tag" ]]; then
gh api "repos/actions/checkout/git/tags/${sha}" --jq '.object.sha'
else
printf '%s\n' "$sha"
fiRepository: migtools/crane
Length of output: 193
Pin actions/checkout to an immutable SHA and disable credential persistence.
The actions/checkout@v4 tag currently resolves to commit 34e114876b0b11c390a56381ad16ebd13914f8d5. Pinning directly prevents unexpected changes if the tag is updated. Since this workflow does not require persisted Git credentials beyond the checkout step, set persist-credentials: false.
Rewrite
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-ready-for-review-slack.yml around lines 23 - 24, The
Checkout step in the workflow uses a mutable actions/checkout tag and keeps
credentials persisted by default. Update the Checkout step to reference the
immutable SHA for actions/checkout instead of actions/checkout@v4, and set
persist-credentials to false since this workflow does not need Git credentials
after checkout. Use the Checkout step as the locator for the change.
Source: Linters/SAST tools
There was a problem hiding this comment.
Not a part of this PR anymore.
There was a problem hiding this comment.
@msajidmansoori12, got it — thanks for the clarification. Since that workflow change is no longer part of #585, this comment doesn’t apply to the current PR.
|
/coderabbit summary |
* feat: add PR ready-for-review Slack notification workflow * feat: refine PR ready-for-review Slack workflow Co-authored-by: Cursor <cursoragent@cursor.com> * feat: improve ready-for-review Slack workflow * Skip route test for ocp because ocp has route resource Signed-off-by: M Sajid Mansoori <mmansoor@redhat.com> * chore: remove pr-ready-for-review slack workflow from branch Co-authored-by: Cursor <cursoragent@cursor.com> --------- Signed-off-by: M Sajid Mansoori <mmansoor@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Summary by CodeRabbit