feat(standards): fleet caller stubs for the idea→initiative pipeline#499
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Review limit reached
More reviews will be available in 12 minutes and 50 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
Code Review
This pull request introduces the GitHub Advanced Security (GHAS) Standard document detailing org-wide enablement, licensing, and verification procedures, alongside cross-reference updates in other standards. It also adds three new workflow stubs for central automation. Feedback focuses on correcting the gh api jq filters to properly parse the code_security_configurations payload and refining the canary cleanup script to avoid accidentally resolving unrelated open security alerts.
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
|
Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-20T19:47:42Z. |
Dev-Lead — review-changes (applied)Changes committed and pushed. |
Adds the public-repo half of the fleet enablement (epic petry-projects/.github-private#817): thin caller stubs + dispatch reusables so any BMAD-enabled repo can run the idea→initiative pipeline against its own Discussions, while the BMAD frameworks and planning logic stay vendored once in .github-private. - initiative-planner: on `idea:approved` (trusted actor), re-dispatch the central BMAD Scrum Master with the host repo as target_repo (closes the real deliverable of #820 — #828 only landed a lint.yml fix). - idea-triage / idea-enhancer: weekly + new-Discussion triggers that dispatch the central target_repo-parameterized workflows (the real deliverable of #821). All three follow the pr-review-mention pattern (thin stub → reusable that dispatches to .github-private). claude-code-action can't run on `discussion` events, so the reusables dispatch the central workflow_dispatch rather than plan inline. Stubs are adoptable templates (like feature-ideation.yml), not in DEPLOYABLE_WORKFLOWS — BMAD repos opt in. Channel tags (initiative-planner/stable, idea-triage/stable, idea-enhancer/stable) to be cut on release. Refs petry-projects/.github-private#817, #820, #821 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
bb91743 to
20d8f80
Compare
|
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
|
@donpetry-bot please review — code-owner approval needed to merge. CI is green; this PR adds only the three idea→initiative fleet caller stubs + their dispatch reusables. |
|
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 20d8f80a071d619942105584d611cf7a561eef19
Review mode: triage-approved (single reviewer)
Summary
Adds 6 new workflow files (3 thin caller stubs under standards/workflows/ + 3 dispatch reusables under .github/workflows/) that fleet-enable the idea→initiative pipeline by re-dispatching the central petry-projects/.github-private workflows with the caller repo as target_repo. Additive only (376 lines, 0 deletions). Confirms the triage low-risk assessment.
Linked issue analysis
No linked closing issues (closingIssuesReferences empty). PR body references epic .github-private#817 and prior PRs #820/#821 as context; this PR is the public-repo deliverable those .github-private runs could not create. Scope matches the stated intent — caller stubs + dispatch reusables, no central logic duplicated.
Findings
No blocking findings. Workflows are well-hardened: (1) all untrusted inputs (actor login, discussion number, target repo) are passed via env: rather than inline ${{ }} expansion, avoiding script injection; (2) the privileged initiative-planner validates the discussion number against ^[1-9][0-9]$ before the gh call and gates dispatch behind a trusted-actor check (collaborators/{actor}/permission API, admin|write only); (3) permissions: {} on every job; (4) PAT-presence guards fail fast. The reusables are pinned to moving channel tags (@/stable) rather than SHAs — this is the documented, intentional org pattern for first-party reusable workflows (mirrors pr-review-mention), not an action-pinning violation. secrets: inherit is the established pattern for these stubs. Stale Gemini inline comments target standards/advanced-security.md, which is not in this diff, and were already addressed by the author. MCP secret-scan was unavailable (permission not granted); noted and non-blocking — the gitleaks CI check passed and the files contain only references to secrets.GH_PAT_WORKFLOWS, no secret values.
CI status
All checks green: CodeQL Analyze (actions) SUCCESS, AgentShield SUCCESS, Agent Security Scan SUCCESS, SonarCloud Quality Gate passed (0 new issues, 0 security hotspots), Secret scan (gitleaks) SUCCESS, ShellCheck SUCCESS, Lint SUCCESS. Dependency-audit language jobs SKIPPED (no matching ecosystems). mergeStateStatus is BLOCKED solely due to the required org-leads team review (REVIEW_REQUIRED human gate), not any failing check.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 20d8f80a071d619942105584d611cf7a561eef19
Review mode: triage-approved (single reviewer)
Summary
Adds 6 new, additive workflow files (376 lines, 0 deletions): 3 thin caller stubs under standards/workflows/ (idea-enhancer, idea-triage, initiative-planner) plus their 3 dispatch reusables under .github/workflows/. The stubs are adoptable templates (not in DEPLOYABLE_WORKFLOWS); the reusables re-dispatch the central petry-projects/.github-private pipeline workflows with the caller repo as target_repo. Confirms the triage low-risk assessment.
Linked issue analysis
No linked closing issues (closingIssuesReferences empty). PR body references epic .github-private#817 and prior PRs #820/#821 as context — this PR is the public-repo deliverable those .github-private dev-lead runs could not create (they lack write access here). Scope matches the stated intent: caller stubs + dispatch reusables only, with no central planning logic duplicated.
Findings
No blocking findings. Workflows are well-hardened: (1) every untrusted input (actor login, discussion number, target repo, central repo) is passed via env: rather than inline ${{ }} expansion in run scripts, avoiding script injection; (2) initiative-planner-reusable validates the discussion number against ^[1-9][0-9]$ before the gh call and gates dispatch behind a trusted-actor check (collaborators/{actor}/permission API, admin|write only) since the discussion 'labeled' payload carries no author_association; (3) permissions: {} on every job; (4) PAT-presence guards fail fast; (5) idea-enhancer-reusable's discussion trigger is scoped to the 'ideas' category and skips Bot-authored discussions. The reusables are pinned to moving channel tags (@/stable), the documented org pattern for first-party reusable workflows (mirrors pr-review-mention) and explicitly mandated by the stub headers — not an action-pinning violation. secrets: inherit is the established stub pattern. Advisory bots returned nothing actionable: SonarCloud passed (0 issues/hotspots), Codex and CodeRabbit were rate-limited, and the Gemini inline comments target standards/advanced-security.md, which is not in this diff. MCP secret-scan was unavailable (permission not granted) — noted and non-blocking; the gitleaks CI check passed and the diff contains only references to secrets.GH_PAT_WORKFLOWS, no secret values.
CI status
All required checks green: CodeQL Analyze (actions) SUCCESS, AgentShield SUCCESS, Agent Security Scan SUCCESS, SonarCloud Quality Gate passed, Secret scan (gitleaks) SUCCESS, ShellCheck SUCCESS, Lint SUCCESS, pr-auto-review check-and-dispatch SUCCESS, dev-lead dispatch SUCCESS. Dependency-audit language jobs (npm/pnpm/pip/cargo/go) SKIPPED — no matching ecosystems. reviewDecision is APPROVED; merge remains gated on the required human/org-leads review, not any failing check.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
…n audit (#503) * ci(dev-lead): pin .github caller to @dev-lead/ring0 + teach audit ring channels Staged canary rollout of dev-lead v1.4.0 (versioning.md Phase 2, #499/#500). - .github/workflows/dev-lead.yml: pin the dev-lead caller to the new dev-lead/ring0 channel (+ agent_ref: dev-lead/ring0). This repo previously pinned @main (bleeding edge); ring0 gives it a controlled canary slot that rolls forward/back via a central tag move. - scripts/compliance-audit.sh (check_dev_lead_stub): accept the staged-canary channels dev-lead/{stable,next,ring<N>} for both the uses: pin and agent_ref, not just stable. Still rejects @main and frozen @vX.Y.Z/@<sha> (callers must pin a moving channel). Needed so ring-pinned consumers (e.g. TalkTerm@ring1) aren't flagged dev-lead-stub-pin. Ring plan: .github-private→next · .github→ring0 · TalkTerm→ring1 · rest→stable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
…DR (#869) (#520) * docs(standards): formalize the agent canary-ring/soak/promotion model + ADR (#869) The rings model in ci-standards.md was documented aspirationally and as a cut-release.sh-only (manual) process. dev-lead v1.4.0 has now shipped end-to-end through the automated, health-gated pipeline, so promote the standard to match: - Ring table → the canonical host-relative model: next=host, ring0=other org-infra repo, ring1=named low-traffic consumers, stable=rest. Points at canary-rings.json as the membership SoT. - "Rollout status" → reflects the built automation: canary-rollout.sh + the 4h evaluate / dispatch-gated promote, the concrete soak gate (healthy >= ceil(baseline/7) AND failure-rate <= baseline, no floor), rollback mechanics, and the codified release-channel-tags ruleset (apply-rulesets.sh). - New ADR docs/initiatives/agent-canary-rings-adr.md — records the decision + rationale (immutable releases + moving channels, host-relative rings, health-gated promotion, circular-dependency fix). DRAFT until the host-repo implementation PRs land (.github-private #878 canary-rollout, #889 ruleset codify, #880 SHA-pin guardrail) — this standard references them. Closes #869. Refs #495, #499, #500, #501, #502, #868. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(bot): address bot feedback [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>



Summary
Adds the public-repo half of fleet-enabling the idea→initiative pipeline (epic
petry-projects/.github-private#817, Option A). Three thin caller stubs + their dispatch reusables let any BMAD-enabled repo run the pipeline against its own Ideas Discussions, while the BMAD frameworks and planning logic stay vendored once in.github-private.This delivers the pieces that the
.github-private-side PRs (#827, #828, #829) could not create — dev-lead runs there can't write to this public repo, so #820 closed on only alint.ymlone-liner and #821 closed with its public stubs still missing. This PR is their real deliverable.What's here
standards/workflows/).github/workflows/)initiative-planner.ymlinitiative-planner-reusable.ymldiscussion [labeled] idea:approved(trusted actor) → dispatch central planner withtarget_repo=<host>idea-triage.ymlidea-triage-reusable.ymltarget_repo=<host>idea-enhancer.ymlidea-enhancer-reusable.ymltarget_repo=<host>Design
pr-review-mention.claude-code-actionaborts ondiscussionevent contexts (the feat: implement issue #580 — Retire/delineate the detection-based apply-rulesets.sh — it diverges from the codified ruleset (#575 debt) #591 root cause), so the reusables re-dispatch the centralworkflow_dispatchrather than plan inline.target_repoparameterization (now onmainvia #827/#829) + theGH_PAT_WORKFLOWSPAT for dispatch (GITHUB_TOKEN can't start aworkflow_dispatchrun — loop prevention).feature-ideation.yml, these are not inDEPLOYABLE_WORKFLOWS. BMAD repos opt in (the S8 pilot/rollout drives adoption). No fanout on merge.Release follow-ups (not in this PR)
initiative-planner/stable,idea-triage/stable,idea-enhancer/stable(+vX.Y.Z) so adopting repos'@*/stablepins resolve..github-private#825) adds theci-standards.mdsection + pipeline-doc diagram + one-repo pilot.#818, GitHub App creds) refines the cross-repo token fromGH_PAT_WORKFLOWSto a least-privilege App token.Refs
petry-projects/.github-private#817,#820,#821🤖 Generated with Claude Code