Walkthrough
This PR updates external tool versions and configuration pins, then adds a Makefile-based mechanism to override the GitHub Actions sync workflow's cron schedule via a configurable variable, enabling teams to customize sync timing without manual workflow file edits.
Changes
Dependency and Workflow Updates
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~8 minutes
🚥 Pre-merge checks: ✅ 5 passed
Pull request overview
Updates the repository’s Rhiza template reference to v0.11.0 and syncs template-managed metadata/configuration accordingly, including tooling and workflow dependencies.
Changes:
- Bump Rhiza template reference from `v0.10.9` to `v0.11.0` (and update lock SHA/ref + sync timestamp).
- Add a configurable `RHIZA_SYNC_SCHEDULE` override mechanism applied post-sync to `.github/workflows/rhiza_sync.yml`.
- Update Rhiza tooling version and bump `docker/login-action` used in the release workflow.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.rhiza/template.yml` | Points the repo at Rhiza template branch `v0.11.0`. |
| `.rhiza/template.lock` | Locks the template ref/SHA to `v0.11.0` and records latest sync time. |
| `.rhiza/rhiza.mk` | Adds `RHIZA_SYNC_SCHEDULE` and an internal target to rewrite the sync workflow cron after `make sync`. |
| `.rhiza/.rhiza-version` | Updates the Rhiza tool version used by `uvx rhiza>=...` in workflows/Make targets. |
| `.github/workflows/rhiza_release.yml` | Bumps `docker/login-action` patch/minor version for container registry login. |
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/rhiza_release.yml:
- Line 372: Replace the mutable tag reference "uses: docker/login-action@v4.2.0"
with a pinned commit SHA for docker/login-action (e.g., "uses:
docker/login-action@<full-commit-sha>"); to do this, look up the exact commit
SHA for the v4.2.0 release in the docker/login-action repository (or use the
latest secure commit you intend) and substitute that SHA so the workflow uses
the immutable ref instead of the tag.
In @.rhiza/rhiza.mk:
- Around line 111-115: The Make target _apply-sync-schedule uses a sed regex
that fails to match the YAML list-item shape (“- cron: '...'”); update the sed
substitution in _apply-sync-schedule so it accepts an optional leading list
marker (the hyphen plus optional whitespace), allows optional whitespace
before/after the cron key, and robustly handles single-quoted, double-quoted, or
unquoted cron scalars when replacing the schedule value (ensure the replacement
writes the new RHIZA_SYNC_SCHEDULE value back as a valid YAML scalar).
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: cf3a521f-044e-46c9-aef4-8fb69ebaab1e
⛔ Files ignored due to path filters (1)
- `.rhiza/template.lock` is excluded by `!**/*.lock`
📒 Files selected for processing (4)
- `.github/workflows/rhiza_release.yml`
- `.rhiza/.rhiza-version`
- `.rhiza/rhiza.mk`
- `.rhiza/template.yml`
| - name: Login to Container Registry | ||
| if: steps.check_publish.outputs.should_publish == 'true' | ||
| uses: docker/login-action@v4.1.0 | ||
| uses: docker/login-action@v4.2.0 |
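Review bot: the added `uses: docker/login-action@v4.2.0` line still resolves through a tag, and a tag can be moved to a different commit after this PR merges. This step handles registry credentials, so pin it to the full commit SHA of the release and keep the version as a trailing comment (`# v4.2.0`) so reviewers and update tooling can still see which release the hash corresponds to.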
Pin docker/login-action to a full commit SHA, not a mutable tag.
Using @v4.2.0 violates the pinned-action policy and weakens supply-chain guarantees. Please pin to the exact commit digest for this release.
Suggested change
```diff
- uses: docker/login-action@v4.2.0
+ uses: docker/login-action@<full_commit_sha_for_v4.2.0>
```
```bash
#!/bin/bash
# Read-only check for unpinned GitHub Actions references in workflows.
rg -nP '^\s*uses:\s*[^@]+@(?:v?\d+(?:\.\d+){0,2}|main|master)$' .github/workflows
```
🧰 Tools
🪛 zizmor (1.25.2)
[error] 372-372: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| _apply-sync-schedule: ## (internal) apply RHIZA_SYNC_SCHEDULE override to GitHub Actions sync workflow | ||
| @if [ "$(RHIZA_SYNC_SCHEDULE)" != "0 0 * * 1" ] && [ -f .github/workflows/rhiza_sync.yml ]; then \ | ||
| sed -i.bak "s|cron: '[^']*'|cron: '$(RHIZA_SYNC_SCHEDULE)'|" .github/workflows/rhiza_sync.yml && rm -f .github/workflows/rhiza_sync.yml.bak; \ | ||
| printf "${BLUE}[INFO] Applied custom sync schedule: $(RHIZA_SYNC_SCHEDULE)${RESET}\n"; \ | ||
| fi |
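Review bot: `$(RHIZA_SYNC_SCHEDULE)` is expanded by make directly into the double-quoted `sed` program and into the `printf` format string on the next line, so a value containing `|`, `&`, `'`, `"`, `%` or `$` alters the sed expression, the format string, or the shell command itself. Validate the value against a cron-shaped allowlist before using it, and pass it to `printf` as an argument behind a `%s` rather than inside the format. The `[INFO] Applied custom sync schedule` message is also printed whether or not `sed` matched anything, and the unanchored `cron: '[^']*'` pattern rewrites every line that contains such a pair, so check the file for the new value before reporting success.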
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify current cron line style in workflow and whether current sed pattern can match it.
# Expected: cron line exists and uses single quotes if keeping current implementation.
if [ -f .github/workflows/rhiza_sync.yml ]; then
  rg -n 'cron:' .github/workflows/rhiza_sync.yml
else
  echo ".github/workflows/rhiza_sync.yml not found in this checkout"
fi
```
Repository: tschm/cs
Length of output: 99
Adjust cron substitution to match the current YAML list-item shape while improving quote/style robustness.
- `.github/workflows/rhiza_sync.yml` currently contains `- cron: '0 0 * * 1'`, so the existing `sed` replacement (`cron: '[^']*'`) should apply today.
- The proposed `sed` regex anchored to `^[[:space:]]*cron:` would not match this line because it doesn’t allow the leading `-` list marker—if making this more resilient, include that prefix and handle single-quoted, double-quoted, and/or unquoted YAML scalars.
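One way to write the cron rewrite that the review above asks for, as an added example that is not code from this PR or from Rhiza. The function name `apply_sync_schedule`, the five-field allowlist and the sample workflow text are assumptions made for illustration; it validates the value before it reaches `sed`, accepts the `- cron:` list-item shape with single-quoted, double-quoted or unquoted scalars, and replaces the file only when the rewrite took effect.

```shell
#!/bin/sh
# Added example, not the project's code. apply_sync_schedule is a hypothetical name.
# Usage: apply_sync_schedule '<cron expression>' <workflow file>
apply_sync_schedule() {
    schedule=$1
    file=$2
    # Allowlist: exactly one line of five fields built from digits and * / , -
    # Anything else (quotes, &, ~, $, backslash) could change the sed program.
    lines=$(printf '%s\n' "$schedule" | wc -l)
    if [ "$lines" -ne 1 ] ||
       ! printf '%s\n' "$schedule" | grep -Eq '^[0-9*/,-]+( [0-9*/,-]+){4}$'; then
        printf 'rejected schedule: %s\n' "$schedule" >&2
        return 2
    fi
    [ -f "$file" ] || return 3
    tmp=$(mktemp) || return 1
    # Optional indentation, optional "- " list marker, then the cron key.
    key='^([[:space:]]*(-[[:space:]]+)?cron:[[:space:]]*)'
    # One expression per scalar style: single-quoted, double-quoted, unquoted.
    sed -E \
        -e "s~${key}'[^']*'~\\1'${schedule}'~" \
        -e "s~${key}\"[^\"]*\"~\\1'${schedule}'~" \
        -e "s~${key}[^'\"[:space:]#][^#]*\$~\\1'${schedule}'~" \
        "$file" > "$tmp"
    # Replace the workflow only if a line now carries the new quoted value.
    if grep -Fq -- "'${schedule}'" "$tmp"; then
        cat "$tmp" > "$file"   # keeps the original file mode
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    printf 'no cron entry rewritten in %s\n' "$file" >&2
    return 4
}

# Constructed sample: the list-item shape quoted in the review.
demo() {
    f=$(mktemp)
    printf "on:\n  schedule:\n    - cron: '0 0 * * 1'\n" > "$f"
    apply_sync_schedule '30 5 * * 3' "$f" && grep 'cron:' "$f"
    rm -f "$f"
}
demo
```

An unquoted value followed by a trailing `#` comment is left untouched and reported through the non-zero return code rather than guessed at.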
Summary
make sync
🤖 Generated with Claude Code