ci: keep release please PRs green#450
Walkthrough: Validator now normalizes PR bodies and detects Release Please–generated release-branch PRs to skip template checks. The pr-template-check workflow passes PR head ref and head repo to the validator. Release-please commit uses Changes: Release Please, PR Template Validation
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/desktop/scripts/ci/pr-template-check.js`:
- Around line 32-36: The Release-Please bypass in isReleasePleasePr (and the
other similar checks at the other occurrences) trusts only headRef and body,
which is spoofable; update isReleasePleasePr to also validate provenance by
requiring options.head?.repo?.full_name equals the trusted repository name (pass
that value from the workflow via env into options, e.g., github_repository) and
optionally check options.actor is a trusted bot; change the function to verify
options.headRef.startsWith(RELEASE_PLEASE_HEAD_PREFIX) &&
isReleasePleaseGeneratedBody(body) && options.head?.repo?.full_name ===
options.trustedRepo (and/or a trusted actor check), and wire the workflow env
values into options when invoking this function and the other occurrences at the
noted locations so only bona fide release-please PRs can bypass validation.
📒 Files selected for processing (5)
- .github/workflows/pr-template-check.yml
- .github/workflows/release-please.yml
- apps/desktop/scripts/ci/pr-template-check.js
- apps/desktop/tests/ci/pr-template-check.test.js
- apps/desktop/tests/ci/release-workflow-environments.test.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
- GitHub Check: CodeQL (javascript-typescript)
- GitHub Check: CodeQL (rust)
- GitHub Check: Rust Checks
- GitHub Check: Frontend Quality
- GitHub Check: Frontend Tests
- GitHub Check: Desktop E2E Smoke (Windows)
🔇 Additional comments (4)
- .github/workflows/pr-template-check.yml (1): 29-30: LGTM!
- .github/workflows/release-please.yml (1): 111-112: LGTM!
- apps/desktop/tests/ci/pr-template-check.test.js (1): 29-35: LGTM! Also applies to: 37-43, 45-66, 70-77
- apps/desktop/tests/ci/release-workflow-environments.test.ts (1): 45-47: LGTM!
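The provenance check the review asks for, as an added example that is not code from this PR: it keeps the head-ref prefix and body checks and additionally requires the PR's head repo to equal the trusted repository (with an optional trusted-actor list), so a branch name and body alone cannot satisfy the bypass. The branch prefix, body marker, option names and sample values are assumptions.

```javascript
// Added example, not code from this PR. The prefix, body marker, option names
// and sample values below are assumptions chosen for illustration.
const RELEASE_PLEASE_HEAD_PREFIX = "release-please--branches--"; // assumed
const RELEASE_PLEASE_BODY_MARKER = "generated with [Release Please]"; // assumed

// Normalize line endings and surrounding whitespace before matching.
function normalizeBody(body) {
  return String(body ?? "").replace(/\r\n/g, "\n").trim();
}

function isReleasePleaseGeneratedBody(body) {
  return normalizeBody(body).includes(RELEASE_PLEASE_BODY_MARKER);
}

// Weak form: branch name and body are both author-controlled, so any PR can
// present them. Kept only to contrast with the hardened check below.
function isReleasePleasePrUnverified({ headRef = "", body = "" }) {
  return headRef.startsWith(RELEASE_PLEASE_HEAD_PREFIX) &&
    isReleasePleaseGeneratedBody(body);
}

// Hardened form: the head repo must be the trusted repository (a PR from a
// fork carries the fork's full_name), and optionally the actor must be a
// known bot. trustedRepo is expected to come from the workflow, e.g. the
// GITHUB_REPOSITORY environment variable.
function isReleasePleasePr(options) {
  const {
    headRef = "", body = "", headRepo = "",
    trustedRepo = "", actor = "", trustedActors = [],
  } = options;
  if (!trustedRepo) return false; // misconfigured workflow: fail closed
  if (!headRef.startsWith(RELEASE_PLEASE_HEAD_PREFIX)) return false;
  if (!isReleasePleaseGeneratedBody(body)) return false;
  if (headRepo !== trustedRepo) return false;
  if (trustedActors.length > 0 && !trustedActors.includes(actor)) return false;
  return true;
}

// Constructed sample inputs: a genuine release PR and one from a fork that
// reuses the same branch name and body.
const genuineReleasePr = {
  headRef: "release-please--branches--main",
  body: ":robot: I have created a release\r\n\r\n...generated with [Release Please](x)\r\n",
  headRepo: "example-org/example-app",
  trustedRepo: "example-org/example-app",
  actor: "github-actions[bot]",
  trustedActors: ["github-actions[bot]"],
};
const sameBranchFromFork = { ...genuineReleasePr, headRepo: "someone-else/example-app" };
```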
Summary
Fixes the two release automation failure modes seen on #449:
- `--no-verify` so Husky pre-commit hooks do not block automation-only metadata commits
Related issue or RFC
Related to #449.
AI assistance disclosure
AI assisted with CI log analysis, regression tests, and implementation.
Testing evidence
pnpm.cmd --dir apps/desktop exec vitest run --configLoader runner tests/ci/pr-template-check.test.js tests/ci/release-workflow-environments.test.ts
pnpm.cmd format:check
pnpm.cmd lint:check
pnpm.cmd type:check
pnpm.cmd test:typecheck
Risk notes
Low. Changes are limited to release/PR CI workflows and PR-template validation for Release Please branches.
Screenshots or recordings
N/A.
Checklist
- `--no-verify` release formatting commits.