Skip to content

ci: add aireceipts pr-check (notice-only cost receipt)#105

Open
anandgupta42 wants to merge 4 commits into
mainfrom
dogfood/aireceipts-pr-check
Open

ci: add aireceipts pr-check (notice-only cost receipt)#105
anandgupta42 wants to merge 4 commits into
mainfrom
dogfood/aireceipts-pr-check

Conversation

@anandgupta42

@anandgupta42 anandgupta42 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Adds a notice-only aireceipts cost-receipt check (pr-check) — one self-contained workflow, no external reusable workflow, no org Actions-policy change. Never fails a build; posts an aireceipts cost receipt only once a branch carries an aireceipts receipt ref, otherwise a quiet no-op. Coexists with any existing check; remove anytime by deleting the file. Part of an org-wide aireceipts dogfood.


Note

Low Risk
Single new CI workflow with read contents and PR write only; failures are ignored and there is no application or auth logic change.

Overview
Adds a new GitHub Actions workflow .github/workflows/aireceipts.yml that runs on every pull request and invokes aireceipts-cli pr-check via npx to post an optional AI cost receipt on the PR.

The job is notice-only: continue-on-error: true so the check never fails the build. It uses pull-requests: write and GH_TOKEN for PR comments, with concurrency keyed by ref so overlapping runs cancel. No checkout step—behavior depends on the CLI and branch receipt refs as described in the PR.

Reviewed by Cursor Bugbot for commit b427963. Bugbot is set up for automated code reviews on this repo. Configure here.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 80d6849f7a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Make the notice-only check non-blocking

Because this is a plain run step, any non-zero exit from npx or aireceipts-cli marks the new aireceipts job as failed. In cases like an npm registry/install failure, a CLI regression, or a GitHub API permission error on a PR, this turns the intended notice-only receipt into a red PR check; add continue-on-error: true or otherwise swallow failures if this workflow must never block builds.

Useful? React with 👍 / 👎.

Comment on lines +10 to +12
- run: npx -y aireceipts-cli@latest pr-check
env:
GH_TOKEN: ${{ github.token }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid giving the PR token to an unpinned install

This step gives GH_TOKEN with pull-requests: write to the entire npx ...@latest process, so on same-repository PRs any newly published aireceipts-cli version or npm install/lifecycle code gets a writable PR token before this repo has reviewed that code. Pin the CLI to a vetted version and avoid exposing the token during package installation (or otherwise use a trusted, pinned action) so a bad npm release cannot immediately mutate PRs across the repo.

Useful? React with 👍 / 👎.

check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Missing continue-on-error: true — a tool failure fails this check

The PR describes this as a "notice-only" check that "never fails a build," but this run step has no continue-on-error: true. If npx aireceipts-cli@latest pr-check exits non-zero (npm/network errors, a broken @latest release, or any CLI exception), the check job fails and appears as a red check on the PR — potentially blocking merges under branch protection. Add continue-on-error: true to this step to honor the notice-only intent.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@kilo-code-bot

kilo-code-bot Bot commented Jul 8, 2026

Copy link
Copy Markdown

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/aireceipts.yml 13 @latest with a pull-requests: write token remains an unpinned supply-chain risk — still open (intentional revert to @latest; already covered by an active review comment).
Files Reviewed (1 file)
  • .github/workflows/aireceipts.yml - 1 issue (the previous missing-continue-on-error finding is now fixed by the new commit; @latest supply-chain risk remains)

Fix these issues in Kilo Cloud

Previous Review Summaries (3 snapshots, latest commit ed1328e)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit ed1328e)

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 2
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/aireceipts.yml 10 @latest with pull-requests: write token reintroduces an unpinned supply-chain risk (reverts the @0.5.0 pin).
.github/workflows/aireceipts.yml 10 Still missing continue-on-error: true; a CLI/npx failure fails the check job, contradicting the notice-only intent.
Files Reviewed (1 file)
  • .github/workflows/aireceipts.yml - 2 issues

Fix these issues in Kilo Cloud

Previous review (commit f13c3a2)

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/aireceipts.yml 10 Missing continue-on-error: true — a CLI/npx failure fails the check job, contradicting the "never fails a build" notice-only intent.
Files Reviewed (1 file)
  • .github/workflows/aireceipts.yml - 1 issue

Fix these issues in Kilo Cloud

Previous review (commit 80d6849)

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/aireceipts.yml 10 Missing continue-on-error: true — a CLI/npx failure fails the check job, contradicting the "never fails a build" notice-only intent.
Files Reviewed (1 file)
  • .github/workflows/aireceipts.yml - 1 issue

Fix these issues in Kilo Cloud


Reviewed by glm-5.2 · Input: 33.3K · Output: 19.1K · Cached: 308.8K

Comment thread .github/workflows/aireceipts.yml Outdated
check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@0.5.0 pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Missing continue-on-error: true — a tool failure fails this check job

The PR describes this as a "notice-only" check that "never fails a build," but this run step still has no continue-on-error: true. If npx aireceipts-cli@0.5.0 pr-check exits non-zero (npm/network errors, a broken CLI release, or any unhandled exception), the check job fails and renders as a red check on the PR — which can block merges under branch protection. Add continue-on-error: true to this step to honor the notice-only intent.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@anandgupta42

Copy link
Copy Markdown
Contributor Author

Hi @suryaiyer95 @kulvirgit — could one of you give this a quick review + approve when you get a moment? 🙏

It's a notice-only aireceipts cost-receipt check (a single .github/workflows/aireceipts.yml, pull-requests: write, never fails a build — it posts a cost receipt only once a branch carries an aireceipts ref, otherwise a quiet no-op). Part of an org-wide aireceipts dogfood; it's blocked only on the required 1 approving review. Remove anytime by deleting the file. Thanks!

check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: @latest reintroduces an unpinned supply-chain risk with a write token

This commit reverts the @0.5.0 pin (added explicitly for "supply-chain: no mutable @latest with write token") back to @latest. Since the step exposes GH_TOKEN with pull-requests: write, every run resolves and executes whatever aireceipts-cli version is @latest at run time — so a compromised or broken newly published release runs with PR-write capability before this repo has reviewed it. If the floating version is intentional, consider isolating the install step from the write token (or otherwise limiting the token's blast radius) to reduce the risk.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@anandgupta42

Copy link
Copy Markdown
Contributor Author

Hi @suryaiyer95 👋 — friendly nudge as the top contributor here.

This is a lightweight aireceipts dogfood PR (part of an org-wide rollout). It adds a notice-only pr-check GitHub Action that posts a deterministic, cited cost receipt comment on a PR only when a receipt ref is present — and does nothing otherwise. It touches no existing workflow, adds no required check, and never blocks a merge.

CI is green. Could you give it a quick review + merge when you have a moment? (It needs one approving review from someone with write access — admin bypass is off here.) Happy to answer any questions. Thanks! 🙏

@anandgupta42

Copy link
Copy Markdown
Contributor Author

Thanks for the automated review — addressed:

  • continue-on-error: true added on the step. This check is notice-only and now stays green even if npx/aireceipts-cli exits non-zero (npm/network hiccup, a broken release, or a CLI exception) — honoring the "never fails a build" intent.
  • concurrency added (cancel-in-progress: true) so rapid pushes can't race to post duplicate receipts or burn extra runner minutes.

Intentional, left as-is:

  • @latest (not pinned): deliberate per aireceipts SPEC-0064 — the check auto-adopts each vetted release (the latest tag is force-moved only by the package's own publish workflow). The surface is bounded — it's a first-party package, and with continue-on-error the step can never block a build. Keeping auto-adoption is a maintainer decision.
  • Fork PRs: pull_request grants a read-only token on forks, so the receipt comment is simply skipped there (fork PRs stay notice-only, by design). We deliberately do not use pull_request_target, which would run untrusted fork code with a write token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant