…c/validate/ Extract all inline business logic from pr-validation.yml into 7 reusable composite actions under src/validate/. Add dry_run input, fix script injection risks (use env vars instead of direct interpolation), fix notify ref for external callers, and update conventions to prohibit workflow_dispatch on reusable workflows due to injection risk.
- Fix code-injection: move needs.*.result and inputs.dry_run to env vars
in pr-checks-summary job (use process.env instead of ${{ }} interpolation)
- Wire MANAGE_TOKEN into auto-labeler job (was hardcoded to github.token)
- Include pr-changelog in Slack notification status and failed_jobs
- Handle empty git diff output in pr-size (CHANGED_LINES defaults to 0)
- Support all * wildcard patterns in pr-source-branch (not just /*)
- Fix broken markdown links in docs (add -workflow suffix)
- Fix docs examples to use @v1.2.3 placeholder instead of @v1.x.x
- Update jobs table with non-draft condition for all gated jobs
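The first bullet above (move `needs.*.result` and `inputs.dry_run` into env vars and read them through `process.env`) is the standard fix for expression injection in GitHub Actions. Added example, not the project's pr-validation.yml: a reusable workflow with one job showing the unsafe and the safe way to consume untrusted PR data, and a summary job that reads job results through `env:`. Every job, input and step name here is assumed.

```yaml
# Added example, not the project's workflow: every name below is assumed.
# Exposed via workflow_call only (no workflow_dispatch, per the conventions
# this PR updates), with one job that shows the unsafe and the safe way to
# consume untrusted PR data and a summary job that reads job results via env.
name: pr-validation-example

on:
  workflow_call:
    inputs:
      dry_run:
        description: Report findings without failing the run
        type: boolean
        default: false

jobs:
  blocking-checks:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE: the expression is substituted into the script text before bash
      # runs it, so quotes or backticks in the PR title change the command.
      - name: Print title (unsafe pattern)
        run: echo "Title: ${{ github.event.pull_request.title }}"

      # SAFE: the expression is evaluated into an environment variable; bash
      # reads it as data and never re-parses its contents.
      - name: Print title (env var)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"

  pr-checks-summary:
    needs: [blocking-checks]
    if: always()            # run even when blocking-checks failed
    runs-on: ubuntu-latest
    steps:
      # The script body is JavaScript source, so ${{ }} inside it is code
      # injection for the same reason. Values go through env -> process.env.
      - name: Summarize results
        uses: actions/github-script@v8   # pin to a commit SHA in a real repo
        env:
          BLOCKING_RESULT: ${{ needs.blocking-checks.result }}
          DRY_RUN: ${{ inputs.dry_run }}
        with:
          script: |
            const { BLOCKING_RESULT, DRY_RUN } = process.env;
            // Job results are strings: success, failure, cancelled or skipped.
            const failed = BLOCKING_RESULT === 'failure';
            await core.summary
              .addHeading('Blocking checks')
              .addTable([
                [{ data: 'Check', header: true }, { data: 'Result', header: true }],
                ['blocking-checks', failed ? ':x: failure' : ':white_check_mark: ' + BLOCKING_RESULT],
              ])
              .write();
            if (failed && DRY_RUN !== 'true') {
              core.setFailed('blocking checks failed');
            } else if (failed) {
              core.warning('blocking checks failed (dry_run=true, not failing the run)');
            }
```

The rule is the same for `run:` and for `actions/github-script`: `${{ }}` is expanded into the source text before anything executes, while a value placed under `env:` is only ever read as a string at run time. A boolean workflow input arrives in the environment as the string `true`/`false`, which is why the dry-run gate compares against `'true'`.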
…d of COMP_NAME
The workflow was using COMP_NAME to build configmap/secret template paths (e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml) but the actual directory structure uses VALUES_KEY names (e.g. templates/inbound/configmap.yaml). This caused the if [ -f ] check to silently fail, resulting in detected env vars never being injected into configmap/secret templates.
Changes:
- Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
- Update create_secret_template to take VALUES_KEY as single arg
- Add ::warning:: annotations when template files are not found
Closes #167
…eferences Resolves SC2086 (double quote to prevent globbing) and SC2129 (group redirects) shellcheck warnings flagged by the PR lint analysis.
- Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
- Move inputs.base_branch to env var to prevent code injection in step summary
- Add inline comment dismissing untrusted-checkout false positive
Update all rules and commands (Claude, Cursor, AGENTS.md) to require third-party actions to be pinned by commit SHA instead of mutable tags. LerianStudio org actions remain pinned by release tag.
fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME
…branch refs for testing
Consolidate 9 parallel jobs into 4 with a 2-tier architecture:
- Tier 1 (blocking-checks): title, source-branch, description — no checkout, fail-fast
- Tier 2 (advisory-checks): metadata, size, labels, changelog — shared checkout, only runs if Tier 1 passes
Reduces runner cost (9 → 4 runners, 3 checkouts → 1) while providing faster feedback on blocking validation failures.
CHANGELOG.md is now generated by semantic-release, so the reminder comment is unnecessary noise. Removed the comment step, github-token and dry-run inputs from the composite.
The composite already auto-skips when the target branch is not in target_branches_for_source_check (default: main), so enabling by default is safe and avoids silent misconfiguration.
Rewrite pr-description composite to:
- Extract content under "## Description" heading and strip HTML comments
- Fail if description section is empty or below min-length
- Fail if no "Type of Change" checkbox is checked
- Remove github-token input (no API calls needed)
- Consolidate two github-script steps into one
Also pin amannn/action-semantic-pull-request to commit SHA in pr-title.
Replace the warning-only assignee and linked issues checks with an actionable auto-assign: if no assignee is set, assign the PR author automatically. Bot accounts are skipped.
- Check current labels before removing/adding — skip entirely if the correct size label is already set
- Only remove stale size labels that actually exist on the PR
- Remove the XL comment (generic noise on every sync)
…y SHA
- Remove pr-changelog from workflow, summary, and inputs — CHANGELOG.md is auto-generated by semantic-release
- Pin actions/github-script@v8 and actions/checkout@v6 to commit SHAs across all validate composites
Display results as two tables (Blocking / Advisory) instead of flat lines. Skipped checks now use ⏭️ instead of ⚠️ for clarity.
- Remove stale check_changelog references from docs and examples
- Remove pr-changelog from jobs table and pr-checks-summary README
- Fix related-workflow links to current doc naming
- Make missing "Type of Change" section an error, not a warning
- Add null-safety for pr.assignees in pr-metadata
- Add dry-run gate to pr-metadata auto-assign
- Fix yamllint inline-comment spacing in pr-labels
- Align min_description_length default to 30 (matches composite)
- Remove stale check_changelog from self-pr-validation.yml
- Update metadata feature description in docs
- Validate min-length input against NaN in pr-description
…dation refactor(pr-validation): modularize workflow into composites
fix(lint): enforce SHA pinning for externals, warnings for internals
* fix(pr-validation): pin composite refs to v1.20.0
* fix(pr-blocking-collect): add README and pin ref to v1.20.0
* fix(pr-blocking-collect): use branch ref for testing
* docs(pr-blocking-collect): fix terminology — step outputs, not job outputs
# Conflicts:
# .github/workflows/pr-validation.yml
When the semantic-release backmerge plugin fails to push directly to develop (non-fast-forward), create a PR from main→develop instead of failing the entire release. The release tag and GitHub release are already published at this point.
- Add continue-on-error to semantic-release step
- If release published but step failed → create backmerge PR
- If release not published and step failed → propagate error
- Check for existing backmerge PR to avoid duplicates
🛡️ CodeQL Analysis Results
Languages analyzed:
✅ No security issues found.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/release-workflow.md (1)
82-85: ⚠️ Potential issue | 🟡 Minor
Inputs table is out of sync with the workflow.
The workflow defines `filter_paths`, `shared_paths`, and `path_level` inputs for monorepo support, but these are missing from the documentation.
📝 Proposed fix to add missing inputs
```diff
 | Input | Type | Default | Description |
 |-------|------|---------|-------------|
 | `semantic_version` | string | `23.0.8` | Semantic release version to use |
 | `runner_type` | string | `firmino-lxc-runners` | GitHub runner type |
+| `filter_paths` | string | `''` | Newline-separated list of path prefixes to filter. If not provided, treats as single app repo. |
+| `shared_paths` | string | `''` | Newline-separated path patterns that trigger a build for ALL components when matched. |
+| `path_level` | string | `'2'` | Limits the path to the first N segments (e.g., 2 → "apps/agent") |
```
As per coding guidelines: "Flag if inputs table is out of sync with the corresponding workflow changes in this PR."
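Review bot: the added rows quote their defaults (`''`, `'2'`) while the existing `semantic_version` and `runner_type` rows show theirs unquoted (`23.0.8`, `firmino-lxc-runners`); all five inputs are typed `string`, so pick one quoting convention for the Default column so a reader does not infer a type difference from the quotes. The three input names themselves match the ones the comment says the workflow defines.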
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/release-workflow.md` around lines 82 - 85, The inputs table in release-workflow.md is missing the monorepo-related workflow inputs; update the table to include `filter_paths`, `shared_paths`, and `path_level` with their correct types (likely `string` or `string[]` as used in the workflow), sensible defaults, and clear descriptions matching the workflow behavior (e.g., `filter_paths` — paths to watch for changes, `shared_paths` — paths shared across packages, `path_level` — depth level for package path resolution); ensure the names exactly match the workflow input keys so docs stay in sync with the workflow (reference inputs `filter_paths`, `shared_paths`, `path_level` and adjust types/defaults to match the workflow implementation).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-validation.yml:
- Line 122: Replace the mutable feature-branch ref for the reusable workflow
pr-blocking-collect with a stable release tag: change the uses entry
"LerianStudio/github-actions-shared-workflows/src/validate/pr-blocking-collect@fix/pin-refs-v1.20.0"
to reference the repository's released tag (for example "@v1.20.0" or the
appropriate published release) so the workflow uses a permanent, non-mutable
ref.
---
Outside diff comments:
In `@docs/release-workflow.md`:
- Around line 82-85: The inputs table in release-workflow.md is missing the
monorepo-related workflow inputs; update the table to include `filter_paths`,
`shared_paths`, and `path_level` with their correct types (likely `string` or
`string[]` as used in the workflow), sensible defaults, and clear descriptions
matching the workflow behavior (e.g., `filter_paths` — paths to watch for
changes, `shared_paths` — paths shared across packages, `path_level` — depth
level for package path resolution); ensure the names exactly match the workflow
input keys so docs stay in sync with the workflow (reference inputs
`filter_paths`, `shared_paths`, `path_level` and adjust types/defaults to match
the workflow implementation).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 6ece92ad-142f-4cc6-88cb-9a8e5b87f9e7
📒 Files selected for processing (5)
.github/workflows/pr-validation.yml
.github/workflows/release.yml
docs/release-workflow.md
src/validate/pr-blocking-collect/README.md
src/validate/pr-blocking-collect/action.yml
Create src/config/backmerge-pr composite that creates a PR when the semantic-release backmerge push fails (non-fast-forward). Checks for existing open PRs to avoid duplicates. Replace inline shell in release.yml with the composite call.
# Conflicts:
# .github/workflows/pr-validation.yml
# .github/workflows/release.yml
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/config/backmerge-pr/action.yml`:
- Around line 50-56: The PR_BODY multi-line string is indented in the script so
every line gets leading spaces; replace the inline quoted assignment with a
heredoc to preserve intended formatting — e.g. set PR_BODY using PR_BODY=$(cat
<<'EOF' ... EOF) (or <<-'EOF' if you need to strip leading tabs) and paste the
unindented markdown between the EOF markers; update the assignment that
currently defines PR_BODY in action.yml to use this heredoc form so the PR
description has no unwanted leading whitespace.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 4bb17dc6-4382-4f61-93ee-f326e51150ab
📒 Files selected for processing (4)
.github/workflows/pr-validation.yml
.github/workflows/release.yml
src/config/backmerge-pr/README.md
src/config/backmerge-pr/action.yml
All comments addressed.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/config/backmerge-pr/action.yml`:
- Around line 19-25: The output description for pr-url is incorrect relative to
the implementation: update the outputs block to reflect actual behavior (or
change the behavior). Specifically, either modify the description of
outputs.pr-url (and optionally outputs.pr-number) to state that pr_url is
populated even when an existing PR is found (it comes from
steps.create-pr.outputs.pr_url), or change the logic in the create-pr step to
leave pr_url empty for existing PRs; reference the outputs keys
"pr-url"/"pr-number" and the step "steps.create-pr.outputs.pr_url" to locate
where to update the description or behavior.
- Around line 50-59: The YAML parse error comes from the unindented heredoc
assigned to PR_BODY inside the run: | block; update the PR_BODY heredoc so all
its lines (the "## Description" line through the closing EOF) are indented to
the same level as the first content line inside the block scalar, ensuring the
closing EOF matches that indentation, or alternatively replace the heredoc with
an indented read-style heredoc variant; make this change around the PR_BODY
assignment that references VERSION, SOURCE_BRANCH and TARGET_BRANCH so the
pipeline no longer fails YAML validation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 709270f7-ce2a-422b-aedf-eb0a5d39c3cf
📒 Files selected for processing (2)
.github/workflows/release.yml
src/config/backmerge-pr/action.yml
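The two review rounds above raise the same pair of problems for a composite action: a multi-line PR body assigned inside `run: |` either carries the YAML indentation into the text, or, when the heredoc is left unindented, breaks the YAML parse; and the `pr-url` output description must describe what the step really sets. Added example, not the project's src/config/backmerge-pr composite: the input names, PR title and body text are assumed, and it uses the GitHub CLI (`gh`) that is preinstalled on hosted runners.

```yaml
# Added example, not the project's src/config/backmerge-pr composite: input
# names, the PR title and the body text are assumed. It shows a heredoc body
# indented to the block scalar level so the YAML stays valid and bash sees
# an unindented heredoc, plus output descriptions that match what is set.
name: backmerge-pr-example
description: Open (or reuse) a backmerge PR when the direct push was rejected
inputs:
  version:
    description: Released version, e.g. v1.20.1
    required: true
  source-branch:
    description: Branch that holds the release commit
    default: main
  target-branch:
    description: Branch the release must be merged back into
    default: develop
outputs:
  pr-url:
    # Worded to match the step: the URL of the new or the already-open PR.
    description: URL of the created or existing backmerge PR
    value: ${{ steps.create-pr.outputs.pr_url }}
  pr-number:
    description: Number of the created or existing PR
    value: ${{ steps.create-pr.outputs.pr_number }}
runs:
  using: composite
  steps:
    - name: Create or reuse backmerge PR
      id: create-pr
      shell: bash
      env:
        GH_TOKEN: ${{ github.token }}
        VERSION: ${{ inputs.version }}
        SOURCE_BRANCH: ${{ inputs.source-branch }}
        TARGET_BRANCH: ${{ inputs.target-branch }}
      run: |
        set -euo pipefail

        # Reuse an open PR with the same head and base so a retried release
        # does not open a duplicate.
        existing=$(gh pr list --state open --base "$TARGET_BRANCH" --head "$SOURCE_BRANCH" \
                     --json number,url --jq '.[0]')
        if [ -n "$existing" ] && [ "$existing" != "null" ]; then
          echo "pr_number=$(jq -r .number <<<"$existing")" >> "$GITHUB_OUTPUT"
          echo "pr_url=$(jq -r .url <<<"$existing")" >> "$GITHUB_OUTPUT"
          exit 0
        fi

        # Every heredoc line, the closing EOF included, starts at the same
        # column as the first line of this run block. YAML strips that common
        # indentation, so the body reaches bash without leading spaces.
        PR_BODY=$(cat <<EOF
        ## Description
        Backmerge of release ${VERSION} from ${SOURCE_BRANCH} into ${TARGET_BRANCH}.

        The direct push to ${TARGET_BRANCH} was rejected (non-fast-forward).
        Merge this PR to bring ${TARGET_BRANCH} back in sync.
        EOF
        )

        url=$(gh pr create --base "$TARGET_BRANCH" --head "$SOURCE_BRANCH" \
                --title "chore(release): backmerge ${VERSION} into ${TARGET_BRANCH}" \
                --body "$PR_BODY")
        echo "pr_url=${url}" >> "$GITHUB_OUTPUT"
        echo "pr_number=${url##*/}" >> "$GITHUB_OUTPUT"
```

`<<-EOF` is not a substitute here: it strips leading tabs only, and YAML indentation is spaces, so the heredoc must be indented to the block scalar's own level as shown. Because the step writes `pr_url` on both the reuse and the create path, the `pr-url` description says "created or existing"; a caller that needs to distinguish the two cases would need a separate output, which this example does not define.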
```yaml
outputs:
  pr-url:
    description: URL of the created PR (empty if PR already existed or was not needed)
    value: ${{ steps.create-pr.outputs.pr_url }}
  pr-number:
    description: Number of the created or existing PR
    value: ${{ steps.create-pr.outputs.pr_number }}
```
Output description contradicts implementation.
Line 21 states pr-url is "empty if PR already existed" but the implementation at lines 43-46 sets pr_url for existing PRs. Either update the description or the behavior.
Suggested fix
```diff
 outputs:
   pr-url:
-    description: URL of the created PR (empty if PR already existed or was not needed)
+    description: URL of the created or existing backmerge PR
     value: ${{ steps.create-pr.outputs.pr_url }}
   pr-number:
     description: Number of the created or existing PR
```
🤖 Prompt for AI Agents
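Review bot: the reworded `pr-url` description now agrees with the unchanged `pr-number` line ("created or existing PR"), which is the right direction given that the step sets `pr_url` on the existing-PR path too. One consequence worth stating in the README: with both outputs populated in both cases, a caller cannot tell from these outputs whether a new PR was opened or an existing one was found; if that matters to release.yml, the action would need an additional output for it (a hypothetical `created` flag, not something this hunk adds).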
Verify each finding against the current code and only fix it if needed.
In `@src/config/backmerge-pr/action.yml` around lines 19 - 25, The output
description for pr-url is incorrect relative to the implementation: update the
outputs block to reflect actual behavior (or change the behavior). Specifically,
either modify the description of outputs.pr-url (and optionally
outputs.pr-number) to state that pr_url is populated even when an existing PR is
found (it comes from steps.create-pr.outputs.pr_url), or change the logic in the
create-pr step to leave pr_url empty for existing PRs; reference the outputs
keys "pr-url"/"pr-number" and the step "steps.create-pr.outputs.pr_url" to
locate where to update the description or behavior.
Simplify pr-description to only check: - At least one "Type of Change" checkbox is marked - At least one "Testing" checkbox is marked Remove min-length content validation that was blocking PRs with valid template usage (e.g., merge PRs with CodeRabbit summaries).
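The simplified rule in the commit above (at least one marked checkbox under "Type of Change" and under "Testing", no content-length check), shown as an added example of a composite built on actions/github-script. It is not the project's pr-description composite: the action name and messages are assumed, and it also strips HTML comments first, as the earlier rewrite commit on this page describes, so template hints never count as content.

```yaml
# Added example, not the project's pr-description composite: the action name,
# inputs and messages are assumed. Checks that the PR body has at least one
# marked checkbox under "## Type of Change" and under "## Testing".
name: pr-description-example
description: Validate that the PR template checkboxes were filled in
runs:
  using: composite
  steps:
    - name: Validate PR template checkboxes
      uses: actions/github-script@v8   # pin to a commit SHA in a real repo
      env:
        # The body is untrusted PR input: pass it via env, never inline in script.
        PR_BODY: ${{ github.event.pull_request.body }}
      with:
        script: |
          // Drop the template's HTML comments so an unfilled "<!-- ... -->" hint
          // never counts as content.
          const body = (process.env.PR_BODY || '').replace(/<!--[\s\S]*?-->/g, '');

          // Text between a "## <heading>" line and the next "## " heading,
          // or null when the heading is missing entirely.
          function section(markdown, heading) {
            const lines = markdown.split(/\r?\n/);
            const want = ('## ' + heading).toLowerCase();
            const start = lines.findIndex(l => l.trim().toLowerCase() === want);
            if (start === -1) return null;
            const out = [];
            for (const line of lines.slice(start + 1)) {
              if (/^##\s/.test(line)) break;
              out.push(line);
            }
            return out.join('\n');
          }

          // A marked task-list item: "- [x] ..." or "* [X] ...".
          const hasChecked = text => /^\s*[-*]\s+\[[xX]\]/m.test(text);

          const failures = [];
          for (const heading of ['Type of Change', 'Testing']) {
            const text = section(body, heading);
            if (text === null) {
              failures.push(`missing "## ${heading}" section`);
            } else if (!hasChecked(text)) {
              failures.push(`no checkbox marked under "## ${heading}"`);
            }
          }

          if (failures.length > 0) {
            core.setFailed(failures.join('; '));
          } else {
            core.info('PR template checkboxes OK');
          }
```

A missing section and a section with no marked box are reported separately, so a PR whose author deleted the template block gets a different message from one that left the boxes unticked. The `${heading}` template literals are single-brace JavaScript and are left alone by the Actions expression parser, which only expands `${{ }}`.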
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/pr-validation.yml (2)
135-135: ⚠️ Potential issue | 🟡 Minor
Fix yamllint spacing warning.
Pipeline reports: "too few spaces before comment: expected 2".
Proposed fix
```diff
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
```
🤖 Prompt for AI Agents
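Review bot: the `-` and `+` lines read identically here because the whitespace run was collapsed when the page was extracted; per the yamllint message quoted above ("expected 2"), the only change is a second space between the commit SHA and the `# v6` comment. Since the same warning is raised for line 8 of src/validate/pr-description/action.yml later in this review, fixing the inline-comment spacing in one pass across the validate composites and the workflow files would avoid a third round of the same comment.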
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-validation.yml at line 135, Yamllint warns about too few spaces before the inline comment on the uses line; update the line containing "uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6" to ensure there are two spaces before the "#" (i.e., replace the single space before the comment with two spaces); also scan for other inline comments in the workflow file and apply the same two-space convention to satisfy yamllint.
198-204: 🧹 Nitpick | 🔵 Trivial
Line-length warnings are non-blocking.
Lines 200 and 202 exceed 200 characters. Per repo configuration, `line-length` is a warning, not an error. These long lines are due to inline ternary expressions for status/failed_jobs. Refactoring is optional but would improve readability.
Optional: Extract status logic to a prior step
```yaml
- name: Compute notification status
  id: notify-status
  run: |
    if [[ "${{ needs.blocking-checks.outputs.source-branch-result }}" == "failure" ]] || \
       [[ "${{ needs.blocking-checks.outputs.title-result }}" == "failure" ]] || \
       [[ "${{ needs.blocking-checks.outputs.description-result }}" == "failure" ]]; then
      echo "status=failure" >> "$GITHUB_OUTPUT"
    else
      echo "status=success" >> "$GITHUB_OUTPUT"
    fi
```
Then reference `${{ steps.notify-status.outputs.status }}` in the workflow call.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-validation.yml around lines 198 - 204, The long inline ternaries in the GitHub Actions call to LerianStudio/github-actions-shared-workflows (the "uses: ... slack-notify.yml" step) cause >200 char lines; extract the logic into prior steps (e.g., a step with id notify-status to compute a single status output and optionally a step like notify-failed-jobs to assemble the failed_jobs string) and then pass those outputs into the workflow call via ${{ steps.notify-status.outputs.status }} and ${{ steps.notify-failed-jobs.outputs.failed_jobs }} (update the "status" and "failed_jobs" inputs to reference those step outputs instead of the inline ternaries).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/validate/pr-description/action.yml`:
- Line 8: The YAML linter warning is caused by missing spacing before the inline
comment on the uses line; update the line containing uses:
actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd (the
actions/github-script version comment) to include two spaces before the "#" so
there is one space between the value and the comment (e.g., add a single space
before the version comment) to satisfy yamllint's "too few spaces before
comment" rule.
---
Outside diff comments:
In @.github/workflows/pr-validation.yml:
- Line 135: Yamllint warns about too few spaces before the inline comment on the
uses line; update the line containing "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6" to ensure there
are two spaces before the "#" (i.e., replace the single space before the comment
with two spaces); also scan for other inline comments in the workflow file and
apply the same two-space convention to satisfy yamllint.
- Around line 198-204: The long inline ternaries in the GitHub Actions call to
LerianStudio/github-actions-shared-workflows (the "uses: ... slack-notify.yml"
step) cause >200 char lines; extract the logic into prior steps (e.g., a step
with id notify-status to compute a single status output and optionally a step
like notify-failed-jobs to assemble the failed_jobs string) and then pass those
outputs into the workflow call via ${{
steps.notify-status.outputs.status }} and ${{
steps.notify-failed-jobs.outputs.failed_jobs }} (update the "status" and
"failed_jobs" inputs to reference those step outputs instead of the inline
ternaries).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: b2936243-d239-48d9-822b-00af89b3b384
📒 Files selected for processing (3)
.github/workflows/pr-validation.yml
src/validate/pr-description/README.md
src/validate/pr-description/action.yml
```yaml
  using: composite
  steps:
    - name: Validate PR description
      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
```
Fix yamllint spacing warning.
Pipeline reports: "too few spaces before comment: expected 2". Add a space before the version comment.
Proposed fix
```diff
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
```
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
```diff
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
```
🧰 Tools
🪛 GitHub Actions: Self — PR Validation
[warning] 8-8: Yamllint warning: too few spaces before comment: expected 2 (comments)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@src/validate/pr-description/action.yml` at line 8, The YAML linter warning is
caused by missing spacing before the inline comment on the uses line; update the
line containing uses:
actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd (the
actions/github-script version comment) to include two spaces before the "#" so
there is one space between the value and the comment (e.g., add a single space
before the version comment) to satisfy yamllint's "too few spaces before
comment" rule.
♻️ Duplicate comments (1)
src/validate/pr-description/action.yml (1)
8-8: ⚠️ Potential issue | 🟡 Minor
Fix yamllint spacing warning.
Pipeline reports `too few spaces before comment: expected 2`. Add one space before `#`.
Proposed fix
```diff
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/validate/pr-description/action.yml` at line 8, The YAML linter warning is due to only one space before the inline comment on the actions usage line; edit the line that references actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd (the uses: entry) and add one more space so there are two spaces before the "# v8" comment, resolving the "too few spaces before comment" yamllint error.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@src/validate/pr-description/action.yml`:
- Line 8: The YAML linter warning is due to only one space before the inline
comment on the actions usage line; edit the line that references
actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd (the uses: entry)
and add one more space so there are two spaces before the "# v8" comment,
resolving the "too few spaces before comment" yamllint error.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7fcf288c-2593-4c70-918f-545277c8fe25
📒 Files selected for processing (1)
src/validate/pr-description/action.yml
* refactor(pr-validation): modularize workflow into composites under src/validate/
Extract all inline business logic from pr-validation.yml into 7 reusable
composite actions under src/validate/. Add dry_run input, fix script injection
risks (use env vars instead of direct interpolation), fix notify ref for
external callers, and update conventions to prohibit workflow_dispatch on
reusable workflows due to injection risk.
* fix(pr-validation): address CodeRabbit and CodeQL review findings
- Fix code-injection: move needs.*.result and inputs.dry_run to env vars
in pr-checks-summary job (use process.env instead of ${{ }} interpolation)
- Wire MANAGE_TOKEN into auto-labeler job (was hardcoded to github.token)
- Include pr-changelog in Slack notification status and failed_jobs
- Handle empty git diff output in pr-size (CHANGED_LINES defaults to 0)
- Support all * wildcard patterns in pr-source-branch (not just /*)
- Fix broken markdown links in docs (add -workflow suffix)
- Fix docs examples to use @v1.2.3 placeholder instead of @v1.x.x
- Update jobs table with non-draft condition for all gated jobs
* fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME
The workflow was using COMP_NAME to build configmap/secret template paths
(e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml)
but the actual directory structure uses VALUES_KEY names
(e.g. templates/inbound/configmap.yaml).
This caused the if [ -f ] check to silently fail, resulting in detected
env vars never being injected into configmap/secret templates.
Changes:
- Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
- Update create_secret_template to take VALUES_KEY as single arg
- Add ::warning:: annotations when template files are not found
Closes #167
* fix(helm-update-chart): quote GITHUB_OUTPUT and GITHUB_STEP_SUMMARY references
Resolves SC2086 (double quote to prevent globbing) and SC2129 (group
redirects) shellcheck warnings flagged by the PR lint analysis.
* fix(helm-update-chart): resolve CodeQL medium findings
- Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
- Move inputs.base_branch to env var to prevent code injection in step summary
- Add inline comment dismissing untrusted-checkout false positive
* docs(rules): enforce commit SHA pinning for third-party actions
Update all rules and commands (Claude, Cursor, AGENTS.md) to require
third-party actions to be pinned by commit SHA instead of mutable tags.
LerianStudio org actions remain pinned by release tag.
* refactor(pr-validation): extract pr-checks-summary composite and use branch refs for testing
* fix(pr-validation): add missing README and fix broken doc link
* refactor(pr-validation): optimize to 2-tier fail-fast model
Consolidate 9 parallel jobs into 4 with a 2-tier architecture:
- Tier 1 (blocking-checks): title, source-branch, description — no checkout, fail-fast
- Tier 2 (advisory-checks): metadata, size, labels, changelog — shared checkout, only runs if Tier 1 passes
Reduces runner cost (9 → 4 runners, 3 checkouts → 1) while providing
faster feedback on blocking validation failures.
* fix(pr-changelog): remove comment logic — changelog is auto-generated
CHANGELOG.md is now generated by semantic-release, so the reminder
comment is unnecessary noise. Removed the comment step, github-token
and dry-run inputs from the composite.
* fix(pr-validation): default enforce_source_branches to true
The composite already auto-skips when the target branch is not in
target_branches_for_source_check (default: main), so enabling by
default is safe and avoids silent misconfiguration.
* fix(pr-description): validate real content instead of raw length
Rewrite pr-description composite to:
- Extract content under "## Description" heading and strip HTML comments
- Fail if description section is empty or below min-length
- Fail if no "Type of Change" checkbox is checked
- Remove github-token input (no API calls needed)
- Consolidate two github-script steps into one
Also pin amannn/action-semantic-pull-request to commit SHA in pr-title.
* feat(pr-metadata): auto-assign PR author instead of warning
Replace the warning-only assignee and linked issues checks with an
actionable auto-assign: if no assignee is set, assign the PR author
automatically. Bot accounts are skipped.
* fix(pr-size): skip label update when unchanged and remove XL comment
- Check current labels before removing/adding — skip entirely if the
correct size label is already set
- Only remove stale size labels that actually exist on the PR
- Remove the XL comment (generic noise on every sync)
* fix(pr-labels): pin actions/labeler to commit SHA
* refactor(pr-validation): remove changelog check and pin all actions by SHA
- Remove pr-changelog from workflow, summary, and inputs — CHANGELOG.md
is auto-generated by semantic-release
- Pin actions/github-script@v8 and actions/checkout@v6 to commit SHAs
across all validate composites
* fix(pr-checks-summary): use markdown tables grouped by tier
Display results as two tables (Blocking / Advisory) instead of flat
lines. Skipped checks now use ⏭️ instead of ⚠️ for clarity.
* fix(pr-validation): address CodeRabbit review findings
- Remove stale check_changelog references from docs and examples
- Remove pr-changelog from jobs table and pr-checks-summary README
- Fix related-workflow links to current doc naming
- Make missing "Type of Change" section an error, not a warning
- Add null-safety for pr.assignees in pr-metadata
- Add dry-run gate to pr-metadata auto-assign
- Fix yamllint inline-comment spacing in pr-labels
* fix(pr-validation): sync defaults, fix caller, update docs
- Align min_description_length default to 30 (matches composite)
- Remove stale check_changelog from self-pr-validation.yml
- Update metadata feature description in docs
- Validate min-length input against NaN in pr-description
* fix(pr-validation): pin composite refs to v1.19.1-beta.2
* fix(lint): enforce SHA pinning for externals, warnings for internals
fix(lint): enforce SHA pinning for externals, warnings for internals
* fix(pr-validation): pin composite refs to v1.20.0
* fix(pr-blocking-collect): add README and pin ref to v1.20.0
* fix(pr-blocking-collect): use branch ref for testing
* docs(pr-blocking-collect): fix terminology — step outputs, not job outputs
* fix(pr-validation): pin composite refs to v1.20.0 (#172)
* fix(pr-validation): pin composite refs to v1.20.0
* fix(pr-blocking-collect): add README and pin ref to v1.20.0
* fix(pr-blocking-collect): use branch ref for testing
* docs(pr-blocking-collect): fix terminology — step outputs, not job outputs
* feat(release): fallback to PR when backmerge push fails
When the semantic-release backmerge plugin fails to push directly to
develop (non-fast-forward), create a PR from main→develop instead of
failing the entire release. The release tag and GitHub release are
already published at this point.
- Add continue-on-error to semantic-release step
- If release published but step failed → create backmerge PR
- If release not published and step failed → propagate error
- Check for existing backmerge PR to avoid duplicates
* fix(pr-validation): pin composite refs to v1.20.1
* feat(release): extract backmerge fallback into reusable composite
Create src/config/backmerge-pr composite that creates a PR when the
semantic-release backmerge push fails (non-fast-forward). Checks for
existing open PRs to avoid duplicates. Replace inline shell in
release.yml with the composite call.
* fix(release): use @develop ref for backmerge-pr composite
* fix(backmerge-pr): use heredoc to avoid indentation in PR body
* fix(pr-description): validate checkboxes only, not description content
Simplify pr-description to only check:
- At least one "Type of Change" checkbox is marked
- At least one "Testing" checkbox is marked
Remove min-length content validation that was blocking PRs with valid
template usage (e.g., merge PRs with CodeRabbit summaries).
* fix(pr-description): simplify to empty body check only
* fix(ci): use @develop ref for pr-description, sync backmerge-pr
---------
Co-authored-by: Gandalf <gandalf@lerian.studio>
GitHub Actions Shared Workflows
Description
Type of Change
- feat: New workflow or new input/output/step in an existing workflow
- fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
- perf: Performance improvement (e.g. caching, parallelism, reduced steps)
- refactor: Internal restructuring with no behavior change
- docs: Documentation only (README, docs/, inline comments)
- ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
- chore: Dependency bumps, config updates, maintenance
- test: Adding or updating tests
- BREAKING CHANGE: Callers must update their configuration after this PR
Breaking Changes
None.
Testing
- @develop or the beta tag
- Caller repo / workflow run:
Related Issues
Closes #
Summary by CodeRabbit
New Features
Documentation
Chores