Add CodeRabbit AI Review Workflow for Automated Code Reviews

[anatolyshipitz]

Add CodeRabbit AI Review Workflow for Automated Code Reviews

• Introduced a new GitHub Actions workflow for automated code reviews using CodeRabbit AI.

• The workflow triggers on pull requests (opened, edited, synchronize) and manual dispatch, allowing for flexible review processes.

• Implemented two main jobs: banner posting for onboarding notifications and AI-powered code review execution.

• Added functionality to detect missing API keys (CODERABBIT_TOKEN, OPENAI_API_KEY) with setup reminders and documentation links.

• Enhanced review process with commit SHA tracking to prevent duplicate reviews for the same commit.

• Configured CodeRabbit to focus exclusively on actual problems (bugs, security issues, performance, code quality) while ignoring minor style issues and documentation gaps.

• Added concurrency control to cancel in-progress reviews when new commits are pushed.

• Implemented custom system message to ensure reviews provide actionable inline comments with structured format (category, current code, suggestion, impact explanation).

Docs: https://wiki.gluzdov.com/doc/coderabbit-review-workflow-setup-6CqNB5aHtY

This integration aims to streamline code review and improve code quality through automated AI analysis while maintaining focus on significant issues only.

[github-actions]

CodeRabbit

🤖 CodeRabbit AI Review Available

To request a code review from CodeRabbit AI, add [coderabbit-ai-review] to your PR title.

CodeRabbit will analyze your code and provide feedback on:

• Logic and correctness
• Security issues
• Performance optimizations
• Code quality and best practices
• Error handling
• Maintainability

Note: Reviews are only performed when [coderabbit-ai-review] is present in the PR title.

[github-actions]

🔍 Vulnerabilities of temporal-test:latest

📦 Image Reference temporal-test:latest

digest	sha256:17e54ff5e9a181d1bdbf7334ce9637f9c3934d54a65427ae36a5743f46487f15
vulnerabilities
platform	linux/amd64
size	218 MB
packages	358

📦 Base Image alpine:3

also known as	3.21 3.21.3 latest
digest	sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
vulnerabilities

stdlib 1.23.6 (golang) pkg:golang/stdlib@1.23.6 Affected range <1.23.8 Fixed version 1.23.8 EPSS Score 0.025% EPSS Percentile 6th percentile Description The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

stdlib 1.23.2 (golang) pkg:golang/stdlib@1.23.2 Affected range <1.23.8 Fixed version 1.23.8 EPSS Score 0.025% EPSS Percentile 6th percentile Description The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

golang.org/x/crypto 0.32.0 (golang) pkg:golang/golang.org/x/crypto@0.32.0 Affected range <0.43.0 Fixed version 0.43.0 EPSS Score 0.042% EPSS Percentile 12th percentile Description SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.259% EPSS Percentile 49th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

curl 8.12.1-r0 (apk) pkg:apk/alpine/curl@8.12.1-r0?os_name=alpine&os_version=3.21 Affected range <8.14.1-r2 Fixed version 8.14.1-r2 EPSS Score 0.073% EPSS Percentile 22nd percentile Description Affected range <8.14.1-r0 Fixed version 8.14.1-r0 EPSS Score 0.064% EPSS Percentile 20th percentile Description

golang.org/x/oauth2 0.26.0 (golang) pkg:golang/golang.org/x/oauth2@0.26.0 Improper Validation of Syntactic Correctness of Input Affected range <0.27.0 Fixed version 0.27.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.104% EPSS Percentile 29th percentile Description An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

golang.org/x/oauth2 0.7.0 (golang) pkg:golang/golang.org/x/oauth2@0.7.0 Improper Validation of Syntactic Correctness of Input Affected range <0.27.0 Fixed version 0.27.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.104% EPSS Percentile 29th percentile Description An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

golang.org/x/crypto 0.36.0 (golang) pkg:golang/golang.org/x/crypto@0.36.0 Affected range <0.43.0 Fixed version 0.43.0 EPSS Score 0.042% EPSS Percentile 12th percentile Description SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

openssl 3.3.3-r0 (apk) pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21 Affected range <3.3.5-r0 Fixed version 3.3.5-r0 EPSS Score 0.034% EPSS Percentile 9th percentile Description

c-ares 1.34.3-r0 (apk) pkg:apk/alpine/c-ares@1.34.3-r0?os_name=alpine&os_version=3.21 Affected range <1.34.5-r0 Fixed version 1.34.5-r0 EPSS Score 0.135% EPSS Percentile 34th percentile Description

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.36.4 (golang) pkg:golang/go.opentelemetry.io/contrib/instrumentation@0.36.4#google.golang.org/grpc/otelgrpc Affected range <0.46.0 Fixed version 0.46.0 EPSS Score 3.680% EPSS Percentile 87th percentile Description The grpc Unary Server Interceptor created by the otelgrpc package added the labels net.peer.sock.addr and net.peer.sock.port with unbounded cardinality. This can lead to the server's potential memory exhaustion when many malicious requests are sent. This leads to a denial-of-service.

github.com/golang-jwt/jwt/v4 4.5.1 (golang) pkg:golang/github.com/golang-jwt/jwt@4.5.1#v4 Asymmetric Resource Consumption (Amplification) Affected range <4.5.2 Fixed version 4.5.2 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.055% EPSS Percentile 17th percentile Description Summary Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification) Details See parse.ParseUnverified Impact Excessive memory allocation

github.com/golang-jwt/jwt 3.2.2+incompatible (golang) pkg:golang/github.com/golang-jwt/jwt@3.2.2%2Bincompatible Asymmetric Resource Consumption (Amplification) Affected range >=3.2.0 <=3.2.2 Fixed version Not Fixed CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.055% EPSS Percentile 17th percentile Description Summary Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification) Details See parse.ParseUnverified Impact Excessive memory allocation

golang.org/x/crypto 0.35.0 (golang) pkg:golang/golang.org/x/crypto@0.35.0 Affected range <0.43.0 Fixed version 0.43.0 EPSS Score 0.042% EPSS Percentile 12th percentile Description SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[killev]

Looks Good.