fix(workflows): update pinned SHA to commit with reusable/ directory #36
GitHub Actions does not support the ./ relative path syntax for reusable workflows in subdirectories. Replaced all uses of ./.github/workflows/reusable/*.yml with the full YiAgent/OpenCI/.github/workflows/reusable/*.yml@SHA format, which supports subdirectory paths and is valid per GitHub docs. This fixes the broken workflow names (showing file paths instead of name: field values) and the workflow dispatch failures.
Switch from HEAD SHA to manifest-pinned SHA d280a64 for all YiAgent/OpenCI reusable workflow references, matching the verify-sha hook requirement. Also update two BATS tests that asserted the old ./ relative path pattern, and suppress a SC2016 false positive where $ is intentional grep BRE syntax.
SHA d280a64 predates the reusable/ subdirectory reorganization — at that commit the directory does not exist, causing GitHub Actions to fail with "workflow file issue" before any job starts. Updated all 24 references and manifest.yml to ebe8fca which is the first main-branch commit confirmed to contain .github/workflows/reusable/*.yml.
Walkthrough
The PR updates the repository to externalize and pin its reusable workflows and actions to a specific YiAgent/OpenCI commit SHA, replacing local relative references with remote pinned versions. It adds SHA consistency verification, automated bumping infrastructure, and supporting tooling to manage the pinned dependency.
Changes: Externalize and Pin YiAgent/OpenCI Workflows with SHA Verification & Automation
Sequence Diagram
sequenceDiagram
actor Developer as Developer
participant Main as main branch
participant Workflow as on-main-bump-sha.yml
participant Script as bump-self-sha.sh
participant Manifest as manifest.yml
participant WorkflowFiles as .github/workflows/*.yml
participant PR as GitHub PR
Developer->>Main: Push to main
Main->>Workflow: Trigger Auto-bump self SHA
Workflow->>Workflow: Read YiAgent/OpenCI SHA from manifest.yml
Workflow->>Workflow: Check if .github/workflows/reusable/ exists at that SHA
Workflow->>Workflow: Compare against current HEAD
alt SHA is stale or missing
Workflow->>Script: Execute bump-self-sha.sh
Script->>Script: Fetch REMOTE/BASE_BRANCH
Script->>Script: Walk back up to 20 commits for commit containing .github/workflows/reusable/
Script->>Script: Read current SHA from manifest.yml
Script->>Script: Validate new SHA differs from old
Script->>Manifest: Replace old SHA with new SHA
Script->>WorkflowFiles: Replace old SHA refs in all workflow files
Script->>Workflow: Report completion
Workflow->>Main: Commit manifest.yml + workflow files to new branch
Workflow->>Main: Push chore/bump-self-sha-${NEW_SHA:0:8}
Workflow->>PR: Open PR back to main
else SHA is current
Workflow->>Workflow: Skip bump steps
end
Estimated code review effort: 3 (Moderate), ~25 minutes.
Actionable comments posted: 1
🧹 Nitpick comments (1)
tests/actions/on-issue-routing.bats (1)
Lines 99-103: Assert SHA pinning in the reusable workflow matcher.
The current grep only checks the workflow path; `@main` would still pass. Tighten this to require a commit SHA format.
Proposed test hardening:
- count=$(grep -c 'uses: YiAgent/OpenCI/.github/workflows/reusable/issue\.yml' "$ENTRY") + count=$(grep -c 'uses: YiAgent/OpenCI/.github/workflows/reusable/issue\.yml@[0-9a-f]\{40\}$' "$ENTRY")🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tests/actions/on-issue-routing.bats` around lines 99 - 103, The test "all four jobs call the same reusable workflow reusable/issue.yml" currently greps only the path and allows a branch like `@main`; change the grep to assert SHA pinning by matching the uses line including a commit SHA format (e.g. requires @ followed by a 40-hex SHA). Update the command that sets count (which references ENTRY) to use an extended/Perl regex (grep -E or -P) that matches "uses: YiAgent/OpenCI/.github/workflows/reusable/issue\.yml@[0-9a-f]{40}" so only pinned commits count.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@tests/actions/on-pr-routing.bats`:
- Around line 43-45: Update the test "single checks job calls reusable pr.yml
workflow" to assert the workflow reference includes a 40-character SHA suffix,
not just the file path: modify the grep invocation that inspects "$ENTRY" (the
check in the test function) so it requires 'uses:
YiAgent/OpenCI/.github/workflows/reusable/pr\.yml@' followed by a 40-character
hex SHA (0-9a-f or A-F) pattern; this ensures the reusable workflow is pinned to
a commit SHA instead of just the path.
Review info: configuration defaults, review profile CHILL, plan Pro Plus, run ID 0187ff2e-39e6-43ca-bdb6-3c5d501a1980.
Files selected for processing (14):
- .github/workflows/agent.yml
- .github/workflows/ci.yml
- .github/workflows/dependencies.yml
- .github/workflows/deploy.yml
- .github/workflows/docs.yml
- .github/workflows/issue-ops.yml
- .github/workflows/observability.yml
- .github/workflows/on-maintenance.yml
- .github/workflows/pull-request.yml
- .github/workflows/release.yml
- .github/workflows/reusable/ci.yml
- manifest.yml
- tests/actions/on-issue-routing.bats
- tests/actions/on-pr-routing.bats
| @test "single checks job calls reusable pr.yml workflow" { | ||
| grep -q 'uses: \.\/\.github\/workflows\/reusable\/pr\.yml' "$ENTRY" | ||
| grep -q 'uses: YiAgent/OpenCI/.github/workflows/reusable/pr\.yml' "$ENTRY" | ||
| } |
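Review bot: The replacement assertion in this hunk only proves the `uses:` path changed from `./` to `YiAgent/OpenCI/...`; it still passes for `@main`, for a tag, or for a line with no `@` at all, so the failure this PR fixes (a pin that does not match the manifest) would not be caught by the test. Since manifest.yml is the source of truth for the YiAgent/OpenCI SHA, read that value in the test and assert the line ends with `@<that sha>` rather than merely a 40-hex pattern; the same `grep -q` then fails on an unpinned reference and on drift between manifest.yml and the workflow file.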
Strengthen assertion to enforce SHA pin format.
Line 44 currently matches only the workflow path, so it won’t fail if @<sha> is accidentally removed. Assert a 40-char commit suffix explicitly.
Suggested test update
- grep -q 'uses: YiAgent/OpenCI/.github/workflows/reusable/pr\.yml' "$ENTRY"
+ grep -Eq '^[[:space:]]*uses:[[:space:]]*YiAgent/OpenCI/\.github/workflows/reusable/pr\.yml@[0-9a-f]{40}[[:space:]]*$' "$ENTRY"📝 Committable suggestion
| @test "single checks job calls reusable pr.yml workflow" { | |
| grep -q 'uses: \.\/\.github\/workflows\/reusable\/pr\.yml' "$ENTRY" | |
| grep -q 'uses: YiAgent/OpenCI/.github/workflows/reusable/pr\.yml' "$ENTRY" | |
| } | |
| `@test` "single checks job calls reusable pr.yml workflow" { | |
| grep -Eq '^[[:space:]]*uses:[[:space:]]*YiAgent/OpenCI/\.github/workflows/reusable/pr\.yml@[0-9a-f]{40}[[:space:]]*$' "$ENTRY" | |
| } |
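Review bot: The suggested regex anchors `[[:space:]]*$` directly after the 40-hex SHA, so it rejects a `uses:` line that carries a trailing `# <version>` comment after the pin, which is a common way to record what a SHA pin corresponds to; if that convention is adopted later the test fails although the pin is correct. Allow an optional comment, e.g. `@[0-9a-f]{40}([[:space:]]+#.*)?$`. Note also that this suggestion uses `grep -E` with `{40}` while the on-issue-routing.bats suggestion on this page uses the BRE form `\{40\}`; the two quantifier spellings must not be mixed within one grep invocation.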
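The two review comments above (on on-issue-routing.bats and on-pr-routing.bats) both ask the tests to assert a real commit pin rather than just the path. The following is an added example written for this page, not one of the repository's BATS tests and not CodeRabbit's suggestion: it checks every YiAgent/OpenCI reusable-workflow reference in a workflow file against the SHA recorded in manifest.yml, and flags `@main`-style refs, the unsupported `./` relative form the PR replaced, and references with no `@` at all. The sample workflow text, the function names and the use of this PR's ebe8fca SHA as the expected value are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not the repository's BATS tests): verify that every
# YiAgent/OpenCI reusable-workflow reference in a workflow file is pinned to
# the exact 40-hex SHA recorded in manifest.yml. Sample inputs are constructed.
set -eu

OWNER_REPO="YiAgent/OpenCI"
# Remote form the PR introduced (any file under reusable/), with or without '@...'
REMOTE_RE="uses:[[:space:]]*${OWNER_REPO}/\\.github/workflows/reusable/[^[:space:]@]+\\.yml"
# Relative form the PR removed; GitHub does not resolve './' for reusable/ subdirectories
RELATIVE_RE="uses:[[:space:]]*\\./\\.github/workflows/reusable/"

# Usage: check_reusable_pins <workflow.yml> <sha-from-manifest>
# Prints each offending 'uses:' line; exit 0 only when every reference is pinned
# to exactly <sha-from-manifest>. Exit 2 if the manifest value is not a full SHA.
check_reusable_pins() {
  local file="$1" want_sha="$2" offenders
  if ! printf '%s' "$want_sha" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "manifest SHA '$want_sha' is not a 40-hex commit id" >&2
    return 2
  fi
  offenders="$(
    { grep -E "${REMOTE_RE}|${RELATIVE_RE}" "$file" || true; } |
    while IFS= read -r line; do
      case "$line" in
        *@*) ref="${line#*@}"; ref="${ref%%[[:space:]]*}" ;;  # text between '@' and a space/comment
        *)   ref="" ;;                                       # no '@' at all: unpinned
      esac
      # Equality with a validated 40-hex value implies the pin is a full SHA.
      [ "$ref" = "$want_sha" ] || printf '%s\n' "$line"
    done
  )"
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# Constructed sample: one correct pin, one branch ref, one relative reference.
MANIFEST_SHA="ebe8fca3260dce68d34d51b74703169e776bc72d"   # SHA this PR pins to
SAMPLE_WORKFLOW='jobs:
  checks:
    uses: YiAgent/OpenCI/.github/workflows/reusable/pr.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
  stale:
    uses: YiAgent/OpenCI/.github/workflows/reusable/ci.yml@main   # branch, not a pin
  legacy:
    uses: ./.github/workflows/reusable/issue.yml
'

# Writes the sample to a temp file and prints the number of offending lines.
demo_offender_count() {
  local tmp; tmp="$(mktemp)"
  printf '%s' "$SAMPLE_WORKFLOW" > "$tmp"
  check_reusable_pins "$tmp" "$MANIFEST_SHA" | wc -l | tr -d ' '
  rm -f "$tmp"
}
```

Run `check_reusable_pins .github/workflows/pull-request.yml "$(yq -r '.deps["YiAgent/OpenCI"]' manifest.yml)"` from a BATS test; the manifest lookup is taken from the analysis script CodeRabbit ran on this page, so the test fails whenever the workflow and the manifest disagree, not only when the pin is malformed.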
Two changes to prevent the "SHA predates reusable/ directory" class of failures from reaching CI:
1. verify-sha-consistency.sh: after the existing consistency check, verify that any self-referencing entry (currently YiAgent/OpenCI) actually has the required directory (.github/workflows/reusable/) at the pinned SHA. Error message explicitly points to bump-self-sha.sh.
2. scripts/bump-self-sha.sh: automates the SHA update workflow. Fetches the latest main-branch HEAD, walks back until a commit with reusable/ is found, then atomically updates manifest.yml and all workflow files. Supports --dry-run for preview. Usage: bash scripts/bump-self-sha.sh
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/scripts/verify-sha-consistency.sh:
- Around line 224-227: The current code silences git errors when running git
ls-tree into tree_output, causing shallow-clone cases where the commit object is
missing to surface as "SHA Missing Structure"; change the logic to first verify
the commit object exists by running git cat-file -e "$self_sha" (without
redirecting stderr) and if that fails call emit_error with a distinct message
like "SHA Missing Commit" explaining the commit object is not available locally,
then only run git ls-tree "$self_sha" "$self_required_path/" (as before) to
detect a missing directory and emit the existing "SHA Missing Structure" error
using emit_error when tree_output is empty.
In `@scripts/bump-self-sha.sh`:
- Around line 33-39: The ancestor walk can fail in shallow clones; after
resolving remote_sha (variable remote_sha) and before performing the ancestor
walk, detect a shallow repository (presence of .git/shallow or git rev-parse
--is-shallow-repository) and deepen/unshallow the repo by fetching more history
from REMOTE/BASE_BRANCH (use git fetch --unshallow or git fetch --depth=<n> from
REMOTE for BASE_BRANCH) so the subsequent ancestor traversal succeeds; ensure
the fetch call logs errors and falls back cleanly to die() if the
deepen/unshallow fails.
Review info: configuration defaults, review profile CHILL, plan Pro Plus, run ID 9256845e-91d8-420e-bde5-05ca9c1ecc79.
Files selected for processing (2):
- .github/scripts/verify-sha-consistency.sh
- scripts/bump-self-sha.sh
| tree_output="$(git ls-tree "$self_sha" "$self_required_path/" 2>/dev/null || true)" | ||
| if [ -z "$tree_output" ]; then | ||
| emit_error "SHA Missing Structure" \ | ||
| "manifest.yml: $self_name SHA $self_sha has no '$self_required_path/' directory. Run scripts/bump-self-sha.sh to update to a valid commit." |
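Review bot: `2>/dev/null || true` on the `git ls-tree` call in this hunk collapses two different failures into one message: a commit object that is not present in the local clone (shallow checkout, stale fetch) and a commit that exists but has no `$self_required_path/`. Only the second case is fixed by running scripts/bump-self-sha.sh as the message instructs; in the first case the advice sends the user to bump a SHA that may be perfectly valid. Check `git cat-file -e "${self_sha}^{commit}"` first and emit a distinct error for a missing object. Separately, the check proves only that the directory exists at the SHA, not that every `reusable/*.yml` file the workflows reference exists there, so a file renamed in the reorganization would still pass; an `ls-tree` per referenced file would close that gap.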
🧩 Analysis chain
🏁 Script executed:
#!/usr/bin/env bash
set -euo pipefail
sha="$(yq -r '.deps["YiAgent/OpenCI"] // ""' manifest.yml)"
echo "is_shallow=$(git rev-parse --is-shallow-repository)"
echo "manifest_sha=$sha"
if git cat-file -e "${sha}^{commit}" 2>/dev/null; then
echo "commit_object_present=yes"
else
echo "commit_object_present=no (likely shallow clone or missing fetch)"
fi
🏁 Script executed:
# Find the target file and check its content
find . -name "verify-sha-consistency.sh" -type f
🏁 Script executed:
# Read the file to see lines around 224-227
if [ -f ".github/scripts/verify-sha-consistency.sh" ]; then
wc -l ".github/scripts/verify-sha-consistency.sh"
sed -n '210,240p' ".github/scripts/verify-sha-consistency.sh"
fi
🏁 Script executed:
# Also check the full context of the function containing this code
if [ -f ".github/scripts/verify-sha-consistency.sh" ]; then
sed -n '200,250p' ".github/scripts/verify-sha-consistency.sh"
fi
🏁 Script executed:
# Check if git cat-file -e works as expected and how git ls-tree behaves
# Let's examine the git documentation/behavior in context
# First, verify the SELF_REFS pattern and how manifest.yml is used
grep -n "SELF_REFS" ".github/scripts/verify-sha-consistency.sh" | head -20
🏁 Script executed:
# Check if there are any other usages of git ls-tree in the script
grep -n "git ls-tree" ".github/scripts/verify-sha-consistency.sh"
🏁 Script executed:
# Verify the manifest.yml structure to understand the data being validated
if [ -f "manifest.yml" ]; then
cat manifest.yml
fi
Distinguish missing commit objects from missing directory structure in shallow clones.
Line 224 swallows git ls-tree errors with 2>/dev/null || true, causing shallow clones to produce false "SHA Missing Structure" errors even when the path exists in the commit but the commit object itself is unavailable locally. Check commit-object availability first using git cat-file -e, emit a more specific error, and only then perform the path check.
Suggested fix
for self_name in "${!SELF_REFS[@]}"; do
self_required_path="${SELF_REFS[$self_name]}"
self_sha="$(echo "$manifest_map" | awk -F'\t' -v key="$self_name" '$1 == key { print $2; exit }')"
[ -z "$self_sha" ] && continue
+ if ! git cat-file -e "${self_sha}^{commit}" 2>/dev/null; then
+ emit_error "Missing Commit Object" \
+ "manifest.yml: $self_name SHA $self_sha is not present in the local clone. Fetch more history (e.g., checkout with fetch-depth: 0) and rerun."
+ continue
+ fi
+
# git ls-tree returns non-empty output when the path exists at that SHA.
tree_output="$(git ls-tree "$self_sha" "$self_required_path/" 2>/dev/null || true)"
if [ -z "$tree_output" ]; then
emit_error "SHA Missing Structure" \
"manifest.yml: $self_name SHA $self_sha has no '$self_required_path/' directory. Run scripts/bump-self-sha.sh to update to a valid commit."
fi
done📝 Committable suggestion
| tree_output="$(git ls-tree "$self_sha" "$self_required_path/" 2>/dev/null || true)" | |
| if [ -z "$tree_output" ]; then | |
| emit_error "SHA Missing Structure" \ | |
| "manifest.yml: $self_name SHA $self_sha has no '$self_required_path/' directory. Run scripts/bump-self-sha.sh to update to a valid commit." | |
| for self_name in "${!SELF_REFS[@]}"; do | |
| self_required_path="${SELF_REFS[$self_name]}" | |
| self_sha="$(echo "$manifest_map" | awk -F'\t' -v key="$self_name" '$1 == key { print $2; exit }')" | |
| [ -z "$self_sha" ] && continue | |
| if ! git cat-file -e "${self_sha}^{commit}" 2>/dev/null; then | |
| emit_error "Missing Commit Object" \ | |
| "manifest.yml: $self_name SHA $self_sha is not present in the local clone. Fetch more history (e.g., checkout with fetch-depth: 0) and rerun." | |
| continue | |
| fi | |
| # git ls-tree returns non-empty output when the path exists at that SHA. | |
| tree_output="$(git ls-tree "$self_sha" "$self_required_path/" 2>/dev/null || true)" | |
| if [ -z "$tree_output" ]; then | |
| emit_error "SHA Missing Structure" \ | |
| "manifest.yml: $self_name SHA $self_sha has no '$self_required_path/' directory. Run scripts/bump-self-sha.sh to update to a valid commit." | |
| fi | |
| done |
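Review bot: In the suggested block the `continue` after "Missing Commit Object" is right, but the recovery advice in that message (`fetch-depth: 0`) pulls the full history for every run of a check that needs exactly one commit; fetching that single object, `git fetch origin "$self_sha"`, is cheaper and works from a `fetch-depth: 1` checkout without changing the workflow. Also, the `self_sha` value read from `manifest_map` on the line above is passed straight to `cat-file -e`, which resolves abbreviated ids too, so the visible lines contain no guard that the manifest value is a full 40-hex SHA even though every other check on this page requires that form; validate it before the `cat-file` call.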
| info "Fetching $REMOTE/$BASE_BRANCH ..." | ||
| git fetch --quiet "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \ | ||
| die "Cannot fetch $REMOTE/$BASE_BRANCH. Check your remote and network access." | ||
|
|
||
| remote_sha="$(git rev-parse "refs/remotes/$REMOTE/$BASE_BRANCH" 2>/dev/null)" || \ | ||
| die "Could not resolve $REMOTE/$BASE_BRANCH after fetch." | ||
|
|
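Review bot: `git fetch "$REMOTE" "$BASE_BRANCH"` without a destination refspec updates FETCH_HEAD; whether `refs/remotes/$REMOTE/$BASE_BRANCH` is also updated depends on the remote's configured fetch refspec, so in a checkout whose refspec was narrowed the `git rev-parse` in this hunk can return a stale tip or fail with "Could not resolve". Fetch with an explicit refspec, `git fetch "$REMOTE" "+refs/heads/$BASE_BRANCH:refs/remotes/$REMOTE/$BASE_BRANCH"`, or resolve `FETCH_HEAD`. The `2>/dev/null` on the fetch also discards git's own diagnostic (authentication failure, unknown branch, network), which the `die` message cannot reconstruct; let stderr through or capture it into the message.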
🧩 Analysis chain
🏁 Script executed:
#!/usr/bin/env bash
set -euo pipefail
remote="${REMOTE:-origin}"
branch="${BASE_BRANCH:-main}"
echo "is_shallow=$(git rev-parse --is-shallow-repository)"
git fetch --quiet "$remote" "$branch"
tip="$(git rev-parse "refs/remotes/$remote/$branch")"
echo "remote_tip=$tip"
if git rev-parse "${tip}^" >/dev/null 2>&1; then
echo "parent_available=yes"
else
echo "parent_available=no (deepen/unshallow needed for ancestry walk)"
fi
🏁 Script executed:
# First, let's locate and read the script file
fd -type f -name 'bump-self-sha.sh' | head -5
🏁 Script executed:
# Once located, read lines around 33-39 and 58-59 to understand the context
cat -n scripts/bump-self-sha.sh | sed -n '30,65p'
🏁 Script executed:
# Test the actual ancestor walk scenario more thoroughly
# Check how many commits are available after fetch and if walk can complete
cat > /tmp/test_ancestor_walk.sh << 'EOF'
#!/usr/bin/env bash
set -euo pipefail
remote="${REMOTE:-origin}"
branch="${BASE_BRANCH:-main}"
workflow_search=".github/workflows/reusable"
echo "=== Initial State ==="
echo "is_shallow=$(git rev-parse --is-shallow-repository)"
echo -e "\n=== Fetching remote ==="
git fetch --quiet "$remote" "$branch" 2>/dev/null
remote_sha="$(git rev-parse "refs/remotes/$remote/$branch")"
echo "remote_sha=$remote_sha"
echo -e "\n=== Testing ancestor walk (simulating the script loop) ==="
candidate="$remote_sha"
max_iterations=5
iterations=0
while [ $iterations -lt $max_iterations ]; do
iterations=$((iterations + 1))
echo " Iteration $iterations: candidate=$candidate"
# Check if parent is available
if ! git rev-parse "${candidate}^" >/dev/null 2>&1; then
echo " ERROR: Parent of $candidate not available in shallow clone!"
echo " Shallow clone depth insufficient for ancestor walk."
break
fi
# In real script, would check if commit contains workflow_search
# For now, just move to parent
candidate="$(git rev-parse "${candidate}^")"
done
if [ $iterations -eq $max_iterations ]; then
echo " Walk completed $max_iterations iterations successfully"
fi
EOF
bash /tmp/test_ancestor_walk.sh
🏁 Script executed:
# Create a fresh shallow clone with depth=1 to test the actual failure scenario
temp_dir=$(mktemp -d)
cd "$temp_dir"
git clone --depth=1 https://github.com/YiAgent/OpenCI.git test_repo 2>&1 | head -10
cd test_repo
echo "=== Extreme shallow (depth=1) ==="
echo "is_shallow=$(git rev-parse --is-shallow-repository)"
# Now simulate what bump-self-sha.sh does
remote="origin"
branch="main"
git fetch --quiet "$remote" "$branch" 2>/dev/null
remote_sha="$(git rev-parse "refs/remotes/$remote/$branch")"
echo "remote_sha=$remote_sha"
# Try to access parent (this should fail in depth=1)
if git rev-parse "${remote_sha}^" >/dev/null 2>&1; then
echo "parent_available=yes"
else
echo "parent_available=no (THIS IS THE FAILURE CASE)"
fi
cd /
rm -rf "$temp_dir"
Make ancestor walk robust for shallow repositories.
The ancestor walk at lines 58-59 fails in shallow clones when parent commits are unavailable, terminating with "Ran out of history..." even when valid ancestors exist remotely. This is a real problem in CI environments and local shallow clones. Deepen or unshallow the repository before the walk to ensure this script works reliably in all scenarios.
Suggested fix
info "Fetching $REMOTE/$BASE_BRANCH ..."
-git fetch --quiet "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \
- die "Cannot fetch $REMOTE/$BASE_BRANCH. Check your remote and network access."
+git fetch --quiet "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \
+ die "Cannot fetch $REMOTE/$BASE_BRANCH. Check your remote and network access."
+
+# Ensure ancestry walk works in shallow clones.
+if [ "$(git rev-parse --is-shallow-repository 2>/dev/null || echo false)" = "true" ]; then
+ git fetch --quiet --deepen=100 "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \
+ git fetch --quiet --unshallow "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \
+ die "Repository is shallow and could not be deepened; cannot walk commit ancestry."
+fi📝 Committable suggestion
| info "Fetching $REMOTE/$BASE_BRANCH ..." | |
| git fetch --quiet "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \ | |
| die "Cannot fetch $REMOTE/$BASE_BRANCH. Check your remote and network access." | |
| remote_sha="$(git rev-parse "refs/remotes/$REMOTE/$BASE_BRANCH" 2>/dev/null)" || \ | |
| die "Could not resolve $REMOTE/$BASE_BRANCH after fetch." | |
| info "Fetching $REMOTE/$BASE_BRANCH ..." | |
| git fetch --quiet "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \ | |
| die "Cannot fetch $REMOTE/$BASE_BRANCH. Check your remote and network access." | |
| # Ensure ancestry walk works in shallow clones. | |
| if [ "$(git rev-parse --is-shallow-repository 2>/dev/null || echo false)" = "true" ]; then | |
| git fetch --quiet --deepen=100 "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \ | |
| git fetch --quiet --unshallow "$REMOTE" "$BASE_BRANCH" 2>/dev/null || \ | |
| die "Repository is shallow and could not be deepened; cannot walk commit ancestry." | |
| fi |
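Review bot: `--deepen=100` is five times the 20-commit bound the walk uses, and a deepen that succeeds still leaves the walk silently truncated if the required commit is older than the new boundary, because the loop's `rev-parse "${candidate}^"` only reports that the parent is absent. Deepen by the walk bound (`--deepen=20`, or a variable shared with the loop) and, when the loop hits the shallow boundary, report "shallow boundary reached" distinctly from "no commit with reusable/ in range", so the user knows whether to fetch more history or whether the directory really is older than the bound. Keep `--unshallow` as the last resort it is here.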
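The two comments above describe (a) telling a missing commit object apart from a missing directory at a pinned SHA, and (b) walking ancestry from a branch tip in a clone that may be shallow. The block below is an added example for this page, not code from verify-sha-consistency.sh or bump-self-sha.sh: it builds a throwaway repository with three constructed commits (no reusable/, reusable/ added, reusable/ removed again), classifies a SHA as ok, missing-path or missing-commit, deepens a shallow clone by the walk bound before walking, and walks first-parent history back to the newest commit that carries the path. The function names, the demo repository and its three-commit history are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not verify-sha-consistency.sh or bump-self-sha.sh): classify a
# pinned SHA as ok / missing-path / missing-commit, deepen a shallow clone before
# walking ancestry, and walk back to the newest commit that carries a path.
# The demo repository and its three commits are constructed below.
set -eu

REQUIRED_PATH=".github/workflows/reusable"   # directory the pinned SHA must contain
MAX_WALK=20                                  # same bound as the PR's ancestor walk

# git with a fixed identity so commits work in any environment (demo only)
gitc() { local dir="$1"; shift; git -C "$dir" -c user.name=demo -c user.email=demo@example.com -c commit.gpgsign=false "$@"; }

# Usage: check_sha_has_path <repo> <sha> <path>
# Prints ok (exit 0), missing-path (exit 1) or missing-commit (exit 2), so a
# caller can give each case its own advice instead of one "SHA Missing Structure".
check_sha_has_path() {
  local repo="$1" sha="$2" path="${3%/}"
  if ! git -C "$repo" cat-file -e "${sha}^{commit}" 2>/dev/null; then
    echo missing-commit; return 2      # object absent locally: fetch, do not bump
  fi
  # ls-tree on 'dir/' lists the directory's entries; empty output means absent.
  if [ -z "$(git -C "$repo" ls-tree "$sha" "$path/" 2>/dev/null || true)" ]; then
    echo missing-path; return 1        # commit is real but predates the directory
  fi
  echo ok
}

# Usage: ensure_history <repo> <remote> <branch> [depth]
# Deepens only when the clone is shallow; otherwise a no-op. Deepening by the
# walk bound keeps the fetch proportional to what the walk can actually use.
ensure_history() {
  local repo="$1" remote="$2" branch="$3" depth="${4:-$MAX_WALK}"
  [ "$(git -C "$repo" rev-parse --is-shallow-repository)" = "true" ] || return 0
  git -C "$repo" fetch --quiet --deepen="$depth" "$remote" "$branch" ||
    git -C "$repo" fetch --quiet --unshallow "$remote" "$branch" ||
    { echo "shallow clone could not be deepened; cannot walk ancestry" >&2; return 1; }
}

# Usage: find_commit_with_path <repo> <tip>
# Walks first-parent ancestry from <tip>, at most MAX_WALK commits, and prints the
# newest commit that contains REQUIRED_PATH; exit 1 if none is in range.
find_commit_with_path() {
  local repo="$1" tip="$2" sha
  for sha in $(git -C "$repo" rev-list --first-parent --max-count="$MAX_WALK" "$tip"); do
    if [ "$(check_sha_has_path "$repo" "$sha" "$REQUIRED_PATH" || true)" = ok ]; then
      echo "$sha"; return 0
    fi
  done
  echo "no commit with $REQUIRED_PATH within $MAX_WALK commits of $tip" >&2
  return 1
}

# Constructed demo repo: c1 has no reusable/, c2 adds it, c3 removes it again,
# so a walk from the tip (c3) must land on c2. Prints the repo path.
make_demo_repo() {
  local dir; dir="$(mktemp -d)"
  git -c init.defaultBranch=main init -q "$dir"
  gitc "$dir" commit -q --allow-empty -m "c1: before reusable/ exists"
  mkdir -p "$dir/$REQUIRED_PATH"
  printf 'name: pr\n' > "$dir/$REQUIRED_PATH/pr.yml"
  gitc "$dir" add -A
  gitc "$dir" commit -q -m "c2: add reusable/"
  gitc "$dir" rm -q -r "$REQUIRED_PATH"
  gitc "$dir" commit -q -m "c3: remove reusable/ again"
  echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
  repo="$(make_demo_repo)"
  tip="$(git -C "$repo" rev-parse HEAD)"
  echo "tip $tip: $(check_sha_has_path "$repo" "$tip" "$REQUIRED_PATH" || true)"
  echo "newest commit with $REQUIRED_PATH: $(find_commit_with_path "$repo" "$tip")"
  rm -rf "$repo"
fi
```

Run the script with `--demo` to see the classification and the walk on the constructed repository. `ensure_history` is a no-op on a full clone, which is why the demo exercises only the other two functions; in a real `bump-self-sha.sh` flow it runs once, after the fetch and before the walk, with the same bound the walk uses.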
Two additions to prevent the "SHA predates reusable/ directory" class of failures from ever reaching main:
1. reusable/pr.yml: new verify-sha job (needs: preflight) that runs verify-sha-consistency.sh on every PR. The enrich/Stage-2 gate now depends on it, so a bad SHA blocks the merge button.
2. on-main-bump-sha.yml: post-merge workflow that fires on every push to main. Checks whether the YiAgent/OpenCI SHA in manifest.yml is current and structurally valid; if not, runs bump-self-sha.sh and opens an auto-PR so the manifest never drifts out of sync without human action.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/reusable/pr.yml:
- Around line 363-369: Replace the unpinned "Install yq" step that downloads
from the `latest` URL with a pinned release approach: introduce or use an
environment variable (e.g., YQ_VERSION) and download the binary for that exact
tag (for example v4.44.1) instead of `latest`, and validate the download
(compare a provided checksum variable like YQ_SHA256 or use a known container
image) before installing; update the step named "Install yq" in this workflow
and apply the same change to the equivalent steps in the other workflows
mentioned (the reusable/ci.yml and on-main-bump-sha.yml occurrences) so all yq
downloads are pinned and verified.
Review info: configuration defaults, review profile CHILL, plan Pro Plus, run ID a1ee82eb-233f-4408-b5d4-aa41e996ea47.
Files selected for processing (2):
- .github/workflows/on-main-bump-sha.yml
- .github/workflows/reusable/pr.yml
Files skipped from review due to trivial changes (1):
- .github/workflows/on-main-bump-sha.yml
| - name: Install yq | ||
| run: | | ||
| if ! command -v yq >/dev/null 2>&1; then | ||
| sudo wget -qO /usr/local/bin/yq \ | ||
| https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 | ||
| sudo chmod +x /usr/local/bin/yq | ||
| fi |
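Review bot: Two problems in the `Install yq` step. The `releases/latest/download/` URL floats, so the binary that runs the SHA-consistency gate is itself unpinned and unverified, which undercuts the gate's purpose; download `releases/download/<YQ_VERSION>/yq_linux_amd64` for an explicit tag and compare its sha256 with a checksum recorded in the workflow before the `chmod +x`. And the `if ! command -v yq` guard skips the download whenever the runner image ships any yq, so the version actually used is whatever the image has that week; check `yq --version` against the pinned tag instead of mere presence, or always install the pinned build into a job-local directory placed ahead of PATH. Downloading to a temp path, verifying, then `install -m 0755` into place also avoids ever exposing an unverified file at /usr/local/bin/yq.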
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n --hidden --glob '!.git' '\byq\b|verify-sha-consistency' .github || true
sed -n '1,220p' .github/scripts/verify-sha-consistency.sh
Pin the yq download to a specific release version.
This gate downloads yq from the latest release URL, introducing an unpinned external dependency in a merge check designed to validate pinned SHAs. This contradicts the purpose of the SHA validation gate and reintroduces a supply-chain risk.
The repo already demonstrates a pinned approach in .github/workflows/on-maintenance.yml (using YQ_VERSION environment variable). Apply the same pattern here: either hardcode a release version (e.g., v4.44.1) or reference an environment variable, and verify the download using a checksum or a container image that provides a known version.
Also apply the same fix to .github/workflows/reusable/ci.yml (line 336) and .github/workflows/on-main-bump-sha.yml (line 37), which have the same unpinned pattern.
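The comment above asks for the yq download to be pinned and verified. Below is an added example of such a step written for this page, not the repository's workflow step and not the on-maintenance.yml pattern the comment cites: it downloads the asset for an explicit tag, compares its sha256 with a recorded checksum before installing, and treats an already-present yq as acceptable only when `yq --version` reports the pinned tag. `YQ_VERSION` defaults to the v4.44.1 named in the comment; `YQ_SHA256` is a placeholder that must be replaced with the checksum published for that asset; `install_yq_pinned`, `verify_sha256` and `yq_matches_pin` are names assumed by the example.

```shell
#!/usr/bin/env bash
# Added example (not the repository's workflow step): install yq from an explicit
# release tag and refuse to install unless the downloaded asset's sha256 matches
# a checksum recorded alongside the version. YQ_SHA256 below is a placeholder.
set -eu

YQ_VERSION="${YQ_VERSION:-v4.44.1}"   # tag named in the review comment
# PLACEHOLDER: replace with the sha256 published for yq_linux_amd64 at that tag.
YQ_SHA256="${YQ_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
YQ_URL="https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64"

# sha256 of a file as lowercase hex (sha256sum on Linux, shasum elsewhere)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{print tolower($1)}'
}

# Usage: verify_sha256 <file> <expected-hex>; exit 0 only on an exact match.
verify_sha256() {
  local file="$1" expected
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ "$(sha256_of "$file")" = "$expected" ]
}

# Usage: yq_matches_pin [yq-binary]; true when an installed yq reports the pinned tag.
# A bare 'command -v yq' would accept whatever version the runner image ships.
yq_matches_pin() {
  local bin="${1:-yq}"
  command -v "$bin" >/dev/null 2>&1 && "$bin" --version 2>/dev/null | grep -q -- "$YQ_VERSION"
}

# Usage: install_yq_pinned [dest]; download to a temp path, verify, then install.
install_yq_pinned() {
  local dest="${1:-/usr/local/bin/yq}" tmp
  if yq_matches_pin "$dest"; then
    echo "yq $YQ_VERSION already present at $dest"; return 0
  fi
  tmp="$(mktemp)"
  wget -qO "$tmp" "$YQ_URL"
  if ! verify_sha256 "$tmp" "$YQ_SHA256"; then
    rm -f "$tmp"
    echo "yq $YQ_VERSION: sha256 mismatch, refusing to install" >&2
    return 1
  fi
  install -m 0755 "$tmp" "$dest"   # only a verified file ever lands on PATH
  rm -f "$tmp"
  "$dest" --version
}
```

In a workflow, put `YQ_VERSION` and `YQ_SHA256` in the job's `env:` so the same pair is shared by reusable/pr.yml, reusable/ci.yml and on-main-bump-sha.yml, and bump both values together; a version bump without a checksum update then fails the step rather than silently installing an unverified binary.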
Summary
- d280a64 was used as the pinned ref for all YiAgent/OpenCI reusable workflow calls, but that commit predates the reusable/ subdirectory reorganization — the directory simply does not exist there
- reusable/ci.yml (or any reusable/*.yml) at that SHA → every caller workflow fails immediately with "workflow file issue" before any job starts (0 jobs run)
- @d280a64 references and the manifest.yml source-of-truth entry to ebe8fca3260dce68d34d51b74703169e776bc72d, which is the first main-branch commit confirmed to contain .github/workflows/reusable/*.yml
Test plan
- ci, agent, dependencies, deploy, docs, issue-ops, observability, on-maintenance, pull-request, release) now start jobs successfully
- verify-sha-consistency pre-commit hook passes (335 uses, 0 errors — verified locally)
- test workflow still passes (unrelated to this fix; ANTHROPIC_API_KEY must be updated separately to fix the Live Eval job)