fix(workflows): standardize model/api-base-url params for custom LLM #38

Merged: YiWang24 merged 4 commits into main from fix/reusable-workflow-paths on May 4, 2026

YiWang24 (Collaborator) commented May 4, 2026

Summary

  • Standardize api-base-url secret name: issue-ops.yml was using API_BASE_URL, all other callers use ANTHROPIC_BASE_URL. Now unified.
  • Replace secrets: inherit with explicit secret mapping in pull-request.yml to prevent silent secret name mismatches.
  • Add model input (from vars.AI_MODEL repo variable) to pull-request.yml, issue-ops.yml, and docs.yml so the AI model can be configured without code changes.
  • Fix bump-self-sha.sh to use perl -pi instead of sed -i'' for cross-platform compatibility (macOS BSD sed was creating .yml-e backup files).
  • Fix grep -P (Linux-only) → grep -E in bats tests for macOS compatibility.
  • Add *.yml-e to .gitignore to prevent future accidental commits of sed backup files.

To use GLM 5.1 (or any OpenAI-compatible LLM via proxy)

Set these in repo Settings → Secrets and variables:

| Kind     | Name               | Value                          |
|----------|--------------------|--------------------------------|
| Secret   | ANTHROPIC_API_KEY  | Your API key                   |
| Secret   | ANTHROPIC_BASE_URL | Anthropic-compatible proxy URL |
| Variable | AI_MODEL           | Model name (e.g. glm-4-flash)  |

Test plan

  • All local pre-push hooks pass (bats 622/622, verify-sha, actionlint, yamllint)
  • PR CI gate runs successfully on this PR
  • vars.AI_MODEL absent → uses reusable workflow default (claude-sonnet-4-5-20250929)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD pipeline workflows to use newer reusable workflow versions for improved stability and security.
    • Enhanced workflow configuration with explicit secret handling and model parameter support.
    • Updated build and dependency management scripts for improved maintainability.

YiWang24 added 4 commits May 3, 2026 23:14
- Replace API_BASE_URL with ANTHROPIC_BASE_URL in issue-ops.yml
- Replace secrets:inherit with explicit mapping in pull-request.yml
- Add model input (vars.AI_MODEL) to pull-request, issue-ops, docs

coderabbitai Bot commented May 4, 2026

Walkthrough

Multiple GitHub Actions workflow files and configuration are updated to pin reusable workflows and actions to a new YiAgent/OpenCI commit SHA. Secret references are renamed from API_BASE_URL to ANTHROPIC_BASE_URL, and a new model input is added to issue-ops workflow. Tooling scripts and .gitignore are also updated accordingly.

Changes

YiAgent/OpenCI Dependency Update & Wiring

| Layer / File(s) | Summary |
|---|---|
| Dependency Manifest: manifest.yml | YiAgent/OpenCI SHA pinned from ebe8fca3... to be43e4ef... in deps:. |
| Reusable Workflow References: .github/workflows/agent.yml, ci.yml, dependencies.yml, deploy.yml, docs.yml, observability.yml, on-maintenance.yml, pull-request.yml, release.yml, reusable/ci.yml | Pinned commit SHAs for reusable workflows and actions updated from ebe8fca3... to be43e4ef... across all jobs and steps that reference YiAgent/OpenCI. |
| Secrets & Inputs Wiring: issue-ops.yml, pull-request.yml | issue-ops.yml adds new workflow_dispatch input model and updates api-base-url secret from API_BASE_URL to ANTHROPIC_BASE_URL across lifecycle, ingest, maintenance, and manual jobs. pull-request.yml replaces secrets: inherit with explicit ANTHROPIC_API_KEY and ANTHROPIC_BASE_URL mappings and adds model input sourced from vars.AI_MODEL. |
| Tooling & Configuration: scripts/bump-self-sha.sh, .gitignore | bump-self-sha.sh replaces sed -i'' with perl -pi for SHA substitution. .gitignore removes .act.env rule and adds .act.env*.yml-e and *.yaml-e patterns. |
| Test Updates: tests/actions/on-pr-routing.bats | Test case updated to assert anthropic-api-key secret is passed instead of verifying secrets: inherit. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 A hop forward, SHAs dance and sway,
New OpenCI workflows light the way,
Secrets renamed, inputs flow,
Configuration updated, watch us grow!
Tools refined with Perl's embrace,
One version forward—a steady pace. 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically summarizes the main change: standardizing model and API base URL parameters across workflows for custom LLM support. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.gitignore (1)

41-44: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix likely typo in .gitignore ignore pattern (*.yaml-e → *.yml-e).

The PR intent was to ignore sed-created macOS backup files with the *.yml-e suffix, but the current .gitignore ignores *.yaml-e (line 43). If backups are truly named *.yml-e, this pattern won’t match and the backups could still be accidentally committed.

🛠️ Proposed fix
 # act local testing
 .act.env*.yml-e
-*.yaml-e
+*.yml-e
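
Review bot: the context line `.act.env*.yml-e` reads like two patterns joined without a newline. As a single glob it only matches names that start with `.act.env` and end in `.yml-e`, so a plain `.act.env` file used for local act testing is no longer ignored and could be committed. Suggest splitting it into `.act.env` and `*.yml-e` on separate lines, which also makes the added `*.yml-e` line unnecessary.
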
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 41 - 44, Replace the incorrect ignore pattern
'*.yaml-e' with the intended '*.yml-e' in the .gitignore so sed-created macOS
backup files with the .yml-e suffix are actually ignored; locate the existing
'*.yaml-e' entry and change it to '*.yml-e' (ensure no other duplicate patterns
conflict).

📥 Commits

Reviewing files that changed from the base of the PR and between be43e4e and 5b18a26.

📒 Files selected for processing (15)
  • .github/workflows/agent.yml
  • .github/workflows/ci.yml
  • .github/workflows/dependencies.yml
  • .github/workflows/deploy.yml
  • .github/workflows/docs.yml
  • .github/workflows/issue-ops.yml
  • .github/workflows/observability.yml
  • .github/workflows/on-maintenance.yml
  • .github/workflows/pull-request.yml
  • .github/workflows/release.yml
  • .github/workflows/reusable/ci.yml
  • .gitignore
  • manifest.yml
  • scripts/bump-self-sha.sh
  • tests/actions/on-pr-routing.bats

Comment on lines 69 to +74
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.mode == 'maintenance')
uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
with:
mode: maintenance
runner: blacksmith-32vcpu-ubuntu-2404
model: ${{ vars.AI_MODEL || '' }}
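
Review bot: `model: ${{ vars.AI_MODEL || '' }}` on the last line always passes a value, an empty string when the variable is unset, so whether the reusable workflow's default still applies depends on how `issue.yml` at the pinned SHA handles an empty `model`. The test plan relies on the default being used when `vars.AI_MODEL` is absent; worth confirming that path with a test, or documenting that an empty value means "use the default".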

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

workflow_dispatch model override is ignored for maintenance runs.

At Line 69, manual dispatch with mode=maintenance routes to this job, but Line 74 always uses vars.AI_MODEL. That drops inputs.model even when explicitly provided.

Suggested fix
   maintenance:
     if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.mode == 'maintenance')
@@
-      model: ${{ vars.AI_MODEL || '' }}
+      model: ${{ (github.event_name == 'workflow_dispatch' && inputs.model) || vars.AI_MODEL || '' }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/issue-ops.yml around lines 69 - 74, The workflow always
passes vars.AI_MODEL to the reusable job, ignoring a manually provided
inputs.model; update the job input for model (the "model:" under the reusable
"uses: YiAgent/OpenCI/.../issue.yml" invocation) to prefer inputs.model and fall
back to vars.AI_MODEL (e.g., use an expression that evaluates inputs.model
first, then vars.AI_MODEL, then empty string) so a workflow_dispatch with
inputs.model actually overrides the maintenance run.

Comment on lines +37 to +39
secrets:
anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }}
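
Review bot: the explicit map on these three lines does not by itself catch a name mismatch, because `${{ secrets.ANTHROPIC_BASE_URL }}` or `${{ secrets.ANTHROPIC_API_KEY }}` evaluates to an empty string when the secret is unset or misspelled and the job still starts. Suggest a fail-fast check in the called workflow that errors when `anthropic-api-key` is empty. Also note that `api-base-url` decides which host receives the API key, so changes to that secret deserve the same review as changes to the key.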

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pass the rest of the reusable PR secrets explicitly.

This two-entry map regresses the previous secrets: inherit behavior: .github/workflows/reusable/pr.yml still accepts codecov-token, sonar-token, snyk-token, and release-pat, so those integrations will now see null even when the repo secrets are configured. Please either map the remaining optional secrets here as well or narrow the reusable workflow surface in the same PR.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request.yml around lines 37 - 39, The reusable PR
workflow lost inherited secrets by replacing secrets: inherit with an explicit
two-entry map (anthropic-api-key and api-base-url); restore the missing optional
secrets used by the reusable workflow (codecov-token, sonar-token, snyk-token,
release-pat) by either switching back to secrets: inherit or adding explicit
mappings for codecov-token, sonar-token, snyk-token and release-pat alongside
anthropic-api-key and api-base-url so the reusable workflow
(.github/workflows/reusable/pr.yml) receives non-null values.

Comment on lines +59 to +60
@test "checks job passes anthropic-api-key secret" {
grep -q 'anthropic-api-key:' "$ENTRY"

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assert the mapped secret value, not only the key name.

At Line 60, this check passes even if anthropic-api-key is wired to the wrong secret. Assert the full mapping to secrets.ANTHROPIC_API_KEY to catch silent miswiring.

Suggested test hardening
 `@test` "checks job passes anthropic-api-key secret" {
-  grep -q 'anthropic-api-key:' "$ENTRY"
+  grep -Eq 'anthropic-api-key:\s*\$\{\{\s*secrets\.ANTHROPIC_API_KEY\s*\}\}' "$ENTRY"
 }
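
Review bot: `\s` in the added `grep -Eq` pattern is not part of POSIX ERE, so support under `grep -E` varies by implementation. This PR moved the bats tests off `grep -P` for macOS compatibility, so `[[:space:]]*` is the portable spelling here. The `@test` line is also shown wrapped in backticks; drop them if applying the suggestion by hand.
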
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@test "checks job passes anthropic-api-key secret" {
grep -q 'anthropic-api-key:' "$ENTRY"
`@test` "checks job passes anthropic-api-key secret" {
grep -Eq 'anthropic-api-key:\s*\$\{\{\s*secrets\.ANTHROPIC_API_KEY\s*\}\}' "$ENTRY"
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/actions/on-pr-routing.bats` around lines 59 - 60, The test "checks job
passes anthropic-api-key secret" currently only greps for the key name; update
it to assert the full mapped value so miswiring fails the test—read the ENTRY
content and grep or assert that the secret is mapped exactly to the expected
value (e.g., the YAML/DSL entry for anthropic-api-key maps to
secrets.ANTHROPIC_API_KEY); modify the assertion in the test (referencing the
test name and the ENTRY variable) to check the full mapping string rather than
just the key name.
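
The wiring check discussed in the review above, extended to the whole `secrets:` map of a caller workflow, as an added example that is not part of this PR or the project's test suite. The helper names (`list_secret_map`, `uses_inherit`, `check_wiring`, `write_samples`) and the sample file names are assumptions; the sample workflows are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR: assert caller-side secret wiring.

# Print "key=SECRET_NAME" for each `key: ${{ secrets.SECRET_NAME }}` line.
# POSIX classes ([[:space:]]) keep the pattern portable across GNU and BSD tools.
list_secret_map() {
  sed -n -E 's/^[[:space:]]*([a-z0-9-]+):[[:space:]]*\$\{\{[[:space:]]*secrets\.([A-Za-z0-9_]+)[[:space:]]*\}\}[[:space:]]*$/\1=\2/p' "$1"
}

# True when the caller hands every repository secret to the called workflow.
uses_inherit() {
  grep -Eq '^[[:space:]]*secrets:[[:space:]]*inherit[[:space:]]*$' "$1"
}

# check_wiring FILE key=NAME...  Fails on `secrets: inherit`, on a missing
# key, and on a key wired to a different secret than expected.
check_wiring() {
  file=$1; shift
  if uses_inherit "$file"; then
    echo "FAIL $file: secrets: inherit"; return 1
  fi
  actual=$(list_secret_map "$file"); rc=0
  for want in "$@"; do
    printf '%s\n' "$actual" | grep -Fxq -- "$want" ||
      { echo "FAIL $file: expected $want"; rc=1; }
  done
  return "$rc"
}

# Constructed sample callers (hypothetical file names), written into DIR.
write_samples() {
  cat > "$1/good.yml" <<'EOF'
    secrets:
      anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }}
EOF
  cat > "$1/miswired.yml" <<'EOF'
    secrets:
      anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
      api-base-url: ${{ secrets.API_BASE_URL }}
EOF
  printf '    secrets: inherit\n' > "$1/inherit.yml"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for f in good miswired inherit; do
  check_wiring "$demo_dir/$f.yml" anthropic-api-key=ANTHROPIC_API_KEY \
    api-base-url=ANTHROPIC_BASE_URL && echo "OK $f.yml"
done
rm -rf "$demo_dir"
```

Only `good.yml` passes; `miswired.yml` fails on the old `API_BASE_URL` name and `inherit.yml` fails on `secrets: inherit`.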
