fix(ci): resolve ci-self-test file issue and live eval failures #39

Closed

YiWang24 wants to merge 0 commits into main from fix/reusable-workflow-paths

Conversation

YiWang24 (Collaborator) commented May 4, 2026
Summary

  • ci-self-test.yml: GitHub only allows local uses: ./ refs for top-level .github/workflows/ files, not subdirectories. Replaced uses: ./.github/workflows/reusable/self-test.yml with the external SHA ref — same behavior, actually parseable by GitHub.
  • test.yml: Agentic › Live Claude Eval was hitting api.anthropic.com with the GLM key and getting 401. Added ANTHROPIC_BASE_URL to both live eval env blocks so the GLM proxy is used. Also fall back to vars.AI_MODEL for the eval model name.
  • on-main-bump-sha.yml: SHA bump was failing with "refusing to allow a GitHub App to create or update workflow files without workflows permission". GITHUB_TOKEN cannot push workflow file changes; switched checkout to use MY_GITHUB_TOKEN (PAT with workflow scope, sourced from Doppler infra project).

Test plan

  • ci-self-test workflow now runs successfully on push/PR (instead of "workflow file issue" at 0s)
  • Agentic › Live Claude Eval passes on push to main using GLM 5.1 via ANTHROPIC_BASE_URL
  • on-main-bump-sha SHA bump workflow can push workflow file changes
  • All 622 BATS tests pass (updated self-test-routing.bats test for the new external ref pattern)


Summary by CodeRabbit

  • Tests
    • Updated assertions and test scripts to match CI workflow wiring and runner label changes; fixed shell-test script issues to avoid runtime errors.
  • Chores
    • Updated CI workflows to use newer pinned reusable workflow revisions.
    • Added explicit checkout authentication and improved test environment variable fallback.
    • Tightened local agent permission/command allowances and adjusted runner label configuration.
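The two workflow-reference failure modes in this PR (a local `uses:` ref under a subdirectory of `.github/workflows/`, and external refs that should stay pinned to a full commit SHA) can be caught before pushing. The following lint is an added example, not the OpenCI project's own tooling; the sample YAML and the `owner/repo` names are constructed.

```python
import re
from typing import List, Tuple

# Added example (not from the OpenCI repository): a small lint for `uses:` references in
# GitHub Actions workflow files, covering the two failure modes discussed in this PR.
# Rule 1: a local reusable-workflow ref ("./.github/workflows/...") must name a file directly
#         under .github/workflows/; GitHub refuses subdirectories such as .../reusable/.
# Rule 2: an external ref (owner/repo/path@ref) should be pinned to a full 40-hex commit SHA,
#         not a branch or tag, so the resolved revision cannot change underneath the caller.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\"'\s#]+)")
LOCAL_WF_RE = re.compile(r"^\./\.github/workflows/[^/]+\.ya?ml$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_uses_ref(ref: str) -> str:
    """Return '' if the reference is acceptable, otherwise a short finding."""
    if ref.startswith("./"):
        if ref.startswith("./.github/workflows/") and not LOCAL_WF_RE.match(ref):
            return "local reusable workflow must live directly in .github/workflows/"
        return ""  # local action directory or top-level local workflow: fine
    if "@" not in ref:
        return "external reference has no @ref"
    _, _, pin = ref.rpartition("@")
    if not SHA_RE.match(pin):
        return f"external reference pinned to {pin!r}, not a full commit SHA"
    return ""

def lint_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Scan workflow YAML line by line; return (line_no, ref, finding) for each problem."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            problem = check_uses_ref(m.group(1))
            if problem:
                findings.append((no, m.group(1), problem))
    return findings

# Constructed sample (not the repository's real file): the subdirectory ref the PR description
# reports as unparseable, a branch-pinned ref, and a correctly SHA-pinned ref.
SAMPLE = """\
jobs:
  self-test:
    uses: ./.github/workflows/reusable/self-test.yml
  lint:
    uses: owner/repo/.github/workflows/lint.yml@main
  ok:
    uses: owner/repo/.github/workflows/self-test.yml@6fa715e8002e19bf22f938dd1814967b78190946
"""
```

Run `lint_workflow(SAMPLE)` to get findings for the first two `uses:` lines only; actionlint does not report the subdirectory case, which is why the page saw it only as a "workflow file issue" at run time.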


coderabbitai Bot commented May 4, 2026

📝 Walkthrough

Update many GitHub Actions reusable-workflow pins to a new commit SHA, adjust one checkout step to pass an explicit token, add Anthropic env/model fallback in live eval steps, modify runner/label expectations and test assertions, tighten .claude allowed commands, and fix small test script shell issues.

Changes

Reusable workflow pins, resolve-openci, and manifest

  • Data / Manifest (manifest.yml): Updated YiAgent/OpenCI deps entry to new commit SHA (...6fa715e8002e...).
  • Reusable action pin (.github/workflows/reusable/ci.yml): Replaced actions/_common/resolve-openci action refs with the new pinned commit across multiple jobs/stages.
  • Workflow wiring, bulk (.github/workflows/*.yml: ci.yml, agent.yml, docs.yml, deploy.yml, dependencies.yml, observability.yml, pull-request.yml, issue-ops.yml, on-maintenance.yml, release.yml, ci-self-test.yml, etc.): Many jobs' uses: references updated to point at YiAgent/OpenCI/...@6fa715e8002e19bf22f938dd1814967b78190946 replacing older pinned SHAs; inputs/secrets/runner wiring unchanged.
  • Tests / Routing expectations (tests/actions/self-test-routing.bats): Updated test to expect fully-qualified SHA-pinned uses: reference for the self-test reusable workflow.

Local CI config, runner labels, tests, and scripts

  • Runner labels (.github/actionlint.yaml): Removed blacksmith-2vcpu-ubuntu-2404 from self-hosted-runner.labels (leaving blacksmith-32vcpu-ubuntu-2404).
  • Test assertions (tests/actions/on-issue-routing.bats, tests/actions/on-pr-routing.bats): Adjusted assertions to expect blacksmith-2vcpu-ubuntu-2404 runner in workflows (test patterns updated).
  • Checkout auth (.github/workflows/on-main-bump-sha.yml): actions/checkout with: now includes token: ${{ secrets.MY_GITHUB_TOKEN }} alongside existing settings.
  • Live eval env/model fallback (.github/workflows/test.yml): Agentic-live eval steps add ANTHROPIC_BASE_URL to env and change EVAL_MODEL fallback to `inputs.eval-model
  • Claude permissions (.claude/settings.local.json): Replaced a set of broadly allowed shell commands with a narrower, workflow/manifest-focused allowlist (specific grep/sed/gh/bump-self-sha commands and targeted actionlint checks).
  • Shell/test script fixes (tests/e2e/live-e2e-verify.sh, tests/e2e/run-live-tests.sh): Removed unused variable initialization and invalid top-level local declarations; added a shellcheck disable comment and removed skip_reason extraction from validate_issue_plan.

Sequence Diagram(s)

(Skipped — changes are configuration, pinning, tests, and small scripting fixes without a new multi-component runtime control flow that requires visualization.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through SHAs with a careful paw,
Pinned each workflow to a steadier law.
Token in checkout, Claude’s URL set,
Tests tidied up — no runtime fret.
🥕 Pipelines hum; the rabbit grins in awe.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: fixing CI workflow issues (ci-self-test file reference and live eval failures with authentication).
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci-self-test.yml:
- Line 45: The reusable workflow reference in the `uses` step points to a
subdirectory path which GitHub Actions disallows; move the reusable workflow
file into the top-level workflows directory and update the `uses:
YiAgent/OpenCI/.github/workflows/reusable/self-test.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1`
entry to reference the new top-level file name (e.g., `uses:
YiAgent/OpenCI/.github/workflows/self-test.yml@...`) so the workflow is
loadable; keep the same commit/sha portion and ensure the moved file name
matches the `uses` entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d59ea458-652a-40b1-82d3-936da213cc32

📥 Commits

Reviewing files that changed from the base of the PR and between 6fa715e and 32995c0.

📒 Files selected for processing (4)
  • .github/workflows/ci-self-test.yml
  • .github/workflows/on-main-bump-sha.yml
  • .github/workflows/test.yml
  • tests/actions/self-test-routing.bats

Comment thread on .github/workflows/ci-self-test.yml (outdated)

YiWang24 force-pushed the fix/reusable-workflow-paths branch from 32995c0 to 7d191a7 on May 4, 2026 04:43

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/settings.local.json:
- Around line 74-85: The wildcard entry "Bash(bash *)" in the list loosens the
policy and nullifies the previous tight allowlist (e.g., "Bash(bash
/Users/.../bump-self-sha.sh --dry-run)" and "Bash(bash
.github/scripts/verify-sha-consistency.sh)"); remove the wildcard or replace it
with explicit allowed invocations (exact commands or a precise path pattern) so
only the intended scripts (bump-self-sha.sh, verify-sha-consistency.sh, etc.)
are permitted and arbitrary repo scripts or inline shells cannot be run.
- Line 86: The entry "Bash(gh secret *)" grants too-broad GitHub CLI
permissions; change this to "Bash(gh secret list)" so only read/list access is
allowed. Locate the settings entry containing the string "Bash(gh secret *)" and
replace it with "Bash(gh secret list)" to restrict the scope to listing secrets
only.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6364a42f-1ac9-4ae0-b773-a9ea1be45f02

📥 Commits

Reviewing files that changed from the base of the PR and between 32995c0 and 7d191a7.

📒 Files selected for processing (22)
  • .claude/settings.local.json
  • .github/actionlint.yaml
  • .github/workflows/agent.yml
  • .github/workflows/ci-self-test.yml
  • .github/workflows/ci.yml
  • .github/workflows/dependencies.yml
  • .github/workflows/deploy.yml
  • .github/workflows/docs.yml
  • .github/workflows/issue-ops.yml
  • .github/workflows/observability.yml
  • .github/workflows/on-main-bump-sha.yml
  • .github/workflows/on-maintenance.yml
  • .github/workflows/pull-request.yml
  • .github/workflows/release.yml
  • .github/workflows/reusable/ci.yml
  • .github/workflows/test.yml
  • manifest.yml
  • tests/actions/on-issue-routing.bats
  • tests/actions/on-pr-routing.bats
  • tests/actions/self-test-routing.bats
  • tests/e2e/live-e2e-verify.sh
  • tests/e2e/run-live-tests.sh
💤 Files with no reviewable changes (1)
  • tests/e2e/run-live-tests.sh
✅ Files skipped from review due to trivial changes (7)
  • .github/workflows/pull-request.yml
  • .github/workflows/docs.yml
  • .github/workflows/ci-self-test.yml
  • .github/workflows/ci.yml
  • .github/workflows/on-main-bump-sha.yml
  • .github/workflows/dependencies.yml
  • tests/e2e/live-e2e-verify.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/test.yml

Comment thread on .claude/settings.local.json (outdated)

Comment on lines +74 to +85
"Bash(chmod +x /Users/wy/projects/yiagent/OpenCI/scripts/bump-self-sha.sh)",
"Bash(bash /Users/wy/projects/yiagent/OpenCI/scripts/bump-self-sha.sh --dry-run)",
"Bash(sed -i s/ebe8fca3260dce68d34d51b74703169e776bc72d/__TRACKED_VAR__/ manifest.yml)",
"Bash(bash .github/scripts/verify-sha-consistency.sh)",
"Bash(grep -n \"^jobs:\\\\|^ [a-z].*:\\\\s*$\\\\|needs:\" /Users/wy/projects/yiagent/OpenCI/.github/workflows/reusable/pr.yml)",
"Bash(grep -n \"^ [a-z].*:\\\\s*$\\\\|needs:\\\\|gate\\\\|summary\" /Users/wy/projects/yiagent/OpenCI/.github/workflows/reusable/pr.yml)",
"Bash(command -v actionlint)",
"Bash(echo \"exit: $?\")",
"Bash(sed -n '25,45p' .github/workflows/docs.yml)",
"Bash(sed -n '35,65p' .github/workflows/deploy.yml)",
"Bash(sed -n '115,130p' .github/workflows/on-maintenance.yml)",
"Bash(bash *)",
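Review bot: four of the entries in this block (the `chmod +x`, the `bump-self-sha.sh --dry-run` and both `grep -n` lines) hard-code absolute `/Users/wy/projects/yiagent/OpenCI/...` paths, so they only ever match on one developer's machine while the file itself is committed to the repository; use repo-relative paths the way the `"Bash(bash .github/scripts/verify-sha-consistency.sh)"` entry already does, or keep `.claude/settings.local.json` out of version control. The `"Bash(sed -i s/ebe8fca3260dce68d34d51b74703169e776bc72d/__TRACKED_VAR__/ manifest.yml)"` entry also bakes one specific old SHA into a standing permission, which stops matching after the next bump.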


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Bash(bash *) undoes the tightening in this block.

The explicit bump-self-sha.sh --dry-run and verify-sha-consistency.sh entries above become moot once arbitrary bash invocations are allowed again, because this wildcard can run any repo script or inline shell.

Suggested change
-      "Bash(bash *)",

Comment thread on .claude/settings.local.json (outdated)
"Bash(sed -n '35,65p' .github/workflows/deploy.yml)",
"Bash(sed -n '115,130p' .github/workflows/on-maintenance.yml)",
"Bash(bash *)",
"Bash(gh secret *)",
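Review bot: narrowing `"Bash(gh secret *)"` to `"Bash(gh secret list)"` only takes effect if `"Bash(bash *)"` two lines above is removed in the same change, because an allowed unrestricted `bash` invocation can carry any `gh` command; treat the two entries as one fix and verify afterwards that no remaining entry ends in a bare `*`.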


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed (against repository YiAgent/OpenCI):

#!/bin/bash
# Verify which `gh secret` subcommands are available before narrowing this entry.
gh secret --help
gh secret list --help
gh secret set --help
gh secret delete --help


Scope gh secret down to list only.

gh secret * permits both set and delete operations, which exceed the read-only scope needed for workflow/SHA inspection. Use gh secret list instead.

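Both findings above (the `Bash(bash *)` wildcard that swallows the explicit script entries, and the over-broad `Bash(gh secret *)`) come down to one question: which allowlist entries end in a wildcard, and which explicit entries do they make redundant? The audit below is an added example, not the project's or Claude Code's own tooling; it assumes the settings file has the shape `{"permissions": {"allow": ["Bash(...)", ...]}}` and models a trailing `*` as a glob. The sample settings are constructed from the reviewed block.

```python
import fnmatch
import json
from typing import Dict, List

# Added example (not part of the OpenCI repository): audit the "permissions.allow" list of a
# .claude settings file for wildcard entries that re-open what the rest of the list closes.
# Assumptions: entries look like "Bash(<pattern>)" and a trailing "*" is a glob wildcard.

def bash_pattern(entry: str) -> str:
    """Extract the shell pattern from 'Bash(<pattern>)'; return '' for non-Bash entries."""
    if entry.startswith("Bash(") and entry.endswith(")"):
        return entry[len("Bash("):-1]
    return ""

def audit_allowlist(entries: List[str]) -> Dict[str, List[str]]:
    """Map each wildcard pattern to the explicit patterns it already covers.

    A wildcard with an empty list is still over-broad (it permits commands nobody listed);
    a wildcard with a non-empty list additionally makes those explicit entries moot.
    """
    patterns = [p for p in (bash_pattern(e) for e in entries) if p]
    report: Dict[str, List[str]] = {}
    for wc in (p for p in patterns if p.endswith("*")):
        report[wc] = [p for p in patterns if p != wc and fnmatch.fnmatchcase(p, wc)]
    return report

def audit_settings_json(text: str) -> Dict[str, List[str]]:
    """Load a settings JSON document and audit its permissions.allow list."""
    allow = json.loads(text).get("permissions", {}).get("allow", [])
    return audit_allowlist(allow)

# Constructed sample mirroring the reviewed block: explicit script invocations plus the two
# wildcard entries the review objected to.
SAMPLE_SETTINGS = json.dumps({"permissions": {"allow": [
    "Bash(bash /Users/wy/projects/yiagent/OpenCI/scripts/bump-self-sha.sh --dry-run)",
    "Bash(bash .github/scripts/verify-sha-consistency.sh)",
    "Bash(command -v actionlint)",
    "Bash(bash *)",
    "Bash(gh secret *)",
]}})
```

On the sample, `audit_settings_json(SAMPLE_SETTINGS)` reports `bash *` as covering both explicit `bash ...` script entries and `gh secret *` as an over-broad wildcard with no explicit entry behind it.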

YiWang24 closed this on May 4, 2026

YiWang24 force-pushed the fix/reusable-workflow-paths branch from 7d191a7 to bd3b300 on May 4, 2026 06:54
sonarqubecloud Bot commented May 4, 2026

YiWang24 deleted the fix/reusable-workflow-paths branch on May 4, 2026 07:02