Skip to content

ci: opt into org leaderboard metrics collection#213

Merged
UNC1739 merged 1 commit into
mainfrom
chore/leaderboard-metrics
Jul 6, 2026
Merged

ci: opt into org leaderboard metrics collection#213
UNC1739 merged 1 commit into
mainfrom
chore/leaderboard-metrics

Conversation

@nsportsman

Copy link
Copy Markdown
Contributor

Opts this repo into the org-wide engineering leaderboard by calling the reusable workflow in praetorian-inc/.github. On every merged PR, per-author line stats are collected and sent to the Guard leaderboard ingestion queue (feeds the Code and Assists columns).

  • The required leaderboard GitHub environment has already been created on this repo (no protection rules).
  • The three org-level variables the workflow needs (ENGINEER_EMAIL_MAP, LEADERBOARD_METRICS_ROLE_ARN, LEADERBOARD_METRICS_QUEUE_URL) are visible to all org repos.
  • No AWS changes needed: the OIDC trust policy keys on the reusable workflow ref, not the calling repo.

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 30 minutes

Your organization has reached its usage spending cap. Adjust your spending cap in the billing tab.

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 38dbe7bb-9ac7-4f2f-a01d-675a26e51b85

📥 Commits

Reviewing files that changed from the base of the PR and between 1e54a6e and 9ac30b7.

📒 Files selected for processing (1)
  • .github/workflows/leaderboard-metrics.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/leaderboard-metrics

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codex Review

Critical Issues

None.

Security

  • .github/workflows/leaderboard-metrics.yml:10 and .github/workflows/leaderboard-metrics.yml:14: this grants id-token: write to a pull_request_target workflow while delegating execution to praetorian-inc/.github/...@main. Because @main is mutable, future changes in that external reusable workflow immediately receive OIDC token minting ability in this repo’s privileged PR-target context. Pin the reusable workflow to an immutable commit SHA, ideally with the same version-comment pattern used elsewhere in .github/workflows.

Suggestions

No suggestions.


Reviewed by Codex (gpt-5.5)

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gemini Review

Critical Issues

None.

Security

No security concerns flagged.

Suggestions

  • Pin Reusable Workflow by SHA: Consider pinning the reusable workflow (praetorian-inc/.github/.github/workflows/leaderboard-metrics.yml@main) to a specific commit SHA (along with a version comment). The rest of the repository adheres to this practice for workflows under praetorian-inc/public-workflows (as enforced by verify-pins.yml) to ensure consistent supply-chain security and immutability.

Reviewed by Gemini (gemini-3.1-pro-preview)

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Review

Critical issues

  • The trigger is pull_request_target: types: [closed], which fires for every closed PR — including PRs closed without merging. The description says "on every merged PR," so unless the reusable workflow (praetorian-inc/.github@main) internally gates on github.event.pull_request.merged == true, this collects/sends metrics for abandoned PRs too. Please confirm the reusable workflow filters on merged, or add if: github.event.pull_request.merged == true at the job level here.

Security

  • The reusable workflow is referenced by the mutable ref @main while this caller grants id-token: write. If that ref is moved or the .github repo is compromised, an attacker inherits OIDC token minting against LEADERBOARD_METRICS_ROLE_ARN. Prefer pinning to a commit SHA for anything holding id-token: write.
  • pull_request_target runs in the trusted base-repo context with secret/OIDC access. Confirm the reusable workflow does NOT check out and execute untrusted PR head code (build scripts, install hooks, etc.) — line-stat collection should operate on metadata/diffs only. This is the primary pull_request_target foot-gun and cannot be verified from this repo.

Test coverage

N/A — CI workflow YAML only, no production *.go/*.ts/*.py changes.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9ac30b7c86

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

id-token: write

jobs:
metrics:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Guard metrics collection to merged PRs

When a PR is closed without being merged, this pull_request_target.closed trigger still invokes the reusable metrics workflow because the caller job has no if: github.event.pull_request.merged == true guard. For abandoned PRs or externally submitted PRs that are simply closed, any ingestion done by the reusable workflow will count unmerged line churn and grant the OIDC-enabled job unnecessarily, which corrupts the leaderboard the commit says should be fed only by merged PRs.

Useful? React with 👍 / 👎.

@UNC1739 UNC1739 merged commit 819f7b9 into main Jul 6, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants