Skip to content

chore: re-point leaderboard-metrics to public-workflows#218

Merged
nsportsman merged 1 commit into
mainfrom
chore/leaderboard-repoint
Jul 7, 2026
Merged

chore: re-point leaderboard-metrics to public-workflows#218
nsportsman merged 1 commit into
mainfrom
chore/leaderboard-repoint

Conversation

@nsportsman

Copy link
Copy Markdown
Contributor

Re-points the leaderboard-metrics caller from praetorian-inc/.github (internal) to praetorian-inc/public-workflows (public).

GitHub forbids a public repo from calling a reusable workflow in an internal repo, so on public repos the current caller fails at startup (workflow was not found) and every merged PR permanently loses its leaderboard metric. Internal repos are re-pointed too so the org has one canonical host. No IAM change needed: the deployed trust matches repo:praetorian-inc/*:* for both hosts.

Ref: ENG-4165

🤖 Generated with Claude Code

praetorian-inc/.github is internal; GitHub forbids public repos from
calling internal reusable workflows (startup failure: 'workflow was not
found'). public-workflows is public and serves all caller visibilities.
Ref: ENG-4165.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 56 minutes

Your organization has reached its usage spending cap. Adjust your spending cap in the billing tab.

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0092928b-e87e-48b3-9459-fbd67607f221

📥 Commits

Reviewing files that changed from the base of the PR and between 5d33e00 and f26cf09.

📒 Files selected for processing (1)
  • .github/workflows/leaderboard-metrics.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/leaderboard-repoint

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gemini Review

Critical Issues

None.

Security

No security concerns flagged.

Suggestions

No suggestions.


Reviewed by Gemini (gemini-3.1-pro-preview)

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codex Review

Critical Issues

None.

Security

  • .github/workflows/leaderboard-metrics.yml:14 now calls praetorian-inc/public-workflows at mutable ref @main. This is inconsistent with the repo’s other public-workflows calls, which are pinned to commit SHAs, and it leaves a pull_request_target workflow with id-token: write dependent on whatever main points to at runtime.

Suggestions

  • Pin leaderboard-metrics.yml to a reviewed commit SHA, with the matching version comment pattern used by the other workflows.

Reviewed by Codex (gpt-5.5)

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Review

Critical issues

None. Single-line re-point of the reusable-workflow reference; matches the stated rationale (a public repo cannot call a reusable workflow that lives in an internal repo). One thing to confirm before merge: that praetorian-inc/public-workflows/.github/workflows/leaderboard-metrics.yml@main actually exists and exposes the same capability_map input, otherwise the job still fails with "workflow was not found" at startup.

Security

  • Runs on pull_request_target with id-token: write, so it executes with elevated permissions in the base-repo context; sourcing it from a public repo widens who can propose changes to that upstream workflow vs. the internal one (acceptable since both are org-owned, but worth noting).
  • The reference is pinned to a mutable @main branch rather than a commit SHA (pre-existing pattern, not introduced here); for a privileged pull_request_target caller, pinning to a SHA avoids an upstream main change silently altering behavior.

Test coverage

N/A - CI workflow config change, no production .go/.ts/*.py code affected.

@nsportsman nsportsman merged commit f461a61 into main Jul 7, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant