chore: re-point leaderboard-metrics to public-workflows#218
Conversation
praetorian-inc/.github is internal; GitHub forbids public repos from calling internal reusable workflows (startup failure: 'workflow was not found'). public-workflows is public and serves all caller visibilities. Ref: ENG-4165. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 56 minutes Your organization has reached its usage spending cap. Adjust your spending cap in the billing tab. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Codex Review
Critical Issues
None.
Security
.github/workflows/leaderboard-metrics.yml:14now callspraetorian-inc/public-workflowsat mutable ref@main. This is inconsistent with the repo’s otherpublic-workflowscalls, which are pinned to commit SHAs, and it leaves apull_request_targetworkflow withid-token: writedependent on whatevermainpoints to at runtime.
Suggestions
- Pin
leaderboard-metrics.ymlto a reviewed commit SHA, with the matching version comment pattern used by the other workflows.
Reviewed by Codex (gpt-5.5)
There was a problem hiding this comment.
Claude Review
Critical issues
None. Single-line re-point of the reusable-workflow reference; matches the stated rationale (a public repo cannot call a reusable workflow that lives in an internal repo). One thing to confirm before merge: that praetorian-inc/public-workflows/.github/workflows/leaderboard-metrics.yml@main actually exists and exposes the same capability_map input, otherwise the job still fails with "workflow was not found" at startup.
Security
- Runs on pull_request_target with id-token: write, so it executes with elevated permissions in the base-repo context; sourcing it from a public repo widens who can propose changes to that upstream workflow vs. the internal one (acceptable since both are org-owned, but worth noting).
- The reference is pinned to a mutable @main branch rather than a commit SHA (pre-existing pattern, not introduced here); for a privileged pull_request_target caller, pinning to a SHA avoids an upstream main change silently altering behavior.
Test coverage
N/A - CI workflow config change, no production .go/.ts/*.py code affected.
Re-points the leaderboard-metrics caller from
praetorian-inc/.github(internal) topraetorian-inc/public-workflows(public).GitHub forbids a public repo from calling a reusable workflow in an internal repo, so on public repos the current caller fails at startup (
workflow was not found) and every merged PR permanently loses its leaderboard metric. Internal repos are re-pointed too so the org has one canonical host. No IAM change needed: the deployed trust matchesrepo:praetorian-inc/*:*for both hosts.Ref: ENG-4165
🤖 Generated with Claude Code