chore: adopt quality-zero-platform wrappers#19
Conversation
Co-authored-by: Codex <noreply@openai.com>
|
Unable to trigger custom agent "Code Reviewer". You have run out of credits 😔 |
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (25)
✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main | ||
| with: | ||
| repo_slug: ${{ github.repository }} | ||
| tool: ${{ inputs.tool || 'coverage' }} | ||
| secrets: inherit |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
- In general, the fix is to explicitly set
permissionsfor the workflow/job so thatGITHUB_TOKENhas only the minimum scopes needed. Since this job primarily appears to orchestrate a reusable workflow and passes only inputs/secrets, a safe starting point iscontents: read. - The best minimal-impact fix is to add a
permissionsblock at the workflow (top) level so it applies to all jobs that don’t override it. Based on the snippet, there’s only one job, so this will cover it. Usepermissions: contents: readas a conservative default; if the reusable workflow later needs additional permissions, they can be added explicitly there or here. - Concretely, in
.github/workflows/quality-zero-backlog.yml, insert apermissions:section after theon:block (after line 12) and beforejobs:(line 13). This keeps the YAML structure clear and standard. - No imports or external methods are needed; just the YAML
permissionsmapping added at the root level.
| @@ -10,6 +10,9 @@ | ||
| required: true | ||
| default: coverage | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| backlog-sweep: | ||
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main |
| if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'failure' | ||
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main | ||
| with: | ||
| repo_slug: ${{ github.repository }} | ||
| failure_context: ${{ inputs.failure_context || 'Quality Zero Gate' }} | ||
| sha: ${{ github.event.workflow_run.head_sha || github.sha }} | ||
| secrets: inherit |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
To fix the problem, explicitly set permissions for the workflow so the GITHUB_TOKEN is limited to the minimal scope needed. Since this workflow only orchestrates a reusable workflow and doesn’t perform any writes itself, we can safely default to read-only repository access (contents: read) at the workflow root, which applies to all jobs that don’t override it.
The best fix without changing existing functionality is to add a permissions block at the top level of .github/workflows/quality-zero-remediation.yml, alongside name and on. This will ensure that the remediate job, and any other jobs added later (unless they override permissions), will use a read-only token by default. Concretely, insert:
permissions:
contents: readbetween the name: and on: keys. No additional imports, methods, or other definitions are needed; this is purely a YAML configuration change within the shown file.
| @@ -1,5 +1,8 @@ | ||
| name: Quality Zero Remediation | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ["Quality Zero Gate"] |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fe8a39e195
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| name: quality-zero-gate | ||
| path: quality-zero-gate | ||
| aggregate-gate: | ||
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@main |
There was a problem hiding this comment.
Pin reusable workflow refs to immutable commits
Using @main for an external reusable workflow makes the quality gate non-deterministic, because upstream branch updates can change or break this repository’s CI behavior without any local code change; it also increases supply-chain risk since this job inherits secrets. The same mutable-ref pattern is used across the new wrapper workflows, so each uses: should be pinned to a commit SHA and only bumped intentionally.
Useful? React with 👍 / 👎.
Co-authored-by: Codex <noreply@openai.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5716427ccf
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - run: npm run visual:chromatic:archive | ||
| - run: npx --yes chromatic --playwright --project-token=${{ secrets.CHROMATIC_PROJECT_TOKEN }} | ||
| env: | ||
| CHROMATIC_ARCHIVE_LOCATION: frontend/webcoder_ui/test-results |
There was a problem hiding this comment.
Use archive path relative to the configured working directory
This job sets defaults.run.working-directory to frontend/webcoder_ui (line 19), but then passes CHROMATIC_ARCHIVE_LOCATION: frontend/webcoder_ui/test-results to the Chromatic CLI. Because the final run step also executes from frontend/webcoder_ui, that env var points to a nested path (frontend/webcoder_ui/frontend/webcoder_ui/test-results) instead of the archive generated by npm run visual:chromatic:archive, so the upload step can fail even when Playwright archiving succeeded.
Useful? React with 👍 / 👎.
Point the quality-zero platform, gate, and Codecov analytics workflows at the controller-managed parity baseline so protected-branch pushes evaluate the same scanner stack as pull requests. Co-authored-by: Codex <noreply@openai.com>
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cd56d949f9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| jobs: | ||
| backlog-sweep: | ||
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main |
There was a problem hiding this comment.
Pin backlog reusable workflow ref to an immutable SHA
Using reusable-backlog-sweep.yml@main makes the scheduled backlog run non-deterministic: upstream changes on main can alter or break this repository’s behavior without any local commit, and this job currently inherits secrets. Pinning this uses: reference to a commit SHA (as already done in other wrapper workflows in this commit) keeps executions reproducible and reduces supply-chain risk.
Useful? React with 👍 / 👎.
| jobs: | ||
| remediate: | ||
| if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'failure' | ||
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main |
There was a problem hiding this comment.
Pin remediation reusable workflow ref to an immutable SHA
The remediation job calls reusable-remediation-loop.yml@main, so behavior can change whenever the upstream branch moves, even if this repository is unchanged; because the job also uses secrets: inherit, this is a risky mutable dependency for an automated failure-handling path. Pinning to a specific commit SHA avoids unexpected drift and aligns with the pinned wrapper usage elsewhere.
Useful? React with 👍 / 👎.
| pull_request: | ||
| branches: [main, master] |
There was a problem hiding this comment.
Guard secret-backed visual jobs on pull_request events
This workflow runs on pull_request but depends on APPLITOOLS_API_KEY; for forked PRs GitHub does not provide repository secrets, so the visual step fails regardless of code correctness. The same pattern exists in the Chromatic workflow with CHROMATIC_PROJECT_TOKEN, which can block external contributions if these checks are required. Add an if guard for secret availability or restrict secret-backed runs to trusted events.
Useful? React with 👍 / 👎.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
|
Superseded: the Quality Zero Platform (QZP) machinery has been retired in favor of the lean 'quality' gate (#91). Closing the QZP-wrapper adoption PR. |




Summary
quality-zero-platformwrapper workflowsAGENTS.mdto point contributors at the canonical local verify commandNotes