fix(ci): correct compounding indentation in reusable-ci-pipeline.yml #4

chitcommit wants to merge 5 commits into
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:

In @.github/workflows/reusable-ci-pipeline.yml:

- Around line 123-128: The workflow uses secrets in step-level if conditions (the "Snyk scan" step with if: secrets.SNYK_TOKEN != '') which actionlint disallows; move SNYK_TOKEN into the parent job's env block (e.g., add SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} under the job-level env) and update the step's if to reference env.SNYK_TOKEN (e.g., if: env.SNYK_TOKEN != '') so the "Snyk scan" step (uses: snyk/actions/node@master) conditions on env.* instead of secrets.*.
📒 Files selected for processing (1): .github/workflows/reusable-ci-pipeline.yml

```yaml
      - name: Snyk scan
        if: secrets.SNYK_TOKEN != ''
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```
🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
workflow="$(fd -a '^reusable-ci-pipeline\.yml$' .github/workflows | head -n 1)"
echo "Checking for direct secrets context in if conditionals..."
rg -n '^\s*if:\s*(\$\{\{\s*)?secrets\.' "$workflow"
echo "If actionlint is installed, run the full workflow validation:"
if command -v actionlint >/dev/null 2>&1; then
  actionlint "$workflow"
fi
```

Repository: chittyfoundation/.github
Move secrets to job-level env and condition on env.* instead.
actionlint validation fails because secrets context is not allowed in if: conditionals at lines 124 and 140. Move these secrets to job-level env and reference env.* in the conditions.
Proposed fix
security:
name: Security Scan
needs: detect
if: inputs.run-security
runs-on: ubuntu-latest
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
steps:
- uses: actions/checkout@v4
- name: npm audit
if: needs.detect.outputs.language == 'node'
working-directory: ${{ inputs.working-directory }}
run: npm audit --audit-level=moderate || true
- name: Snyk scan
- if: secrets.SNYK_TOKEN != ''
+ if: env.SNYK_TOKEN != ''
uses: snyk/actions/node@master
continue-on-error: true
env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ SNYK_TOKEN: ${{ env.SNYK_TOKEN }}
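Review bot: the rewritten step env `SNYK_TOKEN: ${{ env.SNYK_TOKEN }}` re-assigns a variable the step already inherits from the new job-level `env:`, so the step's `env:` block can simply be deleted. The trade-off worth stating in the PR is that the token now sits in the environment of every step in `security`, including `actions/checkout@v4` and `npm audit`, not only the Snyk step; keep that job limited to the steps that need it. Separately, `snyk/actions/node@master` follows a moving branch; pinning it to a full commit SHA makes the scan step reproducible and resistant to upstream tampering.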
ai-review:
name: AI Review
if: inputs.run-ai-review && github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
+ env:
+ ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
steps:
- uses: actions/checkout@v4
- name: Claude Review
- if: secrets.ANTHROPIC_API_KEY != ''
+ if: env.ANTHROPIC_API_KEY != ''
uses: anthropics/claude-code-action@beta
with:
- anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+ anthropic_api_key: ${{ env.ANTHROPIC_API_KEY }}
model: "claude-sonnet-4-20250514"
timeout_minutes: 10
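Review bot: the same two points apply here: `actions/checkout@v4` and any later step in `ai-review` now see `ANTHROPIC_API_KEY` through the job env, in a job that also holds `pull-requests: write`, and `anthropics/claude-code-action@beta` is a moving tag that should be pinned to a commit SHA. Passing the key via `with: anthropic_api_key:` was already sufficient for the action itself; the job-level env is needed only so the step `if:` can test it.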
🪛 actionlint (1.7.12)
[error] 124-124: context "secrets" is not allowed here. available contexts are "env", "github", "inputs", "job", "matrix", "needs", "runner", "steps", "strategy", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details
(expression)
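As an added check (example code, not part of this PR or the repository): a small line-oriented linter that mirrors the actionlint rule above and extends it to the job-level case, where `jobs.<id>.if` cannot read `env` either, so the env-based workaround only applies to steps; it also flags action refs that are not pinned to a full commit SHA, such as `snyk/actions/node@master` and `anthropics/claude-code-action@beta` from the proposed fix. The workflow text is a constructed excerpt, not the repository's file, and the 2-space indentation the PR restores is assumed.

```python
import re

# Constructed workflow excerpt modelled on the reusable pipeline discussed
# above (not the repository's file): one step-level gate on a secret, one
# job-level gate on a secret, and action refs that float on a branch or tag.
WORKFLOW = """\
jobs:
  security:
    if: inputs.run-security
    steps:
      - uses: actions/checkout@v4
      - name: Snyk scan
        if: secrets.SNYK_TOKEN != ''
        uses: snyk/actions/node@master
  ai-review:
    if: ${{ secrets.ANTHROPIC_API_KEY != '' }}
    steps:
      - uses: anthropics/claude-code-action@beta
"""

IF_LINE = re.compile(r"^\s*(?:-\s+)?if:\s*(.*)$")
USES_LINE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^@\s]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def lint_workflow(text):
    findings = []      # (lineno, rule, detail) tuples
    job_indent = None  # indentation of the job ids directly under "jobs:"
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if line.strip() == "jobs:":
            job_indent = indent + 2
            continue
        if job_indent is None:
            continue
        m = IF_LINE.match(line)
        if m and re.search(r"\bsecrets\.", m.group(1)):
            # Assumes 2-space indentation (as the PR restores): jobs.<id>.if is two
            # spaces deeper than the job id; anything deeper is a step-level if.
            level = "job" if indent == job_indent + 2 else "step"
            fix = ("move the secret to job-level env and test env.<NAME>" if level == "step"
                   else "job-level if cannot read env either; gate a step or pass an input")
            findings.append((lineno, f"secrets-in-{level}-if", fix))
        m = USES_LINE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append((lineno, "unpinned-action", f"{m.group(1)}@{m.group(2)}"))
    return findings

if __name__ == "__main__":
    for lineno, rule, detail in lint_workflow(WORKFLOW):
        print(f"line {lineno}: {rule}: {detail}")
```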
Additional finding from chittyschema audit (2026-04-30)

Confirming this PR's diagnosis from a downstream perspective and adding two items the reviewer should know before merging:

1. The dispatch failure has been silent across the entire org for 8+ months

The malformed YAML was committed in

This is bigger than "callers are broken" — it's "no caller has ever actually run these jobs in production." Reviewers should expect new failures to surface on next PRs after merge.

2.

| Caller | Inputs passed |
|---|---|
| chittyfoundation/chittyschema | node-version, run-ai-review, run-governance |
| chittyfoundation/chittyid | node-version, run-tests, run-lint, run-ai-review, run-governance |
| chittyos/chittyentity | python-version, run-tests, run-lint, run-ai-review |
This PR fixes the YAML indentation but doesn't declare run-governance. The moment dispatch starts working, chittyschema and chittyid PRs will fail with an unknown-input error — trading one dispatch failure for another. Either declare run-governance here (as a no-op input until governance steps are wired) or remove the input from the callers in the same atomic change.
I have a draft local diff that adds run-governance as a declared no-op input — happy to push it onto this branch if helpful, or open a stacked PR after this merges.
3. Considered alternative
chittyfoundation/chittyschema recently added a standalone tests.yml (PR #32) that doesn't depend on this reusable and works fine. Deleting the reusable + having each caller use standalone workflows is genuinely simpler — but pushes governance/ai-review/security boilerplate to N callers. Centralization still has value once the file actually runs, so my vote is fix-then-merge here, not delete.
Risk callout for the reviewer
Once this merges, expect new red CI on next PRs in chittyschema, chittyid, chittyentity as long-suppressed lint / test / audit issues surface. Triage as they appear.
Doctrine: chittycanon://gov/governance#no-mocks-no-fakes — a CI job that has never dispatched is the same shape of lie as mocked test data.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:

In `@tests/test_reusable_ci_pipeline.py`:

- Around line 551-565: Tests define a local DETECT_SCRIPT string and use it instead of the workflow's actual detect step, so they can drift from jobs.detect.steps[id=detect].run; update the remaining tests that use DETECT_SCRIPT (including those around lines 568-586) to accept and pass a detect_script argument and wire that argument through to the helper that executes the detection so the tests invoke jobs.detect.steps[id=detect].run content instead of the hardcoded DETECT_SCRIPT constant; look for references to DETECT_SCRIPT and the test helper functions and replace calls to use the detect_script parameter (defaulting to the workflow step content when not provided).

- Around line 93-103: The test_all_inputs_present currently asserts inputs.keys() equals a fixed set, which breaks callers that include optional keys like "run-governance"; change the assertion to ensure the required keys are a subset of inputs (e.g., assert expected_required_keys.issubset(set(inputs.keys()))) or explicitly allow optional keys by checking equality with a superset (e.g., set(inputs.keys()).issuperset(expected_required_keys)), updating the test_all_inputs_present function to use the subset/superset check so callers that pass "run-governance" or other optional inputs do not fail.

- Around line 659-662: The test calls subprocess.run(["bash","-c", DETECT_SCRIPT], cwd=str(tmp_path), env=env) but doesn't assert it succeeded and also uses the ambiguous variable name `l` in the list comprehension; update the subprocess invocation to ensure success (e.g., pass check=True or capture the CompletedProcess and assert result.returncode == 0) and change the comprehension to use a clear variable name like `line` when building `lines = [line for line in f.read().splitlines() if line.startswith("language=")]`, leaving the subsequent assert len(lines) == 1 unchanged.
📒 Files selected for processing (1): tests/test_reusable_ci_pipeline.py

```python
    def test_all_inputs_present(self, inputs):
        expected = {
            "node-version",
            "python-version",
            "run-tests",
            "run-lint",
            "run-security",
            "run-ai-review",
            "working-directory",
        }
        assert set(inputs.keys()) == expected
```
Input-schema assertions currently lock in a known caller incompatibility.
The suite enforces exactly 7 inputs, but PR context already identifies active callers passing run-governance. This test currently blesses a contract that will fail those callers once dispatch is restored.
Suggested change
def test_all_inputs_present(self, inputs):
expected = {
"node-version",
"python-version",
"run-tests",
"run-lint",
"run-security",
"run-ai-review",
+ "run-governance",
"working-directory",
}
assert set(inputs.keys()) == expected
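Review bot: adding `run-governance` to `expected` keeps the strict equality, so the suite still locks the exact input set and will fail until the workflow actually declares `run-governance`, which the thread above notes this PR does not. Either land the workflow change in the same commit or relax this to a subset check (`assert expected <= set(inputs.keys())`), as the AI-agent prompt for this finding already recommends.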
@@
def test_inputs_count_is_seven(self, workflow):
inputs = workflow[True]["workflow_call"]["inputs"]
- assert len(inputs) == 7
+ assert len(inputs) == 8

Also applies to: 678-680
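Review bot: `test_inputs_count_is_seven` asserting `len(inputs) == 8` will read as a bug to the next maintainer; rename it, or drop it since `test_all_inputs_present` already pins the set. `workflow[True]` relies on the YAML loader reading the top-level `on` key as boolean `True` (YAML 1.1 behaviour, as in PyYAML); a one-line comment there, or normalising that key after loading, would save the next reader a debugging session.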
Problem

The YAML in reusable-ci-pipeline.yml has compounding indentation corruption — each nested level adds 6+ extra spaces, causing every caller repo to fail with:

Fix

Rewrote the file with correct 2-space indentation. No logic changed — all inputs, secrets, and job steps are identical.

Downstream impact

All repos using uses: chittyfoundation/.github/.github/workflows/reusable-ci-pipeline.yml@main are currently broken. This unblocks them immediately on merge.

🤖 Generated with Claude Code