277 changes: 277 additions & 0 deletions .coderabbit.yaml
@@ -0,0 +1,277 @@
# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
language: "en-US"
early_access: false

reviews:
profile: "chill"
request_changes_workflow: false
high_level_summary: true
high_level_summary_instructions: >
Evaluate this pull request against the legacy Expertiza Danger policy as well as normal Rails review quality.
Call out violations in pull request size, file scope, work-in-progress titles, TODO/FIXME markers,
debug statements, missing tests, schema-without-migration changes, config-file churn, vendor/factory changes,
and shallow RSpec patterns.
review_status: true
review_details: true
commit_status: true
fail_commit_status: false
collapse_walkthrough: false
changed_files_summary: true
sequence_diagrams: false
estimate_code_review_effort: true
assess_linked_issues: true
related_issues: true
related_prs: true
suggested_labels: true
suggested_reviewers: false
auto_apply_labels: false
auto_assign_reviewers: false
in_progress_fortune: false
poem: false
enable_prompt_for_ai_agents: false

labeling_instructions:
- label: "api"
instructions: "Apply when controllers, routes, request specs, serializers, or Swagger docs change."
- label: "database"
instructions: "Apply when models, migrations, schema, associations, or data integrity rules change."
- label: "workflow"
instructions: "Apply when GitHub Actions, CI, bot behavior, or automation files change."
- label: "security"
instructions: "Apply when authentication, authorization, secrets handling, or workflow permissions change."
- label: "tests"
instructions: "Apply when RSpec coverage or test helpers are added or modified."

path_filters:
- "!coverage/**"
- "!tmp/**"
- "!log/**"
- "!storage/**"
- "!public/assets/**"
- "!vendor/bundle/**"
- "!*.log"
- "!*.ibd"

path_instructions:
- path: "app/controllers/**/*.rb"
instructions: |
Review authorization, strong parameters, HTTP status codes, and response shape consistency.
Flag N+1 queries, missing request-spec coverage, and behavior changes not reflected in Swagger docs.

- path: "app/models/**/*.rb"
instructions: |
Focus on associations, validations, callbacks, transactions, STI and polymorphic behavior,
foreign keys, data integrity, and query efficiency.

- path: "app/serializers/**/*.rb"
instructions: |
Check backward compatibility of response payloads and accidental exposure of internal or sensitive fields.

- path: "app/mailers/**/*.rb"
instructions: |
Check mailer/template consistency, recipient safety, and avoid debug output or sensitive data leaks.

- path: "config/routes.rb"
instructions: |
Flag duplicate or shadowed routes, surprising non-RESTful patterns, and route changes without matching request specs.

- path: "db/migrate/**/*.rb"
instructions: |
Review for reversibility, null constraints, indexes, foreign keys, destructive data changes,
and alignment with db/schema.rb and affected model behavior.

- path: "db/schema.rb"
instructions: |
If schema changes, verify there is a corresponding migration and that indexes, constraints,
and associated tests stay aligned.

- path: "spec/models/**/*.rb"
instructions: |
Check that model specs cover validations, associations, callbacks, and important edge cases
with meaningful assertions instead of shallow examples.
Also apply the legacy Danger policy: discourage `create(` in unit tests when `build` or doubles are enough,
reject `.should`, skipped/focused specs, wildcard matcher overuse, missing expectations, matcher-less expectations,
and expectations that only prove values are not nil, empty, or zero.

- path: "spec/controllers/**/*.rb"
instructions: |
Apply the same legacy RSpec policy used in Expertiza Danger checks:
avoid `create(` when lighter test setup would work, avoid `.should`,
avoid skipped/focused specs, and flag shallow controller expectations.

- path: "spec/requests/**/*.rb"
instructions: |
Check authentication, authorization, invalid input, response payload assertions, and failure cases.
When endpoints change, expect Swagger docs to stay aligned.
Apply the legacy shallow-test rules: each new test should have a meaningful expectation,
avoid commented-out expectations, and do not rely only on page content or non-nil checks.

- path: "swagger/**/*.yml"
instructions: |
Check for drift between documented endpoints and controller or request-spec behavior.

- path: ".github/workflows/**/*.{yml,yaml}"
instructions: |
Review GitHub Actions for unsafe pull_request_target usage, overly broad permissions, secrets exposure,
skipped-job logic, artifact passing, and brittle PR-comment behavior.

- path: "Dangerfile"
instructions: |
Preserve the legacy Expertiza Danger policy. If replacing or changing a Danger rule,
verify the equivalent behavior exists in CodeRabbit, GitHub Actions, or another documented enforcement path.

- path: "Gemfile"
instructions: |
Non-maintainer Gemfile changes should be scrutinized closely. Prefer existing gems when possible
and call out dependency additions or lockfile churn without strong justification.

- path: "Gemfile.lock"
instructions: |
Flag lockfile-only churn, IDE-generated noise, or dependency graph changes that are not explained in the PR.

- path: "*.md"
instructions: |
Non-maintainer documentation changes should be questioned unless they are clearly part of the intended work.

- path: "*.yml"
instructions: |
Treat YAML changes as sensitive, especially workflow, environment, and configuration files.
Call out changes that look unrelated to the stated task.

- path: ".rspec"
instructions: |
Changing `.rspec` is sensitive. Flag it unless the PR clearly justifies altering the global test runner behavior.

- path: "config.ru"
instructions: |
Treat Rack entrypoint changes as sensitive and require a clear reason in the PR description.

- path: "setup.sh"
instructions: |
Treat setup script changes as sensitive and require a clear reason in the PR description.

- path: "vendor/**"
instructions: |
Flag vendor directory changes unless the PR clearly explains why vendored files must change.

- path: "spec/factories/**"
instructions: |
Non-maintainer changes to factories should be scrutinized. Ensure they are necessary and do not hide weak tests.

- path: "Dockerfile"
instructions: |
Review base image choices, layer ordering, cleanup, and security-sensitive package installation.

- path: "bin/*"
instructions: |
Check shell safety, idempotence, and environment assumptions for developer setup scripts.

auto_review:
enabled: true
drafts: false
auto_incremental_review: true
auto_pause_after_reviewed_commits: 3
ignore_title_keywords:
- "WIP"
- "DRAFT"
- "[WIP]"

pre_merge_checks:
override_requested_reviewers_only: false
title:
mode: "warning"
requirements: "Use a concise, imperative title that names the subsystem changed."
custom_checks:
- name: "schema-without-migration"
mode: "warning"
instructions: |
Warn if db/schema.rb changes but no file under db/migrate/ changes in the same pull request.

- name: "behavior-change-needs-tests"
mode: "warning"
instructions: |
Warn when files under app/controllers/, app/models/, config/routes.rb, or db/migrate/ change
without meaningful updates under spec/models/ or spec/requests/.

- name: "workflow-security"
mode: "warning"
instructions: |
Warn on GitHub Actions changes that use pull_request_target with PR-head checkout,
overbroad write permissions, or token and secrets exposure patterns.

- name: "config-and-setup-scrutiny"
mode: "warning"
instructions: |
Warn when config/database.yml, config/storage.yml, config/credentials.yml.enc, config.ru, setup.sh,
or workflow files change without a clear explanation in the pull request summary.

- name: "todo-temp-debug-artifacts"
mode: "warning"
instructions: |
Warn when the pull request introduces TODO or FIXME markers, debug print statements,
temp or cache artifacts, or generated local-state files such as results.txt or safe.log.

- name: "legacy-pr-scope-and-title"
mode: "warning"
instructions: |
Warn on pull requests larger than roughly 500 LoC, touching more than 30 files,
course-project PRs under roughly 50 LoC, duplicated commit messages, or WIP titles.

- name: "legacy-config-file-guardrails"
mode: "warning"
instructions: |
For non-maintainers, warn on changes to Gemfile, Gemfile.lock, .gitignore, .rspec, Dangerfile,
Rakefile, config.ru, setup.sh, YAML files, Markdown files, vendor/**, and spec/factories/** unless clearly justified.

- name: "legacy-rspec-hygiene"
mode: "warning"
instructions: |
Warn on skipped, pending, or focused specs; `.should`; unnecessary helper requires;
text fixtures under spec; and weak/shallow expectations such as wildcard matcher overuse,
no expectations, commented-out expectations, matcher-less expectations, or non-real-value assertions.

- name: "legacy-global-debug-code"
mode: "warning"
instructions: |
Warn on newly introduced global variables, class variables, or debugging statements such as puts, print,
binding.pry, debugger, or console.log.

tools:
github-checks:
enabled: true
timeout_ms: 300000
rubocop:
enabled: true
brakeman:
enabled: true
actionlint:
enabled: true
gitleaks:
enabled: true
hadolint:
enabled: true
shellcheck:
enabled: true
markdownlint:
enabled: true
yamllint:
enabled: true

chat:
auto_reply: true
allow_non_org_members: true
art: false

knowledge_base:
web_search:
enabled: false
code_guidelines:
enabled: true
filePatterns:
- "CODERABBIT_GUIDELINES.md"
learnings:
scope: "local"
issues:
scope: "local"
pull_requests:
scope: "local"
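Review bot: every custom check under `pre_merge_checks`, including `workflow-security`, is set to `mode: "warning"` and `fail_commit_status` is `false`, so nothing in this file can block a merge; if the legacy Danger policy being replaced was blocking, say so in the PR description or put at least `workflow-security` in a blocking mode. Two consistency points: `auto_review.ignore_title_keywords` skips PRs titled `WIP`, `[WIP]` or `DRAFT`, so the `legacy-pr-scope-and-title` check that warns on WIP titles will never see them, and `chat.allow_non_org_members: true` lets anyone comment-trigger the bot on a repository that otherwise treats non-maintainer changes as sensitive; confirm both are intended. Also, if the path matcher anchors `*.yml` and `*.md` to the repository root, files such as `config/database.yml` never hit those instructions; `**/*.yml` and `**/*.md` would be the safer spelling.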
2 changes: 1 addition & 1 deletion .github/workflows/CommentPR.yml
Expand Up @@ -40,5 +40,5 @@ jobs:
```
${{ steps.read_files.outputs.test_output }}
```
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

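Review bot: the removed and added `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` lines render identically here, so the one-line change is indentation only, and in YAML that decides whether the token ends up under the step's `env:` or its `with:` block (or at job level). State the intended nesting in the PR description and run actionlint on the result, since a token silently moving out of the block the action reads is exactly the kind of change the new `workflow-security` check is meant to catch.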
11 changes: 5 additions & 6 deletions .github/workflows/main.yml
Expand Up @@ -155,12 +155,11 @@ jobs:
name: code-coverage-artifacts
path: coverage/

- name: Upload code-coverage report to code-climate
run: |
export GIT_BRANCH="${GITHUB_REF/refs\/heads\//}"
gem install codeclimate-test-reporter
cc-test-reporter sum-coverage coverage/codeclimate.*.json
cc-test-reporter after-build -t simplecov -r ${{ secrets.CC_TEST_REPORTER_ID }}
- name: Upload code-coverage report to qlty
uses: qltysh/qlty-action/coverage@v2
with:
token: ${{ secrets.CC_TEST_REPORTER_ID }}
files: coverage/coverage.json

docker:
needs: test
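Review bot: `qltysh/qlty-action/coverage@v2` is pinned to a mutable tag; pin third-party actions to a full commit SHA (with the tag in a comment) so the step that receives a secret cannot change underneath you. The secret is still called `CC_TEST_REPORTER_ID` but is now passed as the qlty `token`; a Qlty coverage token is a different credential from the Code Climate reporter ID, so either rename the repository secret to something like `QLTY_COVERAGE_TOKEN` and revoke the old Code Climate value, or explain in the PR why the same secret is reused. Finally, the old step summed `coverage/codeclimate.*.json` while the new one reads `coverage/coverage.json`; confirm the test job actually writes that file, otherwise the upload fails silently after a green test run.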