chore(standards): synced file(s) with hallelx2/dev-standards#5
chore(standards): synced file(s) with hallelx2/dev-standards#5hallelx2 wants to merge 10 commits into
Conversation
|
Warning Review limit reached
Next review available in: 58 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (13)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Reviewer's GuideAdds shared AI agent standards, review rubrics, and reusable security/Jules review GitHub workflows by syncing them from hallelx2/dev-standards, enabling consistent automated reviews and security scanning across the repo. Sequence diagram for automated Jules PR security review workflowsequenceDiagram
actor Developer
participant GitHub
participant jules_review_workflow as jules-review.yml
participant Guard_step as Guard_only_run_when_a_Jules_key_is_configured
participant Jules_action as sanjay3290/jules-pr-reviewer@main
Developer->>GitHub: open/synchronize/ready_for_review PR
GitHub->>jules_review_workflow: trigger pull_request event
jules_review_workflow->>Guard_step: run guard step
alt JULES_API_KEY present
Guard_step-->>jules_review_workflow: enabled=true
jules_review_workflow->>Jules_action: run Jules security review
Jules_action-->>GitHub: post security-focused PR review
else JULES_API_KEY missing
Guard_step-->>GitHub: log skipping message
end
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- In
.github/workflows/security.reusable.yml, consider pinningsecurego/gosec@masterto a specific release tag or SHA to avoid unexpected behavior when themasterbranch changes. - Similarly, in
.github/workflows/jules-review.yml, usingsanjay3290/jules-pr-reviewer@maincould introduce breaking changes over time; pinning to a version or commit SHA would make the workflow more stable and auditable.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In `.github/workflows/security.reusable.yml`, consider pinning `securego/gosec@master` to a specific release tag or SHA to avoid unexpected behavior when the `master` branch changes.
- Similarly, in `.github/workflows/jules-review.yml`, using `sanjay3290/jules-pr-reviewer@main` could introduce breaking changes over time; pinning to a version or commit SHA would make the workflow more stable and auditable.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
Pull request overview
This PR syncs shared engineering standards and GitHub automation from hallelx2/dev-standards into this repository, establishing consistent AI-agent guidance and baseline security/review workflows.
Changes:
- Adds repo-level agent/review standards (
AGENTS.md) and Copilot review baseline instructions. - Introduces path-scoped review rubrics and specialized agent profiles under
.github/instructions/and.github/agents/. - Adds security scanning and optional “Jules” automated review workflows under
.github/workflows/.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| AGENTS.md | Adds shared engineering/review standards for human + AI agents. |
| .github/copilot-instructions.md | Adds baseline Copilot PR review rubric and priorities. |
| .github/instructions/backend.instructions.md | Adds Go-specific review checklist for .go files. |
| .github/instructions/frontend.instructions.md | Adds TypeScript/Next/CSS review checklist for frontend files. |
| .github/instructions/security.instructions.md | Adds universal security review checklist applied to all files. |
| .github/agents/backend-reviewer.agent.md | Defines a specialized backend reviewer agent profile. |
| .github/agents/frontend-reviewer.agent.md | Defines a specialized frontend reviewer agent profile. |
| .github/agents/security-reviewer.agent.md | Defines an adversarial security reviewer agent profile. |
| .github/agents/test-reliability-reviewer.agent.md | Defines a test/reliability reviewer agent profile. |
| .github/workflows/security.yml | Adds a caller workflow that runs the shared security reusable workflow on PRs and main pushes. |
| .github/workflows/security.reusable.yml | Adds reusable security scanners (gitleaks, Trivy, gosec) for consistent cross-repo scanning. |
| .github/workflows/jules-review.yml | Adds optional automated Jules security review workflow gated on JULES_API_KEY. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| uses: ./.github/workflows/security.reusable.yml | ||
| secrets: inherit |
| - name: gitleaks | ||
| uses: gitleaks/gitleaks-action@v2 | ||
| env: | ||
| GITHUB_TOKEN: ${{ github.token }} |
| - name: Trivy filesystem scan | ||
| uses: aquasecurity/trivy-action@0.28.0 | ||
| with: |
| - name: gosec | ||
| if: steps.detect.outputs.is_go == 'true' | ||
| uses: securego/gosec@master | ||
| with: | ||
| args: -no-fail -fmt text ./... |
| - name: Jules security review | ||
| if: steps.guard.outputs.enabled == 'true' | ||
| uses: sanjay3290/jules-pr-reviewer@main | ||
| with: | ||
| jules-api-key: ${{ secrets.JULES_API_KEY }} | ||
| github-token: ${{ github.token }} |
fc89bdd to
21ae366
Compare
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
6f0b3aa to
0f70703
Compare
3c981ce to
29107cc
Compare
29107cc to
a84e2cf
Compare
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Install Trivy (latest binary — avoids the action's broken setup-trivy pin) | ||
| run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin |
| # Local reference — the reusable file is synced into THIS repo too, so each repo | ||
| # is self-contained and this works whether dev-standards is public or private. | ||
| uses: ./.github/workflows/security.reusable.yml | ||
| secrets: inherit |
| - package-ecosystem: github-actions | ||
| directory: "/" | ||
| schedule: | ||
| interval: weekly | ||
| labels: [dependencies, security] |
| - package-ecosystem: npm | ||
| directory: "/" | ||
| schedule: | ||
| interval: weekly | ||
| open-pull-requests-limit: 5 | ||
| commit-message: | ||
| prefix: "ci" | ||
| include: scope | ||
| labels: [dependencies, security] |
| name: Secrets (gitleaks) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
| name: Node/TS deps (npm audit) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
| id: detect | ||
| run: | | ||
| if [ -f package.json ]; then echo "is_node=true" >> "$GITHUB_OUTPUT"; else echo "is_node=false" >> "$GITHUB_OUTPUT"; fi | ||
| - uses: actions/setup-node@v4 |
| name: Python deps + SAST (pip-audit + bandit) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
| id: detect | ||
| run: | | ||
| if ls requirements*.txt pyproject.toml setup.py >/dev/null 2>&1; then echo "is_py=true" >> "$GITHUB_OUTPUT"; else echo "is_py=false" >> "$GITHUB_OUTPUT"; fi | ||
| - uses: actions/setup-python@v5 |
| name: Vulns + misconfig (Trivy) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
a84e2cf to
969eee4
Compare
Synced AI-review standards from hallelx2/dev-standards.
…m remote '.github/copilot-instructions.md' Synced AI-review standards from hallelx2/dev-standards.
…b/agents/' Synced AI-review standards from hallelx2/dev-standards.
…tions.md' from remote '.github/instructions/backend.instructions.md' Synced AI-review standards from hallelx2/dev-standards.
…ctions.md' from remote '.github/instructions/frontend.instructions.md' Synced AI-review standards from hallelx2/dev-standards.
…ctions.md' from remote '.github/instructions/security.instructions.md' Synced AI-review standards from hallelx2/dev-standards.
… remote '.github/workflows/security.yml' Synced AI-review standards from hallelx2/dev-standards.
…yml' from remote '.github/workflows/security.reusable.yml' Synced AI-review standards from hallelx2/dev-standards.
…from remote '.github/workflows/jules-review.yml' Synced AI-review standards from hallelx2/dev-standards.
….github/dependabot.yml' Synced AI-review standards from hallelx2/dev-standards.
969eee4 to
5039b38
Compare
synced local file(s) with hallelx2/dev-standards.
Changed files
AGENTS.mdfrom remoteAGENTS.md.github/copilot-instructions.mdfrom remote.github/copilot-instructions.md.github/agents/and copied all sub files/folders from remote directory.github/agents/.github/instructions/backend.instructions.mdfrom remote.github/instructions/backend.instructions.md.github/instructions/frontend.instructions.mdfrom remote.github/instructions/frontend.instructions.md.github/instructions/security.instructions.mdfrom remote.github/instructions/security.instructions.md.github/workflows/security.ymlfrom remote.github/workflows/security.yml.github/workflows/security.reusable.ymlfrom remote.github/workflows/security.reusable.yml.github/workflows/jules-review.ymlfrom remote.github/workflows/jules-review.yml.github/dependabot.ymlwith remote.github/dependabot.ymlThis PR was created automatically by the repo-file-sync-action workflow run #29023833923