fix: dedup contract + worker PR contract + conflict-resolver trigger gating #41
norrietaylor wants to merge 5 commits into
Every PR sync was spinning up the detect job (and surfacing as a PR check) even when no worker PRs were in conflict. The main-side push + 6h scheduled backstop already cover the actual signal — a default-branch advance creating new conflicts on open worker PRs — so the pull_request trigger was pure overhead and observable latency on high-throughput repos.
The detect-job `if:` guard against fork PRs is no longer reachable; trimmed.
Closes #19
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The docs-patrol chore was filing identical issues across re-runs because the prose said "apply the dedup procedure" without defining how the finding-id slug had to be constructed for the same drift to produce a byte-identical marker on a re-run. The agent was emitting a marker that varied per run.
Spell out the marker format explicitly: `<doc-path>` is lowercase relative path, `<concise-identity>` is a stable per-drift slug (e.g. `missing-file::<claimed-path>`) that MUST NOT include run-scoped data (timestamps, run ids, SHAs). State the invariant: two re-runs over the same working tree must produce a byte-identical marker.
Inline the dedup procedure into the chore (rather than delegating via "see safe-output-create-issue.md") with explicit handling for the three search outcomes (no match, one match, multiple matches) and a pointer to the MCP tool name in the allowlist.
Set `update-issue.target: '*'` so the chore can call update_issue from schedule/dispatch contexts; otherwise the runtime rejects with "not running in issue context" (ch-oracles#31, same root cause).
Closes #20
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… under workflow_dispatch
Audit chores (chore-style-{rust,python,go,toml,ncl}, dependency-review,
test-coverage-detector) defaulted to `update-issue.target: 'triggering'`,
which the gh-aw safe-output runtime only honors when the workflow itself
fires from an issue-event context. These chores run on schedule and
workflow_dispatch, so every update_issue call was rejected with:
✗ Message 1 (update_issue) failed: Target is "triggering" but not
running in issue context, skipping update_issue
Net effect: the dedup search (find existing finding-issue by finding-id
marker) worked, but the update path silently no-opped — `updatedAt` never
advanced on re-runs.
Set `target: '*'` on each chore's update-issue config so the agent can
pass an explicit issue_number from its dedup search. Tighten the
cross-chore idempotency contract in shared/safe-output-create-issue.md to
state issue_number is REQUIRED (the runtime is not in an issue-event
context and will reject omitted-number calls).
Closes #31
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…r PRs
worker-fix was opening PRs whose title started with `[worker:<label>]` but the PR itself had `labels: []` and `autoMergeRequest: null`. This breaks the runbook F3 contract: consumer queries like `gh pr list --label agent:doc-drift` miss every worker PR, and the auto-merge promise from the chore prose was never honored.
Configure the chore's create-pull-request safe-output the same way trivial-dep-bump-* does: `auto-merge: true` plus the baseline `agent:auto-merge` label declared statically in the workflow. The runtime keys declarative auto-merge enablement off this label.
Spell out in the worker-fix prose that the agent MUST pass an explicit `labels:` array on the create_pull_request call carrying the candidate issue's slot label (`agent:lint:python`, `agent:doc-drift`, etc.) — these are dynamic per candidate and cannot live in the workflow config. The runtime merges the agent-supplied label with the declarative baseline.
label-classification validator: agent:auto-merge previously had a single glob writer (`trivial-dep-bump-*`); broaden the schema to accept a list of globs and extend the auto-merge entry to include `worker-fix`. Update templates/.github/AGENTS.md to reflect the new writer set.
Closes #33
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
📝 Walkthrough
This PR enables deduplication and auto-merge for automated chore and worker workflows across multiple GitHub Actions contexts by adding explicit safe-output targeting, hardening finding-id markers, expanding label classification, and removing spurious triggers. Six chore-style workflows plus dependency-review and test-coverage-detector add wildcard targeting to support
Changes
- Safe-outputs context-targeting for chore workflows
- Doc-drift dedup hardening and finding-id marker contract
- Worker-fix PR auto-merge and slot-label baseline
- Label classification: agent:auto-merge writer expansion
- PR conflict resolver: remove pull_request trigger
@coderabbitai review
✅ Actions performed: Review triggered.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/docs-patrol.md (1)
141-147: ⚡ Quick win: Use one placeholder name for the dedup slug across marker and query.
Line 143 defines `<concise-identity>`, but Line 169 switches to `<identity>`. Keep this token name identical to reduce agent ambiguity when constructing/searching the marker.
Suggested edit
- query `is:issue is:open label:agent:doc-drift "finding-id: doc-drift::n-a::<doc-path>::<identity>" in:body`. + query `is:issue is:open label:agent:doc-drift "finding-id: doc-drift::n-a::<doc-path>::<concise-identity>" in:body`.Also applies to: 167-170
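Review bot: the `+` line renames the placeholder only in the search query, while the comment says the same mismatch also applies to 167-170. Rename every remaining `<identity>` in that range to `<concise-identity>` in the same commit, so the marker definition and the query string an agent builds from it cannot diverge and defeat the dedup search.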
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/worker-fix.lock.yml:
- Line 1509: The Safe Outputs config currently sets create_pull_request.draft as
a string ("${{ false }}") which violates the workflow schema expecting a
boolean; update the create_pull_request.draft entry used in the generated
safeoutputs/config.json and the GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG JSON to be an
actual JSON boolean (draft: false) instead of a quoted string, ensuring the
create_pull_request object remains valid and matches the schema for draft:type
boolean.
---
Nitpick comments:
In @.github/workflows/docs-patrol.md:
- Around line 141-147: The doc uses two different placeholder names for the
deduplication slug (<concise-identity> vs <identity>), which will confuse
agents; pick one token (preferably <concise-identity>) and replace every
instance of the other token so the marker and query use the identical
placeholder for the dedup slug (update the definition under the dedup/slug
section and the later example/stale-command block where the alternate <identity>
appears). Ensure the chosen token is used consistently in the examples and the
slug-format sentence describing allowed characters.
📒 Files selected for processing (32)
- .github/workflows/chore-style-go.lock.yml
- .github/workflows/chore-style-go.md
- .github/workflows/chore-style-ncl.lock.yml
- .github/workflows/chore-style-ncl.md
- .github/workflows/chore-style-python.lock.yml
- .github/workflows/chore-style-python.md
- .github/workflows/chore-style-rust.lock.yml
- .github/workflows/chore-style-rust.md
- .github/workflows/chore-style-toml.lock.yml
- .github/workflows/chore-style-toml.md
- .github/workflows/dependency-review.lock.yml
- .github/workflows/dependency-review.md
- .github/workflows/docs-patrol.lock.yml
- .github/workflows/docs-patrol.md
- .github/workflows/test-coverage-detector.lock.yml
- .github/workflows/test-coverage-detector.md
- .github/workflows/worker-fix.lock.yml
- .github/workflows/worker-fix.md
- scripts/label-classes.yml
- scripts/test-label-classification.py
- shared/safe-output-create-issue.md
- templates/.github/AGENTS.md
- workflows/chore-style-go.md
- workflows/chore-style-ncl.md
- workflows/chore-style-python.md
- workflows/chore-style-rust.md
- workflows/chore-style-toml.md
- workflows/dependency-review.md
- workflows/docs-patrol.md
- workflows/test-coverage-detector.md
- workflows/worker-fix.md
- wrappers/pr-conflict-resolver.yml
Addresses CodeRabbit feedback on PR #41.
- worker-fix.md: draft is now literal false (was ${{ false }} which gh-aw renders as the string "${{ false }}" in the safe-outputs config JSON — schema expects boolean).
- docs-patrol.md: rename <identity> to <concise-identity> in the dedup search query so the placeholder name matches the marker definition higher in the file.
@coderabbitai review
✅ Actions performed: Review triggered.
Summary
Four related chore-contract defects, all in the same PR because they share the dedup/worker-PR/safe-output surface:
- `pull_request` trigger from the wrapper. Main-side `push` + 6h scheduled backstop + `workflow_dispatch` still cover the actual signal (default-branch advance creating new conflicts on open worker PRs). The detect-job's now-unreachable fork-PR `if:` guard is trimmed.
- `doc-path` lowercase relative path; `concise-identity` a stable per-drift slug like `missing-file::<claimed-path>`, no run-scoped data) and inlined the dedup procedure with explicit handling for the no-match / one-match / many-match cases.
- `update_issue` rejected as "not running in issue context". Audit chores (chore-style-{rust,python,go,toml,ncl}, docs-patrol, dependency-review, test-coverage-detector) all defaulted to `update-issue.target: 'triggering'`, which the gh-aw safe-output runtime only honors when the workflow fires from an issue-event context. These chores run on schedule + dispatch, so every update_issue call silently no-opped. Set `target: '*'` on each so the agent can pass an explicit `issue_number` from its dedup search. Tightened the shared idempotency contract in `shared/safe-output-create-issue.md` to state `issue_number` is REQUIRED.
- `auto-merge: true` + a baseline `agent:auto-merge` label statically in the workflow (runtime keys auto-merge enablement off the label). The dynamic per-candidate slot label (`agent:doc-drift`, `agent:lint:python`, etc.) is added at agent call time via the `labels:` parameter on the safe-output. Extended the `label-classes.yml` validator to accept a list of writer globs since `agent:auto-merge` now has two writer families (`trivial-dep-bump-*` and `worker-fix`).
Test plan
- `gh aw compile` clean against all 14 workflow sources
- `for src in workflows/*.md; do diff -q "$src" ".github/workflows/$(basename "$src")"; done` — mirror clean
- `python3 scripts/audit-wrapper-permissions.py wrappers/*.yml` — 14 wrappers, 0 violations
- `python3 scripts/test-safe-output-allowlists.py` — allowlists match prose
- `python3 scripts/test-chore-consistency.py` — 14 chores consistent across all four surfaces
- `python3 scripts/test-label-classification.py` — 18 labels across 14 workflows (after broadening the `agent:auto-merge` writer glob to a list)
- `actionlint -color` clean
- `gominimal/spectacles-test` to confirm: (a) re-running an audit chore updates the existing finding-issue's `updatedAt` instead of filing a duplicate, (b) worker-fix PRs carry the issue-slot label + have auto-merge enabled
Closes #19
Closes #20
Closes #31
Closes #33
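
The finding-id marker invariant and the three-outcome dedup search described in this PR, as an added Python sketch that is not code from the PR or the project. The run-scoped-data heuristics, the issue dictionaries and the oldest-issue-wins policy for multiple matches are assumptions made for the example; the marker layout is the one quoted in the review comment.

```python
import posixpath
import re

# Heuristics for run-scoped data (assumed for this example, not the project's rules).
RUN_SCOPED = [
    re.compile(r"\b(?=[0-9a-f]*\d)[0-9a-f]{7,40}\b"),  # SHA-like hex or long run id
    re.compile(r"\d{4}-\d{2}-\d{2}"),                  # ISO date / timestamp prefix
]


def finding_marker(doc_path: str, identity: str) -> str:
    """Build the marker so the same drift always yields the same bytes."""
    path = posixpath.normpath(doc_path.strip()).lower()
    if path.startswith("/") or path == ".." or path.startswith("../"):
        raise ValueError(f"doc path must be repo-relative: {doc_path!r}")
    for pattern in RUN_SCOPED:
        if pattern.search(identity):
            raise ValueError(f"run-scoped data in identity: {identity!r}")
    return f"finding-id: doc-drift::n-a::{path}::{identity}"


def dedup_action(marker: str, open_issues: list[dict]) -> tuple:
    """Map search results to (action, issue_number, duplicate_numbers).

    Search is a phrase match, not equality, so every hit is re-checked for
    the exact marker followed by whitespace or end of text.
    """
    exact = re.compile(re.escape(marker) + r"(?=\s|$)")
    hits = sorted(i["number"] for i in open_issues if exact.search(i["body"]))
    if not hits:
        return ("create_issue", None, [])
    # With target '*', update_issue needs an explicit issue_number.
    # Assumed policy: update the oldest match, report the rest as duplicates.
    return ("update_issue", hits[0], hits[1:])


if __name__ == "__main__":
    marker = finding_marker("./Docs/README.md", "missing-file::src/old.rs")
    constructed = [  # constructed sample search results
        {"number": 12, "body": f"Drift found.\n<!-- {marker} -->"},
        {"number": 7, "body": f"{marker}\n"},
        {"number": 9, "body": f"{marker}.bak"},  # near miss, must not match
    ]
    print(marker)
    print(dedup_action(marker, constructed))
```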