✨ Add fallback for loading version manifest from remote URL

[denialhaag]

This PR adds a fallback for loading the version manifest from the remote URL. This allows us to use new versions of MLIR without necessarily releasing a new version of the action.

Furthermore, this PR updates the release of v1.4.0.

[coderabbitai]

Warning

Review limit reached

@denialhaag, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 45 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 180197a7-42dd-474d-933d-fdfde654faa1

📥 Commits

Reviewing files that changed from the base of the PR and between 7bead59 and 56e6b4c.

📒 Files selected for processing (1)

• CHANGELOG.md

📝 Walkthrough

Walkthrough

Adds explicit remote manifest fetching (loadManifestFromRemote with 30s timeout) and a forceRemote option to loadManifest/getManifestEntries; getManifestEntries now retries with remote-only loading when local manifest yields no matches. Minor test comment wording changes for timeouts.

Changes

Manifest Loading and Fallback

Layer / File(s)	Summary
Manifest loading infrastructure with remote option src/utils/download.ts	New loadManifestFromRemote() helper fetches the remote version-manifest.json with configurable GITHUB_ACTION_REPOSITORY/GITHUB_ACTION_REF and a 30-second timeout. loadManifest(forceRemote) now accepts forceRemote: when true, it loads remotely; when false, it attempts a local read and falls back to remote only on ENOENT.
Fallback retry logic in getManifestEntries src/utils/download.ts	getManifestEntries(forceRemote = false) calls loadManifest(forceRemote), filters entries, and if no matches are found and forceRemote is false, logs a debug message and retries with forceRemote = true. If still empty, the prior "No … archive found for LLVM …" error is thrown.
Test timeout comment standardization __tests__/integration.test.ts, __tests__/update-known-versions.test.ts	Updated inline comments to standardize timeout wording (e.g., "time-out" → "timeout", "10 minute timeout" → "10-minute timeout") without behavioral changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• munich-quantum-software/setup-mlir#111: Also adds remote version-manifest.json fetching with repo/ref URL construction and a timeout-based fallback; related to the manifest remote-fallback changes.

Poem

A rabbit hops through manifests with care,
Local first, then remote — a fallback pair 🐰
Thirty seconds waiting for the file to appear,
Retry once more if the archive's not near,
Then nibble logs and hop away with cheer. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title accurately describes the main change: adding a fallback mechanism to load the version manifest from a remote URL, which is the primary feature implemented across the modified files.
Description check	✅ Passed	The PR description accurately describes the main changes: adding a fallback for loading the version manifest from a remote URL and mentions the v1.4.0 release.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch get-version-manifest-from-main

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/utils/download.ts`:
- Line 87: Replace the hardcoded 30000ms AbortSignal.timeout with a configurable
timeout value: read an integer from an env var (e.g.
process.env.DOWNLOAD_TIMEOUT_MS) or a function parameter, parse it to a number
with a safe fallback to 30000, validate it (>=0), and pass that value into
AbortSignal.timeout instead of the literal; update any callers or export an
option if the download function (refer to the AbortSignal.timeout usage in this
file) is invoked elsewhere so the timeout can be overridden in tests/CI.
- Around line 79-83: Document and validate the environment-derived repo/ref
before building manifestUrl: add a short comment near actionRepo/actionRef
explaining these come from GitHub Actions runtime (GITHUB_ACTION_REPOSITORY and
GITHUB_ACTION_REF) and that defaults are used when running locally or outside
the marketplace; then validate/sanitize actionRepo (must match owner/repo
pattern like /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/) and actionRef (allow safe ref
chars like /^[A-Za-z0-9_.\-\/]+$/), log a warning and fall back to the defaults
if validation fails, and ensure manifestUrl is only constructed from the
validated/sanitized values (referencing actionRepo, actionRef, manifestUrl).
- Around line 55-63: When entries.length === 0 and !forceRemote (the fallback
branch that calls getManifestEntries(version, platform, architecture, debug,
true)), add a debug log using core.debug before calling the remote retry so it's
visible why we’re falling back; import core at the top of the file and log a
message referencing version, platform, architecture and that local manifest had
no matching entries and we are retrying remotely to aid debugging.
- Line 94: The code currently returns (await response.json()) as ManifestEntry[]
without runtime validation; change this to parse the JSON into a variable,
verify it's an array (Array.isArray) and that each element contains the required
ManifestEntry properties (check presence and types of the fields declared on the
ManifestEntry type), and throw a descriptive error if validation fails; update
the return to the validated array (or map/normalize items) so callers receive a
well-formed ManifestEntry[] instead of blindly casting the response.json()
result.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 622fa451-e80e-40d8-932f-9476d786c2e7

📥 Commits

Reviewing files that changed from the base of the PR and between 47e48e3 and a33a4aa.

⛔ Files ignored due to path filters (2)

• dist/index.js is excluded by !**/dist/**
• dist/index.js.map is excluded by !**/dist/**, !**/*.map

📒 Files selected for processing (1)

• src/utils/download.ts

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main     #191      +/-   ##
==========================================
- Coverage   88.97%   88.65%   -0.32%     
==========================================
  Files           7        7              
  Lines         381      388       +7     
  Branches       90       94       +4     
==========================================
+ Hits          339      344       +5     
- Misses         42       44       +2     

Flag	Coverage Δ
integration-macos-15	81.70% <100.00%> (-0.19%)	⬇️
integration-macos-15-intel	81.44% <100.00%> (-0.19%)	⬇️
integration-ubuntu-24.04	81.18% <100.00%> (-0.18%)	⬇️
integration-ubuntu-24.04-arm	81.44% <100.00%> (-0.19%)	⬇️
integration-windows-11-arm	87.37% <100.00%> (-0.30%)	⬇️
integration-windows-2025	87.11% <100.00%> (-0.29%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/utils/download.ts	95.12% <100.00%> (-4.88%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[denialhaag]

@burgholzer, do you have any input on the open CodeRabbit comments? I feel like they are all a stretch. 🤔

[burgholzer]

@burgholzer, do you have any input on the open CodeRabbit comments? I feel like they are all a stretch. 🤔

All of them sound overly defensive. I'd simply ignore them.

[burgholzer]

This looks good to me!

[denialhaag]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.