fix: pin pr-review-mention reusable to d3d768d SHA #268
The @v1 tag in petry-projects/.github pointed to commit 0cb4bba, which predates the existence of pr-review-mention-reusable.yml, causing a parse-time "workflow was not found" error in all caller repos. Pin the uses: line in the standards template to the correct SHA (d3d768d, the latest main commit containing the reusable) and add a fanout reminder so the template and callers stay in sync going forward. The v1 tag has been force-moved to d3d768d and a new v2 tag cut at the same SHA to unblock production immediately.

Closes #267

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
CodeRabbit

Warning: Rate limit exceeded. You've run out of usage credits. Purchase more in the billing tab.

Review info: Configuration used: Organization UI. Review profile: ASSERTIVE. Plan: Pro. Files selected for processing (1).
Code Review
This pull request updates the pr-review-mention.yml workflow to pin a specific commit SHA and adds documentation regarding the update process. Feedback indicates that pinning internal reusable workflows to a SHA violates the organization's Action Pinning Policy, which requires using version tags like @v1 or @main. It is recommended to use the @v2 tag instead and to update the documentation to refer to versions or tags rather than SHAs to ensure consistency with established standards.
Pull request overview
Pins the pr-review-mention-reusable.yml reference in the template caller stub to a specific SHA (d3d768d) to resolve a stale v1 tag that pointed to a commit predating the reusable workflow file, and adds a maintenance note to the AGENTS comment block.
Changes:
- Replace `@v1` ref with `@d3d768dabb7f28cc63283cdfe48630da53700e50 # main` SHA pin
- Add fanout reminder to the template's instructional comment block
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.
Superseded by automated re-review at
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 82af6400b900ef57439c26fce5c70042aa7fb2eb
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)
Summary
The PR correctly fixes a broken @v1 tag by pinning to the full commit SHA (d3d768d). The triage-flagged tension between SHA pinning and the @v2 tag recommendation dissolves on close reading: the linked issue (#267), authored by the org owner, explicitly mandates the SHA pin form and states it matches ci-standards.md action-pinning policy. Gemini's suggestion to use @v2 instead appears to be a false positive — mutable tags are exactly what caused the original breakage, and the issue was written with full awareness that @v2 exists at the same SHA. All CI gates pass (CodeQL success, SonarQube 0 issues).
Findings
- INFO: Gemini flagged SHA pinning as violating the org's Action Pinning Policy and recommended @v2 instead. However, the authoritative issue #267 (authored by org owner don-petry) explicitly specifies this exact SHA pin form and states it 'matches ci-standards.md action-pinning policy'. The v2 tag exists at the same SHA but is mutable — using it would recreate the same drift problem that caused this incident. SHA pin is the correct, immutable form here.
- INFO: Issue #267 Scope lists 5 files across 4 repos. This PR covers only the standards template (1 of 5 files). Fanout PRs for TalkTerm (#173) and bmad-bgreat-suite (#147) are noted as open drafts in the PR description; google-app-scripts was also mentioned. These are intentionally separate PRs per the issue's Execution Order — this PR is scoped correctly.
- INFO: All required CI checks passed: CodeQL (success), SonarQube Quality Gate (0 new issues, 0 security hotspots), CodeRabbit (rate-limited, no findings recorded). No failures blocking merge on technical grounds — block is purely REVIEW_REQUIRED from org-leads team.
- MINOR: The added comment says 'When publishing a new SHA of this reusable' — slightly ambiguous. It could mean 'when the reusable file changes and a new pinnable commit exists'. Consider 'When updating this reusable (new SHA on main)' for clarity, but this is cosmetic and not a blocker.
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.
donpetry-bot
left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 705273df88128ddbc7b6e7a7d393b326fb95aecc
Review mode: triage-approved (single reviewer)
Summary
Triage already cleared this PR as low-risk; this is a confirmation pass. The change is a tightly-scoped 3-line update to standards/workflows/pr-review-mention.yml: bumps uses: from @v1 (broken — pointed to a commit predating the reusable file) to @v2, and adds a fanout-reminder comment to the AGENTS header block. All CI gates pass.
Linked issue analysis
Issue #267 (authored by org owner) specifies that v1 is force-moved to d3d768d AND a new v2 tag is cut at the same SHA. The issue's "Pin form in YAML" section recommended an explicit SHA pin, but Gemini reviewer flagged that the file's own header comment block and the org's internal-ref policy prescribe tag pinning (@v1/@v2) for org-internal reusables. The author correctly pivoted to @v2, which the issue itself confirms resolves to the same d3d768d SHA. This PR scope is the standards template only — fanout PRs for TalkTerm (#173), bmad-bgreat-suite (#147), and google-app-scripts (#272) are intentionally tracked separately per the issue's Execution Order.
Findings
- INFO: PR body still references the SHA-pin form ("Pin `standards/workflows/pr-review-mention.yml` to SHA `d3d768d`...") which is now stale after the `@v2` pivot. Cosmetic only — doc drift in the PR description, not in code. Consider editing the PR body if it will be used as the squash-commit message.
- INFO: The Step-5 fanout reminder added at line 16–17 matches the wording suggested by issue #267 closely ("When publishing a new version of this reusable, also update this template and open a fanout PR across all caller repos."). Good preventive measure against future template/caller drift.
- INFO: The author's deviation from the issue's literal SHA-pin form is a defensible judgment call: the file header at lines 8–9 explicitly documents tag-bump (`@v1` → `@v2`) as the expected upgrade path for this caller stub. Gemini's review independently flagged the SHA form as inconsistent with that documented convention. Tag mutability risk (the original root cause) is mitigated here because `@v2` is a freshly cut tag at a known-good SHA, not a long-lived rolling tag.
CI status
All required checks green: CodeQL success, SonarCloud Quality Gate passed (0 new issues, 0 security hotspots), Lint, ShellCheck, AgentShield, Agent Security Scan, Claude Code — all SUCCESS. CodeRabbit was rate-limited (no findings recorded, not a failure). Merge state is BLOCKED solely on REVIEW_REQUIRED.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the

Posted by the donpetry-bot PR-review cascade.
Summary

Pin standards/workflows/pr-review-mention.yml to SHA d3d768dabb7f28cc63283cdfe48630da53700e50 (latest main)

Root cause: The v1 lightweight tag pointed to commit 0cb4bba1, which predates pr-review-mention-reusable.yml, causing a parse-time "workflow was not found" error in every caller repo.

Tag operations already applied (out-of-band):
- v1 force-moved → d3d768d (unblocks production immediately)
- v2 cut at d3d768d

Fanout PRs (all draft):
0cb4bba1)

Note: .github/workflows/pr-review-mention.yml in this repo already uses a local ./ ref and does not need updating.

Closes #267
Generated with Claude Code
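As an added example (not part of this PR or the petry-projects repositories), a pre-pin check for the failure described above: resolve the ref to its commit and refuse to emit a `uses:` line unless that commit's tree actually contains the reusable file. The repository is constructed inline to mirror the incident (v1 tagged before the reusable existed); the `.github/workflows/` path inside the .github repo and the fixture commit contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): refuse to pin a caller's `uses:` line to a
# ref whose tree lacks the reusable workflow. Fixture repo is constructed here.
set -eu

# Assumed location of the reusable inside the petry-projects/.github repo.
REUSABLE=".github/workflows/pr-review-mention-reusable.yml"

# Build a throwaway repo: commit 1 has no reusable and is tagged v1 (the
# incident shape); commit 2 adds the reusable and is tagged v2.
make_fixture() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=t -c user.email=t@example.invalid \
    commit -q --allow-empty -m "initial (constructed)"
  git -C "$dir" tag v1
  mkdir -p "$dir/.github/workflows"
  printf 'on: workflow_call\njobs: {}\n' > "$dir/$REUSABLE"
  git -C "$dir" add "$REUSABLE"
  git -C "$dir" -c user.name=t -c user.email=t@example.invalid \
    commit -q -m "add reusable (constructed)"
  git -C "$dir" tag v2
  echo "$dir"
}

# ref_has_file REPO REF PATH: exit 0 only if PATH exists in REF's tree.
ref_has_file() {
  git -C "$1" cat-file -e "$2:$3" 2>/dev/null
}

# pin_line REPO REF: print the immutable SHA-pinned `uses:` line for REF, or
# fail with a diagnostic when REF predates the reusable (the root cause here).
pin_line() {
  repo=$1; ref=$2
  sha=$(git -C "$repo" rev-parse "$ref^{commit}")
  if ! ref_has_file "$repo" "$sha" "$REUSABLE"; then
    echo "refusing to pin: $ref ($sha) does not contain $REUSABLE" >&2
    return 1
  fi
  echo "uses: petry-projects/.github/$REUSABLE@$sha # $ref"
}

REPO=$(make_fixture)
pin_line "$REPO" v1 || true   # rejected: v1 predates the reusable file
pin_line "$REPO" v2           # accepted: prints the SHA-pinned uses: line
```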