Skip to content

Feature: Autonomous Repository Management & Intelligence Ecosystem#92

Open
NITISH-R-G wants to merge 2 commits into
mainfrom
feat/autonomous-repo-management-12050011992550968239
Open

Feature: Autonomous Repository Management & Intelligence Ecosystem#92
NITISH-R-G wants to merge 2 commits into
mainfrom
feat/autonomous-repo-management-12050011992550968239

Conversation

@NITISH-R-G

@NITISH-R-G NITISH-R-G commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Implements the core requirements for an advanced, autonomous, self-improving, and contributor-friendly open-source repository. Leveraging GitHub's free capabilities, this commit introduces automated repository maintenance workflows, contributor management mechanisms (issue/PR templates, greetings, stale issue handling), CI validation for both Python and frontend build checks, AI-powered code reviews, and automatic generation of repository artifacts such as SBOMs, architecture diagrams, and knowledge graphs.


PR created automatically by Jules for task 12050011992550968239 started by @NITISH-R-G

Summary by Sourcery

Introduce automated repository maintenance, documentation generation, and contributor experience workflows for the project.

New Features:

  • Add a Python tool to generate a JSON knowledge graph of Python files, classes, and functions in the repository.
  • Add a Python tool that auto-generates a documentation index from markdown files in the docs directory.
  • Set up GitHub Pages deployment for the docs directory.
  • Introduce an issue reporting template and a pull request template to standardize community contributions.
  • Add a Code of Conduct and contributing guidelines to formalize project governance and contribution expectations.

Enhancements:

  • Configure a repository maintenance workflow to auto-fix lint issues, generate architecture diagrams, produce SBOMs, and commit generated artifacts.
  • Add a CI workflow that runs backend tests with pytest and frontend build checks via Node.js on pushes and pull requests.
  • Introduce greeting automation for first-time issue authors and pull request contributors.
  • Configure a stale issue and pull request management workflow to automatically mark and close inactive items.
  • Add an AI-powered code review workflow that runs on pull requests.

Introduces a comprehensive suite of tools and GitHub Actions to automate repository maintenance, CI, code quality, security, and contributor engagement.

- Added community health files (`CODE_OF_CONDUCT.md`, `CONTRIBUTING.md`, issue/PR templates).
- Created `greetings.yml` for new contributors.
- Created `stale.yml` for automated issue management.
- Set up `ci.yml` for Python and Node.js testing.
- Created `ai-review.yml` for automated PR reviews using CodeRabbit.
- Implemented `repo-maintenance.yml` to automatically generate architecture diagrams, an SBOM, and sync documentation.
- Added custom Python tools (`docs_sync.py`, `generate_knowledge_graph.py`) to build dynamic knowledge graphs and markdown indices.

Co-authored-by: NITISH-R-G <225521762+NITISH-R-G@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@sourcery-ai

sourcery-ai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Reviewer's Guide

This PR introduces automated repository maintenance, CI, documentation, and contributor experience tooling using GitHub Actions plus two Python utilities for docs indexing and Python-code knowledge graph generation, alongside basic community health files and templates.

Sequence diagram for ai_review GitHub_Action on_pull_request

sequenceDiagram
  actor Developer
  participant GitHub
  participant ai_review_workflow
  participant coderabbit_action

  Developer->>GitHub: create pull_request
  GitHub->>ai_review_workflow: pull_request opened/synchronize
  ai_review_workflow->>coderabbit_action: run coderabbitai/openai-pr-reviewer@latest
  coderabbit_action-->>GitHub: post review comments on PR
Loading

Flow diagram for repository_maintenance GitHub_Action workflow

flowchart TD
  trigger_push[[push to main/master]] --> maintenance_job
  trigger_pr[[pull_request to main/master]] --> maintenance_job

  maintenance_job[maintenance job]

  maintenance_job --> checkout["actions/checkout@v4"]
  maintenance_job --> setup_python["actions/setup-python@v5 (3.12)"]
  maintenance_job --> install_deps["Install dependencies via uv"]
  maintenance_job --> ruff_fix["ruff check --fix ."]
  maintenance_job --> gen_kg["python tools/generate_knowledge_graph.py"]
  maintenance_job --> sync_docs["python tools/docs_sync.py"]
  maintenance_job --> arch_diagram["pydeps . -o docs/arch.svg"]
  maintenance_job --> sbom["uv run cyclonedx-py environment -o bom.json"]
  maintenance_job --> commit_push["Commit and push generated artifacts"]
Loading

File-Level Changes

Change Details Files
Add Python tool to generate a JSON knowledge graph of Python files, classes, and functions for the repository.
  • Walk the repository tree excluding common non-source directories and collect .py files.
  • Parse each Python file with ast, create file/class/function nodes, and connect them via contains edges.
  • Write the resulting graph to docs/knowledge_graph.json and expose a CLI entry via main guard.
tools/generate_knowledge_graph.py
Introduce an automated repository maintenance workflow that formats code, generates docs artifacts, SBOM, and commits them back to the repository.
  • Set up Python with uv, install tooling (pydeps, cyclonedx-bom, ruff).
  • Run Ruff autofix, generate the knowledge graph and documentation index, produce an architecture diagram SVG, and generate a CycloneDX SBOM.
  • Automatically commit and push updated docs/ and bom.json on pushes and PRs to main/master.
.github/workflows/repo-maintenance.yml
Add CI workflow for backend and frontend, ensuring tests and builds run on pushes and pull requests.
  • Set up Python 3.12 and uv, install project dev dependencies, and run pytest over the tests directory.
  • Set up Node.js 22, install frontend dependencies in the web directory, and run the frontend build command.
  • Trigger CI on pushes and pull requests to main/master branches.
.github/workflows/ci.yml
Enable automatic deployment of the docs directory to GitHub Pages.
  • Configure Pages permissions and concurrency for the docs deployment.
  • Checkout the repository, configure Pages, upload ./docs as an artifact, and deploy via the official deploy-pages action.
  • Trigger deployment on pushes to main and via manual workflow dispatch.
.github/workflows/pages.yml
Add an issue reporting template and a standardized pull request template to improve contributor workflow.
  • Define a guided issue template collecting bug/feature description, reproduction steps, environment details, and extra context.
  • Provide a PR template with sections for description, change type, testing, and a contribution checklist referencing Python and web test commands.
.github/ISSUE_TEMPLATE/issue_template.md
.github/pull_request_template.md
Introduce automated greetings for first-time issue and PR authors.
  • Use actions/github-script to detect first-time contributors and distinguish issues vs PRs.
  • Post a tailored welcome comment with guidance and expectations when appropriate.
.github/workflows/greetings.yml
Add a scheduled workflow to mark and close stale issues and pull requests.
  • Schedule a daily run of actions/stale with custom stale and close messages.
  • Configure time thresholds for marking items as stale and closing them.
  • Grant write permissions on issues and pull requests for automation.
.github/workflows/stale.yml
Configure AI-powered PR review using the coderabbit OpenAI reviewer action.
  • Trigger AI review on PR open and synchronize events.
  • Pass GitHub and OpenAI credentials via secrets and configure reviewer options for non-trivial changes.
.github/workflows/ai-review.yml
Add basic community health documentation including a Code of Conduct and contributing guidelines.
  • Document expected behavior, unacceptable conduct, and enforcement for community interactions.
  • Provide a lightweight contributing guide covering issue usage, branching, testing commands, PR process, and rebasing expectations.
CODE_OF_CONDUCT.md
CONTRIBUTING.md
Add a Python docs synchronization utility that auto-generates a documentation index from markdown files.
  • Walk the docs directory to discover markdown files excluding index.md.
  • Generate docs/index.md with a sorted, human-readable list of links based on filenames.
  • Expose a main guard to run sync_docs as a script.
tools/docs_sync.py

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NITISH-R-G has reached the 50-credit limit for trial accounts. To continue receiving code reviews, upgrade your plan.

@github-actions

Copy link
Copy Markdown

Failed to generate code suggestions for PR

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues, and left some high level feedback:

  • The repo-maintenance.yml workflow auto-runs Ruff fixes and commits/pushes on every push/PR to main/master, which can unexpectedly mutate contributor branches (and may fail for forks); consider restricting auto-commits to a maintenance branch or scheduled job instead of normal pushes/PRs.
  • In tools/generate_knowledge_graph.py, the file_ids map is populated but never used and the graph only encodes file→class/function containment; either remove the unused mapping or extend the graph to include richer relationships (e.g., imports, inheritance, function calls) if this is meant to be a knowledge graph.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The `repo-maintenance.yml` workflow auto-runs Ruff fixes and commits/pushes on every push/PR to main/master, which can unexpectedly mutate contributor branches (and may fail for forks); consider restricting auto-commits to a maintenance branch or scheduled job instead of normal pushes/PRs.
- In `tools/generate_knowledge_graph.py`, the `file_ids` map is populated but never used and the graph only encodes file→class/function containment; either remove the unused mapping or extend the graph to include richer relationships (e.g., imports, inheritance, function calls) if this is meant to be a knowledge graph.

## Individual Comments

### Comment 1
<location path="tools/generate_knowledge_graph.py" line_range="55" />
<code_context>
+                            "target": class_id,
+                            "type": "contains"
+                        })
+                    elif isinstance(node, ast.FunctionDef):
+                        func_id = f"func_{file_id}_{node.name}"
+                        graph["nodes"].append({
</code_context>
<issue_to_address>
**suggestion:** Async functions are not included in the knowledge graph.

The current logic only handles `ast.FunctionDef`, so `async def` functions (`ast.AsyncFunctionDef`) are omitted from the graph. Please update the function node generation to also include `AsyncFunctionDef` for full coverage.

Suggested implementation:

```python
                    elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
                        func_id = f"func_{file_id}_{node.name}"
                        graph["nodes"].append({

```

1. No extra imports are required; `ast.AsyncFunctionDef` is already available via the existing `import ast`.
2. Ensure any downstream logic that might rely on distinguishing sync vs async functions (if present elsewhere in the file) is still correct; currently this change treats both as generic "function" nodes in the graph.
</issue_to_address>

### Comment 2
<location path=".github/workflows/ci.yml" line_range="42-43" />
<code_context>
+    - name: Install Frontend dependencies
+      run: cd web && npm install
+
+    - name: Run Frontend tests
+      run: cd web && npm run build
</code_context>
<issue_to_address>
**suggestion:** Step name suggests tests, but the command only performs a build.

This step is named `Run Frontend tests` but only runs `npm run build`, which is usually a production build, not tests. If you have a separate test command (e.g., `npm test`), either run that here or rename the step to accurately reflect that it’s just building.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

"target": class_id,
"type": "contains"
})
elif isinstance(node, ast.FunctionDef):

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Async functions are not included in the knowledge graph.

The current logic only handles ast.FunctionDef, so async def functions (ast.AsyncFunctionDef) are omitted from the graph. Please update the function node generation to also include AsyncFunctionDef for full coverage.

Suggested implementation:

                    elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
                        func_id = f"func_{file_id}_{node.name}"
                        graph["nodes"].append({
  1. No extra imports are required; ast.AsyncFunctionDef is already available via the existing import ast.
  2. Ensure any downstream logic that might rely on distinguishing sync vs async functions (if present elsewhere in the file) is still correct; currently this change treats both as generic "function" nodes in the graph.

Comment thread .github/workflows/ci.yml
Comment on lines +42 to +43
- name: Run Frontend tests
run: cd web && npm run build

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Step name suggests tests, but the command only performs a build.

This step is named Run Frontend tests but only runs npm run build, which is usually a production build, not tests. If you have a separate test command (e.g., npm test), either run that here or rename the step to accurately reflect that it’s just building.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@NITISH-R-G, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 53 minutes

Enable usage-based reviews in Billing to continue beyond rate limits. You'll only pay for additional reviews ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information, and refer to the rate limits docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 17be595e-f89e-4f62-8ef1-e9a03fe15993

📥 Commits

Reviewing files that changed from the base of the PR and between 6c81268 and 4fa6637.

📒 Files selected for processing (5)
  • .github/workflows/ai-review.yml
  • .github/workflows/ci.yml
  • .github/workflows/repo-maintenance.yml
  • tools/docs_sync.py
  • tools/generate_knowledge_graph.py
📝 Walkthrough

Walkthrough

Adds GitHub community health files (issue template, PR template, Code of Conduct, Contributing guide) and seven GitHub Actions workflows (CI, AI review, greetings, stale, Pages deployment, repo maintenance). Also adds two Python tooling scripts (generate_knowledge_graph.py, docs_sync.py) invoked by the maintenance workflow.

Changes

Community Health Files

Layer / File(s) Summary
Issue/PR templates and community docs
.github/ISSUE_TEMPLATE/issue_template.md, .github/pull_request_template.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md
Adds structured issue and PR templates, a Code of Conduct, and a Contributing guide.

GitHub Actions Workflows

Layer / File(s) Summary
CI workflow
.github/workflows/ci.yml
Runs pytest and npm run build on push/PR to main/master with Python 3.12 and Node.js 22.
AI review, greetings, and stale workflows
.github/workflows/ai-review.yml, .github/workflows/greetings.yml, .github/workflows/stale.yml
Adds AI PR reviewer on open/synchronize, first-time contributor welcome comments, and nightly stale issue/PR management.
Repo maintenance and Pages deployment
.github/workflows/repo-maintenance.yml, .github/workflows/pages.yml
Runs ruff, knowledge graph generation, docs sync, pydeps, and SBOM generation with auto-commit on push/PR; deploys ./docs to GitHub Pages on push to main.

Python Tooling Scripts

Layer / File(s) Summary
Knowledge graph generator and docs index sync
tools/generate_knowledge_graph.py, tools/docs_sync.py
generate_knowledge_graph.py walks the repo AST and writes docs/knowledge_graph.json; docs_sync.py scans docs/ for Markdown files and regenerates docs/index.md.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐇 Hop hop, new workflows in place,
Templates and conduct set the pace,
The knowledge graph grows file by file,
Stale issues rest for quite a while,
Pages deploy with a gentle push—
This rabbit approves with a joyful whoosh! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and broadly matches the PR’s main focus on repository automation and contributor tooling.
Description check ✅ Passed The description clearly matches the changeset, covering workflows, templates, docs tooling, and governance files.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/autonomous-repo-management-12050011992550968239

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

- Corrected installation paths for `uv` in CI environments to target `$HOME/.local/bin/uv` instead of `$HOME/.cargo/bin/uv`.
- Fixed the CodeRabbit AI PR reviewer action to use a specific stable version (`v1.17.1`) as `latest` was not resolving correctly.
- Addressed Ruff lint/formatting failures in tools scripts.

Co-authored-by: NITISH-R-G <225521762+NITISH-R-G@users.noreply.github.com>

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NITISH-R-G has reached the 50-credit limit for trial accounts. To continue receiving code reviews, upgrade your plan.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 22

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ai-review.yml:
- Around line 3-14: The review workflow currently depends on OPENAI_API_KEY
inside the review job, which breaks for forked pull requests because that secret
is unavailable. Update the ai-review workflow to guard the
coderabbitai/openai-pr-reviewer step against forked PRs or switch the
secret-dependent execution to a trusted trigger like pull_request_target, using
the review job and its env block as the main places to adjust.
- Around line 11-18: The workflow step using coderabbitai/openai-pr-reviewer is
pinned to a mutable tag, which should be replaced with an immutable commit
reference. Update the uses entry in ai-review.yml to point to a specific commit
SHA instead of the current tag, keeping the rest of the workflow step unchanged
so the PR review action remains deterministic and secure.
- Around line 7-18: The review job in the ai-review workflow is relying on
default GITHUB_TOKEN scopes instead of explicitly declaring the minimal
permissions needed. Update the review job definition for
coderabbitai/openai-pr-reviewer@latest to include job-level permissions with
contents: read and pull-requests: write so the action can read the repository
and post PR comments without broader access.

In @.github/workflows/ci.yml:
- Around line 13-15: The CI job currently exposes more GitHub token access than
needed after checkout. Update the workflow around the `actions/checkout@v4` step
and the job that runs `pytest`, `npm install`, and `npm run build` to use an
explicit read-only `permissions` block and set `persist-credentials: false` on
checkout so repository scripts do not inherit or reuse the checkout credential.
- Around line 23-29: The CI workflow’s Install uv step is executing a remote
installer from an unpinned URL, so update the .github/workflows/ci.yml job to
use a pinned uv release or a versioned action instead of piping the live
install.sh script. Keep the Install dependencies step using the installed uv
binary, but ensure the uv setup is sourced from a fixed version so the workflow
remains reproducible and safer to run.
- Around line 13-18: The workflow still uses mutable GitHub Actions tags, so
update the actions in ci.yml to immutable commit SHAs instead of version tags.
Replace the usages of actions/checkout, actions/setup-python, and
actions/setup-node in the CI job with their full pinned SHAs, keeping the same
step structure while ensuring each action reference is fixed to a specific
commit.

In @.github/workflows/greetings.yml:
- Line 13: The workflow currently uses a legacy actions/github-script major, so
update the greeting workflow to the currently supported major and pin it to a
specific full commit SHA instead of a moving tag. Make the change in the step
that references actions/github-script so the action version is both upgraded and
immutable.
- Around line 9-30: The welcome job in greetings.yml calls
github.rest.issues.createComment(), but the workflow job does not declare the
required issues: write permission. Update the welcome job’s permissions to grant
only issues: write, and keep the script logic in the github-script step
unchanged; if this workflow must handle forked pull requests, note that
pull_request runs still receive a read-only token and will need a different
event or permission strategy.
- Around line 25-30: The comment posting in the github-script step is not
awaited, so the workflow can finish before the issue comment is actually
created. Update the createComment call in the greetings workflow to be awaited
and keep the logic in the same step so the promise resolves before the action
exits. Use the github.rest.issues.createComment invocation as the target for the
fix.

In @.github/workflows/pages.yml:
- Around line 3-7: The Pages workflow is uploading the checked-out ./docs
directory instead of the freshly generated docs, so update the deployment flow
around the Pages job in pages.yml to use generated artifacts rather than stale
source files. Either add the docs generation step to this workflow before the
upload, or change the Pages publish inputs to consume the output from
repo-maintenance.yml; reference the workflow jobs that use
actions/upload-pages-artifact and any docs generation step so the deployment
always reflects the latest generated docs.
- Around line 26-35: The GitHub Pages workflow still references moving action
tags in the checkout/configure-pages/upload-pages-artifact/deploy-pages steps,
so update those action references to immutable full commit SHAs. Keep the same
jobs and step names, but replace the version tags on actions/checkout,
actions/configure-pages, actions/upload-pages-artifact, and actions/deploy-pages
with pinned SHAs so the workflow remains stable and safer.

In @.github/workflows/repo-maintenance.yml:
- Around line 3-10: The maintenance workflow is currently triggered on
pull_request with contents: write, which allows unreviewed PR code to run before
a write-enabled push step. Update the repo-maintenance workflow so the job that
uses checkout and repository-controlled tooling runs only on trusted push
events, and separate any PR validation into a read-only path. Keep the
push-based maintenance logic in the workflow jobs that invoke the
checkout/tooling steps and the write-back action, and remove pull_request from
the trigger for the write-enabled path.
- Around line 26-30: The Install dependencies step in the workflow uses an
unpinned curl | sh installer before the job can commit and push changes, which
is unsafe in a write-enabled job. Update the setup in the workflow to use a
pinned installer source or replace it with a pinned action for installing uv,
and keep the dependency installation via the existing uv commands in the same
job.
- Around line 16-22: The repo-maintenance workflow uses mutable GitHub Actions
tags for steps that can write back to the repository, so replace the
`actions/checkout` and `actions/setup-python` versions in the workflow with
pinned commit SHAs. Update the existing checkout and Python setup steps in
`.github/workflows/repo-maintenance.yml` to use immutable references instead of
`@v4` and `@v5`, keeping the same step names and inputs.

In @.github/workflows/stale.yml:
- Around line 3-20: The scheduled stale workflow is mutating and currently has
no concurrency control, so overlapping runs can duplicate comments or race
closures. Add a concurrency group to the workflow in the stale job configuration
so only one run of the scheduled workflow proceeds at a time, and make sure the
group is unique to this workflow (using the workflow name or similar identifier)
with in-progress cancellation enabled.
- Around line 7-9: The workflow grants write permissions at the top level, which
makes them apply to every job in the file. Move the `issues` and `pull-requests`
write permissions into the `jobs.stale` job instead, keeping the scope limited
to the stale action and preventing future jobs from inheriting them.
- Around line 15-20: The stale workflow uses the mutable actions/stale@v8 tag,
so update the action reference in the stale job to a pinned full commit SHA
instead of the tag. Keep the existing stale-issue-message, stale-pr-message,
days-before-stale, and days-before-close settings unchanged, and adjust only the
actions/stale step to use the immutable SHA.

In `@CODE_OF_CONDUCT.md`:
- Around line 25-27: The Enforcement section in CODE_OF_CONDUCT.md currently
mentions contacting “the project team” without a concrete reporting path; update
that section to include a specific reporting contact such as a dedicated email
address or reporting form link so incidents can be submitted directly. Keep the
change localized to the Enforcement text and make sure the new contact method is
clearly identified alongside the existing confidentiality language.

In `@CONTRIBUTING.md`:
- Around line 17-21: Update the branch terminology in the Pull Request
instructions to use main instead of master. In the “Make a Pull Request”
section, revise the wording around the default branch reference so both mentions
in that paragraph consistently refer to main; this change is isolated to the
CONTRIBUTING.md guidance text and should preserve the rest of the instructions
unchanged.

In `@tools/docs_sync.py`:
- Around line 1-24: The issue is that tools/docs_sync.py is not Ruff-formatted
and is causing the python-quality check to fail. Run Ruff format on the
sync_docs module and keep the same behavior while aligning import spacing,
function body formatting, and any other style changes Ruff applies, especially
around sync_docs and the __main__ entrypoint.

In `@tools/generate_knowledge_graph.py`:
- Around line 14-19: The traversal in generate_knowledge_graph.py is using
substring matching and unstable walk order, which can skip valid paths and
produce nondeterministic file IDs. Update the directory filtering inside the
os.walk loop to check path components in dirpath rather than any(exclude in
dirpath), and make the walk deterministic by sorting both dirnames and filenames
before processing them in the file_id_counter assignment logic. Keep the changes
localized to the traversal and ID-generation flow so docs/knowledge_graph.json
stays stable across runs.
- Around line 1-77: The file needs Ruff formatting before merge because
`python-quality` is failing on style. Run the formatter on
`generate_knowledge_graph` and keep the existing logic intact, ensuring the
imports, spacing, and any multiline structures match Ruff’s expected formatting
so the file no longer triggers a reformat diff.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ef38bba1-31a0-4c12-9b0f-aad6aac9ebe9

📥 Commits

Reviewing files that changed from the base of the PR and between c110413 and 6c81268.

📒 Files selected for processing (12)
  • .github/ISSUE_TEMPLATE/issue_template.md
  • .github/pull_request_template.md
  • .github/workflows/ai-review.yml
  • .github/workflows/ci.yml
  • .github/workflows/greetings.yml
  • .github/workflows/pages.yml
  • .github/workflows/repo-maintenance.yml
  • .github/workflows/stale.yml
  • CODE_OF_CONDUCT.md
  • CONTRIBUTING.md
  • tools/docs_sync.py
  • tools/generate_knowledge_graph.py
📜 Review details
⚠️ CI failures not shown inline (13)

GitHub Actions: AI Code Review / review: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]GITHUB_TOKEN Permissions
 Contents: read
 Metadata: read
 Packages: read
 ##[endgroup]
 Secret source: Actions
 Prepare workflow directory
 Prepare all required actions
 Getting action download info
 ##[error]Unable to resolve action `coderabbitai/openai-pr-reviewer`, not found

GitHub Actions: AI Code Review / 0_review.txt: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]GITHUB_TOKEN Permissions
 Contents: read
 Metadata: read
 Packages: read
 ##[endgroup]
 Secret source: Actions
 Prepare workflow directory
 Prepare all required actions
 Getting action download info
 ##[error]Unable to resolve action `coderabbitai/openai-pr-reviewer`, not found

GitHub Actions: CI / 0_test.txt: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run $HOME/.cargo/bin/uv venv
 �[36;1m$HOME/.cargo/bin/uv venv�[0m
 �[36;1m$HOME/.cargo/bin/uv pip install -e ".[dev]"�[0m
 shell: /usr/bin/bash -e {0}
 env:
   pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
 ##[endgroup]
 /home/runner/work/_temp/e7f1eb3d-b2c3-4955-b6a3-2e1ada02151e.sh: line 1: /home/runner/.cargo/bin/uv: No such file or directory
 ##[error]Process completed with exit code 127.

GitHub Actions: CI / test: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run $HOME/.cargo/bin/uv venv
 �[36;1m$HOME/.cargo/bin/uv venv�[0m
 �[36;1m$HOME/.cargo/bin/uv pip install -e ".[dev]"�[0m
 shell: /usr/bin/bash -e {0}
 env:
   pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
 ##[endgroup]
 /home/runner/work/_temp/e7f1eb3d-b2c3-4955-b6a3-2e1ada02151e.sh: line 1: /home/runner/.cargo/bin/uv: No such file or directory
 ##[error]Process completed with exit code 127.

GitHub Actions: AI PR Agent / Run PR Agent: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

        \"target\": class_id,\n53 +                            \"type\": \"contains\"\n54 +                        })\n55 +                    elif isinstance(node, ast.FunctionDef):\n56 +                        func_id = f\"func_{file_id}_{node.name}\"\n57 +                        graph[\"nodes\"].append({\n58 +                            \"id\": func_id,\n59 +                            \"type\": \"function\",\n60 +                            \"label\": node.name,\n61 +                            \"file\": filepath\n62 +                        })\n63 +                        graph[\"edges\"].append({\n64 +                            \"source\": file_id,\n65 +                            \"target\": func_id,\n66 +                            \"type\": \"contains\"\n67 +                        })\n68 +\n69 +            except Exception as e:\n70 +                print(f\"Error parsing {filepath}: {e}\")\n71 +\n72 +    os.makedirs('docs', exist_ok=True)\n73 +    with open('docs/knowledge_graph.json', 'w') as f:\n74 +        json.dump(graph, f, indent=2)\n75 +\n76 +if __name__ == '__main__':\n77 +    generate_knowledge_graph()\n78\n\n\n## File: .github/ISSUE_TEMPLATE/issue_template.md'\n\n@@ -0,0 +1,32 @@\n__new hunk__\n1 +---\n2 +name: Issue Report\n3 +about: Create a report to help us improve\n4 +title: ''\n5 +labels: ''\n6 +assignees: ''\n7 +\n8 +---\n9 +\n10 +**Describe the bug or feature request**\n11 +A clear and concise description of what the bug is or what the feature request is about.\n12 +\n13 +**To Reproduce**\n14 +Steps to reproduce the behavior (if applicable):\n15 +1. Go to '...'\n16 +2. Click on '....'\n17 +3. Scroll down to '....'\n18 +4. See error\n19 +\n20 +**Expected behavior**\n21 +A clear and concise description of what you expected to happen.\n22 +\n23 +**Screenshots**\n24 +If applicable, add screenshots to help explain your problem.\n25 +\n26 +**Desktop (please complete the following information):**\n27 + - OS: [e.g. iOS]\n28 + - Browser [e.g....

GitHub Actions: AI PR Agent / 0_Run PR Agent.txt: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

n53 +                            \"type\": \"contains\"\n54 +                        })\n55 +                    elif isinstance(node, ast.FunctionDef):\n56 +                        func_id = f\"func_{file_id}_{node.name}\"\n57 +                        graph[\"nodes\"].append({\n58 +                            \"id\": func_id,\n59 +                            \"type\": \"function\",\n60 +                            \"label\": node.name,\n61 +                            \"file\": filepath\n62 +                        })\n63 +                        graph[\"edges\"].append({\n64 +                            \"source\": file_id,\n65 +                            \"target\": func_id,\n66 +                            \"type\": \"contains\"\n67 +                        })\n68 +\n69 +            except Exception as e:\n70 +                print(f\"Error parsing {filepath}: {e}\")\n71 +\n72 +    os.makedirs('docs', exist_ok=True)\n73 +    with open('docs/knowledge_graph.json', 'w') as f:\n74 +        json.dump(graph, f, indent=2)\n75 +\n76 +if __name__ == '__main__':\n77 +    generate_knowledge_graph()\n78\n\n\n## File: .github/ISSUE_TEMPLATE/issue_template.md'\n\n@@ -0,0 +1,32 @@\n__new hunk__\n1 +---\n2 +name: Issue Report\n3 +about: Create a report to help us improve\n4 +title: ''\n5 +labels: ''\n6 +assignees: ''\n7 +\n8 +---\n9 +\n10 +**Describe the bug or feature request**\n11 +A clear and concise description of what the bug is or what the feature request is about.\n12 +\n13 +**To Reproduce**\n14 +Steps to reproduce the behavior (if applicable):\n15 +1. Go to '...'\n16 +2. Click on '....'\n17 +3. Scroll down to '....'\n18 +4. See error\n19 +\n20 +**Expected behavior**\n21 +A clear and concise description of what you expected to happen.\n22 +\n23 +**Screenshots**\n24 +If applicable, add screenshots to help explain your problem.\n25 +\n26 +**Desktop (please complete the following information):**\n27 + - OS: [e.g. iOS]\n28 + - Browser [e.g. chrome, safari]\n29 + - Versi...

GitHub Actions: Repository Maintenance / maintenance: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run curl -LsSf https://astral.sh/uv/install.sh | sh
 �[36;1mcurl -LsSf https://astral.sh/uv/install.sh | sh�[0m
 �[36;1m$HOME/.cargo/bin/uv venv�[0m
 �[36;1m$HOME/.cargo/bin/uv pip install --system pydeps xdg-utils cyclonedx-bom ruff�[0m
 shell: /usr/bin/bash -e {0}
 env:
   pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
 ##[endgroup]
 downloading uv 0.11.25 x86_64-unknown-linux-gnu
 installing to /home/runner/.local/bin
   uv
   uvx
 everything's installed!
 /home/runner/work/_temp/de0591be-bc9b-4f19-966c-c9d17014a024.sh: line 2: /home/runner/.cargo/bin/uv: No such file or directory
 ##[error]Process completed with exit code 127.

GitHub Actions: Repository Maintenance / 0_maintenance.txt: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run curl -LsSf https://astral.sh/uv/install.sh | sh
 �[36;1mcurl -LsSf https://astral.sh/uv/install.sh | sh�[0m
 �[36;1m$HOME/.cargo/bin/uv venv�[0m
 �[36;1m$HOME/.cargo/bin/uv pip install --system pydeps xdg-utils cyclonedx-bom ruff�[0m
 shell: /usr/bin/bash -e {0}
 env:
   pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
 ##[endgroup]
 downloading uv 0.11.25 x86_64-unknown-linux-gnu
 installing to /home/runner/.local/bin
   uv
   uvx
 everything's installed!
 /home/runner/work/_temp/de0591be-bc9b-4f19-966c-c9d17014a024.sh: line 2: /home/runner/.cargo/bin/uv: No such file or directory
 ##[error]Process completed with exit code 127.

GitHub Actions: Security Automation / secret-detection: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run ##########################################
 �[36;1m##########################################�[0m
 �[36;1m## ADVANCED USAGE                       ##�[0m
 �[36;1m## Scan by BASE & HEAD user inputs      ##�[0m
 �[36;1m## If BASE == HEAD, exit with error     ##�[0m
 �[36;1m##########################################�[0m
 �[36;1m# Check if jq is installed, if not, install it�[0m
 �[36;1mif ! command -v jq &> /dev/null�[0m
 �[36;1mthen�[0m
 �[36;1m  echo "jq could not be found, installing..."�[0m
 �[36;1m  apt-get -y update && apt-get install -y jq�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mgit status >/dev/null  # make sure we are in a git repository�[0m
 �[36;1mif [ -n "$BASE" ] || [ -n "$HEAD" ]; then�[0m
 �[36;1m  if [ -n "$BASE" ]; then�[0m
 �[36;1m    base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true�[0m
 �[36;1m  else�[0m
 �[36;1m    base_commit=""�[0m
 �[36;1m  fi�[0m
 �[36;1m  if [ -n "$HEAD" ]; then�[0m
 �[36;1m    head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true�[0m
 �[36;1m  else�[0m
 �[36;1m    head_commit=""�[0m
 �[36;1m  fi�[0m
 �[36;1m  if [ "$base_commit" == "$head_commit" ] ; then�[0m
 �[36;1m    echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."�[0m

GitHub Actions: Security Automation / 0_trivy-scan.txt: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run # `path` is passed via env to avoid script injection. As a result, shell
 �[36;1m# `path` is passed via env to avoid script injection. As a result, shell�[0m
 �[36;1m# variables (e.g. $HOME) and `~` inside it are NOT expanded. We validate it to:�[0m
 �[36;1m#   1. fail early with a clear message instead of silently creating a directory�[0m
 �[36;1m#      literally named `$HOME`;�[0m
 �[36;1m#   2. reject newlines, which could otherwise inject extra lines into the�[0m
 �[36;1m#      `$GITHUB_OUTPUT` file (and thus poison the `dir` output).�[0m
 �[36;1mcase "${INPUT_PATH}" in�[0m
 �[36;1m  *'$'* | *'~'*)�[0m
 �[36;1m    echo "::error::The 'path' input must be a literal path. Shell variables (e.g. \$HOME, \$USER) and '~' are not expanded. Use a GitHub expression that is resolved before the step runs, a relative path, or leave 'path' empty to use the default (\$HOME/.local/bin)." >&2�[0m

GitHub Actions: Security Automation / 2_secret-detection.txt: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run ##########################################
 �[36;1m##########################################�[0m
 �[36;1m## ADVANCED USAGE                       ##�[0m
 �[36;1m## Scan by BASE & HEAD user inputs      ##�[0m
 �[36;1m## If BASE == HEAD, exit with error     ##�[0m
 �[36;1m##########################################�[0m
 �[36;1m# Check if jq is installed, if not, install it�[0m
 �[36;1mif ! command -v jq &> /dev/null�[0m
 �[36;1mthen�[0m
 �[36;1m  echo "jq could not be found, installing..."�[0m
 �[36;1m  apt-get -y update && apt-get install -y jq�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mgit status >/dev/null  # make sure we are in a git repository�[0m
 �[36;1mif [ -n "$BASE" ] || [ -n "$HEAD" ]; then�[0m
 �[36;1m  if [ -n "$BASE" ]; then�[0m
 �[36;1m    base_commit=$(git rev-parse "$BASE" 2>/dev/null) || true�[0m
 �[36;1m  else�[0m
 �[36;1m    base_commit=""�[0m
 �[36;1m  fi�[0m
 �[36;1m  if [ -n "$HEAD" ]; then�[0m
 �[36;1m    head_commit=$(git rev-parse "$HEAD" 2>/dev/null) || true�[0m
 �[36;1m  else�[0m
 �[36;1m    head_commit=""�[0m
 �[36;1m  fi�[0m
 �[36;1m  if [ "$base_commit" == "$head_commit" ] ; then�[0m
 �[36;1m    echo "::error::BASE and HEAD commits are the same. TruffleHog won't scan anything. Please see documentation (https://github.com/trufflesecurity/trufflehog#octocat-trufflehog-github-action)."�[0m

GitHub Actions: Security Automation / trivy-scan: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run # `path` is passed via env to avoid script injection. As a result, shell
 �[36;1m# `path` is passed via env to avoid script injection. As a result, shell�[0m
 �[36;1m# variables (e.g. $HOME) and `~` inside it are NOT expanded. We validate it to:�[0m
 �[36;1m#   1. fail early with a clear message instead of silently creating a directory�[0m
 �[36;1m#      literally named `$HOME`;�[0m
 �[36;1m#   2. reject newlines, which could otherwise inject extra lines into the�[0m
 �[36;1m#      `$GITHUB_OUTPUT` file (and thus poison the `dir` output).�[0m
 �[36;1mcase "${INPUT_PATH}" in�[0m
 �[36;1m  *'$'* | *'~'*)�[0m
 �[36;1m    echo "::error::The 'path' input must be a literal path. Shell variables (e.g. \$HOME, \$USER) and '~' are not expanded. Use a GitHub expression that is resolved before the step runs, a relative path, or leave 'path' empty to use the default (\$HOME/.local/bin)." >&2�[0m

GitHub Actions: Code Quality Automation / 2_python-quality.txt: Feature: Autonomous Repository Management & Intelligence Ecosystem

Conclusion: failure

View job details

##[group]Run ruff check . --output-format=github
 �[36;1mruff check . --output-format=github�[0m
 �[36;1mruff format --check .�[0m
 shell: /usr/bin/bash -e {0}
 env:
   pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
 ##[endgroup]
 Would reformat: tools/docs_sync.py
 Would reformat: tools/generate_knowledge_graph.py
 2 files would be reformatted, 57 files already formatted
 ##[error]Process completed with exit code 1.
🧰 Additional context used
🪛 actionlint (1.7.12)
.github/workflows/stale.yml

[error] 15-15: the runner of "actions/stale@v8" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/greetings.yml

[error] 13-13: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 ast-grep (0.44.0)
tools/docs_sync.py

[warning] 15-15: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(index_path, 'w', encoding='utf-8')
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)

tools/generate_knowledge_graph.py

[warning] 24-24: File path is request-/variable-derived; validate and normalize to prevent path traversal.
Context: open(filepath, 'r', encoding='utf-8')
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

(open-filename-from-request)

🪛 GitHub Actions: Code Quality Automation / 2_python-quality.txt
tools/docs_sync.py

[error] 1-1: ruff format --check failed. File would be reformatted: tools/docs_sync.py.

tools/generate_knowledge_graph.py

[error] 1-1: ruff format --check failed. File would be reformatted: tools/generate_knowledge_graph.py.

🪛 GitHub Actions: Code Quality Automation / python-quality
tools/docs_sync.py

[error] 1-1: Ruff formatting check failed: file would be reformatted. Run 'ruff format --write tools/docs_sync.py' (or 'ruff format --write .').

tools/generate_knowledge_graph.py

[error] 1-1: Ruff formatting check failed: file would be reformatted. Run 'ruff format --write tools/generate_knowledge_graph.py' (or 'ruff format --write .').

🪛 LanguageTool
.github/pull_request_template.md

[style] ~2-~2: Consider using a different verb for a more formal wording.
Context: ...ummary of the change and which issue is fixed. Please also include relevant motivatio...

(FIX_RESOLVE)


[style] ~7-~7: Consider using a different verb for a more formal wording.
Context: ... [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaki...

(FIX_RESOLVE)

CODE_OF_CONDUCT.md

[style] ~20-~20: Try using a synonym here to strengthen your wording.
Context: ...vances * Trolling, insulting/derogatory comments, and personal or political attacks * Pu...

(COMMENT_REMARK)


[style] ~27-~27: ‘with regard to’ might be wordy. Consider a shorter alternative.
Context: ...s obligated to maintain confidentiality with regard to the reporter of an incident.

(EN_WORDINESS_PREMIUM_WITH_REGARD_TO)

CONTRIBUTING.md

[style] ~15-~15: Consider using a less common alternative to make your writing sound more unique and professional.
Context: ...int, you're ready to make your changes! Feel free to ask for help; everyone is a beginner at...

(FEEL_FREE_TO_STYLE_ME)

🪛 markdownlint-cli2 (0.22.1)
.github/pull_request_template.md

[warning] 1-1: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)


[warning] 1-1: First line in a file should be a top-level heading

(MD041, first-line-heading, first-line-h1)


[warning] 6-6: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)


[warning] 12-12: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)


[warning] 15-15: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🪛 YAMLlint (1.37.1)
.github/workflows/ci.yml

[warning] 3-3: truthy value should be one of [false, true]

(truthy)


[error] 5-5: too many spaces inside brackets

(brackets)


[error] 5-5: too many spaces inside brackets

(brackets)


[error] 7-7: too many spaces inside brackets

(brackets)


[error] 7-7: too many spaces inside brackets

(brackets)

.github/workflows/repo-maintenance.yml

[warning] 3-3: truthy value should be one of [false, true]

(truthy)


[error] 5-5: too many spaces inside brackets

(brackets)


[error] 5-5: too many spaces inside brackets

(brackets)


[error] 7-7: too many spaces inside brackets

(brackets)


[error] 7-7: too many spaces inside brackets

(brackets)

🪛 zizmor (1.26.1)
.github/workflows/pages.yml

[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 11-11: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level

(excessive-permissions)


[error] 12-12: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)


[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 35-35: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 11-11: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 19-19: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

.github/workflows/ai-review.yml

[warning] 1-19: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 8-8: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

.github/workflows/stale.yml

[error] 8-8: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level

(excessive-permissions)


[error] 9-9: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 8-8: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 12-12: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

.github/workflows/greetings.yml

[warning] 1-32: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 10-10: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-7: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

.github/workflows/ci.yml

[warning] 13-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 1-44: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 35-35: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 10-10: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-7: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

.github/workflows/repo-maintenance.yml

[warning] 16-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 10-10: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 10-10: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 13-13: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-7: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🔇 Additional comments (2)
.github/ISSUE_TEMPLATE/issue_template.md (1)

1-33: LGTM!

.github/pull_request_template.md (1)

1-23: LGTM!

Comment on lines +3 to +14
on:
pull_request:
types: [opened, synchronize]

jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: coderabbitai/openai-pr-reviewer@latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/ai-review.yml
printf '\n---\n'
cat -n .github/workflows/ai-review.yml

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 728


Guard the review job for forked PRs .github/workflows/ai-review.yml:3-14pull_request does not pass secrets.OPENAI_API_KEY to PRs from forks, so external contributors will hit a missing-secret path here. Add a fork/secret guard or move the secret-dependent step to a trusted trigger like pull_request_target.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 8-8: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-5: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 3 - 14, The review workflow
currently depends on OPENAI_API_KEY inside the review job, which breaks for
forked pull requests because that secret is unavailable. Update the ai-review
workflow to guard the coderabbitai/openai-pr-reviewer step against forked PRs or
switch the secret-dependent execution to a trusted trigger like
pull_request_target, using the review job and its env block as the main places
to adjust.

Comment on lines +7 to +18
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: coderabbitai/openai-pr-reviewer@latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
with:
debug: false
review_simple_changes: false
review_comment_lgtm: false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/ai-review.yml
echo '---'
nl -ba .github/workflows/ai-review.yml | sed -n '1,80p'

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 239


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
p = Path('.github/workflows/ai-review.yml')
text = p.read_text()
for i, line in enumerate(text.splitlines(), 1):
    print(f"{i:>4} {line}")
PY

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 655


🌐 Web query:

GitHub Actions GITHUB_TOKEN default permissions pull request review comments pull-requests write coderabbitai/openai-pr-reviewer permissions

💡 Result:

The GITHUB_TOKEN used in GitHub Actions defaults to read-only permissions for new repositories and organizations [1]. While it previously had broader read/write access, this change was implemented to improve security [1]. You can modify these permissions in repository or organization settings [2], or explicitly override them within a workflow or job using the permissions key [3][4]. To perform operations such as creating or managing pull request review comments using the coderabbitai/openai-pr-reviewer action (or similar tools), the GITHUB_TOKEN requires the pull-requests: write permission [5][6][7]. A common point of confusion is the distinction between pull request and issue resources in the GitHub API. Even though the REST API path for posting comments on pull requests often includes the word "issues" (e.g., /repos/{owner}/{repo}/issues/{issue_number}/comments), creating these comments is governed by the pull-requests scope [8][7]. Granting issues: write permission is often insufficient or incorrect for these actions, whereas pull-requests: write provides the necessary access to interact with pull request metadata and comments [7]. Additionally, if your workflow is triggered by a pull request from a forked repository, GitHub automatically restricts the GITHUB_TOKEN to read-only mode to prevent security exploits, unless you use the pull_request_target event [4][5][9]. Using pull_request_target allows the workflow to access secrets and have elevated write permissions, but it requires careful configuration to ensure code is checked out safely from the correct commit [5][6].

Citations:


🌐 Web query:

coderabbitai openai-pr-reviewer required permissions pull-requests contents read GitHub Actions

💡 Result:

To configure the CodeRabbit AI PR reviewer GitHub Action, your workflow file must explicitly define the required permissions to allow the action to read your code and post feedback [1][2][3]. The following permissions are required within your GitHub Actions workflow file [1][2][3]: permissions: contents: read pull-requests: write Explanation of these permissions: - contents: read: This is required for the action to check out and analyze your repository's code [1][3]. - pull-requests: write: This is required for the action to post comments, summaries, and review feedback on your pull requests [1][2][3]. These settings ensure the GITHUB_TOKEN used by the action has sufficient scope to perform its tasks [1][3]. If you are using the CodeRabbit GitHub App (rather than just the Actions-only setup), ensure that the app has also been granted the necessary repository access in your GitHub organization or repository settings [4][5][6].

Citations:


Add explicit workflow permissions for the review bot.

Declare permissions: contents: read and pull-requests: write on this job instead of inheriting the repository default token scopes; that’s the minimal access the action needs to read the repo and post PR feedback.

Suggested change
 jobs:
   review:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: coderabbitai/openai-pr-reviewer@latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
with:
debug: false
review_simple_changes: false
review_comment_lgtm: false
jobs:
review:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: coderabbitai/openai-pr-reviewer@latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
with:
debug: false
review_simple_changes: false
review_comment_lgtm: false
🧰 Tools
🪛 zizmor (1.26.1)

[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 8-8: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 7 - 18, The review job in the
ai-review workflow is relying on default GITHUB_TOKEN scopes instead of
explicitly declaring the minimal permissions needed. Update the review job
definition for coderabbitai/openai-pr-reviewer@latest to include job-level
permissions with contents: read and pull-requests: write so the action can read
the repository and post PR comments without broader access.

Source: Linters/SAST tools

Comment thread .github/workflows/ai-review.yml Outdated
Comment on lines +11 to +18
- uses: coderabbitai/openai-pr-reviewer@latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
with:
debug: false
review_simple_changes: false
review_comment_lgtm: false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== Workflow snippet ==\n'
nl -ba .github/workflows/ai-review.yml | sed -n '1,80p'

printf '\n== Search for pinning / zizmor policy references ==\n'
rg -n --hidden --glob '!**/.git/**' -e 'zizmor|pin|pinned|immutable|`@latest`|openai-pr-reviewer|supply-chain' .github README.md . || true

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 227


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== Workflow file ==\n'
awk '{printf "%4d %s\n", NR, $0}' .github/workflows/ai-review.yml | sed -n '1,120p'

printf '\n== Candidate policy files ==\n'
git ls-files | rg '(^|/)(README\.md|SECURITY\.md|CONTRIBUTING\.md|CODEOWNERS|zizmor|policy|security)' || true

printf '\n== Search for pinning / zizmor references ==\n'
rg -n --hidden --glob '!**/.git/**' -e 'zizmor|pin(ned|ning)?|immutable|`@latest`|openai-pr-reviewer|supply-chain' .github README.md SECURITY.md CONTRIBUTING.md CODEOWNERS . || true

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 50384


Pin coderabbitai/openai-pr-reviewer to a commit SHA.
.github/workflows/ai-review.yml:11 still uses @v1.17.1; tags can move upstream, so this privileged PR workflow should reference an immutable commit instead.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ai-review.yml around lines 11 - 18, The workflow step
using coderabbitai/openai-pr-reviewer is pinned to a mutable tag, which should
be replaced with an immutable commit reference. Update the uses entry in
ai-review.yml to point to a specific commit SHA instead of the current tag,
keeping the rest of the workflow step unchanged so the PR review action remains
deterministic and secure.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
Comment on lines +13 to +15
- uses: actions/checkout@v4
with:
lfs: true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Restrict token exposure in this job.

This pull_request job executes repository-controlled pytest, npm install, and npm run build steps after checkout. Because the workflow relies on repository-default token scopes and leaves the checkout credential persisted in Git config, those scripts inherit more repository access than they need. Add an explicit read-only permissions block and persist-credentials: false.

Suggested hardening
 name: CI
 
 on:
   push:
     branches: [ "main", "master" ]
   pull_request:
     branches: [ "main", "master" ]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
       with:
         lfs: true
+        persist-credentials: false

Also applies to: 31-43

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 13-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 13 - 15, The CI job currently exposes
more GitHub token access than needed after checkout. Update the workflow around
the `actions/checkout@v4` step and the job that runs `pytest`, `npm install`,
and `npm run build` to use an explicit read-only `permissions` block and set
`persist-credentials: false` on checkout so repository scripts do not inherit or
reuse the checkout credential.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
Comment on lines +13 to +18
- uses: actions/checkout@v4
with:
lfs: true

- name: Set up Python
uses: actions/setup-python@v5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow and surrounding lines with line numbers.
git ls-files .github/workflows/ci.yml
wc -l .github/workflows/ci.yml
cat -n .github/workflows/ci.yml | sed -n '1,120p'

Repository: NITISH-R-G/ev-grid-oracle

Length of output: 1405


Pin the GitHub Actions to immutable SHAs. .github/workflows/ci.yml:13,18,35 still uses mutable tags (actions/checkout@v4, actions/setup-python@v5, actions/setup-node@v4); pin them to full commit SHAs to avoid unexpected workflow changes.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 13-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 13-13: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 13 - 18, The workflow still uses
mutable GitHub Actions tags, so update the actions in ci.yml to immutable commit
SHAs instead of version tags. Replace the usages of actions/checkout,
actions/setup-python, and actions/setup-node in the CI job with their full
pinned SHAs, keeping the same step structure while ensuring each action
reference is fixed to a specific commit.

Source: Linters/SAST tools

Comment thread CODE_OF_CONDUCT.md
Comment on lines +25 to +27
## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a reporting contact method to the Enforcement section.

The Enforcement section directs people to contact "the project team" but provides no email, form, or other route. Add a dedicated email or link to a reporting form so the CoC is enforceable in practice.

🧰 Tools
🪛 LanguageTool

[style] ~27-~27: ‘with regard to’ might be wordy. Consider a shorter alternative.
Context: ...s obligated to maintain confidentiality with regard to the reporter of an incident.

(EN_WORDINESS_PREMIUM_WITH_REGARD_TO)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CODE_OF_CONDUCT.md` around lines 25 - 27, The Enforcement section in
CODE_OF_CONDUCT.md currently mentions contacting “the project team” without a
concrete reporting path; update that section to include a specific reporting
contact such as a dedicated email address or reporting form link so incidents
can be submitted directly. Keep the change localized to the Enforcement text and
make sure the new contact method is clearly identified alongside the existing
confidentiality language.

Comment thread CONTRIBUTING.md
Comment on lines +17 to +21
## Make a Pull Request

At this point, you should switch back to your master branch and make sure it's up to date with the main project's master branch.
Then run `uv run pytest tests/` and `cd web && npm test` to ensure tests are passing.
Once tests pass, open a Pull Request.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Replace "master" with "main" for default branch terminology.

Line 19 refers to "your master branch" and "master branch" of the main project. The PR objectives and modern GitHub defaults use main. Update to avoid confusion.

📝 Proposed fix
-At this point, you should switch back to your master branch and make sure it's up to date with the main project's master branch.
+At this point, you should switch back to your main branch and make sure it's up to date with the main project's main branch.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## Make a Pull Request
At this point, you should switch back to your master branch and make sure it's up to date with the main project's master branch.
Then run `uv run pytest tests/` and `cd web && npm test` to ensure tests are passing.
Once tests pass, open a Pull Request.
## Make a Pull Request
At this point, you should switch back to your main branch and make sure it's up to date with the main project's main branch.
Then run `uv run pytest tests/` and `cd web && npm test` to ensure tests are passing.
Once tests pass, open a Pull Request.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTRIBUTING.md` around lines 17 - 21, Update the branch terminology in the
Pull Request instructions to use main instead of master. In the “Make a Pull
Request” section, revise the wording around the default branch reference so both
mentions in that paragraph consistently refer to main; this change is isolated
to the CONTRIBUTING.md guidance text and should preserve the rest of the
instructions unchanged.

Comment thread tools/docs_sync.py
Comment thread tools/generate_knowledge_graph.py
Comment thread tools/generate_knowledge_graph.py Outdated
Comment on lines +14 to +19
for dirpath, _, filenames in os.walk(root_dir):
if any(exclude in dirpath for exclude in ['.git', '__pycache__', 'node_modules', '.venv', 'venv']):
continue

for filename in filenames:
if not filename.endswith('.py'):

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Make traversal component-based and deterministic.

any(exclude in dirpath ...) will incorrectly match unrelated paths like .github, and os.walk's native order is not stable enough to use for file_id_counter. Since .github/workflows/repo-maintenance.yml auto-commits docs/knowledge_graph.json, this can both miss files and create churn-only commits. Filter on path components and sort dirnames/filenames before assigning IDs.

Suggested fix
-import os
 import ast
 import json
+import os
+from pathlib import Path
+
+EXCLUDED_DIRS = {'.git', '__pycache__', 'node_modules', '.venv', 'venv'}
 
 def generate_knowledge_graph(root_dir='.'):
@@
-    for dirpath, _, filenames in os.walk(root_dir):
-        if any(exclude in dirpath for exclude in ['.git', '__pycache__', 'node_modules', '.venv', 'venv']):
+    for dirpath, dirnames, filenames in os.walk(root_dir):
+        if EXCLUDED_DIRS.intersection(Path(dirpath).parts):
             continue
+        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
 
-        for filename in filenames:
+        for filename in sorted(filenames):
             if not filename.endswith('.py'):
                 continue

Also applies to: 30-38

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/generate_knowledge_graph.py` around lines 14 - 19, The traversal in
generate_knowledge_graph.py is using substring matching and unstable walk order,
which can skip valid paths and produce nondeterministic file IDs. Update the
directory filtering inside the os.walk loop to check path components in dirpath
rather than any(exclude in dirpath), and make the walk deterministic by sorting
both dirnames and filenames before processing them in the file_id_counter
assignment logic. Keep the changes localized to the traversal and ID-generation
flow so docs/knowledge_graph.json stays stable across runs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant