feat: implement issue #431 — [Fleet Monitor] petry-projects/.github-private — pr-review-mention.yml by don-petry · Pull Request #479 · petry-projects/.github-private

don-petry · 2026-06-08T00:54:15Z

Closes #431

Implemented by dev-lead agent. Please review.

Summary by CodeRabbit

New Features
- Added manual and scheduled review workflow triggers for more flexible PR review runs.
- Improved review handling so fine-grained tokens now continue with reduced capabilities instead of stopping the run.
Bug Fixes
- Review posting now skips approval actions when approval permissions aren’t available.
- Batch review runs exit cleanly when there are no PRs to process.
Tests & Documentation
- Expanded validation tests and workflow checks.
- Updated implementation notes and workflow-related documentation.

coderabbitai · 2026-06-08T00:54:22Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR review workflows now use direct triggers, inherited secrets, and warning-based fine-grained PAT handling. Review runtime scripts change batch fallback, engine helpers, and health reporting, while cascade automation, validation scripts, and repository maintenance files are also updated.

Changes

Fine-grained PAT Soft-Warning and Secrets Inherit

Layer / File(s)	Summary
Workflow triggers and mention caller `.github/workflows/pr-review.yml`, `.github/workflows/pr-review-mention.yml`, `tests/test_pr_review_mention_stub.py`	`pr-review.yml` replaces `workflow_call` with scheduled, manual, and repository-dispatch triggers. `pr-review-mention.yml` switches to inherited secrets, and the Python stub validates the workflow job reference and secrets field.
Fine-grained PAT warning path `.github/workflows/pr-review.yml`, `scripts/verify-auth-scopes.sh`, `scripts/post-pr-review.sh`, `tests/test_verify_auth_scopes.bats`	`pr-review.yml` adds a Verify auth step that uses `GH_PAT_WORKFLOWS`, `verify-auth-scopes.sh` emits warnings and sets `HAS_CLASSIC_PAT=false` for fine-grained PATs, `post-pr-review.sh` skips approval when the flag is false, and the Bats tests assert the warning-based behavior.

Review Runtime and Engine Control Flow

Layer / File(s)	Summary
Batch gating and fallback `scripts/review-one-pr.sh`, `scripts/review-batch.sh`	`review-one-pr.sh` removes a duplicated human-requested-changes skip block, `review-batch.sh` exits early when `PRS_FILE` is empty, and Gemini fallback exit codes `55` and `127` now route into the unavailable/rate-limited path.
Engine verdict and reset helpers `scripts/engine.sh`	`engine.sh` redefines verdict extraction, cross-engine dispatch, and rate-limit reset parsing helpers, including the ISO timestamp writer used by `parse_reset_time` and `parse_reset_time_files`.
Daily health install and status output `.github/workflows/daily-pr-review-health.yml`, `scripts/pr_review_health.sh`	`daily-pr-review-health.yml` drops the pinned Claude Code version and conditional cache install, while `pr_review_health.sh` initializes `LOG_DIR` earlier and only writes `HAS_FAILURES=true` when failures are present.

Cascade and Review-Fix Automation

Layer / File(s)	Summary
Cascade body and PR actions `prompts/cascade-action.md`	`prompts/cascade-action.md` removes the static cross-engine agreement placeholder, inserts it conditionally before Findings, and replaces the tail with branch-update, auto-merge, escalation, and final status JSON logic.
Review-fix helper cleanup `scripts/dev-lead-fix-reviews.sh`, `docs/dev-lead/implementation-plan.md`	`scripts/dev-lead-fix-reviews.sh` keeps `setup_git_identity` in the PR checkout block, deletes a later duplicate helper set, and `docs/dev-lead/implementation-plan.md` updates the described rebase and conflict-resolution test cases.

Validation and Repository Maintenance

Layer / File(s)	Summary
File-mode case validation `evals/validate-cases.py`	`evals/validate-cases.py` adds schema loading, JSONL parsing, per-case schema validation, duplicate id checks, and the zero-case failure path for file-mode validation.
Directory-mode split validation `evals/validate-cases.py`	`evals/validate-cases.py` adds split id loading, dev/holdout overlap checks, skill discovery, and the aggregated directory-mode summary.
Manifest and dispatch checks `scripts/lib/validate-consumer-manifest.sh`, `scripts/initiative-planner/redispatch.sh`	`scripts/lib/validate-consumer-manifest.sh` now validates only that `surface_sources` keys resolve to existing workflow files, and `scripts/initiative-planner/redispatch.sh` updates dry-run cleanup and ref detection.
Ignore list and comment cleanup `.gitleaksignore`, `scripts/list-prs.sh`	`.gitleaksignore` adds new fingerprint suppressions for known fixture keys, and `scripts/list-prs.sh` removes redundant filter commentary.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

petry-projects — workflow failures detected 2026-06-22 #909: The workflow changes in pr-review.yml and pr-review-mention.yml adjust the same review/mention path described in the issue.

Possibly related PRs

petry-projects/.github-private#480: Also changes fine-grained PAT warning and auth-scope handling in pr-review.yml and scripts/verify-auth-scopes.sh.
petry-projects/.github-private#175: Touches daily-pr-review-health.yml and scripts/pr_review_health.sh, which are updated here.
petry-projects/.github-private#133: Also changes scripts/review-batch.sh fallback handling for review-one-pr.sh exit codes.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR also changes unrelated docs, eval tooling, gitleaks ignores, and several other workflows/scripts beyond pr-review-mention.yml.	Move unrelated docs, eval, and automation updates into separate PRs so this change stays scoped to the Fleet Monitor workflow fix.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title is specific and directly describes the main change to pr-review-mention.yml for issue `#431`.
Linked Issues check	✅ Passed	The PR updates pr-review-mention.yml and related auth handling to reduce workflow failures, matching issue `#431`'s goal.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch dev-lead/issue-431-20260608-0044

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands.}

gemini-code-assist

Code Review

This pull request introduces a new compliance test script, tests/test_pr_review_mention_stub.py, which verifies that the GitHub Actions workflow file .github/workflows/pr-review-mention.yml correctly uses secrets: inherit and references the expected reusable workflow. The review feedback suggests enhancing the script's robustness by catching potential YAML parsing errors (yaml.YAMLError) and verifying that the parsed YAML structure is a dictionary before accessing its keys to prevent runtime crashes.

Copilot

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

don-petry · 2026-06-08T01:19:29Z

Dev-Lead — rate-limited (intent: review-changes)

PR: #479
The retry cron will re-attempt automatically.

don-petry · 2026-06-08T01:19:30Z

Note

@don-petry I received your request but all AI engines are currently rate-limited. I'll retry automatically once the rate limit clears.
Rate limit resets at: unknown

don-petry · 2026-06-08T01:41:21Z

Dev-Lead Fix CI — rate-limited

PR: #479 | SHA: 0fd73ac3406b062f089c3144be518db5f344838b
All engines were rate-limited. The retry cron will re-attempt automatically.

don-petry · 2026-06-08T05:06:42Z

Dev-Lead Fix CI — applied

PR: #479 | SHA: 0fd73ac3406b062f089c3144be518db5f344838b
Fix committed and pushed. Waiting for CI.

github-actions · 2026-06-08T05:09:36Z

CI Failure: CodeQL

Step: CodeQL Analysis
Root cause: Lint/style

CodeQL flagged tests/test_pr_review_mention_stub.py line 56 with a high-severity "Clear-text logging of sensitive information" alert. The variable secrets_val holds the parsed value of the YAML secrets: key; because the name contains "secret", CodeQL treats it as potentially sensitive data and flags the print(f" actual: {secrets_val!r}") statement as leaking that value to stdout in clear text. This is a false positive in intent (the value is either "inherit" or a dict of secret names, not secret values), but CodeQL cannot distinguish that statically.

Suggested fix: Rename secrets_val to secrets_cfg (or any name not containing "secret") in tests/test_pr_review_mention_stub.py — this removes the taint source CodeQL uses to track the data flow without changing any logic.

View run logs

don-petry · 2026-06-08T05:09:53Z

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

don-petry · 2026-06-08T05:12:10Z

Dev-Lead — review-changes (applied)

Changes committed and pushed.

don-petry · 2026-06-08T05:14:25Z

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #479
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-08T05:44:24Z

don-petry · 2026-06-08T05:14:26Z

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-06-08T05:44:24Z

don-petry · 2026-06-27T04:41:32Z