feat: implement issue #404 — Compliance: sonar-s7637-exemption-missing (#405)
Code Review
This pull request adds SonarCloud S7637 exemptions in sonar-project.properties for several first-party reusable GitHub Actions workflow files. The reviewer suggests splitting the long, single-line list of multicriteria keys across multiple lines using backslashes to improve readability and make future diffs cleaner.
Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-26T15:42:03Z.
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 0e41d14a29bc63dcee5a2fed8e6fdab5e00e9503
Review mode: triage-approved (single reviewer)
Summary
Config-only change (+41/-0) to sonar-project.properties adding the canonical per-stub SonarCloud S7637 exemption for first-party reusable-ref caller workflows. Directly implements compliance issue #404. Exemptions are correctly scoped per-file (no blanket workflows/*.yml resourceKey); third-party uses: and ci/sonarcloud workflows retain full SHA-pin enforcement.
Linked issue analysis
Closes #404 (Compliance: sonar-s7637-exemption-missing). The issue asked for the canonical per-stub githubactions:S7637 exemption per standards/ci-standards.md#sonarcloud-exemption-first-party-reusable-ref-s7637. The PR adds exactly that: a multicriteria list of 10 entries with matching per-file ruleKey/resourceKey blocks. Substantively addressed.
Findings
Verified all 10 exempted files are first-party petry-projects/.github(-private) reusable caller stubs pinned to moving channels (@/stable): agent-shield, dev-lead, add-to-project, dependency-audit, etc. feature-ideation.yml is itself SHA-pinned so its exemption is inert/harmless. Multicriteria list matches the 10 defined blocks exactly; scoping is per-file (not blanket), so SHA-pin enforcement is preserved elsewhere. No secrets, no logic, no migrations. Only advisory note: gemini-code-assist raised a LOW cosmetic suggestion to split the long multicriteria line with backslash continuations — non-blocking style nit; the current single-line form passed SonarCloud's Quality Gate.
CI status
All required checks green. SonarCloud Quality Gate PASSED (0 new issues, 0 security hotspots). CodeQL (actions/javascript/python) SUCCESS. CI Pipeline, gitleaks secret scan, Node tests, Playwright, Coverage, AgentShield all SUCCESS. CodeRabbit StatusContext SUCCESS. Codex/CodeRabbit interactive reviews were rate-limited, but SonarCloud + Gemini provide adequate advisory coverage and the prior auto-approval hold window (reset 2026-06-26T15:42:03Z) has elapsed. mergeStateStatus BLOCKED only on required human/team review (org-leads), not on failing checks.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@sonar-project.properties`:
- Around line 7-15: The inline SonarCloud exemption comment contains the wrong
issue reference; update the referenced issue number in the explanatory comment
so it matches the actual PR objective. Check the surrounding exemption note near
the reusable caller stubs and replace the `#498` reference with the correct
issue identifier, keeping the rest of the rationale unchanged.
Dev-Lead — review-changes (applied): Changes committed and pushed.
Dev-Lead — fix-reviews (no-changes)
Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-26T19:25:33Z.
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 1a032c81814d23f56308e7f29536a6419952d1d7
Review mode: triage-approved (single reviewer)
Summary
Adds the canonical per-stub SonarCloud S7637 exemption to sonar-project.properties (+51/-0, one file), suppressing the 'unpinned action' warning on 10 first-party reusable-ref caller stubs. Scoped per-file via **/.yml resourceKeys — not a blanket workflows/*.yml rule — so ci.yml/sonarcloud.yml and any third-party uses: retain full SHA-pin enforcement.
Linked issue analysis
Closes #404 (compliance: sonar-s7637-exemption-missing). The issue asked for the canonical per-stub S7637 exemption for first-party reusable-ref caller stubs pinned to moving channels. The PR implements exactly that, with an explanatory comment block citing standards/ci-standards.md#sonarcloud-exemption-first-party-reusable-ref-s7637. Substantively addressed.
Findings
Verified all 10 exempted files at the head SHA are genuine thin caller stubs, each containing a single first-party uses: ref (petry-projects/.github or .github-private reusable workflows): agent-shield, pr-review-mention, pr-auto-review (@v2), auto-rebase, dependabot-rebase, dependabot-automerge, dependency-audit, feature-ideation (already SHA-pinned @897e4d…#v1 — exemption harmless), add-to-project, dev-lead — the rest pinned to @/stable moving channels. No third-party uses: is exempted, so SHA-pin enforcement is not weakened where it counts. Per-file resourceKeys avoid the over-broad blanket the comment explicitly warns against. No secrets, no logic, no other files touched. No findings.
CI status
All required checks green. SonarCloud Quality Gate passed (0 new issues); CodeQL (actions/javascript-typescript/python), gitleaks secret scan, build-and-test, Node.js Tests, Playwright UI, coverage, dependency-audit, agent-shield all SUCCESS. Inapplicable ecosystem audits (pnpm/cargo/pip/go) and dependabot-automerge correctly SKIPPED.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
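The per-file scoping both reviews describe, shown as an added illustration rather than the PR's actual sonar-project.properties: the rule key githubactions:S7637 comes from the thread, while the entry names, the workflow file paths and the choice of three of the ten stubs are assumptions. It also uses the backslash continuation style the Gemini review suggested.

```properties
# Added illustration, not the PR's file. Rule key from the review; paths assumed.

# Over-broad form the exemption comment warns against (kept commented out):
# one glob covering every workflow would also silence the unpinned-action
# rule for third-party `uses:` references and for ci.yml / sonarcloud.yml.
#sonar.issue.ignore.multicriteria=blanket
#sonar.issue.ignore.multicriteria.blanket.ruleKey=githubactions:S7637
#sonar.issue.ignore.multicriteria.blanket.resourceKey=.github/workflows/*.yml

# Per-file form: one entry per first-party reusable-ref caller stub that is
# intentionally pinned to a moving channel (@stable). Everything not listed
# here keeps full SHA-pin enforcement. Java .properties syntax: a trailing
# backslash continues the value on the next line, so the entry list stays
# readable and future diffs touch a single line per stub.
sonar.issue.ignore.multicriteria=\
  stub-agent-shield,\
  stub-dev-lead,\
  stub-add-to-project

sonar.issue.ignore.multicriteria.stub-agent-shield.ruleKey=githubactions:S7637
sonar.issue.ignore.multicriteria.stub-agent-shield.resourceKey=**/agent-shield.yml

sonar.issue.ignore.multicriteria.stub-dev-lead.ruleKey=githubactions:S7637
sonar.issue.ignore.multicriteria.stub-dev-lead.resourceKey=**/dev-lead.yml

sonar.issue.ignore.multicriteria.stub-add-to-project.ruleKey=githubactions:S7637
sonar.issue.ignore.multicriteria.stub-add-to-project.resourceKey=**/add-to-project.yml
```

A quick self-check after editing: every name in the comma-separated list must have exactly one matching ruleKey/resourceKey pair, and no resourceKey should match a file that contains a third-party `uses:` reference.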
CI Failure: SonarCloud Code Analysis (step: SonarCloud Quality Gate). The PR modifies … Suggested fix: Run …



Closes #404
Implemented by dev-lead agent. Please review.