
feat: implement issue #329 — Compliance: non-stub-feature-ideation.yml#406

Merged: don-petry merged 1 commit into main from dev-lead/issue-329-20260626-1610, Jun 26, 2026

@don-petry don-petry commented Jun 26, 2026

Collaborator

Closes #329

Implemented by dev-lead agent. Please review.

Summary by CodeRabbit

  • New Features

    • The Ideas automation now also runs when a new GitHub Discussion is created.
    • It can automatically focus on a single newly created idea discussion for more targeted responses.
  • Bug Fixes

    • The automation now ignores non-Ideas discussions and bot-created discussions, reducing unintended runs.
    • Scheduled and manual runs continue to work as before.

@don-petry don-petry requested a review from a team as a code owner June 26, 2026 16:14
@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@gemini-code-assist


Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Walkthrough

This workflow now listens for created GitHub Discussions, limits ideation runs to Ideas-category discussions from non-bot authors, and passes the discussion number into the reusable ideation workflow while keeping schedule and manual dispatch paths unchanged.

Changes

Discussion-triggered ideation

| Layer / File(s) | Summary |
| --- | --- |
| Add discussion trigger (.github/workflows/feature-ideation.yml) | Adds a discussion.created trigger to the workflow. |
| Gate ideate job (.github/workflows/feature-ideation.yml) | Runs ideate for discussion events only when the discussion is in the Ideas category and the author is not a bot; scheduled and manual runs are unchanged. |
| Pass discussion input (.github/workflows/feature-ideation.yml) | Updates the reusable workflow pin and passes target_discussion from the discussion number on discussion events. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • petry-projects/broodly issue 351 — touches the same workflow and reusable workflow pin/reference, matching the discussion-trigger and caller-input changes here.
  • petry-projects/.github-private issue 944 — concerns the same workflow pinning/reference pattern updated in this PR.
  • petry-projects/markets issue 294 — also centers on .github/workflows/feature-ideation.yml and its reusable workflow reference.

Possibly related PRs

  • petry-projects/google-app-scripts#141: Also changes .github/workflows/feature-ideation.yml to adjust discussion-based ideation inputs and trigger handling around the same reusable workflow.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Linked Issues check | ⚠️ Warning | The summary indicates a newer pinned revision, but [#329] requires the reusable workflow to be delegated at @v1. | Match the canonical stub from the standard and pin feature-ideation-reusable.yml to @v1. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly names issue #329 and the compliance-focused feature-ideation workflow change. |
| Out of Scope Changes check | ✅ Passed | All edits stay within feature-ideation workflow config and appear related to the compliance fix. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@don-petry

Collaborator Author

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #406
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-26T16:44:56Z

@don-petry

Collaborator Author

Note

@don-petry I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-06-26T16:44:56Z

@don-petry don-petry enabled auto-merge (squash) June 26, 2026 16:15
@sonarqubecloud

@don-petry don-petry disabled auto-merge June 26, 2026 16:15
@don-petry

Collaborator Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
**Tier 1 Blockers:** Zero
---
## Assessment
The SonarCloud quality gate has passed for this PR. The bot report shows **no actionable issues**—there are no new code issues, security hotspots, or coverage violations flagged. All quality measures passed their thresholds.
Since:
1. All CI checks passed
2. No Tier 1 blockers exist
3. The bot reports "Quality Gate passed" with zero new issues
4. No specific files, line numbers, or code patterns are flagged as problematic
**No changes are required.** The PR is ready from a code quality and security perspective.

@don-petry don-petry enabled auto-merge (squash) June 26, 2026 16:15

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/feature-ideation.yml (1)

84-87: 🎯 Functional Correctness | 🔵 Trivial

Replace category.slug with category.id to ensure workflow stability against category renames

The current guard relies on github.event.discussion.category.slug, which is a URL-friendly string generated from the category name. If the category name is updated in repository settings (e.g., "Ideas" to "Feature Requests"), the slug will change, causing this workflow condition to fail silently.

The user.type check ('Bot') correctly filters automated accounts as confirmed by GitHub webhook schemas, but the slug dependency poses a significant maintenance risk. Switch to the immutable category.id for robustness:

if: >-
  github.event_name != 'discussion' ||
  (github.event.discussion.category.id == <FIND_CATEGORY_ID> &&
   github.event.discussion.user.type != 'Bot')

Retrieve the current category's numeric ID from the repository's Discussion settings or the GitHub API and replace <FIND_CATEGORY_ID>.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/feature-ideation.yml around lines 84 - 87, The workflow
guard in the discussion trigger logic still depends on
github.event.discussion.category.slug, which can change when the category is
renamed. Update the condition in the feature-ideation workflow to use
github.event.discussion.category.id instead, keeping the
github.event.discussion.user.type != 'Bot' check unchanged, and replace the slug
comparison with the current immutable numeric category ID so the workflow stays
stable across category name changes.
📥 Commits

Reviewing files that changed from the base of the PR and between 3e9a242 and 4c9371d.

📒 Files selected for processing (1)
  • .github/workflows/feature-ideation.yml

@don-petry don-petry disabled auto-merge June 26, 2026 16:18
@don-petry

Collaborator Author

Dev-Lead — fix-reviews (no-changes)

Agent reasoning
Addressed 0 threads:
(open threads list is empty — nothing to fix)
Test verification: skipped — no code changes made
Files changed: none
The PR is clean: all CI checks pass, no reviewer has requested changes, and there are no open review threads. It is ready for merge.

@don-petry don-petry enabled auto-merge (squash) June 26, 2026 16:18
@don-petry don-petry disabled auto-merge June 26, 2026 16:27
@don-petry

Collaborator Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 26, 2026 16:27

@donpetry-bot donpetry-bot left a comment

Contributor

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 4c9371d904d0b7a8c4e399248c305dbaa34c5ef2
Review mode: triage-approved (single reviewer)

Summary

Adds a discussion: created trigger (Ideas-category, non-bot guard) to feature-ideation.yml, passes target_discussion into the reusable workflow, and updates the reusable pin to 897e4de. Verified against the org canonical stub (standards/workflows/feature-ideation.yml@main): the trigger, if-guard, target_discussion input, and the exact pinned SHA all match verbatim. This is the correct remediation for compliance issue #329 (bring the non-stub workflow in line with the canonical @v1 stub).

Linked issue analysis

Issue #329 is a compliance finding (non-stub-feature-ideation.yml): the workflow must match the canonical stub that delegates to feature-ideation-reusable.yml@v1. The PR brings the repo copy in line with standards/workflows/feature-ideation.yml@main exactly — same trigger, same guard, same target_discussion wiring, same pinned SHA. Substantively addressed.

Findings

No blocking findings.

  • Pin change 419c90f -> 897e4de initially looks like a downgrade (897e4de is a 33-commit ancestor of 419c90f), but it matches the org canonical stub verbatim, which is the source of truth per the org standard. Not guessed; correct.
  • if: guard is sound: non-discussion events (schedule/dispatch) always run; discussion events run only for category 'ideas' and non-Bot authors, preventing the bot's own enhancement comments from re-firing.
  • target_discussion: ${{ github.event.discussion.number }} is empty on schedule/dispatch (reusable handles via inputs.target_discussion || '') and carries the new discussion number on the created trigger.
  • Note (by design, not introduced here): the discussion trigger + discussions:write + AI analyst processing user-authored discussion content is a prompt-injection surface, but this is inherent to the issue #329 feature and handled inside the reusable workflow; the category/non-bot guard limits exposure.

CI status

All required checks green: build-and-test, Node.js Tests, Playwright UI Tests, coverage, CodeQL (Analyze actions/javascript-typescript/python), SonarCloud (quality gate passed, 0 new issues), Secret scan (gitleaks), dependency-audit, agent-shield. Conditional jobs (dependabot-automerge, ci-relay, reconcile-discussion, etc.) correctly SKIPPED. No changes-requested reviews; coderabbit COMMENTED only; bot comments are rate-limit/status notes with no actionable blockers.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
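
Added example (not part of the PR or of any reviewer's comment): a JavaScript model of the ideate job's guard as the reviews above describe it, evaluated over constructed event contexts, including the category-rename case CodeRabbit raised and the empty target_discussion on schedule runs. The function names, the payloads and IDEAS_CATEGORY_ID are assumptions for illustration; the workflow's actual `if:` text does not appear on this page.

```javascript
// Model of the guard described in the reviews, not the workflow's own text.
// All payloads are constructed; IDEAS_CATEGORY_ID is a placeholder value.
const IDEAS_CATEGORY_ID = 1001;

// GitHub Actions expressions compare strings case-insensitively.
const eq = (a, b) => String(a ?? '').toLowerCase() === String(b ?? '').toLowerCase();

// Schedule/dispatch always run; discussion events run only for the
// Ideas category and non-Bot authors.
function guardBySlug(ctx) {
  const d = ctx.event.discussion;
  return !eq(ctx.event_name, 'discussion') ||
    (eq(d?.category?.slug, 'ideas') && !eq(d?.user?.type, 'Bot'));
}

// Variant suggested by CodeRabbit: key on the category id, not the slug.
function guardById(ctx) {
  const d = ctx.event.discussion;
  return !eq(ctx.event_name, 'discussion') ||
    (d?.category?.id === IDEAS_CATEGORY_ID && !eq(d?.user?.type, 'Bot'));
}

// target_discussion: the discussion number on discussion events, '' otherwise.
function targetDiscussion(ctx) {
  const n = ctx.event.discussion?.number;
  return Number.isInteger(n) && n > 0 ? String(n) : '';
}

// Builds a constructed discussion.created context.
const discussion = (slug, type, id = IDEAS_CATEGORY_ID) => ({
  event_name: 'discussion',
  event: { discussion: { number: 42, user: { type }, category: { id, slug } } },
});

const cases = {
  schedule: { event_name: 'schedule', event: {} },
  ideasByUser: discussion('ideas', 'User'),
  ideasByBot: discussion('ideas', 'Bot'),
  renamedCategory: discussion('feature-requests', 'User'), // same id, new slug
  otherCategory: discussion('q-a', 'User', 2002),
};

function evaluateAll() {
  return Object.fromEntries(Object.entries(cases).map(([name, ctx]) =>
    [name, { slug: guardBySlug(ctx), id: guardById(ctx), target: targetDiscussion(ctx) }]));
}

console.table(evaluateAll());
```

The renamedCategory row is the silent-skip case: the slug guard evaluates to false while the id guard still admits the event.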

@don-petry don-petry merged commit 6fb9412 into main Jun 26, 2026
34 checks passed
@don-petry don-petry deleted the dev-lead/issue-329-20260626-1610 branch June 26, 2026 18:19
@github-actions

Contributor

CI Failure: SonarCloud Code Analysis

Step: SonarCloud Quality Gate
Root cause: Config error

The PR modifies .github/workflows/feature-ideation.yml by adding a discussion: created trigger and passing target_discussion: ${{ github.event.discussion.number }} to the reusable workflow. SonarCloud flagged this change — the expression github.event.discussion.number is context-dependent and resolves to empty on schedule or workflow_dispatch triggers, which can be detected as an untrusted or potentially unsafe input reaching a reusable workflow call. This pattern is a known SonarCloud security hotspot in GitHub Actions YAML.

Suggested fix: Wrap the target_discussion value with a null-coalescing guard — e.g. target_discussion: ${{ github.event.discussion.number || '' }} — or confirm the reusable workflow declares the input as optional with a safe default, then suppress the hotspot in SonarCloud if it is a false positive.
