
ci: inline NOSONAR(S7637) markers on first-party caller stubs (#549 canonical migration) #300

Merged
don-petry merged 9 commits into main from chore/s7637-inline-marker on Jun 30, 2026

Conversation

@don-petry (Contributor)

Adds the canonical inline # NOSONAR(githubactions:S7637) marker to channel-pinned first-party caller stubs (9 file(s)). Preserves channel pins. Controlled fleet migration (#549/#551), not the weekly audit. hands-off so no agent re-SHA-pins. Legacy sonar-project.properties S7637 entries removed in a verified follow-up.

@don-petry don-petry requested a review from a team as a code owner June 30, 2026 19:51
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Warning

Review limit reached

@don-petry, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 59 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c4c3d721-d0e7-4f60-8cf1-42ffd6fc704e

📥 Commits

Reviewing files that changed from the base of the PR and between ab7508f and 9b74281.

📒 Files selected for processing (9)
  • .github/workflows/add-to-project.yml
  • .github/workflows/agent-shield.yml
  • .github/workflows/auto-rebase.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/dependabot-rebase.yml
  • .github/workflows/dependency-audit.yml
  • .github/workflows/dev-lead.yml
  • .github/workflows/pr-review-mention.yml
  • .github/workflows/pr-review.yml

@sonarqubecloud

@don-petry (Contributor, Author)

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 30, 2026 19:52
@donpetry-bot (Contributor)

Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-30T20:53:46Z.

@donpetry-bot donpetry-bot left a comment (Contributor)

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 9b74281751df544c8f724802ab520cf3aedf437d
Review mode: triage-approved (single reviewer)

Summary

Adds the canonical inline # NOSONAR(githubactions:S7637) first-party channel ref marker to the uses: line of 9 first-party caller-stub workflows. Change is comment-only (the 16 deletions are identical line re-adds from trailing-newline trimming); no logic, permissions, secrets, or channel pins changed. Part of controlled fleet migration #549/#551. Confirms triage's low-risk assessment.

Linked issue analysis

No linked issue (closingIssuesReferences empty); this is tracked migration work (#549/#551), not an issue fix, so no acceptance criteria to verify.

Findings

  • All 9 edits are additive inline comments suppressing only SonarCloud rule S7637 (pin-to-SHA) on uses: lines that reference first-party org-controlled reusable workflows (petry-projects/.github, petry-projects/.github-private) via channel pins (@*/stable). Channel-pinning first-party reusable workflows is the established org pattern; suppression is narrowly scoped to S7637 and does not weaken third-party action pinning. Not a security regression.
  • Nit (non-blocking): every edited file lost its trailing newline (\ No newline at end of file). POSIX prefers a final newline; harmless here and not worth blocking.
  • No secrets, credentials, schema/migration, or behavioral changes. Comment-only diff confirmed by inspection.

CI status

All required checks green: CodeQL SUCCESS, gitleaks secret-scan SUCCESS, SonarCloud Quality Gate PASSED (0 new issues, 0 hotspots), CodeRabbit/Analyze SUCCESS. Backend/Frontend CI and audit jobs SKIPPED (not applicable to workflow-comment changes). mergeable: MERGEABLE, state BLOCKED only on required review (this approval).


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
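As an added example (not code from this PR, from SonarCloud, or from the petry-projects repositories), the pinning convention the review above describes can be expressed as a small standalone checker: a `uses:` ref pinned to a full 40-hex commit SHA passes, a first-party (petry-projects) channel ref passes only when its line carries the inline `NOSONAR(githubactions:S7637)` marker, and everything else is reported. Unlike SonarCloud's own NOSONAR handling, the marker here does not silence a third-party ref, which is the "does not weaken third-party action pinning" property the review relies on. The sample workflow, the `channels/stable` channel path, the placeholder SHA and the third-party action refs are constructed assumptions.

```python
import re

# The inline suppression marker this PR adds (taken from the PR description).
MARKER = "NOSONAR(githubactions:S7637)"

# Owners whose reusable workflows may be channel-pinned (org name from the PR).
FIRST_PARTY_OWNERS = {"petry-projects"}

# Matches `uses: <ref>` (with an optional list dash for step entries) and
# captures the trailer, which is where an inline comment/marker would live.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)\s*(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(line, first_party_owners=FIRST_PARTY_OWNERS):
    """Classify one `uses:` line under the pinning policy.

    Returns (status, ref), or None if the line is not a `uses:` line.
    status is one of:
      'sha-pinned'           - ref pinned to a full commit SHA (any owner)
      'first-party-marked'   - first-party channel ref carrying the S7637 marker
      'first-party-unmarked' - first-party channel ref missing the marker
      'third-party-unpinned' - third-party ref on a tag/branch (real finding,
                               the marker does NOT excuse it here)
      'local'                - ./path reference, not subject to pinning
    """
    m = USES_RE.match(line)
    if not m:
        return None
    ref, trailer = m.group(1), m.group(2)
    if ref.startswith("./"):
        return ("local", ref)
    path, _, version = ref.partition("@")
    owner = path.split("/")[0]
    if SHA_RE.match(version):
        return ("sha-pinned", ref)
    if owner in first_party_owners:
        if MARKER in trailer:
            return ("first-party-marked", ref)
        return ("first-party-unmarked", ref)
    return ("third-party-unpinned", ref)


def audit_workflow(text, first_party_owners=FIRST_PARTY_OWNERS):
    """Classify every `uses:` line; returns [(line_no, status, ref), ...]."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        c = classify_uses(line, first_party_owners)
        if c is not None:
            results.append((n, c[0], c[1]))
    return results


def findings(text, first_party_owners=FIRST_PARTY_OWNERS):
    """Only the statuses a reviewer should act on."""
    return [r for r in audit_workflow(text, first_party_owners)
            if r[1] in ("first-party-unmarked", "third-party-unpinned")]


# Constructed sample caller stub (not one of the PR's files). The channel path
# `channels/stable`, the all-zero placeholder SHA and the third-party action
# refs are assumptions for illustration only.
SAMPLE_WORKFLOW = """\
name: pr-review (sample)
on: [pull_request]
jobs:
  review:
    uses: petry-projects/.github/.github/workflows/pr-review.yml@channels/stable  # NOSONAR(githubactions:S7637) first-party channel ref
    secrets: inherit
  audit:
    uses: petry-projects/.github-private/.github/workflows/dependency-audit.yml@channels/stable
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, status, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{line_no:3d} {status:22s} {ref}")
```

Run against the constructed sample, `findings()` reports line 8 (a first-party channel ref that lost its marker) and line 13 (a third-party action on a floating tag); the marked first-party ref, the SHA-pinned checkout and the local action are accepted. The checker is deliberately stricter than NOSONAR itself, so it can sit beside SonarCloud as a guard that the marker is only ever applied to org-controlled refs.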

@don-petry don-petry merged commit 761efb9 into main Jun 30, 2026
24 checks passed
@don-petry don-petry deleted the chore/s7637-inline-marker branch June 30, 2026 19:56

@donpetry-bot donpetry-bot left a comment (Contributor)

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 9b74281751df544c8f724802ab520cf3aedf437d
Review mode: triage-approved (single reviewer)

Summary

Comment-only change adding the canonical inline # NOSONAR(githubactions:S7637) first-party channel ref marker to the uses: line of 9 first-party caller-stub workflows. No channel pins, inputs, permissions, or secrets wiring are altered; the only other delta is the trailing newline being dropped from each file. Author is the repo owner; part of the tracked controlled fleet migration (#549/#551).

Linked issue analysis

No linked closing issue (closingIssuesReferences empty). PR body cites #549/#551 as the migration context rather than a closeable issue, which is consistent with a fleet-wide marker rollout.

Findings

  • All 9 edits are identical inline suppression comments on uses: lines; diff body, channel refs (@*/stable), with:, and secrets: blocks are otherwise byte-identical.
  • All suppressed refs are FIRST-PARTY org reusable workflows (petry-projects/.github, petry-projects/.github-private) pinned to org-controlled channel tags. Suppressing S7637 (SHA-pin enforcement) for first-party channel refs is the documented org convention, not a third-party supply-chain risk.
  • Minor: each file loses its trailing newline (POSIX 'No newline at end of file'). Cosmetic only; non-blocking.
  • Secret-scanning MCP tool (run_secret_scanning) not available in this environment; relied on the passing gitleaks CI check instead. No secrets touched by the diff.

CI status

All required checks green or appropriately skipped: SonarCloud quality gate passed (0 new issues), CodeQL SUCCESS, gitleaks SUCCESS, AgentShield SUCCESS. No failing checks. reviewDecision already APPROVED. mergeStateStatus UNKNOWN (not yet computed by GitHub) — not a blocker.


Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
