ci: inline NOSONAR(S7637) markers on first-party caller stubs (#549 canonical migration) #300
Dev-Lead — review-changes (no-changes): No changes were needed for this PR.

Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-06-30T20:53:46Z.
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 9b74281751df544c8f724802ab520cf3aedf437d
Review mode: triage-approved (single reviewer)
Summary
Adds the canonical inline # NOSONAR(githubactions:S7637) first-party channel ref marker to the uses: line of 9 first-party caller-stub workflows. Change is comment-only (the 16 deletions are identical line re-adds from trailing-newline trimming); no logic, permissions, secrets, or channel pins changed. Part of controlled fleet migration #549/#551. Confirms triage's low-risk assessment.
Linked issue analysis
No linked issue (closingIssuesReferences empty); this is tracked migration work (#549/#551), not an issue fix, so no acceptance criteria to verify.
Findings
- All 9 edits are additive inline comments suppressing only SonarCloud rule S7637 (pin-to-SHA) on uses: lines that reference first-party org-controlled reusable workflows (petry-projects/.github, petry-projects/.github-private) via channel pins (@*/stable). Channel-pinning first-party reusable workflows is the established org pattern; suppression is narrowly scoped to S7637 and does not weaken third-party action pinning. Not a security regression.
- Nit (non-blocking): every edited file lost its trailing newline (\ No newline at end of file). POSIX prefers a final newline; harmless here and not worth blocking.
- No secrets, credentials, schema/migration, or behavioral changes. Comment-only diff confirmed by inspection.
CI status
All required checks green: CodeQL SUCCESS, gitleaks secret-scan SUCCESS, SonarCloud Quality Gate PASSED (0 new issues, 0 hotspots), CodeRabbit/Analyze SUCCESS. Backend/Frontend CI and audit jobs SKIPPED (not applicable to workflow-comment changes). mergeable: MERGEABLE, state BLOCKED only on required review (this approval).
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
donpetry-bot left a comment
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 9b74281751df544c8f724802ab520cf3aedf437d
Review mode: triage-approved (single reviewer)
Summary
Comment-only change adding the canonical inline # NOSONAR(githubactions:S7637) first-party channel ref marker to the uses: line of 9 first-party caller-stub workflows. No channel pins, inputs, permissions, or secrets wiring are altered; the only other delta is the trailing newline being dropped from each file. Author is the repo owner; part of the tracked controlled fleet migration (#549/#551).
Linked issue analysis
No linked closing issue (closingIssuesReferences empty). PR body cites #549/#551 as the migration context rather than a closeable issue, which is consistent with a fleet-wide marker rollout.
Findings
- All 9 edits are identical inline suppression comments on uses: lines; diff body, channel refs (@*/stable), with:, and secrets: blocks are otherwise byte-identical.
- All suppressed refs are FIRST-PARTY org reusable workflows (petry-projects/.github, petry-projects/.github-private) pinned to org-controlled channel tags. Suppressing S7637 (SHA-pin enforcement) for first-party channel refs is the documented org convention, not a third-party supply-chain risk.
- Minor: each file loses its trailing newline (POSIX 'No newline at end of file'). Cosmetic only; non-blocking.
- Secret-scanning MCP tool (run_secret_scanning) not available in this environment; relied on the passing gitleaks CI check instead. No secrets touched by the diff.
CI status
All required checks green or appropriately skipped: SonarCloud quality gate passed (0 new issues), CodeQL SUCCESS, gitleaks SUCCESS, AgentShield SUCCESS. No failing checks. reviewDecision already APPROVED. mergeStateStatus UNKNOWN (not yet computed by GitHub) — not a blocker.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
Adds the canonical inline # NOSONAR(githubactions:S7637) marker to channel-pinned first-party caller stubs (9 file(s)). Preserves channel pins. Controlled fleet migration (#549/#551), not the weekly audit. hands-off so no agent re-SHA-pins. Legacy sonar-project.properties S7637 entries removed in a verified follow-up.
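The invariant both automated reviews lean on, and that the PR description preserves by keeping the stubs hands-off, is narrow: an S7637 suppression may sit only on a uses: line whose target is a first-party org reusable workflow, while every third-party action stays pinned to a full commit SHA. The script below is an added example, not code from this PR or from the petry-projects repositories; it audits workflow text for exactly that rule so a marker that drifts onto a third-party ref, or a first-party channel ref that lacks one, is caught before review. The first-party org allowlist, the channel ref spelling (@channels/stable), the placeholder commit SHA and the sample workflow are assumed or constructed for the example; only the marker text and the org names come from the page.

```python
import re

# Assumed for this example (not from the PR): orgs whose reusable workflows
# may be channel-pinned and carry the inline S7637 suppression marker.
FIRST_PARTY_ORGS = {"petry-projects"}
MARKER = "# NOSONAR(githubactions:S7637)"

# Matches both job-level "uses:" (reusable workflows) and step-level "- uses:".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_line(line):
    """Return findings (strings) for one workflow line; empty list if clean."""
    m = USES_RE.match(line)
    if not m:
        return []
    ref = m.group(1).strip("'\"")
    trailing = m.group(2)
    has_marker = MARKER in trailing

    # Local actions and docker images are outside the SHA-pinning rule, so a
    # suppression marker on them is meaningless and worth flagging.
    if ref.startswith("./") or ref.startswith("docker://"):
        return ["S7637 marker on local/docker ref"] if has_marker else []

    repo, _, version = ref.partition("@")
    owner = repo.split("/", 1)[0]
    first_party = owner in FIRST_PARTY_ORGS
    sha_pinned = bool(SHA_RE.match(version))

    findings = []
    if has_marker and not first_party:
        findings.append(f"S7637 suppression on third-party ref {ref}")
    if not first_party and not sha_pinned:
        findings.append(f"third-party ref not pinned to a commit SHA: {ref}")
    if first_party and not sha_pinned and not has_marker:
        findings.append(f"first-party channel ref without marker: {ref}")
    return findings


def audit_workflow(text):
    """Audit a whole workflow file; returns [(line_number, finding), ...]."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        for finding in check_uses_line(line):
            results.append((number, finding))
    return results


# Constructed sample caller stub (not a real file from the PR). The commit
# SHA is a placeholder and @channels/stable is an assumed channel ref.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  ci:
    uses: petry-projects/.github/.github/workflows/ci.yml@channels/stable # NOSONAR(githubactions:S7637) first-party channel ref
    secrets: inherit
  release:
    uses: petry-projects/.github-private/.github/workflows/release.yml@channels/stable
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4 # NOSONAR(githubactions:S7637)
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    for number, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {number}: {finding}")
```

Run against the sample, the audit reports the release job's first-party channel ref as missing its marker and flags the setup-node step twice: once because the suppression sits on a third-party ref, once because that ref is a tag rather than a commit SHA. The ci job and the SHA-pinned checkout step produce nothing, which is the state the PR's nine stubs are meant to be in.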