Conversation
Co-authored-by: Codex <noreply@openai.com>
📝 Walkthrough: This PR migrates visual testing infrastructure from Percy and BrowserStack to Chromatic, removes the Agent Task workflow, and delegates quality gate logic to external reusable workflows from the Quality Zero Platform repository. The repository transitions from local workflow orchestration to platform-managed configurations.
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main | ||
| with: | ||
| repo_slug: ${{ github.repository }} | ||
| tool: ${{ inputs.tool || 'coverage' }} | ||
| secrets: inherit |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium
Copilot Autofix (AI, 18 days ago)
In general, fix this by explicitly declaring a permissions block so the GITHUB_TOKEN used by this workflow (and its jobs) is restricted to the minimal capabilities required. This avoids inheriting broader default permissions from the repository or organization.
For this specific workflow, the simplest, least‑intrusive fix is to add a workflow‑level permissions block with read‑only access, e.g. permissions: { contents: read }. This will apply to the backlog-sweep job (which does not define its own permissions) and to any future jobs added without their own permissions. We place this block near the top of the file, after name: and before on:, which is a standard pattern and keeps the change minimal while not altering any existing behavior of the job itself.
No additional imports, methods, or definitions are needed; this is a pure YAML configuration change confined to .github/workflows/quality-zero-backlog.yml.
| @@ -1,5 +1,8 @@ | ||
| name: Quality Zero Backlog | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: "0 3 * * *" |
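Review bot: placing `permissions: contents: read` at workflow level also becomes the ceiling for the `backlog-sweep` job's call to `reusable-backlog-sweep.yml` with `secrets: inherit`, because a called reusable workflow can only keep or reduce the caller's token permissions, never raise them. Confirm the sweep does not need to open issues or pull requests before merging this; if it does, grant those specific scopes here (for example `issues: write`) rather than widening to write-all.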
| if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'failure' | ||
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main | ||
| with: | ||
| repo_slug: ${{ github.repository }} | ||
| failure_context: ${{ inputs.failure_context || 'Quality Zero Gate' }} | ||
| sha: ${{ github.event.workflow_run.head_sha || github.sha }} | ||
| secrets: inherit |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions, severity Medium
Copilot Autofix (AI, 18 days ago)
In general, this should be fixed by adding an explicit permissions block that restricts the GITHUB_TOKEN to the minimum required scopes. Since the snippet does not show any direct use of API write operations (it only triggers on workflow_run/workflow_dispatch and calls a reusable workflow), we can safely set the default to read-only contents, which is GitHub’s recommended baseline.
The best minimal change, without altering functionality, is to add a root-level permissions block after the on: section. We will set contents: read, which is equivalent to a read-only default and is sufficient for most workflows that only need to read repository contents or metadata. If the called reusable workflow needs additional permissions, it should declare them itself; here we only control this workflow’s own GITHUB_TOKEN defaults.
Concretely:
- Edit .github/workflows/quality-zero-remediation.yml.
- Insert:

```yaml
permissions:
  contents: read
```

between the on: block (ending at line 13) and the jobs: key (line 14). No additional imports or definitions are needed, as this is pure YAML configuration.
| @@ -11,6 +11,9 @@ | ||
| required: false | ||
| default: Quality Zero Gate | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| remediate: | ||
| if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'failure' |
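Review bot: the autofix text above says the called reusable workflow can declare any additional permissions itself; for reusable workflows it is the other way round, the caller's `permissions` block is a ceiling that `reusable-remediation-loop.yml` can only lower. With `contents: read` as that ceiling, any remediation step that pushes a branch, opens a PR or posts a comment would fail with 403, so check the callee's required scopes and list them explicitly in this block if needed, keeping everything else read-only.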
Co-authored-by: Codex <noreply@openai.com>
Actionable comments posted: 5
Caution: some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
apps/web/package.json (1)
Lines 20-35: ⚠️ Potential issue | 🟠 Major: Update the web lockfile with these dependency changes.
CI is already failing at `apps/web && npm ci` because the lock file no longer matches `package.json`. Please regenerate and commit the updated lockfile alongside these dependency additions/removals.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/web/package.json` around lines 20 - 35, The package.json devDependencies were changed but the lockfile was not updated, causing CI failures on `npm ci`; regenerate the lockfile by running `npm install` (or `npm ci` after syncing) in the apps/web working directory to produce an updated package-lock.json (or yarn.lock if you use Yarn), verify the lockfile reflects the new/removed entries under "devDependencies", and commit the updated lockfile alongside the package.json changes so CI can pass.
🧹 Nitpick comments (1)
scripts/verify (1)
Line 4: Make the wrapper independent of the caller’s current directory.
`make verify` only works when the script is launched from the repo root. Since this file is an executable wrapper, it should `cd` to the repository root first so CI and local invocations behave the same.
♻️ Proposed fix
#!/usr/bin/env bash set -euo pipefail -make verify +SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)" +REPO_ROOT="$(cd -- "${SCRIPT_DIR}/.." && pwd)" + +cd "${REPO_ROOT}" +make verifyBased on learnings: Run
`make verify` from the repository root before completion claims.
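Review bot: under `set -euo pipefail` a failing `cd "${REPO_ROOT}"` already aborts the wrapper, so the proposed fix needs no separate error branch; the one caveat is that `dirname "${BASH_SOURCE[0]}"` resolves to the symlink's directory if the script is ever invoked through a symlink placed outside the checkout, so a comment stating that the wrapper must stay in scripts/ would make that assumption explicit.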
Verify each finding against the current code and only fix it if needed. In `@scripts/verify` at line 4, Update the executable wrapper in scripts/verify so it first switches to the repository root before invoking make verify: detect the repo root (e.g., via git rev-parse --show-toplevel or resolving the script directory and its parent), cd to that directory and exit with a failure if the cd fails, then run the existing make verify command; keep the rest of the script behavior unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/quality-zero-backlog.yml:
- Around line 15-19: The workflow currently references the reusable workflow
with "uses:
Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main"
while still inheriting secrets; change the ref from "@main" to a pinned
immutable ref (a full commit SHA or a release tag) in that uses line so the call
is fixed to a specific commit, and ensure the "secrets: inherit" line remains
after that change; update the uses value only (e.g., replace "@main" with
"@<commit-sha>" or "@vX.Y.Z") to prevent unreviewed changes from receiving
inherited secrets.
In @.github/workflows/quality-zero-gate.yml:
- Around line 11-17: The job "aggregate-gate" is missing an explicit name, so
GitHub reports the check as the job ID instead of the required status context;
add a name: "Quality Zero Gate" field directly under the aggregate-gate job
definition (the job with id aggregate-gate that uses
Prekzursil/quality-zero-platform reusable workflow) so the status context
exactly matches the expected "Quality Zero Gate" used by branch-protection and
preflight scripts.
In @.github/workflows/quality-zero-platform.yml:
- Around line 12-17: Replace the floating ref and broad secret inheritance on
the reusable workflow: change the uses line referencing
Prekzursil/quality-zero-platform/.github/workflows/reusable-scanner-matrix.yml@main
to a pinned immutable ref (a specific commit SHA or immutable tag) and remove or
limit the risky secrets: inherit setting (e.g., remove secrets: inherit or
explicitly pass only required secrets) so the job uses a known immutable
workflow and does not automatically expose all repository secrets.
In @.github/workflows/quality-zero-remediation.yml:
- Around line 17-22: The reusable workflow reference currently uses a mutable
ref ("uses:
Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main");
replace the branch ref with an immutable commit SHA for that upstream repo so
the job no longer follows changes on main. Locate the "uses:
Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main"
line and update it to the specific commit SHA (the full 40-char hash) from the
upstream repository, then commit the change so inherited secrets run against
that pinned revision.
In `@apps/web/e2e/chromatic-core-routes.spec.ts`:
- Around line 5-10: The test currently clicks the nav button (navButton) and
waits for load state but doesn't assert that the target section became active;
after the click (and after page.waitForLoadState("networkidle")) add an explicit
assertion that the expected section or nav state changed — e.g., select the
section element or nav item that should be active for the given label (by id,
data-testid, or an "active" CSS class) and assert its visibility/active state
using Playwright expect or a DOM check inside the same test callback so the test
fails if the click didn't actually switch sections.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: f53fdcf5-7212-4d06-8a81-7d4133b9a3e2
⛔ Files ignored due to path filters (1)
- apps/web/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (19)
- .github/ISSUE_TEMPLATE/agent_task.yml
- .github/workflows/agent-task-queue.yml
- .github/workflows/chromatic-playwright.yml
- .github/workflows/percy-visual.yml
- .github/workflows/quality-zero-backlog.yml
- .github/workflows/quality-zero-gate.yml
- .github/workflows/quality-zero-platform.yml
- .github/workflows/quality-zero-remediation.yml
- AGENTS.md
- apps/web/browserstack.yml
- apps/web/e2e/browserstack-core.spec.ts
- apps/web/e2e/chromatic-core-routes.spec.ts
- apps/web/e2e/percy-core-routes.spec.ts
- apps/web/package.json
- docs/branch-protection-policy.json
- scripts/quality/check_quality_secrets.py
- scripts/strict23_preflight.py
- scripts/verify
- tests/test_visual_gate_contract.py
💤 Files with no reviewable changes (6)
- apps/web/e2e/browserstack-core.spec.ts
- apps/web/e2e/percy-core-routes.spec.ts
- .github/ISSUE_TEMPLATE/agent_task.yml
- apps/web/browserstack.yml
- .github/workflows/agent-task-queue.yml
- .github/workflows/percy-visual.yml
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-backlog-sweep.yml@main | ||
| with: | ||
| repo_slug: ${{ github.repository }} | ||
| tool: ${{ inputs.tool || 'coverage' }} | ||
| secrets: inherit |
Pin the reusable workflow before inheriting secrets.
Using @main here means the called workflow can change underneath this repo while still receiving all inherited secrets. Please pin the reusable workflow to a commit SHA (or, at minimum, an immutable release tag) before secrets: inherit.
🧰 Tools
🪛 GitHub Check: CodeQL
[warning] 15-19: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}
| aggregate-gate: | ||
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@main | ||
| with: | ||
| repo_slug: ${{ github.repository }} | ||
| event_name: ${{ github.event_name }} | ||
| sha: ${{ github.event.pull_request.head.sha || github.sha }} | ||
| secrets: inherit |
🧩 Analysis chain (scripts executed against Prekzursil/Reframe):
```shell
# Find and inspect the branch protection policy
fd branch-protection-policy.json
# Find and inspect the preflight script
fd strict23_preflight.py
# Check the actual workflow file to see current state
fd quality-zero-gate.yml
# Search .github/workflows/ for the quality-zero-gate file
find .github/workflows -name "*quality-zero*"
# Read the branch protection policy
cat docs/branch-protection-policy.json
# Read the preflight script
cat scripts/strict23_preflight.py
# Read the quality-zero-gate.yml file with line numbers
cat -n .github/workflows/quality-zero-gate.yml
# Search for any tests or documentation about the job naming
rg -A 5 -B 5 "aggregate-gate" .
```
Add explicit job name to match the required status check.
The caller job aggregate-gate lacks an explicit name: field. GitHub Actions will report the check using the job ID (aggregate-gate), not the workflow name. However, both docs/branch-protection-policy.json and scripts/strict23_preflight.py require "Quality Zero Gate" as the exact status context name. This mismatch will cause branch protection checks to fail.
🧭 Proposed fix
jobs:
aggregate-gate:
+ name: Quality Zero Gate
uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@main
with:
repo_slug: ${{ github.repository }}
event_name: ${{ github.event_name }}
sha: ${{ github.event.pull_request.head.sha || github.sha }}
🧰 Tools
🪛 GitHub Check: CodeQL
[warning] 12-17: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}
| uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main | ||
| with: | ||
| repo_slug: ${{ github.repository }} | ||
| failure_context: ${{ inputs.failure_context || 'Quality Zero Gate' }} | ||
| sha: ${{ github.event.workflow_run.head_sha || github.sha }} | ||
| secrets: inherit |
🧩 Analysis chain (script executed against Prekzursil/Reframe):
```shell
#!/bin/bash
set -euo pipefail
echo "Quality Zero platform workflow refs:"
rg -n 'Prekzursil/quality-zero-platform/.+@' .github/workflows
echo
echo "Refs that are not pinned to a 40-character commit SHA:"
rg -nP 'Prekzursil/quality-zero-platform/.+@(?![0-9a-f]{40}\b)[^[:space:]]+' .github/workflows
```
Pin the reusable remediation workflow to an immutable commit SHA.
This job inherits repository secrets but tracks Prekzursil/quality-zero-platform@main. Using a mutable ref with inherited secrets allows upstream changes to alter behavior immediately, reducing reproducibility and expanding the impact of upstream issues.
Example fix
- uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@main
+ uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-remediation-loop.yml@<commit-sha>
🧰 Tools
🪛 GitHub Check: CodeQL
[warning] 16-22: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}
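Added example (Python; not code from the Prekzursil/Reframe repository, CodeRabbit or CodeQL) that turns the three checks raised in this thread into one script a preflight step could run over `.github/workflows/*.yml`: reusable-workflow refs that are not a commit SHA, with `secrets: inherit` flagged as the higher-severity case (the pinning comments on the backlog and remediation callers), callers with no `permissions:` block (the CodeQL warnings), and the status context each job will report versus the context branch protection requires (the `aggregate-gate` name comment). The sample workflow text is constructed in the shape of the gate caller in this PR, the 40-zero SHA is a placeholder rather than a real upstream commit, and the regex parsing assumes the two-space indentation used here; arbitrary files would need PyYAML.

```python
"""Static checks for GitHub Actions caller workflows (added example, not project code).

Regex-based parsing on the two-space indentation used in this PR; PyYAML is avoided
so the script runs anywhere. Reports unpinned reusable-workflow refs (worse when
combined with `secrets: inherit`), missing `permissions:` blocks, and the
status-check context each job reports compared with the required contexts.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo/.github/workflows/file.yml@ref`; local `./...` calls carry no @ref and are skipped
USES_RE = re.compile(r"^(\s*)uses:\s*(\S+?)@(\S+)\s*$")
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # job ids sit two spaces under `jobs:`


def find_reusable_calls(workflow_text):
    """One dict per reusable-workflow call: target, ref, pinned, secrets_inherit."""
    lines = workflow_text.splitlines()
    calls = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or ".github/workflows/" not in m.group(2):
            continue  # a step action such as actions/checkout@v4, not a reusable workflow
        indent, target, ref = m.groups()
        inherits = False
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < len(indent):
                break  # dedented past the job block this `uses:` belongs to
            if nxt.startswith(indent) and nxt.strip() == "secrets: inherit":
                inherits = True
                break
        calls.append({"target": target, "ref": ref,
                      "pinned": bool(SHA_RE.match(ref)), "secrets_inherit": inherits})
    return calls


def job_blocks(workflow_text):
    """Yield (job_id, body_lines) for every job under the top-level `jobs:` key."""
    in_jobs, current, body = False, None, []
    for line in workflow_text.splitlines():
        if re.match(r"^jobs:\s*$", line):
            in_jobs = True
            continue
        if not in_jobs:
            continue
        if line.strip() and not line.startswith(" "):
            break  # a later top-level key ends the jobs mapping
        m = JOB_RE.match(line)
        if m:
            if current is not None:
                yield current, body
            current, body = m.group(1), []
        elif current is not None:
            body.append(line)
    if current is not None:
        yield current, body


def permissions_declared(workflow_text):
    """True if there is a top-level `permissions:` key or every job declares its own."""
    if any(line.startswith("permissions:") for line in workflow_text.splitlines()):
        return True
    jobs = list(job_blocks(workflow_text))
    return bool(jobs) and all(any(l.startswith("    permissions:") for l in body) for _, body in jobs)


def status_contexts(workflow_text):
    """Map job id -> the check name GitHub reports: the job's `name:` if set, else its id."""
    contexts = {}
    for job_id, body in job_blocks(workflow_text):
        hits = [re.match(r'^    name:\s*"?(.*?)"?\s*$', l) for l in body]
        hit = next((h for h in hits if h), None)
        contexts[job_id] = hit.group(1) if hit else job_id
    return contexts


def audit(workflow_text, required_contexts=()):
    """Return human-readable findings; an empty list means the caller passes every check."""
    findings = []
    for call in find_reusable_calls(workflow_text):
        if not call["pinned"]:
            sev = "high" if call["secrets_inherit"] else "medium"
            tail = " and receives `secrets: inherit`" if call["secrets_inherit"] else ""
            findings.append(f"{sev}: {call['target']}@{call['ref']} is not pinned to a commit SHA{tail}")
    if not permissions_declared(workflow_text):
        findings.append("medium: no `permissions:` block, so GITHUB_TOKEN keeps the repository default")
    reported = set(status_contexts(workflow_text).values())
    for ctx in required_contexts:
        if ctx not in reported:
            findings.append(f"high: required status context {ctx!r} is not reported by any job "
                            f"(jobs report {sorted(reported)})")
    return findings


# Constructed sample in the shape of the gate caller in this PR; not the repository's file.
GATE_BEFORE = """\
name: Quality Zero Gate
on:
  pull_request:
jobs:
  aggregate-gate:
    uses: Prekzursil/quality-zero-platform/.github/workflows/reusable-quality-zero-gate.yml@main
    with:
      repo_slug: ${{ github.repository }}
      event_name: ${{ github.event_name }}
      sha: ${{ github.event.pull_request.head.sha || github.sha }}
    secrets: inherit
"""

# Same caller with the review suggestions applied; the SHA is a placeholder, not a real upstream commit.
PLACEHOLDER_SHA = "0" * 40
GATE_AFTER = (GATE_BEFORE
              .replace("@main", "@" + PLACEHOLDER_SHA)
              .replace("on:\n", "permissions:\n  contents: read\non:\n", 1)
              .replace("  aggregate-gate:\n", "  aggregate-gate:\n    name: Quality Zero Gate\n"))
```

On real files, call `audit(open(path).read(), required_contexts=[...])` with the contexts taken from docs/branch-protection-policy.json; a preflight such as scripts/strict23_preflight.py could fail the run on any `high:` finding and merely warn on `medium:` ones.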
| test(`capture ${label} section`, async ({ page }) => { | ||
| await page.goto("/", { waitUntil: "domcontentloaded" }); | ||
| const button = navButton(page, label); | ||
| await button.waitFor({ state: "visible", timeout: 30_000 }); | ||
| await button.click(); | ||
| await page.waitForLoadState("networkidle"); |
Assert that the selected section actually became active before ending the test.
Right now the test only clicks and waits. If the nav handler regresses, this can still pass while capturing the same default screen for every label. Please add a post-click assertion that the target section or active nav state changed.
Point the quality-zero platform, gate, and Codecov analytics workflows at the controller-managed parity baseline so protected-branch pushes evaluate the same scanner stack as pull requests. Co-authored-by: Codex <noreply@openai.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.