Create summary.yml #1
📝 Walkthrough
The PR adds a new GitHub Actions workflow that automatically summarizes newly opened issues using AI inference, and concurrently updates the changelog with release notes for recent versions (1.0.48–1.0.36) and corrects a documentation URL reference.
Changes
Issue Auto-Summarization Workflow
Release Documentation Updates
🎯 2 (Simple) | ⏱️ ~8 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
changelog.md (1)
297-297: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Use a literal CLI flag instead of an em dash.
Line 297 says “Connect to CLI remote control sessions from the —resume picker”. This should be --resume (double hyphen) to avoid misleading users.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@changelog.md` at line 297, Replace the em dash version of the flag in the changelog entry that currently reads "—resume picker" with the literal CLI flag form --resume (e.g., change "—resume picker" to "--resume picker") so the documentation shows the correct double-hyphen flag syntax.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/summary.yml:
- Line 17: Replace the mutable action tags with immutable 40-character commit
SHAs: locate the uses lines referencing actions/checkout@v4 and
actions/ai-inference@v1 in the workflow and change each to the audited commit
SHA you trust (e.g., actions/checkout@<40-char-sha> and
actions/ai-inference@<40-char-sha>), ensuring you update both occurrences so the
workflow pins to specific commits rather than floating tags.
- Around line 9-17: Remove the unnecessary checkout step and the contents: read
permission, keep only issues: write and models: read for the GH CLI/AI steps;
also replace the action references actions/checkout@v4 and
actions/ai-inference@v1 with their pinned commit SHAs (use the full commit@sha
form) to harden the workflow. Ensure the gh issue comment step still works with
issues: write + models: read and remove the entire "steps: - name: Checkout
repository uses: actions/checkout@..." block and the "contents: read" entry
under permissions, updating the two action uses to commit SHAs instead of the
short tags.
In `@changelog.md`:
- Line 86: Fix the typo in the release note sentence "Extensions now load in
prompt mode (-p). User extensions load by default; project extensions alnd
management tools require GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true." by
replacing "alnd" with "and" so the sentence reads "...project extensions and
management tools require GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true." Update the
string in changelog.md where this exact sentence appears.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 5bc99308-0e6b-41d6-9a8c-8c3215a15d8a
📒 Files selected for processing (2)
.github/workflows/summary.yml
changelog.md
| runs-on: ubuntu-latest | ||
| permissions: | ||
| issues: write | ||
| models: read | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
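Review bot: The `permissions:` block grants `contents: read` and the first step is `actions/checkout@v4`, referenced by tag. If no later step reads files from the working tree, drop both so the job token is limited to `issues: write` and `models: read`. If the checkout has to stay, reference it by a full commit SHA and set `persist-credentials: false` on it.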
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
ls -la .github/workflows || true
echo "---- summary.yml ----"
sed -n '1,200p' .github/workflows/summary.yml
echo "---- feature-request-comment.yml (if exists) ----"
if [ -f .github/workflows/feature-request-comment.yml ]; then
sed -n '1,220p' .github/workflows/feature-request-comment.yml
else
echo "MISSING: .github/workflows/feature-request-comment.yml"
fi
echo "---- find other uses: actions/checkout / gh issue comment patterns ----"
rg -n --hidden "actions/checkout@|gh issue comment|persist-credentials|GH_TOKEN" .github/workflows
Repository: aidaiprivate-source/copilot-cli
Length of output: 4118
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n --hidden "persist-credentials" .github/workflows || true
rg -n --hidden "uses:\s*actions/ai-inference@" .github/workflows
rg -n --hidden "uses:\s*actions/checkout@" .github/workflows
Repository: aidaiprivate-source/copilot-cli
Length of output: 213
🌐 Web query:
actions/ai-inference@v1 GitHub Action requirements needs checkout
💡 Result:
The actions/ai-inference@v1 GitHub Action does not inherently require the actions/checkout action to function [1][2][3]. The primary requirement for this action is the configuration of the correct permissions in your workflow file [1][3]. To use actions/ai-inference@v1, you must include the following permissions block in your workflow [1][3]: permissions: models: read You only need to use actions/checkout if your workflow requires access to the repository's source code, such as when reading prompt files from the repository (e.g., using the prompt-file input) [1][2]. If you are providing your prompts directly via the prompt input or generating them dynamically within the workflow, actions/checkout is unnecessary [1][3].
Citations:
- 1: https://github.com/actions/ai-inference?tab=readme-ov-file
- 2: https://github.com/marketplace/actions/ai-inference
- 3: https://github.com/aiqiaoy/ai-inference
Remove unnecessary actions/checkout / drop contents: read.
Nothing after checkout reads the working tree; actions/ai-inference@v1 uses inline prompt and the gh issue comment step only needs issues: write + models: read.
- Supply-chain hardening: pin actions/checkout@v4 and actions/ai-inference@v1 to commit SHAs.
Suggested change
summary:
runs-on: ubuntu-latest
permissions:
issues: write
models: read
- contents: read
steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- name: Run AI inference📝 Committable suggestion
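Review bot: The suggestion stops at `- name: Run AI inference` and never touches that step's `uses:` line, so committing it removes the checkout and `contents: read` but leaves the SHA pin requested in the same comment undone. Either extend the suggestion to cover the `uses:` line or track the pin as a separate change.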
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| models: read | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| models: read | |
| steps: | |
| - name: Run AI inference |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate and display the relevant workflow file
ls -la .github/workflows || true
sed -n '1,120p' .github/workflows/summary.yml | nl -ba
# Show the exact uses lines near the reported locations
sed -n '1,60p' .github/workflows/summary.yml | nl -ba | sed -n '1,60p'
# Search for any stated pinning policy in the repo
rg -n --hidden --glob '!.git/*' -S "pin(n|ning)?|commit SHA|immutable commit|actions/checkout@|supply-chain|supply chain|dependabot|github actions.*pin" . \
|| true
# Search other workflows for SHA-pinned vs tag-pinned uses entries for context
rg -n --hidden --glob '!.git/*' -S "uses:\s*actions/checkout@|uses:\s*actions/[^ @]+@v" .github/workflows || true
rg -n --hidden --glob '!.git/*' -S "uses:\s*actions/[^ @]+@([0-9a-f]{40}|[0-9a-f]{7,})" .github/workflows || true
Repository: aidaiprivate-source/copilot-cli
Length of output: 1011
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== summary.yml (first 80 lines with line numbers) =="
awk '{printf "%4d\t%s\n", NR, $0}' .github/workflows/summary.yml | sed -n '1,80p'
echo
echo "== uses: lines in summary.yml =="
awk '{if ($0 ~ /uses:[[:space:]]*[^[:space:]]+/) printf "%4d\t%s\n", NR, $0}' .github/workflows/summary.yml
echo
echo "== Find pinning policy / wording in repo (search for docs or rules) =="
rg -n --hidden --glob '!.git/*' -S "pin(n|ning)?|commit SHA|immutable commit|supply-chain|supply chain|audit(ed)?|policy.*pin|github actions.*pin|dependabot" . || true
echo
echo "== Other workflows for SHA-pinned vs tag-pinned uses patterns =="
rg -n --hidden --glob '!.git/*' -S "uses:[[:space:]]+actions/[^[:space:]@]+@v[0-9]+(\.[0-9]+)*|uses:[[:space:]]+actions/[^[:space:]@]+@v[0-9]+" .github/workflows || true
rg -n --hidden --glob '!.git/*' -S "uses:[[:space:]]+actions/[^[:space:]@]+@[0-9a-f]{40}" .github/workflows || true
Repository: aidaiprivate-source/copilot-cli
Length of output: 5449
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Broad search for action pinning policy keywords =="
rg -n --hidden --glob '!.git/*' -S "actions/|github\.com/actions|pin(n|ning)|immutable|commit sha|sha256|supply chain|audit|dependabot|workflow.*(pin|sha|commit)" . || true
echo
echo "== Search for existing SHA-pinned uses entries anywhere =="
rg -n --hidden --glob '!.git/*' -S "uses:[[:space:]]+[^[:space:]@]+@[0-9a-f]{40}" .github/workflows || true
echo
echo "== Show all uses: lines across workflows (tag-only snapshot) =="
rg -n --hidden --glob '!.git/*' "uses:[[:space:]]+[^[:space:]]+@[v0-9][^[:space:]]*" .github/workflows || true
Repository: aidaiprivate-source/copilot-cli
Length of output: 2686
Pin GitHub Actions to immutable commit SHAs in summary.yml.
- .github/workflows/summary.yml line 17: actions/checkout@v4
- .github/workflows/summary.yml line 21: actions/ai-inference@v1
Both are movable tags; pin each uses: entry to the audited 40-character commit SHA you intend to trust.
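The two zizmor findings quoted in this thread (unpinned-uses and artipacked), sketched as a stand-alone checker. This is an added example, not code from the PR, CodeRabbit or zizmor; the sample workflow and the SHA are constructed, and the line-based parsing is a simplification of what a YAML-aware linter does.

```python
import re

# `uses:` value of a step, e.g. "actions/checkout@v4"; stops before a trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
PERSIST_OFF_RE = re.compile(r"\s*persist-credentials:\s*['\"]?false\b")

def persist_disabled(lines, idx):
    """True if the step at lines[idx] sets persist-credentials: false after its `uses:` line."""
    key_indent = lines[idx].index("uses:")
    for line in lines[idx + 1:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) < key_indent:
            break  # next step, or end of the job
        if PERSIST_OFF_RE.match(line):
            return True
    return False

def audit_workflow(text):
    """Return (line_no, ref, finding) for every problematic `uses:` line."""
    findings, lines = [], text.splitlines()
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a step, or a local action / container image
        ref = m.group(1)
        if not FULL_SHA_RE.fullmatch(ref.partition("@")[2]):
            findings.append((idx + 1, ref, "unpinned-uses"))
        if ref.startswith("actions/checkout@") and not persist_disabled(lines, idx):
            findings.append((idx + 1, ref, "artipacked"))
    return findings

# Constructed sample, modelled on the steps quoted in this thread.
SAMPLE = """\
jobs:
  summary:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run AI inference
        uses: actions/ai-inference@v1
"""
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit
HARDENED = SAMPLE.replace("@v4", f"@{FAKE_SHA}\n        with:\n          persist-credentials: false").replace("@v1", f"@{FAKE_SHA}")

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

A tag such as `v4` can be moved to a different commit by whoever controls the action's repository, which is why only a full 40-character SHA counts as pinned here.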
| - Remote session connection errors show your logged-in account and tailored remediation steps | ||
| - Markdown formatting renders in ask user prompt questions | ||
| - Add experimental MCP Tasks support: MCP tools with `taskSupport: "required"` run as non-blocking background agents trackable via `list_agents` and `read_agent` (available when experimental mode is enabled, e.g. via `/experimental on` or the `--experimental` flag) | ||
| - Extensions now load in prompt mode (-p). User extensions load by default; project extensions alnd management tools require GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true. |
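Review bot: In the last changelog line of this hunk, "alnd" should be "and", and `-p` and `GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true` are left as plain text while the MCP Tasks entry above wraps `--experimental` and `taskSupport: "required"` in backticks. Format them as code so the flag and the variable name are copied exactly.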
Fix typo in release note text (alnd → and).
Line 86 has a user-facing typo: “project extensions alnd management tools…”. Please correct it to “and”.
Summary by CodeRabbit
Documentation
Chores