Release 2.1.1 with CI/CD upgrades and infrastructure improvements

[reactive-firewall]

Release Candidate for Version 2.1.1 (v2.1.1rc2) Patch Notes

see full changelog: stable...master

Impacted GHI

• Closes v2.1.x Chore - The script should handle the case where neither PYTHON environment variable is set nor python3 command is found. Add proper error handling and exit code. #362

• Contributes to v2.2.x Feature - Add pytest best-effort support to run_selective.py #380
• Contributes to v2.1.x Chore - Improve test-coverage reports #441

• Closes Security hardening improvements #485
• Closes Regression in default makefile rule caused by fix in checkmake tool in CI #488

• Contributes to CHORE v2.1.0 Release -- review new Makefile Lint violations #495

• Closes Review CEP-5 usage patterns with shlock #511
• Closes Add regression test for CEP-5 shlock usage pattern #512
• Closes CHORE: adopt coderabbitai plan feature #525

• Contributes to v2.2.x Chore - Harden CI runners even more #527

Included and Superseded PR/MRs

• Includes and Supersedes [FEATURE] Environment Variable Configuration Module (- WIP #31 -) #256
• Includes and Supersedes [UPDATE] (deps): Bump actions/download-artifact from 4.3.0 to 5.0.0 in /.github/workflows #462
• Includes and Supersedes [UPDATE] (deps): Bump actions/checkout from 4.2.2 to 5.0.0 in /.github/workflows #463
• Includes and Supersedes 2.1.0 alpha 3rc #474
• Includes and Supersedes [UPDATE] (deps): Bump actions/cache from 4.2.4 to 4.3.0 in /.github/workflows #479
• Includes and Supersedes [UPDATE] (deps): Bump peter-evans/commit-comment from 3.0.0 to 4.0.0 in /.github/workflows #481
• Includes and Supersedes [UPDATE] (deps): Bump github/codeql-action from 3.30.3 to 3.30.6 in /.github/workflows #482
• Includes and Supersedes [UPDATE] (deps): Bump ossf/scorecard-action from 2.4.2 to 2.4.3 in /.github/workflows #483
• Includes and Supersedes HOTFIX for checkmake wrapper #489
• Includes and Supersedes [UPDATE] (deps): Bump actions/upload-artifact from 4.6.2 to 5.0.0 in /.github/workflows #491
• Includes and Supersedes [UPDATE] (deps): Bump actions/download-artifact from 5.0.0 to 6.0.0 in /.github/workflows #492
• Includes and Supersedes [UPDATE] (deps): Bump actions/checkout from 5.0.0 to 6.0.0 in /.github/workflows #500
• Includes and Supersedes [UPDATE] (deps): Bump actions/setup-go from 6.0.0 to 6.1.0 in /.github/workflows #501
• Includes and Supersedes [STYLE] Refactored Makefile as per GHI #495 #510
• Includes and Supersedes Implement CEP-5 regression tests #518
• Includes and Supersedes CEP-5 refactor #519
• Includes and Supersedes [UPDATE] (deps): Bump codecov/test-results-action from 1.1.1 to 1.2.1 in /.github/workflows #520
• Includes and Supersedes [UPDATE] (deps): Bump actions/checkout from 6.0.1 to 6.0.2 in /.github/workflows #521
• Includes and Supersedes [UPDATE] (deps): Bump reactive-firewall/flake8-cq from 2.1 to 2.2 in /.github/workflows #522
• Includes and Supersedes [UPDATE] (deps): Bump github/codeql-action from 4.31.8 to 4.32.2 in /.github/workflows #523
• Includes and Supersedes FEATURE - Adopt CodeRabbit GHI planning feature #526

---

Changelog

Details
Kinds of changes	UPDATE, TESTS, TESTING, SYTLE, STYLE, SECURITY, RELEASE, PATCH, MERGE, HOTFIX, FIX, FEATURE, DOCUMENTATION, DOCUMENTAION, COVERAGE, CONFIGURATION, CONFIG, CI
Impacted Issues	#256, #362, #380, #441, #462, #463, #479, #481, #482, #483, #485, #488, #489, #491, #492, #495, #500, #501, #510, #511, #512, #518, #519, #520, #521, #522, #523, #525, #526, #527, #528
New Files	generate_manifest.sh, tests/check_CEP5_regression.bash, tests/check_coverage_helper

Changes in file .codecov.yml:

• updated status configs
• updated flags
• Refactored statuses again

Changes in file .coderabbit.yaml:

• made configuration a little more awesome
• Improved readability slightly
• enable issue enrichment in config

Changes in file .coveragerc:

• Updated config with modern options
• Related changes
• Adjusted scope of reports slighly

Changes in file docs/CI.md:

• version bump setup-python to v6 in examples
• updated copyright year to 2026

Changes in file docs/conf.py:

• version bump to 2.1 series
• version bump
• updated copyright year to 2026

Changes in file docs/Environment_Configuration.md:

• updated copyright year to 2026

Changes in file docs/Exception_Guide.md:

• updated copyright year to 2026

Changes in file docs/FAQ.md:

• Fixed propper noun 'MacOS' -> 'macOS' (:see_no_evil: Sorry Apple)
• updated copyright year to 2026

Changes in file docs/index.md:

• updated copyright year to 2026

Changes in file docs/INSTALL.md:

• updated copyright year to 2026

Changes in file docs/Makefile:

• revert to include whole date range from 2025 in copyright comment
• updated copyright year to 2026

Changes in file docs/requirements.txt:

• vesion bump for pip
• Version bumped related documentation extras
• version bump wheels to =>0.46.2
• version bump for pip
• Resolves GHSA-4xh5-x5gv-qwph
• version bumps
• version bump pip to resovle CVE-2026-1703
• updated copyright year to 2026
• related version bumps
• related changes

Changes in file docs/SECURITY.md:

• updated copyright year to 2026

Changes in file docs/Testing.md:

• updated copyright year to 2026

Changes in file docs/toc.md:

• updated copyright year to 2026

Changes in file docs/USAGE.md:

• Fixed propper noun 'MacOS' -> 'macOS' (:see_no_evil: Sorry Apple)
• updated copyright year to 2026

Changes in file docs/utils.py:

• updated copyright year to 2026

Changes in file generate_manifest.sh:
Additions with file generate_manifest.sh:

• Initial cleanup from prototyping implementation
• Improved stabillity slightly
• implemented helper for generation MANIFEST.in
• fix for redirection
• related changes
• refactored to ovewrite logic closer to oridginal make target logic
• improved return-code handling as discussed in review (- WIP PR [STYLE] Refactored Makefile as per GHI #495 #510 -)
• implemented new script to generate manifest files
• fixed premissions
• fixed mark_file function logic for darwin build systems

Changes in file .github/actions/check-control/action.yml:

• use variable for name and title inputs
• security hardening of user-controlled inputs
• removed faulty conditional
• Refactored variables in CI/CD and traded risks of input-injection (which was minor) for risk of data-leak (which is trivial and N/A in public repo)
• refactored how sha is normalized and sanitized
• minor refactor
• Improved hardening
• fixed a small typo
• fix regression in variable name
• fix CWE-20 from double escapping quotes
• fix check for details URL to compar with DEFAULT correctly

Changes in file .github/actions/checkout-and-rebuild/action.yml:

• version bumps
• version bump setup-python to v6
• version bump setup-python
• version bump for actions/checkout
• version bump checkout action to v6.0.2
• version bump checkout
• version bump actions/setup-python
• Version bump actions/download-artifact to v5
• Version bump actions/checkout to v5.0.0
• version bump
• update version for actions/downloads from 5 to 6
• Improved hardening
• version bump setup-python to v6.2
• Version bump

Changes in file .github/actions/run-minimal-acceptance-tests/action.yml:

• version bump uploads to v5.0
• version bump
• security hardening of user-controlled inputs
• removed faulty conditional
• refactored how sha is normalized and sanitized
• minor refactor
• Improved hardening
• fix CWE-20 from double escapping quotes

Changes in file .github/actions/setup-py-reqs/action.yml:

• version bump uploads to v5.0
• version bump
• security hardening of user-controlled inputs
• removed faulty conditional
• refactored how sha is normalized and sanitized
• minor refactor
• Improved hardening
• fix CWE-20 from double escapping quotes

Changes in file .github/actions/test-reporter-upload/action.yml:

• version bump uploads to v5.0
• version bump to new version like workflows
• Version bump for Codecov
• version bump
• security hardening of user-controlled inputs
• bump version of codecov/codecov-action to 5a1091511ad55cbe89839c7260b706298ca349f7 -- v5.5.1
• version bump codecov-action to v5.5.2
• Version bump

Changes in file .github/CONTRIBUTING.md:

• Added some documentation about issue_enhancement configs
• updated copyright year to 2026

Changes in file .github/ISSUE_TEMPLATE/bug_report.md:

• version bump
• Fixed propper noun 'MacOS' -> 'macOS' (:see_no_evil: Sorry Apple)

Changes in file .github/ISSUE_TEMPLATE.md:

• Fixed propper noun 'MacOS' -> 'macOS' (:see_no_evil: Sorry Apple)
• minor rewording

Changes in file .github/labeler.yml:

• updated new patterns for labels
• added pattern for new makefile helper scripts

Changes in file .github/tools/checkmake.bash:

• improve log handling
• improve error log cleanup
• fix for intentional SC2064
• fix for Regression in default makefile rule caused by fix in checkmake tool in CI #488
• added fail-case diognostics to checkmake wrapper tool

Changes in file .github/tools/cioutput.py:

• Restore copyright date to include the full range from 2025
• updated copyright year to 2026

Changes in file .github/tools/fetch-test-reporter:

• version bump
• update for 2026

Changes in file .github/workflows/bandit.yml:

• version update to 2.4
• version bumps
• version bump for actions/checkout
• version bump
• Removed limits reverting to previous LGV
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .github/workflows/CD-PyPi.yml:
ensure shell is running bash

• version bumps
• version bump setup-python
• version bump for actions/checkout
• version bump
• pinned the action by sha
• Flushed out more like working CI-Build for builds
• explicitly enabled PEP 740 features
• cleaned up environment conditionals a bit
• added icongraphy hints to step titles
• version bumps
• Version bump
• related changes

Changes in file .github/workflows/CI-BUILD.yml:

• version bumps
• version bump setup-python
• version bump for actions/checkout
• version bump for actions/cache
• version bump
• Removed limits reverting to previous LGV
• related changes
• merged version bumps
• Added new concurancy group settings
• version bumps
• Version bump
• related changes

Changes in file .github/workflows/CI-CHGLOG.yml:

• version bumps
• version bump for peter-evans-commit-comment
• version bump for actions/checkout
• version bump
• reslated changes
• Removed limits reverting to previous LGV
• merged version bumps
• Improved hardening
• hotfix for regression of download-artifacts action logic after version bump
• Added new concurancy group settings
• added more controls to reduce risk of CWE-829
• version bumps
• related changes

Changes in file .github/workflows/CI-DOCS.yml:

• version bumps
• version bump for peter-evans-commit-comment
• version bump for actions/checkout
• version bump
• reslated changes
• Removed limits reverting to previous LGV
• merged version bumps
• Improved hardening
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .github/workflows/CI-MATs.yml:

• version bumps
• version bump for peter-evans-commit-comment
• version bump for actions/checkout
• version bump
• reslated changes
• Removed limits reverting to previous LGV
• refactored commit link format
• merged version bumps
• Improved hardening
• additional controls added to reduce risk of CWE-829
• Added new concurancy group settings
• added more controls to reduce risk of CWE-829
• version bumps
• related changes

Changes in file .github/workflows/codeql-analysis.yml:

• version bumps
• version bump to CodeQL v3.29.3
• version bump for actions/checkout
• version bump CodeQL
• version bump
• Retuned limit for schedule runs
• refactor to fix code identification
• merged version bumps
• Harden use of actions/checkout by dropping credentials when done.
• fix for github action scanning
• corrected comment about pinned version
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .github/workflows/flake8.yml:

• version bumps
• version bump for actions/checkout
• version bump flake8-cq
• version bump
• Removed limits reverting to previous LGV
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .github/workflows/makefile-lint.yml:

• version bumps
• version bump for setup-go
• version bump for actions/checkout
• version bump
• Removed limits reverting to previous LGV
• Added new concurancy group settings
• added need for setup-go for checkmake
• version bumps
• Version bump
• updated to use checkmake's own checkmake.ini config when linting
• related changes
• other related changes

Changes in file .github/workflows/markdown-lint.yml:

• version bumps
• version bump for actions/checkout
• version bump
• Removed limits reverting to previous LGV
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .github/workflows/scorecard.yml:

• version bumps
• version bump to CodeQL v3.29.3
• version bump for actions/checkout
• version bump CodeQL
• Version bump
• version bump
• Retuned limit for schedule runs
• merged version bumps
• corrected comment about pinned version
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .github/workflows/shellcheck.yml:

• version bumps
• version bump for actions/checkout
• version bump
• Removed limits reverting to previous LGV
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .github/workflows/Tests.yml:

• version bumps
• version bump setup-python
• version bump for peter-evans-commit-comment
• version bump for coverallsapp
• version bump for actions/checkout
• version bump
• reslated changes
• Removed limits (kept throttling)
• related support for skipping result for skipped uploads
• refactored commit link format
• migrated codecov action
• merged version bumps
• improved report logic for non-pytest formatting slightly
• Improved hardening
• fixes for stability
• fixed variable names for report details (overlooked regression)
• fixed skip vs fail logic check for pytest
• fix input key for codecov test uploads
• corrected input key for checkout action
• additional controls added to reduce risk of CWE-829
• Added throttling limits
• added support for reporting skipped upload as a non-fail result when expected
• Added new concurancy group settings
• version bumps
• Version bump
• related version bumps
• related changes
• fix for regression

Changes in file .github/workflows/yaml-lint.yml:

• version bumps
• version bump for actions/checkout
• version bump
• Added new concurancy group settings
• version bumps
• related changes

Changes in file .gitmodules:

• config update

Changes in file LICENSE.md:

• updated copyright year to 2026

Changes in file Logo.svg:

• updated copyright year to 2026

Changes in file Makefile:
Changes in file docs/Makefile:

• vesion bump for pip
• Version bumped (still targeting python3.9+)
• version bump wheels to =>0.46.2
• version bump for pip
• revert to include whole date range from 2025 in copyright comment
• Resolves GHSA-4xh5-x5gv-qwph
• Related changes
• implemented a simple phony "all" rule
• corrected dependency order
• added 'all' target
• version bump pip to resovle CVE-2026-1703
• updated copyright year to 2026
• related changes
• refactored to use new helper script for test targets
• refactored to resolve linter suggestions
• refactored into multiple targets some of the larger targets
• integrated generate_manifest.sh
• DEPRECATED old pytest rule.
• added some minor diognostics
• added orginizational comments

Changes in file multicast/env.py:

• updated copyright year to 2026

Changes in file multicast/exceptions.py:

• updated copyright year to 2026

Changes in file multicast/hear.py:

• tweaked the doctests slightly
• fixed grammar in docstring
• Fixed a bug where defaults were not applied correctly
• updated copyright year to 2026
• minor refactor to fix empty initialization logic
• fix for default init given no arguments

Changes in file multicast/init.py:

• version bump to 2.1.0-alpha-3
• version bump to 2.1 series
• version bump
• fixed a small typo
• updated copyright year to 2026

Changes in file multicast/main.py:

• marked branch as defensive code
• updated copyright year to 2026

Changes in file multicast/recv.py:

• resolved a PY-D0003
• fixed grammar in docstring
• Added explanation as docstring to trivial implementation of setupArgs function
• updated copyright year to 2026

Changes in file multicast/send.py:

• updated copyright year to 2026

Changes in file multicast/skt.py:

• updated copyright year to 2026

Changes in file pyproject.toml:

• version bump wheels to =>0.46.2
• version bump to 2.1.0-alpha-3
• version bump to 2.1 series
• version bump
• Related changes
• Workaround for pytest config
• related version bumps
• related changes for CI/CD format warnings
• now also allow building with python versions >=3.14.1
• Added python v3.14 classifier as discussed in review.

Changes in file README.md:

• Slightly improved badges by adding links
• minor badge fixes
• added badge link for scorecard
• updated copyright year to 2026

Changes in file tests/requirements.txt:
Changes in file requirements.txt:
Changes in file docs/requirements.txt:

• vesion bump for pip
• Version bumped (still targeting python3.9+)
• Version bumped related documentation extras
• Version bumped related development extras
• version bump wheels to =>0.46.2
• version bump for pip
• version bump
• Resolves GHSA-4xh5-x5gv-qwph
• mitigates GHSA-8rrh-rw8j-w5fx (CVE-2026-24049)
• version bumps
• version bump pip to resovle CVE-2026-1703
• updated copyright year to 2026
• related version bumps
• related changes

Changes in file tests/check_cc_lines:

• refactor to align with CEP-5
• fixed CEP-5 regression

Changes in file tests/check_CEP5_regression.bash:
Changes in file tests/check_CEP5_regression:
Additions with file tests/check_CEP5_regression.bash:

• removed copy-paste artifact duplication
• related changes
• improved portability slightly
• improved performance slightly
• improved error handling of file selection
• Implemented regression test tool for GHI #512s
• implemented improved draft of regression tools from GHI Add regression test for CEP-5 shlock usage pattern #512
• fixed usage comments
• fixed regressions in style (SC2016)
• fixed literal '\n'
• fixed cascade failure fall through for better clarity
• defensive cleaning (reduce risk of shellshock by ommiting export)
• corrected name to match project conventions better
• better handling of script matches
• added fix for false negitives when comments described the defect
  • also error-codes should be more useful while debugging now

Changes in file tests/check_CEP5_regression.bash:
Additions with file tests/check_CEP5_regression.bash:

• implemented improved draft of regression tools from GHI Add regression test for CEP-5 shlock usage pattern #512
• fixed regressions in style (SC2016)

Changes in file tests/check_codecov:

• refactor to align with CEP-5
• fixed CEP-5 regression

Changes in file tests/check_coverage_helper:
Additions with file tests/check_coverage_helper:

• Resolved regressions from bad pre-flight tests
• Related changes
• Refactored to use default datafiles while running, and collect afterwards
• Improved stability slightly
• Improved coverage support slightly
• fix for quoting regression in helper
• resolved linting issues.
• related changes.
• improved shlock usage stability slightly in helper script
• implemented new helper script for makefile test-* targets
• Implemented new coverage helper tool for makefile to invoke testing

Changes in file tests/check_integration_coverage:

• version bump
• stability fixes
• slight improvement to skip some additional steps after an early failure
• refactor to align with CEP-5
• Improved the test script to handle more edge-cases where python3 is missing or unset.
• fixed CEP-5 regression

Changes in file tests/check_pip:

• refactor to align with CEP-5
• fixed CEP-5 regression
• related version bumps
• fix for regression

Changes in file tests/check_spelling:

• refactor to align with CEP-5
• minor comment about undocumented exit code 64
• fixed CEP-5 regression

Changes in file tests/context.py:

• added aditional details on handling imports with CWE-758 mitigations.
• updated copyright year to 2026

Changes in file tests/init.py:

• Refactored docstrings slightly.
• Fixed FLK-D204
• updated copyright year to 2026

Changes in file tests/MulticastUDPClient.py:

• updated copyright year to 2026

Changes in file tests/profiling.py:

• Suppressed some PY-D0003 to reduce noise for performance test code linting.
• Related changes
• Added some trivial docstrings to test code to resolve some PY-D0003
• updated copyright year to 2026

Changes in file tests/requirements.txt:

• Version bumped related development extras
• version bump wheels to =>0.46.2
• version bump for pip
• version bump
• version bumps
• version bump pip to resovle CVE-2026-1703
• updated copyright year to 2026
• related version bumps
• related changes

Changes in file tests/run_selective.py:

• updated copyright to include whole date range from 2025
• updated copyright year to 2026

Changes in file tests/test_basic.py:

• Fixed propper noun 'MacOS' -> 'macOS' (:see_no_evil: Sorry Apple)
• updated copyright year to 2026

Changes in file tests/test_build.py:

• Resolve PYL-E0601
• resolve PY-D0002 by adding class docstrings
• related style tweaks
• Improved stability by improved handling
• Workaround for venv to allow creation of virtual envs
• updated copyright year to 2026
• fix for venv permission regression

Changes in file tests/test_deps.py:

• Resolve PYL-E0601
• improved stability and relaxed permissions as with other venv tests.
• updated copyright year to 2026

Changes in file tests/test_exceptions.py:

• resolved PLY-W0105 by simplifying docstring to a comment
• updated copyright year to 2026

Changes in file tests/test_extra.py:

• updated copyright to include whole date range from 2025
• updated copyright year to 2026

Changes in file tests/test_fuzz.py:

• resolved PLY-W0105 by simplifying docstring to a comment
• updated copyright year to 2026

Changes in file tests/test_hear_cleanup.py:

• resolved PLY-W0105 by simplifying docstring to a comment
• updated copyright year to 2026

Changes in file tests/test_hear_data_processing.py:

• updated copyright year to 2026

Changes in file tests/test_hear_keyboard_interrupt.py:

• resolved PLY-W0105 by simplifying docstring to a comment
• Fixed FLK-D204
• updated copyright year to 2026

Changes in file tests/test_hear_server_activate.py:

• improved testing of hear server initialization/cleanup for edge-cases.
• Fixed FLK-D204
• de/re-indented for style
• added comment about nested try-except around import
• added a few more tests
• add suppression comment to pass statement to resolve false PYL-W0107 flagging of a test fixture.
• updated copyright year to 2026
• refactor to test fixed empty initialization logic
• fix broken test of init with no address given

Changes in file tests/test_hear_server.py:

• resolve PY-D0002 by adding class docstrings
• updated copyright year to 2026

Changes in file tests/test_manifest.py:

• updated copyright to include whole date range from 2025
• Resolve PYL-E0601
• resolve PY-D0002 by adding class docstrings
• Improved stability with better handling
• Workaround for venv to allow creation of virtual envs
• updated copyright year to 2026
• fix for venv permission regression

Changes in file tests/test_recv.py:

• updated copyright to include whole date range from 2025
• updated copyright year to 2026

Changes in file tests/test_usage.py:

• removed extra space from docstring to resolve FLK-D210
• added a related comment about imports
• updated copyright year to 2026
• removed confusing implicit string concatenation in a list

Changes in file tox.ini:

• softlink LICENSE
• Revert soft-linking logic.
• related refactoring for tox based testing
• now works with new makefile scripts
• now create missing directory in setup
• copy generate_manifest script into test env

Full Changelog: stable...master

---

Summary by CodeRabbit

• New Features
  • Issue enrichment with auto-planning, expanded review/labeling guidance and docs-dependency review; automated manifest generation
• Chores
  • Version bumped to 2.1.1; updated build/test/docs dependency pins; widespread CI/workflow/tool upgrades, tighter gating and concurrency; modernized build/makeflow; contributing and issue templates revised; copyright years updated
• Bug Fixes
  • More defensive server initialization and logging
• Tests
  • New test helpers, regression checks and initialization tests added
• Documentation
  • Multiple docs updated and clarified (including CI/docs guidance)

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/profiling.py (1)

233-255: 🛠️ Refactor suggestion | 🟠 Major

Add short docstrings to nested wrappers instead of suppressing PY-D0003.

At Line 233, Line 234, Line 253, and Line 254, the nested functions are still undocumented and currently rely on skipcq: PY-D0003. Please add concise CEP-7-style docstrings and drop those suppressions.

Suggested patch

-		def inner(func):  # skipcq: PY-D0003
-			def profiled_func(*args, **kwargs):  # skipcq: PY-D0003
+		def inner(func):
+			"""Wrap and return a line-profiled callable."""
+			def profiled_func(*args, **kwargs):
+				"""Execute `func` under LineProfiler and print collected stats."""
 				try:
 					profiler = LineProfiler()
 					profiler.add_function(func)
@@
-		def inner(func):  # skipcq: PY-D0003
-			def nothing(*args, **kwargs):  # skipcq: PY-D0003
+		def inner(func):
+			"""Return a no-op profiling wrapper when LineProfiler is unavailable."""
+			def nothing(*args, **kwargs):
+				"""Execute and return `func` unchanged."""
 				return func(*args, **kwargs)

Reference: https://peps.python.org/pep-0257/
As per coding guidelines, "undocumented function definitions and class definitions in the project's Python code are assumed incomplete" and docstrings should align with CEP-7.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/profiling.py` around lines 233 - 255, The nested wrapper functions lack
docstrings and currently use skipcq: PY-D0003; update the nested functions
inner, profiled_func (inside do_profile when LineProfiler is available) and
inner, nothing (inside the ImportError fallback) to include concise
CEP-7/PEP-257 style one-line docstrings describing their role (e.g., "Wraps and
profiles the wrapped function" and "Pass-through wrapper for non-profiling
mode"), then remove the skipcq: PY-D0003 suppressions for those definitions so
they are documented according to project guidelines.

♻️ Duplicate comments (5)

tests/test_manifest.py (1)

124-128: ⚠️ Potential issue | 🟠 Major

Move assertion outside the finally block.

The assertion on line 128 is inside the finally block. While theBuildtxt is correctly initialized to None before the try (avoiding UnboundLocalError), placing assertions in finally blocks is problematic:

1. finally blocks are for cleanup logic only
2. If checkPythonCommand raises an exception, this assertion will also fail (since theBuildtxt remains None), and the AssertionError will mask the original exception

📝 Proposed fix

 		try:
 			theBuildtxt = context.checkPythonCommand(build_arguments, stderr=subprocess.STDOUT)
 		finally:
 			os.umask(original_umask)  # Restore the original umask
-			self.assertIsNotNone(theBuildtxt, f"Failed with {build_arguments} in relaxed state")
+		self.assertIsNotNone(theBuildtxt, f"Failed with {build_arguments} in relaxed state")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_manifest.py` around lines 124 - 128, The assertion on theBuildtxt
is inside the finally block which should be reserved for cleanup (restoring
original_umask); move the self.assertIsNotNone(theBuildtxt, f"Failed with
{build_arguments} in relaxed state") out of the finally and place it immediately
after the try/finally so any exception from context.checkPythonCommand is not
masked; keep the os.umask(original_umask) call inside the finally and ensure
theBuildtxt variable (initialized to None before the try) is used in the
post-finally assertion.

tests/test_build.py (1)

107-111: ⚠️ Potential issue | 🟠 Major

Move assertion outside the finally block.

Same issue as in tests/test_manifest.py: the assertion on line 111 is inside the finally block. While theBuildtxt is correctly initialized to None before the try (avoiding UnboundLocalError), placing assertions in finally blocks masks original exceptions when the command fails.

📝 Proposed fix

 		try:
 			theBuildtxt = context.checkPythonCommand(build_arguments, stderr=subprocess.STDOUT)
 		finally:
 			os.umask(original_umask)  # Restore the original umask
-			self.assertIsNotNone(theBuildtxt, f"Failed with {build_arguments} in relaxed state")
+		self.assertIsNotNone(theBuildtxt, f"Failed with {build_arguments} in relaxed state")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_build.py` around lines 107 - 111, The assertion for theBuildtxt is
currently inside the finally block which masks original exceptions; move the
self.assertIsNotNone(theBuildtxt, f"Failed with {build_arguments} in relaxed
state") out of the finally and place it immediately after the try/finally
completes (i.e., after restoring os.umask) so that the try block runs
context.checkPythonCommand(build_arguments, stderr=subprocess.STDOUT) and any
exceptions from that call are preserved; keep the os.umask(original_umask) call
inside the finally to ensure cleanup, and reference theBuildtxt,
build_arguments, context.checkPythonCommand and original_umask when making the
change.

tests/test_hear_server_activate.py (2)

147-150: ⚠️ Potential issue | 🟡 Minor

Register cleanup immediately after server creation to avoid leak-on-assertion paths.

At Line 147, Line 162, Line 176, and Line 184, server_close() is only reached if assertions pass. If an assertion fails first, sockets remain open in the test process.

Reference: https://docs.python.org/3/library/unittest.html#unittest.TestCase.addCleanup

🔧 Suggested fix

 	def test_initialization_with_valid_address(self):
 		...
 		server = multicast.hear.McastServer(('224.0.0.1', self._the_test_port), None)
+		self.addCleanup(server.server_close)
 		self.assertIsInstance(server, multicast.hear.McastServer)
 		self.assertIsInstance(server, socketserver.UDPServer)
-		server.server_close()  # Clean up

 	def test_initialization_with_logger_name(self):
 		...
 		server = multicast.hear.McastServer(test_addr, None)
+		self.addCleanup(server.server_close)
 		self.assertIsNotNone(server.logger)
 		self.assertTrue(server.logger.name.endswith('239.0.0.9'))
-		server.server_close()  # Clean up

 	def test_initialization_without_address(self):
 		...
 		server = multicast.hear.McastServer(None, None)
+		self.addCleanup(server.server_close)
 		self.assertIsNotNone(server.logger)
 		...
-		server.server_close()  # Clean up

 		server = multicast.hear.McastServer((), None)
+		self.addCleanup(server.server_close)
 		self.assertIsNotNone(server.logger)
 		...
-		server.server_close()  # Clean up

Also applies to: 162-166, 176-190

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_hear_server_activate.py` around lines 147 - 150, After creating
the McastServer instance (multicast.hear.McastServer in the test), immediately
register a cleanup with the test harness (use
self.addCleanup(server.server_close)) so the socket is always closed even if
subsequent assertions fail; do this right after server =
multicast.hear.McastServer(...) in the test methods that currently call
server.server_close() at the end (replace or keep the final explicit close but
ensure addCleanup is added immediately after creation).

---

164-164: ⚠️ Potential issue | 🟠 Major

Logger-name assertions are overly platform-specific and can fail on Windows CI.

At Line 164 and Lines 178-189, strict suffix/equality checks assume resolved bind address behavior that is not stable across OS socket stacks. This makes the tests portability-fragile.

Reference:

• Python socket docs: https://docs.python.org/3/library/socket.html
• Python socketserver docs: https://docs.python.org/3/library/socketserver.html

🔧 Suggested fix (portable assertion pattern)

-		self.assertTrue(server.logger.name.endswith('239.0.0.9'))
+		self.assertTrue(
+			server.logger.name.startswith("multicast.hear.McastServer."),
+			f"Unexpected logger name: {server.logger.name}",
+		)

 		...
-		self.assertEqual(
-			server.logger.name,
-			f"multicast.hear.McastServer.{multicast._MCAST_DEFAULT_GROUP}"
-		)
+		self.assertTrue(
+			server.logger.name.startswith("multicast.hear.McastServer."),
+			f"Unexpected logger name: {server.logger.name}",
+		)

 		...
-		self.assertEqual(
-			server.logger.name,
-			f"multicast.hear.McastServer.{multicast._MCAST_DEFAULT_GROUP}"
-		)
+		self.assertTrue(
+			server.logger.name.startswith("multicast.hear.McastServer."),
+			f"Unexpected logger name: {server.logger.name}",
+		)

#!/bin/bash
# Verify this portability risk is reachable in current repo state.

# 1) Confirm Windows is part of CI matrix.
rg -n "windows-latest|windows" .github/workflows -g "*.yml" -C2

# 2) Confirm strict logger assertions are present in this test file.
rg -n "logger\.name\.endswith\('239\.0\.0\.9'\)|logger\.name,\s*$|_MCAST_DEFAULT_GROUP" tests/test_hear_server_activate.py -C2

# 3) Inspect logger derivation/bind flow in server implementation.
rg -n "def _sync_logger|def server_bind|getsockname|server_address" multicast/hear.py -C4

As per coding guidelines, "Prioritize portability over clarity, especially when dealing with cross-Python compatibility."

Also applies to: 178-189

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_hear_server_activate.py` at line 164, The test's strict
logger-name checks are platform-fragile; update the assertions in
tests/test_hear_server_activate.py to use a portable pattern (e.g., check that
server.logger.name contains or matches the multicast group string rather than
equals/endswith) — replace assertions like
server.logger.name.endswith('239.0.0.9') and any exact-equality checks with a
containment or regex match against _MCAST_DEFAULT_GROUP (or the literal
"239.0.0.9"), or alternatively assert that server.server_address /
server.socket.getsockname() reports the expected multicast group, so the tests
tolerate OS-specific logger name formatting.

.github/workflows/Tests.yml (1)

848-848: ⚠️ Potential issue | 🟠 Major

Matrix job output is still non-deterministic across legs.

Line 848 still maps a matrix-job output (integration_upload_artifact_outcome) from a shared output key. In matrix jobs, reused output keys can be overwritten by the last finishing leg, so this value is not reliably representative.

Reference: https://docs.github.com/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idoutputs

In GitHub Actions matrix jobs, when `jobs.<job_id>.outputs` uses the same output name for every matrix leg, which leg’s value is retained and what is the recommended way to aggregate per-leg outcomes?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/Tests.yml at line 848, The workflow maps a matrix-job
output into a single shared key (integration_upload_artifact_outcome) so the
last-finishing matrix leg overwrites the value; change each matrix leg to emit a
uniquely-named output (e.g., integration_upload_artifact_outcome_${{ matrix.<id>
}}) from the step producing outcome (steps.integration-reports-upload.outcome)
and then add an aggregator job that reads all per-leg outputs via
needs.<matrix_job>.outputs to deterministically collect/aggregate results;
update any consumers to reference the aggregated output instead of the single
shared key.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/Tests.yml:
- Line 130: The workflow uses the incorrect credential input name for the
actions/checkout step: replace the unsupported "github-token" input with the
documented "token" input for the checkout action (update the step that currently
sets github-token: ${{ env.GH_TOKEN }} to use token: ${{ env.GH_TOKEN }});
search for any other occurrences of "github-token" in the workflow and rename
them to "token" so actions/checkout receives the intended credential.

In `@README.md`:
- Line 31: The badge anchor in README.md currently links to the repository
homepage; update the anchor href around the OSSF-Scorecard badge markdown so it
points to the OSSF Scorecard viewer for this repo instead (replace the current
https://github.com/reactive-firewall-org/multicast URL with the OSSF Scorecard
viewer URL for reactive-firewall-org/multicast), keeping the existing image
alt/text and badge image URL unchanged.

---

Outside diff comments:
In `@tests/profiling.py`:
- Around line 233-255: The nested wrapper functions lack docstrings and
currently use skipcq: PY-D0003; update the nested functions inner, profiled_func
(inside do_profile when LineProfiler is available) and inner, nothing (inside
the ImportError fallback) to include concise CEP-7/PEP-257 style one-line
docstrings describing their role (e.g., "Wraps and profiles the wrapped
function" and "Pass-through wrapper for non-profiling mode"), then remove the
skipcq: PY-D0003 suppressions for those definitions so they are documented
according to project guidelines.

---

Duplicate comments:
In @.github/workflows/Tests.yml:
- Line 848: The workflow maps a matrix-job output into a single shared key
(integration_upload_artifact_outcome) so the last-finishing matrix leg
overwrites the value; change each matrix leg to emit a uniquely-named output
(e.g., integration_upload_artifact_outcome_${{ matrix.<id> }}) from the step
producing outcome (steps.integration-reports-upload.outcome) and then add an
aggregator job that reads all per-leg outputs via needs.<matrix_job>.outputs to
deterministically collect/aggregate results; update any consumers to reference
the aggregated output instead of the single shared key.

In `@tests/test_build.py`:
- Around line 107-111: The assertion for theBuildtxt is currently inside the
finally block which masks original exceptions; move the
self.assertIsNotNone(theBuildtxt, f"Failed with {build_arguments} in relaxed
state") out of the finally and place it immediately after the try/finally
completes (i.e., after restoring os.umask) so that the try block runs
context.checkPythonCommand(build_arguments, stderr=subprocess.STDOUT) and any
exceptions from that call are preserved; keep the os.umask(original_umask) call
inside the finally to ensure cleanup, and reference theBuildtxt,
build_arguments, context.checkPythonCommand and original_umask when making the
change.

In `@tests/test_hear_server_activate.py`:
- Around line 147-150: After creating the McastServer instance
(multicast.hear.McastServer in the test), immediately register a cleanup with
the test harness (use self.addCleanup(server.server_close)) so the socket is
always closed even if subsequent assertions fail; do this right after server =
multicast.hear.McastServer(...) in the test methods that currently call
server.server_close() at the end (replace or keep the final explicit close but
ensure addCleanup is added immediately after creation).
- Line 164: The test's strict logger-name checks are platform-fragile; update
the assertions in tests/test_hear_server_activate.py to use a portable pattern
(e.g., check that server.logger.name contains or matches the multicast group
string rather than equals/endswith) — replace assertions like
server.logger.name.endswith('239.0.0.9') and any exact-equality checks with a
containment or regex match against _MCAST_DEFAULT_GROUP (or the literal
"239.0.0.9"), or alternatively assert that server.server_address /
server.socket.getsockname() reports the expected multicast group, so the tests
tolerate OS-specific logger name formatting.

In `@tests/test_manifest.py`:
- Around line 124-128: The assertion on theBuildtxt is inside the finally block
which should be reserved for cleanup (restoring original_umask); move the
self.assertIsNotNone(theBuildtxt, f"Failed with {build_arguments} in relaxed
state") out of the finally and place it immediately after the try/finally so any
exception from context.checkPythonCommand is not masked; keep the
os.umask(original_umask) call inside the finally and ensure theBuildtxt variable
(initialized to None before the try) is used in the post-finally assertion.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7a079ce and 0ef0696.

📒 Files selected for processing (8)

• .github/workflows/Tests.yml
• README.md
• tests/profiling.py
• tests/test_build.py
• tests/test_deps.py
• tests/test_hear_server.py
• tests/test_hear_server_activate.py
• tests/test_manifest.py

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/actions/check-control/action.yml (1)

64-88: ⚠️ Potential issue | 🔴 Critical

Invalid type and options keys in composite action inputs.

The type: choice and options keys (lines 70-74 for status, lines 81-88 for conclusion) are only valid for workflow_dispatch inputs in workflow files, not for composite action inputs. Composite actions do not support typed/choice inputs - they only accept string values.

This causes the actionlint parsing error: "unexpected key 'options' for definition of input 'conclusion'".

🔧 Proposed fix: Remove unsupported keys

   status:
     description: |
       The check's status. See 'https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28#update-a-check-run'
       for documentation.
     default: 'completed'
     required: false
-    type: choice
-    options:
-      - queued
-      - in_progress
-      - completed
   conclusion:
     description: |
       The check's conclusion. See 'https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28#update-a-check-run'
       for documentation.
     default: ''
     required: false
-    type: choice
-    options:
-      - cancelled
-      - failure
-      - neutral
-      - success
-      - skipped
-      - timed_out

Consider documenting the valid values in the description instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/actions/check-control/action.yml around lines 64 - 88, The inputs
'status' and 'conclusion' in the composite action currently use unsupported keys
("type: choice" and "options"); remove the unsupported keys from both input
definitions (delete the type: choice and options: [...] blocks for the status
and conclusion inputs) and keep them as simple string inputs (retain or adjust
the default values if needed); instead, enumerate the allowed/expected values in
each input's description for documentation and to avoid the actionlint
"unexpected key 'options'" parsing error.

♻️ Duplicate comments (1)

tests/test_hear_server_activate.py (1)

147-150: ⚠️ Potential issue | 🟡 Minor

Ensure cleanup always runs and avoid masking test failures.

server.server_close() currently depends on reaching the end of the method (or can dereference None in finally), so assertion/construction failures can leak sockets or hide the real error. Register cleanup immediately after construction and let exceptions fail naturally.

Proposed fix

 	def test_initialization_with_valid_address(self):
 		"""
 		Test multicast server initialization with a valid address.
@@
 		server = multicast.hear.McastServer(('224.0.0.1', self._the_test_port), None)
+		self.addCleanup(server.server_close)
 		self.assertIsInstance(server, multicast.hear.McastServer)
 		self.assertIsInstance(server, socketserver.UDPServer)
-		server.server_close()  # Clean up
 
 	def test_initialization_with_logger_name(self):
@@
 		test_addr = ('239.0.0.9', self._the_test_port)
 		server = multicast.hear.McastServer(test_addr, None)
+		self.addCleanup(server.server_close)
 		self.assertIsNotNone(server.logger)
 		self.assertTrue(server.logger.name.endswith('239.0.0.9'))
-		server.server_close()  # Clean up
 
 	def test_initialization_without_address(self):
@@
 		host_test_fixtures = [None, (), (None, self._the_test_port)]
 		_fail_fixture: str = "An expected logger was missing for the McastServer instance"
 		for host_test_fixture in host_test_fixtures:
 			with self.subTest(host_test_fixture=host_test_fixture):
-				server = None
-				_test_server_logger_name_cache = None
-				try:
-					server = multicast.hear.McastServer(host_test_fixture, None)
-					self.assertIsNotNone(server.logger, _fail_fixture)
-					_test_server_logger_name_cache = server.logger.name
-				except Exception as _cause:
-					context.debugtestError(_cause)
-				finally:
-					server.server_close()  # Clean up
+				server = multicast.hear.McastServer(host_test_fixture, None)
+				self.addCleanup(server.server_close)
+				self.assertIsNotNone(server.logger, _fail_fixture)
+				_test_server_logger_name_cache = server.logger.name
 				# assert to actually test
 				self.assertEqual(
 					_test_server_logger_name_cache,
 					f"multicast.hear.McastServer.{multicast._MCAST_DEFAULT_GROUP}",  # skipcq: PYL-W0212
 				)  # skipcq: PYL-W0212 - Test OK

Also applies to: 161-165, 181-190

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_hear_server_activate.py` around lines 147 - 150, Create the
McastServer, then immediately register its cleanup with
self.addCleanup(server.server_close) before running assertions so socket cleanup
always runs even if assertions fail; update the three occurrences that construct
multicast.hear.McastServer (the blocks using server =
multicast.hear.McastServer(...), assertions that check isinstance(server,
multicast.hear.McastServer) and isinstance(server, socketserver.UDPServer), and
the current server.server_close() calls) to remove direct server.server_close()
calls and instead rely on addCleanup(server.server_close) right after
construction.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coveragerc:
- Line 10: Update the .coveragerc to use the additive option exclude_also (not
exclude_lines) only if the project will run with coverage.py >= 7.2.0: change
any mention or use of exclude_lines where you intended to add patterns to
instead use exclude_also, and ensure the project dependency (or CI/test env)
pins or documents coverage.py 7.2.0+ so the additive behavior is supported;
verify the new exclude_also entries produce combined (default + custom)
exclusions rather than replacing defaults.

In @.github/actions/check-control/action.yml:
- Around line 326-329: The check creation curl flags use single-quoted strings
for 'output[summary]=${RAW_CHECK_SUMMARY_INPUT}' and
'output[text]=${RAW_CHECK_TEXT_INPUT}', preventing shell expansion; update those
flags in the action.yml step to use double quotes (e.g., -f
"output[summary]=${RAW_CHECK_SUMMARY_INPUT}" and -f
"output[text]=${RAW_CHECK_TEXT_INPUT}") so the RAW_CHECK_SUMMARY_INPUT and
RAW_CHECK_TEXT_INPUT variables are expanded before being sent to the GitHub API.
- Around line 358-361: In the complete_check step the output form fields are
wrapped in single quotes which prevents shell variable expansion; locate the -f
arguments that set 'output[summary]=${RAW_CHECK_SUMMARY_INPUT}' and
'output[text]=${RAW_CHECK_TEXT_INPUT}' (in the complete_check step) and replace
the single quotes with double quotes so the shell expands
RAW_CHECK_SUMMARY_INPUT and RAW_CHECK_TEXT_INPUT (i.e., change
'output[summary]=${RAW_CHECK_SUMMARY_INPUT}' and
'output[text]=${RAW_CHECK_TEXT_INPUT}' to use double quotes).

In @.github/workflows/Tests.yml:
- Line 158: Review and confirm the intended parallelism for the workflow jobs
(COVERAGE, DOCTESTS, INTEGRATION, EXTRAS-FOR-PIP) and update their max-parallel
values to match available runner capacity and desired concurrency; specifically
check the three occurrences where max-parallel is set (for COVERAGE and DOCTESTS
currently 3, INTEGRATION 4, EXTRAS-FOR-PIP 1) and either adjust the numeric
values to respect resource limits or document/justify them in the workflow
comment so they are intentional.

In `@Makefile`:
- Around line 180-184: The Makefile uses a shell variable DO_FAIL set on one
recipe line and invoked on subsequent lines (e.g., target MANIFEST.in and test
targets like just-test, test-mat-doctests, test-mat-*, test-extra, test-extra-*,
test-fuzzing, test-perf), but because each recipe line runs in its own shell
that assignment doesn't persist, masking failures; fix by replacing the
multi-line DO_FAIL pattern with an immediate failure check on the same recipe
line (use "|| exit N" or "|| { echo ...; exit N; }" as appropriate) so that
tests like the MANIFEST.in rule and every affected test-* target exit with the
correct status without relying on cross-line shell variable scope.

---

Outside diff comments:
In @.github/actions/check-control/action.yml:
- Around line 64-88: The inputs 'status' and 'conclusion' in the composite
action currently use unsupported keys ("type: choice" and "options"); remove the
unsupported keys from both input definitions (delete the type: choice and
options: [...] blocks for the status and conclusion inputs) and keep them as
simple string inputs (retain or adjust the default values if needed); instead,
enumerate the allowed/expected values in each input's description for
documentation and to avoid the actionlint "unexpected key 'options'" parsing
error.

---

Duplicate comments:
In `@tests/test_hear_server_activate.py`:
- Around line 147-150: Create the McastServer, then immediately register its
cleanup with self.addCleanup(server.server_close) before running assertions so
socket cleanup always runs even if assertions fail; update the three occurrences
that construct multicast.hear.McastServer (the blocks using server =
multicast.hear.McastServer(...), assertions that check isinstance(server,
multicast.hear.McastServer) and isinstance(server, socketserver.UDPServer), and
the current server.server_close() calls) to remove direct server.server_close()
calls and instead rely on addCleanup(server.server_close) right after
construction.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 0ef0696 and 898c19d.

📒 Files selected for processing (15)

• .codecov.yml
• .coveragerc
• .github/actions/check-control/action.yml
• .github/workflows/CI-MATs.yml
• .github/workflows/Tests.yml
• Makefile
• README.md
• docs/requirements.txt
• multicast/hear.py
• multicast/recv.py
• pyproject.toml
• requirements.txt
• tests/check_coverage_helper
• tests/requirements.txt
• tests/test_hear_server_activate.py

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/actions/check-control/action.yml (1)

197-203: ⚠️ Potential issue | 🟠 Major

Use the provided workflow-run-id when building the default details URL.

Line 202 always uses ${{ github.run_id }}. In this branch, Line 201 already confirmed inputs.workflow-run-id is set, so the generated URL should use that input instead of the caller run ID.

🔧 Proposed fix

-            printf "details_url=%s\n" 'https://github.com/reactive-firewall-org/multicast/actions/runs/${{ github.run_id }}' >> "$GITHUB_OUTPUT"
+            printf "details_url=%s\n" 'https://github.com/reactive-firewall-org/multicast/actions/runs/${{ inputs.workflow-run-id }}' >> "$GITHUB_OUTPUT"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/actions/check-control/action.yml around lines 197 - 203, The default
details URL branch incorrectly hardcodes github.run_id; update the printf that
writes details_url so it uses the provided input variable
(inputs.workflow-run-id) instead of github.run_id—i.e. replace the URL fragment
'.../actions/runs/${{ github.run_id }}' with '.../actions/runs/${{
inputs.workflow-run-id }}' in the printf that sets details_url and keep the
debug printf message that references inputs.workflow-run-id.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/check-control/action.yml:
- Around line 324-327: The group label opened with "::group::validate-summary"
is misleading for the block that validates
RAW_CHECK_TEXT_INPUT/sanitized_input_text_field; rename the opening label to
match the content (for example "::group::validate-text" or
"::group::validate-input") so the group accurately reflects the validation of
RAW_CHECK_TEXT_INPUT and sanitized_input_text_field, leaving the "::endgroup::"
unchanged.
- Around line 149-173: The tag resolution sometimes returns annotated tag object
SHAs instead of commit SHAs; update the git rev-parse calls that resolve tags
(the branch/tag resolution logic that sets resolved_sha) to dereference tags to
their commit objects by using the ^{commit} suffix when calling git rev-parse
for refs/tags (so refs/tags/$input resolves to refs/tags/$input^{commit}), and
keep the existing validated check that resolved_sha is a 40-character commit SHA
before using it with the Checks API.

---

Outside diff comments:
In @.github/actions/check-control/action.yml:
- Around line 197-203: The default details URL branch incorrectly hardcodes
github.run_id; update the printf that writes details_url so it uses the provided
input variable (inputs.workflow-run-id) instead of github.run_id—i.e. replace
the URL fragment '.../actions/runs/${{ github.run_id }}' with
'.../actions/runs/${{ inputs.workflow-run-id }}' in the printf that sets
details_url and keep the debug printf message that references
inputs.workflow-run-id.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 898c19d and 55033f7.

📒 Files selected for processing (1)

• .github/actions/check-control/action.yml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/actions/check-control/action.yml (1)

197-203: ⚠️ Potential issue | 🟡 Minor

workflow-run-id is checked but not actually used in the generated URL.

Line 201 gates on inputs.workflow-run-id, but Line 202 still builds the URL with github.run_id. That makes custom workflow-run-id inputs ineffective and can emit the wrong details link.

🔧 Proposed fix

-            printf "details_url=%s\n" 'https://github.com/reactive-firewall-org/multicast/actions/runs/${{ github.run_id }}' >> "$GITHUB_OUTPUT"
+            printf "details_url=%s\n" 'https://github.com/reactive-firewall-org/multicast/actions/runs/${{ inputs.workflow-run-id }}' >> "$GITHUB_OUTPUT"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/actions/check-control/action.yml around lines 197 - 203, The URL
generation wrongly ignores the provided inputs.workflow-run-id: when
inputs.details-url is DEFAULT and inputs.workflow-run-id is non-empty the script
still inserts github.run_id into the details_url; change the branch that handles
the workflow-run-id check so it uses the inputs.workflow-run-id value to
construct the printed URL (i.e., replace the hard-coded ${GITHUB_RUN_ID} usage
with '${{ inputs.workflow-run-id }}' in the printf that writes details_url to
$GITHUB_OUTPUT) and keep the debug message consistent (referencing
inputs.workflow-run-id); ensure inputs.details-url, inputs.workflow-run-id and
github.run_id are used in the correct branches.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/Tests.yml:
- Line 823: Fix the typo in the GitHub Actions step name by updating the step
label string "Summarize Syle-Tests" to the correct "Summarize Style-Tests"
wherever the workflow step name is defined (the string used as the step's name
in the YAML); ensure the change is applied to the step that summarizes style
tests so logs and UI show the corrected "Style" spelling.

---

Outside diff comments:
In @.github/actions/check-control/action.yml:
- Around line 197-203: The URL generation wrongly ignores the provided
inputs.workflow-run-id: when inputs.details-url is DEFAULT and
inputs.workflow-run-id is non-empty the script still inserts github.run_id into
the details_url; change the branch that handles the workflow-run-id check so it
uses the inputs.workflow-run-id value to construct the printed URL (i.e.,
replace the hard-coded ${GITHUB_RUN_ID} usage with '${{ inputs.workflow-run-id
}}' in the printf that writes details_url to $GITHUB_OUTPUT) and keep the debug
message consistent (referencing inputs.workflow-run-id); ensure
inputs.details-url, inputs.workflow-run-id and github.run_id are used in the
correct branches.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 55033f7 and 48e34fb.

📒 Files selected for processing (2)

• .github/actions/check-control/action.yml
• .github/workflows/Tests.yml

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/Tests.yml:
- Around line 808-822: The "Evaluate Style-Tests" step (id: styletests_outcome)
contains verbose bash logic to evaluate steps.style.outcome; replace the
multi-line if/then that sets THE_RESULT and exits with a single direct check on
steps.style.outcome and return the appropriate exit status (i.e., exit 0 for
success, non-zero otherwise) to simplify the block while preserving behavior;
update the run script for the styletests_outcome step to use the condensed
conditional referencing steps.style.outcome.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 48e34fb and cb2df10.

📒 Files selected for processing (2)

• .github/workflows/Tests.yml
• tests/check_coverage_helper