chore(agentops): onboard policy federation artifacts #838
KooshaPari wants to merge 10 commits into main from
Co-authored-by: Codex <noreply@openai.com>
Sync harness/task-domain policy onboarding artifacts into cliproxyapi++. Co-authored-by: Codex <noreply@openai.com>
Walkthrough
Adds two GitHub Actions workflows and a security scan script; updates CI required-checks and minor workflow guards; and deletes a large set of spec-kitty documentation, prompt files, mission templates, ignore/config files, and multiple task/acceptance Python modules and shims.
Sequence Diagram(s)
sequenceDiagram
participant Dev as Developer (push/PR)
participant GH as GitHub Actions
participant Airlock as airlock/actions
participant Repo as Repository
participant Upstream as Upstream Remote
participant PreCommit as pre-commit/action (ggshield/codespell)
Note over Dev,GH: Main Pipeline (push)
Dev->>GH: push event
GH->>Airlock: run rebase step
Airlock-->>Repo: apply rebase/commits
GH->>Airlock: lint/format & generate patch
Airlock-->>Repo: commit fixes / create patch
GH->>Airlock: freeze/describe/document/update-docs
GH->>GH: run tests
GH->>Upstream: gated push (requires approval)
GH->>Upstream: create PR
Note over Dev,PreCommit: Security Guard (pull_request / push)
Dev->>GH: pull_request / push event
GH->>PreCommit: checkout + run pre-commit hooks
PreCommit-->>GH: report failures/diffs
Estimated code review effort: 🎯 5 (Critical) | ⏱️ ~120 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (1 warning)
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the repository's development infrastructure by introducing automated CI/CD workflows and robust security checks. It streamlines the integration of new code, ensures adherence to quality standards, and proactively identifies potential security vulnerabilities, thereby improving overall code health and operational efficiency.
Code Review
This pull request adds new configuration files for an Airlock workflow and a security guard script. While no vulnerabilities meeting the required severity threshold were identified, it's important to address a security risk in the Airlock workflow where GitHub Actions are using the main branch; it's recommended to pin them to specific commit SHAs. Additionally, a bug was found in the security-guard.sh script where filenames with spaces are not handled correctly, and a more robust implementation is suggested.
| steps: | ||
| # Rebase onto upstream to handle drift | ||
| - name: rebase | ||
| uses: airlock-hq/airlock/defaults/rebase@main |
For security and stability, it's recommended to pin GitHub Actions to a specific commit SHA instead of a branch like main. Using a branch means the action can change without notice, potentially breaking your workflow or introducing malicious code. Please replace @main with a full-length commit SHA.
uses: airlock-hq/airlock/defaults/rebase@<commit-sha>|
|
||
| # Run linters and formatters, auto-fix issues | ||
| - name: lint | ||
| uses: airlock-hq/airlock/defaults/lint@main |
For security and stability, it's recommended to pin GitHub Actions to a specific commit SHA instead of a branch like main. Using a branch means the action can change without notice, potentially breaking your workflow or introducing malicious code. Please replace @main with a full-length commit SHA.
uses: airlock-hq/airlock/defaults/lint@<commit-sha>|
|
||
| # Generate PR title and description from the diff | ||
| - name: describe | ||
| uses: airlock-hq/airlock/defaults/describe@main |
For security and stability, it's recommended to pin GitHub Actions to a specific commit SHA instead of a branch like main. Using a branch means the action can change without notice, potentially breaking your workflow or introducing malicious code. Please replace @main with a full-length commit SHA.
uses: airlock-hq/airlock/defaults/describe@<commit-sha>|
|
||
| # Update documentation to reflect changes | ||
| - name: document | ||
| uses: airlock-hq/airlock/defaults/document@main |
For security and stability, it's recommended to pin GitHub Actions to a specific commit SHA instead of a branch like main. Using a branch means the action can change without notice, potentially breaking your workflow or introducing malicious code. Please replace @main with a full-length commit SHA.
uses: airlock-hq/airlock/defaults/document@<commit-sha>|
|
||
| # Run tests | ||
| - name: test | ||
| uses: airlock-hq/airlock/defaults/test@main |
For security and stability, it's recommended to pin GitHub Actions to a specific commit SHA instead of a branch like main. Using a branch means the action can change without notice, potentially breaking your workflow or introducing malicious code. Please replace @main with a full-length commit SHA.
uses: airlock-hq/airlock/defaults/test@<commit-sha>|
|
||
| # Push changes to upstream (pauses for user approval first) | ||
| - name: push | ||
| uses: airlock-hq/airlock/defaults/push@main |
For security and stability, it's recommended to pin GitHub Actions to a specific commit SHA instead of a branch like main. Using a branch means the action can change without notice, potentially breaking your workflow or introducing malicious code. Please replace @main with a full-length commit SHA.
uses: airlock-hq/airlock/defaults/push@<commit-sha>|
|
||
| # Create pull/merge request | ||
| - name: create-pr | ||
| uses: airlock-hq/airlock/defaults/create-pr@main |
For security and stability, it's recommended to pin GitHub Actions to a specific commit SHA instead of a branch like main. Using a branch means the action can change without notice, potentially breaking your workflow or introducing malicious code. Please replace @main with a full-length commit SHA.
uses: airlock-hq/airlock/defaults/create-pr@<commit-sha>| changed_files=$(git diff --cached --name-only --diff-filter=ACM || true) | ||
| if [ -z "${changed_files}" ]; then | ||
| changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true) | ||
| fi | ||
|
|
||
| if [ -n "${changed_files}" ]; then | ||
| echo "[security-guard] Running optional codespell fast pass" | ||
| echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true | ||
| fi |
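Review bot: the trailing `|| true` on the codespell pipeline (last line of this hunk) also swallows the case where `codespell` is not installed on the runner, so the "fast pass" would silently do nothing instead of reporting the missing tool. If the pass is meant to stay optional, check `command -v codespell` first and print an explicit skip message; if it is meant to gate, drop the `|| true` so codespell's exit status reaches the guard.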
The current method of piping filenames to xargs is not robust as it will fail for filenames containing spaces. It's better to read the files into an array and then pass them to codespell. This ensures that filenames are handled correctly.
| changed_files=$(git diff --cached --name-only --diff-filter=ACM || true) | |
| if [ -z "${changed_files}" ]; then | |
| changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true) | |
| fi | |
| if [ -n "${changed_files}" ]; then | |
| echo "[security-guard] Running optional codespell fast pass" | |
| echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true | |
| fi | |
| changed_files_list=$(git diff --cached --name-only --diff-filter=ACM || true) | |
| if [ -z "${changed_files_list}" ]; then | |
| changed_files_list=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true) | |
| fi | |
| if [ -n "${changed_files_list}" ]; then | |
| echo "[security-guard] Running optional codespell fast pass" | |
| files_to_check=() | |
| while IFS= read -r file; do | |
| case "$file" in | |
| *.md|*.txt|*.py|*.ts|*.tsx|*.js|*.go|*.rs|*.kt|*.java|*.yaml|*.yml) | |
| files_to_check+=("$file") | |
| ;; | |
| esac | |
| done <<< "${changed_files_list}" | |
| if [ ${#files_to_check[@]} -gt 0 ]; then | |
| codespell -q 2 -L "hte,teh" "${files_to_check[@]}" || true | |
| fi | |
| fi |
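Review bot: the replacement relies on bash-only constructs (the `files_to_check=()` array, `+=`, and the `<<<` here-string in `done <<< "${changed_files_list}"`), so it works only if security-guard.sh is executed by bash rather than `sh`; confirm the shebang, or accumulate the paths with `set -- "$@" "$file"` inside the loop and call `codespell ... "$@"` for a POSIX-portable version. The `case` pattern list matches the same extensions as the original grep, so dropping the pipeline loses nothing.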
Pull request overview
Adds repository-level automation artifacts intended for AgentOps onboarding by introducing security guard CI checks and an Airlock pipeline configuration, while removing a large set of previously committed Spec Kitty/Kittify mission templates, prompts, and editor workflow files.
Changes:
- Add a GitHub Actions “Security Guard” workflow to run pre-commit checks on PRs and pushes.
- Add a security-guard.sh helper script for secret scanning (ggshield) and optional codespell.
- Remove various .kittify/, .kilocode/, .cursor/, and .github/prompts/ mission templates and workflow prompt artifacts.
Reviewed changes
Copilot reviewed 104 out of 117 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| .kittify/scripts/tasks/task_helpers.py | Removed legacy Spec Kitty helper re-export module. |
| .kittify/scripts/tasks/acceptance_support.py | Removed legacy acceptance support script wrapper. |
| .kittify/scripts/debug-dashboard-scan.py | Removed standalone dashboard scan debug script. |
| .kittify/missions/software-dev/templates/tasks-template.md | Removed software-dev tasks template. |
| .kittify/missions/software-dev/templates/task-prompt-template.md | Removed software-dev task prompt template. |
| .kittify/missions/software-dev/templates/spec-template.md | Removed software-dev spec template. |
| .kittify/missions/software-dev/templates/plan-template.md | Removed software-dev plan template. |
| .kittify/missions/software-dev/mission.yaml | Removed software-dev mission definition. |
| .kittify/missions/software-dev/command-templates/review.md | Removed software-dev review command template. |
| .kittify/missions/software-dev/command-templates/plan.md | Removed software-dev plan command template. |
| .kittify/missions/software-dev/command-templates/implement.md | Removed software-dev implement command template. |
| .kittify/missions/software-dev/command-templates/dashboard.md | Removed software-dev dashboard command template. |
| .kittify/missions/software-dev/command-templates/clarify.md | Removed software-dev clarify command template. |
| .kittify/missions/software-dev/command-templates/analyze.md | Removed software-dev analyze command template. |
| .kittify/missions/software-dev/command-templates/accept.md | Removed software-dev accept command template. |
| .kittify/missions/research/templates/tasks-template.md | Removed research tasks template. |
| .kittify/missions/research/templates/task-prompt-template.md | Removed research task prompt template. |
| .kittify/missions/research/templates/spec-template.md | Removed research spec template. |
| .kittify/missions/research/templates/research/source-register.csv | Removed research source-register template CSV. |
| .kittify/missions/research/templates/research/evidence-log.csv | Removed research evidence-log template CSV. |
| .kittify/missions/research/templates/research-template.md | Removed research decision-log template. |
| .kittify/missions/research/templates/plan-template.md | Removed research plan template. |
| .kittify/missions/research/templates/data-model-template.md | Removed research data-model template. |
| .kittify/missions/research/mission.yaml | Removed research mission definition. |
| .kittify/missions/research/command-templates/tasks.md | Removed research tasks command template. |
| .kittify/missions/research/command-templates/specify.md | Removed research specify command template. |
| .kittify/missions/research/command-templates/review.md | Removed research review command template. |
| .kittify/missions/research/command-templates/plan.md | Removed research plan command template. |
| .kittify/missions/research/command-templates/implement.md | Removed research implement command template. |
| .kittify/missions/documentation/templates/tasks-template.md | Removed documentation tasks template. |
| .kittify/missions/documentation/templates/task-prompt-template.md | Removed documentation task prompt template. |
| .kittify/missions/documentation/templates/spec-template.md | Removed documentation spec template. |
| .kittify/missions/documentation/templates/release-template.md | Removed documentation release template. |
| .kittify/missions/documentation/templates/generators/sphinx-conf.py.template | Removed Sphinx generator template. |
| .kittify/missions/documentation/templates/generators/jsdoc.json.template | Removed JSDoc generator template. |
| .kittify/missions/documentation/templates/divio/tutorial-template.md | Removed Divio tutorial template. |
| .kittify/missions/documentation/templates/divio/reference-template.md | Removed Divio reference template. |
| .kittify/missions/documentation/templates/divio/howto-template.md | Removed Divio how-to template. |
| .kittify/missions/documentation/templates/divio/explanation-template.md | Removed Divio explanation template. |
| .kittify/missions/documentation/mission.yaml | Removed documentation mission definition. |
| .kittify/missions/documentation/command-templates/tasks.md | Removed documentation tasks command template. |
| .kittify/missions/documentation/command-templates/specify.md | Removed documentation specify command template. |
| .kittify/metadata.yaml | Removed Spec Kitty metadata file. |
| .kittify/.dashboard | Removed local dashboard state file. |
| .kilocode/workflows/spec-kitty.status.md | Removed kilocode status workflow prompt. |
| .kilocode/workflows/spec-kitty.review.md | Removed kilocode review workflow prompt. |
| .kilocode/workflows/spec-kitty.research.md | Removed kilocode research workflow prompt. |
| .kilocode/workflows/spec-kitty.plan.md | Removed kilocode plan workflow prompt. |
| .kilocode/workflows/spec-kitty.implement.md | Removed kilocode implement workflow prompt. |
| .kilocode/workflows/spec-kitty.dashboard.md | Removed kilocode dashboard workflow prompt. |
| .kilocode/workflows/spec-kitty.clarify.md | Removed kilocode clarify workflow prompt. |
| .kilocode/workflows/spec-kitty.analyze.md | Removed kilocode analyze workflow prompt. |
| .kilocode/workflows/spec-kitty.accept.md | Removed kilocode accept workflow prompt. |
| .github/workflows/security-guard.yml | Added CI workflow to run pre-commit guard checks. |
| .github/scripts/security-guard.sh | Added helper script for ggshield scan + optional codespell. |
| .github/prompts/spec-kitty.status.prompt.md | Removed GitHub prompt artifact for spec-kitty status. |
| .github/prompts/spec-kitty.review.prompt.md | Removed GitHub prompt artifact for spec-kitty review. |
| .github/prompts/spec-kitty.research.prompt.md | Removed GitHub prompt artifact for spec-kitty research. |
| .github/prompts/spec-kitty.plan.prompt.md | Removed GitHub prompt artifact for spec-kitty plan. |
| .github/prompts/spec-kitty.implement.prompt.md | Removed GitHub prompt artifact for spec-kitty implement. |
| .github/prompts/spec-kitty.dashboard.prompt.md | Removed GitHub prompt artifact for spec-kitty dashboard. |
| .github/prompts/spec-kitty.clarify.prompt.md | Removed GitHub prompt artifact for spec-kitty clarify. |
| .github/prompts/spec-kitty.analyze.prompt.md | Removed GitHub prompt artifact for spec-kitty analyze. |
| .github/prompts/spec-kitty.accept.prompt.md | Removed GitHub prompt artifact for spec-kitty accept. |
| .github/copilot-instructions.md | Removed repository Copilot instruction file. |
| .cursorignore | Removed Cursor ignore rules file. |
| .cursor/commands/spec-kitty.status.md | Removed Cursor command file for spec-kitty status. |
| .cursor/commands/spec-kitty.review.md | Removed Cursor command file for spec-kitty review. |
| .cursor/commands/spec-kitty.research.md | Removed Cursor command file for spec-kitty research. |
| .cursor/commands/spec-kitty.plan.md | Removed Cursor command file for spec-kitty plan. |
| .cursor/commands/spec-kitty.implement.md | Removed Cursor command file for spec-kitty implement. |
| .cursor/commands/spec-kitty.dashboard.md | Removed Cursor command file for spec-kitty dashboard. |
| .cursor/commands/spec-kitty.clarify.md | Removed Cursor command file for spec-kitty clarify. |
| .cursor/commands/spec-kitty.analyze.md | Removed Cursor command file for spec-kitty analyze. |
| .cursor/commands/spec-kitty.accept.md | Removed Cursor command file for spec-kitty accept. |
| .claudeignore | Removed Claude ignore rules file. |
| .airlock/workflows/main.yml | Added Airlock workflow configuration. |
|
|
||
| if [ -n "${changed_files}" ]; then | ||
| echo "[security-guard] Running optional codespell fast pass" | ||
| echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true |
xargs -r is not supported by BSD xargs (default on macOS), so this script will fail for contributors running it locally on macOS. To keep it portable, remove -r and instead guard the codespell invocation by checking for at least one matching file before calling xargs (or use a POSIX-compatible alternative).
| echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true | |
| spell_files=$(printf '%s\n' "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' || true) | |
| if [ -n "${spell_files}" ]; then | |
| printf '%s\n' "${spell_files}" | xargs codespell -q 2 -L "hte,teh" || true | |
| fi |
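Review bot: this still feeds newline-separated names through `xargs`, so the filename-with-spaces problem raised earlier in the thread remains, and `xargs` will additionally mangle names containing quotes or backslashes. Both GNU and BSD xargs accept `-0`, so `git diff --name-only -z ...` piped into `xargs -0` is portable, as is collecting the names into the shell's positional parameters and calling `codespell` directly when `$#` is non-zero; either way, keep the `[ -n "${spell_files}" ]` guard, since `codespell` with no file arguments scans the whole working tree.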
| branches: | ||
| - "**" |
The push trigger already runs on all branches by default; setting branches: [\"**\"] is redundant and can be confusing. Consider removing the branches filter entirely, or narrowing it to the branches you actually want guarded (e.g., main/release branches) to reduce noisy/duplicative CI runs.
| branches: | |
| - "**" |
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Run pre-commit guard checks | ||
| uses: pre-commit/action@v3.0.1 |
For supply-chain hardening, GitHub recommends pinning third-party actions to a full commit SHA rather than a mutable tag (even version tags). Consider pinning both actions/checkout and pre-commit/action to specific SHAs (optionally with a comment noting the corresponding version) to reduce the risk of compromised upstream tags.
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run pre-commit guard checks | |
| uses: pre-commit/action@v3.0.1 | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run pre-commit guard checks | |
| uses: pre-commit/action@78975d1f3bc84d3494a7653960a6c4a88c507d4c # v3.0.1 |
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Run pre-commit guard checks | ||
| uses: pre-commit/action@v3.0.1 |
For supply-chain hardening, GitHub recommends pinning third-party actions to a full commit SHA rather than a mutable tag (even version tags). Consider pinning both actions/checkout and pre-commit/action to specific SHAs (optionally with a comment noting the corresponding version) to reduce the risk of compromised upstream tags.
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run pre-commit guard checks | |
| uses: pre-commit/action@v3.0.1 | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run pre-commit guard checks | |
| uses: pre-commit/action@2c2c18c48066f0f5eeb1c6fba5880a0c44c12a2f # v3.0.1 |
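Review bot: this suggestion pins `pre-commit/action` v3.0.1 to `2c2c18c4…`, while the earlier suggestion on the same lines pins the same tag to `78975d1f…`; at most one of them is the commit the tag resolves to. Resolve the tag yourself before adopting either (`git ls-remote --tags https://github.com/pre-commit/action v3.0.1`, taking the peeled `^{}` line if the tag is annotated), and verify the `actions/checkout` SHA the same way, since a wrong SHA fails the workflow and a SHA copied from an untrusted source defeats the purpose of pinning.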
| steps: | ||
| # Rebase onto upstream to handle drift | ||
| - name: rebase | ||
| uses: airlock-hq/airlock/defaults/rebase@main |
These uses: references point to @main, which is a moving target and can introduce non-reproducible runs and supply-chain risk. Pin these steps to a tagged release or commit SHA for determinism and safer upgrades.
|
|
||
| # Generate PR title and description from the diff | ||
| - name: describe | ||
| uses: airlock-hq/airlock/defaults/describe@main |
These uses: references point to @main, which is a moving target and can introduce non-reproducible runs and supply-chain risk. Pin these steps to a tagged release or commit SHA for determinism and safer upgrades.
|
|
||
| # Update documentation to reflect changes | ||
| - name: document | ||
| uses: airlock-hq/airlock/defaults/document@main |
These uses: references point to @main, which is a moving target and can introduce non-reproducible runs and supply-chain risk. Pin these steps to a tagged release or commit SHA for determinism and safer upgrades.
|
|
||
| # Run tests | ||
| - name: test | ||
| uses: airlock-hq/airlock/defaults/test@main |
These uses: references point to @main, which is a moving target and can introduce non-reproducible runs and supply-chain risk. Pin these steps to a tagged release or commit SHA for determinism and safer upgrades.
|
|
||
| # Push changes to upstream (pauses for user approval first) | ||
| - name: push | ||
| uses: airlock-hq/airlock/defaults/push@main |
These uses: references point to @main, which is a moving target and can introduce non-reproducible runs and supply-chain risk. Pin these steps to a tagged release or commit SHA for determinism and safer upgrades.
|
|
||
| # Create pull/merge request | ||
| - name: create-pr | ||
| uses: airlock-hq/airlock/defaults/create-pr@main |
These uses: references point to @main, which is a moving target and can introduce non-reproducible runs and supply-chain risk. Pin these steps to a tagged release or commit SHA for determinism and safer upgrades.
Co-authored-by: Codex <noreply@openai.com>
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.airlock/workflows/main.yml:
- Around line 16-45: Replace all uses entries that reference
airlock-hq/airlock/defaults/*@main with immutable commit SHAs; locate the steps
named "lint", "freeze", "describe", "document", "test", "push", and "create-pr"
which currently use airlock-hq/airlock/defaults/<name>@main and update each uses
value to airlock-hq/airlock/defaults/<name>@<commit-sha> (the precise SHA for
the desired release), ensuring you pin every action ref so no `@main` references
remain.
In @.github/required-checks.txt:
- Around line 2-6: The required-checks list is missing the security workflow;
either add the entry "security-guard.yml|guard" to .github/required-checks.txt
so branch protection recognizes the security-guard workflow, or if that workflow
is not intended as a required check, update documentation/PR description to
state it is optional and remove any implicit expectation; locate the filename
.github/required-checks.txt and add the exact string security-guard.yml|guard
(or explicitly document the decision) to resolve the mismatch.
In @.github/scripts/security-guard.sh:
- Line 28: The current pipeline uses plain newline-separated piping from the
changed_files variable which can split filenames containing spaces/tabs; make
the command produce and consume null-delimited filenames instead: ensure
changed_files is printed with null separators and switch grep and xargs to
null-safe modes (use grep -z -E and xargs -0 -r) so codespell receives each full
filename intact; update the pipeline surrounding changed_files, grep -E, xargs
-r and codespell to use null-delimiters and preserve whitespace in filenames.
- Around line 23-24: The current changed_files assignment only diffs
HEAD~1..HEAD and misses multi-commit pushes; update the logic that sets the
changed_files variable so it computes a proper base ref via git merge-base
(e.g., using git merge-base --fork-point or git merge-base with the remote
branch) and then runs git diff --name-only <base>..HEAD; keep a safe fallback to
the original HEAD~1..HEAD if merge-base fails. Modify the assignment that
currently invokes git diff --name-only HEAD~1..HEAD to first determine base
(using git merge-base/--fork-point against the target branch) and use that base
for the git diff between <base>..HEAD to populate changed_files.
In @.github/workflows/security-guard.yml:
- Around line 3-8: The workflow is triggered twice because both pull_request and
push (with branches: - "**") overlap; to fix, remove or narrow the push trigger
so only one event runs the workflow—either delete the push block entirely or
replace branches: - "**" with a specific branch list (e.g., main) or add an
explicit condition (if: github.event_name == 'push' && github.ref ==
'refs/heads/main'); update the YAML by modifying the on: section (specifically
the pull_request and push keys and the branches: - "**" entry) accordingly.
- Line 23: Replace the mutable action reference "uses: pre-commit/action@v3.0.1"
with a pinned full commit SHA for pre-commit/action (e.g., "uses:
pre-commit/action@<commit-sha>") to satisfy supply-chain best practices; keep
the original tag (v3.0.1) in a comment immediately above or beside the pinned
SHA for auditability and future maintenance. Ensure the commit SHA corresponds
to the same release you intended and update any workflow documentation if
needed.
ℹ️ Review info
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
⛔ Files ignored due to path filters (2)
- .kittify/missions/research/templates/research/evidence-log.csv is excluded by !**/*.csv
- .kittify/missions/research/templates/research/source-register.csv is excluded by !**/*.csv
📒 Files selected for processing (116)
💤 Files with no reviewable changes (99)
- .cursor/commands/spec-kitty.merge.md
- .github/prompts/spec-kitty.research.prompt.md
- .cursor/commands/spec-kitty.tasks.md
- .github/prompts/spec-kitty.dashboard.prompt.md
- .kittify/missions/research/command-templates/plan.md
- .cursor/commands/spec-kitty.constitution.md
- .cursorignore
- .kittify/missions/software-dev/mission.yaml
- .kittify/missions/documentation/templates/divio/reference-template.md
- .kittify/missions/software-dev/command-templates/constitution.md
- .kittify/missions/documentation/command-templates/implement.md
- .kittify/missions/research/command-templates/tasks.md
- .kittify/missions/research/templates/task-prompt-template.md
- .kittify/missions/software-dev/templates/task-prompt-template.md
- .kittify/missions/documentation/mission.yaml
- .github/prompts/spec-kitty.analyze.prompt.md
- .github/prompts/spec-kitty.merge.prompt.md
- .kittify/missions/research/templates/spec-template.md
- .github/prompts/spec-kitty.tasks.prompt.md
- .github/prompts/spec-kitty.implement.prompt.md
- .kittify/missions/research/command-templates/implement.md
- .github/prompts/spec-kitty.specify.prompt.md
- .claudeignore
- .kilocode/workflows/spec-kitty.status.md
- .cursor/commands/spec-kitty.status.md
- .kittify/missions/documentation/templates/generators/jsdoc.json.template
- .kittify/missions/documentation/templates/spec-template.md
- .kittify/missions/research/mission.yaml
- .kittify/missions/software-dev/templates/spec-template.md
- .kilocode/workflows/spec-kitty.checklist.md
- .cursor/commands/spec-kitty.analyze.md
- .github/prompts/spec-kitty.checklist.prompt.md
- .kilocode/workflows/spec-kitty.plan.md
- .kilocode/workflows/spec-kitty.tasks.md
- .kittify/.dashboard
- .kittify/missions/research/templates/plan-template.md
- .kilocode/workflows/spec-kitty.accept.md
- .cursor/commands/spec-kitty.checklist.md
- .github/copilot-instructions.md
- .kittify/missions/documentation/templates/task-prompt-template.md
- .kittify/missions/documentation/command-templates/plan.md
- .kilocode/workflows/spec-kitty.constitution.md
- .kittify/missions/software-dev/command-templates/merge.md
- .cursor/commands/spec-kitty.dashboard.md
- .kittify/missions/documentation/templates/divio/tutorial-template.md
- .cursor/commands/spec-kitty.specify.md
- .kittify/missions/documentation/templates/tasks-template.md
- .kittify/missions/software-dev/command-templates/tasks.md
- .cursor/commands/spec-kitty.plan.md
- .kittify/missions/research/command-templates/specify.md
- .kittify/missions/software-dev/command-templates/dashboard.md
- .kittify/missions/software-dev/command-templates/plan.md
- .kilocode/workflows/spec-kitty.implement.md
- .cursor/commands/spec-kitty.clarify.md
- .kittify/missions/documentation/command-templates/tasks.md
- .kilocode/workflows/spec-kitty.dashboard.md
- .kittify/missions/software-dev/command-templates/checklist.md
- .kittify/missions/software-dev/command-templates/specify.md
- .kittify/missions/research/templates/research-template.md
- .cursor/commands/spec-kitty.review.md
- .github/prompts/spec-kitty.plan.prompt.md
- .kittify/scripts/tasks/acceptance_support.py
- .kittify/metadata.yaml
- .kittify/missions/documentation/templates/plan-template.md
- .kittify/missions/software-dev/command-templates/accept.md
- .kilocode/workflows/spec-kitty.merge.md
- .github/prompts/spec-kitty.accept.prompt.md
- .kittify/missions/research/command-templates/review.md
- .kittify/scripts/tasks/acceptance_core.py
- .kittify/missions/software-dev/templates/tasks-template.md
- .kittify/missions/documentation/templates/divio/explanation-template.md
- .kittify/missions/documentation/templates/release-template.md
- .github/prompts/spec-kitty.review.prompt.md
- .kittify/missions/documentation/command-templates/review.md
- .kittify/missions/documentation/templates/generators/sphinx-conf.py.template
- .cursor/commands/spec-kitty.accept.md
- .kittify/missions/documentation/command-templates/specify.md
- .kilocode/workflows/spec-kitty.review.md
- .kittify/missions/research/command-templates/merge.md
- .kittify/missions/research/templates/data-model-template.md
- .github/prompts/spec-kitty.clarify.prompt.md
- .kilocode/workflows/spec-kitty.analyze.md
- .github/prompts/spec-kitty.constitution.prompt.md
- .kilocode/workflows/spec-kitty.research.md
- .kittify/missions/software-dev/command-templates/analyze.md
- .kittify/missions/software-dev/command-templates/clarify.md
- .kittify/missions/software-dev/templates/plan-template.md
- .kittify/missions/software-dev/command-templates/review.md
- .kittify/missions/documentation/templates/divio/howto-template.md
- .kittify/scripts/tasks/task_helpers.py
- .github/prompts/spec-kitty.status.prompt.md
- .kittify/missions/research/templates/tasks-template.md
- .kittify/scripts/tasks/task_helpers_shared.py
- .kittify/missions/software-dev/command-templates/implement.md
- .cursor/commands/spec-kitty.research.md
- .kilocode/workflows/spec-kitty.specify.md
- .kittify/scripts/debug-dashboard-scan.py
- .kilocode/workflows/spec-kitty.clarify.md
- .cursor/commands/spec-kitty.implement.md
📜 Review details
🔇 Additional comments (1)
.github/required-checks.txt (1)
5-5: The required check string `Analyze (Go)` in `.github/required-checks.txt` exactly matches the workflow job names declared in `.github/workflows/codeql.yml`. No action needed.
| uses: airlock-hq/airlock/defaults/rebase@main | ||
|
|
||
| # Run linters and formatters, auto-fix issues | ||
| - name: lint | ||
| uses: airlock-hq/airlock/defaults/lint@main | ||
|
|
||
| # Commit auto-fix patches and lock the worktree | ||
| - name: freeze | ||
| run: airlock exec freeze | ||
|
|
||
| # Generate PR title and description from the diff | ||
| - name: describe | ||
| uses: airlock-hq/airlock/defaults/describe@main | ||
|
|
||
| # Update documentation to reflect changes | ||
| - name: document | ||
| uses: airlock-hq/airlock/defaults/document@main | ||
|
|
||
| # Run tests | ||
| - name: test | ||
| uses: airlock-hq/airlock/defaults/test@main | ||
|
|
||
| # Push changes to upstream (pauses for user approval first) | ||
| - name: push | ||
| uses: airlock-hq/airlock/defaults/push@main | ||
| require-approval: true | ||
|
|
||
| # Create pull/merge request | ||
| - name: create-pr | ||
| uses: airlock-hq/airlock/defaults/create-pr@main |
There was a problem hiding this comment.
Pin Airlock action references to immutable SHAs (not @main).
Using @main allows upstream changes to alter behavior without review. Pin each action ref to a commit SHA for reproducibility and supply-chain hardening.
Suggested change
- uses: airlock-hq/airlock/defaults/rebase@main
+ uses: airlock-hq/airlock/defaults/rebase@<commit-sha>
...
- uses: airlock-hq/airlock/defaults/lint@main
+ uses: airlock-hq/airlock/defaults/lint@<commit-sha>
...
- uses: airlock-hq/airlock/defaults/describe@main
+ uses: airlock-hq/airlock/defaults/describe@<commit-sha>
...
- uses: airlock-hq/airlock/defaults/document@main
+ uses: airlock-hq/airlock/defaults/document@<commit-sha>
...
- uses: airlock-hq/airlock/defaults/test@main
+ uses: airlock-hq/airlock/defaults/test@<commit-sha>
...
- uses: airlock-hq/airlock/defaults/push@main
+ uses: airlock-hq/airlock/defaults/push@<commit-sha>
...
- uses: airlock-hq/airlock/defaults/create-pr@main
+ uses: airlock-hq/airlock/defaults/create-pr@<commit-sha>
#!/usr/bin/env bash
set -euo pipefail
rg -n 'uses:\s*airlock-hq/airlock/defaults/.+@main' .airlock/workflows/main.yml
Expected after fix: no matches.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.airlock/workflows/main.yml around lines 16 - 45, Replace all uses entries
that reference airlock-hq/airlock/defaults/*@main with immutable commit SHAs;
locate the steps named "lint", "freeze", "describe", "document", "test", "push",
and "create-pr" which currently use airlock-hq/airlock/defaults/<name>@main and
update each uses value to airlock-hq/airlock/defaults/<name>@<commit-sha> (the
precise SHA for the desired release), ensuring you pin every action ref so no
`@main` references remain.
| pr-test-build.yml|build | ||
| pr-path-guard.yml|ensure-no-translator-changes | ||
| required-check-names-guard.yml|verify-required-check-names | ||
| codeql.yml|Analyze (Go) | ||
| docs.yml|Build Docs |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/usr/bin/env bash
set -euo pipefail
echo "Required checks file:"
cat .github/required-checks.txt
echo
echo "Security Guard workflow exists:"
test -f .github/workflows/security-guard.yml && echo "yes" || echo "no"
echo
echo "Is security-guard required?"
rg -n '^security-guard\.yml\|guard$' .github/required-checks.txt || echo "missing"
Repository: KooshaPari/cliproxyapi-plusplus
Length of output: 369
Add security-guard.yml|guard to required-checks.txt or clarify intent.
The security-guard.yml workflow exists but is not listed in .github/required-checks.txt. If this workflow is intended to gate merges as a branch protection requirement, it must be added to the file. If it's not meant to be required, please clarify.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/required-checks.txt around lines 2 - 6, The required-checks list is
missing the security workflow; either add the entry "security-guard.yml|guard"
to .github/required-checks.txt so branch protection recognizes the
security-guard workflow, or if that workflow is not intended as a required
check, update documentation/PR description to state it is optional and remove
any implicit expectation; locate the filename .github/required-checks.txt and
add the exact string security-guard.yml|guard (or explicitly document the
decision) to resolve the mismatch.
| changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true) | ||
| fi |
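Review bot: the `2>/dev/null || true` on this fallback (first line of the hunk) makes the guard fail open: on a shallow checkout or an initial commit `HEAD~1` does not resolve, `changed_files` stays empty, and the later `if [ -n "${changed_files}" ]` gate skips the spell pass with no message. Suggest logging when the diff could not be computed (or scanning the tracked files of interest in that case) so an empty list is a visible state rather than a silent pass.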
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
Use a merge-base diff fallback instead of only HEAD~1..HEAD.
This fallback only scans the last commit, so multi-commit pushes can skip files.
Suggested change
- changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
+ if [ -n "${GITHUB_BASE_REF:-}" ] && git rev-parse --verify "origin/${GITHUB_BASE_REF}" >/dev/null 2>&1; then
+ changed_files=$(git diff --name-only "origin/${GITHUB_BASE_REF}...HEAD" || true)
+ else
+ changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
+ fi
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true) | |
| fi | |
| if [ -n "${GITHUB_BASE_REF:-}" ] && git rev-parse --verify "origin/${GITHUB_BASE_REF}" >/dev/null 2>&1; then | |
| changed_files=$(git diff --name-only "origin/${GITHUB_BASE_REF}...HEAD" || true) | |
| else | |
| changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true) | |
| fi | |
| fi |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/scripts/security-guard.sh around lines 23 - 24, The current
changed_files assignment only diffs HEAD~1..HEAD and misses multi-commit pushes;
update the logic that sets the changed_files variable so it computes a proper
base ref via git merge-base (e.g., using git merge-base --fork-point or git
merge-base with the remote branch) and then runs git diff --name-only
<base>..HEAD; keep a safe fallback to the original HEAD~1..HEAD if merge-base
fails. Modify the assignment that currently invokes git diff --name-only
HEAD~1..HEAD to first determine base (using git merge-base/--fork-point against
the target branch) and use that base for the git diff between <base>..HEAD to
populate changed_files.
|
|
||
| if [ -n "${changed_files}" ]; then | ||
| echo "[security-guard] Running optional codespell fast pass" | ||
| echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true |
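Review bot: the trailing `|| true` on the codespell line (last line of the hunk) makes the pass advisory only: spelling findings and also a missing `codespell` binary both exit 0. That matches the "optional" wording in the echo above it, but it leaves a broken install indistinguishable from a clean run; suggest checking `command -v codespell` before the pipeline and logging when it is absent so the optional step cannot silently become a no-op.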
There was a problem hiding this comment.
Harden codespell file passing to avoid path-splitting bugs.
Current piping can split filenames containing spaces/tabs before codespell.
Suggested change
- echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true
+ echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r -d '\n' codespell -q 2 -L "hte,teh" || true
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true | |
| echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r -d '\n' codespell -q 2 -L "hte,teh" || true |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/scripts/security-guard.sh at line 28, The current pipeline uses
plain newline-separated piping from the changed_files variable which can split
filenames containing spaces/tabs; make the command produce and consume
null-delimited filenames instead: ensure changed_files is printed with null
separators and switch grep and xargs to null-safe modes (use grep -z -E and
xargs -0 -r) so codespell receives each full filename intact; update the
pipeline surrounding changed_files, grep -E, xargs -r and codespell to use
null-delimiters and preserve whitespace in filenames.
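The two security-guard.sh findings above (the `HEAD~1..HEAD`-only fallback and the whitespace-splitting codespell handoff, also repeated in the duplicate comments further down) worked through as an added shell example, not code from the PR or from CodeRabbit: `resolve_changed_files` follows the reviewer's merge-base suggestion, and `select_spellcheck_targets` hands filenames to `xargs -0` NUL-delimited. The changed-file list is constructed and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the PR or CodeRabbit): the two security-guard.sh
# findings, worked through as functions that can be tested in isolation.
set -eu

# Changed files for the guard: diff against the merge-base with the PR's
# target branch when GITHUB_BASE_REF is set (so every commit of a multi-commit
# push is covered), else fall back to the last commit only. Needs a git
# checkout with enough history (fetch-depth: 0); not exercised by the demo.
resolve_changed_files() {
  local base=""
  if [ -n "${GITHUB_BASE_REF:-}" ] \
     && git rev-parse --verify "origin/${GITHUB_BASE_REF}" >/dev/null 2>&1; then
    base=$(git merge-base "origin/${GITHUB_BASE_REF}" HEAD 2>/dev/null || true)
  fi
  if [ -n "$base" ]; then
    git diff --name-only "${base}..HEAD" || true
  else
    git diff --name-only HEAD~1..HEAD 2>/dev/null || true
  fi
}

# Read newline-separated paths on stdin and emit the spell-check candidates
# NUL-terminated. A NUL can never occur inside a filename, so paths with
# spaces, tabs or quotes reach xargs -0 as single arguments.
select_spellcheck_targets() {
  local path
  while IFS= read -r path || [ -n "$path" ]; do
    [ -n "$path" ] || continue
    case "$path" in
      *.md|*.txt|*.py|*.ts|*.tsx|*.js|*.go|*.rs|*.kt|*.java|*.yaml|*.yml)
        printf '%s\0' "$path" ;;
    esac
  done
}

# How many arguments the original pipeline hands to the tool: xargs without
# -0 splits on whitespace, so "docs/release notes.md" becomes two arguments.
naive_arg_count() {
  printf '%s\n' "$1" \
    | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' \
    | xargs sh -c 'echo "$#"' _
}

# Same count with the NUL-delimited handoff: one argument per file.
safe_arg_count() {
  printf '%s\n' "$1" | select_spellcheck_targets | xargs -0 sh -c 'echo "$#"' _
}

# The hardened codespell step as it would appear in the guard script.
spellcheck_changed_files() {
  printf '%s\n' "$1" | select_spellcheck_targets \
    | xargs -0 -r codespell -q 2 -L "hte,teh" || true
}

# Constructed changed-file list (not real PR output); note the space in the
# second path.
CHANGED_FILES='README.md
docs/release notes.md
.github/scripts/security-guard.sh
pkg/llmproxy/usage/metrics.go
image.png'

echo "arguments with whitespace splitting: $(naive_arg_count "$CHANGED_FILES")"
echo "arguments with NUL delimiting:       $(safe_arg_count "$CHANGED_FILES")"
```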
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| push: | ||
| branches: | ||
| - "**" |
There was a problem hiding this comment.
Avoid duplicate executions from overlapping triggers.
With pull_request plus push on **, a PR branch update runs this workflow twice (once per event).
Suggested change
on:
pull_request:
types: [opened, synchronize, reopened]
- push:
- branches:
- - "**"
+ push:
+ branches:
+ - main
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| push: | |
| branches: | |
| - "**" | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| push: | |
| branches: | |
| - main |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/security-guard.yml around lines 3 - 8, The workflow is
triggered twice because both pull_request and push (with branches: - "**")
overlap; to fix, remove or narrow the push trigger so only one event runs the
workflow—either delete the push block entirely or replace branches: - "**" with
a specific branch list (e.g., main) or add an explicit condition (if:
github.event_name == 'push' && github.ref == 'refs/heads/main'); update the YAML
by modifying the on: section (specifically the pull_request and push keys and
the branches: - "**" entry) accordingly.
| fetch-depth: 0 | ||
|
|
||
| - name: Run pre-commit guard checks | ||
| uses: pre-commit/action@v3.0.1 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/security-guard.yml | grep -A 2 -B 2 "pre-commit/action"
Repository: KooshaPari/cliproxyapi-plusplus
Length of output: 307
🌐 Web query:
GitHub Actions pinning best practices commit SHA vs version tag
💡 Result:
Best practice: pin to a full commit SHA (preferred)
- Use a full-length commit SHA in `uses:` so the referenced action code is immutable and can't change under you (protects against retagging / moving branches). GitHub explicitly recommends this for security hardening. [1]
- Pin the SHA that corresponds to a tagged release, and keep the human-friendly version in a comment, e.g.:
  - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  This improves auditability and makes automated update tooling (like Dependabot) practical. [1]
When (and how) version tags are acceptable
- Plain tags (e.g., `@v4`, `@v4.1.7`, `@main`) are not inherently immutable—they can be moved by the publisher—so they're a weaker supply-chain posture than SHAs. [1]
- GitHub supports "immutable releases" for action publishers: if a release is made immutable, its Git tag can't be changed or deleted, making tag pinning safer when you trust the publisher and the repo is configured that way. [2]
Org/enterprise enforcement (recommended)
- GitHub Actions policy can enforce SHA pinning so workflows fail if an action isn’t pinned to a full commit SHA. [3]
Practical rule of thumb
- Security-sensitive or production workflows: pin full SHA (with a version comment). [1]
- If you must use tags for convenience: prefer tags that are backed by immutable releases, and understand it’s still a trust tradeoff vs SHAs. [2]
Sources: GitHub Well-Architected Actions Security guidance [1], GitHub Docs on immutable releases/tags [2], GitHub Changelog on SHA-pinning enforcement [3].
Pin pre-commit/action to a commit SHA.
@v3.0.1 is a mutable version tag that can be retagged by the publisher, weakening supply-chain integrity. GitHub's security guidance recommends pinning to a full commit SHA instead. For auditability, keep the version tag in a comment.
Suggested change
- uses: pre-commit/action@v3.0.1
+ uses: pre-commit/action@<full-commit-sha> # v3.0.1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/security-guard.yml at line 23, Replace the mutable action
reference "uses: pre-commit/action@v3.0.1" with a pinned full commit SHA for
pre-commit/action (e.g., "uses: pre-commit/action@<commit-sha>") to satisfy
supply-chain best practices; keep the original tag (v3.0.1) in a comment
immediately above or beside the pinned SHA for auditability and future
maintenance. Ensure the commit SHA corresponds to the same release you intended
and update any workflow documentation if needed.
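A repository-side check for the pinning finding raised here and for the Airlock `@main` refs flagged further up, as an added shell example that is not code from the PR, Airlock or CodeRabbit: it lists every `uses:` reference in a workflow file whose ref is not a full 40-hex commit SHA. The sample workflow is constructed; the checkout SHA is the one quoted in the review's web result above, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the PR, Airlock or CodeRabbit): flag workflow
# `uses:` references that are not pinned to a full commit SHA.
set -eu

# Normalise one "uses:" line to its bare ref: strip the key, surrounding
# whitespace, quotes and any trailing "# v4.1.7"-style comment.
extract_uses_ref() {
  local ref="${1#*uses:}"
  ref="${ref%%#*}"
  ref="${ref#"${ref%%[![:space:]]*}"}"
  ref="${ref%"${ref##*[![:space:]]}"}"
  ref=$(printf '%s\n' "$ref" | tr -d "\"'")
  printf '%s\n' "$ref"
}

# A ref is pinned only when the part after '@' is exactly 40 hex digits.
is_pinned_ref() {
  printf '%s\n' "$1" | grep -Eq '@[0-9a-f]{40}$'
}

# Print "<line>:<ref>" for each unpinned action reference in the file.
# Local actions (./...) and docker:// images are outside this check.
# Returns 1 when anything is unpinned so the function can gate a CI job.
find_unpinned_uses() {
  local file="$1" line ref lineno=0 found=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in *uses:*) ;; *) continue ;; esac
    ref=$(extract_uses_ref "$line")
    case "$ref" in ./*|docker://*) continue ;; esac
    if ! is_pinned_ref "$ref"; then
      printf '%s:%s\n' "$lineno" "$ref"
      found=1
    fi
  done < "$file"
  return "$found"
}

count_unpinned_uses() {
  find_unpinned_uses "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow (not a file from the PR); the checkout SHA is
# the one quoted in the review discussion above. Lines 9 and 11 are unpinned.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: sample
on: [push]
jobs:
  guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Run pre-commit guard checks
        uses: pre-commit/action@v3.0.1
      - name: rebase
        uses: airlock-hq/airlock/defaults/rebase@main
      - uses: ./.github/actions/local-step
EOF
}

# Stand-alone run: check the file given as $1, else the constructed sample.
if [ "$#" -gt 0 ]; then
  find_unpinned_uses "$1"
else
  sample=$(mktemp)
  write_sample_workflow "$sample"
  find_unpinned_uses "$sample" || echo "unpinned refs found; pin them before merging"
  rm -f "$sample"
fi
```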
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Unblocks VitePress build by removing import/registration for a component not present on this branch. Co-authored-by: Codex <noreply@openai.com>
Drops custom.css import from VitePress theme index to unblock docs bundle resolution. Co-authored-by: Codex <noreply@openai.com>
Prevents Deploy Pages failures on feature/PR branch pushes while keeping docs build validation active. Co-authored-by: Codex <noreply@openai.com>
|
@coderabbitai review |
✅ Actions performed
Review triggered.
|
|
@coderabbitai full review |
✅ Actions performed
Full review triggered. |
|
I’m currently handling blocker cleanup in PR #839; 838 and 839 are now both conflict/blocking and 839 has the broader lane scope. Suggest either (1) close 838 and continue with 839 rebased from current main, or (2) explicitly separate/focus 838 to only non-overlapping policy federation deltas and rebase before continuing. |
|
@coderabbitai full review Automated retrigger: CodeRabbit state=FAILURE, age=1127.2m (stale after 20m). |
|
However, I want to surface an earlier comment from
Recommendation: Before or after this review completes, you may want to decide on the merge strategy:
The full review will help assess the current state of this PR, but the strategic decision about how to handle the overlap with
✅ Actions performed
Full review triggered. |
There was a problem hiding this comment.
♻️ Duplicate comments (6)
.airlock/workflows/main.yml (1)
16-45: ⚠️ Potential issue | 🟠 Major
Pin Airlock action refs to immutable SHAs (not @main).
Using @main on Lines 16/20/28/32/36/40/45 makes CI behavior mutable and non-reproducible.
Suggested patch pattern
- uses: airlock-hq/airlock/defaults/rebase@main
+ uses: airlock-hq/airlock/defaults/rebase@<full-commit-sha>
...
- uses: airlock-hq/airlock/defaults/lint@main
+ uses: airlock-hq/airlock/defaults/lint@<full-commit-sha>
...
- uses: airlock-hq/airlock/defaults/describe@main
+ uses: airlock-hq/airlock/defaults/describe@<full-commit-sha>
...
- uses: airlock-hq/airlock/defaults/document@main
+ uses: airlock-hq/airlock/defaults/document@<full-commit-sha>
...
- uses: airlock-hq/airlock/defaults/test@main
+ uses: airlock-hq/airlock/defaults/test@<full-commit-sha>
...
- uses: airlock-hq/airlock/defaults/push@main
+ uses: airlock-hq/airlock/defaults/push@<full-commit-sha>
...
- uses: airlock-hq/airlock/defaults/create-pr@main
+ uses: airlock-hq/airlock/defaults/create-pr@<full-commit-sha>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.airlock/workflows/main.yml around lines 16 - 45, CI action refs use mutable `@main` tags; pin all uses entries (e.g., the steps with uses: airlock-hq/airlock/defaults/rebase@main, lint@main, describe@main, document@main, test@main, push@main, create-pr@main) to immutable commit SHAs or fixed version tags. Replace each `@main` suffix with the corresponding immutable SHA/tag for that action (maintain step names like "lint", "freeze", "describe", "document", "test", "push", "create-pr" and keep existing settings such as require-approval) so workflow runs are reproducible.
.github/scripts/security-guard.sh (2)
23-24: ⚠️ Potential issue | 🟡 Minor
Use merge-base-based fallback, not only HEAD~1..HEAD.
Line 23 only inspects the last commit, so multi-commit pushes can bypass the intended file set.
Suggested patch
- if [ -z "${changed_files}" ]; then
- changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
- fi
+ if [ -z "${changed_files}" ]; then
+ if [ -n "${GITHUB_BASE_REF:-}" ] && git rev-parse --verify "origin/${GITHUB_BASE_REF}" >/dev/null 2>&1; then
+ base="$(git merge-base "origin/${GITHUB_BASE_REF}" HEAD 2>/dev/null || true)"
+ if [ -n "${base}" ]; then
+ changed_files=$(git diff --name-only "${base}..HEAD" || true)
+ else
+ changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
+ fi
+ else
+ changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
+ fi
+ fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/scripts/security-guard.sh around lines 23 - 24, The script currently sets changed_files using "git diff --name-only HEAD~1..HEAD" which only captures the last commit; update the assignment that defines changed_files to fallback to a merge-base range (using git merge-base to compute base between origin/main (or the target branch ref) and HEAD) and run git diff --name-only <merge-base>..HEAD so all commits in the push are inspected; modify the code path around the changed_files variable assignment to compute merge_base=$(git merge-base <target-ref> HEAD) and use that in the git diff call (preserve the existing 2>/dev/null || true fallback).
28-28: ⚠️ Potential issue | 🟡 Minor
Make codespell file passing whitespace-safe.
Line 28 can split filenames containing spaces/tabs before codespell.
Suggested patch
- echo "${changed_files}" | grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' | xargs -r codespell -q 2 -L "hte,teh" || true
+ printf '%s\n' "${changed_files}" \
+ | tr '\n' '\0' \
+ | grep -z -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' \
+ | xargs -0 -r codespell -q 2 -L "hte,teh" || true
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/scripts/security-guard.sh at line 28, The current pipeline can split filenames with spaces because it pipes plain newline-delimited text through grep and xargs; change the pipeline to use NUL-separated handling: feed NUL-terminated input (e.g. printf '%s\0' "$changed_files"), use grep -zE '...\$' (or use grep -E on the text then convert to NULs), and call xargs -0 -r codespell -q 2 -L "hte,teh" || true so codespell receives filenames safely; update the line using the symbols changed_files, grep (grep -zE), and xargs (xargs -0 -r) to implement NUL-delimited processing.
.github/required-checks.txt (1)
2-6: ⚠️ Potential issue | 🟠 Major
Missing security-guard.yml|guard in required checks list.
The security guard workflow exists in this PR, but it is still not represented here. If it is intended to gate merges, this omission weakens enforcement.
Suggested patch
# workflow_file|job_name
pr-test-build.yml|build
pr-path-guard.yml|ensure-no-translator-changes
required-check-names-guard.yml|verify-required-check-names
codeql.yml|Analyze (Go)
docs.yml|Build Docs
+security-guard.yml|guard
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/required-checks.txt around lines 2 - 6, Add the missing entry for the security guard workflow to the required checks list by inserting the line "security-guard.yml|guard" into the required checks manifest (matching the same "workflow|check-name" format used by existing entries such as "pr-test-build.yml|build" and "pr-path-guard.yml|ensure-no-translator-changes"); ensure the new entry exactly matches the workflow filename and the guard job name so the security-guard workflow is enforced as a required check.
.github/workflows/security-guard.yml (2)
23-23: ⚠️ Potential issue | 🟠 Major
Pin pre-commit/action to a full commit SHA.
Line 23 uses a mutable tag (@v3.0.1). Pin to an immutable SHA for stronger supply-chain integrity.
Suggested patch
- uses: pre-commit/action@v3.0.1
+ uses: pre-commit/action@<full-commit-sha> # v3.0.1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/security-guard.yml at line 23, The workflow currently pins pre-commit/action to the mutable tag "pre-commit/action@v3.0.1"; replace that tag with the action's full immutable commit SHA (e.g., "pre-commit/action@<full-commit-sha>") to hard-pin the dependency. Locate the uses entry "pre-commit/action@v3.0.1" in the workflow and update it to the exact commit SHA from the pre-commit/action repository, then run/verify the workflow to ensure the action still works with that SHA.
3-8: ⚠️ Potential issue | 🟠 Major
Avoid duplicate executions from overlapping triggers.
With pull_request and push on ** (Lines 3–8), PR branch updates can run this workflow twice.
Suggested patch
on:
pull_request:
types: [opened, synchronize, reopened]
push:
branches:
- - "**"
+ - main
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/security-guard.yml around lines 3 - 8, The workflow is triggered twice because it uses both pull_request and push with a broad branch pattern; to fix it, remove or narrow the push trigger: either delete the push block or change its branches from "**" to only the repository's primary protected branches (e.g., "main" or "release/*"), or alternatively keep both but add a top-level conditional to skip push events originating from pull_request merges (use the push trigger only for actual branch pushes). Update the workflow's triggers (the pull_request and push entries) accordingly so PR updates don't re-run the same job triggered by push.
ℹ️ Review info
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
⛔ Files ignored due to path filters (2)
.kittify/missions/research/templates/research/evidence-log.csv is excluded by !**/*.csv
.kittify/missions/research/templates/research/source-register.csv is excluded by !**/*.csv
📒 Files selected for processing (121)
arify.md.kittify/missions/software-dev/command-templates/constitution.md.kittify/missions/software-dev/command-templates/dashboard.md.kittify/missions/software-dev/command-templates/implement.md.kittify/missions/software-dev/command-templates/merge.md.kittify/missions/software-dev/command-templates/plan.md.kittify/missions/software-dev/command-templates/review.md.kittify/missions/software-dev/command-templates/specify.md.kittify/missions/software-dev/command-templates/tasks.md.kittify/missions/software-dev/mission.yaml.kittify/missions/software-dev/templates/plan-template.md.kittify/missions/software-dev/templates/spec-template.md.kittify/missions/software-dev/templates/task-prompt-template.md.kittify/missions/software-dev/templates/tasks-template.md.kittify/scripts/debug-dashboard-scan.py.kittify/scripts/tasks/acceptance_core.py.kittify/scripts/tasks/acceptance_support.py.kittify/scripts/tasks/task_helpers.py.kittify/scripts/tasks/task_helpers_shared.py.kittify/scripts/tasks/tasks_cli.py.kittify/scripts/validate_encoding.py.llmignore.pre-commit-config.yamlAGENTS.mdCLAUDE.mdcmd/cliproxyctl/main.gocmd/cliproxyctl/main_test.godocs/.vitepress/theme/index.tsdocs/agent-policy/effective-policy.jsondocs/agent-policy/sources.jsondocs/troubleshooting.mdgo.modpkg/llmproxy/usage/metrics.gopkg/llmproxy/util/provider_alias.gopkg/llmproxy/util/provider_test.go
💤 Files with no reviewable changes (99)
- .kittify/missions/research/templates/data-model-template.md
- .kittify/missions/research/templates/spec-template.md
- .kittify/.dashboard
- .github/prompts/spec-kitty.research.prompt.md
- .cursor/commands/spec-kitty.accept.md
- .kittify/missions/documentation/templates/generators/jsdoc.json.template
- .kilocode/workflows/spec-kitty.tasks.md
- .kilocode/workflows/spec-kitty.research.md
- .github/prompts/spec-kitty.merge.prompt.md
- .kilocode/workflows/spec-kitty.review.md
- .github/prompts/spec-kitty.checklist.prompt.md
- .kittify/missions/documentation/command-templates/tasks.md
- .kittify/missions/research/mission.yaml
- .kittify/missions/research/templates/plan-template.md
- .github/prompts/spec-kitty.review.prompt.md
- .kilocode/workflows/spec-kitty.analyze.md
- .cursor/commands/spec-kitty.implement.md
- .kittify/missions/software-dev/templates/plan-template.md
- .github/prompts/spec-kitty.constitution.prompt.md
- .github/prompts/spec-kitty.implement.prompt.md
- .kittify/scripts/debug-dashboard-scan.py
- .kittify/missions/documentation/templates/task-prompt-template.md
- .kittify/missions/software-dev/command-templates/accept.md
- .kittify/missions/software-dev/command-templates/clarify.md
- .kittify/metadata.yaml
- .kittify/missions/research/templates/task-prompt-template.md
- .kittify/missions/software-dev/command-templates/dashboard.md
- .kittify/missions/research/command-templates/implement.md
- .kittify/missions/software-dev/templates/spec-template.md
- .kittify/missions/documentation/command-templates/plan.md
- .kittify/missions/documentation/templates/spec-template.md
- .kittify/missions/research/command-templates/tasks.md
- .kittify/missions/software-dev/command-templates/implement.md
- .github/prompts/spec-kitty.status.prompt.md
- .kilocode/workflows/spec-kitty.implement.md
- .cursor/commands/spec-kitty.plan.md
- .cursor/commands/spec-kitty.specify.md
- .kilocode/workflows/spec-kitty.status.md
- .kittify/missions/software-dev/command-templates/constitution.md
- .cursor/commands/spec-kitty.constitution.md
- .kilocode/workflows/spec-kitty.constitution.md
- .cursor/commands/spec-kitty.tasks.md
- .cursor/commands/spec-kitty.research.md
- .kittify/missions/documentation/command-templates/implement.md
- .cursor/commands/spec-kitty.clarify.md
- .kittify/missions/documentation/templates/divio/reference-template.md
- .cursor/commands/spec-kitty.checklist.md
- .kittify/missions/documentation/templates/generators/sphinx-conf.py.template
- .kittify/missions/software-dev/templates/tasks-template.md
- .kittify/missions/research/command-templates/review.md
- .kittify/missions/research/command-templates/merge.md
- .kittify/missions/research/templates/tasks-template.md
- .github/prompts/spec-kitty.specify.prompt.md
- .kittify/missions/software-dev/templates/task-prompt-template.md
- .kittify/missions/documentation/command-templates/specify.md
- .kittify/missions/research/command-templates/specify.md
- .kittify/missions/software-dev/command-templates/merge.md
- .kittify/scripts/tasks/task_helpers_shared.py
- .claudeignore
- .kittify/missions/documentation/templates/tasks-template.md
- .kittify/missions/documentation/templates/plan-template.md
- .cursor/commands/spec-kitty.status.md
- .cursor/commands/spec-kitty.merge.md
- .kittify/missions/software-dev/command-templates/plan.md
- .cursor/commands/spec-kitty.analyze.md
- .github/prompts/spec-kitty.tasks.prompt.md
- .kittify/missions/software-dev/command-templates/specify.md
- .kittify/scripts/tasks/acceptance_core.py
- .kittify/missions/documentation/mission.yaml
- .cursorignore
- .cursor/commands/spec-kitty.dashboard.md
- .kilocode/workflows/spec-kitty.clarify.md
- .kittify/missions/documentation/command-templates/review.md
- .github/prompts/spec-kitty.plan.prompt.md
- .kittify/missions/software-dev/mission.yaml
- .github/prompts/spec-kitty.analyze.prompt.md
- .kilocode/workflows/spec-kitty.specify.md
- .cursor/commands/spec-kitty.review.md
- .kittify/missions/research/command-templates/plan.md
- .kilocode/workflows/spec-kitty.dashboard.md
- .kittify/missions/software-dev/command-templates/review.md
- .kittify/missions/software-dev/command-templates/analyze.md
- .kittify/missions/software-dev/command-templates/tasks.md
- .github/copilot-instructions.md
- .kittify/missions/software-dev/command-templates/checklist.md
- .github/prompts/spec-kitty.dashboard.prompt.md
- .kilocode/workflows/spec-kitty.accept.md
- .github/prompts/spec-kitty.accept.prompt.md
- .kittify/missions/documentation/templates/release-template.md
- .kilocode/workflows/spec-kitty.checklist.md
- .kittify/scripts/tasks/task_helpers.py
- .kittify/missions/research/templates/research-template.md
- .kittify/scripts/tasks/acceptance_support.py
- .kittify/missions/documentation/templates/divio/howto-template.md
- .kilocode/workflows/spec-kitty.merge.md
- .kilocode/workflows/spec-kitty.plan.md
- .github/prompts/spec-kitty.clarify.prompt.md
- .kittify/missions/documentation/templates/divio/explanation-template.md
- .kittify/missions/documentation/templates/divio/tutorial-template.md
📜 Review details
🔇 Additional comments (2)
.github/workflows/pr-path-guard.yml (1)
12-12: Good improvement for check-name stability. Adding an explicit job name on Line 12 helps keep required-check mapping deterministic.
.github/workflows/docs.yml (1)
52-52: Deploy guard is correctly scoped. Line 52 properly restricts Pages deployment to `main`, reducing accidental branch deployments.
Closing this stale policy-federation lane: it now has very large structural drift (123 files, 20k+ deletions) and is conflict-heavy against current main. Please reopen as a clean replay PR if any remaining deltas are still needed.
## Scope
- Add repository-level policy federation onboarding artifacts for AgentOps.
- Include docs and extension policy sync metadata.

## Notes
Generated from shared policy package.