ROX-34007: Auto-merge MintMaker updates#19944
Skipping CI for Draft Pull Request.
Hey - I've left some high level feedback:
- The `DRY_RUN` environment variable is set in both jobs but never used; consider removing it or wiring it into the action if it's meant to affect behavior to avoid confusion.
- The workflow now uses `stackrox/actions/automerge@tm/ROX-34007-automerge-configurability` instead of a pinned commit SHA; consider pinning to a specific revision (as before) to keep the workflow deterministic and auditable.
Addressed.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #19944 +/- ##
=======================================
Coverage 49.56% 49.56%
=======================================
Files 2764 2764
Lines 208357 208357
=======================================
Hits 103269 103269
Misses 97436 97436
Partials 7652 7652
Flags with carried forward coverage won't be shown.
🚀 Build Images Ready
Images are ready for commit 220e41b. To use with deploy scripts: export MAIN_IMAGE_TAG=4.11.x-626-g220e41b021
📝 Walkthrough
Summary by CodeRabbit
Walkthrough
Adds a boolean
Changes
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/auto-merge.yml:
- Line 32: The workflow currently references the mutable ref
"stackrox/actions/automerge@tm/ROX-34007-automerge-configurability"; replace
that branch ref with the corresponding immutable commit SHA (e.g.,
"stackrox/actions/automerge@<commit-sha>") to pin the action, and update all
occurrences of that ref in the workflow (the two uses of
stackrox/actions/automerge) so both are locked to the same commit SHA.
📒 Files selected for processing (1)
.github/workflows/auto-merge.yml
- name: Checkout repository
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
- name: Run auto-merge action
  uses: stackrox/actions/automerge@tm/ROX-34007-automerge-configurability
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
ref='tm/ROX-34007-automerge-configurability'
repo='stackrox/actions'
echo "Resolved SHA for $repo@$ref:"
gh api "repos/$repo/commits/$ref" --jq '.sha'
echo "Current automerge references in workflow:"
rg -n 'stackrox/actions/automerge@' .github/workflows/auto-merge.yml
Repository: stackrox/stackrox
Length of output: 295
🏁 Script executed:
cat -n .github/workflows/auto-merge.yml | head -50
Repository: stackrox/stackrox
Length of output: 1882
🏁 Script executed:
rg -n 'stackrox/actions/automerge@' .github/workflows/auto-merge.yml
Repository: stackrox/stackrox
Length of output: 226
Pin stackrox/actions/automerge to an immutable commit SHA.
Lines 32 and 43 use the mutable branch ref tm/ROX-34007-automerge-configurability, which is a supply-chain and reproducibility risk. Branch refs can be force-pushed, causing workflows to unexpectedly execute different code without updates to the workflow file itself. These should be pinned to specific commit SHAs.
🧰 Tools
🪛 GitHub Check: style-check
[failure] 32-32: Ratchet - Unpinned Reference
.github/workflows/auto-merge.yml:32:15: The reference stackrox/actions/automerge@tm/ROX-34007-automerge-configurability is unpinned. Either pin the reference to a SHA or mark the line with ratchet:exclude.
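A stand-alone check for the pinning point raised by CodeRabbit and by the Ratchet style-check above, as an added example that is not code from the stackrox repository or from Ratchet itself: it scans workflow files for `uses:` references whose ref is not a 40-hex commit SHA, honours the `# ratchet:exclude` marker, and rewrites a reference into the `@<sha> # ratchet:<original ref>` form seen on the checkout line. The script name, the skipping of `./` and `docker://` references, and the `resolve_sha` helper are assumptions of this example; `resolve_sha` wraps the same `gh api repos/<repo>/commits/<ref> --jq '.sha'` call the review used and needs network access, so it is not exercised offline.

```bash
#!/usr/bin/env bash
# Added example, not part of the stackrox/stackrox repository or of Ratchet.
# Reports `uses:` references in GitHub Actions workflows that are not pinned
# to a full commit SHA, and helps rewrite them into the pinned form.
set -eu

# Print FILE:LINE:REF for every action reference that is not pinned to a
# 40-hex commit SHA. Lines carrying `# ratchet:exclude` are skipped, as are
# local (./path) and docker:// references, to which SHA pinning does not
# apply in the same way. Returns 1 when at least one unpinned reference exists.
check_unpinned() {
  local file="$1" rc=0 lineno=0 line ref
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      *uses:*) ;;
      *) continue ;;
    esac
    case "$line" in
      *ratchet:exclude*) continue ;;
    esac
    # Strip the "- uses:" key, any trailing comment and surrounding quotes.
    ref=$(printf '%s\n' "$line" \
      | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/^"//; s/"$//')
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    if ! printf '%s\n' "$ref" | grep -Eq '@[0-9a-f]{40}$'; then
      printf '%s:%d:%s\n' "$file" "$lineno" "$ref"
      rc=1
    fi
  done < "$file"
  return "$rc"
}

# Rewrite a mutable reference (owner/repo[/path]@branch-or-tag) into the
# pinned form used on the checkout line: the SHA replaces the ref and the
# original ref is kept in a `# ratchet:` comment so the intent stays visible.
pin_ref() {
  local ref="$1" sha="$2"
  if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "pin_ref: not a 40-hex commit SHA: $sha" >&2
    return 1
  fi
  printf '%s@%s # ratchet:%s\n' "${ref%@*}" "$sha" "$ref"
}

# Resolve a branch or tag to the commit it currently points at. Assumed
# helper: needs the gh CLI and network access, so it is not run offline.
resolve_sha() {
  local repo="$1" ref="$2"
  gh api "repos/$repo/commits/$ref" --jq '.sha'
}

# Usage: ./check-pins.sh .github/workflows/*.yml
if [ "$#" -gt 0 ]; then
  status=0
  for f in "$@"; do
    check_unpinned "$f" || status=1
  done
  exit "$status"
fi
```

Run it over `.github/workflows/*.yml` in CI to fail the build on any mutable ref; when a branch must be used temporarily, resolve it once with `resolve_sha stackrox/actions tm/ROX-34007-automerge-configurability` and pin both occurrences to that same SHA with `pin_ref`, so the workflow executes the reviewed commit even if the branch is later force-pushed.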
…updates for approvals
Hey - I've found 1 issue, and left some high level feedback:
- The workflow now references `stackrox/actions/automerge@tm/ROX-34007-automerge-configurability`; before merging, consider pinning this to a specific commit SHA (as was done previously) rather than a branch for reproducibility and supply-chain safety.
- The two jobs (`auto-merge-dependabot` and `auto-merge-mintmaker`) share most of their configuration; consider using a strategy matrix or a reusable workflow to reduce duplication and make future changes to the auto-merge logic easier to keep consistent.
## Individual Comments
### Comment 1
<location path=".github/workflows/auto-merge.yml" line_range="18-21" />
<code_context>
group: auto-merge
cancel-in-progress: false
+run-name: >-
+ ${{
+ format('auto-merge {0}',
+ fromJSON('[" (dry-run)", ""]')[github.event.inputs.dry-run != 'true']
+ )
+ }}
</code_context>
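Review bot: the `fromJSON('[" (dry-run)", ""]')[github.event.inputs.dry-run != 'true']` index in this `run-name` hunk relies on the boolean being coerced to 0 or 1, which hides the intent behind an array lookup; the direct form `${{ github.event.inputs.dry-run == 'true' && 'auto-merge (dry-run)' || 'auto-merge' }}` picks the same two names without the array and without depending on that coercion. If the array form is kept, do not map the condition with `&& 0 || 1` as the comment below suggests: `0` is falsy in GitHub expressions, so `condition && 0 || 1` evaluates to `1` whichever way the condition goes and both runs would get the same name.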
<issue_to_address>
**issue:** Array indexing with a boolean expression in `run-name` may not be reliable in GitHub Expressions.
Here the index `github.event.inputs.dry-run != 'true'` is a boolean. GitHub expressions expect a numeric or string index, so relying on implicit bool → index coercion is brittle and may break with engine changes. Prefer explicitly mapping to 0/1 (e.g. `... [condition && 0 || 1]`) or replace the array with a more direct conditional expression to select the suffix.
</issue_to_address>
♻️ Duplicate comments (1)
.github/workflows/auto-merge.yml (1)
32-32: ⚠️ Potential issue | 🟠 Major
Pin stackrox/actions/automerge to an immutable SHA.
Both jobs still reference the action via the mutable branch tm/ROX-34007-automerge-configurability. That keeps the workflow non-reproducible and leaves the Ratchet failure unresolved. Please pin both occurrences to the same commit SHA instead.
#!/bin/bash
set -euo pipefail
echo "Current automerge references in the workflow:"
rg -n 'stackrox/actions/automerge@' .github/workflows/auto-merge.yml
echo
echo "Resolved commit for stackrox/actions@tm/ROX-34007-automerge-configurability:"
gh api repos/stackrox/actions/commits/tm/ROX-34007-automerge-configurability --jq '.sha'
echo
echo "Expected: both workflow lines use the same 40-character SHA."
Also applies to: 43-43
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/auto-merge.yml at line 32, Replace the mutable branch reference "uses: stackrox/actions/automerge@tm/ROX-34007-automerge-configurability" with a fixed 40-character commit SHA for both occurrences in the workflow (the two lines currently using that branch); obtain the correct SHA by querying the repo branch commit (e.g., gh api repos/stackrox/actions/commits/tm/ROX-34007-automerge-configurability --jq '.sha') and update both "uses: stackrox/actions/automerge@..." entries to use the same immutable SHA string so the workflow is reproducible and Ratchet will pass.
📒 Files selected for processing (2)
.github/renovate.json5
.github/workflows/auto-merge.yml
✅ Files skipped from review due to trivial changes (1)
- .github/renovate.json5
Description
Companion for stackrox/actions#91
TODO before merge:
User-facing documentation
Testing and quality
Automated testing
How I validated my change
See companion.