docs: add downstream GitHub Actions audit recipes#797
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the project's active goals and expands the documentation with new guides for integrating uselesskey into downstream CI and GitHub Actions. The feedback highlights several critical issues in the provided GitHub Actions recipes, including the use of non-existent versions for actions/checkout, dtolnay/rust-toolchain, and actions/upload-artifact. Furthermore, a logical error was identified in the artifact upload configuration, which incorrectly attempts to access files produced in separate jobs.
| - uses: actions/checkout@v6 | ||
|
|
||
| - uses: dtolnay/rust-toolchain@stable |
There was a problem hiding this comment.
The GitHub Action versions for actions/checkout and dtolnay/rust-toolchain appear to be incorrect. actions/checkout is currently at v4, and dtolnay/rust-toolchain typically uses @master or @v1. Using non-existent versions like v6 or @stable will cause the workflow to fail.
| - uses: actions/checkout@v6 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@master |
| - uses: actions/checkout@v6 | ||
|
|
||
| - uses: dtolnay/rust-toolchain@stable |
There was a problem hiding this comment.
The GitHub Action versions for actions/checkout and dtolnay/rust-toolchain appear to be incorrect. actions/checkout is currently at v4, and dtolnay/rust-toolchain typically uses @master. Using non-existent versions will cause the workflow to fail.
| - uses: actions/checkout@v6 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@master |
|
|
||
| ```yaml | ||
| - name: Upload uselesskey audit receipts | ||
| uses: actions/upload-artifact@v7 |
| path: | | ||
| target/uselesskey-webhook-audit/bundle-audit.json | ||
| target/uselesskey-webhook-audit/bundle-audit.md | ||
| target/uselesskey-tls-audit/bundle-audit.json | ||
| target/uselesskey-tls-audit/bundle-audit.md | ||
| target/uselesskey-oidc-audit/bundle-audit.json | ||
| target/uselesskey-oidc-audit/bundle-audit.md |
There was a problem hiding this comment.
The artifact upload paths combine files from two different jobs (webhook-fixtures and verifier-fixtures). In GitHub Actions, jobs run on separate runners by default, so an upload step in one job cannot access files generated in another runner's workspace.
To fix this, you should either:
- Merge the generation steps into a single job.
- Provide separate upload steps within each job, referencing only the files produced by that specific job.
Summary
audit-bundle --ci.Files added/changed
docs/how-to/use-uselesskey-in-github-actions.mddocs/how-to/use-uselesskey-in-downstream-ci.mddocs/README.md.uselesskey/goals/active.tomlValidation
cargo xtask docs-sync --checkcargo xtask typosgit diff --checkNon-goals
What this enables next
external-adoption-smoke --ci-recipescan make these documented CI snippets executable evidence instead of doc-only guidance.