Skip to content

chore: tune CodeRabbit config#12460

Merged
zkochan merged 1 commit into
mainfrom
coderabbit-tuning
Jun 16, 2026
Merged

chore: tune CodeRabbit config#12460
zkochan merged 1 commit into
mainfrom
coderabbit-tuning

Conversation

@zkochan

@zkochan zkochan commented Jun 16, 2026

Copy link
Copy Markdown
Member

Follow-up to the CodeRabbit product labels (#12459). Adds a few CodeRabbit settings, chosen to cut review noise and close a real gap rather than pile on features:

  • reviews.path_filters — skip generated/vendored/snapshot files (pnpm-lock.yaml, Cargo.lock, **/dist/**, **/__fixtures__/**, *.snap, CHANGELOG.md) so review attention lands on hand-written code.
  • reviews.pre_merge_checks.title — enforce Conventional Commits on the PR title. PRs are squash-merged, so the title becomes the commit message, which the commit-msg hook never sees (it only validates per-commit messages).
  • knowledge_base.learnings.scope: local — maintainer corrections are remembered for this repo without crossing org/repo boundaries, so repeat false positives get suppressed over time.
  • issue_enrichment.labeling — auto-apply the durable area:/type: taxonomy to issues, where long-lived labels actually aid triage and search (deliberately not applied to PRs, where they'd just be noise).
  • reviews.poem: false — drop the walkthrough poem.

The secret scanners (gitleaks, semgrep, trufflehog) are already enabled: true by default, so they're intentionally not added here — explicit config would be a no-op.

Skipped on purpose: auto-generated docstrings and unit tests, which conflict with this repo's "code explains itself / no comments that restate code" convention and its bespoke test infra.

All field names and enum values were validated against the live CodeRabbit v2 schema.


Written by an agent (Claude Code, claude-opus-4-8).

Summary by CodeRabbit

  • Chores
    • Updated code review configuration to exclude generated and vendored paths from automated reviews and enforce Conventional Commits-style PR titles as warnings.

Add several CodeRabbit settings:

- path_filters: skip generated/vendored/snapshot files (lockfiles, dist,
  fixtures, snapshots, changelogs) so reviews focus on hand-written code.
- pre_merge_checks.title: enforce Conventional Commits on the PR title,
  which becomes the commit message under squash merge (the commit-msg
  hook only validates per-commit messages).
- knowledge_base.learnings scoped to local so maintainer corrections are
  remembered without crossing repo boundaries.
- issue_enrichment labeling: auto-apply the durable area/type taxonomy to
  issues, where long-lived labels actually aid triage and search.
- poem disabled.

Secret scanners (gitleaks, semgrep, trufflehog) are already enabled by
default, so they are not added explicitly.
@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 16, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0)

Grey Divider


Remediation recommended

1. Lockfiles skipped in reviews 🐞 Bug ⛨ Security
Description
The new reviews.path_filters excludes pnpm-lock.yaml and Cargo.lock from CodeRabbit reviews,
creating a security blind spot where attacker-controlled dependency graph changes can land without
automated review attention. This conflicts with AGENTS.md’s security-first guidance that explicitly
treats lockfiles as high-risk inputs to scrutinize.
Code

.coderabbit.yaml[R4-6]

+  path_filters:
+    - "!pnpm-lock.yaml"
+    - "!Cargo.lock"
Evidence
The config explicitly filters out lockfiles from review, while AGENTS.md explicitly says lockfiles
are attacker-controlled and a key security review focus.

.coderabbit.yaml[4-6]
AGENTS.md[127-137]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`reviews.path_filters` excludes `pnpm-lock.yaml` and `Cargo.lock`, which are security-sensitive, attacker-influenced inputs. This reduces automated review coverage for supply-chain relevant changes.

### Issue Context
AGENTS.md explicitly calls out lockfiles as primary security review focus and attacker-controlled input.

### Fix Focus Areas
- .coderabbit.yaml[4-6]
- AGENTS.md[127-137]

### Suggested change
Remove the lockfile filters (or narrow them so lockfile changes are still reviewed, possibly with specialized low-noise instructions for lockfile diffs).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. Fixtures skipped in reviews 🐞 Bug ⛨ Security
Description
The new reviews.path_filters excludes **/__fixtures__/** even though __fixtures__ contains scripts
invoked by the repo’s prepare-fixtures/pretest flows, so changes there can materially affect CI/test
execution. This can hide malicious or destabilizing changes to fixture-driven scripts and test
inputs from automated review.
Code

.coderabbit.yaml[R7-9]

+    - "!**/dist/**"
+    - "!**/__fixtures__/**"
+    - "!**/*.snap"
Evidence
The config excludes __fixtures__ from review, but the repo’s own scripts run prepare-fixtures,
which executes commands defined under __fixtures__/package.yaml, making fixture changes
security/CI-relevant.

.coderabbit.yaml[7-9]
package.json[8-15]
fixtures/package.yaml[1-12]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`reviews.path_filters` excludes all `__fixtures__` content from CodeRabbit reviews, but this repo executes fixture scripts as part of `prepare-fixtures` and `pretest`.

### Issue Context
- Root `package.json` runs `prepare-fixtures` in `pretest` and CI scripts.
- `prepare-fixtures` executes `__fixtures__/package.yaml` scripts.

### Fix Focus Areas
- .coderabbit.yaml[7-9]
- package.json[8-15]
- __fixtures__/package.yaml[1-12]

### Suggested change
Remove the `!**/__fixtures__/**` filter (or replace it with narrower patterns that only exclude truly generated fixture artifacts, not executable fixture inputs).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Informational

3. Title types guidance mismatch 🐞 Bug ⚙ Maintainability
Description
The PR title Conventional Commits guidance example omits the style: type even though AGENTS.md
lists style as an allowed Conventional Commit prefix. This inconsistency can confuse contributors
and create avoidable title-check noise.
Code

.coderabbit.yaml[R22-24]

+      requirements: |
+        The title must follow the Conventional Commits specification (e.g. feat:, fix:, docs:, refactor:, perf:, test:, chore:),
+        matching the prefixes documented in AGENTS.md.
Evidence
AGENTS.md explicitly includes style as a Conventional Commits type, but the title requirements
example omits it.

.coderabbit.yaml[22-24]
AGENTS.md[163-174]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The Conventional Commits type list in the title-check guidance omits `style:`, which is listed as a valid type in AGENTS.md.

### Issue Context
This is a guidance/consistency issue (the check is configured as `mode: warning`), but aligning the example with repo standards reduces confusion.

### Fix Focus Areas
- .coderabbit.yaml[22-24]
- AGENTS.md[163-174]

### Suggested change
Update the example list to include `style:` (and keep it in sync with AGENTS.md over time).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1280238d-be7b-4ffc-8f1f-6bc670fb8cd9

📥 Commits

Reviewing files that changed from the base of the PR and between 61969fb and 45e85d8.

📒 Files selected for processing (1)
  • .coderabbit.yaml

📝 Walkthrough

Walkthrough

.coderabbit.yaml is extended with path filters excluding generated/vendored/dist files, AGENTS.md path instructions, a disabled poem walkthrough, a Conventional Commits PR title pre-merge check, a local-scoped knowledge base, and issue_enrichment with auto-applied type:* and area:* label taxonomy.

Changes

CodeRabbit Configuration

Layer / File(s) Summary
Review filters, guidance wiring, and pre-merge title check
.coderabbit.yaml
Adds path_filters to skip auto-generated/vendored/snapshot/dist paths, sets path_instructions to apply AGENTS.md guidance, disables the walkthrough poem, and introduces a pre_merge_checks.title rule enforcing Conventional Commits-style PR titles as warnings.
Knowledge base scoping and issue label taxonomy
.coderabbit.yaml
Scopes knowledge_base.learnings to the local repository and adds issue_enrichment with auto_apply_labels enabled plus labeling instructions for type:* and area:* categories (lockfile, monorepo, lifecycle-scripts, peers, catalogs, patching, resolution, supply chain security, config dependencies).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • pnpm/pnpm#12405: Both PRs modify .coderabbit.yaml to configure CodeRabbit review instructions sourced from AGENTS.md.

Suggested labels

product: pnpm

Poem

🐇 A config file bloomed in the .yaml meadow,
With labels and filters to lighten review's shadow.
Conventional commits now guard the PR gate,
And AGENTS.md guides each review's fate.
Hop hop hooray, the issues get tagged neat—
This bunny's config work is quite complete! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title "chore: tune CodeRabbit config" accurately summarizes the main change—updating CodeRabbit configuration settings to improve code review quality.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch coderabbit-tuning

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

PR Summary by Qodo

Tune CodeRabbit config to reduce review noise and improve triage automation
⚙️ Configuration changes ✨ Enhancement 🕐 10-20 Minutes

Grey Divider

Walkthroughs

Description
• Configure CodeRabbit to ignore generated/vendored files and disable the walkthrough poem.
• Warn when PR titles don’t follow Conventional Commits (squash-merge commit hygiene).
• Scope learnings to this repo and auto-label issues with durable area/type taxonomy.
Diagram
graph TD
  A["Repo (PRs & Issues)"] --> B["CodeRabbit"] --> C["PR reviews"] --> D["Filters + title check"]
  B --> E[("Knowledge base")] --> F["Local learnings"]
  B --> G["Issue enrichment"] --> H["Issue labels"]
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Dedicated PR-title checker (GitHub Action / semantic-pull-requests)
  • ➕ Enforcement is independent of CodeRabbit availability/configuration.
  • ➕ Can be configured as a required status check with consistent behavior across tooling.
  • ➖ Adds CI/Action maintenance and potential extra noise for contributors.
  • ➖ Duplicates policy already expressible via CodeRabbit pre-merge checks.
2. Broader repo-level ignore strategy (e.g., .gitattributes linguist-generated)
  • ➕ Helps other tooling (diff views, language stats) de-emphasize generated files too.
  • ➕ Centralized repo policy beyond a single integration.
  • ➖ Does not necessarily reduce CodeRabbit review scope unless CodeRabbit honors it.
  • ➖ May have unintended effects on GitHub UI and other automation.

Recommendation: The current approach is appropriate: keep enforcement and noise-reduction inside CodeRabbit where the problems occur (review scope, review formatting, triage automation). Consider a dedicated PR-title action only if you later want hard blocking (required check) rather than CodeRabbit’s warning-mode guidance.

Grey Divider

File Changes

Other (1)
.coderabbit.yaml Add CodeRabbit path filters, PR-title check, local learnings, and issue auto-labeling +53/-0

Add CodeRabbit path filters, PR-title check, local learnings, and issue auto-labeling

• Adds review path filters to skip lockfiles, dist output, fixtures, snapshots, and changelogs; disables the review poem; and adds a warning-mode pre-merge check enforcing Conventional Commits on PR titles. Also scopes knowledge-base learnings to this repository and enables issue enrichment to auto-apply area/type labels for issue triage.

.coderabbit.yaml


Grey Divider

Qodo Logo

@zkochan zkochan merged commit cc4cada into main Jun 16, 2026
25 checks passed
@zkochan zkochan deleted the coderabbit-tuning branch June 16, 2026 23:00
Comment thread .coderabbit.yaml
Comment on lines +4 to +6
path_filters:
- "!pnpm-lock.yaml"
- "!Cargo.lock"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

1. Lockfiles skipped in reviews 🐞 Bug ⛨ Security

The new reviews.path_filters excludes pnpm-lock.yaml and Cargo.lock from CodeRabbit reviews,
creating a security blind spot where attacker-controlled dependency graph changes can land without
automated review attention. This conflicts with AGENTS.md’s security-first guidance that explicitly
treats lockfiles as high-risk inputs to scrutinize.
Agent Prompt
### Issue description
`reviews.path_filters` excludes `pnpm-lock.yaml` and `Cargo.lock`, which are security-sensitive, attacker-influenced inputs. This reduces automated review coverage for supply-chain relevant changes.

### Issue Context
AGENTS.md explicitly calls out lockfiles as primary security review focus and attacker-controlled input.

### Fix Focus Areas
- .coderabbit.yaml[4-6]
- AGENTS.md[127-137]

### Suggested change
Remove the lockfile filters (or narrow them so lockfile changes are still reviewed, possibly with specialized low-noise instructions for lockfile diffs).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment thread .coderabbit.yaml
Comment on lines +7 to +9
- "!**/dist/**"
- "!**/__fixtures__/**"
- "!**/*.snap"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

2. Fixtures skipped in reviews 🐞 Bug ⛨ Security

The new reviews.path_filters excludes **/__fixtures__/** even though __fixtures__ contains scripts
invoked by the repo’s prepare-fixtures/pretest flows, so changes there can materially affect CI/test
execution. This can hide malicious or destabilizing changes to fixture-driven scripts and test
inputs from automated review.
Agent Prompt
### Issue description
`reviews.path_filters` excludes all `__fixtures__` content from CodeRabbit reviews, but this repo executes fixture scripts as part of `prepare-fixtures` and `pretest`.

### Issue Context
- Root `package.json` runs `prepare-fixtures` in `pretest` and CI scripts.
- `prepare-fixtures` executes `__fixtures__/package.yaml` scripts.

### Fix Focus Areas
- .coderabbit.yaml[7-9]
- package.json[8-15]
- __fixtures__/package.yaml[1-12]

### Suggested change
Remove the `!**/__fixtures__/**` filter (or replace it with narrower patterns that only exclude truly generated fixture artifacts, not executable fixture inputs).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

zkochan added a commit that referenced this pull request Jun 17, 2026
* chore: stop configuring CodeRabbit pre-merge checks

Defining any pre-merge check turned on the whole pre-merge-checks
subsystem, which under Request Changes Workflow replaces the
auto-approve flow: CodeRabbit emits a pre-merge-checks status block
instead of approving once review threads are resolved, leaving PRs at
REVIEW_REQUIRED even with all threads cleared and all checks green.

Remove the title check (added in #12460) to restore
auto-approval and document why the block is intentionally absent.
Conventional Commits on the squash title stay covered by the commit-msg
hook and the squash-title convention.

* fix: declare Qodo auto-approval under [config]

enable_auto_approval and auto_approve_for_no_suggestions were declared
under [pr_reviewer], where Qodo never reads them, so auto-approval never
ran. Per the Qodo docs both keys belong under [config]. Move them and
drop the now-empty [pr_reviewer] section.

* chore: stop applying labels from Qodo

Product labels are applied by CodeRabbit (auto_apply_labels +
labeling_instructions in .coderabbit.yaml). Having Qodo also publish
labels via enable_custom_labels/publish_labels/custom_labels meant two
tools managing the same labels. Drop the Qodo label config and leave
labeling to CodeRabbit.

* ci: tag Qodo-approved PRs and fix the label step

Add an on-qodo-approval job that applies the 'reviewed: qodo' label when
qodo-free-for-open-source-projects[bot] approves, mirroring the existing
CodeRabbit job.

The label step used 'gh pr edit --add-label', which is broken (it errors
on the deprecated Projects-v1 GraphQL field), so adding the label failed
on approval. Switch all three jobs to the issues REST API
(POST /repos/{owner}/{repo}/issues/{number}/labels) instead.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant