chore: tune CodeRabbit config#12460
Conversation
Add several CodeRabbit settings: - path_filters: skip generated/vendored/snapshot files (lockfiles, dist, fixtures, snapshots, changelogs) so reviews focus on hand-written code. - pre_merge_checks.title: enforce Conventional Commits on the PR title, which becomes the commit message under squash merge (the commit-msg hook only validates per-commit messages). - knowledge_base.learnings scoped to local so maintainer corrections are remembered without crossing repo boundaries. - issue_enrichment labeling: auto-apply the durable area/type taxonomy to issues, where long-lived labels actually aid triage and search. - poem disabled. Secret scanners (gitleaks, semgrep, trufflehog) are already enabled by default, so they are not added explicitly.
Code Review by Qodo
1. Lockfiles skipped in reviews
|
|
Warning Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories. No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthrough
ChangesCodeRabbit Configuration
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
PR Summary by QodoTune CodeRabbit config to reduce review noise and improve triage automation WalkthroughsDescription• Configure CodeRabbit to ignore generated/vendored files and disable the walkthrough poem. • Warn when PR titles don’t follow Conventional Commits (squash-merge commit hygiene). • Scope learnings to this repo and auto-label issues with durable area/type taxonomy. Diagramgraph TD
A["Repo (PRs & Issues)"] --> B["CodeRabbit"] --> C["PR reviews"] --> D["Filters + title check"]
B --> E[("Knowledge base")] --> F["Local learnings"]
B --> G["Issue enrichment"] --> H["Issue labels"]
High-Level AssessmentThe following are alternative approaches to this PR: 1. Dedicated PR-title checker (GitHub Action / semantic-pull-requests)
2. Broader repo-level ignore strategy (e.g., .gitattributes linguist-generated)
Recommendation: The current approach is appropriate: keep enforcement and noise-reduction inside CodeRabbit where the problems occur (review scope, review formatting, triage automation). Consider a dedicated PR-title action only if you later want hard blocking (required check) rather than CodeRabbit’s warning-mode guidance. File ChangesOther (1)
|
| path_filters: | ||
| - "!pnpm-lock.yaml" | ||
| - "!Cargo.lock" |
There was a problem hiding this comment.
1. Lockfiles skipped in reviews 🐞 Bug ⛨ Security
The new reviews.path_filters excludes pnpm-lock.yaml and Cargo.lock from CodeRabbit reviews, creating a security blind spot where attacker-controlled dependency graph changes can land without automated review attention. This conflicts with AGENTS.md’s security-first guidance that explicitly treats lockfiles as high-risk inputs to scrutinize.
Agent Prompt
### Issue description
`reviews.path_filters` excludes `pnpm-lock.yaml` and `Cargo.lock`, which are security-sensitive, attacker-influenced inputs. This reduces automated review coverage for supply-chain relevant changes.
### Issue Context
AGENTS.md explicitly calls out lockfiles as primary security review focus and attacker-controlled input.
### Fix Focus Areas
- .coderabbit.yaml[4-6]
- AGENTS.md[127-137]
### Suggested change
Remove the lockfile filters (or narrow them so lockfile changes are still reviewed, possibly with specialized low-noise instructions for lockfile diffs).
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
| - "!**/dist/**" | ||
| - "!**/__fixtures__/**" | ||
| - "!**/*.snap" |
There was a problem hiding this comment.
2. Fixtures skipped in reviews 🐞 Bug ⛨ Security
The new reviews.path_filters excludes **/__fixtures__/** even though __fixtures__ contains scripts invoked by the repo’s prepare-fixtures/pretest flows, so changes there can materially affect CI/test execution. This can hide malicious or destabilizing changes to fixture-driven scripts and test inputs from automated review.
Agent Prompt
### Issue description
`reviews.path_filters` excludes all `__fixtures__` content from CodeRabbit reviews, but this repo executes fixture scripts as part of `prepare-fixtures` and `pretest`.
### Issue Context
- Root `package.json` runs `prepare-fixtures` in `pretest` and CI scripts.
- `prepare-fixtures` executes `__fixtures__/package.yaml` scripts.
### Fix Focus Areas
- .coderabbit.yaml[7-9]
- package.json[8-15]
- __fixtures__/package.yaml[1-12]
### Suggested change
Remove the `!**/__fixtures__/**` filter (or replace it with narrower patterns that only exclude truly generated fixture artifacts, not executable fixture inputs).
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
* chore: stop configuring CodeRabbit pre-merge checks Defining any pre-merge check turned on the whole pre-merge-checks subsystem, which under Request Changes Workflow replaces the auto-approve flow: CodeRabbit emits a pre-merge-checks status block instead of approving once review threads are resolved, leaving PRs at REVIEW_REQUIRED even with all threads cleared and all checks green. Remove the title check (added in #12460) to restore auto-approval and document why the block is intentionally absent. Conventional Commits on the squash title stay covered by the commit-msg hook and the squash-title convention. * fix: declare Qodo auto-approval under [config] enable_auto_approval and auto_approve_for_no_suggestions were declared under [pr_reviewer], where Qodo never reads them, so auto-approval never ran. Per the Qodo docs both keys belong under [config]. Move them and drop the now-empty [pr_reviewer] section. * chore: stop applying labels from Qodo Product labels are applied by CodeRabbit (auto_apply_labels + labeling_instructions in .coderabbit.yaml). Having Qodo also publish labels via enable_custom_labels/publish_labels/custom_labels meant two tools managing the same labels. Drop the Qodo label config and leave labeling to CodeRabbit. * ci: tag Qodo-approved PRs and fix the label step Add an on-qodo-approval job that applies the 'reviewed: qodo' label when qodo-free-for-open-source-projects[bot] approves, mirroring the existing CodeRabbit job. The label step used 'gh pr edit --add-label', which is broken (it errors on the deprecated Projects-v1 GraphQL field), so adding the label failed on approval. Switch all three jobs to the issues REST API (POST /repos/{owner}/{repo}/issues/{number}/labels) instead.
Follow-up to the CodeRabbit product labels (#12459). Adds a few CodeRabbit settings, chosen to cut review noise and close a real gap rather than pile on features:
reviews.path_filters— skip generated/vendored/snapshot files (pnpm-lock.yaml,Cargo.lock,**/dist/**,**/__fixtures__/**,*.snap,CHANGELOG.md) so review attention lands on hand-written code.reviews.pre_merge_checks.title— enforce Conventional Commits on the PR title. PRs are squash-merged, so the title becomes the commit message, which thecommit-msghook never sees (it only validates per-commit messages).knowledge_base.learnings.scope: local— maintainer corrections are remembered for this repo without crossing org/repo boundaries, so repeat false positives get suppressed over time.issue_enrichment.labeling— auto-apply the durablearea:/type:taxonomy to issues, where long-lived labels actually aid triage and search (deliberately not applied to PRs, where they'd just be noise).reviews.poem: false— drop the walkthrough poem.The secret scanners (
gitleaks,semgrep,trufflehog) are alreadyenabled: trueby default, so they're intentionally not added here — explicit config would be a no-op.Skipped on purpose: auto-generated docstrings and unit tests, which conflict with this repo's "code explains itself / no comments that restate code" convention and its bespoke test infra.
All field names and enum values were validated against the live CodeRabbit v2 schema.
Written by an agent (Claude Code, claude-opus-4-8).
Summary by CodeRabbit