Skip to content

ci: PR review automation (CodeRabbit approval + maintainer automerge)#12462

Merged
zkochan merged 3 commits into
mainfrom
coderabbit-approval-notify
Jun 16, 2026
Merged

ci: PR review automation (CodeRabbit approval + maintainer automerge)#12462
zkochan merged 3 commits into
mainfrom
coderabbit-approval-notify

Conversation

@zkochan

@zkochan zkochan commented Jun 16, 2026

Copy link
Copy Markdown
Member

Adds a GitHub Actions workflow (.github/workflows/pr-review-automation.yml) that reacts to PR review submissions. Two independent jobs on the same pull_request_review (submitted) trigger:

1. CodeRabbit approval — when coderabbitai[bot] submits an approved review:

  • applies the informational label reviewed: coderabbit (already created on this repo; triggers nothing on its own), and
  • posts a notice to Discord — only if a DISCORD_WEBHOOK secret is configured.

2. Maintainer approval — when zkochan submits an approved review:

  • applies the existing state: automerge label.

How it works

  • pull_request_review runs in the base-repo context with the repo token and secrets, so it works for fork PRs too.
  • Each job is gated on review.state == 'approved' plus the specific reviewer login.
  • permissions: is narrowed to pull-requests: write (labels only).

Security

PR fields (title, URL, number) are passed to the steps through the environment, never interpolated into a run: script, so an attacker-controlled PR title can't inject shell commands. The Discord payload is built with jq (proper JSON escaping). No PR code is checked out or executed — important because pull_request_review is a privileged trigger.

Heads-up on state: automerge

I couldn't find anything in this repo that consumes state: automerge (no workflow, no Mergify/Kodiak config). If an external GitHub App reads it, zkochan's approval will trigger a real merge; if nothing reads it, the label is currently inert. Worth confirming the consumer exists.

The zkochan gate is hardcoded — if you'd rather key off a maintainers team or CODEOWNERS, that's an easy change.

Required to enable the Discord notice (maintainer action)

The Discord step is a no-op until you add the webhook:

  1. Create a Discord channel webhook (Channel → Integrations → Webhooks → New Webhook → Copy URL).
  2. Add it as a repo secret: Settings → Secrets and variables → Actions → New repository secret, name DISCORD_WEBHOOK.

Until then the labels are applied and the Discord step is skipped cleanly.


Written by an agent (Claude Code, claude-opus-4-8).

Summary by CodeRabbit

  • Chores
    • Added an automated workflow that reacts to pull request review submissions by applying appropriate labels and sending optional approval notifications when approvals come from designated reviewers.

Add a workflow that fires on pull_request_review and, when CodeRabbit
submits an approving review, applies the informational "reviewed:
coderabbit" label and (if a DISCORD_WEBHOOK secret is configured) posts
a notice to Discord.

PR fields reach the steps through the environment rather than script
interpolation, so an attacker-controlled PR title cannot inject shell
commands. The Discord step is skipped when the webhook secret is unset.
@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 16, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0)

Grey Divider


Action required

1. Stale automerge label 🐞 Bug ≡ Correctness ⭐ New
Description
The workflow adds state: automerge on a single zkochan approval, but never removes it if that
approval is later dismissed/changed or becomes stale after new commits. This can leave PRs
permanently flagged for automerge, enabling unintended merges if any automation merges based on the
label despite the current review state.
Code

.github/workflows/pr-review-automation.yml[R54-68]

+  on-maintainer-approval:
+    if: >-
+      github.event.review.state == 'approved' &&
+      github.event.review.user.login == 'zkochan'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    env:
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+    steps:
+      - name: Flag for automerge
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "state: automerge"
Evidence
The workflow is only triggered for review submissions (types: [submitted]) and the maintainer job
only adds state: automerge; there is no corresponding event handling or step to remove/reconcile
the label when the approval is no longer valid.

.github/workflows/pr-review-automation.yml[5-7]
.github/workflows/pr-review-automation.yml[54-68]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`state: automerge` is added when `zkochan` submits an approved review, but there is no workflow path to remove that label when the approval is no longer valid (dismissed, changed to changes requested/commented, or made stale by new commits).

## Issue Context
The workflow only listens to `pull_request_review` with `types: [submitted]` and only performs `--add-label` mutations.

## Fix Focus Areas
- .github/workflows/pr-review-automation.yml[5-7]
- .github/workflows/pr-review-automation.yml[54-68]

## Suggested fix
- Add removal logic for `state: automerge`, e.g.:
 - Expand `on.pull_request_review.types` to include `dismissed` (and/or handle `submitted` where `review.state != 'approved'`).
 - Add a job gated on `github.event.review.user.login == 'zkochan'` that runs `gh pr edit ... --remove-label "state: automerge"` when the review is dismissed or when `review.state` is not `approved`.
- Consider also removing `state: automerge` on `pull_request` `synchronize` (new commits) so the label can’t survive past changes that invalidate prior approvals.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. Insufficient label permissions ✓ Resolved 🐞 Bug ≡ Correctness
Description
The workflow only grants pull-requests: write, but the gh pr edit --add-label step is a label
mutation and is likely to fail with insufficient permissions, preventing the label from being
applied. This breaks the workflow’s primary purpose even when the CodeRabbit approval gate passes.
Code

.github/workflows/coderabbit-approval-notify.yml[R8-30]

+permissions:
+  pull-requests: write
+
+jobs:
+  on-coderabbit-approval:
+    if: >-
+      github.event.review.state == 'approved' &&
+      github.event.review.user.login == 'coderabbitai[bot]'
+    runs-on: ubuntu-latest
+    env:
+      # Webhook URL is optional; the Discord step is skipped when the secret is unset.
+      DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+      # PR fields are passed through the environment, never interpolated into a run script,
+      # so an attacker-controlled PR title cannot inject shell commands.
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      PR_TITLE: ${{ github.event.pull_request.title }}
+      PR_URL: ${{ github.event.pull_request.html_url }}
+    steps:
+      - name: Add the reviewed label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "reviewed: coderabbit"
Evidence
The new workflow’s only declared permission is pull-requests: write, yet it calls `gh pr edit ...
--add-label .... In this repo, workflows that write back to PR/issue state request issues: write`,
indicating the current permission set is likely insufficient for label mutation.

.github/workflows/coderabbit-approval-notify.yml[8-30]
.github/workflows/pacquet-integrated-benchmark-comment.yml[24-29]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow attempts to apply a label via `gh pr edit --add-label`, but it only requests `pull-requests: write`. Label operations are governed by issue/label permissions, so this can 403 and prevent the label from being applied.
### Issue Context
Other workflows in this repo that mutate PR/issue state request `issues: write` (often alongside `pull-requests: write`).
### Fix Focus Areas
- .github/workflows/coderabbit-approval-notify.yml[8-10]
- .github/workflows/coderabbit-approval-notify.yml[26-30]
### Suggested change
Update `permissions:` to include `issues: write` (keep `pull-requests: write` as needed).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

3. Discord step fails job 🐞 Bug ☼ Reliability ⭐ New
Description
If DISCORD_WEBHOOK is set but the webhook is invalid or Discord returns an error, curl -fsS will
fail the entire job even after the label is applied. This makes the automation brittle and can
produce a red check for a notification-only failure.
Code

.github/workflows/pr-review-automation.yml[R35-52]

+      - name: Announce on Discord
+        if: ${{ env.DISCORD_WEBHOOK != '' }}
+        run: |
+          # allowed_mentions parse:[] stops a PR title like "@everyone" from pinging the Discord server.
+          payload="$(jq -n \
+            --arg n "$PR_NUMBER" \
+            --arg t "$PR_TITLE" \
+            --arg u "$PR_URL" \
+            '{content: ("✅ CodeRabbit approved PR #" + $n + ": " + $t + "\n" + $u), allowed_mentions: {parse: []}}')"
+          curl -fsS \
+            --connect-timeout 5 \
+            --max-time 20 \
+            --retry 3 \
+            --retry-all-errors \
+            --retry-delay 2 \
+            -H "Content-Type: application/json" \
+            -d "$payload" \
+            "$DISCORD_WEBHOOK"
Evidence
The Discord step runs curl -fsS (fail on HTTP >= 400) and is not marked best-effort; any
persistent webhook/Discord error will fail the step and therefore the job.

.github/workflows/pr-review-automation.yml[35-52]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The Discord notification uses `curl -fsS ...` without `continue-on-error`, so a notification failure marks the whole job as failed even though the label edit already happened.

## Issue Context
This job’s primary purpose is labeling; the Discord step is best-effort.

## Fix Focus Areas
- .github/workflows/pr-review-automation.yml[35-52]

## Suggested fix
- Make the Discord step non-blocking, e.g. add `continue-on-error: true`, or wrap the curl call to avoid failing the step (while still logging the error).
- Optionally emit a clear log line when the webhook call fails so it’s visible in the job output.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


4. Discord mention injection ✓ Resolved 🐞 Bug ⛨ Security
Description
The Discord payload includes the PR title verbatim, so a PR title containing @everyone, @here,
or role/user mentions can generate unwanted pings and spam when CodeRabbit approves. This enables
notification abuse/social engineering through attacker-controlled PR titles.
Code

.github/workflows/coderabbit-approval-notify.yml[R17-40]

+    env:
+      # Webhook URL is optional; the Discord step is skipped when the secret is unset.
+      DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+      # PR fields are passed through the environment, never interpolated into a run script,
+      # so an attacker-controlled PR title cannot inject shell commands.
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      PR_TITLE: ${{ github.event.pull_request.title }}
+      PR_URL: ${{ github.event.pull_request.html_url }}
+    steps:
+      - name: Add the reviewed label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "reviewed: coderabbit"
+
+      - name: Announce on Discord
+        if: ${{ env.DISCORD_WEBHOOK != '' }}
+        run: |
+          payload="$(jq -n \
+            --arg n "$PR_NUMBER" \
+            --arg t "$PR_TITLE" \
+            --arg u "$PR_URL" \
+            '{content: ("✅ CodeRabbit approved PR #" + $n + ": " + $t + "\n" + $u)}')"
+          curl -fsS -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK"
Evidence
The workflow sources PR_TITLE from github.event.pull_request.title and inserts it into Discord
content without setting allowed_mentions, so Discord may parse mentions present in the title.

.github/workflows/coderabbit-approval-notify.yml[17-40]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow posts `PR_TITLE` directly into Discord message `content`. Discord will interpret mention-like strings unless `allowed_mentions` is explicitly restricted, so attacker-controlled PR titles can trigger pings (e.g. `@everyone`).
### Issue Context
This is not shell injection (JSON is built with `jq`), but it is message-content injection that can be abused whenever `DISCORD_WEBHOOK` is configured.
### Fix Focus Areas
- .github/workflows/coderabbit-approval-notify.yml[35-40]
### Suggested change
Add `allowed_mentions` to the webhook payload, e.g.:

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Previous review results

Review updated until commit 3166ab2

Results up to commit N/A


🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX issues (0) 🔗 Cross-repo conflicts (0)


Action required
1. Insufficient label permissions ✓ Resolved 🐞 Bug ≡ Correctness
Description
The workflow only grants pull-requests: write, but the gh pr edit --add-label step is a label
mutation and is likely to fail with insufficient permissions, preventing the label from being
applied. This breaks the workflow’s primary purpose even when the CodeRabbit approval gate passes.
Code

.github/workflows/coderabbit-approval-notify.yml[R8-30]

+permissions:
+  pull-requests: write
+
+jobs:
+  on-coderabbit-approval:
+    if: >-
+      github.event.review.state == 'approved' &&
+      github.event.review.user.login == 'coderabbitai[bot]'
+    runs-on: ubuntu-latest
+    env:
+      # Webhook URL is optional; the Discord step is skipped when the secret is unset.
+      DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+      # PR fields are passed through the environment, never interpolated into a run script,
+      # so an attacker-controlled PR title cannot inject shell commands.
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      PR_TITLE: ${{ github.event.pull_request.title }}
+      PR_URL: ${{ github.event.pull_request.html_url }}
+    steps:
+      - name: Add the reviewed label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "reviewed: coderabbit"
Evidence
The new workflow’s only declared permission is pull-requests: write, yet it calls `gh pr edit ...
--add-label .... In this repo, workflows that write back to PR/issue state request issues: write`,
indicating the current permission set is likely insufficient for label mutation.

.github/workflows/coderabbit-approval-notify.yml[8-30]
.github/workflows/pacquet-integrated-benchmark-comment.yml[24-29]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow attempts to apply a label via `gh pr edit --add-label`, but it only requests `pull-requests: write`. Label operations are governed by issue/label permissions, so this can 403 and prevent the label from being applied.
### Issue Context
Other workflows in this repo that mutate PR/issue state request `issues: write` (often alongside `pull-requests: write`).
### Fix Focus Areas
- .github/workflows/coderabbit-approval-notify.yml[8-10]
- .github/workflows/coderabbit-approval-notify.yml[26-30]
### Suggested change
Update `permissions:` to include `issues: write` (keep `pull-requests: write` as needed).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended
2. Discord mention injection ✓ Resolved 🐞 Bug ⛨ Security
Description
The Discord payload includes the PR title verbatim, so a PR title containing @everyone, @here,
or role/user mentions can generate unwanted pings and spam when CodeRabbit approves. This enables
notification abuse/social engineering through attacker-controlled PR titles.
Code

.github/workflows/coderabbit-approval-notify.yml[R17-40]

+    env:
+      # Webhook URL is optional; the Discord step is skipped when the secret is unset.
+      DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+      # PR fields are passed through the environment, never interpolated into a run script,
+      # so an attacker-controlled PR title cannot inject shell commands.
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      PR_TITLE: ${{ github.event.pull_request.title }}
+      PR_URL: ${{ github.event.pull_request.html_url }}
+    steps:
+      - name: Add the reviewed label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "reviewed: coderabbit"
+
+      - name: Announce on Discord
+        if: ${{ env.DISCORD_WEBHOOK != '' }}
+        run: |
+          payload="$(jq -n \
+            --arg n "$PR_NUMBER" \
+            --arg t "$PR_TITLE" \
+            --arg u "$PR_URL" \
+            '{content: ("✅ CodeRabbit approved PR #" + $n + ": " + $t + "\n" + $u)}')"
+          curl -fsS -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK"
Evidence
The workflow sources PR_TITLE from github.event.pull_request.title and inserts it into Discord
content without setting allowed_mentions, so Discord may parse mentions present in the title.

.github/workflows/coderabbit-approval-notify.yml[17-40]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow posts `PR_TITLE` directly into Discord message `content`. Discord will interpret mention-like strings unless `allowed_mentions` is explicitly restricted, so attacker-controlled PR titles can trigger pings (e.g. `@everyone`).
### Issue Context
This is not shell injection (JSON is built with `jq`), but it is message-content injection that can be abused whenever `DISCORD_WEBHOOK` is configured.
### Fix Focus Areas
- .github/workflows/coderabbit-approval-notify.yml[35-40]
### Suggested change
Add `allowed_mentions` to the webhook payload, e.g.:

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Qodo Logo

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6cbb9758-8bb9-4310-b2c2-493690ca5a44

📥 Commits

Reviewing files that changed from the base of the PR and between 129b94a and 3166ab2.

📒 Files selected for processing (1)
  • .github/workflows/pr-review-automation.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pr-review-automation.yml

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow (pr-review-automation.yml) is added. It triggers on pull_request_review submitted events and defines two jobs: one applies a reviewed: coderabbit label and optionally posts to a Discord webhook when CodeRabbit approves, and another applies a state: automerge label when the maintainer approves.

Changes

PR Review Automation Workflow

Layer / File(s) Summary
Workflow trigger, permissions, and CodeRabbit approval job
.github/workflows/pr-review-automation.yml
Defines the pull_request_review: submitted trigger with disabled default permissions and per-job pull-requests: write grants. The on-coderabbit-approval job filters for coderabbitai[bot] reviewer with an approved state, runs gh pr edit to add the reviewed: coderabbit label, and conditionally POSTs a Discord announcement via curl with a jq-built JSON payload when DISCORD_WEBHOOK is set.
Maintainer approval automerge job
.github/workflows/pr-review-automation.yml
The on-maintainer-approval job filters for zkochan as reviewer with an approved state and applies the state: automerge label to the PR via gh pr edit.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title uses the 'ci:' prefix as specified in Conventional Commits and clearly describes the main change: a PR review automation workflow with CodeRabbit approval and maintainer automerge functionality.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch coderabbit-approval-notify

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

PR Summary by Qodo

CI: label PRs and optionally notify Discord on CodeRabbit approval
⚙️ Configuration changes ✨ Enhancement 🕐 10-20 Minutes

Grey Divider

Walkthroughs

Description
• Add a workflow triggered by submitted PR reviews.
• When CodeRabbit approves, apply the "reviewed: coderabbit" label.
• Optionally post an approval notice to Discord when DISCORD_WEBHOOK is set.
Diagram
graph TD
  A["pull_request_review submitted"] --> B{"Approved by CodeRabbit?"} --> C["Step: add label"] --> D["GitHub PR metadata"]
  B --> E{"DISCORD_WEBHOOK set?"} --> F["Step: Discord notify"] --> G["Discord webhook"]
  C --> H["GitHub API (labels)"]

  subgraph Legend
    direction LR
    _evt([Event]) ~~~ _dec{Decision} ~~~ _job[Step] ~~~ _ext[[External]]
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Use actions/github-script instead of gh CLI
  • ➕ Avoids reliance on preinstalled gh tooling and shell scripting
  • ➕ Uses the GitHub API directly with clearer error handling
  • ➕ Reduces command injection surface further (no shell CLI args)
  • ➖ More verbose JavaScript snippet
  • ➖ Still requires careful permissions and event-context gating
2. Use a dedicated Discord notification action
  • ➕ Less custom scripting; simpler payload construction
  • ➕ Often includes retries and nicer formatting options
  • ➖ Adds third-party action dependency and supply-chain surface
  • ➖ May reduce transparency vs explicit jq + curl

Recommendation: The current approach is solid for a security-sensitive trigger: it avoids checkout, narrows permissions, gates on bot+approval, and builds JSON safely with jq. If maintainers prefer fewer shell dependencies, switching the label step to actions/github-script is the most meaningful alternative; otherwise, keep this implementation.

Grey Divider

File Changes

Other (1)
coderabbit-approval-notify.yml Add workflow to label and Discord-notify on CodeRabbit approval +40/-0

Add workflow to label and Discord-notify on CodeRabbit approval

• Introduces a pull_request_review-triggered workflow that runs only when coderabbitai[bot] submits an approved review. It applies the existing "reviewed: coderabbit" label and optionally posts a Discord notification when the DISCORD_WEBHOOK secret is configured, passing PR fields via env and building the payload with jq.

.github/workflows/coderabbit-approval-notify.yml


Grey Divider

Qodo Logo

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/coderabbit-approval-notify.yml (1)

40-40: ⚡ Quick win

Add timeout/retry bounds to the Discord webhook call.

curl -fsS can still fail on transient network faults (or wait too long). Add connect/overall timeouts and retries so this step is more resilient.

Suggested patch
-          curl -fsS -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK"
+          curl -fsS \
+            --connect-timeout 5 \
+            --max-time 20 \
+            --retry 3 \
+            --retry-all-errors \
+            --retry-delay 2 \
+            -H "Content-Type: application/json" \
+            -d "$payload" \
+            "$DISCORD_WEBHOOK"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coderabbit-approval-notify.yml at line 40, The curl
command used to send the Discord webhook notification lacks timeout and retry
mechanisms, making it vulnerable to transient network failures and excessive
wait times. Add connection timeout and maximum operation timeout parameters to
the curl command (using --connect-timeout and --max-time flags), and include
automatic retry logic with delays (using --retry and --retry-delay flags) to
make the Discord webhook call more resilient to temporary network issues while
ensuring the step completes in a reasonable time.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/coderabbit-approval-notify.yml:
- Line 40: The curl command used to send the Discord webhook notification lacks
timeout and retry mechanisms, making it vulnerable to transient network failures
and excessive wait times. Add connection timeout and maximum operation timeout
parameters to the curl command (using --connect-timeout and --max-time flags),
and include automatic retry logic with delays (using --retry and --retry-delay
flags) to make the Discord webhook call more resilient to temporary network
issues while ensuring the step completes in a reasonable time.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 00853989-478a-4eb6-bcd6-c2cdf9625895

📥 Commits

Reviewing files that changed from the base of the PR and between 293921a and af37ea1.

📒 Files selected for processing (1)
  • .github/workflows/coderabbit-approval-notify.yml

Rename the approval workflow to cover both review automations and add a
second job: when zkochan submits an approving review, apply the existing
"state: automerge" label.

Like the CodeRabbit job, the PR number is passed through the environment
rather than interpolated into the run script.
Comment thread .github/workflows/pr-review-automation.yml Outdated
Comment thread .github/workflows/pr-review-automation.yml Outdated
@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 16, 2026

Copy link
Copy Markdown

Code Review by Qodo

Grey Divider

New Review Started

This review has been superseded by a new analysis

Grey Divider

Qodo Logo

@zkochan zkochan changed the title ci: label and notify on CodeRabbit approval ci: PR review automation (CodeRabbit approval + maintainer automerge) Jun 16, 2026
Comment thread .github/workflows/pr-review-automation.yml Fixed
- Scope permissions to each job (top-level permissions: {}) instead of
  granting pull-requests: write workflow-wide (zizmor).
- Set allowed_mentions to {parse: []} on the Discord payload so a PR
  title containing `@everyone`/`@here` cannot ping the server.
- Add connect/overall timeouts and retries to the Discord curl call.
@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 16, 2026

Copy link
Copy Markdown

Code review by qodo was updated up to the latest commit 3166ab2

@zkochan zkochan merged commit c38f68a into main Jun 16, 2026
26 checks passed
@zkochan zkochan deleted the coderabbit-approval-notify branch June 16, 2026 23:33
Comment on lines +54 to +68
on-maintainer-approval:
if: >-
github.event.review.state == 'approved' &&
github.event.review.user.login == 'zkochan'
runs-on: ubuntu-latest
permissions:
pull-requests: write
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
steps:
- name: Flag for automerge
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "state: automerge"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Stale automerge label 🐞 Bug ≡ Correctness

The workflow adds state: automerge on a single zkochan approval, but never removes it if that
approval is later dismissed/changed or becomes stale after new commits. This can leave PRs
permanently flagged for automerge, enabling unintended merges if any automation merges based on the
label despite the current review state.
Agent Prompt
## Issue description
`state: automerge` is added when `zkochan` submits an approved review, but there is no workflow path to remove that label when the approval is no longer valid (dismissed, changed to changes requested/commented, or made stale by new commits).

## Issue Context
The workflow only listens to `pull_request_review` with `types: [submitted]` and only performs `--add-label` mutations.

## Fix Focus Areas
- .github/workflows/pr-review-automation.yml[5-7]
- .github/workflows/pr-review-automation.yml[54-68]

## Suggested fix
- Add removal logic for `state: automerge`, e.g.:
  - Expand `on.pull_request_review.types` to include `dismissed` (and/or handle `submitted` where `review.state != 'approved'`).
  - Add a job gated on `github.event.review.user.login == 'zkochan'` that runs `gh pr edit ... --remove-label "state: automerge"` when the review is dismissed or when `review.state` is not `approved`.
- Consider also removing `state: automerge` on `pull_request` `synchronize` (new commits) so the label can’t survive past changes that invalidate prior approvals.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +35 to +52
- name: Announce on Discord
if: ${{ env.DISCORD_WEBHOOK != '' }}
run: |
# allowed_mentions parse:[] stops a PR title like "@everyone" from pinging the Discord server.
payload="$(jq -n \
--arg n "$PR_NUMBER" \
--arg t "$PR_TITLE" \
--arg u "$PR_URL" \
'{content: ("✅ CodeRabbit approved PR #" + $n + ": " + $t + "\n" + $u), allowed_mentions: {parse: []}}')"
curl -fsS \
--connect-timeout 5 \
--max-time 20 \
--retry 3 \
--retry-all-errors \
--retry-delay 2 \
-H "Content-Type: application/json" \
-d "$payload" \
"$DISCORD_WEBHOOK"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

2. Discord step fails job 🐞 Bug ☼ Reliability

If DISCORD_WEBHOOK is set but the webhook is invalid or Discord returns an error, curl -fsS will
fail the entire job even after the label is applied. This makes the automation brittle and can
produce a red check for a notification-only failure.
Agent Prompt
## Issue description
The Discord notification uses `curl -fsS ...` without `continue-on-error`, so a notification failure marks the whole job as failed even though the label edit already happened.

## Issue Context
This job’s primary purpose is labeling; the Discord step is best-effort.

## Fix Focus Areas
- .github/workflows/pr-review-automation.yml[35-52]

## Suggested fix
- Make the Discord step non-blocking, e.g. add `continue-on-error: true`, or wrap the curl call to avoid failing the step (while still logging the error).
- Optionally emit a clear log line when the webhook call fails so it’s visible in the job output.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

KSXGitHub pushed a commit that referenced this pull request Jun 17, 2026
Brings in 2 new commits from main (through 531f2a3): #12140
(preserve workspace specs on update) and #12462 (PR review
automation CI). Conflict-free — neither touches the Arc-cleanup files
(compat_package_extensions.rs, install_with_fresh_lockfile.rs, upload.rs).
zkochan added a commit that referenced this pull request Jun 17, 2026
The pr-review-automation workflow merged in #12462 fails at the
label step with 'Resource not accessible by integration
(addLabelsToLabelable)'. gh pr edit --add-label uses the GraphQL
addLabelsToLabelable mutation, which requires issues: write even when
labeling a PR; pull-requests: write alone is insufficient. Grant it per
job, matching pacquet-integrated-benchmark-comment.yml.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants