fix: restore CodeRabbit and Qodo PR auto-approval#12474
Conversation
Defining any pre-merge check turned on the whole pre-merge-checks subsystem, which under Request Changes Workflow replaces the auto-approve flow: CodeRabbit emits a pre-merge-checks status block instead of approving once review threads are resolved, leaving PRs at REVIEW_REQUIRED even with all threads cleared and all checks green. Remove the title check (added in #12460) to restore auto-approval and document why the block is intentionally absent. Conventional Commits on the squash title stay covered by the commit-msg hook and the squash-title convention.
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe PR updates automation tool configurations and refactors PR review automation workflows. The ChangesAutomation Configuration and Workflow Updates
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
PR Summary by QodoStop configuring CodeRabbit pre-merge checks to restore auto-approval Description
Diagram
High-Level Assessment
Files changed (1)
|
Code Review by Qodo
1. Overbroad workflow permissions
|
enable_auto_approval and auto_approve_for_no_suggestions were declared under [pr_reviewer], where Qodo never reads them, so auto-approval never ran. Per the Qodo docs both keys belong under [config]. Move them and drop the now-empty [pr_reviewer] section.
Product labels are applied by CodeRabbit (auto_apply_labels + labeling_instructions in .coderabbit.yaml). Having Qodo also publish labels via enable_custom_labels/publish_labels/custom_labels meant two tools managing the same labels. Drop the Qodo label config and leave labeling to CodeRabbit.
|
Code review by qodo was updated up to the latest commit 9495e0d |
Add an on-qodo-approval job that applies the 'reviewed: qodo' label when
qodo-free-for-open-source-projects[bot] approves, mirroring the existing
CodeRabbit job.
The label step used 'gh pr edit --add-label', which is broken (it errors
on the deprecated Projects-v1 GraphQL field), so adding the label failed
on approval. Switch all three jobs to the issues REST API
(POST /repos/{owner}/{repo}/issues/{number}/labels) instead.
| permissions: | ||
| # Adding a label via the issues REST API is governed by issues: write | ||
| # even when the target is a PR. | ||
| issues: write | ||
| pull-requests: write | ||
| env: |
There was a problem hiding this comment.
1. Overbroad workflow permissions 🐞 Bug ⛨ Security
In .github/workflows/pr-review-automation.yml, the jobs now label PRs via the issues labels REST endpoint but still request pull-requests: write, expanding the GITHUB_TOKEN scope beyond what the modified steps require. This increases blast radius if the workflow/job context is ever compromised, and can be avoided while keeping behavior unchanged.
Agent Prompt
### Issue description
Workflow jobs grant `pull-requests: write` even though the updated implementation only POSTs to the issue-labels endpoint (`/repos/{owner}/{repo}/issues/{number}/labels`), which is governed by `issues: write`. This violates least-privilege and increases the impact of any workflow compromise.
### Issue Context
The PR replaced `gh pr edit --add-label` with `gh api .../issues/.../labels`, but permissions were not tightened accordingly.
### Fix Focus Areas
- .github/workflows/pr-review-automation.yml[18-23]
- .github/workflows/pr-review-automation.yml[64-69]
- .github/workflows/pr-review-automation.yml[85-90]
### Suggested change
For each affected job, remove `pull-requests: write` (or reduce it to `read` if you want to keep it explicit) and keep `issues: write`.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
|
Code review by qodo was updated up to the latest commit 7c68f81 |
What
Fixes the AI-reviewer approval automation for both CodeRabbit and Qodo.
pre_merge_checks(.coderabbit.yaml). Defining any pre-merge check turns on the whole subsystem, which under Request Changes Workflow replaces the auto-approve flow: CodeRabbit emits a pre-merge-checks status block instead of approving once review threads are resolved, so PRs sat atREVIEW_REQUIREDwith all threads cleared and all checks green. Conventional-Commits enforcement on the squash title stays covered by thecommit-msghook.[config](.pr_agent.toml).enable_auto_approval/auto_approve_for_no_suggestionswere under[pr_reviewer], where Qodo never reads them, so auto-approval never ran. Per the Qodo docs both keys belong under[config].auto_apply_labels+labeling_instructions), so the Qodo label config (enable_custom_labels/publish_labels/custom_labels) was redundant and is removed..github/workflows/pr-review-automation.yml). Adds anon-qodo-approvaljob that appliesreviewed: qodowhenqodo-free-for-open-source-projects[bot]approves, mirroring the CodeRabbit job. The label step usedgh pr edit --add-label, which is broken (it errors on the deprecated Projects-v1 GraphQL field) — so the label add failed on approval. All three jobs now use the issues REST API instead.Why
CodeRabbit stopped auto-approving after #12460; the last approval (#12443, 2026-06-16 20:31 UTC) predates it and nothing has been approved since. The dashboard settings (Request Changes Workflow is enabled) were unchanged — only the local config. On recent PRs every CodeRabbit thread is resolved and all pre-merge checks pass (5/5 ✅), yet they stay at
REVIEW_REQUIRED. Qodo never auto-approved because its switch was in the wrong TOML section.Written by an agent (Claude Code, claude-opus-4-8).
Summary by CodeRabbit
Chores
Automation