Skip to content

fix: restore CodeRabbit and Qodo PR auto-approval#12474

Merged
zkochan merged 4 commits into
mainfrom
fix-coderabbit-approve
Jun 17, 2026
Merged

fix: restore CodeRabbit and Qodo PR auto-approval#12474
zkochan merged 4 commits into
mainfrom
fix-coderabbit-approve

Conversation

@zkochan

@zkochan zkochan commented Jun 17, 2026

Copy link
Copy Markdown
Member

What

Fixes the AI-reviewer approval automation for both CodeRabbit and Qodo.

  1. CodeRabbit — remove pre_merge_checks (.coderabbit.yaml). Defining any pre-merge check turns on the whole subsystem, which under Request Changes Workflow replaces the auto-approve flow: CodeRabbit emits a pre-merge-checks status block instead of approving once review threads are resolved, so PRs sat at REVIEW_REQUIRED with all threads cleared and all checks green. Conventional-Commits enforcement on the squash title stays covered by the commit-msg hook.
  2. Qodo — declare auto-approval under [config] (.pr_agent.toml). enable_auto_approval / auto_approve_for_no_suggestions were under [pr_reviewer], where Qodo never reads them, so auto-approval never ran. Per the Qodo docs both keys belong under [config].
  3. Qodo — stop applying labels. Product labels are applied by CodeRabbit (auto_apply_labels + labeling_instructions), so the Qodo label config (enable_custom_labels / publish_labels / custom_labels) was redundant and is removed.
  4. Workflow — tag Qodo-approved PRs and fix the label step (.github/workflows/pr-review-automation.yml). Adds an on-qodo-approval job that applies reviewed: qodo when qodo-free-for-open-source-projects[bot] approves, mirroring the CodeRabbit job. The label step used gh pr edit --add-label, which is broken (it errors on the deprecated Projects-v1 GraphQL field) — so the label add failed on approval. All three jobs now use the issues REST API instead.

Why

CodeRabbit stopped auto-approving after #12460; the last approval (#12443, 2026-06-16 20:31 UTC) predates it and nothing has been approved since. The dashboard settings (Request Changes Workflow is enabled) were unchanged — only the local config. On recent PRs every CodeRabbit thread is resolved and all pre-merge checks pass (5/5 ✅), yet they stay at REVIEW_REQUIRED. Qodo never auto-approved because its switch was in the wrong TOML section.


Written by an agent (Claude Code, claude-opus-4-8).

Summary by CodeRabbit

  • Chores

    • Streamlined pre-merge PR title validation by removing Conventional Commit title checks and relying on commit hook enforcement.
    • Reorganized automated approval settings so auto-approval is governed by the primary configuration only.
    • Updated label configuration to omit custom label publishing and align with the default product label behavior.
  • Automation

    • Improved PR review automation labeling to use the GitHub Issues REST API for applying reviewed and automerge state labels.
    • Added parallel automation for the additional approval type using the same REST-based labeling approach.

Defining any pre-merge check turned on the whole pre-merge-checks
subsystem, which under Request Changes Workflow replaces the
auto-approve flow: CodeRabbit emits a pre-merge-checks status block
instead of approving once review threads are resolved, leaving PRs at
REVIEW_REQUIRED even with all threads cleared and all checks green.

Remove the title check (added in #12460) to restore
auto-approval and document why the block is intentionally absent.
Conventional Commits on the squash title stay covered by the commit-msg
hook and the squash-title convention.
@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 352e1f56-b9f6-4a69-ac99-fa0721860f56

📥 Commits

Reviewing files that changed from the base of the PR and between 3bec861 and 7c68f81.

📒 Files selected for processing (1)
  • .github/workflows/pr-review-automation.yml

📝 Walkthrough

Walkthrough

The PR updates automation tool configurations and refactors PR review automation workflows. The reviews.pre_merge_checks.title Conventional Commits enforcement is removed from .coderabbit.yaml, auto-approval settings are moved from [pr_reviewer] to [config] in .pr_agent.toml, and the GitHub Actions workflow migrates label operations from gh pr edit to the Issues REST API while adding support for Qodo bot approvals.

Changes

Automation Configuration and Workflow Updates

Layer / File(s) Summary
Remove CodeRabbit pre-merge title enforcement
.coderabbit.yaml
Removes the reviews.pre_merge_checks.title block (which enforced Conventional Commits format with mode: warning) and substitutes explanatory comments delegating title enforcement to the commit-msg hook and squash-title convention.
Restructure PR Agent auto-approval configuration
.pr_agent.toml
Moves enable_auto_approval and auto_approve_for_no_suggestions settings from [pr_reviewer] section to [config] section, with comments explaining their required master-switch placement and default-branch behavior. Removes label-related configuration and replaces it with comments indicating CodeRabbit applies product labels.
Migrate workflow labeling to GitHub Issues REST API and add Qodo approval
.github/workflows/pr-review-automation.yml
Updates labeling steps to use gh api against the issues labels REST endpoint instead of gh pr edit. CodeRabbit and maintainer approval jobs apply reviewed: coderabbit and state: automerge labels via REST API. Introduces a new on-qodo-approval job that mirrors CodeRabbit approval behavior, applying a reviewed: qodo label through the same REST API approach. Updates workflow header and inline documentation to describe REST API-based label management.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • pnpm/pnpm#12457: Both PRs modify .pr_agent.toml to configure auto-approval by moving the same enable_auto_approval and auto_approve_for_no_suggestions settings.
  • pnpm/pnpm#12460: The retrieved PR added the exact reviews.pre_merge_checks.title Conventional Commits enforcement that this PR removes, making them direct inverses on the same config field.
  • pnpm/pnpm#12462: Both PRs modify .github/workflows/pr-review-automation.yml to migrate PR review approval labeling to the GitHub Issues REST API instead of gh pr edit.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title follows Conventional Commits specification with the 'chore:' prefix and clearly describes the main change: removing CodeRabbit pre-merge checks configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-coderabbit-approve

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

PR Summary by Qodo

Stop configuring CodeRabbit pre-merge checks to restore auto-approval
⚙️ Configuration changes 🕐 Less than 5 minutes

Grey Divider

Description

• Remove CodeRabbit pre-merge checks configuration that prevented auto-approval under Request
 Changes Workflow.
• Document why pre-merge checks are intentionally left unconfigured and how titles are enforced
 instead.
Diagram

graph TD
  Dev["Contributor"] --> PR["GitHub PR"] --> CR["CodeRabbit"] --> Review["Review outcome"]
  PR --> Hooks["commit-msg hook"]
  Hooks --> Title["Squash title convention"]
  CR -->|"no pre-merge checks configured"| Review
  subgraph Legend
    direction LR
    _user["Actor"] ~~~ _sys["System"] ~~~ _cfg["Local policy"]
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Enforce PR title via GitHub-native checks (Action/Probot)
  • ➕ Keeps Conventional Commits enforcement visible in CI
  • ➕ Does not depend on CodeRabbit behavior changes
  • ➖ Adds CI/runtime maintenance overhead
  • ➖ Requires additional permissions and workflow wiring
2. Keep CodeRabbit pre-merge checks but disable/adjust Request Changes Workflow
  • ➕ Retains CodeRabbit’s structured pre-merge checks UX
  • ➖ Depends on CodeRabbit product behavior/settings that may not be repo-local or predictable
  • ➖ May still not restore auto-approval semantics desired by the team

Recommendation: The PR’s approach (removing the pre_merge_checks block and documenting the rationale) is the lowest-maintenance way to restore CodeRabbit auto-approval behavior without introducing new infrastructure. If stricter title enforcement is desired later, prefer a GitHub-native check rather than re-enabling CodeRabbit pre-merge checks that can interfere with approval flow.

Files changed (1) +7 / -8

Other (1) +7 / -8
.coderabbit.yamlRemove pre_merge_checks config and document why it’s disabled +7/-8

Remove pre_merge_checks config and document why it’s disabled

• Deletes the configured CodeRabbit pre-merge title check that implicitly enabled the broader pre-merge-checks subsystem. Replaces it with comments explaining that enabling any check can prevent auto-approval under Request Changes Workflow, and notes reliance on commit-msg hook plus squash-title convention instead.

.coderabbit.yaml

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 17, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📜 Skill insights (0)

Grey Divider


Remediation recommended

1. Overbroad workflow permissions 🐞 Bug ⛨ Security ⭐ New
Description
In .github/workflows/pr-review-automation.yml, the jobs now label PRs via the issues labels REST
endpoint but still request pull-requests: write, expanding the GITHUB_TOKEN scope beyond what
the modified steps require. This increases blast radius if the workflow/job context is ever
compromised, and can be avoided while keeping behavior unchanged.
Code

.github/workflows/pr-review-automation.yml[R64-69]

+    permissions:
+      # Adding a label via the issues REST API is governed by issues: write
+      # even when the target is a PR.
+      issues: write
+      pull-requests: write
+    env:
Evidence
All three jobs add labels by POSTing to the issues-labels REST endpoint, which only requires
issues: write; there are no PR-write operations in the updated steps, so pull-requests: write is
excess scope.

.github/workflows/pr-review-automation.yml[18-39]
.github/workflows/pr-review-automation.yml[59-79]
.github/workflows/pr-review-automation.yml[80-99]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Workflow jobs grant `pull-requests: write` even though the updated implementation only POSTs to the issue-labels endpoint (`/repos/{owner}/{repo}/issues/{number}/labels`), which is governed by `issues: write`. This violates least-privilege and increases the impact of any workflow compromise.

### Issue Context
The PR replaced `gh pr edit --add-label` with `gh api .../issues/.../labels`, but permissions were not tightened accordingly.

### Fix Focus Areas
- .github/workflows/pr-review-automation.yml[18-23]
- .github/workflows/pr-review-automation.yml[64-69]
- .github/workflows/pr-review-automation.yml[85-90]

### Suggested change
For each affected job, remove `pull-requests: write` (or reduce it to `read` if you want to keep it explicit) and keep `issues: write`.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Informational

2. PR title lint removed 🐞 Bug ⚙ Maintainability
Description
With pre_merge_checks removed, PR/squash titles are no longer validated via CodeRabbit; the
replacement comment describes "title enforcement" via a local commit-msg hook plus a squash-title
convention, but commit-msg only lints locally-created commit messages and cannot enforce squash/PR
titles repo-wide. This can let non-Conventional-Commit squash titles slip through when hooks aren’t
installed or the squash title isn’t manually corrected at merge time.
Code

.coderabbit.yaml[R17-23]

+  # Pre-merge checks are intentionally left unconfigured. Defining any check here
+  # turns on the whole pre-merge-checks subsystem, which replaces the auto-approve
+  # flow under Request Changes Workflow: CodeRabbit then emits a pre-merge-checks
+  # status block instead of approving once review threads are resolved, so PRs sit
+  # at REVIEW_REQUIRED even with all threads cleared and all checks green. We rely
+  # on the commit-msg hook plus the squash-title convention for title enforcement
+  # instead of a CodeRabbit title check.
Evidence
The new .coderabbit.yaml text claims title enforcement via a commit-msg hook; in this repo that
hook runs commitlint on the commit message file during local commits, and AGENTS.md explicitly notes
hooks only run if installed locally—so it’s not repo-wide enforcement of squash/PR titles.

.coderabbit.yaml[17-23]
.husky/commit-msg[1-3]
AGENTS.md[176-186]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The comment added to `.coderabbit.yaml` says the repo relies on the `commit-msg` hook plus a squash-title convention for **title enforcement**, but the `commit-msg` hook only runs locally and does not enforce PR/squash titles repo-wide. This can mislead maintainers into thinking PR title enforcement still exists.
### Issue Context
- The PR intentionally removes CodeRabbit `pre_merge_checks` to restore auto-approve behavior.
- This suggestion is only about making the comment accurate/less misleading (or optionally adding a separate PR-title check that does not interfere with CodeRabbit approvals).
### Fix Focus Areas
- .coderabbit.yaml[17-23]
### Suggested change
- Reword to reflect that Conventional Commits are enforced for *local commit messages* via `commit-msg`, while squash/PR titles are a *manual convention* at merge time (not an automated check).
- (Optional) If you still want automated PR-title validation without CodeRabbit pre-merge checks, add a dedicated CI/PR-title checker (separate from CodeRabbit) and update the comment accordingly.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Previous review results

Review updated until commit 7c68f81

Results up to commit 9495e0d


🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)


Informational
1. PR title lint removed 🐞 Bug ⚙ Maintainability
Description
With pre_merge_checks removed, PR/squash titles are no longer validated via CodeRabbit; the
replacement comment describes "title enforcement" via a local commit-msg hook plus a squash-title
convention, but commit-msg only lints locally-created commit messages and cannot enforce squash/PR
titles repo-wide. This can let non-Conventional-Commit squash titles slip through when hooks aren’t
installed or the squash title isn’t manually corrected at merge time.
Code

.coderabbit.yaml[R17-23]

+  # Pre-merge checks are intentionally left unconfigured. Defining any check here
+  # turns on the whole pre-merge-checks subsystem, which replaces the auto-approve
+  # flow under Request Changes Workflow: CodeRabbit then emits a pre-merge-checks
+  # status block instead of approving once review threads are resolved, so PRs sit
+  # at REVIEW_REQUIRED even with all threads cleared and all checks green. We rely
+  # on the commit-msg hook plus the squash-title convention for title enforcement
+  # instead of a CodeRabbit title check.
Evidence
The new .coderabbit.yaml text claims title enforcement via a commit-msg hook; in this repo that
hook runs commitlint on the commit message file during local commits, and AGENTS.md explicitly notes
hooks only run if installed locally—so it’s not repo-wide enforcement of squash/PR titles.

.coderabbit.yaml[17-23]
.husky/commit-msg[1-3]
AGENTS.md[176-186]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The comment added to `.coderabbit.yaml` says the repo relies on the `commit-msg` hook plus a squash-title convention for **title enforcement**, but the `commit-msg` hook only runs locally and does not enforce PR/squash titles repo-wide. This can mislead maintainers into thinking PR title enforcement still exists.
### Issue Context
- The PR intentionally removes CodeRabbit `pre_merge_checks` to restore auto-approve behavior.
- This suggestion is only about making the comment accurate/less misleading (or optionally adding a separate PR-title check that does not interfere with CodeRabbit approvals).
### Fix Focus Areas
- .coderabbit.yaml[17-23]
### Suggested change
- Reword to reflect that Conventional Commits are enforced for *local commit messages* via `commit-msg`, while squash/PR titles are a *manual convention* at merge time (not an automated check).
- (Optional) If you still want automated PR-title validation without CodeRabbit pre-merge checks, add a dedicated CI/PR-title checker (separate from CodeRabbit) and update the comment accordingly.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Results up to commit e96e95d


🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)


Informational
1. PR title lint removed 🐞 Bug ⚙ Maintainability
Description
With pre_merge_checks removed, PR/squash titles are no longer validated via CodeRabbit; the
replacement comment describes "title enforcement" via a local commit-msg hook plus a squash-title
convention, but commit-msg only lints locally-created commit messages and cannot enforce squash/PR
titles repo-wide. This can let non-Conventional-Commit squash titles slip through when hooks aren’t
installed or the squash title isn’t manually corrected at merge time.
Code

.coderabbit.yaml[R17-23]

+  # Pre-merge checks are intentionally left unconfigured. Defining any check here
+  # turns on the whole pre-merge-checks subsystem, which replaces the auto-approve
+  # flow under Request Changes Workflow: CodeRabbit then emits a pre-merge-checks
+  # status block instead of approving once review threads are resolved, so PRs sit
+  # at REVIEW_REQUIRED even with all threads cleared and all checks green. We rely
+  # on the commit-msg hook plus the squash-title convention for title enforcement
+  # instead of a CodeRabbit title check.
Evidence
The new .coderabbit.yaml text claims title enforcement via a commit-msg hook; in this repo that
hook runs commitlint on the commit message file during local commits, and AGENTS.md explicitly notes
hooks only run if installed locally—so it’s not repo-wide enforcement of squash/PR titles.

.coderabbit.yaml[17-23]
.husky/commit-msg[1-3]
AGENTS.md[176-186]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The comment added to `.coderabbit.yaml` says the repo relies on the `commit-msg` hook plus a squash-title convention for **title enforcement**, but the `commit-msg` hook only runs locally and does not enforce PR/squash titles repo-wide. This can mislead maintainers into thinking PR title enforcement still exists.

### Issue Context
- The PR intentionally removes CodeRabbit `pre_merge_checks` to restore auto-approve behavior.
- This suggestion is only about making the comment accurate/less misleading (or optionally adding a separate PR-title check that does not interfere with CodeRabbit approvals).

### Fix Focus Areas
- .coderabbit.yaml[17-23]

### Suggested change
- Reword to reflect that Conventional Commits are enforced for *local commit messages* via `commit-msg`, while squash/PR titles are a *manual convention* at merge time (not an automated check).
- (Optional) If you still want automated PR-title validation without CodeRabbit pre-merge checks, add a dedicated CI/PR-title checker (separate from CodeRabbit) and update the comment accordingly.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Qodo Logo

zkochan added 2 commits June 17, 2026 14:09
enable_auto_approval and auto_approve_for_no_suggestions were declared
under [pr_reviewer], where Qodo never reads them, so auto-approval never
ran. Per the Qodo docs both keys belong under [config]. Move them and
drop the now-empty [pr_reviewer] section.
Product labels are applied by CodeRabbit (auto_apply_labels +
labeling_instructions in .coderabbit.yaml). Having Qodo also publish
labels via enable_custom_labels/publish_labels/custom_labels meant two
tools managing the same labels. Drop the Qodo label config and leave
labeling to CodeRabbit.
@qodo-free-for-open-source-projects

Copy link
Copy Markdown

Code review by qodo was updated up to the latest commit 9495e0d

Add an on-qodo-approval job that applies the 'reviewed: qodo' label when
qodo-free-for-open-source-projects[bot] approves, mirroring the existing
CodeRabbit job.

The label step used 'gh pr edit --add-label', which is broken (it errors
on the deprecated Projects-v1 GraphQL field), so adding the label failed
on approval. Switch all three jobs to the issues REST API
(POST /repos/{owner}/{repo}/issues/{number}/labels) instead.
@zkochan zkochan changed the title chore: stop configuring CodeRabbit pre-merge checks fix: restore CodeRabbit and Qodo PR auto-approval Jun 17, 2026
@zkochan zkochan merged commit 7a31307 into main Jun 17, 2026
8 of 9 checks passed
@zkochan zkochan deleted the fix-coderabbit-approve branch June 17, 2026 12:15
Comment on lines +64 to +69
permissions:
# Adding a label via the issues REST API is governed by issues: write
# even when the target is a PR.
issues: write
pull-requests: write
env:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

1. Overbroad workflow permissions 🐞 Bug ⛨ Security

In .github/workflows/pr-review-automation.yml, the jobs now label PRs via the issues labels REST
endpoint but still request pull-requests: write, expanding the GITHUB_TOKEN scope beyond what
the modified steps require. This increases blast radius if the workflow/job context is ever
compromised, and can be avoided while keeping behavior unchanged.
Agent Prompt
### Issue description
Workflow jobs grant `pull-requests: write` even though the updated implementation only POSTs to the issue-labels endpoint (`/repos/{owner}/{repo}/issues/{number}/labels`), which is governed by `issues: write`. This violates least-privilege and increases the impact of any workflow compromise.

### Issue Context
The PR replaced `gh pr edit --add-label` with `gh api .../issues/.../labels`, but permissions were not tightened accordingly.

### Fix Focus Areas
- .github/workflows/pr-review-automation.yml[18-23]
- .github/workflows/pr-review-automation.yml[64-69]
- .github/workflows/pr-review-automation.yml[85-90]

### Suggested change
For each affected job, remove `pull-requests: write` (or reduce it to `read` if you want to keep it explicit) and keep `issues: write`.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

Code review by qodo was updated up to the latest commit 7c68f81

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant