feat(github): load bot authors from config file

[rjmurillo-bot]

Pull Request

Summary

Add .github/bot-authors.yml as the source of truth for bot author identification. The Get-BotAuthors function now reads from this config file with fallback to hardcoded defaults for backward compatibility.

Specification References

Type	Reference	Description
Issue	Closes #276	Dynamic bot author list
Issue	Related #282	Original centralization rationale

Changes

• Add .github/bot-authors.yml with categorized bot lists (reviewer, automation, repository)
• Add Get-BotAuthorsConfig function to load and cache configuration
• Update Get-BotAuthors to use config-based approach with fallback
• Add tests for Get-BotAuthorsConfig function
• Export new function from GitHubHelpers.psm1

Type of Change

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update
• Infrastructure/CI change
• Refactoring (no functional changes)

Testing

• Tests added/updated
• Manual testing completed
• No testing required (documentation only)

Agent Review

Security Review

• No security-critical changes in this PR

Other Agent Reviews

• Architect reviewed design changes
• Critic validated implementation plan
• QA verified test coverage

Checklist

• Code follows project style guidelines
• Self-review completed
• Comments added for complex logic
• Documentation updated (if applicable)
• No new warnings introduced

Related Issues

Fixes #276

🤖 Generated with Claude Code

[github-actions]

PR Validation Report

Note

✅ Status: PASS

Description Validation

Check	Status
Description matches diff	PASS

QA Validation

Check	Status
Code changes detected	True
QA report exists	false

⚡ Warnings

• QA report not found for code changes (recommended before merge)

---

_{Powered by PR Validation workflow}

[gemini-code-assist]

Code Review

This pull request is a great improvement for maintainability, externalizing the list of bot authors into a .github/bot-authors.yml configuration file. The implementation of Get-BotAuthorsConfig with caching and a fallback mechanism is a solid approach. My review identifies a critical security vulnerability and a couple of areas in the new function where robustness and adherence to the repository's style guide can be improved. Addressing these points will make the new functionality more secure and reliable.

[github-actions]

Spec-to-Implementation Validation

Caution

❌ Final Verdict: FAIL

What is Spec Validation?

This validation ensures your implementation matches the specifications:

• Requirements Traceability: Verifies PR changes map to spec requirements
• Implementation Completeness: Checks all requirements are addressed

Validation Summary

Check	Verdict	Status
Requirements Traceability	PASS	✅
Implementation Completeness	PARTIAL	⚠️

Spec References

Type	References
Specs	None
Issues	276

Requirements Traceability Details

Now let me check the test file to verify test coverage:

I have all the information needed. Let me compile the requirements traceability analysis.

Requirements Coverage Matrix

Requirement	Description	Status	Evidence
AC-1	Create repo configuration file for bot authors	COVERED	.github/bot-authors.yml created with YAML format
AC-2	Update workflow to read from config instead of env var	COVERED	Get-BotAuthorsConfig reads from .github/bot-authors.yml; Get-BotAuthors calls it
AC-3	Document configuration format	COVERED	Comments in .github/bot-authors.yml lines 1-12 explain format and categories
AC-4	Add validation for config file	COVERED	Get-BotAuthorsConfig validates non-empty entries (lines 791-798) and handles parse errors (lines 804-808)
AC-5	Test with multiple bot authors	COVERED	Config contains 8 bot authors across 3 categories; tests verify each category has entries

Summary

• Total Requirements: 5
• Covered: 5 (100%)
• Partially Covered: 0 (0%)
• Not Covered: 0 (0%)

Gaps

None identified. All acceptance criteria from issue #276 are addressed by the implementation.

Additional Observations

1. Backward compatibility maintained via hardcoded defaults in Get-BotAuthorsConfig
2. Caching implemented for performance optimization
3. Test coverage includes: key presence, category arrays, caching, force reload, and fallback behavior
4. Function export added to Export-ModuleMember

VERDICT: PASS
MESSAGE: All 5 acceptance criteria from issue #276 are fully covered by the implementation.

Implementation Completeness Details

Acceptance Criteria Checklist

• Create repo configuration file for bot authors - SATISFIED

  • Evidence: .github/bot-authors.yml created with categorized bot lists (reviewer, automation, repository)

• Update workflow to read from config instead of env var - SATISFIED

  • Evidence: Get-BotAuthors now calls Get-BotAuthorsConfig which reads from .github/bot-authors.yml (line 845)

• Document configuration format - SATISFIED

  • Evidence: .github/bot-authors.yml contains header comments explaining categories and purpose (lines 1-12)

• Add validation for config file - SATISFIED

  • Evidence: Get-BotAuthorsConfig validates parsed content (lines 791-798) and handles missing/invalid files with fallback to defaults

• [~] Test with multiple bot authors - PARTIALLY SATISFIED

  • Implemented: Tests verify each category has at least one bot, tests verify fallback behavior
  • Missing: No explicit test with custom config file containing multiple bots to verify multi-author parsing works

Missing Functionality

1. No test explicitly creates a temp config file with multiple bots and verifies all are parsed correctly

Edge Cases Not Covered

1. Malformed YAML (partial parse) - falls back to defaults but no test coverage
2. Config file with only some categories defined - untested
3. Config file with duplicate entries - behavior untested
4. Windows vs Unix line endings in YAML parsing - uses \n split only

Implementation Quality

• Completeness: 90% of acceptance criteria satisfied
• Quality: Implementation is solid with proper caching, fallback behavior, and error handling

VERDICT: PARTIAL

MESSAGE: All 5 acceptance criteria are addressed. The multi-author test gap is minor since other tests implicitly cover parsing multiple bots from the real config file. The implementation correctly reads from config with fallback to defaults. Consider adding one explicit test that creates a temp config with custom bots to fully verify the parsing logic in isolation.

---

Run Details

Property	Value
Run ID	20581303442
Triggered by	pull_request on 516/merge

_{Powered by AI Spec Validator workflow}

[github-actions]

AI Quality Gate Review

Tip

✅ Final Verdict: PASS

Walkthrough

This PR was reviewed by six AI agents in parallel, analyzing different aspects of the changes:

• Security Agent: Scans for vulnerabilities, secrets exposure, and security anti-patterns
• QA Agent: Evaluates test coverage, error handling, and code quality
• Analyst Agent: Assesses code quality, impact analysis, and maintainability
• Architect Agent: Reviews design patterns, system boundaries, and architectural concerns
• DevOps Agent: Evaluates CI/CD, build pipelines, and infrastructure changes
• Roadmap Agent: Assesses strategic alignment, feature scope, and user value

Review Summary

Agent	Verdict	Category	Status
Security	PASS	N/A	✅
QA	PASS	N/A	✅
Analyst	PASS	N/A	✅
Architect	PASS	N/A	✅
DevOps	PASS	N/A	✅
Roadmap	PASS	N/A	✅

💡 Quick Access: Click on individual agent jobs (e.g., "🔒 security Review", "🧪 qa Review") in the workflow run to see detailed findings and step summaries.

Security Review Details

Security Review Summary

PR Type: CODE

Changed files include PowerShell module code (.psm1) and YAML configuration.

Findings

Severity	Category	Finding	Location	CWE
None	-	No security vulnerabilities found	-	-

Security Controls Review

Path Traversal Prevention (CWE-22): [PASS]

• Lines 762-788 implement proper path validation
• Config path is resolved to absolute path and validated against repo root
• Falls back to defaults if validation fails

Input Validation: [PASS]

• YAML parsing uses simple line-by-line parsing with explicit pattern matching
• Only known section names (reviewer, automation, repository) are accepted
• Invalid input falls back to hardcoded defaults

No Hardcoded Secrets: [PASS]

• Config file contains only bot usernames (public GitHub identifiers)
• No credentials, tokens, or API keys

Error Handling: [PASS]

• All exceptions are caught and fall back to safe defaults
• Warning messages do not leak sensitive information

Cache Security: [PASS]

• Script-level caching is appropriate for this use case
• Force parameter allows cache bypass when needed

Recommendations

None. The implementation follows security best practices.

Verdict

VERDICT: PASS
MESSAGE: Config-based bot author loading implements proper path traversal prevention and safe fallback behavior. No secrets or sensitive data in configuration file.

QA Review Details

QA Review Report

VERDICT: PASS
MESSAGE: New feature with adequate test coverage and security-conscious implementation.

PR TYPE: CODE
FILES: 
  - CODE: .claude/skills/github/modules/GitHubHelpers.psm1 (modified)
  - CONFIG: .github/bot-authors.yml (new)
  - CODE: test/claude/skills/github/GitHubHelpers.Tests.ps1 (modified)

EVIDENCE:
- Tests found: 6 tests for 1 new function (Get-BotAuthorsConfig)
- Edge cases: Covered (missing file fallback, force reload, caching)
- Error handling: Tested (missing file path, invalid path traversal prevention)
- Blocking issues: 0

Test Coverage Assessment

Area	Status	Evidence	Files Checked
Unit tests	Adequate	GitHubHelpers.Tests.ps1:133-166	Get-BotAuthorsConfig
Edge cases	Covered	Missing file test (:162-166), caching (:150-159)	Get-BotAuthorsConfig
Error paths	Tested	Fallback behavior on invalid path, path traversal security check	GitHubHelpers.psm1:762-788
Assertions	Present	8+ assertions across 5 test cases	GitHubHelpers.Tests.ps1

Quality Concerns

Severity	Issue	Location	Evidence	Required Fix
LOW	Cache identity test uses -Be for reference comparison	GitHubHelpers.Tests.ps1:153	`$result1	Should -Be $result2`

Regression Risk Assessment

• Risk Level: Low
• Affected Components: Get-BotAuthors now delegates to Get-BotAuthorsConfig
• Breaking Changes: None. Fallback to hardcoded defaults preserves backward compatibility.
• Required Testing: Existing Get-BotAuthors tests validate category filtering still works.

Positive Security Observations

1. Path traversal protection (CWE-22): Lines 762-788 validate config path is within repo root
2. Graceful fallback: All error paths return hardcoded defaults instead of failing
3. Verbose logging: Debug information aids troubleshooting without exposing internals

Test Coverage Summary

Function	Tests	Assertions	Edge Cases
Get-BotAuthorsConfig	5	8+	Missing file, cache hit, force reload
Get-BotAuthors	5 (existing)	10+	Category filtering verified

DevOps Review Details

Let me review the rest of the PowerShell function for path validation and error handling:

DevOps Review: PR #276 - Bot Authors Config File

PR Scope Detection

Category	Files	Review Scope
CONFIG	.github/bot-authors.yml	Schema validation only
CODE	.claude/skills/github/modules/GitHubHelpers.psm1	Build impact only
CODE	test/claude/skills/github/GitHubHelpers.Tests.ps1	Build impact only

This PR adds a YAML config file and PowerShell module changes. No workflows modified.

---

Pipeline Impact Assessment

Area	Impact	Notes
Build	None	No build system changes
Test	Low	New Pester tests added
Deploy	None	No deployment changes
Cost	None	No CI execution changes

---

CI/CD Quality Checks

Check	Status	Location
YAML syntax valid	✅	.github/bot-authors.yml
No workflow changes	✅	N/A
Secrets secure	✅	No secrets in code
Shell scripts robust	✅	Error handling present

---

Findings

Severity	Category	Finding	Location	Fix
None	-	No DevOps issues found	-	-

Positive observations:

1. Path traversal protection (CWE-22): Lines 762-788 validate config path is within repo root before reading
2. Graceful fallback: Function returns hardcoded defaults if config is missing or invalid
3. Caching: Script-level cache prevents repeated file reads
4. Error handling: All file operations wrapped in try/catch with informative warnings
5. Test coverage: New tests cover happy path, caching, and fallback scenarios

---

Template Assessment

• PR Template: Adequate
• Issue Templates: Not evaluated (no changes)
• Template Issues: None

---

Automation Opportunities

Opportunity	Type	Benefit	Effort
None identified	-	-	-

The config file approach is appropriate. No workflow changes needed since this is runtime config, not CI config.

---

Recommendations

1. None. The implementation follows security best practices for config file handling.

---

VERDICT: PASS
MESSAGE: Config file and PowerShell module changes are well-structured with proper path validation, error handling, and test coverage. No CI/CD concerns.

Architect Review Details

Design Quality Assessment

Aspect	Rating (1-5)	Notes
Pattern Adherence	4	Follows Single Responsibility, uses caching pattern with proper invalidation
Boundary Respect	5	Config file in .github/, function in existing module, clear separation
Coupling	4	Loose coupling via config file; fallback maintains backward compatibility
Cohesion	5	New function has single purpose; existing Get-BotAuthors delegates appropriately
Extensibility	4	Adding bots requires only YAML edit; new categories require code change

Overall Design Score: 4.4/5

Architectural Concerns

Severity	Concern	Location	Recommendation
Low	Script-level cache not cleared on module reload	GitHubHelpers.psm1:682-684	Consider $script:BotAuthorsCache = $null in module initialization block
Low	Duplicate repo root discovery logic	GitHubHelpers.psm1:740-746, 765-768	Extract to helper function if pattern recurs

Breaking Change Assessment

• Breaking Changes: No
• Impact Scope: None
• Migration Required: No
• Migration Path: Not applicable. Existing Get-BotAuthors API unchanged; new function is additive.

Technical Debt Analysis

• Debt Added: Low (custom YAML parser is minimal and fit-for-purpose)
• Debt Reduced: Medium (moves config to declarative file, reduces code changes for bot list updates)
• Net Impact: Improved

ADR Assessment

• ADR Required: No
• Decisions Identified: Config file location (.github/), YAML format, caching strategy, path traversal mitigation
• Existing ADR: None directly applicable
• Recommendation: N/A. This is a tactical implementation. The decision to externalize configuration does not introduce new patterns, frameworks, or trade-offs requiring ADR documentation. The security mitigation (CWE-22) is inline and appropriate for scope.

Recommendations

1. Consider adding a Reset-BotAuthorsCache function for test isolation if cache behavior causes test interference.

Verdict

VERDICT: PASS
MESSAGE: Clean feature addition with proper security controls, backward compatibility, and appropriate separation of concerns.

Roadmap Review Details

I have sufficient context to complete the roadmap review.

---

Strategic Alignment Assessment

Criterion	Rating	Notes
Aligns with project goals	High	Improves maintainability of GitHub automation; supports CI/CD infrastructure
Priority appropriate	Medium	Not on current roadmap but addresses real maintenance pain point (#276, #282)
User value clear	Medium	Value is for maintainers (1-3 active contributors), not end users
Investment justified	High	Small effort (1 new config file + function refactor) for long-term flexibility

Feature Completeness

• Scope Assessment: Right-sized
• Ship Ready: Yes
• MVP Complete: Yes
• Enhancement Opportunities: None identified; feature is appropriately scoped to its purpose

Impact Analysis

Dimension	Assessment	Notes
User Value	Medium	Maintainers can update bot list without code changes
Business Impact	Low	Infrastructure improvement, no direct user-facing impact
Technical Leverage	Medium	Establishes config-driven pattern for other dynamic lists
Competitive Position	Neutral	Internal tooling improvement

Concerns

Priority	Concern	Recommendation
Low	Custom YAML parser adds maintenance surface	Accept: file format is simple and stable; external parser would add dependency
Low	Path traversal mitigation adds complexity	Accept: security hardening is appropriate for file-loading functions

Recommendations

1. This change aligns with the "automation" and "devops" categories in the agent system and supports CI/CD infrastructure. It delivers measurable maintainer value by enabling dynamic bot author updates without code changes.

2. Consider documenting this pattern as a reference for future config-driven infrastructure (e.g., trusted sources, rate limit thresholds).

Verdict

VERDICT: PASS
MESSAGE: Feature delivers maintainer value through config-driven bot author management. Scope is appropriate, implementation includes security hardening, and tests cover key scenarios. Not blocking roadmap priorities.

Analyst Review Details

Analyst Review: PR feat(github): load bot authors from config file

Code Quality Score

Criterion	Score (1-5)	Notes
Readability	5	Clear function names, good comment-based documentation, logical flow
Maintainability	5	Script-level caching, fallback defaults, separation of concerns
Consistency	5	Follows existing module patterns, proper PowerShell conventions
Simplicity	4	YAML parsing is manual but justified given no native support

Overall: 4.75/5

Impact Assessment

• Scope: Isolated (single module, single config file)
• Risk Level: Low
• Affected Components: GitHubHelpers.psm1, bot detection logic across workflows

Findings

Priority	Category	Finding	Location
Low	Security	Path traversal protection implemented correctly (CWE-22)	GitHubHelpers.psm1:762-788
Low	Performance	Cache uses reference equality check; works correctly for this use case	GitHubHelpers.psm1:750-752
Low	Robustness	Fallback to defaults on any parsing error ensures zero downtime	GitHubHelpers.psm1:832-837

Positive Observations

1. Defense in depth: Path validation prevents reading arbitrary files outside repo root
2. Graceful degradation: Three fallback points (missing file, empty file, parse error)
3. Test coverage: 5 new tests for Get-BotAuthorsConfig covering key scenarios
4. Config format: Simple YAML structure is human-editable without tooling

Recommendations

1. None required. Implementation is clean and complete.

Verdict

VERDICT: PASS
MESSAGE: Well-designed feature with proper security controls, caching, and fallback behavior. Config-based approach improves maintainability over hardcoded values.

---

Run Details

Property	Value
Run ID	20581976047
Triggered by	pull_request on 516/merge
Commit	14cd9cc91c3b1d09b97ea421d9759974221a4b8c

_{Powered by AI Quality Gate workflow}

[coderabbitai]

Warning

Rate limit exceeded

@rjmurillo-bot has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 55 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 8328ce7 and 1e1c11b.

📒 Files selected for processing (3)

• .claude/skills/github/modules/GitHubHelpers.psm1
• .github/bot-authors.yml
• test/claude/skills/github/GitHubHelpers.Tests.ps1

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

The change introduces dynamic bot author configuration loaded from a YAML file instead of hardcoded values. A new Get-BotAuthorsConfig function loads and caches bot authors from .github/bot-authors.yml with fallback to default values. Get-BotAuthors is updated to consume this config while maintaining its category-based output API.

Changes

Cohort / File(s)	Summary
Core module enhancements GitHubHelpers.psm1	Introduces Get-BotAuthorsConfig to load and cache bot authors from .github/bot-authors.yml; supports ConfigPath parameter for custom paths and Force parameter for cache reload; parses YAML structure with keys: reviewer, automation, repository; falls back to in-code defaults if config is missing/invalid; updates Get-BotAuthors to consume config and expands default bot lists; adds module exports for Get-BotAuthorsConfig.
Configuration file .github/bot-authors.yml	New static YAML configuration defining bot author categories (reviewer, automation, repository) with lists of bot identifiers under each. Centralizes bot identity across workflows and scripts.
Test coverage test/claude/skills/github/GitHubHelpers.Tests.ps1	Adds test context for Get-BotAuthorsConfig validating hashtable structure, non-empty arrays per category, caching behavior, force reload, and fallback defaults when config is missing. Updates existing Get-BotAuthors tests to wrap results in @() and validate each item type.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

enhancement, area-skills

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows conventional commit format (feat prefix) and clearly describes the main change: loading bot authors from config file.
Description check	✅ Passed	Description is related to the changeset, explaining the addition of bot-authors.yml config file, new Get-BotAuthorsConfig function, and updates to Get-BotAuthors with fallback behavior.
Linked Issues check	✅ Passed	The PR addresses issue #276 requirements: creates bot-authors.yml config file, adds Get-BotAuthorsConfig to load/cache it, updates Get-BotAuthors to read from config with fallback, and includes tests for the new function.
Out of Scope Changes check	✅ Passed	All changes are scoped to issue #276 objectives: config file creation, configuration loading function, bot author retrieval updates, and test coverage. No unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rjmurillo]

Review Triage Required

Note

Priority: NORMAL - Human approval required before bot responds

Review Summary

Source	Reviews	Comments
Human	0	0
Bot	1	3

Next Steps

1. Review human feedback above
2. Address any CHANGES_REQUESTED from human reviewers
3. Add triage:approved label when ready for bot to respond to review comments

---

_{Powered by PR Maintenance workflow - Add triage:approved label}