fix: keep external OpenCode check failures out of review state

[seonghobae]

Summary

• classify GitHub artifact upload finalization resets as external infrastructure failures
• stop OpenCode from submitting REQUEST_CHANGES when the only failed current-head check is that external artifact failure
• keep ordinary test/build failures on the existing source-backed diagnosis path

Verification

• python3 -m py_compile scripts/ci/classify_failed_check_evidence.py
• uv run --project services/analysis-engine ruff check scripts/ci/classify_failed_check_evidence.py services/analysis-engine/tests/test_supply_chain_policy.py
• uv run --project services/analysis-engine ruff format --check scripts/ci/classify_failed_check_evidence.py services/analysis-engine/tests/test_supply_chain_policy.py
• uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q
• python3 scripts/checks/verify_supply_chain.py

Security Notes

• No runtime network path is added; the helper classifies bounded GitHub Actions evidence already collected by CI.
• Required build checks are not weakened or skipped. External artifact upload failures still block merge through the failed GitHub check until rerun succeeds.
• OpenCode no longer creates stale source-change review state for non-source infrastructure failures, reducing review-gate confusion without bypassing protected checks.

[coderabbitai]

Warning

Review limit reached

@seonghobae, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 33 minutes and 39 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0413e9ef-0f5f-46ed-99fb-e466f67645a0

📥 Commits

Reviewing files that changed from the base of the PR and between 13deb2b and af3c6b7.

📒 Files selected for processing (4)

• .github/workflows/opencode-review.yml
• scripts/checks/normalize_scorecard_sarif.py
• scripts/ci/classify_failed_check_evidence.py
• services/analysis-engine/tests/test_supply_chain_policy.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/opencode-external-checks

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/opencode-external-checks

Warning

Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR refines the OpenCode review workflow to avoid creating REQUEST_CHANGES review state when the only current-head failure is an external GitHub Actions artifact upload finalization/reset (e.g., ECONNRESET), while preserving the existing failed-check diagnosis path for actionable test/build failures.

Changes:

• Add a Python classifier that detects transient artifact upload finalization/network resets from collected failed-check evidence.
• Update opencode-review.yml to stop before submitting REQUEST_CHANGES when the classifier identifies an external infrastructure-only failure, and instead publish an overview update.
• Add regression tests covering the external-infrastructure classification and ensuring ordinary test failures remain actionable.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
services/analysis-engine/tests/test_supply_chain_policy.py	Adds tests validating the new classifier behavior and workflow integration.
scripts/ci/classify_failed_check_evidence.py	Introduces evidence parsing/classification logic for external artifact upload reset failures.
.github/workflows/opencode-review.yml	Calls the classifier and stops review-state changes for external-only failed checks, while keeping the existing diagnosis flow for actionable failures.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[opencode-agent]

OpenCode Review Overview

• Head SHA: af3c6b7c4c06285c41b388d58229bdc13046b6aa
• Workflow run: 27727201231
• Workflow attempt: 1
• Gate result: APPROVE (approval step)

Pull request overview

PR #346 introduces CI workflow enhancements and test updates. The changes include: 1) Workflow script cleanup improvements, 2) New evidence classification script, 3) Supply chain policy test updates. No security concerns or breaking changes detected in the limited diff view.

Findings

No blocking findings from OpenCode's independent review.

Verification

• Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
• Result: APPROVE
• Reason: Changes appear to be CI improvements and test updates with no evident issues

Gate evidence

• Head SHA: af3c6b7c4c06285c41b388d58229bdc13046b6aa
• Workflow run: 27727201231
• Workflow attempt: 1

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

[opencode-agent]

Pull request overview

PR #346 introduces CI workflow enhancements and test updates. The changes include: 1) Workflow script cleanup improvements, 2) New evidence classification script, 3) Supply chain policy test updates. No security concerns or breaking changes detected in the limited diff view.

Findings

No blocking findings from OpenCode's independent review.

Verification

• Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
• Result: APPROVE
• Reason: Changes appear to be CI improvements and test updates with no evident issues

Gate evidence

• Head SHA: af3c6b7c4c06285c41b388d58229bdc13046b6aa
• Workflow run: 27727201231
• Workflow attempt: 1