ci: reject OpenCode approvals without structural review #348
Pull request overview
This PR hardens the OpenCode robot-review merge gate by rejecting APPROVE control payloads that admit structural exploration could not be completed (e.g., truncated evidence or inability to inspect changed files), and aligns that contract across the workflow prompt, the Python normalizer, and the shell approval gate.
Changes:
- Add structural-review failure detection to the Python OpenCode output normalizer and reject invalid `APPROVE` payloads.
- Add the same structural-review failure detection to the shell approval gate so runtime gating matches published/normalized output.
- Update the OpenCode workflow prompt to explicitly forbid approval when structural exploration/evidence inspection was not possible, and add targeted policy tests.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `services/analysis-engine/tests/test_supply_chain_policy.py` | Adds regression tests ensuring approvals are rejected when the control payload admits missing structural review. |
| `scripts/ci/opencode_review_normalize_output.py` | Rejects `APPROVE` control objects that contain structural-review failure phrases in reason/summary. |
| `scripts/ci/opencode_review_approve_gate.sh` | Enforces the same structural-review failure rejection at gate time (fail-closed to `NO_CONCLUSION`). |
| `.github/workflows/opencode-review.yml` | Tightens the review prompt so approval requires completed structural exploration and untruncated/inspectable evidence. |
Pull request overview
The changes in PR #348 include updates to workflow files and test scripts, with no critical issues identified. The changes are well-contained and do not introduce regressions or security risks. Structural exploration confirmed the changes are safe and do not affect critical paths.
Findings
No blocking findings from OpenCode's independent review.
Verification
- Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
- Result: APPROVE
- Reason: No critical issues found in the changes. Structural exploration completed without identifying blockers.
Gate evidence
- Head SHA: d0bec83f97f5433b1fced95cbfa4c3da29bd86e0
- Workflow run: 27737594548
- Workflow attempt: 1
d0bec83 to 3aac995
3aac995 to 472bc95
Pull request overview
PR adds robust test coverage for supply chain policy validation and makes minor workflow improvements. No regressions found in structural exploration.
Findings
No blocking findings from OpenCode's independent review.
Verification
- Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
- Result: APPROVE
- Reason: Changes maintain functionality while adding comprehensive tests
Gate evidence
- Head SHA: 472bc95de6d3fe8ce2c79f04fd85ab114ba6aac6
- Workflow run: 27738339120
- Workflow attempt: 1
472bc95 to 856c3bf
Pull request overview
Reviewed changes in PR #348, including workflow updates and test additions. No critical issues or regressions identified. The changes align with the project's architecture and contracts.
Findings
No blocking findings from OpenCode's independent review.
Verification
- Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
- Result: APPROVE
- Reason: No source-backed blockers found; structural exploration completed without issues.
Gate evidence
- Head SHA: 856c3bf0ce92ad8034f1f05cd54003eb6030f7e1
- Workflow run: 27738826355
- Workflow attempt: 1
Summary
- `APPROVE` control payloads that admit structural exploration failed, evidence was truncated, or changed files could not be inspected.
Structural Exploration
- `.github/workflows/opencode-review.yml`, `scripts/ci/opencode_review_normalize_output.py`, `scripts/ci/opencode_review_approve_gate.sh`, and targeted policy tests.
- `REQUEST_CHANGES` findings and valid `APPROVE` payloads with empty findings; it now rejects only approvals whose reason/summary admit missing structural review.
Security Notes
- `NO_CONCLUSION`, which prevents an approval rather than requesting source changes without line-specific evidence.
Validation
```shell
python3 -m py_compile scripts/ci/opencode_review_normalize_output.py && bash -n scripts/ci/opencode_review_approve_gate.sh
uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py::test_opencode_normalizer_rejects_approve_without_structural_review services/analysis-engine/tests/test_supply_chain_policy.py::test_opencode_review_gate_rejects_approve_without_structural_review services/analysis-engine/tests/test_supply_chain_policy.py::test_opencode_normalizer_defaults_missing_approve_findings services/analysis-engine/tests/test_supply_chain_policy.py::test_opencode_review_gate_defaults_missing_approve_findings -q
actionlint .github/workflows/opencode-review.yml
python3 scripts/checks/verify_github_bootstrap_policy.py
python3 scripts/checks/verify_supply_chain.py
git diff --check
```
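The fail-closed rule this PR describes (in the summary above and in Copilot's overview of the normalizer and gate), written out as an added Python example. This is not the project's `scripts/ci/opencode_review_normalize_output.py` nor the shell gate; the function names, the failure-phrase list and the sample payloads are constructed here as assumptions. It shows the three behaviours the PR text names: an `APPROVE` whose reason or summary admits an incomplete structural review is downgraded to `NO_CONCLUSION`, a `REQUEST_CHANGES` carrying the same phrases passes through untouched, and an approval with no `findings` list defaults to an empty one. Unparseable model output also fails closed rather than being treated as an approval.

```python
"""Illustrative control-payload normalizer for an OpenCode-style robot review gate.

Added example: not the project's scripts/ci/opencode_review_normalize_output.py.
Function names, the failure-phrase list and the sample payloads are constructed here.
"""
import json
import re
from typing import Any, Optional

APPROVE = "APPROVE"
REQUEST_CHANGES = "REQUEST_CHANGES"
NO_CONCLUSION = "NO_CONCLUSION"

# Phrases that, inside an APPROVE reason/summary, admit the structural review did
# not actually complete. Constructed for this example; matched case-insensitively.
STRUCTURAL_FAILURE_PATTERNS = [
    r"structural exploration (?:failed|could not be completed|was not (?:completed|possible))",
    r"(?:evidence|output|diff) (?:was|is|were) truncated",
    r"truncated evidence",
    r"(?:could not|couldn't|unable to|cannot) (?:inspect|read|open|access) (?:the |all )?(?:changed )?files?",
    r"(?:could not|unable to) (?:complete|finish) (?:the |a )?(?:structural )?(?:review|exploration)",
]
_FAILURE_RE = re.compile("|".join(STRUCTURAL_FAILURE_PATTERNS), re.IGNORECASE)


def admits_structural_failure(text: Optional[str]) -> Optional[str]:
    """Return the offending phrase if `text` admits an incomplete structural review, else None."""
    match = _FAILURE_RE.search(text or "")
    return match.group(0) if match else None


def _fail_closed(reason: str, summary: str = "", findings: Optional[list] = None) -> dict[str, Any]:
    """Build a NO_CONCLUSION payload: blocks the approval without asserting source defects."""
    return {"result": NO_CONCLUSION, "reason": reason, "summary": summary, "findings": findings or []}


def normalize_control(payload: dict[str, Any]) -> dict[str, Any]:
    """Normalize one control object. Only approvals are subject to the structural-review check."""
    result = str(payload.get("result", "")).strip().upper()
    reason = str(payload.get("reason", "") or "")
    summary = str(payload.get("summary", "") or "")
    findings = payload.get("findings")
    if not isinstance(findings, list):
        findings = []  # an approval with no findings list is valid; default it to empty

    if result not in (APPROVE, REQUEST_CHANGES, NO_CONCLUSION):
        return _fail_closed(f"unrecognized result {result!r}; failing closed", summary, findings)

    if result == APPROVE:
        hit = admits_structural_failure(reason) or admits_structural_failure(summary)
        if hit:
            # The reviewer claims approval but admits it could not finish looking: refuse it.
            return _fail_closed(
                f"APPROVE rejected: reason/summary admits incomplete structural review ({hit!r})",
                summary,
                findings,
            )
    # REQUEST_CHANGES (and NO_CONCLUSION) pass through: a reviewer that could not inspect a
    # file and therefore asks for changes is not making an unsupported approval claim.
    return {"result": result, "reason": reason, "summary": summary, "findings": findings}


def normalize_raw(raw: str) -> dict[str, Any]:
    """Parse the raw model output; anything that is not a JSON object fails closed."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return _fail_closed(f"control payload is not valid JSON: {exc.msg}")
    if not isinstance(payload, dict):
        return _fail_closed("control payload is not a JSON object")
    return normalize_control(payload)


if __name__ == "__main__":
    # Constructed sample payloads, not output captured from any real review run.
    samples = [
        '{"result": "APPROVE", "reason": "No blockers; structural exploration completed."}',
        '{"result": "APPROVE", "reason": "Looks fine, but I could not inspect changed files; the diff was truncated."}',
        '{"result": "REQUEST_CHANGES", "reason": "Could not inspect changed files", "findings": [{"path": "a.py", "line": 3}]}',
        "not json at all",
    ]
    for raw in samples:
        print(json.dumps(normalize_raw(raw)))
```

The phrase list is deliberately a denylist of admissions rather than an allowlist of acceptable reasons: the gate cannot prove the model looked at every file, so the cheapest honest signal it has is the model's own statement that it did not. Pairing the normalizer with the same check in the shell gate, as the PR does, matters because the published comment and the merge decision must be derived from the same verdict, or an attacker-influenced model output could read as an approval in one place and not the other.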