fix: harden release workflow permissions#12
Conversation
|
Warning Review limit reached
Next review available in: 59 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
SkillLoop/.github/workflows/release.yml
Line 70 in c2903b9
In the new release job this command now runs after only downloading artifacts, without a checkout, so it is outside any local git repository. The GitHub CLI docs say GH_REPO is needed for commands that otherwise operate on a local repository, and gh release create alternatively accepts -R/--repo; GITHUB_REPOSITORY alone is not the CLI's repo selector. On every tagged release this step can fail before creating the GitHub Release, and publish-pypi is now blocked behind this job, so set GH_REPO: ${{ github.repository }}, pass --repo "$GITHUB_REPOSITORY", or checkout in this job.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Motivation
GITHUB_TOKENand OIDC token to build/test steps that install and run project-controlled code.Description
contents: write/id-token: writetocontents: readat the top level in.github/workflows/release.yml.buildjob tocontents: readand disable persisted checkout credentials withpersist-credentials: falseonactions/checkout@v4so build/test steps cannot use a write-capable token.releasejob thatneeds: build, downloads artifacts, and runs withcontents: writeonly for the release step.publish-pypito depend onreleaseand retainid-token: writescoped to the publishing job while keepingcontents: readthere.Testing
.github/workflows/release.yml, and it succeeded.python -m pytest tests/ -q, and all tests passed.PyYAMLwhich failed becausePyYAMLis not installed in the environment, so that specific validation could not run.Codex Task