Skip to content

ci: Use our own pr_title_lint.py instead of NPM commitlint [citest_skip]#338

Open
richm wants to merge 1 commit into
mainfrom
pr_title_lint
Open

ci: Use our own pr_title_lint.py instead of NPM commitlint [citest_skip]#338
richm wants to merge 1 commit into
mainfrom
pr_title_lint

Conversation

@richm

@richm richm commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

There are a few problems with the NPM commitlint

  • NPM is problematic
  • Having to install NPM and commitlint and dependencies is slow and heavyweight
  • commitlint is overkill for our simple use case

We have our own pr_title_lint.py which is small and works exactly for our use case.

Enhance coderabbit checks for PRs and test cleanup

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by CodeRabbit

  • Chores
    • Tightened pull request title checks to better match Conventional Commits, with clearer examples and breaking-change support.
    • Added requirements for signed-off contribution notes, with an optional assisted-by line.
    • Improved test guidance so cleanup runs even when tests fail, and cleanup steps can be skipped when needed for debugging.
    • Updated PR title validation to use a simpler checking approach.

There are a few problems with the NPM commitlint

* NPM is problematic
* Having to install NPM and commitlint and dependencies is slow and heavyweight
* commitlint is overkill for our simple use case

We have our own pr_title_lint.py which is small and works exactly for our use case.

Enhance coderabbit checks for PRs and test cleanup

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
@richm richm requested review from rjeffman and spetrosi as code owners July 1, 2026 14:54
@richm richm self-assigned this Jul 1, 2026
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories.

📝 Walkthrough

Walkthrough

This PR updates .coderabbit.yaml pre-merge checks with a revised Conventional Commits title format, sign-off requirements in PR descriptions, and test playbook cleanup guidance. It removes .commitlintrc.js and replaces the commitlint-based workflow step with a downloaded Python title-lint script.

Changes

CI Validation Configuration Updates

Layer / File(s) Summary
Conventional Commits title format and examples
.coderabbit.yaml
Title requirements updated with explicit format description, valid type reference, and additional breaking-change examples.
PR description sign-off requirements
.coderabbit.yaml
Adds mandatory Signed-off-by and optional Assisted-by requirements, and updates the embedded example template with these lines.
Test playbook cleanup guidance
.coderabbit.yaml
Adds requirement for an always-block cleanup step and tests::cleanup tagging in playbook instructions.
PR title lint workflow migration
.github/workflows/pr-title-lint.yml, .commitlintrc.js
Removes commitlint config and npm-based lint steps, replacing them with a downloaded pr_title_lint.py script run against the PR title.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description omits the required Enhancement, Reason, Result, and Issue Tracker Tickets sections from the template. Rewrite the description using the template headings and fill in each section, including any relevant issue tracker ticket IDs.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the CI change from NPM commitlint to the repository's pr_title_lint.py.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pr_title_lint

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.coderabbit.yaml (1)

42-49: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Fragile line-anchored reference for valid types.

Line 43 references a specific line number (#L23) in an external file to document valid Conventional Commit types. If pr_title_lint.py is updated upstream (lines added/removed), this anchor will silently point to the wrong line, misleading contributors/reviewers reading the requirement.

Consider linking to the file itself (or a specific commit/tag) without the line anchor, or referencing the constant/variable name instead of a line number.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.coderabbit.yaml around lines 42 - 49, The Conventional Commit types
reference in the comment is tied to a fragile external line anchor, so update
the guidance in .coderabbit.yaml to point to the source file, tag, or stable
symbol instead of a specific line number. Keep the examples and valid-types
note, but remove the `#L23` dependency so the reference remains correct as
pr_title_lint.py changes upstream.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-title-lint.yml:
- Around line 25-26: The pr_title_lint.py download step is pulling from a
mutable upstream branch and does not fail cleanly on HTTP errors. Update the
curl command in the workflow’s install step to fetch from an immutable ref (a
pinned commit or tag) instead of main, and add curl fail behavior such as --fail
or --fail-with-body so CI stops immediately on 4xx/5xx responses before invoking
the script.

---

Nitpick comments:
In @.coderabbit.yaml:
- Around line 42-49: The Conventional Commit types reference in the comment is
tied to a fragile external line anchor, so update the guidance in
.coderabbit.yaml to point to the source file, tag, or stable symbol instead of a
specific line number. Keep the examples and valid-types note, but remove the
`#L23` dependency so the reference remains correct as pr_title_lint.py changes
upstream.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 21044011-baff-492c-a358-2f7081344fb2

📥 Commits

Reviewing files that changed from the base of the PR and between 828c33b and ba39875.

📒 Files selected for processing (3)
  • .coderabbit.yaml
  • .commitlintrc.js
  • .github/workflows/pr-title-lint.yml
💤 Files with no reviewable changes (1)
  • .commitlintrc.js

Comment on lines +25 to +26
- name: Install pr_title_lint.py
run: curl -o pr_title_lint.py https://raw.githubusercontent.com/linux-system-roles/auto-maintenance/main/pr_title_lint.py

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

linux-system-roles auto-maintenance pr_title_lint.py latest commit checksum verification recommended practice for downloading scripts in CI

💡 Result:

The linux-system-roles/auto-maintenance repository is a collection of automation scripts and tools used to manage various linux-system-roles repositories [1]. Regarding the specific query about pr_title_lint.py, while auto-maintenance contains many utility scripts [1], standard PR title linting in the linux-system-roles ecosystem is typically handled via GitHub Actions—specifically using commitlint as shown in the linux-system-roles/template repository [2]. Recommended practices for downloading and executing scripts in CI pipelines emphasize security to prevent supply chain attacks, as piping directly from curl to shell (e.g., curl | bash) is considered a security risk [3][4]. The following practices are recommended: 1. Use Trusted Sources and Version Pinning: Whenever possible, use official plugins, package managers (apt, apk, npm), or container images [3][4]. If you must download a script, ensure it is from a trusted, immutable source and pin it to a specific version or commit [3]. 2. Verify Integrity via Checksums: Never execute a remote script without verification [3]. The standard practice is to: - Download the script to a temporary file [3]. - Compute its hash (e.g., sha256sum) [3][5]. - Compare the computed hash against a known, trusted checksum [3][5]. - Only execute the script if the verification succeeds [3][6][5]. Example CI pattern for checksum verification: curl -fsSL https://example.com/script.sh -o script.sh echo "EXPECTED_HASH script.sh" | sha256sum -c - if [ $? -eq 0 ]; then bash script.sh else echo "Checksum verification failed" exit 1 fi 3. Avoid Dynamic Scripts: If a script is generated dynamically, it is difficult to verify via a static checksum [5]. In such cases, prefer cloning the repository and running the script from a specific commit hash, which guarantees integrity through git's cryptographic signing rather than relying on a downloadable artifact checksum [7][5].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/pr-title-lint.yml .github/workflows
wc -l .github/workflows/pr-title-lint.yml
cat -n .github/workflows/pr-title-lint.yml | sed -n '1,120p'

printf '\n--- related references ---\n'
rg -n "pr_title_lint\.py|curl .*raw.githubusercontent.com|--fail|-f" .github/workflows . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**'

Repository: linux-system-roles/certificate

Length of output: 8607


🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "curl .*raw\.githubusercontent\.com|curl .* -f|curl .*--fail|curl .* -L" .github/workflows -g '*.yml' -g '*.yaml'

Repository: linux-system-roles/certificate

Length of output: 736


🌐 Web query:

curl --fail exit code HTTP 404 body saved without --fail documentation

💡 Result:

When using the --fail (or -f) option in curl, the program will exit with code 22 if an HTTP server returns an error response code of 400 or greater [1][2]. Crucially, the --fail option explicitly prevents curl from outputting or saving the response body for these errors [1][3]. In these cases, curl stops immediately after receiving the response headers and does not store the content [1][4]. If you need to both trigger an exit code on HTTP errors (400+) and save the response body (such as the HTML error page or error details), you should use the --fail-with-body option instead [1][5][4]. This option, introduced in curl version 7.76.0, functions as an alternative to --fail by allowing the body to be saved while still returning exit code 22 upon encountering a server error [1][4]. These two options, --fail and --fail-with-body, are mutually exclusive [1][6].

Citations:


Pin the downloaded script to an immutable ref and fail fast on HTTP errors. Fetching from main means CI executes whatever upstream publishes next; pin a commit/tag, and use curl --fail (or --fail-with-body) so 4xx/5xx responses don’t turn into a confusing Python traceback.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-title-lint.yml around lines 25 - 26, The
pr_title_lint.py download step is pulling from a mutable upstream branch and
does not fail cleanly on HTTP errors. Update the curl command in the workflow’s
install step to fetch from an immutable ref (a pinned commit or tag) instead of
main, and add curl fail behavior such as --fail or --fail-with-body so CI stops
immediately on 4xx/5xx responses before invoking the script.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant