ci(skillsaw): migrate to official GitHub Action with PR review comments #66

Merged: cblecker merged 1 commit into main from worktree-unified-riding-stonebraker on Jul 3, 2026

cblecker (Owner) commented Jul 3, 2026

Summary

  • Replace uvx skillsaw --strict with the official stbenjam/skillsaw@v0 composite action, SHA-pinned at v0.15.0 for dependabot auto-upgrades
  • Add skillsaw-review.yml workflow that posts inline PR review comments on lint violations using the two-workflow security pattern (lint is read-only, review comments go in a separate workflow_run-triggered job)
  • Remove the astral-sh/setup-uv step that is no longer needed

Test plan

  • Verify lint workflow passes on this PR
  • Verify skillsaw-review workflow triggers after lint completes and posts inline comments (if any violations exist)
  • Confirm dependabot can detect the SHA-pinned action for future version bumps

Copilot AI review requested due to automatic review settings July 3, 2026 18:17
coderabbitai Bot commented Jul 3, 2026

Warning

Review limit reached

@cblecker, you've reached your PR review limit, so we couldn't start this review.

Review details
📥 Commits

Reviewing files that changed from the base of the PR and between c4c2d91 and c5133f3.

📒 Files selected for processing (3)
  • .github/workflows/lint.yml
  • .github/workflows/skillsaw-review.yml
  • .skillsaw.yaml

cblecker force-pushed the worktree-unified-riding-stonebraker branch from 2a82419 to b75f3e0 on July 3, 2026 18:22

Replace uvx-based skillsaw invocation with the official stbenjam/skillsaw
composite action (SHA-pinned at v0.15.0) for version pinning and dependabot
support. Add a companion skillsaw-review workflow that posts inline PR
comments on lint violations using the two-workflow security pattern.

Assisted-by: Claude:claude-opus-4-6

cblecker force-pushed the worktree-unified-riding-stonebraker branch from b75f3e0 to c5133f3 on July 3, 2026 18:22
cblecker enabled auto-merge on July 3, 2026 18:23
cblecker merged commit b5a8b05 into main on Jul 3, 2026
13 checks passed
cblecker deleted the worktree-unified-riding-stonebraker branch on July 3, 2026 18:23

Copilot AI left a comment

Pull request overview

This PR migrates the repository's skillsaw linting from an ad-hoc uvx skillsaw --strict invocation to the official stbenjam/skillsaw GitHub Action (SHA-pinned to v0.15.0), and adds a companion skillsaw-review.yml workflow that posts inline PR review comments using skillsaw's documented two-workflow security pattern. In this pattern the read-only Lint Plugins workflow runs on the PR and uploads the lint report as an artifact, while a separate workflow_run-triggered job with pull-requests: write downloads that artifact and posts comments without executing untrusted PR code.

Changes:

  • Replace the setup-uv + uvx skillsaw --strict steps in lint.yml with the SHA-pinned stbenjam/skillsaw action (strict: true).
  • Add skillsaw-review.yml (workflow_run on "Lint Plugins") that runs stbenjam/skillsaw/review to post inline PR comments.

I verified: the pinned SHA a1d7340… correctly resolves to tag v0.15.0; the workflows: ["Lint Plugins"] reference matches lint.yml's name; the lint action uploads the skillsaw-report/skillsaw-pr-metadata artifacts the review action consumes; and the repo's .skillsaw.yaml defines no custom rules, so the action's no-custom-rules: true default does not silently change behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/lint.yml | Swaps setup-uv/uvx skillsaw --strict for the SHA-pinned stbenjam/skillsaw action with strict: true. |
| .github/workflows/skillsaw-review.yml | New workflow_run job that posts inline PR review comments via stbenjam/skillsaw/review; includes an unnecessary actions/checkout step. |
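
A text-level check for the invariants the two-workflow pattern described in this thread relies on, as an added example that is not part of this PR or of the skillsaw project: action refs pinned to a full commit SHA, no write scope on the pull_request side, and no checkout in the write-scoped workflow_run side. The two workflow samples are constructed from the names quoted in this thread, and the regex matching is a simplification rather than a YAML parser.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s@]+)@(\S+)", re.M)  # owner/repo[/path]@ref
FULL_SHA = re.compile(r"[0-9a-f]{40}")
WRITE_SCOPE = re.compile(r"^\s*([\w-]+):\s*write\b", re.M)         # e.g. pull-requests: write

def audit_workflow(text):
    """Return findings for one workflow file, given as a string."""
    uses = USES.findall(text)
    findings = [f"unpinned ref: {a}@{r}" for a, r in uses if not FULL_SHA.fullmatch(r)]
    scopes = WRITE_SCOPE.findall(text)
    if re.search(r"^\s*pull_request:", text, re.M) and scopes:  # PR-facing half stays read-only
        findings.append("PR-triggered workflow grants write: " + ", ".join(scopes))
    if re.search(r"^\s*workflow_run:", text, re.M) and scopes and any(a == "actions/checkout" for a, _ in uses):
        findings.append("checkout in write-scoped workflow_run workflow")
    return findings

SHA = "a1d7340ef19cd0949f884a5381155843589dbad8"  # v0.15.0 pin quoted on this page
# Constructed samples modelled on the two workflows the PR describes.
LINT = f"""\
name: Lint Plugins
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    steps:
      - uses: actions/checkout@v7
      - uses: stbenjam/skillsaw@{SHA}
"""
REVIEW = f"""\
on:
  workflow_run:
    workflows: ["Lint Plugins"]
permissions:
  pull-requests: write
jobs:
  review:
    steps:
      - uses: actions/checkout@v7
        with:
          persist-credentials: false
      - uses: stbenjam/skillsaw/review@{SHA}
"""

if __name__ == "__main__":
    print(audit_workflow(LINT), audit_workflow(REVIEW))
```

The checkout finding marks a step to justify in review, not a confirmed flaw: it asks whether the privileged job needs repository contents at all.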

Comment on lines +16 to +21
- uses: actions/checkout@v7
with:
persist-credentials: false

- name: Post PR review comments
uses: stbenjam/skillsaw/review@a1d7340ef19cd0949f884a5381155843589dbad8 #v0.15.0
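
Review bot: actions/checkout@v7 on the first line of this hunk is referenced by a mutable tag, while the review action on the last line is pinned to a full commit SHA. Pin checkout the same way, with the SHA followed by a version comment, so that both actions in these steps resolve to immutable commits.
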
Copilot AI review requested due to automatic review settings July 3, 2026 18:25

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Comment on lines +13 to +14
permissions:
pull-requests: write
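
Review bot: Only pull-requests: write is listed at +13 to +14, and naming any scope in a permissions block sets every scope not named to none. Confirm the review step can still download the lint artifacts from the triggering run with that token, and if it needs actions: read, add that one scope explicitly rather than widening the block.
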
Comment on lines +16 to +18
- uses: actions/checkout@v7
with:
persist-credentials: false
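
Review bot: The checkout at +16 runs in a workflow_run-triggered job, where it fetches the default branch rather than the PR head, so it gives the review step nothing from the PR itself. If the review action works only from the uploaded artifacts, drop these three lines; if the step stays, keep persist-credentials: false as written.
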