ci(skillsaw): migrate to official GitHub Action with PR review comments#66
Replace uvx-based skillsaw invocation with the official stbenjam/skillsaw composite action (SHA-pinned at v0.15.0) for version pinning and dependabot support. Add a companion skillsaw-review workflow that posts inline PR comments on lint violations using the two-workflow security pattern. Assisted-by: Claude:claude-opus-4-6
Pull request overview
This PR migrates the repository's skillsaw linting from an ad-hoc `uvx skillsaw --strict` invocation to the official `stbenjam/skillsaw` GitHub Action (SHA-pinned to v0.15.0), and adds a companion `skillsaw-review.yml` workflow that posts inline PR review comments using skillsaw's documented two-workflow security pattern. In this pattern the read-only Lint Plugins workflow runs on the PR and uploads the lint report as an artifact, while a separate `workflow_run`-triggered job with `pull-requests: write` downloads that artifact and posts comments without executing untrusted PR code.

Changes:

- Replace the `setup-uv` + `uvx skillsaw --strict` steps in `lint.yml` with the SHA-pinned `stbenjam/skillsaw` action (`strict: true`).
- Add `skillsaw-review.yml` (`workflow_run` on "Lint Plugins") that runs `stbenjam/skillsaw/review` to post inline PR comments.
I verified: the pinned SHA a1d7340… correctly resolves to tag v0.15.0; the `workflows: ["Lint Plugins"]` reference matches `lint.yml`'s `name`; the lint action uploads the `skillsaw-report`/`skillsaw-pr-metadata` artifacts the review action consumes; and the repo's `.skillsaw.yaml` defines no custom rules, so the action's `no-custom-rules: true` default does not silently change behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/workflows/lint.yml` | Swaps `setup-uv`/`uvx skillsaw --strict` for the SHA-pinned `stbenjam/skillsaw` action with `strict: true`. |
| `.github/workflows/skillsaw-review.yml` | New `workflow_run` job that posts inline PR review comments via `stbenjam/skillsaw/review`; includes an unnecessary `actions/checkout` step. |
| - uses: actions/checkout@v7 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Post PR review comments | ||
| uses: stbenjam/skillsaw/review@a1d7340ef19cd0949f884a5381155843589dbad8 #v0.15.0 |
| permissions: | ||
| pull-requests: write |
| - uses: actions/checkout@v7 | ||
| with: | ||
| persist-credentials: false |
Summary

- Replace `uvx skillsaw --strict` with the official `stbenjam/skillsaw@v0` composite action, SHA-pinned at v0.15.0 for dependabot auto-upgrades
- Add `skillsaw-review.yml` workflow that posts inline PR review comments on lint violations using the two-workflow security pattern (lint is read-only, review comments go in a separate `workflow_run`-triggered job)
- Remove `astral-sh/setup-uv` step that is no longer needed

Test plan
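The two-workflow pattern that the summary and the review overview describe, written out as an added example rather than the repository's own `lint.yml` and `skillsaw-review.yml`. The action references, the `strict: true` input, the pinned SHA and the "Lint Plugins" workflow name are taken from this PR; the `pull_request` trigger, the `types: [completed]` filter, the `if:` guard, the `actions: read` permission and the job names are assumptions about how such a pair is usually wired.

```yaml
# Added example, not the repository's own workflows. The triggers, the
# `types: [completed]` filter, the `if:` guard, `actions: read` and the job
# names are assumptions; action references, `strict: true`, the pinned SHA
# and the "Lint Plugins" name come from the PR.

# --- .github/workflows/lint.yml --------------------------------------------
# Runs against the PR head, i.e. untrusted code, so it gets read-only
# permissions. The skillsaw action lints the plugins and uploads the
# skillsaw-report and skillsaw-pr-metadata artifacts for the review job.
name: Lint Plugins

on:
  pull_request:   # assumption: the real workflow may list more triggers

permissions:
  contents: read  # nothing here may write to the repository or the PR

jobs:
  skillsaw:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      - name: Lint with skillsaw
        uses: stbenjam/skillsaw@a1d7340ef19cd0949f884a5381155843589dbad8 # v0.15.0
        with:
          strict: true

---
# --- .github/workflows/skillsaw-review.yml ---------------------------------
# workflow_run fires in the context of the default branch, never on the PR
# head, so this job can safely hold pull-requests: write. It does not check
# out code: the review action only needs the artifacts from the lint run.
name: Skillsaw PR review

on:
  workflow_run:
    workflows: ["Lint Plugins"]   # must match lint.yml's `name:` exactly
    types: [completed]

permissions:
  actions: read          # assumption: needed to download the lint run's artifacts
  pull-requests: write   # the only write scope in either workflow

jobs:
  review:
    # Only act on lint runs that came from a pull request. A failed strict
    # lint is exactly the case that needs inline comments, so do not filter
    # on the run's conclusion.
    if: github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Post PR review comments
        uses: stbenjam/skillsaw/review@a1d7340ef19cd0949f884a5381155843589dbad8 # v0.15.0
```

The split matters because a `workflow_run` job executes against the default branch with the repository's own token, so anything that needs write scope lives there, while the job that actually checks out and lints the untrusted PR head carries only `contents: read`. Everything that has to cross between the two travels as an artifact, which the review side treats as data to render into comments, not as code to run.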