Skip to content

chore: sync workflow templates#864

Closed
stranske wants to merge 1 commit into
mainfrom
sync/workflows-b653eb470804
Closed

chore: sync workflow templates#864
stranske wants to merge 1 commit into
mainfrom
sync/workflows-b653eb470804

Conversation

@stranske

@stranske stranske commented Jun 22, 2026

Copy link
Copy Markdown
Owner

Sync Summary

Files Updated

  • maint-76-claude-code-review.yml: Claude Code review (opt-in) - runs only on labeled PRs or manual dispatch
  • reference_packs.py: Validates and resolves reference pack configuration for shared runner prompt assembly
  • orchestrator_skill.py: Validates and resolves exported Orchestrator skill context for remote Codex lanes
  • runner_lib/ (1 files): Shared runner prompt assembly, output parsing, and dispatch debounce helpers

Files Skipped

  • pr-00-gate.yml: File exists and sync_mode is create_only
  • ci.yml: File exists and sync_mode is create_only
  • renovate.json: File exists and sync_mode is create_only
  • cross-repo-smoke.yml: File exists and sync_mode is create_only
  • llm_slots.json: None

Review Checklist

  • CI passes with updated workflows
  • No repo-specific customizations were overwritten

Source: stranske/Workflows
Source SHA: 1bc0f231da20f5596199ce25d3923f9230ac4b76
Template hash: b653eb470804
Sync branch: sync/workflows-b653eb470804
Consumer repo: stranske/Collab-Admin
Manifest: .github/sync-manifest.yml

Summary by CodeRabbit

  • Bug Fixes

    • Improved repository name validation to strictly enforce the owner/name format, preventing invalid inputs with missing or extra path segments.
  • Chores

    • Updated CI/CD workflows to the latest version.
    • Enhanced orchestrator skill context initialization with cleaner directory management and environment variable configuration support.

Automated sync from stranske/Workflows
Template hash: b653eb470804

Changes synced from sync-manifest.yml
@stranske stranske added sync Automated sync from Workflows automated Automated sync from Workflows labels Jun 22, 2026
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 0ae2027b-1aba-4f28-96ab-a5d9716b5065

📥 Commits

Reviewing files that changed from the base of the PR and between 6066047 and 1c8d07f.

📒 Files selected for processing (4)
  • .github/workflows/maint-76-claude-code-review.yml
  • scripts/orchestrator_skill.py
  • scripts/reference_packs.py
  • scripts/runner_lib/core.py
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • stranske/Workflows (auto-detected)
  • stranske/Template (auto-detected)
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (5)
{pyproject.toml,.github/workflows/*.{yml,yaml}}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

{pyproject.toml,.github/workflows/*.{yml,yaml}}: Ensure coverage thresholds in pyproject.toml ([tool.coverage.report] fail_under) match the coverage-min settings in CI workflow files to avoid threshold conflicts
The Manager-Database repository has a coverage threshold of 75%

Files:

  • .github/workflows/maint-76-claude-code-review.yml
.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

When a GitHub Actions workflow fails with startup_failure, check for invalid YAML syntax, top-level permissions: blocks on workflow_call reusable workflows (which conflicts with caller permissions), invalid permission scopes, or circular workflow references

Files:

  • .github/workflows/maint-76-claude-code-review.yml
.github/workflows/**/*.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Reference reusable workflows with @main to match first-party consumer defaults, unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

  • .github/workflows/maint-76-claude-code-review.yml
.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

First-party consumers should reference reusable workflows with @main unless intentionally pinning to an exact commit SHA for a controlled reason.

Files:

  • .github/workflows/maint-76-claude-code-review.yml
**/*.py

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

In the Manager-Database repository, use Prefect 2.x and import schedules from prefect.client.schemas.schedules

Files:

  • scripts/orchestrator_skill.py
  • scripts/reference_packs.py
  • scripts/runner_lib/core.py
🔀 Multi-repo context stranske/Workflows, stranske/Template

Perfect. Now I have enough context to provide a comprehensive analysis. Let me create a summary of the findings.

Linked repositories findings

stranske/Workflows (Source Repository)

Repository Configuration and Script Usage:

Both stranske/Workflows and stranske/Template share identical copies of the changed scripts via a sync mechanism. This is confirmed by the test assertion that validates sync order:
[::stranske/Workflows::] tests/scripts/test_reference_packs.py — The test test_sync_manifest_ships_reference_packs_before_runner_lib verifies that scripts/reference_packs.py and scripts/orchestrator_skill.py appear in the sync manifest before scripts/runner_lib/, indicating these are foundational modules that runner_lib depends on.

Repository Validation Changes Impact:

[::stranske/Workflows::] scripts/orchestrator_skill.py and scripts/reference_packs.py — Both files implement identical tightened validation:

  • Old behavior: Only checked for presence of / and rejected leading/trailing slashes
  • New behavior: Splits repo on / and requires exactly 2 non-empty parts (rejects owner/repo/extra)

The test cases confirm this:

  • [::stranske/Workflows::] tests/scripts/test_orchestrator_skill.py — Test test_parse_rejects_nested_repo_names validates that inputs like "owner/repo/extra" are rejected with error "repo must use owner/name format"
  • [::stranske/Workflows::] tests/scripts/test_reference_packs.py — Test test_parse_reference_packs_rejects_nested_repo_names validates the same constraint for reference packs

Orchestrator Skill Context Materialization Changes:

[::stranske/Workflows::] scripts/runner_lib/core.py — Three behavioral changes:

  1. Imports contextlib and uses contextlib.suppress(FileNotFoundError) when calling shutil.rmtree(checkout_path) before materialization, allowing stale checkout directories to be cleaned up safely
  2. In assemble_prompt(), when materialize_orchestrator_skill=False, now reads orchestrator_skill_summary_path from the provided context (new env variable ORCHESTRATOR_SKILL_SUMMARY_PATH)
  3. Conditionally includes "Orchestrator Skill Context" section only if the summary path exists as a file (was previously using a fixed workspace reference path)

[::stranske/Workflows::] scripts/runner_lib/core.py:~88 — The new environment variable wiring:

"orchestrator_skill_summary_path": os.environ.get("ORCHESTRATOR_SKILL_SUMMARY_PATH"),

stranske/Template (Consumer Repository)

[::stranske/Template::] scripts/orchestrator_skill.py and scripts/reference_packs.py — These files are synced from stranske/Workflows and receive identical validation changes. Any consumer repository with reference pack or orchestrator skill configs using nested repo paths (e.g., owner/repo/extra) would now fail validation upon sync.

[::stranske/Template::] scripts/runner_lib/ — This module depends on both orchestrator_skill.py and reference_packs.py, receiving the prompt assembly behavior changes where orchestrator skill context is now only conditionally included if the summary file exists.

Potential Breaking Change:

Any consumer repository (like Template) that syncs these files and has .github/orchestrator_skill.json or .github/reference_packs.json configurations with repo values containing extra path segments would experience validation failures after this sync.

🔇 Additional comments (5)
scripts/reference_packs.py (1)

86-88: LGTM!

scripts/runner_lib/core.py (2)

8-8: LGTM!

Also applies to: 370-376, 419-425, 461-465


426-431: No security exposure in Collab-Admin: ORCHESTRATOR_SKILL_SUMMARY_PATH is not wired into any workflow.

The code at lines 426 and 955 does accept absolute paths without restriction, but in Collab-Admin no workflow sets ORCHESTRATOR_SKILL_SUMMARY_PATH, so there is no untrusted input vector. The assemble subcommand is not invoked in any Collab-Admin workflow. If this functionality is synced to other repositories or exposed to user-controlled inputs in the future, validate paths against an allowlist or restrict to relative paths.

scripts/orchestrator_skill.py (1)

83-85: No breaking config compatibility issues found with the validator tightening.

The validation change at lines 83–85 enforces owner/name format by rejecting nested repo paths (e.g., owner/repo/extra). A full audit of .github configs in this repository found no incompatible values, confirming this change is safe to merge.

.github/workflows/maint-76-claude-code-review.yml (1)

192-192: LGTM!


📝 Walkthrough

Walkthrough

Three scripts are updated: _validate_repo in orchestrator_skill.py and reference_packs.py is tightened to use split-based validation requiring exactly two non-empty segments. In runner_lib/core.py, orchestrator skill materialization gains guarded directory cleanup, prompt assembly adds dynamic summary path resolution with an env-var fallback, and the Orchestrator Skill Context section becomes conditional on file existence. The CI workflow bumps the pinned claude-code-action SHA.

Changes

Orchestrator Skill Validation and Prompt Assembly

Layer / File(s) Summary
Repo string validation tightening
scripts/orchestrator_skill.py, scripts/reference_packs.py
_validate_repo in both files replaces slash-position checks with repo.split("/") requiring exactly two non-empty parts, rejecting inputs like a/b/c or /a/b.
Safe cleanup, dynamic summary path, and env-var wiring
scripts/runner_lib/core.py
Adds contextlib import; wraps shutil.rmtree(checkout_path) with contextlib.suppress(FileNotFoundError) before materializing; assemble_prompt stores the materialization result as orchestrator_summary_path or resolves it from context["orchestrator_skill_summary_path"] with workspace-relative fallback; gates the prompt's "Orchestrator Skill Context" section on orchestrator_summary_path.is_file(); wires ORCHESTRATOR_SKILL_SUMMARY_PATH env var into the assemble-prompt CLI context.

CI Workflow SHA Bump

Layer / File(s) Summary
claude-code-action pinned SHA update
.github/workflows/maint-76-claude-code-review.yml
Updates the pinned commit SHA for anthropics/claude-code-action in the claude-review job; all other configuration is unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • stranske/Collab-Admin#829: Updates the same maint-76-claude-code-review.yml workflow by bumping the pinned anthropics/claude-code-action SHA, identical in kind to this PR's CI change.
  • stranske/Collab-Admin#843: Also bumps the pinned anthropics/claude-code-action SHA in the same claude-review job of the same workflow file.
  • stranske/Collab-Admin#861: Touches the same orchestrator skill feature files — scripts/orchestrator_skill.py repo validation and scripts/runner_lib/core.py prompt assembly/materialization — making it directly related to this PR's core changes.
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title 'chore: sync workflow templates' is vague and generic. While it mentions syncing workflow templates, it doesn't convey the significant validation logic updates to repository configuration and runner prompt assembly across multiple critical files, nor does it indicate this is a template synchronization from an external source repository. Consider a more descriptive title that reflects the main changes, such as 'chore: sync workflows and update repo/orchestrator validation logic' or provide context about the scope of synchronization.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sync/workflows-b653eb470804

Comment @coderabbitai help to get the list of available commands and usage tips.

@agents-workflows-bot agents-workflows-bot Bot deleted the sync/workflows-b653eb470804 branch June 22, 2026 07:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated Automated sync from Workflows sync Automated sync from Workflows

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant