Copier update: fail on dev tag CI job#138

Merged: ejfine merged 10 commits into main from more-updates on Mar 28, 2026

@ejfine ejfine commented Mar 27, 2026

Pull in upstream template changes

Summary by CodeRabbit

  • New Features

    • Duplicate-pull-request detection to skip redundant CI runs.
    • Validation workflow to ensure the template uses a clean release tag.
    • CI now runs on pull requests and conditionally gates jobs based on duplicate-check results.
  • Chores

    • Devcontainer host requirements added (runtime: 2 CPUs, 4GB; template default: 2 CPUs, 10GB).
    • Updated devcontainer base image, VS Code extension pins, pnpm and other tooling/version bumps.
    • Updated tag-on-merge publishing tooling.
  • Documentation

    • Strengthened Python tooling guidance.

@ejfine ejfine self-assigned this Mar 27, 2026

coderabbitai bot commented Mar 27, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a5a649b2-6b38-4482-8066-b254350a948d

📥 Commits

Reviewing files that changed from the base of the PR and between c0f8ac2 and ac6c7e1.

📒 Files selected for processing (1)
  • .copier-answers.yml

📝 Walkthrough

Updated devcontainer images, pinned tooling and extension versions, refactored devcontainer scripts to compute repo root for Git safe.directory, added a composite action to skip duplicate-PR CI runs, added a reusable workflow enforcing .copier-answers.yml _commit is a release tag, and strengthened Python tooling guidance.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Copier metadata & template context: .copier-answers.yml, extensions/context.py | Bumped .copier-answers.yml _commit and updated context pins (pnpm 10.32.1→10.33.0, nuxt_ui ^4.5.1→^4.6.0, faker ^10.3.0→^10.4.0, graphql_codegen_cli ^6.1.0→^6.2.1). |
| Devcontainer base & extensions: .devcontainer/Dockerfile, template/.devcontainer/Dockerfile, .devcontainer/devcontainer.json, template/.devcontainer/devcontainer.json.jinja | Bumped base image tag 5.1.4→5.1.5; added hostRequirements; updated multiple VS Code extension pins. |
| Devcontainer tooling install: .devcontainer/install-ci-tooling.py, template/.../install-ci-tooling.py | Pinned PNPM_VERSION updated 10.32.1→10.33.0 (used by npm install -g pnpm@...). |
| Devcontainer scripts / templates: .devcontainer/on-create-command.sh, .devcontainer/post-start-command.sh, template/.devcontainer/on-create-command.sh.jinja, template/.devcontainer/post-start-command.sh.jinja | Compute script_dir/repo_root earlier and register "$repo_root" via git config --global --add safe.directory instead of hardcoded workspace paths. |
| CI: duplicate-PR gating: .github/actions/check-skip-duplicates/action.yml, .github/workflows/ci.yaml, template/.github/workflows/ci.yaml.jinja | Added composite action Check Skip Duplicates that queries gh pr list for same-branch PRs and exposes should-run; CI jobs now depend on and are gated by this output. |
| CI: copier commit validation: .github/workflows/confirm-on-tagged-copier-template.yaml, template/.github/workflows/confirm-on-tagged-copier-template.yaml, .github/workflows/ci.yaml | Added reusable workflow that fails if .copier-answers.yml _commit contains a hyphen (dev commit form); wired into CI as confirm-on-tagged-copier-template. |
| CI: tagging workflow updates: .github/workflows/tag-on-merge.yaml | Updated actions/checkout to v6.0.2 and swapped to a different pinned github-tag-action implementation. |
| Docs / guidance: AGENTS.md, template/AGENTS.md | Strengthened Python tooling rules: disallow direct python/python3 usage; mandate uv run python and prefer jq/shell builtins for one-off tasks. |

Sequence Diagram(s)

sequenceDiagram
    actor CI as GitHub Actions CI
    participant Check as Check-Skip-Duplicates Action
    participant GH as GitHub API (gh)
    participant Workflow as Confirm-on-Tagged-Copier-Template
    participant Repo as Repository FS

    CI->>Check: run composite action (REF_NAME, REPO_NAME)
    Check->>GH: gh pr list --head $REF_NAME --repo $REPO_NAME
    GH-->>Check: PR list (number or empty)
    alt PR found
        Check-->>CI: should-run = false
    else no PR found
        Check-->>CI: should-run = true
    end

    opt when should-run == 'true'
        CI->>Workflow: call reusable workflow (answers_file)
        Workflow->>Repo: checkout repository
        Workflow->>Repo: read .copier-answers.yml
        Workflow->>Workflow: extract _commit
        alt _commit contains hyphen
            Workflow-->>CI: fail (not a clean release tag)
        else clean tag
            Workflow-->>CI: pass
        end
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • idonaldson
  • zendern
🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description is minimal and does not follow the provided template structure, missing critical sections like issue links, rationale, implementation approach, testing, and potential side effects. | Expand the description to include all template sections: link to relevant issue/discussion, explain why this change is necessary, detail how it addresses the issue, document testing performed, and note any potential side effects. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately reflects the main change: adding CI validation to fail when using dev/commit tags instead of clean release tags. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.copier-answers.yml:
- Line 2: The `_commit` value in .copier-answers.yml is a dev-style string with
hyphens ("v0.0.106-20-g673eee8") which will be rejected by the
confirm-on-tagged-copier-template CI check; replace that value with a clean
release tag (e.g., "v0.0.111") or otherwise update the PR description
documenting the intentional test of the workflow validation so CI isn't blocked
by the invalid tag format.

In @.github/workflows/confirm-on-tagged-copier-template.yaml:
- Around line 37-41: The current hyphen check on COMMIT_LINE (the grep -q "-"
branch) will reject valid semver pre-release tags; change the check in the block
that reads COMMIT_LINE so it only detects git-describe style dev commits (the
pattern: a hyphen followed by digits, another hyphen, a "g" and a hex hash)
rather than any hyphen; keep the existing error message and exit behavior when
that more specific git-describe pattern matches.
- Around line 29-30: The conditional uses a confusing double-negative: the step
"Check _commit is a clean release tag" relies on steps.check.outputs.should-run
with value 'true' meaning "no PR open", but the workflow currently checks
should-run != 'true' which reads as a negative; change the output name or invert
the logic to make intent explicit—either rename the output from should-run to
has-open-pr (or should-skip) and update the condition to use a direct check
(e.g., steps.check.outputs.has-open-pr == 'true' or
steps.check.outputs.should-skip == 'true'), or keep the current output and flip
the condition to == 'true' and adjust the comment to match the new semantics;
update any references to steps.check.outputs.should-run accordingly (in the step
named "Check _commit is a clean release tag" and any steps that consume that
output).

In @.github/workflows/tag-on-merge.yaml:
- Line 23: The workflow currently references an unmaintained fork "uses:
nickkostov/github-tag-action@b3aa34..." which is unverifiable; update the GitHub
Action invocation to use the upstream maintained action by replacing that uses
entry with mathieudutour/github-tag-action@v6.2 (or a later tag) so the workflow
uses the official maintained action compatible with ubuntu-24.04 and remove the
hard commit hash reference.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 45ea04b8-cf7f-4343-979d-77461234fab8

📥 Commits

Reviewing files that changed from the base of the PR and between 48849dd and dac3fbe.

📒 Files selected for processing (17)
  • .copier-answers.yml
  • .devcontainer/Dockerfile
  • .devcontainer/devcontainer.json
  • .devcontainer/install-ci-tooling.py
  • .devcontainer/on-create-command.sh
  • .devcontainer/post-start-command.sh
  • .github/actions/check-skip-duplicates/action.yml
  • .github/workflows/ci.yaml
  • .github/workflows/confirm-on-tagged-copier-template.yaml
  • .github/workflows/tag-on-merge.yaml
  • AGENTS.md
  • extensions/context.py
  • template/.devcontainer/Dockerfile
  • template/.devcontainer/devcontainer.json.jinja
  • template/.devcontainer/on-create-command.sh.jinja
  • template/.devcontainer/post-start-command.sh.jinja
  • template/AGENTS.md

Comment on lines +37 to +41
COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
if echo "$COMMIT_LINE" | grep -q "-"; then
echo "Error: $COMMIT_LINE"
echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
exit 1
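
Review bot: `COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")` can come back empty when the answers file has no `_commit:` line, and the `grep -q "-"` test then finds no hyphen and lets the job pass, unless the shell aborts on the failed grep, which these lines do not show. Add an explicit `[ -z "$COMMIT_LINE" ]` failure before the hyphen test so the gate fails closed.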

🧹 Nitpick | 🔵 Trivial

Hyphen check may reject valid semver pre-release tags.

The grep -q "-" check will flag any _commit containing a hyphen, including legitimate semver pre-release versions like v1.0.0-alpha or v1.0.0-rc.1. If the upstream template ever uses pre-release tags, this would incorrectly reject them.

Consider a more precise pattern if pre-release tags should be allowed:

# Rejects git-describe format (vX.Y.Z-N-gHASH) but allows semver pre-release (vX.Y.Z-alpha)
if echo "$COMMIT_LINE" | grep -qE '\-[0-9]+-g[0-9a-f]+'; then

If dev commits are the only concern and pre-release tags are not used upstream, the current implementation is acceptable.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/confirm-on-tagged-copier-template.yaml around lines 37 -
41, The current hyphen check on COMMIT_LINE (the grep -q "-" branch) will reject
valid semver pre-release tags; change the check in the block that reads
COMMIT_LINE so it only detects git-describe style dev commits (the pattern: a
hyphen followed by digits, another hyphen, a "g" and a hex hash) rather than any
hyphen; keep the existing error message and exit behavior when that more
specific git-describe pattern matches.
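
An added example, not code from this PR or from CodeRabbit: a shell check that separates git-describe dev commits from release and semver pre-release tags, and fails closed when the `_commit` line is missing or has an unexpected shape. The function names and the vX.Y.Z allowlist are assumptions; the sample lines are constructed from the tag values quoted above.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names; not the PR's workflow code).
# Assumption: release tags look like vX.Y.Z, as in the tags quoted in this thread.

# classify_commit_line LINE
# Prints one verdict word; returns 0 only for an acceptable release tag.
classify_commit_line() {
    local value
    value=${1#_commit:}
    value=${value%%#*}                                # drop a trailing YAML comment
    value=$(printf '%s' "$value" | tr -d " \t\"'")    # drop whitespace and quotes
    if [ -z "$value" ]; then
        echo "missing"; return 2
    fi
    # git-describe form: <tag>-<commits since tag>-g<abbreviated hash>
    if printf '%s\n' "$value" | grep -Eq -- '-[0-9]+-g[0-9a-f]{4,40}$'; then
        echo "dev-commit"; return 1
    fi
    # Allowlist: vX.Y.Z with an optional semver pre-release suffix.
    if printf '%s\n' "$value" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
        echo "release-tag"; return 0
    fi
    echo "unrecognized"; return 1
}

# check_copier_commit FILE
# Reads the first _commit: line of a Copier answers file and classifies it.
check_copier_commit() {
    local line
    # Fail closed: a missing file or a missing _commit line must not pass the gate.
    line=$(grep -m1 '^_commit:' "$1" 2>/dev/null) || { echo "missing"; return 2; }
    classify_commit_line "$line"
}

# Constructed sample lines, including the empty (missing) case.
for sample in '_commit: v0.0.111' '_commit: v0.0.106-14-g7847d7b' \
              '_commit: v1.0.0-rc.1' '_commit: v1.0.0-rc.1-3-gabc1234' ''; do
    printf '%-34s -> %s\n' "$sample" "$(classify_commit_line "$sample")"
done
```

A pre-release tag followed by a git-describe suffix is still reported as a dev commit, because the suffix test runs before the allowlist.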

persist-credentials: false
- name: Bump version and push tag
uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
uses: nickkostov/github-tag-action@b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 # v1.3.0 # a fork of https://github.com/mathieudutour/github-tag-action, which is still on Node 20
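
Review bot: The `nickkostov/github-tag-action` line runs the "Bump version and push tag" step from a fork, and the trailing comment is the only record of why. Keep the full-SHA pin, and state in that comment or the PR description what the fork changes relative to mathieudutour/github-tag-action and the condition for moving back, so the pinned commit can be audited.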

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the fork's commit history and compare to original

echo "=== Checking fork details ==="
gh repo view nickkostov/github-tag-action --json name,owner,description,updatedAt,forkCount,stargazerCount 2>/dev/null || echo "Could not fetch repo details"

echo ""
echo "=== Checking the specific commit ==="
gh api repos/nickkostov/github-tag-action/commits/b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 --jq '.commit.message, .commit.author.date' 2>/dev/null || echo "Could not fetch commit details"

Repository: LabAutomationAndScreening/copier-nuxt-python-intranet-app

Length of output: 340


🌐 Web query:

nickkostov/github-tag-action fork Node.js maintenance

💡 Result:

No evidence found of a GitHub repository nickkostov/github-tag-action. Nikolay Kostov (GitHub username: nickkostov) is a DevOps engineer at Planet (weareplanet) in Sofia, with expertise in GitHub Actions, GitOps, Kubernetes, etc. He has forked many repositories including anothrNick/github-tag-action (a popular Shell-based GitHub Action for automatic SemVer tagging), but does not appear to maintain a Node.js-based fork. The original anothrNick/github-tag-action uses Node.js (upgraded to v20 in 2024; mathieudutour/github-tag-action, a TypeScript/Node.js alternative, upgraded to Node 24 in 2026). No sources indicate active Node.js maintenance by nickkostov for this action. His repos focus on homelab, ArgoCD, etc., not github-tag-action forks.

Citations:


🌐 Web query:

mathieudutour/github-tag-action Node.js 20 compatibility issue

💡 Result:

The mathieudutour/github-tag-action is compatible with Node.js 20. It was updated from Node 16 (EOL) to Node 20 via PR #202, merged on March 11, 2024, and included in release v6.2 (March 13, 2024). The repository's example usage specifies actions/checkout@v4, compatible with Node 20 runners. Use version v6.2 or later (latest as of 2024-08-30). No ongoing compatibility issues reported; an open issue #242 requests further Node.js upgrades but does not indicate problems with Node 20.

Citations:


🏁 Script executed:

# Check if there's any documentation about dependency choices in the repository
find . -type f \( -name "*.md" -o -name "*.txt" -o -name "DEPENDENCIES" -o -name "ADR*" \) | head -20

Repository: LabAutomationAndScreening/copier-nuxt-python-intranet-app

Length of output: 655


🏁 Script executed:

# Check the workflow file for any additional context
cat -n .github/workflows/tag-on-merge.yaml

Repository: LabAutomationAndScreening/copier-nuxt-python-intranet-app

Length of output: 1014


🏁 Script executed:

# Search for any references to this commit hash in the repository
rg "b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9" .

Repository: LabAutomationAndScreening/copier-nuxt-python-intranet-app

Length of output: 83


🌐 Web query:

b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 github-tag-action commit

💡 Result:

No public GitHub commit matching the SHA "b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9" was found in relation to "github-tag-action" or similar repositories. Extensive searches across GitHub, including anothrNick/github-tag-action (the primary matching action), mathieudutour/github-tag-action fork, releases, tags, pull requests, and general web results returned no matches for this specific commit hash. It may be a private commit, from a deleted repository, or not publicly indexed.

Citations:


Remove the unmaintained fork and use the upstream action instead.

The fork nickkostov/github-tag-action does not appear to exist or be actively maintained, and the commit hash b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 cannot be verified in any public repository. The stated justification—that the original mathieudutour/github-tag-action "is still on Node 20"—is incorrect; the upstream action was updated to Node.js 20 in v6.2 (March 2024) and is fully compatible with ubuntu-24.04.

Use mathieudutour/github-tag-action@v6.2 or later instead:

Recommended change
- uses: nickkostov/github-tag-action@b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 # v1.3.0
+ uses: mathieudutour/github-tag-action@v6.2
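
Review bot: The `+` line references the action by the tag `v6.2`, while the `-` line and the workflow's earlier upstream line use a 40-character commit SHA with the version in a trailing comment. A tag can be moved to a different commit; if upstream is adopted, keep the SHA form already used in this file, `mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2`.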
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: nickkostov/github-tag-action@b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 # v1.3.0 # a fork of https://github.com/mathieudutour/github-tag-action, which is still on Node 20
uses: mathieudutour/github-tag-action@v6.2
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tag-on-merge.yaml at line 23, The workflow currently
references an unmaintained fork "uses: nickkostov/github-tag-action@b3aa34..."
which is unverifiable; update the GitHub Action invocation to use the upstream
maintained action by replacing that uses entry with
mathieudutour/github-tag-action@v6.2 (or a later tag) so the workflow uses the
official maintained action compatible with ubuntu-24.04 and remove the hard
commit hash reference.
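
An added example, not part of the PR or the review: the `uses:` lines in this thread appear both as a full commit SHA with a version comment and as a bare tag, and this shell function reports which form each reference in a workflow file takes. The function names are hypothetical and the sample workflow is constructed from the references quoted above.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names; not code from the PR).

# Constructed sample workflow; the references are the ones quoted in this thread.
sample_workflow() {
    cat <<'EOF'
jobs:
  tag:
    steps:
      - uses: ./.github/actions/check-skip-duplicates
      - name: Bump version and push tag
        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
      - name: Same action referenced by tag
        uses: mathieudutour/github-tag-action@v6.2
EOF
}

# list_action_pins FILE
# Prints "<verdict> <reference>" for every `uses:` entry:
#   sha     - ref is a full 40-hex commit SHA
#   mutable - ref is a tag or branch name, or has no ref at all
#   local   - ./path action inside the repository
#   other   - docker:// reference, not assessed here
# Returns 1 if any mutable reference was found, 0 otherwise.
list_action_pins() {
    local file refs ref status
    file=$1
    status=0
    # Take the token after `uses:`; a trailing "# v6.2" comment is dropped.
    refs=$(sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file")
    while IFS= read -r ref; do
        case $ref in
            '') continue ;;
            ./*) echo "local $ref" ;;
            docker://*) echo "other $ref" ;;
            *@*)
                if printf '%s\n' "${ref##*@}" | grep -Eq '^[0-9a-f]{40}$'; then
                    echo "sha $ref"
                else
                    echo "mutable $ref"; status=1
                fi ;;
            *) echo "mutable $ref"; status=1 ;;
        esac
    done <<EOF
$refs
EOF
    return "$status"
}

demo_file=$(mktemp)
sample_workflow > "$demo_file"
list_action_pins "$demo_file" || echo "at least one mutable reference"
rm -f "$demo_file"
```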

@ejfine ejfine closed this Mar 27, 2026
@ejfine ejfine reopened this Mar 27, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 233-242: The step that posts to "${{
github.event.pull_request.statuses_url }}" runs for both github.event_name ==
'pull_request' and 'merge_group' but github.event.pull_request.statuses_url is
undefined for merge_group; update the step's if condition to run only for
'pull_request' (remove 'merge_group') so the API call using
github.event.pull_request.statuses_url is only executed when that value exists.

In `@template/.devcontainer/devcontainer.json.jinja`:
- Around line 2-6: Replace the hard-coded hostRequirements.memory ("10gb") with
a Copier template variable (e.g., {{ devcontainer_memory | default("10gb") }})
and optionally make cpus configurable via {{ devcontainer_cpus | default(2) }},
update the hostRequirements block to reference these variables
(hostRequirements.memory and hostRequirements.cpus), and add corresponding
entries and defaults in the template variables documentation so generated repos
can override values without forcing a static 10gb value.

In `@template/.github/workflows/ci.yaml.jinja`:
- Around line 471-480: The step that posts to "${{
github.event.pull_request.statuses_url }}" runs for merge_group events where
github.event.pull_request.statuses_url is undefined; either restrict the step
conditional to only run when github.event_name == 'pull_request' or change the
API call to the commit statuses endpoint using a SHA (e.g., use "${{
github.event.pull_request.head.sha }}" when available or "${{ github.sha }}" for
other events and call POST /repos/:owner/:repo/statuses/:sha); update the step
using GH_TOKEN and the run block that currently references statuses_url so it
uses the commit-statuses API with the appropriate SHA or limit the if condition
to 'pull_request' only.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: aa54403a-7d23-41e6-bd86-9f20d9e82317

📥 Commits

Reviewing files that changed from the base of the PR and between dac3fbe and c0f8ac2.

📒 Files selected for processing (7)
  • .copier-answers.yml
  • .github/workflows/ci.yaml
  • .github/workflows/confirm-on-tagged-copier-template.yaml
  • extensions/context.py
  • template/.devcontainer/devcontainer.json.jinja
  • template/.github/workflows/ci.yaml.jinja
  • template/.github/workflows/confirm-on-tagged-copier-template.yaml

Comment on lines +233 to +242
- name: Mark the required-check as succeeded so the PR can be merged
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api \
-X POST -H "Accept: application/vnd.github.v3+json" \
"${{ github.event.pull_request.statuses_url }}" \
-f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
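
Review bot: In the `run:` block, `${{ github.event.pull_request.statuses_url }}` and the other `${{ }}` expressions are expanded into the script text before bash runs. Pass them through `env:`, as is already done for GH_TOKEN, and reference them as shell variables, so the script body stays constant and an empty value can be tested for before calling `gh api`.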

⚠️ Potential issue | 🟠 Major

statuses_url is undefined for merge_group events.

Same issue as in the template: line 234 includes merge_group in the condition, but github.event.pull_request.statuses_url (line 240) is only available for pull_request events. The API call will fail for merge_group events.

🛠️ Proposed fix: Limit to pull_request only
       - name: Mark the required-check as succeeded so the PR can be merged
-        if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+        if: ${{ github.event_name == 'pull_request' }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 233 - 242, The step that posts to
"${{ github.event.pull_request.statuses_url }}" runs for both github.event_name
== 'pull_request' and 'merge_group' but github.event.pull_request.statuses_url
is undefined for merge_group; update the step's if condition to run only for
'pull_request' (remove 'merge_group') so the API call using
github.event.pull_request.statuses_url is only executed when that value exists.

Comment on lines +2 to +6
"hostRequirements": {
"cpus": 2,
// Static site generation requires more memory
"memory": "10gb"
},
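
Review bot: The comment above `"memory": "10gb"` says why more memory is needed but not how 10gb was chosen. Record the measured requirement, or the failure seen at lower values, next to it so the figure can be revisited later.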

🧹 Nitpick | 🔵 Trivial

Make hostRequirements.memory configurable instead of hard-coding 10gb.

This template-level hardcode can force larger dev environments than needed and increases drift risk with generated repos (notably where .devcontainer/devcontainer.json currently uses a different memory value). Please expose memory (and optionally CPUs) as Copier variables with documented defaults.

Proposed template refactor
-  "hostRequirements": {
-    "cpus": 2,
-    // Static site generation requires more memory
-    "memory": "10gb"
-  },
+  "hostRequirements": {
+    "cpus": {% endraw %}{{ devcontainer_host_cpus | default(2) }}{% raw %},
+    // Keep configurable to avoid over-provisioning across generated repos
+    "memory": "{% endraw %}{{ devcontainer_host_memory | default('4gb') }}{% raw %}"
+  },
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"hostRequirements": {
"cpus": 2,
// Static site generation requires more memory
"memory": "10gb"
},
"hostRequirements": {
"cpus": {{ devcontainer_host_cpus | default(2) }},
// Keep configurable to avoid over-provisioning across generated repos
"memory": "{{ devcontainer_host_memory | default('4gb') }}"
},
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@template/.devcontainer/devcontainer.json.jinja` around lines 2 - 6, Replace
the hard-coded hostRequirements.memory ("10gb") with a Copier template variable
(e.g., {{ devcontainer_memory | default("10gb") }}) and optionally make cpus
configurable via {{ devcontainer_cpus | default(2) }}, update the
hostRequirements block to reference these variables (hostRequirements.memory and
hostRequirements.cpus), and add corresponding entries and defaults in the
template variables documentation so generated repos can override values without
forcing a static 10gb value.

Comment on lines +471 to +480
- name: Mark the required-check as succeeded so the PR can be merged
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api \
-X POST -H "Accept: application/vnd.github.v3+json" \
"${{ github.event.pull_request.statuses_url }}" \
-f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
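
Review bot: The `description` field says the job was "triggered by pull_request", but the `if:` on this step also admits `merge_group`. Either narrow the condition or build the description from `github.event_name`, so the status text matches the event that produced it.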

⚠️ Potential issue | 🟠 Major

statuses_url is undefined for merge_group events.

The condition on line 472 includes merge_group, but github.event.pull_request.statuses_url (line 478) is only populated for pull_request events. For merge_group events, this will be empty and the API call will fail.

Consider using the commits API endpoint directly or limiting this step to pull_request only:

🛠️ Option 1: Limit to pull_request only
       - name: Mark the required-check as succeeded so the PR can be merged
-        if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+        if: ${{ github.event_name == 'pull_request' }}
🛠️ Option 2: Use commits API with SHA
         gh api \
           -X POST -H "Accept: application/vnd.github.v3+json" \
-          "${{ github.event.pull_request.statuses_url }}" \
+          "/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha || github.sha }}" \
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Mark the required-check as succeeded so the PR can be merged
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api \
-X POST -H "Accept: application/vnd.github.v3+json" \
"${{ github.event.pull_request.statuses_url }}" \
-f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
- name: Mark the required-check as succeeded so the PR can be merged
if: ${{ github.event_name == 'pull_request' }}
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api \
-X POST -H "Accept: application/vnd.github.v3+json" \
"${{ github.event.pull_request.statuses_url }}" \
-f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
Suggested change
- name: Mark the required-check as succeeded so the PR can be merged
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api \
-X POST -H "Accept: application/vnd.github.v3+json" \
"${{ github.event.pull_request.statuses_url }}" \
-f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
- name: Mark the required-check as succeeded so the PR can be merged
if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api \
-X POST -H "Accept: application/vnd.github.v3+json" \
"/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha || github.sha }}" \
-f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@template/.github/workflows/ci.yaml.jinja` around lines 471 - 480, The step
that posts to "${{ github.event.pull_request.statuses_url }}" runs for
merge_group events where github.event.pull_request.statuses_url is undefined;
either restrict the step conditional to only run when github.event_name ==
'pull_request' or change the API call to the commit statuses endpoint using a
SHA (e.g., use "${{ github.event.pull_request.head.sha }}" when available or
"${{ github.sha }}" for other events and call POST
/repos/:owner/:repo/statuses/:sha); update the step using GH_TOKEN and the run
block that currently references statuses_url so it uses the commit-statuses API
with the appropriate SHA or limit the if condition to 'pull_request' only.

@ejfine ejfine marked this pull request as ready for review March 27, 2026 21:34
@ejfine ejfine requested review from idonaldson and zendern March 27, 2026 21:34
@ejfine ejfine merged commit 736729e into main Mar 28, 2026
23 checks passed
@ejfine ejfine deleted the more-updates branch March 28, 2026 09:51
@coderabbitai coderabbitai bot mentioned this pull request Apr 1, 2026