📝 Walkthrough
This PR updates the Copier template infrastructure from v0.0.106 to v0.0.109, refines GitHub CLI bash permissions with explicit deny rules, adds new CI workflows for duplicate-push and copier-template validation checks, replaces hardcoded repository paths with dynamic script-based resolution in dev setup, updates DevContainer images and extension versions, introduces a conditional Pulumi CLI installation flag, and enhances agent/testing documentation guidelines.
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks: ✅ 1 passed | ❌ 2 failed (warnings)
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.devcontainer/manual-setup-deps.py:
- Around line 136-146: The code calls subprocess.run on REPO_ROOT_DIR /
".devcontainer" / "install-pulumi-cli.sh" when generate_lock_file_only is false,
args.skip_installing_pulumi_cli is false and env.lock_file contains "pulumi",
but that script is missing and will raise CalledProcessError; fix by either
adding the missing script at .devcontainer/install-pulumi-cli.sh or by guarding
the call with a file-existence check (e.g. verify (REPO_ROOT_DIR /
".devcontainer" / "install-pulumi-cli.sh").exists()) and only invoking
subprocess.run when the script exists, or remove this installation branch
entirely so generate_lock_file_only / args.skip_installing_pulumi_cli /
env.lock_file logic does not attempt to run a non-existent installer
(references: generate_lock_file_only, args.skip_installing_pulumi_cli,
env.lock_file, and the install-pulumi-cli.sh path).
In @.github/actions/check-skip-duplicates/action.yml:
- Around line 1-44: The gh pr list call in the composite action's check step
requires pull-requests: read permission, so update the job that uses this
composite action (the check-skip-duplicate job) to include a permissions block
granting pull-requests: read; specifically, in the workflow where you declare
the check-skip-duplicate job (the job with outputs.should-run and the step id
"check"), add permissions: pull-requests: read so the "gh pr list" command
invoked in the action's step (id "check") can run successfully.
In @.github/workflows/ci.yaml:
- Around line 232-241: The workflow step "Mark the required-check as succeeded
so the PR can be merged" uses github.event.pull_request.statuses_url which is
only present for pull_request events; modify the step's if condition so it only
runs when a pull_request payload exists (e.g. change the if to check
github.event.pull_request != null or restrict to github.event_name ==
'pull_request') or otherwise short-circuit by first deriving statuses_url into
an env only if github.event.pull_request is defined and skip the API call when
it is undefined; update the step referenced by its name and the use of
github.event.pull_request.statuses_url accordingly.
In @.github/workflows/confirm-on-tagged-copier-template.yaml:
- Around line 29-34: The current hyphen-based rejection (checking COMMIT_LINE
from ANSWERS_FILE with grep -q "-") incorrectly rejects valid prerelease semver
(e.g., v1.0.0-alpha); change the check to detect the specific git-describe dev
suffix pattern instead (match "-<number>-g<hash>", e.g. -[0-9]+-g[0-9a-f]+)
using a precise regex (grep -E or similar) against COMMIT_LINE, and update the
error message to mention that only git-describe style dev commits are rejected
while allowing prerelease tags.
In @.github/workflows/tag-on-merge.yaml:
- Around line 22-24: The workflow step "Bump version and push tag" references a
non-existent fork nickkostov/github-tag-action@b3aa34... which will break CI;
replace that action reference with a valid, existing action such as
mathieudutour/github-tag-action@v1 (or a verified commit/tag) or remove the step
if tagging is handled elsewhere, and update the comment that incorrectly claims
lack of Node 20 support; ensure you change the uses: line to point at
mathieudutour/github-tag-action (or another verified fork) and keep any required
inputs the same so the step continues to work.
In `@template/.github/workflows/ci.yaml.jinja`:
- Around line 219-228: The "Mark the required-check as succeeded so the PR can
be merged" step uses github.event.pull_request.statuses_url but also runs for
merge_group events, and statuses_url is undefined for merge_group; either
restrict the step condition to only pull_request, or add branching so the gh api
call uses github.event.pull_request.statuses_url when the event is pull_request
and constructs the statuses API URL from the merge_group head SHA
(github.event.merge_group.head_sha) when the event is merge_group before calling
gh api; update the step condition or add an if/else that selects the correct URL
and keeps the gh api invocation (gh api ... -X POST ...) unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: c40c48b4-84a0-479c-9cef-93ce36e5a3a7
📒 Files selected for processing (29)
- .claude/settings/permissions/bash.jsonc
- .coderabbit.yaml
- .copier-answers.yml
- .devcontainer/Dockerfile
- .devcontainer/devcontainer.json
- .devcontainer/install-ci-tooling.py
- .devcontainer/manual-setup-deps.py
- .devcontainer/on-create-command.sh
- .devcontainer/post-start-command.sh
- .github/actions/check-skip-duplicates/action.yml
- .github/actions/install_deps/action.yml
- .github/workflows/ci.yaml
- .github/workflows/confirm-on-tagged-copier-template.yaml
- .github/workflows/pre-commit.yaml
- .github/workflows/tag-on-merge.yaml
- AGENTS.md
- extensions/context.py
- template/.claude/settings/permissions/bash.jsonc
- template/.coderabbit.yaml
- template/.devcontainer/Dockerfile
- template/.devcontainer/devcontainer.json.jinja
- template/.devcontainer/manual-setup-deps.py
- template/.devcontainer/on-create-command.sh.jinja
- template/.devcontainer/post-start-command.sh.jinja
- template/.github/actions/install_deps/action.yml
- template/.github/workflows/ci.yaml.jinja
- template/.github/workflows/confirm-on-tagged-copier-template.yaml
- template/.github/workflows/pre-commit.yaml
- template/AGENTS.md
| if ( | ||
| not generate_lock_file_only | ||
| and not args.skip_installing_pulumi_cli | ||
| and platform.system() == "Linux" | ||
| and env.lock_file.exists() | ||
| and '"pulumi"' in env.lock_file.read_text() | ||
| ): | ||
| _ = subprocess.run( | ||
| ["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)], | ||
| check=True, | ||
| ) |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the install script exists
fd -t f 'install-pulumi-cli.sh' .devcontainer
# Check the script's expected arguments
cat .devcontainer/install-pulumi-cli.sh 2>/dev/null | head -30
Repository: LabAutomationAndScreening/copier-python-package-template
Length of output: 82
🏁 Script executed:
#!/bin/bash
# List all files in .devcontainer directory
echo "=== All files in .devcontainer ==="
fd -t f . .devcontainer
echo -e "\n=== Search for any install or pulumi related scripts ==="
rg -l 'install|pulumi' .devcontainer --type sh 2>/dev/null || echo "No matches found"
echo -e "\n=== Check if .devcontainer directory exists ==="
ls -la .devcontainer/ 2>/dev/null || echo ".devcontainer directory not found"
Length of output: 1693
🏁 Script executed:
#!/bin/bash
# Search for any references to install-pulumi-cli in the codebase
echo "=== References to install-pulumi-cli ==="
rg 'install-pulumi-cli' . --type py --type sh
echo -e "\n=== Context around line 136-146 in manual-setup-deps.py ==="
head -150 .devcontainer/manual-setup-deps.py | tail -30
Length of output: 1672
The Pulumi CLI install script referenced at line 139 does not exist in the repository.
The file .devcontainer/install-pulumi-cli.sh is missing. When the conditional logic evaluates to true (Linux platform, Pulumi in lock file, not skipping install), subprocess.run() with check=True will raise a CalledProcessError and crash the script. Either create the missing script or remove this installation logic.
| name: Check Skip Duplicates | ||
| description: 'Check that will output a variable to allow you to skip duplicate runs. Example: If you have both push and pull_request triggers enabled and you dont want to run 2 jobs for the same commit if a PR is already open you can add this to your jobs to skip that extra execution.' | ||
|
|
||
| outputs: | ||
| should-run: | ||
| description: 'Flag that determines if this execution should run or not' | ||
| value: ${{ steps.check.outputs.should_run }} | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Check if push has associated open PR | ||
| id: check | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| REF_NAME: ${{ github.ref_name }} | ||
| REPO_NAME: ${{ github.repository }} | ||
| EVENT_NAME: ${{ github.event_name }} | ||
| shell: bash | ||
| run: | | ||
| # For non-push events, always run | ||
| if [ "$EVENT_NAME" != "push" ]; then | ||
| echo "should_run=true" >> $GITHUB_OUTPUT | ||
| echo "Event is $EVENT_NAME, will run CI" | ||
| exit 0 | ||
| fi | ||
|
|
||
| # For push events, check if there's an open PR for this branch | ||
| pr_json=$(gh pr list \ | ||
| --repo "$REPO_NAME" \ | ||
| --head "$REF_NAME" \ | ||
| --state open \ | ||
| --json number \ | ||
| --limit 1) | ||
|
|
||
| pr_number=$(echo "$pr_json" | jq -r '.[0].number // ""') | ||
|
|
||
| if [ -n "$pr_number" ]; then | ||
| echo "should_run=false" >> $GITHUB_OUTPUT | ||
| echo "Push to branch with open PR #$pr_number detected, skipping (PR event will run CI)" | ||
| else | ||
| echo "should_run=true" >> $GITHUB_OUTPUT | ||
| echo "Push to branch without open PR, will run CI" | ||
| fi |
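Review bot: `$GITHUB_OUTPUT` is unquoted in all four `>> $GITHUB_OUTPUT` redirections; write `>> "$GITHUB_OUTPUT"` so the step does not break if the runner places the outputs file under a path containing whitespace. Separately, `gh pr list --head "$REF_NAME"` matches on head branch name alone, so an open PR from a fork that uses the same branch name would also suppress the push run; if that is not intended, request `isCrossRepository` in `--json` and only treat same-repository PRs as a reason to skip.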
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if the ci.yaml workflow has workflow-level permissions that would cover pull-requests: read
rg -n 'permissions:' -A 10 .github/workflows/ci.yaml | head -30
Length of output: 1155
🏁 Script executed:
# Check GitHub Actions documentation patterns and verify the output naming
# Look for any other composite actions in the repo to see how they handle outputs
fd -e yml -e yaml | xargs grep -l "outputs:" | head -5
Length of output: 82
🏁 Script executed:
# Get the full check-skip-duplicate job definition to see if it has a permissions block
sed -n '24,41p' .github/workflows/ci.yaml
Length of output: 602
Add pull-requests: read permission to the check-skip-duplicate job.
The gh pr list command requires pull-requests: read permission. The workflow-level permissions define id-token: write and contents: read, but do not include pull-requests: read. The check-skip-duplicate job does not override this with an explicit permissions block, so the gh pr list call will fail with insufficient permissions.
Add a permissions block to the job:
check-skip-duplicate:
  runs-on: ubuntu-24.04
  permissions:
    pull-requests: read
  outputs:
    should-run: ${{ steps.check.outputs.should-run }}
The rest of the action logic is sound: the handling of non-push events and the jq null-coalescing are correct.
| - name: Mark the required-check as succeeded so the PR can be merged | ||
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| gh api \ | ||
| -X POST -H "Accept: application/vnd.github.v3+json" \ | ||
| "${{ github.event.pull_request.statuses_url }}" \ | ||
| -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \ | ||
| -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" |
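Review bot: creating a commit status with `gh api -X POST` against a `/statuses/` endpoint needs `statuses: write` on the GITHUB_TOKEN, and the workflow-level permissions cited in the check-skip-duplicate comment above (`id-token: write`, `contents: read`) do not include it, so this step fails even on a plain pull_request event unless the job declares `permissions: statuses: write`. Add that to this job only, and keep in mind that pull_request runs from forks get a read-only token regardless, so the merge_group condition is not the only way this POST can fail.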
statuses_url is undefined for merge_group events.
Same issue as in the template: the condition includes merge_group, but github.event.pull_request.statuses_url only exists for pull_request events. This will cause the API call to fail during merge queue runs.
Proposed fix
- name: Mark the required-check as succeeded so the PR can be merged
- if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+ if: ${{ github.event_name == 'pull_request' }}
env:
GH_TOKEN: ${{ github.token }}
📝 Committable suggestion
| - name: Mark the required-check as succeeded so the PR can be merged | |
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh api \ | |
| -X POST -H "Accept: application/vnd.github.v3+json" \ | |
| "${{ github.event.pull_request.statuses_url }}" \ | |
| -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \ | |
| -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| - name: Mark the required-check as succeeded so the PR can be merged | |
| if: ${{ github.event_name == 'pull_request' }} | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh api \ | |
| -X POST -H "Accept: application/vnd.github.v3+json" \ | |
| "${{ github.event.pull_request.statuses_url }}" \ | |
| -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \ | |
| -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" |
| COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE") | ||
| if echo "$COMMIT_LINE" | grep -q "-"; then | ||
| echo "Error: $COMMIT_LINE" | ||
| echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)" | ||
| exit 1 | ||
| fi |
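Review bot: the check is a denylist on one character (`grep -q "-"`), which passes an empty `_commit`, a bare SHA, or any other malformed value, and `COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")` is simply empty when the key is missing, which the current test also accepts. Validate the whole line against the shape you expect instead, e.g. `echo "$COMMIT_LINE" | grep -qE '^_commit: v[0-9]+\.[0-9]+\.[0-9]+$' || exit 1`, and widen the pattern deliberately if prerelease tags are ever meant to be pinned.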
🧹 Nitpick | 🔵 Trivial
Consider edge case: prerelease semver tags containing hyphens.
The hyphen check correctly rejects git-describe dev commits (e.g., v0.0.106-14-g7847d7b), but it would also reject valid prerelease tags like v1.0.0-alpha or v2.0.0-rc.1. If you only use simple numeric semver tags (as indicated by the example v0.0.111), this is fine. Otherwise, a more precise regex could distinguish git-describe format (which has the -<N>-g<hash> suffix pattern).
Optional: More precise git-describe detection
- if echo "$COMMIT_LINE" | grep -q "-"; then
+ # git-describe format: v0.0.106-14-g7847d7b (tag-commits-gHASH)
+ if echo "$COMMIT_LINE" | grep -qE -- '-[0-9]+-g[0-9a-f]+'; then
🤖 Prompt for AI Agents
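A standalone check in the spirit of the regex above, added here as an example and not code from the PR or the review bot: it classifies the `_commit` value into release, prerelease, dev-commit or invalid, so the workflow can state explicitly which it accepts. The answers file content and the ALLOW_PRERELEASE switch are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the PR or the review bot): classify the `_commit:`
# value in a copier answers file instead of rejecting any hyphen.

# Prints one of: release, prerelease, dev-commit, invalid
classify_commit_value() {
    value="$1"
    if printf '%s\n' "$value" | grep -qE -- '-[0-9]+-g[0-9a-f]+$'; then
        # git-describe output: <tag>-<commits since tag>-g<abbreviated hash>
        echo dev-commit
    elif printf '%s\n' "$value" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo release
    elif printf '%s\n' "$value" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+-[0-9A-Za-z.]+$'; then
        # semver prerelease (v1.0.0-alpha, v2.0.0-rc.1): a real tag, not a dev commit
        echo prerelease
    else
        echo invalid
    fi
}

# Reads the first `_commit:` line of an answers file and classifies its value.
classify_answers_file() {
    value=$(sed -n 's/^_commit:[[:space:]]*//p' "$1" | head -n 1)
    classify_commit_value "$value"
}

# Allowlist check: succeeds only for a clean release tag, or for a prerelease
# tag when ALLOW_PRERELEASE=1; everything else (including a missing key) fails.
check_answers_file() {
    kind=$(classify_answers_file "$1")
    case "$kind" in
        release) return 0 ;;
        prerelease) [ "${ALLOW_PRERELEASE:-0}" = 1 ] && return 0 ;;
    esac
    echo "Error: _commit in $1 is '$kind'; expected a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)" >&2
    return 1
}

# Constructed sample answers file; only the _commit key mirrors real copier output.
SAMPLE_ANSWERS=$(mktemp)
trap 'rm -f "$SAMPLE_ANSWERS"' EXIT
printf '_commit: v0.0.109\nproject_name: example\n' > "$SAMPLE_ANSWERS"

check_answers_file "$SAMPLE_ANSWERS" && echo "sample answers file pins a release tag"
for v in v0.0.111 v1.0.0-alpha v2.0.0-rc.1 v0.0.106-14-g7847d7b ''; do
    printf '%-24s -> %s\n' "'$v'" "$(classify_commit_value "$v")"
done
```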
| - name: Bump version and push tag | ||
| uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 | ||
| uses: nickkostov/github-tag-action@b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 # v1.3.0 # a fork of https://github.com/mathieudutour/github-tag-action, which is still on Node 20 | ||
| with: |
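Review bot: the `uses:` change replaces a widely used action with a fork under a different owner in the workflow that pushes tags to this repository; independent of whether the fork exists, that is a supply-chain change, and the fork's commit should be diffed against upstream before it runs with this job's token. The full-SHA pin is the right practice and should be kept; if a fork is retained, the trailing comment should say what it changes relative to `mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b`, since the Node 20 claim is contradicted by the findings below.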
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the tag matches the pinned commit SHA
gh api repos/nickkostov/github-tag-action/git/refs/tags/v1.3.0 --jq '.object.sha'
echo "Expected: b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9"
# Check recent activity and stars for the fork
gh repo view nickkostov/github-tag-action --json stargazerCount,pushedAt,description
Length of output: 409
🌐 Web query:
nickkostov github-tag-action fork Node 22
💡 Result:
No evidence found of a GitHub repository or fork named "nickkostov/github-tag-action" or similar by user nickkostov related to Node.js 22. The query likely refers to a fork or PR for the popular github-tag-action (anothrNick/mathieudutour variants) updated for Node 22 compatibility.
Key findings:
- nick-kostov (from DataDog issue) and NikolayIT/nnkostov exist but no forks of github-tag-action.
- mathieudutour/github-tag-action has PR #244 by nickkostov: "Upgrade to Node 24, enhance Semantic Release, and improve workflows" opened Mar 12, 2026 (future date, possibly preview). Also PR #243 "feat(node): Upgrading NodeJS version to 24".
- anothrNick/github-tag-action upgraded to Node 20 (PR #308, Mar 2024), not 22. Node 22 support in GitHub Actions is partial (setup-node supports, but runs.using='node22' not fully until Node 24).
- No direct "nickkostov" fork with Node 22. Closest is nickkostov PRs in mathieudutour fork for Node 24.
If this refers to using the action with Node 22 runner, both main repos work as they use Docker/shell (anothrNick) or Node 20 (mathieudutour v6). For JS actions, specify runs: using: 'node20' or wait for node24 default (Mar 2026).
Citations:
- 1: https://github.com/mathieudutour/github-tag-action/pulls
- 2: https://linkedin.com/in/nikolay-kostov-689364131
- 3: https://github-redirect.dependabot.com/nnkostov
- 4: https://github.com/nnkostov
- 5: https://github.com/anothrNick/github-tag-action
- 6: https://github.com/mathieudutour/github-tag-action
- 7: Upgrade node to version 20 anothrNick/github-tag-action#308
- 8: Add support for Node.js v22 Current actions/setup-node#1016
- 9: Support node22 in runs.using for JavaScript actions actions/runner#3600
🌐 Web query:
mathieudutour github-tag-action Node version support
💡 Result:
The mathieudutour/github-tag-action GitHub Action supports Node.js 20 as of its latest release v6.2 (March 2024). It was previously updated to Node 16 in October 2022, and a PR to upgrade to Node 20 was merged in March 2024 in response to Node 16 deprecation. A recent PR (March 2026) proposes upgrading to Node 24, indicating ongoing maintenance for current Node versions, but this is not yet released. The action runs on ubuntu-latest runners, which support Node 20+ via actions/setup-node.
Citations:
- 1: Upgrade to Node 24, enhance Semantic Release, and improve workflows mathieudutour/github-tag-action#244
- 2: https://github.com/mathieudutour/github-tag-action
- 3: Update to Node.js 16 mathieudutour/github-tag-action#147
- 4: Update action to use Node 20 or newer mathieudutour/github-tag-action#198
- 5: Update Node version to 20 mathieudutour/github-tag-action#202
- 6: https://github.com/actions/setup-node
🏁 Script executed:
# Check the workflow file for additional context about this change
cd .github/workflows && cat -n tag-on-merge.yaml | head -30
Length of output: 1013
Remove or replace the invalid action reference immediately—the fork does not exist.
The action nickkostov/github-tag-action at the referenced commit does not appear to have a public repository. Web searches and PR activity show that nickkostov made pull requests to the original mathieudutour/github-tag-action, but did not create a fork. This means the workflow will fail at runtime when attempting to use this non-existent action.
Additionally, the stated rationale is incorrect: mathieudutour/github-tag-action has supported Node 20 since March 2024 and is actively maintained (with a pending Node 24 upgrade PR). If the intent is to use an alternative or updated version, either restore the original mathieudutour/github-tag-action or identify and use a verified, existing fork.
| - name: Mark the required-check as succeeded so the PR can be merged | ||
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| gh api \ | ||
| -X POST -H "Accept: application/vnd.github.v3+json" \ | ||
| "${{ github.event.pull_request.statuses_url }}" \ | ||
| -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \ | ||
| -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" |
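Review bot: this is the template copy of the ci.yaml step, so the merge_group fix belongs here as well as in the repository's own workflow; downstream projects regenerate from the template on their next copier update and would otherwise reacquire the failing `statuses_url` lookup. The same `statuses: write` requirement applies to the job that runs this step in generated repositories, since the POST creates a commit status with the workflow token.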
statuses_url is undefined for merge_group events.
The step condition includes merge_group, but github.event.pull_request.statuses_url is only populated for pull_request events. For merge_group events, this will be empty/undefined, causing the gh api call to fail.
Proposed fix: restrict to pull_request only or handle merge_group separately
- name: Mark the required-check as succeeded so the PR can be merged
- if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+ if: ${{ github.event_name == 'pull_request' }}
env:
GH_TOKEN: ${{ github.token }}
If you need to mark status for merge_group, you'll need to construct the statuses URL differently using github.event.merge_group.head_sha.
📝 Committable suggestion
| - name: Mark the required-check as succeeded so the PR can be merged | |
| if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh api \ | |
| -X POST -H "Accept: application/vnd.github.v3+json" \ | |
| "${{ github.event.pull_request.statuses_url }}" \ | |
| -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \ | |
| -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| - name: Mark the required-check as succeeded so the PR can be merged | |
| if: ${{ github.event_name == 'pull_request' }} | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh api \ | |
| -X POST -H "Accept: application/vnd.github.v3+json" \ | |
| "${{ github.event.pull_request.statuses_url }}" \ | |
| -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \ | |
| -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" |
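For both the ci.yaml step and this template copy, an added example (not from the PR or the review bot) of choosing the statuses endpoint per event, with the merge_group path built from the head SHA as the comment suggests; the context values are constructed sample inputs, and the DRY_RUN switch is a demo convenience that only prints the gh command.

```shell
#!/bin/sh
# Added example (not from the PR or the review bot): choose the commit-status
# endpoint for the triggering event, so the "required-check" status can be
# posted on merge_group runs too, where pull_request.statuses_url is empty.

# Arguments: event name, owner/repo, pull_request.statuses_url (empty unless
# pull_request), merge_group.head_sha (empty unless merge_group).
# Prints a path or URL that `gh api` accepts; returns 1 if there is nothing to post.
statuses_url_for_event() {
    event="$1"; repo="$2"; pr_statuses_url="$3"; mg_head_sha="$4"
    case "$event" in
        pull_request)
            [ -n "$pr_statuses_url" ] || return 1
            printf '%s\n' "$pr_statuses_url"
            ;;
        merge_group)
            # REST path for creating a status on the merge-queue head commit
            [ -n "$mg_head_sha" ] || return 1
            case "$mg_head_sha" in
                *[!0-9a-f]*) return 1 ;;   # only a lowercase hex SHA is acceptable here
            esac
            printf 'repos/%s/statuses/%s\n' "$repo" "$mg_head_sha"
            ;;
        *) return 1 ;;
    esac
}

# Posts the status for the current event; with DRY_RUN=1 it prints the command
# instead of running gh. Expects the same context values a workflow step would
# pass in via `env:` (EVENT_NAME, PR_STATUSES_URL, MG_HEAD_SHA, GITHUB_*).
post_required_check() {
    url=$(statuses_url_for_event "$EVENT_NAME" "$GITHUB_REPOSITORY" \
                                 "$PR_STATUSES_URL" "$MG_HEAD_SHA") || {
        echo "no statuses endpoint for event '$EVENT_NAME'; nothing posted" >&2
        return 0
    }
    set -- gh api -X POST -H "Accept: application/vnd.github.v3+json" "$url" \
        -f state=success -f context=required-check \
        -f description="All required checks passed in the job triggered by $EVENT_NAME" \
        -f target_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

# Constructed sample context values for a merge-queue run (not a real repository).
EVENT_NAME=merge_group
GITHUB_REPOSITORY=example-org/example-repo
PR_STATUSES_URL=''
MG_HEAD_SHA=0123456789abcdef0123456789abcdef01234567
GITHUB_SERVER_URL=https://github.com
GITHUB_RUN_ID=1
DRY_RUN=1
post_required_check
```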
Pull in upstream template changes
Tested in downstream repos, including LabAutomationAndScreening/cloud-courier#51