Skip to content

ci: fix ready-for-review label automation for fork pull requests#838

Merged
xdustinface merged 3 commits into
dashpay:devfrom
xdustinface:ci/ready-for-review-fork-prs
Jul 2, 2026
Merged

ci: fix ready-for-review label automation for fork pull requests#838
xdustinface merged 3 commits into
dashpay:devfrom
xdustinface:ci/ready-for-review-fork-prs

Conversation

@xdustinface

@xdustinface xdustinface commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Problem

The ready-for-review label automation has never worked for pull requests opened from a fork, which is the normal case for contributor PRs. Two compounding causes:

  1. Read-only token, no secrets. For fork PRs, GitHub runs the pull_request and pull_request_review events with a read-only GITHUB_TOKEN and no access to secrets. So the evaluate job could not add or remove labels. When CodeRabbit approved a PR whose CI was already green (e.g. fix(key-wallet): don't build asset locks on unconfirmed funds #836), the job hit every gate and then died on addLabelsToLabelable with Resource not accessible by integration. This is also why a GitHub App token or PAT cannot help on that event: the secret holding the key is unavailable there.

  2. Silent no-op on the privileged path. The workflow already had a workflow_run trigger, which does get a write token even for forks. But it read the PR number from github.event.workflow_run.pull_requests, and that array is always empty for cross-repository (fork) PRs. A real run log showed No associated pull requests found, skipping, so the label was never applied even after CI passed.

The prior fix (#811) only added issues: write to the job, which does nothing for forks.

Fix

Restructure around the GitHub-recommended workflow_run relay pattern. No new secrets are needed.

  • New Ready for Review Trigger workflow (ready-for-review-trigger.yml): runs on pull_request and pull_request_review with permissions: {}. It does nothing but complete, which fires a workflow_run event. This is the only way a CodeRabbit approval (a pull_request_review) can reach a privileged context on a fork PR.
  • Ready for Review Label workflow (ready-for-review.yml) now runs only on workflow_run (the CI workflows plus the new trigger), where it holds a write-capable token for forks. It resolves the PR by matching workflow_run.head_sha against the open pull requests, because the commits/{sha}/pulls endpoint does not index fork heads (verified against fix(key-wallet): don't build asset locks on unconfirmed funds #836). Matching the exact head sha also ignores stale runs whose commit the PR has moved past.
  • Dismissal, changes-requested, and merge-conflict handling are folded into the single re-evaluation path (latest CodeRabbit state != APPROVED or a merge-conflict label removes the label).
  • The relay job is excluded from the CI gate in check_ci_status.sh.

The applier never checks out or runs fork code (sparse-checkout of .github/scripts from the base only), so there is no pwn-request risk.

Validation caveat

workflow_run workflows always execute the default-branch (dev) version of the workflow. So the applier half of this change cannot be fully exercised from this PR branch, it only takes effect once merged to dev. The trigger workflow runs from the PR branch and is observable here. Locally verified: actionlint clean, pre-commit (including the actionlint hook) passing, validate-triggers coverage check passes with the new workflow, and the head-sha PR resolution returns the correct PR for the fork PR #836.

Summary by CodeRabbit

  • New Features

    • Added an automated “Ready for Review” workflow that reacts to pull request and review activity, then updates labels based on the latest status.
    • Improved label handling so pull requests with merge conflicts or without the required approval no longer keep the ready-for-review label.
  • Bug Fixes

    • Refined CI status tracking to ignore additional background check jobs, making aggregate PR status more accurate.

Fork pull requests run the `pull_request` and `pull_request_review` events with a read-only `GITHUB_TOKEN` and no access to secrets, so the `evaluate` job could not mutate labels and failed with "Resource not accessible by integration" when it tried to add `ready-for-review` after CodeRabbit approved. The privileged `workflow_run` path that should have covered this was a silent no-op for forks because `github.event.workflow_run.pull_requests` is always empty for cross-repository PRs.

Restructure the automation around the `workflow_run` relay pattern. A new lightweight `Ready for Review Trigger` workflow runs on `pull_request` and `pull_request_review`, does nothing but complete, and thereby fires a `workflow_run` event. The `Ready for Review Label` workflow now runs only on `workflow_run`, where it holds a write-capable token even for forks, resolves the PR by matching the head sha against the open pull requests (the commit-to-PR endpoint does not index fork heads), and applies or removes the label. No new secrets are required.

Fold the dismissal, changes-requested and merge-conflict handling into the single re-evaluation path and exclude the relay job from the CI gate.
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@xdustinface, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 43 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 67ca749e-2213-4ada-ac31-71f2f7d7b732

📥 Commits

Reviewing files that changed from the base of the PR and between 3a852d5 and 3790907.

📒 Files selected for processing (2)
  • .github/workflows/ready-for-review-trigger.yml
  • .github/workflows/ready-for-review.yml
📝 Walkthrough

Walkthrough

A new GitHub Actions workflow relays pull request and review events to trigger a downstream workflow_run-based process. The existing ready-for-review workflow is rewritten to consume workflow_run events, resolve PRs by head_sha, and add/remove the ready-for-review label based on merge-conflict labels and CodeRabbit review state. The CI status script excludes the new trigger job.

Changes

CI Workflow Trigger and Label Management

Layer / File(s) Summary
New relay trigger workflow
.github/workflows/ready-for-review-trigger.yml
New workflow listens on pull_request (ready_for_review, labeled) and pull_request_review (submitted, dismissed) events, with no permissions and per-PR concurrency, running a relay job to trigger downstream workflow_run processing.
Ready-for-review workflow rework
.github/workflows/ready-for-review.yml
Workflow triggers switch to workflow_run completion, concurrency keys on head_sha, permissions expand to include issues: write, monitored workflow name parsing is simplified, PR resolution now matches head.sha via the GitHub API, and the label logic removes ready-for-review on merge-conflict or non-approved CodeRabbit review state.
CI status exclusion update
.github/scripts/check_ci_status.sh
The jq exclusion filter for check aggregation now also excludes the ready-for-review-trigger job.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHub
  participant ReadyForReviewTrigger
  participant ReadyForReviewWorkflow
  participant CodeRabbit

  GitHub->>ReadyForReviewTrigger: pull_request/pull_request_review event
  ReadyForReviewTrigger->>ReadyForReviewTrigger: relay job completes
  GitHub->>ReadyForReviewWorkflow: workflow_run completed event
  ReadyForReviewWorkflow->>GitHub: find open PRs matching head_sha
  ReadyForReviewWorkflow->>GitHub: check draft status and merge-conflict label
  ReadyForReviewWorkflow->>CodeRabbit: check latest review state
  CodeRabbit-->>ReadyForReviewWorkflow: review state (APPROVED or not)
  ReadyForReviewWorkflow->>GitHub: add or remove ready-for-review label
Loading

Possibly related PRs

  • dashpay/rust-dashcore#811: Prior fix to permissions enabling label mutation that this PR's ready-for-review.yml rework directly builds upon.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: fixing ready-for-review label automation for fork pull requests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.49%. Comparing base (788c19d) to head (3790907).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files
@@            Coverage Diff             @@
##              dev     #838      +/-   ##
==========================================
+ Coverage   73.13%   73.49%   +0.36%     
==========================================
  Files         324      324              
  Lines       72562    72562              
==========================================
+ Hits        53066    53331     +265     
+ Misses      19496    19231     -265     
Flag Coverage Δ
core 76.94% <ø> (ø)
ffi 47.96% <ø> (+2.65%) ⬆️
rpc 20.00% <ø> (ø)
spv 90.54% <ø> (+0.08%) ⬆️
wallet 72.57% <ø> (ø)
see 21 files with indirect coverage changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ready-for-review-trigger.yml:
- Line 9: The PR review trigger in ready-for-review-trigger.yml only listens for
ready_for_review and labeled, so it misses draft conversions; add
converted_to_draft to the trigger and update the ready-for-review workflow logic
in .github/workflows/ready-for-review.yml so the draft path removes the
ready-for-review label instead of skipping. Use the workflow names
ready-for-review-trigger and ready-for-review to locate the event handling and
label-clearing behavior.

In @.github/workflows/ready-for-review.yml:
- Around line 21-24: The workflow permissions block is overriding the default
repo read access, which can break both actions/checkout@v4 steps before the
label logic runs. Update the permissions in ready-for-review.yml to include
contents: read alongside the existing pull-requests, checks, and issues scopes,
and if evaluate gets a separate permissions block, ensure it keeps the mutating
scopes plus contents: read as well.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 40ed1256-d930-43c7-bfcc-cdbd83aa8306

📥 Commits

Reviewing files that changed from the base of the PR and between 788c19d and 3a852d5.

📒 Files selected for processing (3)
  • .github/scripts/check_ci_status.sh
  • .github/workflows/ready-for-review-trigger.yml
  • .github/workflows/ready-for-review.yml

Comment thread .github/workflows/ready-for-review-trigger.yml Outdated
Comment thread .github/workflows/ready-for-review.yml
Setting a workflow-level `permissions` block drops the default `contents: read`, which both `actions/checkout@v4` steps need. Restore it alongside the existing scopes.

Addresses CodeRabbit review comment on PR dashpay#838
dashpay#838 (comment)
The trigger workflow did not relay `converted_to_draft`, so converting a labeled PR back to draft fired no `workflow_run` and the label survived. Relay that event and make the draft branch remove the label instead of skipping, matching the defensive `|| true` used by the sibling merge-conflict and CodeRabbit branches so a `gh` hiccup on one PR does not abort a multi-PR batch.

Addresses CodeRabbit review comment on PR dashpay#838
dashpay#838 (comment)
@xdustinface xdustinface merged commit b0a909c into dashpay:dev Jul 2, 2026
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant