Update tenet-pr-review.yml#111
📝 Walkthrough
The TENET PR review workflow is restructured: the trigger changes to
Changes
TENET Security Review Workflow Update
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 98b9a9667a
Actionable comments posted: 2
Inline comments:
In @.github/workflows/tenet-pr-review.yml:
- Around line 24-27: The Checkout repository step using actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should explicitly set `persist-credentials: false` to avoid persisting git credentials; update the checkout step's `with` block to include `persist-credentials: false` (refer to the "Checkout repository" step and the `uses: actions/checkout` entry) so credentials are not stored and cannot be leaked when running under pull_request_target.
- Line 34: The workflow uses a non-existent path `agent/tenet_agent/requirements.txt` for `cache-dependency-path` and `pip install` but later cd's into `.github/tenet_agent`; fix by making the dependency/cache paths consistent with the actual directory: replace occurrences of `agent/tenet_agent/requirements.txt` and any `pip install -r agent/tenet_agent/requirements.txt` with `.github/tenet_agent/requirements.txt` (or vice versa if you prefer moving the dir), ensuring `cache-dependency-path`, the `pip install -r ...` invocation, and the `cd .github/tenet_agent` reference all point to the same directory name.
📒 Files selected for processing (1)
.github/workflows/tenet-pr-review.yml
1 issue found across 1 file (changes from recent commits).
.github/workflows/tenet-pr-review.yml:63
P1: This path change is inconsistent with earlier workflow steps, which still use `agent/tenet_agent`; the review job will fail before execution due to invalid dependency paths.
| @@ -57,4 +61,4 @@ jobs: | |||
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |||
| run: | | |||
| cd .github/tenet_agent | |||
P1: This path change is inconsistent with earlier workflow steps, which still use agent/tenet_agent; the review job will fail before execution due to invalid dependency paths.
<file context>
@@ -60,5 +60,5 @@ jobs:
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
- cd agent/tenet_agent
+ cd .github/tenet_agent
python tenet_review.py
\ No newline at end of file
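Review bot: The new `cd .github/tenet_agent` in this hunk disagrees with the earlier steps of the same file, which the CodeRabbit comment above reports still reference `agent/tenet_agent` in `cache-dependency-path` and `pip install -r agent/tenet_agent/requirements.txt`; pick one directory name and use it in all three places in this PR, otherwise the job fails at dependency installation before `tenet_review.py` ever runs. The hunk also ends with `\ No newline at end of file`, so the `python tenet_review.py` line should get a trailing newline while this file is being touched.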
</file context>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
@coderabbitai re review and provide analysis
🧩 Analysis chain
🏁 Script executed:

```bash
#!/bin/bash
# Fetch PR diff
gh pr view 111 --repo TENET-DEV-AI/TENET-AI --json title,body,files,additions,deletions
# Get the workflow file content on the PR branch
gh api repos/TENET-DEV-AI/TENET-AI/contents/.github/workflows/tenet-pr-review.yml \
  --jq '.content' | base64 -d
echo "---DIFF---"
gh pr diff 111 --repo TENET-DEV-AI/TENET-AI
```

Length of output: 7103
🔍 Analysis:

| Change | Assessment |
|---|---|
| Pinned action SHAs (checkout@de0fac2e..., setup-python@a309ff8b...) | ✅ Excellent supply-chain hygiene |
| persist-credentials: false | ✅ Reduces secret exposure in pull_request_target context |
| Bot filter: github.event.pull_request.user.login instead of github.actor | ✅ More accurate for pull_request_target where actor could be the workflow runner |
| API key check via GITHUB_OUTPUT + if: conditional | ✅ Cleaner than exit 0; prevents false-positive job failures |

🔵 Minor
- Missing newline at end of file — the diff shows `\ No newline at end of file` on the last line. This is a cosmetic issue but violates POSIX file standards and may trigger linters.

Summary

| Severity | Issue |
|---|---|
| 🚨 Critical | cd .github/tenet_agent not updated to cd agent/tenet_agent — workflow will fail |
| | pull_request_target requires strict access control on this workflow file (e.g., CODEOWNERS) |
| 🔵 Minor | Missing newline at end of file |
The critical path bug must be fixed before merging — it will cause every triggered run to fail at the Run TENET PR Review step. Everything else in the PR is solid security-hardening work.
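A workflow that applies the hardening points from the analysis above (pull_request_target, no fork checkout, persist-credentials: false, author-based bot filter, API key gate via a step output, consistent .github/tenet_agent paths), written here as an added example and not the project's actual tenet-pr-review.yml. The setup-python commit SHA is a placeholder because the page shows it only truncated, and the permissions block and Python version are assumptions.

```yaml
name: TENET PR Review
on: pull_request_target
permissions:            # assumed minimal scopes; not stated on the page
  contents: read
  pull-requests: write
jobs:
  review:
    # Filter on the PR author; under pull_request_target github.actor
    # can be whoever caused the run rather than who opened the PR.
    if: >-
      github.event.pull_request.user.login != 'github-actions[bot]' &&
      github.event.pull_request.user.login != 'coderabbitai[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # Pinned to the SHA shown in this PR. No ref: means the base branch
        # is checked out, never the fork's head, and the token is not kept.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
      - name: Check for API key
        id: apikey
        env:
          TENET_AI_KEY: ${{ secrets.TENET_AI_KEY }}
        run: |
          # A step output lets later steps be skipped via if: instead of
          # exit 0, which would mask the real outcome of the job.
          if [ -n "$TENET_AI_KEY" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Set up Python
        if: steps.apikey.outputs.present == 'true'
        # <pinned-commit-sha> is a placeholder; the page shows only a truncated SHA
        uses: actions/setup-python@<pinned-commit-sha>
        with:
          python-version: "3.12"  # assumed; not stated on the page
          cache: pip
          cache-dependency-path: .github/tenet_agent/requirements.txt
      - name: Run TENET PR Review
        if: steps.apikey.outputs.present == 'true'
        env:
          TENET_AI_KEY: ${{ secrets.TENET_AI_KEY }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          pip install -r .github/tenet_agent/requirements.txt
          cd .github/tenet_agent
          python tenet_review.py
```

Because this file runs with base-branch secrets on fork PRs, changes to it should be guarded by CODEOWNERS as the analysis notes.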
@coderabbitai update the whole workflow file and provide me the updated patched file which will work for contributors and maintainers prs
Summary by cubic
Hardens the TENET PR review workflow for fork safety and secret hygiene. Switches to pull_request_target, avoids checking out fork refs, reads diffs via HEAD_SHA, gates on TENET_AI_KEY, and skips bot PRs.

Refactors
- pull_request_target; do not checkout fork refs; read diffs via HEAD_SHA; set persist-credentials: false.
- TENET_AI_KEY via a step output; skip github-actions[bot] and coderabbitai[bot].
- agent/tenet_agent; run the agent from .github/tenet_agent.

Dependencies
- actions/checkout and actions/setup-python to exact SHAs for stability.

Written for commit 6a85340. Summary will update on new commits.