
Update CodeRabbit config: refine action pinning, enforce AI attribution#57

Merged
adalton merged 1 commit into flightctl:main from adalton:andalton/more-coderabbit-tweaks on Jun 12, 2026

Conversation

@adalton adalton commented Jun 12, 2026

Contributor

Summary

  • Refine action-pinning rule: allow tag refs for GitHub-owned actions (actions/*), require SHA pins only for third-party actions
  • Update ai-attribution check: accept Made-with trailers (e.g., Made-with: Cursor) alongside Assisted-by and Generated-by
  • Escalate ai-attribution from warning to error

Test plan

  • Verify CodeRabbit does not flag actions/checkout@v4 or similar GitHub-owned action tag refs
  • Verify ai-attribution fires at error severity on PRs with Co-Authored-By AI trailers

Assisted-by: Claude noreply@anthropic.com

Summary of Changes

Affected Area: CI configuration (.coderabbit.yaml)

Changes Made:

  1. Refined GitHub Actions pinning guidance to explicitly allow GitHub-owned actions/* entries to use semantic version tag refs (e.g., @v4) without requiring full SHA pins, while maintaining SHA-pin enforcement for third-party actions
  2. Escalated ai-attribution pre-merge check from warning to error severity
  3. Extended ai-attribution acceptable attribution trailers to include Assisted-by, Generated-by, and Made-with (e.g., Made-with: Cursor), while continuing to flag Co-Authored-By for AI tools

Impact Assessment:

  • Changes affect only CodeRabbit automated code review configuration
  • No impact on module API surface, shared utilities, plugin behavior, test coverage, or collection metadata (galaxy.yml, meta/runtime.yml)
  • No backward-compatibility implications for the Ansible collection itself

Allow tag refs for GitHub-owned actions (actions/*) instead of blanket
SHA pinning. Third-party actions still require full SHA pins with
trailing version comments.

Escalate ai-attribution check from warning to error and accept
Made-with trailers (e.g., Made-with: Cursor) alongside Assisted-by
and Generated-by.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
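The two rules this PR adjusts, written out as a runnable check so the policy can be tried against real workflow files and commit messages. This is an added example for this page, not code from flightctl-ansible or from CodeRabbit: it parses `uses:` lines from a GitHub workflow and git trailers from a commit message and applies the rules as the PR description states them (tag refs allowed only for `actions/*`, full SHA plus trailing version comment for everything else; `Assisted-by`, `Generated-by` and `Made-with` accepted, `Co-Authored-By` naming an AI tool flagged at error severity). The sample workflow, its placeholder SHAs and the commit messages are constructed; the `ALLOWED_TAG_OWNERS` set, the `AI_TOOL_HINTS` list used to decide whether a `Co-Authored-By` value names an AI tool, and the exact shape of a "trailing version comment" are assumptions, since the page does not spell them out.

```python
"""Added example for this page: the two .coderabbit.yaml rules as a runnable check.

Not code from flightctl-ansible or CodeRabbit. ALLOWED_TAG_OWNERS, AI_TOOL_HINTS
and VERSION_COMMENT_RE are assumptions; the sample workflow, SHAs and commit
messages below are constructed.
"""
import re

# Assumption: the PR exempts only the GitHub-owned "actions/*" namespace from SHA pinning.
ALLOWED_TAG_OWNERS = {"actions"}
# Assumption: the page does not list which names count as "AI tools"; illustrative set.
AI_TOOL_HINTS = ("claude", "copilot", "cursor", "chatgpt", "gemini", "anthropic.com", "openai.com")
# Trailers the updated check accepts (from the PR description).
ACCEPTED_TRAILERS = {"assisted-by", "generated-by", "made-with"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: a trailing version comment looks like `# v4`, `# v4.2.2` or `# 4.2.2`.
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*\b")
# `- uses: owner/repo@ref  # comment`; local `./` actions carry no `@` and never match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
TRAILER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z-]*):\s*(?P<value>.+)$")


def check_pins(workflow_text):
    """Return [(line_no, message)] for `uses:` refs that violate the pinning rule."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group("action").startswith("docker://"):
            continue  # not a repository action; outside this rule
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.split("/", 1)[0] in ALLOWED_TAG_OWNERS:
            continue  # GitHub-owned: tag refs such as @v4 are allowed
        if not SHA_RE.match(ref):
            findings.append((n, f"{action}@{ref}: third-party action must be pinned to a full commit SHA"))
        elif not (comment and VERSION_COMMENT_RE.match(comment.strip())):
            findings.append((n, f"{action}@{ref}: SHA pin needs a trailing version comment, e.g. '# v3.3.0'"))
    return findings


def _trailers(commit_message):
    """Key/value pairs from the final paragraph of a commit message (git's trailer block)."""
    paragraphs = [p for p in commit_message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:
        return []
    pairs = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            pairs.append((m.group("key"), m.group("value").strip()))
    return pairs


def check_ai_attribution(commit_message):
    """Return (severity, accepted_trailers, findings); severity is "error" on a hit,
    matching the PR's escalation of this check from warning to error."""
    accepted, findings = [], []
    for key, value in _trailers(commit_message):
        k = key.lower()
        if k in ACCEPTED_TRAILERS:
            accepted.append(f"{key}: {value}")
        elif k == "co-authored-by" and any(h in value.lower() for h in AI_TOOL_HINTS):
            findings.append(f"Co-Authored-By names an AI tool ({value}); "
                            f"use Assisted-by, Generated-by or Made-with instead")
    return ("error" if findings else "pass"), accepted, findings


# Constructed sample input; the SHAs are placeholders, not real commits.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567  # v3.3.0
      - uses: ansible/ansible-lint@v24
      - uses: softprops/action-gh-release@89abcdef0123456789abcdef0123456789abcdef
"""
AI_OK = "Refine pinning rules\n\nAssisted-by: Claude <noreply@anthropic.com>\n"
AI_FLAGGED = "Refine pinning rules\n\nCo-Authored-By: Claude <noreply@anthropic.com>\n"
HUMAN = "Fix typo\n\nCo-Authored-By: Jane Doe <jane@example.com>\n"

if __name__ == "__main__":
    for n, msg in check_pins(WORKFLOW):
        print(f"line {n}: {msg}")
    for msg in (AI_OK, AI_FLAGGED, HUMAN):
        print(check_ai_attribution(msg))
```

Running it against the constructed workflow reports lines 7 and 8 (a third-party tag ref and a SHA pin with no version comment) and leaves the two `actions/*` tag refs alone; the human `Co-Authored-By` passes while the one naming Claude returns `error`. The trailer parser only looks at the last paragraph, which is where git itself reads trailers, so an `Assisted-by:` line buried mid-body would not count.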
@adalton adalton self-assigned this Jun 12, 2026
coderabbitai Bot commented Jun 12, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 9b5104df-a245-4384-b0cc-24110031cfdf

📥 Commits

Reviewing files that changed from the base of the PR and between dea4246 and 581545c.

📒 Files selected for processing (1)
  • .coderabbit.yaml

Walkthrough

This PR refines two distinct policies in .coderabbit.yaml: GitHub Actions pinning guidance is loosened for GitHub-owned actions (allowing tag refs), and AI attribution enforcement is strengthened with explicit trailer validation and error-level severity in pre-merge checks.

Changes

CodeRabbit Configuration Updates

Layer | File(s) | Summary
GitHub Actions pinning guidance exemption | .coderabbit.yaml | CI/CD security rule updated to explicitly allow GitHub-owned actions/* entries to use tag refs such as @v4 without full-SHA pinning, while retaining strict pinning requirements for third-party actions.
AI attribution policy enforcement | .coderabbit.yaml | Pre-merge check ai-attribution policy strengthened with mode: "error" severity and explicit acceptance of Assisted-by, Generated-by, and Made-with trailers, while flagging Co-Authored-By for AI tools.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • flightctl/flightctl-ansible#56: Both PRs modify the shared .coderabbit.yaml review rules—this PR updates pre_merge_checks AI attribution handling and GitHub Actions pinning guidance, which directly overlaps with PR #56's .coderabbit.yaml pre-merge gate and AI attribution/pinning-related configuration.

Suggested reviewers

  • amir-yogev-gh

Poem

🔐 GitHub actions now trusted with tags,
While AI trails must show their crags,
Config refined, enforcement strong,
Rules that keep the workflows throng. ✨

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the two main changes: refining action pinning rules and enforcing AI attribution in the CodeRabbit configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets ✅ Passed PR #57 only updates .coderabbit.yaml rule text; the diff and scanned file contain no credential literals (no api_key/secret/token/password assignments or high-entropy secret-like strings).
No-Weak-Crypto ✅ Passed Scanned PR-changed files for MD5/SHA1/DES/RC4/3DES/Blowfish/ECB and crypto/comparison patterns; none found in code—only .coderabbit.yaml references them in rule text.
No-Injection-Vectors ✅ Passed Only .coderabbit.yaml changed in PR (git diff origin/main..HEAD). Repo Python scan found no shell=True, eval/exec, pickle.loads, yaml.load without SafeLoader, or os.system patterns.
No-Sensitive-Data-In-Logs ✅ Passed PR appears to update only .coderabbit.yaml (action pinning + ai-attribution). No Ansible task code changes were introduced, so no new missing no_log/sensitive logging issues were added.
Ansible-Idempotency ✅ Passed PR only updates .coderabbit.yaml; this workspace shows a clean git diff (no changed files), so no Ansible idempotency-impacting changes to flag.
Ai-Attribution ✅ Passed PR updates .coderabbit.yaml ai-attribution instructions to accept Assisted-by/Generated-by/Made-with and to flag Co-Authored-By for AI tools, per diff.


@adalton adalton merged commit 8ce16bf into flightctl:main Jun 12, 2026
9 of 10 checks passed
@adalton adalton deleted the andalton/more-coderabbit-tweaks branch June 12, 2026 18:16