
Update CodeRabbit config: refine action pinning, enforce AI attribution#161

Merged
adalton merged 1 commit into
flightctl:mainfrom
adalton:andalton/more-coderabbit-tweaks
Jun 12, 2026

Conversation

adalton (Contributor) commented Jun 12, 2026

Summary

  • Refine action-pinning rule: allow tag refs for GitHub-owned actions (actions/*), require SHA pins only for third-party actions
  • Update ai-attribution check: accept Made-with trailers (e.g., Made-with: Cursor) alongside Assisted-by and Generated-by
  • Escalate ai-attribution from warning to error

Test plan

  • Verify CodeRabbit does not flag actions/checkout@v4 or similar GitHub-owned action tag refs
  • Verify ai-attribution fires at error severity on PRs with Co-Authored-By AI trailers

Assisted-by: Claude <noreply@anthropic.com>

Files affected:

  • .coderabbit.yaml (new configuration file)

Areas impacted:

  • CI/CD pipelines (code review automation configuration only)

What changed:

This PR introduces the complete CodeRabbit code review configuration for the flightctl-demos repository. The configuration is a new, comprehensive set of instructions and automation rules, not modifications to an existing file.

Key elements of the configuration include:

  1. GitHub Actions security guidance — Refined action pinning rules that explicitly permit tag refs (e.g., @v4) for GitHub-owned actions under actions/* namespace, while requiring full-SHA pins with trailing version comments for third-party actions.
  2. AI attribution enforcement — Updated ai-attribution pre-merge check that accepts Assisted-by, Generated-by, or Made-with (e.g., Made-with: Cursor) trailers as valid attribution, flags Co-Authored-By for AI tools, and escalates severity from warning to error.
  3. Path-specific review instructions — Comprehensive guidance for reviewing bootc Containerfiles (base and demo images), demo application images, Fleet manifests, Kubernetes/OpenShift manifests, Quadlet units, workflows, composite actions, and application code (Python, JavaScript, shell, HTML, CSS).
  4. Security scanning tools — Enables gitleaks, semgrep, checkov, hadolint, actionlint, yamllint, markdownlint, and ast-grep.

No runtime or build artifacts affected — this is a configuration-only change to code review automation.

Allow tag refs for GitHub-owned actions (actions/*) instead of blanket
SHA pinning. Third-party actions still require full SHA pins with
trailing version comments.

Escalate ai-attribution check from warning to error and accept
Made-with trailers (e.g., Made-with: Cursor) alongside Assisted-by
and Generated-by.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
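The two rules the PR description lays out (tag refs acceptable for actions/* only, full-SHA pins with a trailing version comment for third-party actions; Assisted-by, Generated-by or Made-with trailers accepted, Co-Authored-By for AI tools flagged) expressed as a standalone Python check over constructed inputs. This is an added example written for this page, not the repository's .coderabbit.yaml or CodeRabbit's own logic; the list of AI tool names used by the Co-Authored-By heuristic and the sample SHAs are assumptions.

```python
import re

# Constructed sample inputs (not from the flightctl-demos repository).
# The 40-hex refs below are placeholder values, not real commits.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: docker/login-action@v3
  - uses: docker/build-push-action@0123456789abcdef0123456789abcdef01234567 # v5.1.0
  - uses: sigstore/cosign-installer@fedcba9876543210fedcba9876543210fedcba98
"""
SAMPLE_COMMIT = """\
Refine pinning rule

Co-Authored-By: Claude <noreply@example.com>
"""

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)(?:\s*#\s*(?P<comment>\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
ACCEPTED_TRAILERS = ("assisted-by:", "generated-by:", "made-with:")
# Assumed tool names for the Co-Authored-By heuristic; the PR names no list.
AI_TOOL_HINTS = ("claude", "cursor", "copilot")


def check_action_pins(workflow_text):
    """Refined pinning rule: actions/* may use tag refs (e.g. @v4); every
    other action needs a full 40-hex SHA followed by a '# <version>' comment."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` step with an @ref
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("actions/"):
            continue  # GitHub-owned action: tag ref is acceptable
        if not FULL_SHA_RE.match(ref):
            findings.append((action, "not pinned to a full SHA"))
        elif not comment:
            findings.append((action, "SHA pin lacks trailing version comment"))
    return findings


def check_ai_attribution(commit_message):
    """Return (severity, reason): 'error' when a Co-Authored-By trailer names an
    AI tool, 'ok' when an accepted trailer is used or no AI attribution appears."""
    trailers = [l.strip().lower() for l in commit_message.splitlines() if ":" in l]
    for t in trailers:
        if t.startswith("co-authored-by:") and any(h in t for h in AI_TOOL_HINTS):
            return ("error", "Co-Authored-By used for an AI tool; use Assisted-by, Generated-by or Made-with")
    if any(t.startswith(ACCEPTED_TRAILERS) for t in trailers):
        return ("ok", "accepted attribution trailer present")
    return ("ok", "no AI attribution trailer")
```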
adalton self-assigned this Jun 12, 2026

coderabbitai (Bot) commented Jun 12, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

Recent review info

Run configuration:
  • Configuration used: Path: .coderabbit.yaml
  • Review profile: ASSERTIVE
  • Plan: Enterprise
  • Run ID: 04e278ca-90a7-4e7c-b8b4-e72019f3af39

Commits: Reviewing files that changed from the base of the PR and between 6132aeb and 966c07b.

Files selected for processing (1):
  • .coderabbit.yaml

Walkthrough

Updated CodeRabbit review configuration to exempt GitHub-owned GitHub Actions using tag refs from SHA pinning requirements and refined the AI-attribution pre-merge check to accept specific attribution trailers while escalating check severity to error.

Changes

CodeRabbit Review Configuration

Layer | File(s) | Summary
GitHub Actions pinning exemption | .coderabbit.yaml | GitHub Actions workflow review guidance exempts actions/* steps using tag refs (e.g., @v4) from missing-SHA pin flagging; third-party actions remain required to use full-SHA pins with version comments.
AI-attribution check enhancement | .coderabbit.yaml | The pre_merge_checks ai-attribution rule now allows Assisted-by, Generated-by, and Made-with trailers as acceptable attribution, continues flagging Co-Authored-By for AI tools, and upgrades severity from warning to error.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • flightctl/flightctl-demos#160: Updates .coderabbit.yaml with GitHub Actions SHA pinning and AI-attribution pre-merge check refinements that directly overlap with this PR's configuration changes.

Suggested labels

configuration

Poem

Config shifts like gentle breeze through rules—
GitHub Actions breathe free with tags,
while AI trails find their proper place,
warnings now echo louder as errors. ✨

Pre-merge checks: 11 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title accurately and concisely summarizes the two main changes: refining action pinning rules and enforcing AI attribution in the CodeRabbit config.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets | Passed | PR #161 only updates .coderabbit.yaml policy text; secret-like strings (AKIA, eyJ, -----BEGIN, ghp_, xoxb) aren't present; no hardcoded secrets detected.
No-Injection-Vectors | Passed | PR #161 only changes .coderabbit.yaml (action pinning + ai-attribution); no GitHub Actions workflow run blocks or Python eval/exec/shell=True/os.system with variables were added.
Container-Image-Provenance | Passed | Checked existing Containerfile FROM lines: base/* images use @sha256 digests; third-party uses tag pytorch-2.1.0 (no :latest). No container-image-provenance violations found.
Arch-Containerfile-Consistency | Passed | Containerfile.amd64/arm64 were added for centos-bootc and fedora-bootc; package install + systemctl enable steps match across arches (only arch-specific repo URLs differ).
No-Sensitive-Data-In-Logs | Passed | .coderabbit.yaml's no-sensitive-data-in-logs block only instructs to flag secret-revealing logs/echoes; it contains no credentials or echo/token examples, and PR's related changes are action pinnin...
Ai-Attribution | Passed | In .coderabbit.yaml, the ai-attribution custom check accepts Made-with/Assisted-by/Generated-by and flags Co-Authored-By, with mode set to "error".


adalton merged commit 5957521 into flightctl:main Jun 12, 2026
3 checks passed
adalton deleted the andalton/more-coderabbit-tweaks branch June 12, 2026 18:07