Conversation
…ation. (#910) * feat(SDK-5351): optimises cicd - makes all tasks parallel within module - adds gradle cache - adds baseline for linting so only new issues surface - makes main workflow parallel rather than sequential * feat(SDK-5351): adds manual dispatch for testing. * feat(SDK-5351): fixes syntax * feat(SDK-5351): adds lint baseline generation action. * feat(SDK-5351): fixes jacoco report building and uses cache - uses cache for jacoco * feat(SDK-5351): removes jacoco testing for 2 variants - since we use single test source set - 2 parallel runs not needed * feat(SDK-5351): changes main workflows to fail fast - static checks fail -> do not trigger tests - uses single source test set * feat(SDK-5351): fixes names * feat(SDK-5351): fixes names * feat(SDK-5351): generates lint baseline file. * feat(SDK-5351): uses checkout action v4 instead of older one - uses newer action for checkout * feat(SDK-5351): corrects titles. * feat(SDK-5351): removes comments from gen. * feat(SDK-5351): names correctly. * feat(SDK-5351): names correctly. * feat(SDK-5351): names workflow correctly. * feat(SDK-5351): prevents build heap mem abuse. * feat(SDK-5351): removes unused file. * feat(SDK-5351): uses latest setup java * feat(SDK-5351): provides missing metadata to the mini workflows.
Release v7.7.0
Release v7.7.1
Release 7.8.0
Release 8.0.0 [Core SDK]
Release PT 2.3.0
Release PT 2.4.0
Core Release 8.1.0
Release 8.2.0
Only reverts a commit. Overriding the checks manually. Needs updating git actions.
ci: add Vision AI Review workflow
The on-pr job already skips fork PRs via head.repo.full_name check, but issue_comment events don't expose pull_request.head.repo in the payload, so the on-comment job was firing for any PR a repo member commented on — including forks. That's coherent (member opt-in) but inconsistent with the on-pr behavior. This change makes it uniform: forks are never reviewed automatically OR via the comment trigger. Adds a small pull-requests: read scope on the on-comment job, fetches the PR by github.event.issue.pull_request.url, and only triggers the notifier when head.repo.full_name matches the current repo. A separate "Skipped (fork PR)" step makes the skip visible in the Actions UI.
|
Warning Review limit reached
More reviews will be available in 16 minutes and 9 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
![clevertap-vision[bot]](https://avatars.githubusercontent.com/in/648995?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
Summary
This PR ("Updating develop.") syncs master into develop; the only net change is the addition of .github/workflows/vision-ai-review.yml, the Vision AI Review GitHub Actions workflow (already introduced on master via #1014/#1015). The workflow auto-triggers reviews on PR open/ready/synchronize and on a /vision-review-deep comment, calling an external review-notifier endpoint with Cloudflare Access credentials.
Security hygiene is solid: top-level permissions: {} (least privilege), explicit fork gating on both the pull_request and issue_comment paths, author-association gating on the comment trigger, and untrusted values passed through env: rather than interpolated into shell (avoiding the classic GHA script-injection pitfall).
📊 Visual Overview
flowchart TD
A[pull_request: opened / ready_for_review / synchronize] --> B{same-repo AND not draft?}
B -- no --> X[skip]
B -- yes --> T[POST review-notifier]
C[issue_comment: created] --> D{body == /vision-review-deep AND OWNER/MEMBER/COLLABORATOR?}
D -- no --> X
D -- yes --> E[fetch PR head repo via API]
E --> F{head.repo == this repo?}
F -- yes --> T
F -- no --> Y[Skipped fork PR]
Verdict
APPROVE
The workflow is well-constructed and security-conscious, with no blocking issues. The two inline notes are non-blocking suggestions: adding a concurrency group (consistent with the repo's other workflows) to avoid redundant concurrent triggers on rapid pushes, and keeping the env-var discipline consistent in the final echo step. Since this PR merely forward-ports an already-reviewed workflow file onto develop, it is safe to merge.
To retrigger this review, comment /vision-review-deep on the PR.
Reviewed by Vision AI
|
|
||
| permissions: {} | ||
|
|
||
| jobs: |
There was a problem hiding this comment.
💡 Suggestion: Consider adding a concurrency group so rapid pushes don't fan out into multiple in-flight reviews for the same PR. synchronize fires on every push, and the file's own comments note a desire to avoid paying twice — a concurrency group is the standard way to enforce that. This is also consistent with the repo's other workflows (on_pr_from_task_to_develop.yml, on_pr_from_develop_to_master.yml, on_pr_merged_in_master.yml all use concurrency).
| jobs: | |
| concurrency: | |
| group: vision-ai-review-${{ github.event.pull_request.number || github.event.issue.number }} | |
| cancel-in-progress: true | |
| jobs: |
| - name: Skipped (fork PR) | ||
| if: steps.pr.outputs.head != github.repository | ||
| run: | | ||
| echo "PR head '${{ steps.pr.outputs.head }}' is not '${{ github.repository }}'; skipping fork PR." |
There was a problem hiding this comment.
🧹 Code Quality: This is the one spot that interpolates ${{ ... }} directly into a run: script instead of routing through env:, which the rest of the workflow does consistently to avoid GHA script injection. The value here (steps.pr.outputs.head, derived from the GitHub API head.repo.full_name) is constrained to valid repo-name characters and is not attacker-controllable, so this is not exploitable — purely a consistency note. Optionally pass it via env: like the other steps:
env:
HEAD: ${{ steps.pr.outputs.head }}
REPO: ${{ github.repository }}
run: |
echo "PR head '$HEAD' is not '$REPO'; skipping fork PR."6 participants
Merge commits and CICD