Skip to content

fix(ci): bind E2E gate to exact PR diff#6788

Merged
cv merged 1 commit into
mainfrom
codex/fix-advisor-e2e-gate
Jul 13, 2026
Merged

fix(ci): bind E2E gate to exact PR diff#6788
cv merged 1 commit into
mainfrom
codex/fix-advisor-e2e-gate

Conversation

@cv

@cv cv commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

This follow-up to #6745 binds E2E / PR Gate to the exact pull request number, head SHA, and base SHA, so base retargets and stale workflow events cannot reuse or overwrite another diff's result. Unrelated main advances no longer force a full CI rerun when GitHub proves the trusted E2E control plane is unchanged; ambiguous or changed trust boundaries still fail closed.

Changes

  • Give canonical PR CI a strict run identity and require the trusted .github/workflows/pr.yaml path before the privileged coordinator accepts it.
  • Isolate metadata-only edits from eligible CI/advisor concurrency while rerunning both advisors for real base retargets.
  • Bind check external IDs, controller state, child dispatch inputs, evidence finalization, and manual exceptions to both head and base SHAs; serialize seed/coordinator mutations and revalidate the live open PR before every security-sensitive transition.
  • Pass the accepted workflow SHA to the child E2E workflow and reject a dispatch race before matrix generation or secret-bearing jobs.
  • Accept a newer main only when GitHub proves it is a stable descendant with fewer than 300 fully enumerated changed files and no e2e-control-plane match. This compatibility path is required by the trusted workflow-run controller because exact tip equality made unrelated merges invalidate completed PR CI; test/pr-e2e-gate.test.ts covers safe advances, control-plane paths and renames, divergence, truncation, and second advances.
  • Add regression coverage for out-of-order base events, A→B→A retargets, failed-CI provenance, closed/retargeted finalization, late manual-exception races, workflow source identity, and concurrency cancellation boundaries. Update the internal E2E and maintainer contracts.
  • Preserve the packaged fdfind fix from fix(ci): verify packaged fdfind identity #6785 without duplicating it in this diff.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Quality Gates

  • Tests added or updated for changed behavior
  • Existing tests cover changed behavior — justification:
  • Tests not applicable — justification:
  • Docs updated for user-facing behavior changes
  • Docs not applicable — justification: This changes internal CI and maintainer behavior only; the internal E2E and merge-gate contracts were updated.
  • Sensitive paths changed (security, policy, credentials, preflight, onboarding, inference, runner, sandbox, or messaging)
  • Sensitive-path review completed or maintainer-approved waiver recorded — reviewer/approval link/justification: Independent correctness and security review covered workflow-event provenance, cancellation domains, exact-diff check identity, compare completeness, and race windows; every finding was addressed with a regression test.
  • Non-success, skipped, or missing CI check accepted by maintainer — check name, approval link, and follow-up issue:

Verification

  • PR description includes the DCO sign-off declaration and every commit appears as Verified in GitHub
  • Normal pre-commit, commit-msg, and pre-push hooks passed, or npm run check:diff passed when hooks were skipped or unavailable
  • Targeted behavior tests pass for the current change set, or tests are marked not applicable above — npx vitest run --project integration test/pr-e2e-gate.test.ts test/pr-e2e-gate-lifecycle.test.ts test/pr-e2e-gate-exceptions.test.ts test/pr-e2e-gate-workflow.test.ts test/pr-review-advisor-workflow-boundary.test.ts test/pr-workflow-contract.test.ts (104 passed); npx vitest run --project e2e-support test/e2e/support/e2e-operations-workflow-boundary.test.ts (23 passed)
  • Applicable broad gate passed — npm test for broad runtime/test-harness changes; npm run check for repo-wide validation/coverage changes — command/result:
  • Quality Gates section completed with required justifications or waivers
  • No secrets, API keys, or credentials committed
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

  • New Features

    • PR E2E gates now track exact head and base revisions, preventing results from being applied after retargeting or new commits.
    • Added secure workflow and base revision validation before E2E jobs are dispatched.
    • Added controlled manual resolution paths for eligible no-secret exceptions.
  • Bug Fixes

    • Improved handling of edited and retargeted pull requests.
    • Prevented stale or mismatched CI results from completing gates.
    • Strengthened cancellation and failure handling for incomplete or invalid E2E runs.
  • Documentation

    • Updated maintainer guidance for gate exceptions, ruleset rollouts, and validation requirements.

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv self-assigned this Jul 13, 2026
@github-code-quality

github-code-quality Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/plugin

The overall coverage remains at 96%, unchanged from the branch.

TypeScript / code-coverage/cli

The overall coverage in the branch remains at 79%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File 834bf7d 8469ce8 +/-
src/lib/actions...ge-preflight.ts 89% 74% -15%
src/lib/onboard...reachability.ts 72% 63% -9%
src/lib/name-validation.ts 100% 94% -6%
src/lib/runner.ts 75% 72% -3%
src/lib/state/gateway.ts 93% 91% -2%
src/lib/securit...ntial-filter.ts 99% 98% -1%
src/lib/adapter...shell/client.ts 88% 90% +2%
src/lib/security/redact.ts 95% 99% +4%

Updated July 13, 2026 22:08 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The PR gate changes from head-only identity to exact head/base identity, adds trusted workflow SHA validation, supports base-changing PR events, strengthens safe dispatch and exception resolution, and expands controller lifecycle and workflow-boundary tests.

Changes

Exact-diff PR E2E gate

Layer / File(s) Summary
Exact-diff identity and lifecycle
tools/e2e/pr-e2e-gate.mts, test/pr-e2e-gate.test.ts, test/pr-e2e-gate-lifecycle.test.ts
Gate state, check identities, seeding, dispatch completion, cancellation, and exception resolution now include and validate the PR base SHA.
Trusted workflow dispatch validation
.github/workflows/e2e.yaml, tools/e2e/operations-workflow-boundary.mts, test/pr-e2e-gate-workflow.test.ts
Child dispatches carry base_sha and workflow_sha; validation checks PR head/base, checkout, and trusted workflow commits, including safe main-branch advancement.
Workflow event and concurrency wiring
.github/workflows/pr.yaml, .github/workflows/pr-e2e-gate.yaml, .github/workflows/pr-review-advisor.yaml, test/*workflow-contract.test.ts
PR workflows handle edited base changes, exact-diff reservations, trusted CI titles, and eligibility-aware concurrency and publication conditions.
Exception safety and maintainer procedures
test/pr-e2e-gate-exceptions.test.ts, test/e2e/README.md, .agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md
Fork and control-plane exceptions require exact head/base validation, while documentation defines stricter no-secret and staged-rollout procedures.

Estimated code review effort: 5 (Critical) | ~120 minutes

Suggested labels: bug-fix, area: ci, area: e2e

Suggested reviewers: amata-human, ericksoa, prekshivyas, hoyalim, jyaunches

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: binding the CI E2E gate to the exact PR diff.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-advisor-e2e-gate

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

PR Review Advisor — Informational

Advisor assessment: Informational / low confidence
Primary next action: No advisor follow-up required beyond maintainer review.
Findings: 0 blockers · 0 warnings · 0 optional suggestions
Status: No actionable findings remain in the canonical review ledger.

E2E guidance

Advisory only: coverage and selector recommendations are non-authoritative. E2E / PR Gate independently computes and dispatches trusted jobs without consuming this output.

Recommended coverage: cloud-onboard, credential-sanitization, security-posture
Recommended selectors: cloud-onboard, credential-sanitization, security-posture

  • cloud-onboard — Selected from the trusted checked-in E2E coverage inventory.

  • credential-sanitization — Selected from the trusted checked-in E2E coverage inventory.

  • security-posture — Selected from the trusted checked-in E2E coverage inventory.

  • cloud-onboard — Selected as a trusted checked-in E2E job.

  • credential-sanitization — Selected as a trusted checked-in E2E job.

  • security-posture — Selected as a trusted checked-in E2E job.

Workflow run details

This is an automated, non-authoritative review. Findings are inputs to maintainer adjudication. Warnings and optional suggestions do not require a response or follow-up. A human maintainer makes the final merge decision.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/pr-review-advisor-workflow-boundary.test.ts (1)

255-263: 🔒 Security & Privacy | 🔵 Trivial | 🏗️ Heavy lift

Test the edited-event behavior semantically.

These assertions only check that each condition contains two text fragments. A future operator/grouping mistake could still pass while allowing metadata-only edited events to run or publish. Add behavioral fixtures for base-changing and metadata-only edits, and assert the resulting eligibility/concurrency decisions rather than matching source substrings.

As per path instructions, tests should prefer observable behavioral outcomes over source-text or implementation-shape assertions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/pr-review-advisor-workflow-boundary.test.ts` around lines 255 - 263,
Replace the substring-based assertions in the edited-event test with behavioral
fixtures covering base-changing and metadata-only pull request edits. Exercise
the workflow eligibility and concurrency decisions for each fixture, asserting
that base changes proceed while metadata-only edits do not run or publish;
retain only source checks that are necessary for observable behavior.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/pr-review-advisor-workflow-boundary.test.ts`:
- Around line 255-263: Replace the substring-based assertions in the
edited-event test with behavioral fixtures covering base-changing and
metadata-only pull request edits. Exercise the workflow eligibility and
concurrency decisions for each fixture, asserting that base changes proceed
while metadata-only edits do not run or publish; retain only source checks that
are necessary for observable behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 237e816d-1773-4059-800e-47a2852ae447

📥 Commits

Reviewing files that changed from the base of the PR and between 834bf7d and 8469ce8.

📒 Files selected for processing (15)
  • .agents/skills/nemoclaw-maintainer-day/MERGE-GATE.md
  • .github/workflows/e2e.yaml
  • .github/workflows/pr-e2e-gate.yaml
  • .github/workflows/pr-review-advisor.yaml
  • .github/workflows/pr.yaml
  • test/e2e/README.md
  • test/e2e/support/e2e-operations-workflow-boundary.test.ts
  • test/pr-e2e-gate-exceptions.test.ts
  • test/pr-e2e-gate-lifecycle.test.ts
  • test/pr-e2e-gate-workflow.test.ts
  • test/pr-e2e-gate.test.ts
  • test/pr-review-advisor-workflow-boundary.test.ts
  • test/pr-workflow-contract.test.ts
  • tools/e2e/operations-workflow-boundary.mts
  • tools/e2e/pr-e2e-gate.mts

@cv cv merged commit 989eea9 into main Jul 13, 2026
79 of 81 checks passed
@github-actions github-actions Bot added the v0.0.82 Release target label Jul 13, 2026
@wscurran wscurran added area: ci CI workflows, checks, release automation, or GitHub Actions area: e2e End-to-end tests, nightly failures, or validation infrastructure bug-fix PR fixes a bug or regression labels Jul 13, 2026
@cv cv deleted the codex/fix-advisor-e2e-gate branch July 13, 2026 22:10
cv added a commit that referenced this pull request Jul 13, 2026
<!-- markdownlint-disable MD041 -->
## Summary
<!-- 1-3 plain sentences: what changes and why. Describe
before-and-after behavior when it applies. Use existing repository
terms; do not invent a label for this PR. -->

This follow-up to #6745 and #6788 makes the combined PR Review Advisor
disclose both model lanes without giving Nemotron authority over GPT's
assessment, fixes contradictory confidence and E2E guidance, and ensures
stale CI events close only the seeded in-progress E2E check. Missing or
malformed Nemotron artifacts now degrade to an unavailable second
opinion while a valid GPT review still publishes.

## Changes
<!-- List concrete changes. If this adds an abstraction, configuration,
fallback, migration, or compatibility path, name its current requirement
and consumer, explain why a direct change is insufficient, and identify
the test that protects it. -->

- Download the exact same-run Nemotron artifact in the write-capable
publisher, validate its raw status, final result, summary, size, path,
and head SHA, and pass it to the comment renderer only through a trusted
validation output. GPT remains fail-closed and authoritative; the
nonblocking Nemotron lane reports only allowlisted status, confidence,
severity counts, and opaque structural agreement or disagreement.
- Render the actual normalized confidence for informational reviews,
reconcile trusted E2E coverage and selector tiers through the existing
target normalizer, and avoid “Why no…” text when optional guidance
exists.
- Delete only `github-actions[bot]` comments whose first line is one of
the two retired E2E Advisor markers, after the combined sticky comment
publishes. The bot-owner and exact-marker restrictions are covered by
the security-boundary tests.
- Recover an existing exact-diff check ID before stale workflow-run
validation only when the check is still `in_progress`, allowing the
existing cleanup step to terminalize abandoned checks without rewriting
completed historical results.
- Extend workflow-boundary, comment, normalization, GitHub API, and gate
regression tests for complete, partial, failed, skipped, malformed,
stale, and completed-check cases.

## Type of Change

- [x] Code change (feature, bug fix, or refactor)
- [ ] Code change with doc updates
- [ ] Doc only (prose changes, no code sample modifications)
- [ ] Doc only (includes code sample changes)

## Quality Gates
<!-- Check exactly one tests line and one docs line. Check other lines
when applicable. Add every requested justification or approval
reference. -->
- [x] Tests added or updated for changed behavior
- [ ] Existing tests cover changed behavior — justification:
- [ ] Tests not applicable — justification:
- [ ] Docs updated for user-facing behavior changes
- [x] Docs not applicable — justification: This changes internal
maintainer automation and GitHub workflow behavior only; the required
documentation-writer pass found no user-facing CLI, configuration, API,
policy, or product documentation change.
- [x] Sensitive paths changed (security, policy, credentials, preflight,
onboarding, inference, runner, sandbox, or messaging)
- [x] Sensitive-path review completed or maintainer-approved waiver
recorded — reviewer/approval link/justification: Independent final
reviews found no remaining findings after checking `pull_request_target`
privilege separation, same-run artifact provenance, primary fail-closed
behavior, nonblocking secondary validation, prose isolation, exact
bot-owned legacy comment deletion, E2E selector trust, and
stale/completed check races. The nine-category security checklist also
found no secret, injection, authorization, dependency, logging,
cryptography, configuration, test, or holistic posture regression.
- [ ] Non-success, skipped, or missing CI check accepted by maintainer —
check name, approval link, and follow-up issue:

## Verification
<!-- Check each applicable item only when supported by the requested
evidence. Run targeted tests once per relevant change set and rerun
after later edits or hook autofixes that can affect that behavior. Do
not rerun hook-covered checks. -->
- [x] PR description includes the DCO sign-off declaration and every
commit appears as `Verified` in GitHub
- [x] Normal `pre-commit`, `commit-msg`, and `pre-push` hooks passed, or
`npm run check:diff` passed when hooks were skipped or unavailable
- [x] Targeted behavior tests pass for the current change set, or tests
are marked not applicable above — final advisor suites passed 120/120
tests, the compacted advisor regression passed 44/44, and all four PR
E2E gate suites passed 69/69; CLI type-check passed in the normal
pre-push hook.
- [ ] Applicable broad gate passed — `npm test` for broad
runtime/test-harness changes; `npm run check` for repo-wide
validation/coverage changes — command/result:
- [x] Quality Gates section completed with required justifications or
waivers
- [x] No secrets, API keys, or credentials committed
- [ ] `npm run docs` builds without warnings (doc changes only)
- [ ] Doc pages follow the [style
guide](https://github.com/NVIDIA/NemoClaw/blob/main/docs/CONTRIBUTING.md)
(doc changes only)
- [ ] New doc pages include SPDX header and frontmatter (new pages only)

---
<!-- DCO sign-off is required in this PR description, and every commit
must appear as Verified in GitHub. Run: git config user.name && git
config user.email -->
Signed-off-by: Carlos Villela <cvillela@nvidia.com>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* PR review comments now support an optional second-opinion analysis,
including model-lane status and comparison details when compatible.
* Comments show clearer confidence-aware model-lane information, with
improved E2E “no coverage” messaging.
* Legacy advisor sticky comments are cleaned up automatically during
updates.
* **Bug Fixes**
* E2E recommendations/coverage handling is corrected when only optional
coverage is selected.
* E2E coverage/target reconciliation is more accurately aligned with
available trusted capabilities.
* PR gate handling is improved for stale, duplicate, and superseded
checks—avoiding unnecessary check reopens and recording recovered check
IDs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: ci CI workflows, checks, release automation, or GitHub Actions area: e2e End-to-end tests, nightly failures, or validation infrastructure bug-fix PR fixes a bug or regression v0.0.82 Release target

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants