No actionable comments were generated in the recent review.
Walkthrough
The release workflow is consolidated into
Changes
Release workflow consolidation
Actionable comments posted: 4
🧹 Nitpick comments (1)
.github/workflows/main.yml (1)
283-287: 🔒 Security & Privacy | 🔵 Trivial | 🏗️ Heavy lift
Prefer PyPI trusted publishing for this workflow.
If the PyPI project can be configured for GitHub trusted publishing, this release path no longer needs a long-lived `PYPI_API_TOKEN` secret.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/main.yml:
- Around line 241-243: The workflow currently grants `contents: write` to the
whole job even on non-`main` runs, so narrow that permission to the actual
release path only. Split the release/publish logic in the workflow so the
`ncipollo/release-action` step runs in a `main`-only job with write access, and
keep the always-running test-release job read-only. Use the existing job/step
structure around the release action to separate these paths without changing the
test execution flow.
- Around line 255-258: The apt install step in the workflow can prompt for
confirmation on fresh runners, so make the install noninteractive in the main
release/test-release job. Update the install block that runs sudo apt-get update
and sudo apt-get install in the workflow to pass a noninteractive mode or
equivalent apt option, keeping the rest of the setup (including curl | python3 -
for Poetry) unchanged.
- Around line 279-280: The version bump step in the workflow is using a sed
pattern that treats the capture group as literal text, so the replacement
backreference in the Update version step cannot work. Update the workflow’s
Update version command to either enable extended regex support with sed or
replace the whole operation with poetry version, and make sure the change still
targets pyproject.toml and preserves the intended post-release suffix using the
existing TAG variable.
- Around line 249-253: The workflow step in main.yml needs to stop using mutable
action tags and avoid leaving Git credentials in the release job. Update the
actions referenced by setup-python and checkout in the job to pinned commit
SHAs, and set persist-credentials to false on the checkout step since this job
only publishes to PyPI. Use the existing action steps in the release workflow as
the locations to update.
---
Nitpick comments:
In @.github/workflows/main.yml:
- Around line 283-287: The Publish to pypi step in the main workflow still uses
a long-lived PYPI_API_TOKEN secret; update this release path to use PyPI trusted
publishing instead. Adjust the workflow job around the publish step so it relies
on GitHub OIDC/trusted publishing configuration for Poetry rather than the
POETRY_PYPI_TOKEN_PYPI environment secret, and make sure the publishing step
remains gated by the main branch condition.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: f63ba611-8f1b-4716-b0a2-8250adc8dad3
📒 Files selected for processing (2)
- .github/workflows/main.yml
- .github/workflows/python-publish.yml
💤 Files with no reviewable changes (1)
- .github/workflows/python-publish.yml
🧹 Nitpick comments (1)
.github/workflows/main.yml (1)
287-291: 🔒 Security & Privacy | 🔵 Trivial
Prefer PyPI trusted publishing if this project supports it.
`secrets.PYPI_API_TOKEN` keeps a reusable PyPI secret in GitHub; if the PyPI project is configured for trusted publishing, switch this step to OIDC (`permissions: id-token: write` + `pypa/gh-action-pypi-publish`) and remove the token secret.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/main.yml:
- Around line 287-291: The publish step currently uses a stored PyPI token via
poetry publish, but it should use PyPI trusted publishing if supported. Update
the workflow around the Publish to pypi step to use OIDC-based publishing with
pypa/gh-action-pypi-publish, add the required id-token: write permission, and
remove the POETRY_PYPI_TOKEN_PYPI secret usage from this job.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 98a1d9f9-0e48-4a8c-9eda-801f9bfb0ff8
📒 Files selected for processing (1)
.github/workflows/main.yml
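As an added example (not the PR's own workflow and not CodeRabbit's output), here is one shape for a main-only release job that applies the points raised in both review comments above: narrowed `contents: write`, pinned action SHAs with `persist-credentials: false`, a noninteractive apt install, a version bump that does not rely on a basic-regex capture group, and OIDC trusted publishing in place of `PYPI_API_TOKEN`. Assumed: the job name, the Python version, the `<packages>` and `<commit-sha>` placeholders, the `.post0` suffix, and that `TAG` is exported by an earlier step as in the PR.

```yaml
jobs:
  release:
    # Added example, not the PR's workflow. Runs only for main, so contents: write
    # never applies to the test-release path (kept as a separate read-only job).
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write      # for ncipollo/release-action only
      id-token: write      # lets PyPI verify a short-lived OIDC token
    steps:
      # Pin to full commit SHAs (placeholders here), not mutable tags like v4.
      - uses: actions/checkout@<commit-sha>   # assumption: SHA of the v4 release in use
        with:
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@<commit-sha>
        with:
          python-version: "3.12"      # assumption
      - name: Install build tooling
        env:
          DEBIAN_FRONTEND: noninteractive   # no prompts on a fresh runner
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends <packages>   # placeholder list
          curl -sSL https://install.python-poetry.org | python3 -
      - name: Update version
        # Assumption: TAG was exported by an earlier step, as in the PR's workflow.
        run: |
          # A basic-regex sed treats "(" and ")" literally, so "\1" is never filled.
          # Either opt into extended regex:
          #   sed -E -i "s/^(version = )\"[^\"]+\"/\1\"${TAG#v}.post0\"/" pyproject.toml
          # or skip the regex and let Poetry rewrite pyproject.toml:
          poetry version "${TAG#v}.post0"   # ".post0" stands in for the intended suffix
      - name: Build
        run: poetry build
      - name: Create GitHub release
        uses: ncipollo/release-action@<commit-sha>
        with:
          tag: ${{ env.TAG }}
      - name: Publish to PyPI
        # Trusted publishing: no POETRY_PYPI_TOKEN_PYPI / PYPI_API_TOKEN secret needed.
        uses: pypa/gh-action-pypi-publish@<commit-sha>
```

The PyPI project must have a trusted publisher registered for this repository and workflow file before the last step will be accepted; until then the token-based step keeps working.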