Skip to content

fix: expose request-changes on reusable review workflow#72

Merged
antongulin merged 5 commits into
mainfrom
fix/reusable-workflow-request-changes-input
Jul 9, 2026
Merged

fix: expose request-changes on reusable review workflow#72
antongulin merged 5 commits into
mainfrom
fix/reusable-workflow-request-changes-input

Conversation

@antongulin

@antongulin antongulin commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

  • feat: configurable review event (request_changes vs comment) #61 shipped request-changes on the action and .github/robin.yml, but not on .github/workflows/review.yml, so reusable-workflow callers got Invalid input, request-changes is not defined.
  • Declares and forwards request-changes, plus the other documented-but-missing inputs (config-file, use-json-response-mode).
  • Hardens dual-entry parity: consumer fixture + actionlint in Self-Test (checksum-verified install) + Jest set-equality tests + PR/CONTRIBUTING checklist.
  • Docs: advisor-mode example; clarify string defaults so empty still defers to repo config.

Root cause

Reusable workflows only accept inputs listed under on.workflow_call.inputs. Adding an action input alone is not enough for the common uses: .../review.yml@main path.

Test plan

  • npm test — 72 passed
  • Self-Test green (actionlint + suite) on latest commit
  • actionlint fails with Cesar-class error if request-changes is stripped from review.yml (verified locally)
  • Robin loop: pass-1 Medium fixed; pass-2 LEGIT Lows fixed; remaining Low/Suggestion justified as NOISE and threads resolved

Fixes the report on #59.

#61 added the action input and repo-config key, but callers of
review.yml@main could not pass request-changes because it was never
declared under workflow_call. Wire request-changes, config-file, and
use-json-response-mode through the reusable workflow, and add a parity
test so new action inputs cannot silently skip that layer again.

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🏹 Robin

✅ Review done. I flagged 1 thing worth a look.

Push fixes whenever you like, then comment /robin for another pass.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🏹 Robin

Heads up: this is a point-in-time review. Push fixes freely, then comment /robin whenever you want another pass.

⚠️ 1 Medium

Summary

The change cleanly adds three new workflow inputs (request-changes, config-file, use-json-response-mode) with thoughtful tri-state string defaults that defer to repo config, and the docs are updated consistently. A new meta-test verifies that all non-secret action inputs are exposed and forwarded by the reusable workflow, which is a great guardrail. The main concern is that the test's regex for parsing action.yml inputs is not scoped to the inputs section and will also match outputs, making it fragile when outputs are added to action.yml.


Robin — the Robin Hood of code review. Free for every PR.

Comment thread src/workflow.test.ts Outdated
The #61 miss was a dual-entry-point gap: action.yml gained
request-changes, review.yml did not. Add a consumer fixture that
passes every workflow_call input, run actionlint in Self-Test (same
schema check GitHub uses), harden Jest parity/docs checks, and put a
dual-entry checklist in the PR template and CONTRIBUTING.

Co-authored-by: Cursor <cursoragent@cursor.com>
@antongulin

Copy link
Copy Markdown
Owner Author

Follow-up hardening on this PR so we don't repeat the dual-entry miss:

  1. actionlint in Self-Test — lints .github/workflows/*.yml and testdata/consumer-workflows/*.yml. Confirmed it fails with Cesar's exact error if request-changes is stripped from review.yml.
  2. Consumer fixture testdata/consumer-workflows/all-inputs.yml — passes every workflow_call input.
  3. Stronger Jest parity — exact set equality for action ↔ workflow_call ↔ forward; empty-string defaults for defer-to-config knobs; ADVANCED.md must document each public input; fixture must list every workflow input.
  4. PR template + CONTRIBUTING — dual-entry checklist (action.yml + review.yml + robin.yml + docs + fixture).

npm test: 71 passed.

Robin flagged that the parity-test regex matched any 2-space key with
a description, including a future outputs: block. Slice to the inputs:
section first and add a regression case with a synthetic outputs key.

Co-authored-by: Cursor <cursoragent@cursor.com>
@antongulin

Copy link
Copy Markdown
Owner Author

/robin

Fixed in 88408f2:

  • Scoped parseActionInputs to the inputs: section so a future outputs: block cannot pollute workflow_call parity
  • Added a regression test with a synthetic outputs.summary key

Verification:

  • npm test -- --testPathPattern=workflow.test — 13 passed
  • Self-Test (actionlint + full suite) green on the push

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🏹 Robin

✅ Review done. I flagged 5 things worth a look.

Push fixes whenever you like, then comment /robin for another pass.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🏹 Robin

Heads up: this is a point-in-time review. Push fixes freely, then comment /robin whenever you want another pass.

⚠️ 1 Medium | 🔵 2 Low | 💡 2 Suggestions

Summary

This is a well-structured change that adds new workflow_call inputs (request-changes, config-file, use-json-response-mode), introduces actionlint in CI, and adds comprehensive parity tests plus a consumer fixture to prevent undeclared-input regressions. The test coverage for action/workflow input parity is thoughtful and the documentation updates are thorough. A few minor concerns around supply-chain safety of the actionlint install, a potential docs/code default mismatch for max-comments, and an internal name reference in a public fixture.


Robin — the Robin Hood of code review. Free for every PR.

Comment thread docs/ADVANCED.md
Comment thread .github/workflows/self-test.yml Outdated
Comment thread testdata/consumer-workflows/all-inputs.yml Outdated
Comment thread src/workflow.test.ts
Comment thread .github/workflows/self-test.yml Outdated
Download the pinned linux_amd64 tarball and sha256sum-check it instead
of curl|bash, and genericize the consumer-fixture comment so it does
not name a reporter.

Co-authored-by: Cursor <cursoragent@cursor.com>
@antongulin

Copy link
Copy Markdown
Owner Author

/robin

Fixed in 92667c1:

  • Self-Test installs actionlint via pinned release tarball + sha256sum (no curl|bash)
  • Consumer fixture comment no longer names a reporter

Skipped (with replies):

  • max-comments docs Medium — both action.yml and review.yml already default to 15
  • js-yaml Suggestion — keep lightweight parsers
  • actionlint cache Suggestion — checksum verify is the higher-value hardening

Verification:

  • Self-Test green including actionlint checksum install + workflow lint

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🏹 Robin

✅ Review done. I flagged 3 things worth a look.

Push fixes whenever you like, then comment /robin for another pass.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🏹 Robin

Heads up: this is a point-in-time review. Push fixes freely, then comment /robin whenever you want another pass.

🔵 2 Low | 💡 1 Suggestions

Summary

Well-structured change that adds three new workflow_call inputs (request-changes, config-file, use-json-response-mode) to the reusable review workflow, forwards them to the action step, and adds comprehensive parity tests plus an actionlint-validated consumer fixture. The defer-to-config pattern using string-typed inputs with empty defaults is consistent and correctly documented. The actionlint installation uses a pinned SHA256 checksum, which is good supply-chain hygiene. No high or medium severity issues found.


Robin — the Robin Hood of code review. Free for every PR.

Comment thread src/workflow.test.ts
Comment thread src/workflow.test.ts
Comment thread src/workflow.test.ts
Cesar's consumer YAML uses `request-changes: false`. A string-typed
workflow_call input rejects that as a bool/string mismatch under
actionlint (and is awkward for real callers). Use type: boolean with
no default so omit still defers to .github/robin.yml.

Co-authored-by: Cursor <cursoragent@cursor.com>
@antongulin antongulin merged commit d648b4b into main Jul 9, 2026
3 of 4 checks passed
@antongulin antongulin deleted the fix/reusable-workflow-request-changes-input branch July 9, 2026 06:25
@github-actions github-actions Bot mentioned this pull request Jul 9, 2026
github-actions Bot added a commit that referenced this pull request Jul 9, 2026
🤖 I have created a release *beep* *boop*
---


## [2.4.3](v2.4.2...v2.4.3)
(2026-07-09)


### Bug Fixes

* expose request-changes on reusable review workflow
([#72](#72))
([d648b4b](d648b4b))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant