
ci: add code-audit PR-comment workflow #1423

Open
jakebromberg wants to merge 2 commits into main from ci/audit-pr-comment

@jakebromberg

Member

Summary

  • Adds .github/workflows/code-audit-pr-comment.yml — calls jakebromberg/code-audit-pipeline/.github/workflows/pr-comment-reusable.yml@v0.3.2 to post a sticky structural-impact comment on every PR (duplicate clusters, cross-package shadows, near-duplicates touched by the diff). Fail-quiet — the audit never blocks a PR.
  • Adds .audit/ to .gitignore so the pipeline's runner-temp output never ends up tracked.

Notes

  • Pinned to @v0.3.2 (latest stable). Bump to @v1 once the pipeline cuts v1.0.0 — at that point both the uses: ref and the audit-binary-version input can move to a floating major pin.
  • contents: read + pull-requests: write granted at the workflow level (reusable-workflow permissions are an upper bound, not additive). No new secrets required.
  • First run lands as a comment on this PR itself, which doubles as the smoke test.

Test plan

  • CI runs the new workflow on this PR
  • Sticky structural-impact comment appears on this PR with no error/diagnostic body
  • Comment marker matches code-audit-pipeline-v1 (so a future re-run edits in place rather than posting again)

Closes #1422

Wires Backend-Service into the code-audit-pipeline reusable workflow at
pr-comment-reusable.yml@v0.3.2. Every PR to main gets a sticky structural-
impact comment (duplicate clusters, cross-package shadows, near-duplicates
touched by the diff). Fail-quiet so the audit never blocks a PR.

Also gitignores .audit/ — the pipeline's runner-temp output should never
end up tracked.

Pinned to v0.3.2 (latest stable); bump to @v1 once the pipeline cuts v1.

Closes #1422
jakebromberg marked this pull request as draft June 14, 2026 05:34
v0.3.3 fixes the cross-repo path-resolution bug in pr-comment-reusable.yml that 404'd on the audit-core action lookup when invoked from a sibling consumer repo. See jakebromberg/code-audit-pipeline#273.
jakebromberg marked this pull request as ready for review June 14, 2026 20:13
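
Added example, not part of this PR or of code-audit-pipeline: a small Python check over a caller workflow that classifies how each remote `uses:` reference is pinned (the description's exact tag `@v0.3.2` versus the floating `@v1` it plans to move to) and compares the workflow-level permissions with the two scopes the description names. The sample workflow is constructed; its trigger and job name are assumptions, as are all function names.

```python
import re

# Constructed sample caller workflow. Only the uses: path, the tag and the two
# permission scopes come from the PR text; trigger and job name are assumed.
SAMPLE_WORKFLOW = """\
name: code-audit-pr-comment
on: pull_request
permissions:
  contents: read
  pull-requests: write
jobs:
  audit:
    uses: jakebromberg/code-audit-pipeline/.github/workflows/pr-comment-reusable.yml@v0.3.2
"""
NEEDED = {"contents": "read", "pull-requests": "write"}  # scopes named in the PR
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)

def classify_ref(ref):
    """Rank a git ref by how easily it can change under the consumer."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "commit-sha"        # content-addressed, cannot be repointed
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "exact-tag"         # stable unless the tag is force-moved
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        return "floating-tag"      # repointed on every release by design
    return "branch-or-other"

def audit_uses(workflow_text):
    findings = []
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        if target.startswith(("./", "docker://")):
            continue               # local and container refs carry no git ref
        path, _, ref = target.partition("@")
        findings.append((path, ref, classify_ref(ref)))
    return findings

def top_level_permissions(workflow_text):  # workflow-level block mapping only
    perms, inside = {}, False
    for line in workflow_text.splitlines():
        if inside:
            entry = re.match(r"^\s+([a-z-]+):\s*(\w+)", line)
            if not entry:
                break              # first non-indented line ends the block
            perms[entry.group(1)] = entry.group(2)
        inside = inside or re.match(r"^permissions:\s*$", line) is not None
    return perms

def permission_drift(perms, needed=NEEDED):
    return {k: v for k, v in perms.items() if needed.get(k) != v}
```
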
@github-actions


shape-sig-frequency

shape_sig values by frequency — discovery helper for migration-progress. 20 row(s), shape: metric.

shape-sig-frequency:querychunks?:array<string-|-{-value?:-string-|-string[]-}>|sql?:string-|-string[]

  • count: 16
  • sample_names: ["SqlLike"]
  • shape_sig: querychunks?:array<string | { value?: string | string[] }>|sql?:string | string[]

shape-sig-frequency:repo:string|run_id:string|tool:string

  • count: 11
  • sample_names: ["BaseTags"]
  • shape_sig: repo:string|run_id:string|tool:string

shape-sig-frequency:repo:string|runid?:string|tool:string

  • count: 11
  • sample_names: ["LoggerConfig"]
  • shape_sig: repo:string|runid?:string|tool:string

shape-sig-frequency:totals:totals

  • count: 7
  • sample_names: ["RunResult"]
  • shape_sig: totals:totals

shape-sig-frequency:album:string-|-null|artist:string|name:string|track:string-|-null

  • count: 3
  • sample_names: ["Case"]
  • shape_sig: album:string | null|artist:string|name:string|track:string | null

shape-sig-frequency:album_title:string|artist_name:string|id:number

  • count: 3
  • sample_names: ["Candidate","EnrichRow","LibraryRow"]
  • shape_sig: album_title:string|artist_name:string|id:number

shape-sig-frequency:artists:string[]|duration:string-|-null|position:string|title:string

  • count: 3
  • sample_names: ["RotationTrack","RotationTrackMock"]
  • shape_sig: artists:string[]|duration:string | null|position:string|title:string

shape-sig-frequency:querychunks?:array<string-|-{-value?:-string-|-string[];-raw?:-string-}>|raw?:string|sql?:string-|-string[]

  • count: 3
  • sample_names: ["SqlLike"]
  • shape_sig: querychunks?:array<string | { value?: string | string[]; raw?: string }>|raw?:string|sql?:string | string[]

shape-sig-frequency:setattribute:typeof-mockspansetattribute|setattributes:typeof-mockspansetattributes

  • count: 3
  • sample_names: ["SpanLike"]
  • shape_sig: setattribute:typeof mockspansetattribute|setattributes:typeof mockspansetattributes

shape-sig-frequency:album_id:number-|-null|album_title:string-|-null|artist_name:string|id:number|track_title:string-|-null

  • count: 2
  • sample_names: ["EnrichRow"]
  • shape_sig: album_id:number | null|album_title:string | null|artist_name:string|id:number|track_title:string | null

shape-sig-frequency:album_id:number|album_title:string|artist_name:string

  • count: 2
  • sample_names: ["LinkedAlbum","ResolvedAlbum"]
  • shape_sig: album_id:number|album_title:string|artist_name:string

shape-sig-frequency:album_title:string-|-null|artist_name:string-|-null|id:number

  • count: 2
  • sample_names: ["LibraryRow"]
  • shape_sig: album_title:string | null|artist_name:string | null|id:number

shape-sig-frequency:apple_music_url:string-|-null|artist_bio:string-|-null|artist_wikipedia_url:string-|-null|artwork_url:string-|-null|bandcamp_url:string-|-null|discogs_url:string-|-null|release_year:number-|-null|soundcloud_url:string-|-null|spotify_url:string-|-null|youtube_music_url:string-|-null

  • count: 2
  • sample_names: ["IFSEntryMetadata","PersistedAlbumMetadata"]
  • shape_sig: apple_music_url:string | null|artist_bio:string | null|artist_wikipedia_url:string | null|artwork_url:string | null|bandcamp_url:string | null|discogs_url:string | null|release_year:number | null|soundcloud_url:string | null|spotify_url:string | null|youtube_music_url:string | null

shape-sig-frequency:dryrunreport:dryrunreport-|-null|totals:totals

  • count: 2
  • sample_names: ["RunResult"]
  • shape_sig: dryrunreport:dryrunreport | null|totals:totals

shape-sig-frequency:id:number

  • count: 2
  • sample_names: ["LmlLookupResultItem.library_item"]
  • shape_sig: id:number

shape-sig-frequency:inlinetracklist:rotationtrack[]-|-null|releaseid:number-|-null

  • count: 2
  • sample_names: ["PickerSource","RotationPickerSource"]
  • shape_sig: inlinetracklist:rotationtrack[] | null|releaseid:number | null

shape-sig-frequency:message:string|skipparsing?:boolean|skipslack?:boolean

  • count: 2
  • sample_names: ["RequestLineBody","RequestLineRequestBody"]
  • shape_sig: message:string|skipparsing?:boolean|skipslack?:boolean

shape-sig-frequency:querychunks?:array<string-|-sqlchunk>|raw?:string|sql?:string-|-string[]|values?:unknown[]

  • count: 2
  • sample_names: ["SqlLike"]
  • shape_sig: querychunks?:array<string | sqlchunk>|raw?:string|sql?:string | string[]|values?:unknown[]

shape-sig-frequency:querychunks?:sqlchunk[]|raw?:string|value?:string-|-string[]

  • count: 2
  • sample_names: ["SqlChunk"]
  • shape_sig: querychunks?:sqlchunk[]|raw?:string|value?:string | string[]

shape-sig-frequency:status:number|stderr:string|stdout:string

  • count: 2
  • sample_names: ["ExecResult"]
  • shape_sig: status:number|stderr:string|stdout:string

touched-window-debt-summary

PR-time meta-summary: clusters intersecting the touched-in-window set. 4 row(s), shape: metric.

touched-window-debt-summary:exact-duplicates

  • cluster_type: exact-duplicates
  • percent_touched: 0
  • total: 20
  • touched: 0
  • touched_clusters: []

touched-window-debt-summary:name-collisions

  • cluster_type: name-collisions
  • percent_touched: 0
  • total: 55
  • touched: 0
  • touched_clusters: []

touched-window-debt-summary:cross-package-shadows

  • cluster_type: cross-package-shadows
  • percent_touched: 0
  • total: 0
  • touched: 0
  • touched_clusters: []

touched-window-debt-summary:near-duplicates

  • cluster_type: near-duplicates
  • percent_touched: 0
  • total: 64
  • touched: 0
  • touched_clusters: []
