
ci: enhance CI workflows with CODEOWNERS and feedback #134

Merged: Zzackllack merged 4 commits into main from better-ci-cd on Jun 14, 2026

Conversation

@Zzackllack (Owner) commented Jun 14, 2026

Description

This pull request updates the repository’s automation and documentation to improve the clarity and usefulness of pull request feedback. The main changes include separating CODEOWNERS validation from contributor notices, enhancing PR test feedback to support both Pytest and Pylint with formatted output, and providing clearer, more actionable messages when PR titles do not follow Conventional Commits. Documentation and workflows have also been updated to reflect these improvements.

CODEOWNERS and Contributor Feedback Improvements:

  • The CODEOWNERS workflow now only blocks malformed or unresolved rules, and no longer flags files covered only by the global fallback (*). A new, separate notice is posted to inform external contributors that they do not need to add themselves to CODEOWNERS for a single PR.
  • .github/CONTRIBUTING.md has been expanded to clarify the purpose of CODEOWNERS and when contributors should be added.
  • The .github/CODEOWNERS file was updated to reflect correct path ownership for the apps/api structure.

Pull Request Test Feedback Automation:

  • The PR feedback workflow now supports both Pytest and Pylint, posting formatted output as a comment on PRs when tests or linting fail. The workflow dynamically adjusts its messaging and artifact handling based on the tool.
  • The Pylint workflow uploads failure output as an artifact for PR feedback integration.

PR Title Validation:

  • The PR title check now provides detailed feedback, including the reason for failure and examples of valid titles, making it easier for contributors to correct mistakes.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Testing

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Screenshots (if applicable)

Additional Notes

Any additional information that reviewers should know.

Summary by CodeRabbit

Release Notes

  • New Features

    • Enhanced pull request validation with detailed feedback for conventional title formatting and code ownership verification.
    • Expanded PR feedback integration to simultaneously support multiple quality analysis tools.
    • Added contributor ownership notices for pull request authors not listed as current code owners.
  • Documentation

    • Updated contribution guidelines for codeowners management.
  • Chores

    • Removed legacy development environment setup scripts.

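The CODEOWNERS classification the description above talks about (block malformed or unresolved rules, stop flagging files whose only match is the `*` fallback), as an added example in plain Node that is not the repository's workflow code. It assumes "malformed" means an owner token that is neither an `@user`/`@org/team` handle nor an email, "unresolved" means a handle missing from a known set (constructed here; the real workflow would resolve owners through the GitHub API), and it reduces pattern matching to the fallback `*`, `dir/` prefixes and exact paths.

```javascript
// Added example, not the repository's workflow code: the CODEOWNERS checks the PR
// describes, in plain Node. Assumptions: "malformed" is an owner token that is neither
// an @user/@org-team handle nor an email, "unresolved" is a handle absent from a known
// set (constructed below; the real workflow would resolve it via the GitHub API), and
// matching is reduced to the fallback "*", "dir/" prefixes and exact paths.

const OWNER_RE = /^@[\w-]+(\/[\w.-]+)?$|^[^@\s]+@[^@\s]+$/;

function parseCodeowners(text, knownOwners) {
  const rules = [];
  const problems = [];
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) return; // blank or comment-only line
    // A pattern with no owners is valid syntax: it clears ownership for that path.
    const [pattern, ...owners] = line.split(/\s+/);
    for (const owner of owners) {
      if (!OWNER_RE.test(owner)) problems.push(`line ${i + 1}: malformed owner "${owner}"`);
      else if (!knownOwners.has(owner)) problems.push(`line ${i + 1}: unresolved owner ${owner}`);
    }
    rules.push({ pattern, owners });
  });
  return { rules, problems };
}

function ruleMatches(pattern, path) {
  if (pattern === '*') return true;
  const p = pattern.replace(/^\//, '');
  return p.endsWith('/') ? path.startsWith(p) : path === p;
}

// Last matching rule wins, as in CODEOWNERS. A file whose only match is "*" is what
// the reworked workflow no longer flags; one matched by a rule with no owners is 'none'.
function coverage(rules, path) {
  let winner = null;
  for (const rule of rules) if (ruleMatches(rule.pattern, path)) winner = rule;
  if (!winner || winner.owners.length === 0) return 'none';
  return winner.pattern === '*' ? 'fallback' : 'specific';
}

// Constructed sample mirroring the apps/api layout the PR mentions.
const SAMPLE_CODEOWNERS = [
  '# default owner',
  '* @org/maintainers',
  '/apps/api/ @org/backend',
  '/docs/ @ghost-user',
  '/apps/web/ not-an-owner',
].join('\n');
const KNOWN_OWNERS = new Set(['@org/maintainers', '@org/backend']);
```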
Add contributor-aware CODEOWNERS notices, detailed conventional title
diagnostics, and formatted pytest and pylint failure comments.

Fix application CODEOWNERS paths and document the revised CI behavior.
@Zzackllack Zzackllack requested a review from Copilot June 14, 2026 22:16
@Zzackllack Zzackllack self-assigned this Jun 14, 2026
@Zzackllack Zzackllack added documentation Improvements or additions to documentation enhancement New feature or request labels Jun 14, 2026
@coderabbitai: This comment was marked as resolved.

@coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/codeowners-review.yml (1)

11-15: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reduce pull-requests scope to read-only.

This job reads PR metadata/files and writes comments via the Issues API; pull-requests: write is unnecessary for this flow and expands token blast radius under pull_request_target.

Suggested permission tightening
 permissions:
   contents: read
   issues: write
-  pull-requests: write
+  pull-requests: read
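Review bot: `pull-requests: read` is sufficient only if every write in this job really goes through the Issues API (issue comments), as the comment states; before applying, check the job's github-script steps for any `pulls.*` write call (editing the PR, requesting reviewers), since those would start failing with 403 after the change. `issues: write` is still required for the comment itself.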

As per coding guidelines, "Workflow changes should be reviewed for least privilege and secret exposure."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeowners-review.yml around lines 11 - 15, The
permissions block in the codeowners-review.yml workflow has pull-requests set to
write, but this job only reads PR metadata and writes comments via the Issues
API, which doesn't require write access to pull-requests. Change the
pull-requests permission from write to read to follow the principle of least
privilege and reduce the token blast radius under pull_request_target.

Source: Coding guidelines

🧹 Nitpick comments (1)
.github/workflows/pylint-quality.yml (1)

74-81: Consider pinning the upload-artifact action to a commit SHA for better supply-chain security.

The repository currently uses tag-based action references throughout. While this is a common practice, pinning to specific commit SHAs prevents tags from being inadvertently moved or maliciously reassigned, reducing supply-chain attack surface. This is a straightforward one-line change with no functional impact.

Example using commit SHA
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@ea24e79295cd63c8e080f7a7f33c4b1d0b66ee43  # v7.0.0
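Review bot: a hash pasted from a suggestion should be verified against the upstream tag before merging (compare it with `git ls-remote --tags` on the action repository or the release page for v7.0.0); an unverified pin trades tag-move risk for a pin to whatever that commit happens to be. Keep the trailing `# v7.0.0` comment in sync with the hash, since Dependabot and Renovate read it to track updates to SHA-pinned actions.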
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pylint-quality.yml around lines 74 - 81, The
upload-artifact action reference in the Upload pylint failure output step is
currently pinned to the tag version v7 instead of a specific commit SHA. Change
the uses directive from actions/upload-artifact@v7 to pin it to a specific
commit SHA (e.g., actions/upload-artifact@<commit-hash>) to prevent tag
reassignment risks and improve supply-chain security. This is a single-line
change requiring only the version specifier to be updated.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeowners-review.yml:
- Line 241: The actions/github-script action is referenced with a version tag
(`@v9`) instead of a full commit SHA, which weakens supply-chain integrity.
Replace the unpinned action reference at lines 31, 180, and 241 in
.github/workflows/codeowners-review.yml. For each occurrence of "uses:
actions/github-script@v9", change it to use a pinned full commit SHA format
(e.g., uses: actions/github-script@<full-commit-sha>) to ensure reproducibility
and prevent unexpected changes from version updates.

In @.github/workflows/pr-test-feedback.yml:
- Around line 35-37: The workflow name detection logic uses a ternary operator
that defaults to 'Pytest' for any workflow that isn't 'QA / Pylint Score', which
will cause incorrect behavior if additional QA workflows are added in the
future. Replace the simple ternary check in the isPylint variable assignment
with explicit detection for both known workflow types (check for both 'QA /
Pylint Score' and the Pytest workflow name), and add defensive handling to throw
an error or skip processing if the workflow_run.name does not match either known
workflow, preventing incorrect artifact naming and confusing PR comments for
unknown workflows.
- Around line 67-68: The unzip command on line 68 does not specify which file to
extract from the zip archive. Since actions/upload-artifact@v7 preserves
directory structure and contains files at paths like apps/api/pytest-output.txt,
modify the unzip -p qa-output.zip command to explicitly specify the target file
path instead of extracting all files. Consider using a fallback approach that
attempts to extract from the full path first (apps/api/pytest-output.txt) and
then falls back to a flat structure to handle potential differences in artifact
behavior across versions.

In @.github/workflows/pr-title-conventional.yml:
- Around line 80-85: The markdown injection vulnerability exists because the
current code escapes backticks using backslashes in an inline code span, but
CommonMark does not honor backslash escaping inside inline code, allowing
malicious PR titles to break out and inject markdown. Replace the inline code
approach by removing the replaceAll backtick escaping logic on the line defining
safeTitle, and instead restructure the body array to use a fenced code block
(triple backticks) around process.env.PR_TITLE directly, which treats all
content literally and eliminates the need for any escaping.



📥 Commits

Reviewing files that changed from the base of the PR and between e01bfb7 and 15fd33e.

⛔ Files ignored due to path filters (2)
  • internal/agents/change-log.md is excluded by !internal/**
  • internal/agents/release-ci.md is excluded by !internal/**
📒 Files selected for processing (8)
  • .github/CODEOWNERS
  • .github/CONTRIBUTING.md
  • .github/workflows/codeowners-review.yml
  • .github/workflows/pr-test-feedback.yml
  • .github/workflows/pr-title-conventional.yml
  • .github/workflows/pylint-quality.yml
  • scripts/setup-codex-overlay.sh
  • scripts/startup-script.sh
💤 Files with no reviewable changes (2)
  • scripts/startup-script.sh
  • scripts/setup-codex-overlay.sh
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: copilot-pull-request-reviewer
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

.github/workflows/**/*.{yml,yaml}: CI and release changes must respect protected branches, rulesets, secrets, deploy keys, and fork-safe workflow design
Workflow changes should be reviewed for least privilege and secret exposure

Files:

  • .github/workflows/pylint-quality.yml
  • .github/workflows/pr-title-conventional.yml
  • .github/workflows/pr-test-feedback.yml
  • .github/workflows/codeowners-review.yml
🪛 LanguageTool
.github/CONTRIBUTING.md

[uncategorized] ~81-~81: The official name of this software platform is spelled with a capital “H”.
Context: ...repository are listed in the CODEOWNERS file. CODEOWNERS records on...

(GITHUB)

🪛 zizmor (1.25.2)
.github/workflows/pylint-quality.yml

[error] 76-76: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/codeowners-review.yml

[error] 241-241: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (9)
.github/CODEOWNERS (1)

21-22: LGTM!

.github/CONTRIBUTING.md (1)

81-84: LGTM!

Also applies to: 93-95

.github/workflows/pylint-quality.yml (3)

50-51: LGTM!

54-55: LGTM!

83-85: LGTM!

.github/workflows/pr-test-feedback.yml (3)

46-46: LGTM!

70-111: LGTM!

113-176: LGTM!

.github/workflows/pr-title-conventional.yml (1)

100-142: LGTM!
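
The inline-code escaping problem CodeRabbit raises for pr-title-conventional.yml, as an added example that is not the repository's workflow code: the flagged pattern beside a fenced-block rendering of the title. It goes one step beyond the review's fixed triple-backtick suggestion by sizing the fence to the title's longest backtick run, because a three-backtick fence can itself be closed by a title that contains three backticks. The title would arrive via process.env.PR_TITLE under actions/github-script; here it is a parameter, and the example valid titles are constructed.

```javascript
// Added example, not code from the repository's workflow: building the PR-title
// failure comment so an untrusted title cannot inject markdown. The title would
// come from process.env.PR_TITLE under actions/github-script; here it is a parameter.

// Pattern the review flags: backslash-escaping backticks inside an inline code span.
// CommonMark does not honour backslash escapes inside code spans, so a title that
// contains a backtick still closes the span and whatever follows renders as markdown.
function inlineTitleUnsafe(title) {
  const safeTitle = title.replaceAll('`', '\\`');
  return `Title: \`${safeTitle}\``;
}

// Length of the longest run of consecutive backticks in the title.
function longestBacktickRun(text) {
  let longest = 0;
  for (const run of text.match(/`+/g) ?? []) {
    longest = Math.max(longest, run.length);
  }
  return longest;
}

// Hardened form. A fenced block closes only on a fence of the same character that is
// at least as long as the opening fence, so a fence one backtick longer than any run
// in the title can never be terminated by the title. Three is the CommonMark minimum.
// Newlines are collapsed as well, although the fence length alone already rules out
// a closing fence on any line.
function fencedTitleBlock(title) {
  const fence = '`'.repeat(Math.max(3, longestBacktickRun(title) + 1));
  const oneLine = title.replace(/\r?\n/g, ' ');
  return `${fence}\n${oneLine}\n${fence}`;
}

// Assemble the comment body the way the review suggests: reason, the title shown
// literally, then examples of valid titles (constructed here; use the project's own).
// `reason` is produced by the workflow itself, not taken from the PR.
function buildTitleFailureComment(title, reason) {
  const body = [
    '### PR title does not follow Conventional Commits',
    '',
    `**Reason:** ${reason}`,
    '',
    '**Your title:**',
    fencedTitleBlock(title),
    '',
    '**Examples of valid titles:**',
    '- `feat(api): add rate limiting`',
    '- `fix(ci): upload pylint output artifact`',
  ];
  return body.join('\n');
}
```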

Improve QA artifact handling and comment messaging, harden PR title
rendering, pin reviewed actions, and clean stale CI documentation.
@Zzackllack Zzackllack merged commit d5b8f01 into main Jun 14, 2026
7 checks passed
@Zzackllack Zzackllack deleted the better-ci-cd branch June 14, 2026 22:51