Skip to content

ci(bump-callers): wire cloud-code-bot review identity into flagged callers (BE-1814)#32

Open
mattmillerai wants to merge 1 commit into
mainfrom
matt/be-1814-wire-bot-identity-callers
Open

ci(bump-callers): wire cloud-code-bot review identity into flagged callers (BE-1814)#32
mattmillerai wants to merge 1 commit into
mainfrom
matt/be-1814-wire-bot-identity-callers

Conversation

@mattmillerai

Copy link
Copy Markdown
Contributor

ELI-5

The cursor-review bot can now post its review under a dedicated cloud-code-bot identity instead of the generic github-actions[bot] (that ability landed in Story 1.1, PR #13). Each consumer repo has to opt in by adding two lines to its thin caller: the app id (bot_app_id) and the paired private key secret. Rather than hand-edit every repo, this teaches the existing caller-bump workflow to add those two lines automatically — but only for the repos that actually hold the cloud-code-bot creds. Repos without the creds are untouched and keep posting as github-actions[bot].

What & why

Story 1.3 of BE-1800, refit to the existing cloud-code-bot creds (vars.APP_ID = app 2016716 / secrets.CLOUD_CODE_BOT_PRIVATE_KEY). No new secrets to provision — each consumer maps creds it already has.

  • .github/cursor-review/wire-bot-identity.py (new) — idempotently injects into a caller:

    • bot_app_id: ${{ vars.APP_ID }} as the first child of with:
    • BOT_APP_PRIVATE_KEY: ${{ secrets.CLOUD_CODE_BOT_PRIVATE_KEY }} under secrets:

    It edits only those two anchors (line-based, not a PyYAML round-trip) so the fan-out PR diff is exactly the wiring — the callers' comments, folded diff_excludes, and SHA-pin lines are preserved byte-for-byte. Already-wired callers are a no-op.

  • bump-cursor-review-callers.yml — each CALLERS entry gains a 4th wire_bot field. When set, the caller is piped through the helper alongside the SHA bump. Flagged only for repos confirmed to hold the creds:

    • cloud + comfy-cloud-mcp-server — already wired by hand ⇒ injection is a verified no-op (they still get the SHA bump).
    • comfy-inapp-agent + Comfy-iOS — their cursor-review-auto-label.yml callers already use vars.APP_ID + secrets.CLOUD_CODE_BOT_PRIVATE_KEY, so the creds are provisioned. These are the repos this actually wires.
    • Not flagged: comfy-local-mcp / ComfySwiftSDK / comfy-infra / the public OSS repos (no cloud-code-bot creds), and not swarmhost (its own caller comment states the app isn't provisioned there yet).
  • Added unit tests (tests/test_wire_bot_identity.py, 8 cases) that run under the existing test-cursor-review-scripts.yml CI.

Non-breaking / incremental: both bot_app_id (input) and BOT_APP_PRIVATE_KEY (secret) are optional in the reusable workflow — a caller without them keeps posting as github-actions[bot].

How it propagates

This PR gives the bump workflow the capability; the wiring lands in the consumer repos the next time the workflow runs — either on the next cursor-review.yml push, or via a manual workflow_dispatch after merge (recommended, to propagate to comfy-inapp-agent + Comfy-iOS immediately without waiting for an upstream change).

Verification

  • Full python3 -m unittest discover suite green (22 tests: 8 new + 14 existing).
  • End-to-end simulation of bump_one's transform against the real remote callers:
    • comfy-inapp-agent / Comfy-iOS → SHA bump + wiring added (exactly 1 bot_app_id + 1 BOT_APP_PRIVATE_KEY, valid YAML, parsed values are the ticket's mapping).
    • cloud / mcp-server → SHA bump only, wiring a verified no-op (no duplicate keys).
    • swarmhost → SHA bump only, no wiring.
    • A caller already at the target SHA and wired → correctly skipped (the new content-equality skip converges — no no-op PRs, no PR loop).
  • bash -n on the extracted run script; confirmed no GitHub-Actions expression tokens leak into the run: block (they'd be interpolated at parse time).

Judgment calls

  • Chesterton's Fence: replaced the old grep -qF "$NEW_SHA" early-skip with a content-equality check (NEW_CONTENT == OLD_CONTENT). Intent (avoid no-op PRs) is preserved and generalized so a wiring-only change on an already-SHA-current caller still opens a PR. Idempotent injection guarantees convergence.
  • Scope of wire_bot: deliberately conservative — flagged only where creds are provably present (existing wiring or an auto-label caller using the same app). swarmhost excluded per its own caller's note. A repo that references a missing secret would still degrade safely to github-actions[bot], but flagging one without the app would be misleading, so it's opt-in per caller.
  • actions/checkout SHA-pinned to match the repo's pin policy (README) and cursor-review.yml.

…llers (BE-1814)

Story 1.3 of BE-1800: fan out the optional bot-identity wiring the reusable
cursor-review.yml gained in Story 1.1 (PR #13) through the caller-bump workflow
instead of hand-editing each consumer.

- New idempotent helper .github/cursor-review/wire-bot-identity.py injects
  bot_app_id: ${{ vars.APP_ID }} under with: and
  BOT_APP_PRIVATE_KEY: ${{ secrets.CLOUD_CODE_BOT_PRIVATE_KEY }} under secrets:,
  preserving comments/formatting (line-based, not a YAML round-trip).
- bump-cursor-review-callers.yml gains a per-caller wire_bot flag (4th field);
  flagged only for repos that already hold the creds (cloud, mcp-server,
  comfy-inapp-agent, Comfy-iOS). Others stay github-actions[bot] (non-breaking).
- Skip check is now content-based so a wiring-only change still opens a PR.
- Unit tests for the helper run under the existing test-cursor-review-scripts CI.
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 39 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 60cac003-d32f-4d88-8497-494f0e4e0ef0

📥 Commits

Reviewing files that changed from the base of the PR and between 3ea5dce and 4758456.

📒 Files selected for processing (3)
  • .github/cursor-review/tests/test_wire_bot_identity.py
  • .github/cursor-review/wire-bot-identity.py
  • .github/workflows/bump-cursor-review-callers.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch matt/be-1814-wire-bot-identity-callers
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch matt/be-1814-wire-bot-identity-callers

Comment @coderabbitai help to get the list of available commands.

@mattmillerai mattmillerai added the agent-coded Authored by the agent-work loop label Jul 16, 2026
@mattmillerai
mattmillerai marked this pull request as ready for review July 16, 2026 20:14
@mattmillerai mattmillerai added the cursor-review Multi-model cursor review label Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

agent-coded Authored by the agent-work loop cursor-review Multi-model cursor review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant