fix(observability): keep github scope repo-bound#5353
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-12 21:48:08 UTC
⏸️ Suggested Action - Manual Review Review summary Blockers
Nits — 5 non-blocking
Concerns raised — review before merging
📋 Copy for AI agents — paste into your coding agent
Review context
Contributor next steps
Signal definitions
[BETA] Chat with GittensoryAsk Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
8a98ca6 to
de0517a
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5353 +/- ##
==========================================
- Coverage 94.71% 94.67% -0.04%
==========================================
Files 555 555
Lines 44526 44526
Branches 14664 14664
==========================================
- Hits 42172 42155 -17
- Misses 1619 1636 +17
Partials 735 735
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Motivation
org:<owner>value that could expose metadata for repositories the reporting DB does not track.repo:<owner>/<repo>qualifiers so dashboard queries are strictly bounded to tracked repositories.Description
grafana/dashboards/github-prs.jsonto remove the synthesizedAll repos/org:option and emit only explicitrepo:<owner>/<repo>entries fromreview_targets, and update the variable description and default current value accordingly.test/unit/selfhost-grafana-dashboard.test.tsto assert the scope query is query-backed but never containsorg:orAll repos, and add a regression test that verifies only repo-scoped rows are produced.cf-typegenstep, producing an updatedworker-configuration.d.tsso thecf-typegen:checkremains current.Testing
npx vitest run test/unit/selfhost-grafana-dashboard.test.tsand all tests in that file passed.npm run selfhost:validate-observabilityto validate Grafana dashboards and Prometheus alert rules and it reported the observability configs are valid.npm run cf-typegenwhich updatedworker-configuration.d.tsto keep runtime types in sync.npm run test:ciwhich progressed through several pre-checks but stopped attsc --noEmit(npm run typecheck) due to existing TypeScript errors in unrelated files, so the full CI gate did not complete successfully.npm audit --audit-level=moderatebut the registry audit endpoint returned403 Forbidden, so the security audit step could not be completed.Codex Task