Skip to content

fix(observability): keep github scope repo-bound#5353

Merged
JSONbored merged 1 commit into
mainfrom
codex/propose-fix-for-github-repo-visibility-issue
Jul 12, 2026
Merged

fix(observability): keep github scope repo-bound#5353
JSONbored merged 1 commit into
mainfrom
codex/propose-fix-for-github-repo-visibility-issue

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • Prevent the Grafana GitHub panels from accepting an implicit org-wide org:<owner> value that could expose metadata for repositories the reporting DB does not track.
  • Replace the synthesized "All repos" option with explicit repo:<owner>/<repo> qualifiers so dashboard queries are strictly bounded to tracked repositories.

Description

  • Change grafana/dashboards/github-prs.json to remove the synthesized All repos/org: option and emit only explicit repo:<owner>/<repo> entries from review_targets, and update the variable description and default current value accordingly.
  • Update test/unit/selfhost-grafana-dashboard.test.ts to assert the scope query is query-backed but never contains org: or All repos, and add a regression test that verifies only repo-scoped rows are produced.
  • Regenerate Cloudflare worker runtime types via the cf-typegen step, producing an updated worker-configuration.d.ts so the cf-typegen:check remains current.

Testing

  • Ran the dashboard unit test file with npx vitest run test/unit/selfhost-grafana-dashboard.test.ts and all tests in that file passed.
  • Ran npm run selfhost:validate-observability to validate Grafana dashboards and Prometheus alert rules and it reported the observability configs are valid.
  • Ran npm run cf-typegen which updated worker-configuration.d.ts to keep runtime types in sync.
  • Ran npm run test:ci which progressed through several pre-checks but stopped at tsc --noEmit (npm run typecheck) due to existing TypeScript errors in unrelated files, so the full CI gate did not complete successfully.
  • Ran npm audit --audit-level=moderate but the registry audit endpoint returned 403 Forbidden, so the security audit step could not be completed.

Codex Task

@JSONbored JSONbored marked this pull request as draft July 12, 2026 14:49
@JSONbored JSONbored self-assigned this Jul 12, 2026
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 12, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-12 21:48:08 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · clean

⏸️ Suggested Action - Manual Review

Review summary
This PR removes the synthesized org:<owner> scope value from the Grafana GitHub dashboard's scope variable and replaces it with strictly repo:<owner>/<repo> qualifiers pulled from review_targets, updating the description, default current value, and query text consistently. The accompanying test changes correctly assert the new query never emits 'org:' or 'All repos' and pin the expected row output to only repo-scoped entries, which matches the new SQL. The change is small, self-contained, and the security rationale (avoiding org-wide token scope leaking untracked private repos) is sound and clearly stated.

Blockers

  • grafana/dashboards/github-prs.json:22 still hardcodes the dashboard's current scope to repo:JSONbored/gittensory, so a self-hoster that does not track that repository can load the dashboard with a scope outside review_targets; change it to an empty/default variable value that Grafana resolves from the query, or tell me why Grafana cannot issue panel queries before the query-backed variable refreshes.
  • Pull request fix(observability): keep github scope repo-bound #5353 does not close or clearly link an eligible open repository issue; link the maintainer-authorized issue this observability change is meant to close before this can proceed.
Nits — 5 non-blocking
  • The PR description does not reference or link an eligible open issue justifying this change, which this repo's contribution policy requires for external PRs.
  • grafana/dashboards/github-prs.json: the queryText/rawQueryText duplication (identical strings) is pre-existing pattern from before the diff, but consider deriving one from the other to avoid drift, nit only.
  • Confirm with the maintainers whether this fix should link a tracked issue (e.g., an org-scope security concern) per repo policy before merge.
  • Consider adding a one-line changelog/comment near the dashboard JSON scope variable noting the security rationale so future edits don't reintroduce an org: option.
  • nit: test/unit/selfhost-grafana-dashboard.test.ts should also assert scope.current is not a hardcoded repo value, since the current regression only checks rawQueryText and missed the remaining fixed repository scope.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
📋 Copy for AI agents — paste into your coding agent
Fix the following blocker(s) from this PR review:

1. No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

2. Maintainer requires a linked issue — Link the relevant issue (for example `Closes #123`) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 44 registered-repo PR(s), 36 merged, 435 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 44 PR(s), 435 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ⚠️ ℹ️ Insufficient signal risk: clean · value: insufficient-signal — Nothing measurable for the structural-improvement analyzers on this PR (e.g. no code files changed).
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, Ruby, Go, JavaScript, MDX, Shell, Solidity
  • Official Gittensor activity: 44 PR(s), 435 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@JSONbored JSONbored force-pushed the codex/propose-fix-for-github-repo-visibility-issue branch from 8a98ca6 to de0517a Compare July 12, 2026 21:32
@JSONbored JSONbored marked this pull request as ready for review July 12, 2026 21:32
@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.67%. Comparing base (ecb18c1) to head (de0517a).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5353      +/-   ##
==========================================
- Coverage   94.71%   94.67%   -0.04%     
==========================================
  Files         555      555              
  Lines       44526    44526              
  Branches    14664    14664              
==========================================
- Hits        42172    42155      -17     
- Misses       1619     1636      +17     
  Partials      735      735              
Flag Coverage Δ
shard-1 43.77% <ø> (-0.25%) ⬇️
shard-2 35.22% <ø> (-0.01%) ⬇️
shard-3 32.07% <ø> (+0.06%) ⬆️
shard-4 31.56% <ø> (-0.53%) ⬇️
shard-5 33.12% <ø> (+0.39%) ⬆️
shard-6 43.75% <ø> (+0.27%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 12, 2026
@JSONbored JSONbored merged commit 15b267c into main Jul 12, 2026
18 checks passed
@JSONbored JSONbored deleted the codex/propose-fix-for-github-repo-visibility-issue branch July 12, 2026 21:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant