feat: generate .cve-fix/examples.md guidance for Observability repos#111
vmrh21 wants to merge 24 commits into ambient-code:main from
Conversation
Analyzes a repository's merged and closed fix PRs to generate compact guidance files (.cve-fix/examples.md, .bugfix/guidance.md) that teach automated workflows how to create PRs matching that repo's conventions. Then opens a PR in the target repo with the generated files.
Commands:
- /guidance.generate <repo-url> — full pipeline: fetch, analyze, generate, PR
- /guidance.update <repo-url> — refresh existing files with new PRs, open update PR
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Previously the workflow skipped generating guidance entirely if a bucket had fewer than 3 merged PRs. This left users with nothing for repos that have few fix PRs.
Now uses an adaptive per-rule threshold based on available data:
- 10+ merged PRs: require 3+ PRs per rule
- 3-9 merged PRs: require 2+ PRs per rule
- 1-2 merged PRs: require 1+ PR per rule + limited-data warning in header
- 0 merged PRs: skip that file (no data to learn from)
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
PR review comments and closing comments can contain control characters (null bytes, form feeds, etc.) that break jq JSON construction when passed through shell variables via --arg.
Changes:
- Add sanitize_str() helper using tr to strip non-printable chars from title and branch fields at extraction time
- Add gsub for U+0000-U+001F control chars inside jq for review bodies and closing comments before they enter shell variables
- Add explicit error handling per PR: failed PRs now print a WARNING with the jq error instead of being silently dropped
- Both guidance.generate and guidance.update updated
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
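Added example (not code from this PR or the workflow) of the sanitize_str idea in the commit above: a tr-based strip of C0 control bytes from a title before it is handed to jq --arg, plus a counter to confirm nothing unsafe is left. The helper names and the sample titles are assumptions.

```shell
#!/bin/sh
# Added example, not the workflow's own code: strip C0 control characters from
# PR metadata before it reaches `jq --arg`. Helper names are hypothetical.

# Delete NUL..BS, VT..US and DEL. Tab and newline are kept so multi-line
# bodies survive; bytes >= 0x80 are untouched so UTF-8 titles stay intact.
sanitize_str() {
  printf '%s' "$1" | tr -d '\000-\010\013-\037\177'
}

# Count the control bytes sanitize_str would remove; 0 means safe for --arg.
count_ctrl() {
  printf '%s' "$1" | tr -cd '\000-\010\013-\037\177' | wc -c | tr -d ' '
}

# Constructed sample: a PR title carrying a form feed and an ANSI escape
# (the CVE id is a placeholder, not a real advisory).
BAD_TITLE=$(printf 'Fix \014CVE-2099-0001 in\033[0m parser')

# Constructed sample with a trailing CR and a non-ASCII name that must survive.
UTF8_TITLE=$(printf 'fix(cve): CVE-2099-0002 - caf\303\251 lib\015')

main() {
  printf 'before: %s control byte(s)\n' "$(count_ctrl "$BAD_TITLE")"
  printf 'after : %s control byte(s)\n' "$(count_ctrl "$(sanitize_str "$BAD_TITLE")")"
  printf 'clean : %s\n' "$(sanitize_str "$UTF8_TITLE")"
}
main
```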
Allows users to analyze specific PRs of their choice instead of fetching the full repo history.
Usage:
/guidance.generate <repo> --pr <url1>,<url2>
/guidance.update <repo> --pr <url1>
Accepts full GitHub PR URLs or plain PR numbers, comma-separated.
Behavior:
- Skips bulk gh pr list entirely; fetches only the specified PRs
- Still auto-classifies into CVE/bugfix buckets by title/branch pattern
- PRs that match neither pattern are included in both buckets with a NOTE, letting Claude classify them during synthesis
- Generated file header includes manual-selection field listing the PRs
- last-analyzed date is still updated to today in guidance.update
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…shold
- README: document --pr flag usage for both commands, add rule threshold table, note --pr mode skips Pass 1 bulk fetch
- ambient.json: update description, systemPrompt core principles, and startupPrompt to reflect --pr flag, adaptive threshold, and control character sanitization
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…pdate
The hard 80-line enforcement in guidance.update was problematic: with a file already at 74 lines, adding 3 new rules would silently drop the lowest-evidence existing rules — including ones deliberately added via --pr.
Changes:
- guidance.generate: 80 lines is now a formatting target, not a hard cap. All rules meeting the evidence threshold are always included.
- guidance.update: remove silent drop logic entirely. New rules are always appended. If the file exceeds 80 lines, the line count is flagged in the PR description with a suggestion to rebuild via /guidance.generate.
- README: add Line Count Behaviour section explaining the distinction.
- Success criteria updated in both command files.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Artifacts are generated output and should not be tracked in the repo, following the same convention as the cve-fixer workflow.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Both commands now accept multiple repos — space-separated, comma-separated, or mixed. Each repo is processed independently in a loop; one failure does not abort the others.
Changes:
- Arguments: accept <repo> [<repo2> ...] or <repo1>,<repo2>,...
- Step 1: parse all repo refs into REPOS array (normalize URLs, deduplicate)
- --pr flag: full URLs apply only to their matching repo; plain numbers apply to all repos via REPO_SPECIFIC_PRS + GLOBAL_PR_NUMBERS maps
- Steps 2-8 (generate) / 2-9 (update): wrapped in for REPO in REPOS loop
- Per-repo cleanup inside the loop; failure skips to next repo
- Summary: lists all repos with PR URLs, skips, and failures
- README and ambient.json updated with multi-repo examples
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…rtupPrompt
1. --pr accepts space-separated, comma-separated, or mixed refs on both
commands (bash already handled this via tr; docs now reflect it)
2. guidance.update gains --cve-only and --bugfix-only flags:
- Parsed in Step 1 alongside other flags
- Skips reading the unwanted guidance file in Step 2
- Zeroes out the skipped bucket's meta file after filtering so all
subsequent steps (fetch details, synthesize, merge) naturally skip it
3. startupPrompt rewritten as an agent directive: instructs the agent to
ask the user which repos and which command, and to help them choose
between generate vs update based on whether guidance files already exist.
Replaces the previous canned greeting.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
For any bucket with fewer than 3 merged PRs, the workflow now scans recent commits as a supplementary signal source. This makes the workflow useful for brand new repos or repos that land fixes directly on branches.
Implementation:
- New step 3.5 (generate) / 4.5 (update): fetch_commit_fallback()
- Triggered when merged PR count < 3 in a bucket
- Skipped entirely when --pr is specified (user chose the data)
- Fetches up to 100 commit messages (lightweight, no file data)
- Filters by CVE/bugfix message patterns
- Fetches file list for up to 50 matched commits (one API call each)
- Builds compact records with source: "commit" field
- Saves to artifacts/guidance/<repo-slug>/raw/<bucket>-commits.json
- Commit records merged into PR detail files via jq -s before synthesis
- Synthesis step updated with source-aware thresholds:
  - PRs: 3/2/1 depending on bucket size (existing adaptive threshold)
  - Commits only: 5 minimum per rule
  - Mixed: 3 total with at least 1 PR
- Evidence notation: (N commits), (N/M merged PRs + K commits)
- Commits cannot populate Don'ts section (no rejection signal)
- Header gains cve-commits/bugfix-commits field when fallback was used
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…ty body scan
The previous pattern only matched explicit CVE numbers, Security: titles,
and fix(cve): prefixes — missing security patches that arrive through
dependency updates (Dependabot, Renovate) or version bumps.
Changes:
- Expand CVE_PATTERN to include dep/bump title patterns:
^Bump , ^deps(, ^build(deps), ^chore.*upgrade, ^chore.*bump
- Expand CVE_BRANCH_PATTERN to include:
^dependabot/, ^renovate/
- Add GHSA- (GitHub Security Advisory IDs) to explicit pass-through patterns
Two-stage filtering to avoid flooding the bucket with all dep updates:
- Dep-pattern matches without explicit CVE/GHSA in title undergo a body scan
- gh pr view --json body fetched only for those PRs (targeted, not all)
- If body lacks security keywords (CVE-, GHSA-, security, vulnerab) → dropped
- Explicit CVE/GHSA/Security titles always pass through unconditionally
Commit fallback: same logic but body check uses MSG_RAW (already fetched),
so zero extra API calls needed for commits.
Applies to both guidance.generate (Step 3) and guidance.update (Step 4),
and to the fetch_commit_fallback calls in both Step 3.5 / 4.5.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
These patterns were too broad — they matched non-security chore commits like 'chore: upgrade golangci-lint' (a linter tool upgrade) regardless of whether the body scan had anything to flag.
The remaining dep patterns are specifically Dependabot/Renovate formats:
^Bump - "Bump X from Y to Z" (Dependabot standard)
^deps\( - "deps(go): bump ..." (conventional commits)
^build\(deps\) - "build(deps): bump ..." (another Dependabot format)
These are narrow enough to be intentional dependency updates. The body scan (checking for CVE-, GHSA-, security, vulnerab) then gates whether they're security-relevant before including them in the CVE bucket.
Changed in 3 places in each command file:
- CVE_DEP_PATTERN definition
- Inline body check condition in fetch_commit_fallback
- fetch_commit_fallback call MSG_PATTERN argument
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
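Added example (not the workflow's own code) of the two-stage filter described in this and the previous commit: explicit CVE/GHSA/Security titles pass unconditionally, the narrow Dependabot/Renovate title formats are gated by a body keyword scan, and everything else is skipped. Function names, the case-insensitive body match, treating dependabot/renovate branches like dep titles, and the sample PRs are assumptions.

```shell
#!/bin/sh
# Added example, not the workflow's own code: two-stage classification of a PR
# into the CVE bucket. Pattern text follows the commit messages; the function
# name and the handling of dependabot/renovate branches are assumptions.

# Stage 1: explicit security signals in the title always pass.
CVE_PATTERN='CVE-[0-9]{4}-[0-9]+|GHSA-|^Security:|^fix\(cve\)'
# Narrow Dependabot/Renovate title formats; these require a body scan.
CVE_DEP_PATTERN='^Bump |^deps\(|^build\(deps\)'
# Branch names that mark an intentional dependency update (assumed gated too).
DEP_BRANCH_PATTERN='^(dependabot|renovate)/'
# Stage 2: keywords that make a dependency update security-relevant.
SECURITY_KEYWORDS='CVE-|GHSA-|security|vulnerab'

# classify_cve TITLE BRANCH BODY -> prints cve:explicit | cve:body | skip:body | skip:none
classify_cve() {
  title=$1; branch=$2; body=$3
  if printf '%s' "$title" | grep -Eq "$CVE_PATTERN"; then
    echo "cve:explicit"; return 0
  fi
  if printf '%s' "$title" | grep -Eq "$CVE_DEP_PATTERN" ||
     printf '%s' "$branch" | grep -Eq "$DEP_BRANCH_PATTERN"; then
    # Only dep-style PRs pay for a body fetch; here the body is passed in.
    # Case-insensitive so "Security" and "security" both count (assumption).
    if printf '%s' "$body" | grep -Eqi "$SECURITY_KEYWORDS"; then
      echo "cve:body"; return 0
    fi
    echo "skip:body"; return 0
  fi
  echo "skip:none"
}

# Constructed sample PRs (CVE/GHSA ids are placeholders, not real advisories).
main() {
  classify_cve 'Security: Fix CVE-2099-0001 (golang.org/x/net)' \
    'fix/cve-2099-0001-x-net-main-attempt-1' ''
  classify_cve 'Bump golang.org/x/net from 0.17.0 to 0.23.0' \
    'dependabot/go_modules/x-net' 'Fixes GHSA-xxxx-xxxx-xxxx reported upstream'
  classify_cve 'Bump lodash from 4.17.20 to 4.17.21' \
    'dependabot/npm/lodash' 'Release notes: faster cloneDeep'
  classify_cve 'chore: upgrade golangci-lint' 'chore/lint' 'Bump the linter'
}
main
```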
Previously the workflow used 'git push origin' which fails if the user
doesn't have write access to the target repo, leaving a hard failure
with no recovery path.
New behavior (same in both guidance.generate and guidance.update):
1. Resolve GH_USER from gh api user (or app installation endpoint for bots)
2. Attempt direct push to origin
3. If direct push fails and gh is authenticated:
a. Check for existing fork: gh repo list GH_USER --fork --json ...
filtering by parent.owner.login + parent.name to match the upstream
b. If no fork: gh repo fork --clone=false; sleep 3 for provisioning
c. If fork creation also fails: print URL, tell user to create manually
d. Add fork remote; push to fork
4. Create PR:
- Direct push: standard gh pr create (no --head needed)
- Fork push: gh pr create --repo UPSTREAM --head FORK_OWNER:BRANCH
5. If not authenticated at all: print exact manual commands and continue
to next repo (does not abort the whole run)
Fork detection uses the correct GitHub API field path:
.parent.owner.login and .parent.name (not .parent.nameWithOwner
which does not exist in the API response)
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Copies the rhoai-manager workflow from angaduom/workflows (add-rhoai-workflow branch).
Includes commands:
- /oc-login - Login to OpenShift cluster
- /rhoai-install - Fresh RHOAI installation
- /rhoai-update - Update RHOAI to latest nightly (supports EA and stable channels)
- /rhoai-uninstall - Uninstall RHOAI
- /rhoai-version - Check installed RHOAI version
- /odh-pr-tracker - Track ODH PRs in RHOAI builds
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
New commands for installing and updating Open Data Hub (ODH) nightlies:
- /odh-install: Fresh ODH install via OLM using odh-stable-nightly catalog
  - Creates CatalogSource, Subscription, DSCInitialization, DataScienceCluster
  - No olminstall needed (uses openshift-operators global OperatorGroup)
- /odh-update: Update existing ODH to latest nightly
  - Updates CatalogSource, forces catalog pod refresh
  - Auto-detects new CSV version (OLM handles upgrade naturally)
  - Falls back to forced reinstall if only component images changed
Key differences from RHOAI:
- Package: opendatahub-operator (vs rhods-operator)
- Namespace: openshift-operators (vs redhat-ods-operator)
- Catalog: quay.io/opendatahub/opendatahub-operator-catalog:odh-stable-nightly
- Channel: fast
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
odh-install: Add RHOAI detection — if rhods-operator CSV found, block install and tell user to run /rhoai-uninstall first with clear message explaining why (shared cluster-scoped DataScienceCluster CRD)
odh-uninstall: New command to cleanly remove ODH including:
- DataScienceCluster and DSCInitialization
- Subscription, CSV, and CatalogSource
- User namespaces and resources (optional keep-crds / keep-all flags)
- CRDs (unless keep-crds)
- Finalizer cleanup for stuck namespaces
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…RHOAI switch
rhoai-install: Add ODH detection — if opendatahub-operator CSV found, block install and direct user to /odh-uninstall first
odh-uninstall: Add explicit guidance that default (no flags) is required when switching to RHOAI — keep-crds/keep-all would leave conflicting CRDs
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- README: add ODH commands section, coexistence warning, switch workflows, updated structure tree with all 9 command files
- ambient.json: update name/description/systemPrompt/startupPrompt to include ODH install/update/uninstall and coexistence guidance
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…ring
Adds a new command to mirror RHOAI operator and component images from a connected cluster to disconnected bastion registries using pod-based mirroring for fast AWS-internal transfers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove RHOAI_VERSION as a user input — detect it automatically from the deployed CSV version on the connected cluster instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ands
mirror-images:
- Add registry fallback (registry.redhat.io → quay.io/rhoai) for nightlies
- Add bastion duplicate check to skip already-mirrored images
- Add IDMS YAML auto-generation script after mirroring
- Expand image categories and infrastructure coverage
rhoai-disconnected:
- Add dependent operator prerequisite check (Service Mesh, Serverless, Pipelines, cert-manager)
- Add disconnected DSC config (nim.airGapped, KServe Headless, TrustyAI)
- Use IDMS entries for bastion path resolution instead of hardcoding
- Make persistenceAgent TLS fix proactive instead of reactive-only
- Expand IDMS verification to cover all required registries
Also includes rhoai-verify command and updated README/ambient.json.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a formatted summary table displayed after mirroring completes, showing total/verified/skipped/failed counts, duration, per-category breakdown, artifact paths, and next steps.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Generate .cve-fix/examples.md guidance for all 14 Observability repos
- Patterns extracted from merged CVE/dependency PRs in stolostron org
- Repos with <3 CVE PRs include org-wide patterns as fallback
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Component Onboarding: Observability (Guidance Regeneration)
Generated .cve-fix/examples.md guidance files for all 14 Observability repos based on analysis of merged CVE/dependency PRs.
Repositories Covered
Key Patterns Extracted
- PR titles: Security: Fix CVE-YYYY-XXXXX (<package>) and fix(cve): CVE-YYYY-XXXXX - <package>
- Branch names: fix/cve-<id>-<pkg>-<branch>-attempt-N
- Files: go.mod + go.sum always together; Dockerfiles for Go version bumps
🤖 Generated by /onboard