Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .github/workflows/aireceipts.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: aireceipts
on: [pull_request]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use a writable event for fork PR receipts

For pull requests from forks or Dependabot, this pull_request trigger downgrades GITHUB_TOKEN write scopes to read-only even though the workflow asks for pull-requests: write (GitHub's workflow syntax docs state that forked PR write permissions are changed to read unless the repository explicitly sends write tokens). In that context, a branch that carries an aireceipts receipt ref still cannot have the receipt posted back to the PR, so the new check silently misses the external-contributor cases it is meant to annotate; use a safe pull_request_target/separate trusted posting path or explicitly gate/skip those events.

Useful? React with 👍 / 👎.

permissions:
contents: read
pull-requests: write
jobs:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[SUGGESTION]: Add a concurrency group to cancel superseded runs.

This workflow runs on every pull_request event with no concurrency control, so each push to a PR starts a new job (re-downloading aireceipts-cli@latest each time) while earlier runs may still be in flight. A workflow-level concurrency group keyed on the PR ref with cancel-in-progress: true cancels superseded runs and avoids wasted CI across every PR in the repo:

concurrency:
  group: aireceipts-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

Reply with @kilocode-bot fix it to have Kilo Code address this issue.

check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep the notice-only receipt step from failing PRs

In the .github/workflows/aireceipts.yml workflow I checked, this step is the whole job and it has no continue-on-error or || true, so any non-zero exit from npx—including failing to resolve/download aireceipts-cli@latest before the CLI's own notice-only handling runs—marks the PR workflow as failed. npx --help describes this as running a command from a local or remote npm package, so this adds a remote package-resolution failure mode that can turn a best-effort receipt into a red PR check; make the step/job explicitly non-blocking if the workflow is meant to never fail builds.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pin the npm CLI before granting PR write access

This job runs aireceipts-cli@latest with GH_TOKEN set to a token that requests pull-requests: write; since npx --help confirms this resolves and runs a local or remote npm package at workflow time, any later publish or compromise of that npm package immediately gets write access to PR metadata/comments without a repo change. Pin the package to an audited version (or vend/pin an action by digest/SHA) before passing it the write-scoped token.

Useful? React with 👍 / 👎.

env:
GH_TOKEN: ${{ github.token }}
Loading