Skip to content

ci: add aireceipts pr-check (notice-only cost receipt)#105

Open
anandgupta42 wants to merge 3 commits into
mainfrom
dogfood/aireceipts-pr-check
Open

ci: add aireceipts pr-check (notice-only cost receipt)#105
anandgupta42 wants to merge 3 commits into
mainfrom
dogfood/aireceipts-pr-check

Conversation

@anandgupta42

@anandgupta42 anandgupta42 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Adds a notice-only aireceipts cost-receipt check (pr-check) — one self-contained workflow, no external reusable workflow, no org Actions-policy change. Never fails a build; posts an aireceipts cost receipt only once a branch carries an aireceipts receipt ref, otherwise a quiet no-op. Coexists with any existing check; remove anytime by deleting the file. Part of an org-wide aireceipts dogfood.


Note

Low Risk
Low risk: adds an optional PR workflow with minimal repo write scope; uses a floating @latest npm CLI on each run, which is a minor supply-chain consideration but not build-blocking.

Overview
Introduces .github/workflows/aireceipts.yml, a new GitHub Actions job on pull_request that runs npx -y aireceipts-cli@latest pr-check with GH_TOKEN: ${{ github.token }}.

Workflow permissions are scoped to contents: read and pull-requests: write so the CLI can read the repo and comment on the PR. This is intended as a notice-only dogfood check (cost receipt when the branch has an aireceipts receipt ref; otherwise no-op) and is additive—remove the file to turn it off.

Reviewed by Cursor Bugbot for commit ed1328e. Bugbot is set up for automated code reviews on this repo. Configure here.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 80d6849f7a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Make the notice-only check non-blocking

Because this is a plain run step, any non-zero exit from npx or aireceipts-cli marks the new aireceipts job as failed. In cases like an npm registry/install failure, a CLI regression, or a GitHub API permission error on a PR, this turns the intended notice-only receipt into a red PR check; add continue-on-error: true or otherwise swallow failures if this workflow must never block builds.

Useful? React with 👍 / 👎.

Comment on lines +10 to +12
- run: npx -y aireceipts-cli@latest pr-check
env:
GH_TOKEN: ${{ github.token }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid giving the PR token to an unpinned install

This step gives GH_TOKEN with pull-requests: write to the entire npx ...@latest process, so on same-repository PRs any newly published aireceipts-cli version or npm install/lifecycle code gets a writable PR token before this repo has reviewed that code. Pin the CLI to a vetted version and avoid exposing the token during package installation (or otherwise use a trusted, pinned action) so a bad npm release cannot immediately mutate PRs across the repo.

Useful? React with 👍 / 👎.

check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Missing continue-on-error: true — a tool failure fails this check

The PR describes this as a "notice-only" check that "never fails a build," but this run step has no continue-on-error: true. If npx aireceipts-cli@latest pr-check exits non-zero (npm/network errors, a broken @latest release, or any CLI exception), the check job fails and appears as a red check on the PR — potentially blocking merges under branch protection. Add continue-on-error: true to this step to honor the notice-only intent.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@kilo-code-bot

kilo-code-bot Bot commented Jul 8, 2026

Copy link
Copy Markdown

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 2
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/aireceipts.yml 10 @latest with pull-requests: write token reintroduces an unpinned supply-chain risk (reverts the @0.5.0 pin).
.github/workflows/aireceipts.yml 10 Still missing continue-on-error: true; a CLI/npx failure fails the check job, contradicting the notice-only intent.
Files Reviewed (1 file)
  • .github/workflows/aireceipts.yml - 2 issues

Fix these issues in Kilo Cloud

Previous Review Summaries (2 snapshots, latest commit f13c3a2)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit f13c3a2)

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/aireceipts.yml 10 Missing continue-on-error: true — a CLI/npx failure fails the check job, contradicting the "never fails a build" notice-only intent.
Files Reviewed (1 file)
  • .github/workflows/aireceipts.yml - 1 issue

Fix these issues in Kilo Cloud

Previous review (commit 80d6849)

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
.github/workflows/aireceipts.yml 10 Missing continue-on-error: true — a CLI/npx failure fails the check job, contradicting the "never fails a build" notice-only intent.
Files Reviewed (1 file)
  • .github/workflows/aireceipts.yml - 1 issue

Fix these issues in Kilo Cloud


Reviewed by glm-5.2 · Input: 24.3K · Output: 13.6K · Cached: 137.8K

Comment thread .github/workflows/aireceipts.yml Outdated
check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@0.5.0 pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Missing continue-on-error: true — a tool failure fails this check job

The PR describes this as a "notice-only" check that "never fails a build," but this run step still has no continue-on-error: true. If npx aireceipts-cli@0.5.0 pr-check exits non-zero (npm/network errors, a broken CLI release, or any unhandled exception), the check job fails and renders as a red check on the PR — which can block merges under branch protection. Add continue-on-error: true to this step to honor the notice-only intent.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

@anandgupta42

Copy link
Copy Markdown
Contributor Author

Hi @suryaiyer95 @kulvirgit — could one of you give this a quick review + approve when you get a moment? 🙏

It's a notice-only aireceipts cost-receipt check (a single .github/workflows/aireceipts.yml, pull-requests: write, never fails a build — it posts a cost receipt only once a branch carries an aireceipts ref, otherwise a quiet no-op). Part of an org-wide aireceipts dogfood; it's blocked only on the required 1 approving review. Remove anytime by deleting the file. Thanks!

check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: @latest reintroduces an unpinned supply-chain risk with a write token

This commit reverts the @0.5.0 pin (added explicitly for "supply-chain: no mutable @latest with write token") back to @latest. Since the step exposes GH_TOKEN with pull-requests: write, every run resolves and executes whatever aireceipts-cli version is @latest at run time — so a compromised or broken newly published release runs with PR-write capability before this repo has reviewed it. If the floating version is intentional, consider isolating the install step from the write token (or otherwise limiting the token's blast radius) to reduce the risk.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant