feat: add org-level commit-check.toml and dogfooding workflow #19
- Create commit-check.toml as the org-level base configuration for
the commit-check org. Other repos can inherit it via:
inherit_from = "github:commit-check/.github:commit-check.toml"
- Add .github/workflows/commit-check.yml to dogfood commit-check
on the .github repo itself (validate commit messages, branch
naming, and PR titles on every PR to main).
Commit-Check ✔️
Actionable comments posted: 2
📒 Files selected for processing (2): .github/workflows/commit-check.yml, commit-check.toml
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v7.0.0 | ||
| with: | ||
| fetch-depth: 0 # Required for merge-base checks | ||
| - uses: commit-check/commit-check-action@v2.10.0 |
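Review bot: on the `actions/checkout` step, the `with:` block sets only `fetch-depth: 0`, which leaves `persist-credentials` at its default, so the job token remains available to git in later steps, including the next one that is referenced by the tag `v2.10.0`. Add `persist-credentials: false` under `with:` unless a later step needs to push. Also confirm that the trailing `# v7.0.0` comment names the release the pinned SHA actually resolves to, since that comment is the only human-readable link between the hash and a version.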
🔒 Security & Privacy | 🟠 Major
Pin commit-check-action to a full commit SHA.
Line 19 uses the mutable tag v2.10.0. Since this job has pull-requests: write permission (lines 12–14), using a mutable reference weakens supply-chain security. Pin commit-check-action to the specific commit SHA corresponding to v2.10.0 to ensure reproducible and secure execution, matching the pattern used for actions/checkout on line 16.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/commit-check.yml at line 19, The workflow step using
commit-check/commit-check-action should be pinned to an immutable full commit
SHA instead of the mutable v2.10.0 tag. Update the uses entry in the
commit-check job to reference the exact SHA for that release, matching the
pinning approach already used by actions/checkout, so the action reference is
reproducible and not subject to upstream tag changes.
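The pinning rule applied in the review comment above, as an added example (not part of this PR, CodeRabbit's output, or zizmor): a small checker that classifies every `uses:` reference in a workflow as pinned to a full 40-character commit SHA, unpinned, or local. The function names and the local-action line in the sample are constructed for illustration.

```python
import re

# "uses: owner/repo[/path]@ref", optionally quoted, optionally followed by a comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref: str) -> str:
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # same-repo action, versioned together with the workflow
    if ref.startswith("docker://"):
        # Container actions are immutable only when referenced by digest.
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, sep, rev = ref.rpartition("@")
    if not sep:
        return "unpinned"  # no ref given at all
    # Tags, branches and abbreviated SHAs can all be moved or can collide.
    return "pinned" if FULL_SHA_RE.fullmatch(rev) else "unpinned"


def audit_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, reference, status) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings


# Constructed sample: the two steps quoted in this review, plus a local action.
SAMPLE = """\
steps:
  - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v7.0.0
    with:
      fetch-depth: 0
  - uses: commit-check/commit-check-action@v2.10.0
  - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref, status in audit_uses(SAMPLE):
        print(f"line {lineno}: {status:8} {ref}")
```

The checker only verifies the form of the reference; it does not confirm that a SHA belongs to the release named in the trailing comment.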
| conventional_branch = true | ||
| allow_branch_types = ["feature", "bugfix", "hotfix", "release", "chore", "feat", "fix", "ai", "claude", "codex", "copilot", "cursor"] | ||
| require_rebase_target = "main" | ||
| ignore_authors = ["dependabot[bot]", "copilot[bot]", "pre-commit-ci[bot]", "shenxianpeng"] |
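Review bot: `require_rebase_target = "main"` hard-codes one branch name in a file that other repos are meant to inherit, so a repo whose default branch is named differently would need to override it, and nothing in these lines documents that assumption. Consider leaving this key out of the org-level base and setting it in each repo's own commit-check.toml, or add a comment stating that inheriting repos are expected to use `main`.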
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Restore coderabbitai[bot] in the branch ignore list.
Line 35 diverges from both Line 28 and the stated shared-policy objective: coderabbitai[bot] is no longer ignored for branch checks, while shenxianpeng gets a repo-specific exemption in the org-wide base config. That will make bot-authored PRs fail branch validation unexpectedly.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@commit-check.toml` at line 35, The branch ignore list in commit-check.toml is
missing coderabbitai[bot], which will cause bot-authored PRs to fail validation
unexpectedly. Update the ignore_authors setting to restore coderabbitai[bot]
alongside the existing bot entries, and keep the shared-policy list aligned with
the base config around the commit-check configuration.
actions/checkout with fetch-depth: 0 does not create a local branch ref for main, causing commit-check's require_rebase_target check to fail with "Current branch is not rebased onto target branch". Explicitly fetch origin/main to a local main ref so git merge-base can resolve it correctly.
The merge-base check causes CI failures because actions/checkout does not create a local main branch ref. Remove this option from the org config since it cannot run reliably in a standard PR workflow.
Summary
Create an org-level commit-check.toml as a single source of truth for commit and branch conventions across the commit-check org.
Changes
- commit-check.toml (root) — Org-level base configuration that all repos can inherit via:
  - dependabot, copilot, pre-commit-ci, coderabbitai)
  - ai/, claude/, codex/, copilot/, cursor/)
- .github/workflows/commit-check.yml — Dogfooding workflow that runs commit-check on every PR to main of this repo, validating commit messages, branch names, and PR titles.
Usage in other repos
Add this to any repo's commit-check.toml:
Closes:
Summary by CodeRabbit