ci: add aireceipts pr-check (notice-only cost receipt)#105
ci: add aireceipts pr-check (notice-only cost receipt)#105anandgupta42 wants to merge 3 commits into
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 80d6849f7a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| check: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: npx -y aireceipts-cli@latest pr-check |
There was a problem hiding this comment.
Make the notice-only check non-blocking
Because this is a plain run step, any non-zero exit from npx or aireceipts-cli marks the new aireceipts job as failed. In cases like an npm registry/install failure, a CLI regression, or a GitHub API permission error on a PR, this turns the intended notice-only receipt into a red PR check; add continue-on-error: true or otherwise swallow failures if this workflow must never block builds.
Useful? React with 👍 / 👎.
| - run: npx -y aireceipts-cli@latest pr-check | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} |
There was a problem hiding this comment.
Avoid giving the PR token to an unpinned install
This step gives GH_TOKEN with pull-requests: write to the entire npx ...@latest process, so on same-repository PRs any newly published aireceipts-cli version or npm install/lifecycle code gets a writable PR token before this repo has reviewed that code. Pin the CLI to a vetted version and avoid exposing the token during package installation (or otherwise use a trusted, pinned action) so a bad npm release cannot immediately mutate PRs across the repo.
Useful? React with 👍 / 👎.
| check: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: npx -y aireceipts-cli@latest pr-check |
There was a problem hiding this comment.
WARNING: Missing continue-on-error: true — a tool failure fails this check
The PR describes this as a "notice-only" check that "never fails a build," but this run step has no continue-on-error: true. If npx aireceipts-cli@latest pr-check exits non-zero (npm/network errors, a broken @latest release, or any CLI exception), the check job fails and appears as a red check on the PR — potentially blocking merges under branch protection. Add continue-on-error: true to this step to honor the notice-only intent.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
Code Review SummaryStatus: 2 Issues Found | Recommendation: Address before merge Overview
Issue Details (click to expand)WARNING
Files Reviewed (1 file)
Fix these issues in Kilo Cloud Previous Review Summaries (2 snapshots, latest commit f13c3a2)Current summary above is authoritative. Previous snapshots are kept for context only. Previous review (commit f13c3a2)Status: 1 Issue Found | Recommendation: Address before merge Overview
Issue Details (click to expand)WARNING
Files Reviewed (1 file)
Fix these issues in Kilo Cloud Previous review (commit 80d6849)Status: 1 Issue Found | Recommendation: Address before merge Overview
Issue Details (click to expand)WARNING
Files Reviewed (1 file)
Reviewed by glm-5.2 · Input: 24.3K · Output: 13.6K · Cached: 137.8K |
| check: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: npx -y aireceipts-cli@0.5.0 pr-check |
There was a problem hiding this comment.
WARNING: Missing continue-on-error: true — a tool failure fails this check job
The PR describes this as a "notice-only" check that "never fails a build," but this run step still has no continue-on-error: true. If npx aireceipts-cli@0.5.0 pr-check exits non-zero (npm/network errors, a broken CLI release, or any unhandled exception), the check job fails and renders as a red check on the PR — which can block merges under branch protection. Add continue-on-error: true to this step to honor the notice-only intent.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
|
Hi @suryaiyer95 @kulvirgit — could one of you give this a quick review + approve when you get a moment? 🙏 It's a notice-only aireceipts cost-receipt check (a single |
| check: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: npx -y aireceipts-cli@latest pr-check |
There was a problem hiding this comment.
WARNING: @latest reintroduces an unpinned supply-chain risk with a write token
This commit reverts the @0.5.0 pin (added explicitly for "supply-chain: no mutable @latest with write token") back to @latest. Since the step exposes GH_TOKEN with pull-requests: write, every run resolves and executes whatever aireceipts-cli version is @latest at run time — so a compromised or broken newly published release runs with PR-write capability before this repo has reviewed it. If the floating version is intentional, consider isolating the install step from the write token (or otherwise limiting the token's blast radius) to reduce the risk.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
|
Hi @suryaiyer95 👋 — friendly nudge as the top contributor here. This is a lightweight aireceipts dogfood PR (part of an org-wide rollout). It adds a notice-only CI is green. Could you give it a quick review + merge when you have a moment? (It needs one approving review from someone with write access — admin bypass is off here.) Happy to answer any questions. Thanks! 🙏 |
Adds a notice-only aireceipts cost-receipt check (pr-check) — one self-contained workflow, no external reusable workflow, no org Actions-policy change. Never fails a build; posts an aireceipts cost receipt only once a branch carries an aireceipts receipt ref, otherwise a quiet no-op. Coexists with any existing check; remove anytime by deleting the file. Part of an org-wide aireceipts dogfood.
Note
Low Risk
Low risk: adds an optional PR workflow with minimal repo write scope; uses a floating
@latestnpm CLI on each run, which is a minor supply-chain consideration but not build-blocking.Overview
Introduces
.github/workflows/aireceipts.yml, a new GitHub Actions job onpull_requestthat runsnpx -y aireceipts-cli@latest pr-checkwithGH_TOKEN: ${{ github.token }}.Workflow permissions are scoped to
contents: readandpull-requests: writeso the CLI can read the repo and comment on the PR. This is intended as a notice-only dogfood check (cost receipt when the branch has an aireceipts receipt ref; otherwise no-op) and is additive—remove the file to turn it off.Reviewed by Cursor Bugbot for commit ed1328e. Bugbot is set up for automated code reviews on this repo. Configure here.