ci: refine PR template and add PR submission checks#4076
seefs001 wants to merge 1 commit into QuantumNous:main from
Conversation
Walkthrough: Updates the PR template with stricter submission guidance requiring Issue associations for bug fixes and new features, adds anti-AI-slop recommendations, and implements a new GitHub Actions workflow to automatically enforce PR quality standards including template validation, anti-spam detection, and minimum account age checks.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-check.yml:
- Around line 9-10: The pull_request_target trigger currently only lists types:
[opened, reopened]; update the pull_request_target types array to also include
synchronize and edited so the workflow runs when new commits are pushed to a PR
or its title/description is changed (i.e., change the types value on
pull_request_target to include "synchronize" and "edited" alongside "opened" and
"reopened").
- Line 16: Replace the mutable tag usage "peakoss/anti-slop@v0.2.1" with the
action's immutable full commit SHA to eliminate supply-chain risk; locate the
step that uses peakoss/anti-slop in the pull_request_target workflow (note the
workflow has pull-requests: write permission) and update the reference to
"peakoss/anti-slop@<full-commit-sha>" where <full-commit-sha> is the exact
40-character commit hash from the action repository's commit you want to pin.
📒 Files selected for processing (2)
.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
.github/workflows/pr-check.yml
  pull_request_target:
    types: [opened, reopened]
🧩 Analysis chain
🏁 Script executed:
cd .github/workflows && ls -la
Repository: QuantumNous/new-api
Length of output: 576
🏁 Script executed:
cat -n .github/workflows/pr-check.yml | head -20
Repository: QuantumNous/new-api
Length of output: 519
🌐 Web query:
GitHub Actions pull_request_target event types documentation
💡 Result:
The pull_request_target event in GitHub Actions triggers workflows on pull request activity (similar to pull_request), but runs in the context of the base branch (target branch) of the pull request, using the workflow file from the base branch. This grants access to repository secrets and a read/write GITHUB_TOKEN, even for PRs from forks, enabling actions like labeling or commenting on PRs. Supported activity types (triggering actions) are the same as pull_request: by default opened, synchronize, reopened. All pull_request types are supported, including assigned, unassigned, review_requested, review_request_removed, labeled, unlabeled, closed, etc. Specify with types: to limit. Example: on: pull_request_target: types: [opened, synchronize, reopened] Official documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target (results 3,5). Security note: Use cautiously; do not checkout untrusted PR code without safeguards, as it has elevated permissions.
Citations:
- 1: https://docs.github.com/actions/reference/workflows-and-actions/events-that-trigger-workflows
- 2: https://docs.github.com/actions/using-workflows/events-that-trigger-workflows
- 3: https://www.qobiltu.id
- 4: https://stackoverflow.com/questions/74957218/what-is-the-difference-between-pull-request-and-pull-request-target-event-in-git
- 5: https://runs-on.com/github-actions/pull-request-vs-pull-request-target
Add missing event types to re-run checks on PR updates.
The current configuration only triggers on opened and reopened, but omits synchronize (new commits) and edited (description/title changes). This prevents automatic validation of important updates to pull requests, weakening code quality enforcement.
🔧 Suggested update
on:
pull_request_target:
- types: [opened, reopened]
+ types: [opened, reopened, edited, synchronize, ready_for_review]
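Review bot: the suggested list adds ready_for_review, which the comment above only motivates for synchronize and edited; either say why a draft-to-ready transition should re-run the checks or drop it from the suggestion. Every type added here is one more occasion on which this pull_request_target job runs with the base branch's pull-requests: write token against a fork PR, so the job must keep not checking out or executing the PR head, as the web result quoted above warns.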
  pr-quality:
    runs-on: ubuntu-latest
    steps:
      - uses: peakoss/anti-slop@v0.2.1
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify whether any workflow actions are pinned by mutable refs (tags/branches)
rg -n '^\s*-?\s*uses:\s+[^@]+@(v[0-9].*|main|master)$' .github/workflows/*.yml .github/workflows/*.yaml || true
# Expected after fix: no matches for mutable refs in security-sensitive workflows.
Repository: QuantumNous/new-api
Length of output: 1033
🏁 Script executed:
cat .github/workflows/pr-check.yml
Repository: QuantumNous/new-api
Length of output: 1254
🌐 Web query:
peakoss/anti-slop v0.2.1 commit hash SHA github
💡 Result:
The commit hash (short SHA) for peakoss/anti-slop v0.2.1 is 85daca1. This is the commit to which the v0.2.1 tag points, as shown on the GitHub tags and releases pages. The full SHA is not explicitly listed in the search results, but GitHub typically displays the first 7 characters as the short SHA, and 85daca1 is consistently associated with this release across official GitHub pages. The commit is signed by peaklabs-dev and titled "chore(release): v0.2.1". View it at peakoss/anti-slop@85daca1.
Citations:
- 1: https://github.com/peakoss/anti-slop/releases/tag/v0.2.1
- 2: https://github.com/peakoss/anti-slop/tags
- 3: https://github.com/peakoss/anti-slop/releases
Pin third-party action to a full commit SHA.
Line 16 references peakoss/anti-slop@v0.2.1 by tag. In a pull_request_target workflow with pull-requests: write permission, this is a supply-chain risk. Tags are mutable and can be re-tagged with malicious code. Pin to an immutable commit SHA instead.
🔒 Suggested update
- - uses: peakoss/anti-slop@v0.2.1
+ - uses: peakoss/anti-slop@85daca1 # pin release immutably
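Review bot: the replacement line pins to the 7-character short SHA 85daca1, but the comment's own prompt (at the top of this review) asks for the exact 40-character commit hash, and the web result above admits the full SHA was not found. A short SHA is not the immutable full-length pin the comment argues for; resolve the full hash first, for example with `git ls-remote https://github.com/peakoss/anti-slop 'refs/tags/v0.2.1^{}'` (the `^{}` peels an annotated tag to its commit), and keep a trailing `# v0.2.1` comment so the version stays readable and dependency-update tooling can still track it.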
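The two review points above (re-running the job on PR updates, and refusing tag or short-SHA pins in a pull_request_target workflow) can be checked mechanically. The script below is an added example, not code from this PR or from the new-api repository: it audits a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, which is the check CodeRabbit's rg one-liner above approximates, extended to also flag short SHAs. The sample workflow it scans is constructed here; its `on:` block shows the expanded trigger list, and the 40-zero SHA is a placeholder, not the real commit behind v0.2.1.

```shell
#!/bin/sh
# Added example, not part of the PR or the new-api project: audit a GitHub
# Actions workflow for `uses:` references that are not pinned to a full
# 40-character commit SHA. Tags (v0.2.1), branches (main) and 7-character
# short SHAs (85daca1) are all reported; only the full hash is immutable.

# Print "<line>:<ref>" for every step whose action ref is not a 40-hex-char SHA.
# Local actions (./path) and docker:// images are skipped: they are not git refs.
unpinned_uses() {
    awk -v q="'" '
        /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
            ref = $0
            sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)
            sub(/[[:space:]]+#.*$/, "", ref)     # drop a trailing YAML comment
            gsub(/"/, "", ref); gsub(q, "", ref)  # drop optional quotes
            if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
            n = split(ref, parts, "@")
            if (n != 2 || length(parts[2]) != 40 || parts[2] !~ /^[0-9a-f]+$/)
                print NR ":" ref
        }' "$1"
}

# Number of unpinned references as a plain integer, suitable for a CI gate.
count_unpinned() {
    unpinned_uses "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow: a hardened variant of the pr-check.yml discussed
# in the review. The 40-zero SHA is a placeholder, not the real v0.2.1 commit.
SAMPLE_WORKFLOW="$(mktemp)"
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: PR checks
on:
  pull_request_target:
    # re-run on pushes, title/body edits and draft -> ready, not only open/reopen
    types: [opened, reopened, edited, synchronize, ready_for_review]
permissions:
  contents: read
  pull-requests: write
jobs:
  pr-quality:
    runs-on: ubuntu-latest
    # No actions/checkout of the PR head here: pull_request_target runs with the
    # base branch's write token, so untrusted PR code must never be executed.
    steps:
      - uses: peakoss/anti-slop@v0.2.1   # mutable tag: flagged
      - uses: peakoss/anti-slop@85daca1  # 7-char short SHA: flagged, not a full pin
      - uses: peakoss/anti-slop@0000000000000000000000000000000000000000 # v0.2.1 (placeholder SHA)
      - uses: ./.github/actions/local-check
EOF

# Usage: list the offenders, then report the count a CI gate would fail on.
unpinned_uses "$SAMPLE_WORKFLOW"
echo "unpinned references: $(count_unpinned "$SAMPLE_WORKFLOW")"
```

Run against the repository's own files with `unpinned_uses .github/workflows/pr-check.yml`; a non-zero `count_unpinned` is what a pre-merge check would fail on. The full-SHA line passes only because the placeholder is 40 hex characters, which is exactly why the real hash, not the short form, belongs in the workflow.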
Refine the PR template and introduce a check for AI slop that lacks human involvement.
Before merging, the GitHub Action's environment variables need to be set first.