
feat(ci): canonical bypass-audit standard + pipeline drift detection#51

Merged
chris-yyau merged 3 commits into main from fix/bypass-audit-dedup-guard on Jun 5, 2026

Conversation

@chris-yyau (Owner) commented Jun 4, 2026

What

Two things, one foundation:

  1. Single canonical bypass-audit standard — adopt diveanddev.com's design as helmet's template: push-only, identity-skip only (no commit-message skip a human could forge), fail-the-run on an indeterminate PR-lookup, and no dedup (issue metadata is mutable → a title/SHA dedup is an insider-editable suppression primitive; the org audit log is the authoritative trail).
  2. Pipeline drift detection — every generated workflow now carries a # helmet-pipeline: vX.Y.Z stamp, and scripts/check-pipeline-drift.sh flags any repo behind the canonical (read from helmet's own template stamp, so unrelated plugin bumps don't cause false drift).

Why

helmet vendors workflows into each repo at onboarding, so they froze at their adoption generation — chrisyau.me/jikdak sat at v1.12 while a freshly-authored diveanddev.com was far ahead. Dependabot bumps action SHAs but never the logic, so the drift was silent. This makes the design uniform and the drift loud — while keeping every repo self-contained (no reusable-workflow coupling; see ADR-0001 for why).

Changes

  • .github/workflows/bypass-audit.yml — canonical design + version stamp.
  • skills/helmet/SKILL.md — excerpt + detection-logic updated to match; stamp instruction.
  • scripts/check-pipeline-drift.sh — fleet drift scanner (shellcheck-clean).
  • .helmet-fleet.example + .gitignore — fleet-list scaffolding.
  • docs/adr/0001-bypass-audit-standard-and-drift-detection.md — the decision record.

Follow-up (separate, after this lands)

  • Converge the 5 push-time repos (busdriver, perch, chrisyau.me, jikdak, growth-engine) to the standard + stamp; close the 6 superseded dedup PRs.
  • diveanddev.com = the reference (no change). seatbelt = documented sweep exception.
  • Optional: a scheduled fleet-scan / auto-re-adoption bot.

Test plan

  • actionlint (only pre-existing SC2016 jq-filter notes), shellcheck clean, litmus PASS
  • Post-merge: scripts/check-pipeline-drift.sh --fleet reports the fleet honestly
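The drift scanner the description sketches, written out as an added example; this is not helmet's own scripts/check-pipeline-drift.sh. It takes the canonical version from the template's own `# helmet-pipeline: vX.Y.Z` stamp (the format the PR defines), classifies each fleet repo as ok, behind, ahead, unstamped or unreadable, and fails the scan on anything but ok. The helper names and the fixture repos are constructed for the example.

```shell
STAMP_RE='^# helmet-pipeline: v[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*'
WF='.github/workflows/bypass-audit.yml'
# Print "X.Y.Z" from a stamped workflow; prints nothing if no stamp line exists.
read_stamp() { grep -m1 "$STAMP_RE" "$1" 2>/dev/null | sed 's/^# helmet-pipeline: v//'; }

# Compare dotted versions numerically (so 1.9.0 < 1.12.0): prints lt, eq or gt.
vercmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    [ "${x:-0}" -lt "${y:-0}" ] && { echo lt; return 0; }
    [ "${x:-0}" -gt "${y:-0}" ] && { echo gt; return 0; }
    i=$((i + 1))
  done
  echo eq
}

# Classify one repo dir against the canonical version: ok | behind | ahead | unstamped | unreadable.
classify() {
  [ -r "$2/$WF" ] || { echo unreadable; return 0; }
  v=$(read_stamp "$2/$WF")
  [ -n "$v" ] || { echo unstamped; return 0; }
  case "$(vercmp "$v" "$1")" in lt) echo behind ;; eq) echo ok ;; gt) echo ahead ;; esac
}

# Scan a fleet. The canonical version is read from helmet's own template stamp (first arg),
# not plugin.json, so an unrelated plugin bump cannot produce false drift.
# Prints "repo<TAB>status" per repo; returns 1 if any repo is not ok.
scan_fleet() {
  canonical=$(read_stamp "$1/$WF"); shift
  [ -n "$canonical" ] || { echo "helmet template is unstamped" >&2; return 2; }
  rc=0
  for repo in "$@"; do
    status=$(classify "$canonical" "$repo")
    printf '%s\t%s\n' "$(basename "$repo")" "$status"
    [ "$status" = ok ] || rc=1
  done
  return "$rc"
}

# Constructed fixture (not real repos): template at v1.21.0, one repo current,
# one behind at v1.12.0, one never stamped. Echoes the temp dir.
make_fixture() {
  t=$(mktemp -d)
  for r in helmet current behind unstamped; do mkdir -p "$t/$r/.github/workflows"; done
  printf '# helmet-pipeline: v1.21.0\nname: bypass-audit\n' > "$t/helmet/$WF"
  printf '# helmet-pipeline: v1.21.0\nname: bypass-audit\n' > "$t/current/$WF"
  printf '# helmet-pipeline: v1.12.0\nname: bypass-audit\n' > "$t/behind/$WF"
  printf 'name: bypass-audit\n' > "$t/unstamped/$WF"
  echo "$t"
}
```

Run it with `T=$(make_fixture); scan_fleet "$T/helmet" "$T/current" "$T/behind" "$T/unstamped"` and the exit status is 1 because two of the three repos are not at the canonical version.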

coderabbitai Bot commented Jun 4, 2026

Warning

Review limit reached

@chris-yyau, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 21 minutes and 37 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 044d54e8-def7-478b-9626-333bb30c1805

📥 Commits

Reviewing files that changed from the base of the PR and between 97b7f07 and 94188c7.

📒 Files selected for processing (6)
  • .github/workflows/bypass-audit.yml
  • .gitignore
  • .helmet-fleet.example
  • docs/adr/0001-bypass-audit-standard-and-drift-detection.md
  • scripts/check-pipeline-drift.sh
  • skills/helmet/SKILL.md
📝 Walkthrough

This PR adds SHA-based deduplication to the bypass-audit workflow to prevent duplicate admin-bypass audit issues. The workflow now computes a short commit SHA, queries for prior issues from the workflow bot matching that SHA, and exits early if found instead of creating a new issue. Documentation is updated accordingly.

Changes

Audit Issue Deduplication

Layer / File(s): Summary

SHA-based deduplication logic (.github/workflows/bypass-audit.yml): Workflow computes SHA_SHORT and adds a dedup check that queries existing issues matching the short SHA in title and full commit SHA in body (author-filtered to github-actions[bot]); exits early if found, uses precomputed SHA_SHORT in the issue title.

Documentation and workflow template updates (skills/helmet/SKILL.md): SKILL.md template and "Detection logic" section updated to document the new SHA deduplication checkpoint and reflect the revised step ordering after direct-push bypass confirmation.

Sequence Diagram

sequenceDiagram
  participant Workflow as bypass-audit workflow
  participant GitHub as GitHub API
  Workflow->>Workflow: Compute SHA_SHORT (7-char commit SHA)
  Workflow->>GitHub: Query for existing issues with SHA_SHORT in title
  GitHub-->>Workflow: Return matching issues
  Workflow->>Workflow: Filter by github-actions[bot] author<br/>and full commit SHA in body
  alt Match Found
    Workflow->>Workflow: Exit without creating new issue
  else No Match Found
    Workflow->>GitHub: Create new admin-bypass audit issue
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • codescene-delta-analysis

Poem

A rabbit hops through GitHub's halls, 🐰
Finding each commit's audit call,
But now we skip the duplicate song—
Short SHA checks keep things from going wrong!
One issue per commit, clear and bright, ✨
The dedup logic shines just right!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Title check: ⚠️ Warning
  Explanation: The PR title states 'canonical bypass-audit standard + pipeline drift detection', but the actual changes focus specifically on deduplicating admin-bypass audit issues by commit SHA. The title suggests broader standardization and drift detection work, which is not the main change.
  Resolution: Update the title to reflect the primary change: 'fix(ci): dedup admin-bypass audit issues by commit sha' or similar, which accurately describes the deduplication guard implementation.

✅ Passed checks (4 passed)

Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.



cubic-dev-ai Bot left a comment: No issues found across 2 files

chris-yyau force-pushed the fix/bypass-audit-dedup-guard branch from 914ce15 to 97b7f07 on June 4, 2026 18:39

greptile-apps Bot left a comment: chris-yyau has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.


…ction

Supersedes the dedup approach. Two things:

1. Canonical standard — adopt diveanddev.com's design as helmet's template:
   push-only, identity-skip ONLY (no message-based skip a human could forge),
   fail-the-run on an indeterminate PR-lookup (never silent-skip, never
   false-positive), and NO dedup. Issue metadata is mutable, so a title/SHA
   dedup is an insider-editable suppression primitive (even an author filter is
   defeated by editing a bot-authored issue); the org audit log is the
   authoritative trail and a duplicate on a rare re-run is harmless.

2. Drift detection — vendored boilerplate was silently freezing at its
   onboarding generation (chrisyau.me/jikdak sat at v1.12 while helmet hit
   v1.21). Now: stamp `# helmet-pipeline: vX.Y.Z` into the template, and
   scripts/check-pipeline-drift.sh compares each repo's stamp to helmet's own
   template stamp (not plugin.json — avoids false drift on unrelated bumps),
   failing on any behind/unstamped/unreadable repo.

Update SKILL.md template excerpt + detection-logic to match. ADR-0001 records
the design, the vendored-not-reusable choice (keep repos self-contained), and
the seatbelt sweep exception. .helmet-fleet.example documents the scan list.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
chris-yyau force-pushed the fix/bypass-audit-dedup-guard branch from 97b7f07 to 0216cc1 on June 4, 2026 20:20
chris-yyau changed the title from "fix(ci): dedup admin-bypass audit issues by commit sha" to "feat(ci): canonical bypass-audit standard + pipeline drift detection" on Jun 4, 2026

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0216cc1d0c

Comment thread .github/workflows/bypass-audit.yml Outdated
--description "Commit bypassed required status checks" \
--repo "$REPO" 2>/dev/null || LABEL_OK=0
--repo "$REPO" 2>/dev/null \
|| gh label list --repo "$REPO" --json name --jq '.[].name' 2>/dev/null | grep -qx "admin-bypass" \


P2: Fetch all labels before deciding the audit label is missing

In repos with more than 30 labels where admin-bypass is not in the first page, this fallback treats an existing label as unavailable and creates the audit issue without the label. The GitHub CLI manual for gh label list documents --limit <int> (default 30) (https://cli.github.com/manual/gh_label_list), so the existence check can be a false negative even though the labeled gh issue create would have worked; this loses the label-based audit filtering the workflow depends on.


check-pipeline-drift.sh derives the canonical version from helmet's own
bypass-audit.yml `# helmet-pipeline:` stamp (not plugin.json), so the
onboarding instruction must tell the generator to copy that pipeline-template
stamp verbatim and bump it only when the template changes. Stamping the
plugin version (the old wording) would make every repo show false "ahead"
drift on any unrelated plugin release.

Also fix a dangling "see B4" pointer (B4 is multi-repo deployment, not drift
detection) to reference ADR-0001, the authoritative decision record.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

chris-yyau added a commit that referenced this pull request Jun 5, 2026
harden admin-bypass label-exists fallback: query the exact label endpoint instead of a page-capped label list scan (bypass-audit.yml)

Query the exact label endpoint instead of a page-capped label-list scan,
so the existence check can't false-negative on a repo with many labels
(codex P2 on PR #51).

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
chris-yyau force-pushed the fix/bypass-audit-dedup-guard branch from 56e320a to 94188c7 on June 5, 2026 07:08
@chris-yyau chris-yyau merged commit cd8b160 into main Jun 5, 2026
16 checks passed
@chris-yyau chris-yyau deleted the fix/bypass-audit-dedup-guard branch June 5, 2026 09:20
chris-yyau pushed a commit that referenced this pull request Jun 5, 2026
# [1.22.0](v1.21.0...v1.22.0) (2026-06-05)

### Features

* **ci:** canonical bypass-audit standard + pipeline drift detection ([#51](#51)) ([cd8b160](cd8b160))