Tracks which workflow jobs have github-script but lack setup-api-client. Identifies 10 gaps requiring fixes for complete rate limit remediation. Columns track fix status, PR number, and date for audit trail.
Systematic audit found 8 jobs with github-script that make API calls but were missing setup-api-client for rate limit mitigation.

Fixed jobs:
- agents-autofix-loop.yml / metrics
- agents-bot-comment-handler.yml / cleanup
- reusable-10-ci-python.yml / logs_summary
- reusable-16-agents.yml / preflight
- reusable-20-pr-meta.yml / keepalive_orchestrator
- reusable-20-pr-meta.yml / keepalive_from_gate
- reusable-20-pr-meta.yml / pr_body_update
- reusable-bot-comment-handler.yml / dispatch

Identified false positive (no fix needed):
- reusable-16-agents.yml / verify_issue_summary (uses core.summary only)

Audit tracked in docs/fixes/setup-api-client-coverage-audit.csv

Refs: #1183
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 626e159283
Automated Status Summary
Head SHA: bb0efa1
🤖 Keepalive Loop Status
PR #1189 | Agent: Codex | Iteration 0/5
🔍 Failure Classification
Error type: infrastructure
Review pointed out that in reusable-20-pr-meta.yml, jobs that checkout workflows-lib should use ./workflows-lib/.github/actions/setup-api-client, while jobs that checkout consumer first should use ./consumer/.github/...

Corrected:
- keepalive_orchestrator, keepalive_from_gate, pr_body_update: use workflows-lib (Workflows repo is checked out to workflows-lib/ with setup-api-client)
- keepalive_dispatch: kept using consumer checkout (consumer repo is checked out first, workflows-lib comes later)

Updated audit spreadsheet to reflect the two different patterns.
Pull request overview
Adds setup-api-client coverage in several workflows/jobs that use actions/github-script, and records an audit of the coverage/fix status.
Changes:
- Added `setup-api-client` + required sparse-checkout deps to multiple workflows/jobs using `github-script`.
- Added consumer checkout + `setup-api-client` initialization to additional jobs in `reusable-20-pr-meta.yml`.
- Added an audit CSV documenting coverage/fix status for targeted jobs.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/fixes/setup-api-client-coverage-audit.csv | Tracks which workflow jobs use github-script and whether setup-api-client coverage is present. |
| .github/workflows/reusable-bot-comment-handler.yml | Adds sparse-checkout deps + setup-api-client step for the dispatch job. |
| .github/workflows/reusable-20-pr-meta.yml | Adds consumer checkout + setup-api-client steps to additional jobs. |
| .github/workflows/reusable-16-agents.yml | Adds sparse-checkout deps + setup-api-client step in preflight. |
| .github/workflows/reusable-10-ci-python.yml | Adds checkout + setup-api-client in logs_summary (was missing checkout). |
| .github/workflows/agents-bot-comment-handler.yml | Adds sparse-checkout deps + setup-api-client step in cleanup. |
| .github/workflows/agents-autofix-loop.yml | Adds sparse-checkout deps + setup-api-client step in metrics; minor whitespace cleanup. |
Comments suppressed due to low confidence (3)
.github/workflows/reusable-20-pr-meta.yml:289
- The `setup-api-client` composite installs `@octokit/*` deps under `$GITHUB_WORKSPACE/.github/scripts`, but this job later loads JS helpers from `$GITHUB_WORKSPACE/workflows-lib/.github/scripts`. Node module resolution won’t pick up deps from `.github/scripts/node_modules`, so token_load_balancer’s `import('@octokit/*')` will still fail (token rotation won’t actually be enabled). Consider installing deps in `workflows-lib/.github/scripts` (or repo-root `node_modules`) and/or extending `setup-api-client` with an install_dir input. Also, `service_bot_pat` is lower-case in `workflow_call` secrets, so `toJSON(secrets)` won’t populate `SERVICE_BOT_PAT` unless you pass the action’s `service_bot_pat` input (or update parsing to handle lower-case keys).

```yaml
- name: Mint GitHub App token (preferred)
  id: app_token
  continue-on-error: true
  uses: actions/create-github-app-token@v2
```
.github/workflows/reusable-20-pr-meta.yml:365
- The `setup-api-client` composite installs `@octokit/*` deps under `$GITHUB_WORKSPACE/.github/scripts`, but this job loads shared scripts from `$GITHUB_WORKSPACE/workflows-lib/.github/scripts`. Node won’t resolve deps from `.github/scripts/node_modules`, so token_load_balancer’s `import('@octokit/*')` will still fail (no real token rotation). Consider installing deps in `workflows-lib/.github/scripts` (or repo-root `node_modules`) and/or extending `setup-api-client` with an install_dir input. Also, `service_bot_pat` is lower-case in `workflow_call` secrets, so `toJSON(secrets)` won’t populate `SERVICE_BOT_PAT` unless you pass the action’s `service_bot_pat` input (or update parsing to handle lower-case keys).

```yaml
with:
  script: |
    const scriptsPath = process.env.WORKFLOWS_SCRIPTS_PATH;
    const { evaluateKeepaliveGate } = require(`${scriptsPath}/.github/scripts/keepalive_gate.js`);
    const result = await evaluateKeepaliveGate({
```
.github/workflows/reusable-20-pr-meta.yml:510
- The `setup-api-client` composite installs `@octokit/*` deps under `$GITHUB_WORKSPACE/.github/scripts`, but this job loads shared scripts from `$GITHUB_WORKSPACE/workflows-lib/.github/scripts`. Node won’t resolve deps from `.github/scripts/node_modules`, so token_load_balancer’s `import('@octokit/*')` will still fail (no real token rotation). Consider installing deps in `workflows-lib/.github/scripts` (or repo-root `node_modules`) and/or extending `setup-api-client` with an install_dir input. Also, `service_bot_pat` is lower-case in `workflow_call` secrets, so `toJSON(secrets)` won’t populate `SERVICE_BOT_PAT` unless you pass the action’s `service_bot_pat` input (or update parsing to handle lower-case keys).

```js
  github, context, core,
  inputs: {
    pr_number: process.env.PR_NUMBER,
    dry_run: process.env.DRY_RUN === 'true',
  },
```
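The module-resolution point raised in the suppressed comments above, as an added example that is not part of the pull request or the repository's code: it builds a constructed workspace tree in a temp directory and checks from which script directories a bare `@octokit/*` specifier resolves. The package name `@octokit/constructed-example-dep` and all helper names are assumptions, and CommonJS `require.resolve` stands in for the `import()` the comments mention; both walk up parent `node_modules` directories.

```javascript
// Added example: constructed workspace tree and a placeholder package name.
const fs = require('fs');
const os = require('os');
const path = require('path');

const PKG = '@octokit/constructed-example-dep'; // placeholder, not a real package

// Create a minimal package at <dir>/node_modules/<name>.
function installFakePackage(dir, name) {
  const pkgDir = path.join(dir, 'node_modules', ...name.split('/'));
  fs.mkdirSync(pkgDir, { recursive: true });
  fs.writeFileSync(path.join(pkgDir, 'package.json'),
    JSON.stringify({ name, version: '0.0.0', main: 'index.js' }));
  fs.writeFileSync(path.join(pkgDir, 'index.js'), 'module.exports = {};\n');
}

// Can a script that lives in `fromDir` resolve the bare specifier `name`?
function canResolve(name, fromDir) {
  try {
    require.resolve(name, { paths: [fromDir] });
    return true;
  } catch (err) {
    if (err.code === 'MODULE_NOT_FOUND') return false;
    throw err;
  }
}

function checkWorkspaceResolution() {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'workspace-'));
  const actionScripts = path.join(ws, '.github', 'scripts');
  const libScripts = path.join(ws, 'workflows-lib', '.github', 'scripts');
  const probe = () => ({
    fromActionScripts: canResolve(PKG, actionScripts),
    fromLibScripts: canResolve(PKG, libScripts),
  });
  try {
    fs.mkdirSync(actionScripts, { recursive: true });
    fs.mkdirSync(libScripts, { recursive: true });
    installFakePackage(actionScripts, PKG); // where the comments say deps land
    const depsInActionScripts = probe();
    installFakePackage(ws, PKG);            // additionally at repo-root node_modules
    const depsAtWorkspaceRoot = probe();
    return { depsInActionScripts, depsAtWorkspaceRoot };
  } finally {
    fs.rmSync(ws, { recursive: true, force: true });
  }
}

console.log(checkWorkspaceResolution());
```

A check like this can run as an early job step so that a misplaced install fails the job instead of silently leaving token rotation off.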
| uses: ./.github/actions/setup-api-client | ||
| with: | ||
| secrets: ${{ toJSON(secrets) }} | ||
| github_token: ${{ github.token }} |
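Review bot: `secrets: ${{ toJSON(secrets) }}` in the `with:` block hands the composite action every secret available to this job as one JSON string, not only the tokens it needs. Pass just the named secrets the action uses as individual inputs, so that a secret added to the caller later is not implicitly exposed to whatever the action runs.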
In this reusable workflow, workflow_call secrets like service_bot_pat / gh_app_id are lower-case. setup-api-client’s JSON parsing looks for upper-case keys (e.g., SERVICE_BOT_PAT, GH_APP_ID), so passing only secrets: ${{ toJSON(secrets) }} won’t export these tokens to the environment. Pass the action’s individual inputs (service_bot_pat, gh_app_id, gh_app_private_key, etc.) or update setup-api-client to also recognize lower-case secret keys.
| github_token: ${{ github.token }} | |
| github_token: ${{ github.token }} | |
| service_bot_pat: ${{ secrets.service_bot_pat }} | |
| gh_app_id: ${{ secrets.gh_app_id }} | |
| gh_app_private_key: ${{ secrets.gh_app_private_key }} |
| uses: ./.github/actions/setup-api-client | ||
| with: | ||
| secrets: ${{ toJSON(secrets) }} | ||
| github_token: ${{ github.token }} |
workflow_call defines service_bot_pat as a lower-case secret name, but setup-api-client’s toJSON(secrets) parsing only extracts SERVICE_BOT_PAT (upper-case). As a result this step won’t export the service bot token unless you also pass the action’s service_bot_pat input (or update parsing to handle lower-case keys).
| github_token: ${{ github.token }} | |
| github_token: ${{ github.token }} | |
| service_bot_pat: ${{ secrets.service_bot_pat }} |
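Review bot: the replacement lines here add only `service_bot_pat`, while the suggestion for the same `setup-api-client` step earlier in this review also passes `gh_app_id` and `gh_app_private_key`. Confirm whether this job needs the app credentials, then either make the two steps consistent or record in the audit CSV why they differ.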