feat: implement issue #313 — SonarCloud: S7635 secrets-inherit caller stubs#314
feat: implement issue #313 — SonarCloud: S7635 secrets-inherit caller stubs#314don-petry wants to merge 1 commit into
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Warning Review limit reached
Next review available in: 55 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
|
Advisory bots were rate-limited; auto-approval is withheld until they recover. pr-review-sweep will re-review this PR after 2026-07-07T20:24:59Z. |
There was a problem hiding this comment.
Pull request overview
This PR addresses SonarCloud rule githubactions:S7635 by removing secrets: inherit from Markets’ thin GitHub Actions workflow caller stubs and replacing it with explicit secrets: mappings that pass only the secrets declared by each reusable workflow (no functional workflow logic changes intended).
Changes:
- Replaced
secrets: inheritwith explicit secret mappings in five caller workflows to satisfy S7635. - Updated inline documentation/comments in the caller stubs to reflect the new explicit secret-passing approach and required/optional secrets.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/pr-review.yml | Passes only the reusable PR review agent’s declared secrets via explicit mapping. |
| .github/workflows/pr-review-mention.yml | Replaces inherited secrets with explicit GH_PAT_WORKFLOWS + DON_PETRY_BOT_GH_PAT mapping for the mention trigger reusable. |
| .github/workflows/dev-lead.yml | Replaces inherited secrets with explicit mapping matching the dev-lead reusable’s declared secrets. |
| .github/workflows/dependabot-automerge.yml | Replaces inherited secrets with explicit APP_ID + APP_PRIVATE_KEY mapping for the Dependabot automerge reusable. |
| .github/workflows/auto-rebase.yml | Replaces inherited secrets with explicit (optional) GH_PAT_WORKFLOWS mapping for the auto-rebase reusable. |



Closes #313
Implemented by dev-lead agent. Please review.