fix(triage-bot): skip gracefully when TRIAGE_PAT secret is missing #15
Without TRIAGE_PAT set, the github-script step received github-token: "" and failed at action-input validation with "Input required and not supplied: github-token". Every PR in repos that adopted the workflow without also setting the secret painted red — unactionable, since the runner can't tell the user which secret to add.

Add a preflight step that:
- Reads TRIAGE_PAT via env (you can't reference secrets in `if:`)
- Sets an output flag, warns on console annotation if empty
- Gates the actual triage step on the output

Missing-secret runs now show green with a "warning" annotation that names the missing secret.

Also align templates/triage-bot.yml's action pin with the live workflow (v9 SHA-pinned). The template was still on @v7 floating tag; the next sweep would have regressed the live file. Same edit, same surface, no behavior change for repos that already have the secret.

Live and template files are now identical (verified by diff).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai autofix
No actionable comments were generated in the recent review. 🎉
Walkthrough
Two workflow files add a preflight check for the
Changes
TRIAGE_PAT Secret Preflight Check
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
Pre-merge checks: ✅ 2 passed
Note: Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.
Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.
Up to standards ✅
Pull Request Overview
Codacy results indicate the PR is up to standards. The primary functional change—a preflight check for the TRIAGE_PAT secret—lacks documented verification for both the skip and execution paths. Additionally, a versioning label discrepancy in the template file requires clarification to avoid confusion for downstream users of the triage-bot.
Test suggestions
- Verify the workflow skips the triage step and remains green when TRIAGE_PAT is not configured.
- Verify the workflow executes the triage script normally when TRIAGE_PAT is provided.
Symptom
Every PR push to repos that adopted `triage-bot.yml` without also setting the `TRIAGE_PAT` secret painted the Triage Bot check red with:
```
Error: Unhandled error: Error: Input required and not supplied: github-token
at Object.getInput (/home/runner/work/_actions/actions/github-script/...)
```
`actions/github-script` requires `github-token` and explicitly rejects an empty value. `${{ secrets.TRIAGE_PAT }}` resolves to `""` when the secret is unset, hitting that validation.
Confirmed against this repo's own runs (e.g. 26382977900, 26382977909).
Fix
Add a preflight step that reads `TRIAGE_PAT` via `env:` (since `secrets.*` isn't allowed in `if:`) and sets an output flag. The github-script step gates on the flag.
When the secret is missing:
When the secret is set: behaves identically to before.
Template alignment
`templates/triage-bot.yml` was on `actions/github-script@v7` (floating tag) while the live workflow had moved to `@v9` SHA-pinned. The next `enforce-repo-settings` sweep would have regressed the live file. Same edit applied to both so they're identical post-merge — `diff` returns clean.
What this does NOT do
Doesn't add the secret. That's a deliberate per-repo opt-in: triage bot needs a PAT with `pull_requests: write` because the default `GITHUB_TOKEN` can't `resolveReviewThread` on threads it didn't author. Documentation in the file header already says this; the warning now points to that header instead of leaving a cryptic action-input error.
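The preflight-and-gate pattern described in the PR description above, as an added example that is not the repository's workflow file. The step ids, the `has_pat` output name, the trigger, the `permissions` block and the warning text are assumptions, and the action SHA is a placeholder because the page does not give it.

```yaml
# Added illustration, not the project's triage-bot.yml.
# Step ids, output name, trigger and warning text are assumptions.
name: Triage Bot
on:
  pull_request:

permissions:
  contents: read

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Preflight - check for TRIAGE_PAT
        id: preflight
        env:
          # secrets.* is not allowed in `if:`, so pass the value through env.
          # An unset secret expands to the empty string.
          TRIAGE_PAT: ${{ secrets.TRIAGE_PAT }}
        run: |
          # Test only for presence; never echo the value itself.
          if [ -n "$TRIAGE_PAT" ]; then
            echo "has_pat=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_pat=false" >> "$GITHUB_OUTPUT"
            # Warning annotation: the job stays green and names the secret.
            echo "::warning title=Triage Bot skipped::TRIAGE_PAT secret is not set; see the header of this workflow file."
          fi

      - name: Triage
        # Gate on the step output instead of on the secret.
        if: steps.preflight.outputs.has_pat == 'true'
        # Placeholder: replace with the full commit SHA of the v9 release.
        uses: actions/github-script@<FULL_COMMIT_SHA> # v9
        with:
          github-token: ${{ secrets.TRIAGE_PAT }}
          script: |
            // Triage logic is not shown on the page; placeholder only.
            core.info('TRIAGE_PAT present, running triage')
```

Secrets are also withheld from `pull_request` runs triggered from forks, so those runs take the same skip path and show the warning instead of failing.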