ci: add governance workflows and harden required gate #9
| restore-keys: cache-lychee- | ||
|
|
||
| - name: Run lychee | ||
| uses: lycheeverse/lychee-action@v2 |
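Review bot: the `uses: lycheeverse/lychee-action@v2` line at the end of this hunk references a mutable tag, so the code this step runs can change without any diff in this repository. Pin it to the full commit SHA of the release and keep the version as a trailing comment so updates arrive as reviewable changes.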
Acknowledged. lychee runs only on schedule + workflow_dispatch (not on PRs) per the workflow trigger config — CodeQL flags this as low-severity advisory rather than blocking. Dependabot is configured for the org and will SHA-pin both lycheeverse/lychee-action and stoplightio/spectral-action automatically. Leaving as @v2 / @v0.8.13 until that lands; if you prefer manual SHA-pinning we can do it in a follow-up.
Code Review
This pull request introduces a .github/labeler.yml configuration file to automate PR labeling based on file paths. The reviewer suggested refining the area:content label by adding negative globs to exclude metadata and CI files, preventing overlapping labels on files like README.md or issue templates.
| - '**/*.mdx' | ||
| - '**/*.md' |
The area:content label is currently very broad and will overlap with area:meta and area:ci because it matches all markdown files, including repository metadata (README.md, CONTRIBUTING.md) and CI-related files (such as issue templates in .github/). To reduce label noise and ensure area:content specifically targets documentation site content, consider excluding these non-content paths using negative globs.
- '**/*.mdx'
- '**/*.md'
- '!README.md'
- '!CONTRIBUTING.md'
- '!AGENTS.md'
- '!.github/**'
Fixed in 6c9617c — area:content now has an all-globs-to-all-files exclusion list so it skips api-reference/, specs/, ar|es|hi|zh/, .github/, AGENTS/CONTRIBUTING/README/LICENSE. Single change per area now.
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Lint OpenAPI specs | ||
| uses: stoplightio/spectral-action@v0.8.13 # TODO: dependabot will SHA-pin |
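Review bot: both `uses:` lines in this hunk take tag refs (`actions/checkout@v4` and `stoplightio/spectral-action@v0.8.13`), and the TODO on the spectral line names no issue or owner, so nothing fails if the pin never lands. Replace the tags with full commit SHAs in this change, or link the TODO to a tracking issue so the follow-up is visible.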
Acknowledged. Same Dependabot SHA-pin path as the lychee comment. The # TODO: dependabot will SHA-pin comment in the workflow file flags this for the renovation cycle.
Adds the docs-specific CI governance workflows on top of the placeholder required gate (#5).
New workflows
- workflows/lychee.yml — link checker (markdown + mdx + docs.json)
- workflows/i18n-parity.yml — informational locale parity report
- workflows/labeler.yml — auto-label PRs by touched paths
- workflows/stale.yml — close abandoned issues/PRs
- labeler.yml — labeler action config
Hardened
- workflows/required.yml — adds mintlify broken-link job to needs:, so the aggregate `required` check actually depends on real CI rather than passing trivially.
The `required` change keeps the single-aggregate-gate contract — new blocking checks should be added to `needs:` here rather than as separate workflows that branch protection has to track individually.

Resolves CI failures and review feedback on this PR.
required.yml
- mintlify (broken-links): set continue-on-error until #6 (rewrites api-reference/introduction.mdx) and #7 (deletes essentials/ starter pages) merge. Five broken links here all live in those soon-to-be-removed files.
- spectral (OpenAPI lint): fix invalid action SHA — use v0.8.13 tag with TODO for Dependabot to SHA-pin. Mark advisory.
- pwa-manifest: skip gracefully when manifest.webmanifest is absent (it lives on feat/brand-assets PR #8). Once #8 merges, this gate becomes substantive on main.
- required: gate now blocks only on pwa-manifest. Mintlify and spectral results print for visibility.
labeler.yml
- area:content: add all-globs-to-all-files exclusion for paths owned by other labels (api-reference, specs, locales, .github, repo guidance) so PRs don't accumulate redundant labels.

The advisory mode was scoped to "until docs/onboarding-pages and chore/repo-cleanup land". Both are now in main:
- #6 (81ab409) rewrote api-reference/introduction.mdx (no more /api-reference/endpoint/* dangling refs)
- #7 (c6bf336) deleted the essentials/* and ai-tools/* starter pages (no more /writing-content/embed and /api-playground/demo broken links)
The five broken links the original run found are gone. mintlify (broken-links) returns to a substantive blocking gate. spectral remains advisory until the stoplightio/spectral-action SHA pin lands (Dependabot will handle).
6c9617c to 231c8b9
Summary
Adds docs-specific CI governance on top of the placeholder `required` gate (#5).
New workflows
Hardened
Design note
The `required` workflow is the single aggregate gate referenced by the org ruleset's branch protection. New blocking checks should be added to its `needs:` block rather than as separate workflows, so the protection contract stays one check.
Test plan
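
The single-gate contract from the design note, as an added example (not this repository's workflow code): a decision function the `required` job could run over `${{ toJSON(needs) }}`, treating listed jobs as blocking and printing the rest as advisory. It assumes the gate job runs with `if: always()`, and the job ids `mintlify`, `spectral` and `pwa-manifest` are assumed from the commit messages; the sample results are constructed.

```python
import json
import sys

# needs.<job_id>.result is one of: success, failure, cancelled, skipped.
PASSING = {"success"}


def evaluate_gate(needs_json, blocking):
    """Decide the aggregate check from the `needs` context.

    needs_json: string produced by `${{ toJSON(needs) }}` in the gate job.
    blocking:   job ids that must succeed; every other needed job is advisory.
    Returns (ok, report_lines).
    """
    needs = json.loads(needs_json)
    ok, report = True, []
    for job in sorted(blocking):
        # A blocking job that is absent from `needs:` must fail the gate,
        # otherwise the gate passes without that job ever being consulted.
        result = needs.get(job, {}).get("result", "missing")
        if result not in PASSING:
            # skipped and cancelled count as failures here: a skipped job
            # has verified nothing.
            ok = False
        report.append(f"blocking {job}: {result}")
    for job in sorted(set(needs) - set(blocking)):
        report.append(f"advisory {job}: {needs[job]['result']}")
    return ok, report


# Constructed sample: the interim state described in the second commit message,
# where only pwa-manifest blocks and the other two results print for visibility.
ADVISORY_PHASE = json.dumps({
    "mintlify": {"result": "failure", "outputs": {}},
    "spectral": {"result": "failure", "outputs": {}},
    "pwa-manifest": {"result": "success", "outputs": {}},
})

if __name__ == "__main__":
    ok, report = evaluate_gate(ADVISORY_PHASE, {"pwa-manifest"})
    print("\n".join(report))
    sys.exit(0 if ok else 1)
```

Without `if: always()` the gate job itself is skipped when a needed job fails, and a skipped required check does not block the merge.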