refactor(sdlc-pipeline): enforce PR-based docs flow, fix auth/security issues, add sprint scripts#5
refactor(sdlc-pipeline): enforce PR-based docs flow, fix auth/security issues, add sprint scripts#5codeartstest wants to merge 3 commits into
Conversation
…y issues, add sprint scripts - Replace direct-push docs/reports with docs branch + PR to dev (GitHub branch protection applies to whole branch, not paths) - Fix Jira API auth: require Atlassian gateway URL + MCP Authorization header from mcp_settings.json (direct site URL always returns 401) - Fix Windows PowerShell: use .ps1 script files instead of inline commands (Bash tool strips $ from inline PowerShell) - Add sprint-start/sprint-close template scripts (ps1/sh) - Fix git clone: use credential helper, never embed PAT in URL - Fix merge conflict resolution: domain-owner based instead of blanket prefer-dev (main may contain production hotfixes) - Move JFrog non-secret config to GitHub Actions variables - Add deployment rollback using captured previous image - Persist user-selected integration branch across all downstream agents - PM Agent no longer creates/merges PRs (developer agents handle)
📝 WalkthroughWalkthroughThe PR updates SDLC pipeline documentation and templates to enforce PR-based branch protection, secure repository and SSH access, gateway-based Jira sprint operations, stronger CI/CD validation, immutable release metadata, and rollback handling. ChangesSDLC pipeline and agent workflows
Estimated code review effort: 3 (Moderate) | ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 11
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
skills/sdlc-agentic-pipeline/SKILL.md (1)
1-1: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winStale "direct push" references contradict the new PR-based documentation flow. The PR updated several sections to require a docs branch + PR targeting
dev, but three other sections still reference the old direct-push approach, creating contradictory guidance within the same file.
skills/sdlc-agentic-pipeline/SKILL.md#L174-L175: Update the heading at line 173 from "Direct push for docs/reports" to reflect the PR-based flow (e.g., "PR-based flow for docs/reports").skills/sdlc-agentic-pipeline/SKILL.md#L694-L696: Update Warning#10at lines 636–637 to replace "SDD docs use direct push (no PR needed, path-based branch protection gates)" with the PR-based requirement now described at lines 694–696.skills/sdlc-agentic-pipeline/SKILL.md#L712-L713: Update the "Push Report to GitHub" section at lines 389–393 to replace "DIRECT PUSH todev(no PR needed -reports/**exempt via path-based branch protection)" with the PR-based flow now described at lines 712–713.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/SKILL.md` at line 1, Replace the three stale direct-push references in SKILL.md with consistent PR-based documentation guidance: rename the docs/reports heading, update Warning `#10`, and revise the “Push Report to GitHub” section to require a docs branch and PR targeting dev. Preserve the wording and workflow established by the existing PR-based sections.
🧹 Nitpick comments (2)
skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py (1)
22-22: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueRemove extraneous
fprefix.
f"Then re-run this script."has no interpolated placeholders. Ruff flags this as F541.♻️ Proposed fix
- print(f"Then re-run this script.") + print("Then re-run this script.")🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py` at line 22, Remove the unnecessary f-string prefix from the static print message in the add_ssh_key script, changing it to a regular string while preserving the existing output.Source: Linters/SAST tools
skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml (1)
148-149: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
sonar-qg-checkjob is now redundant withsonar.qualitygate.wait=true.With
-Dsonar.qualitygate.wait=true, thesonar-scanstep itself waits for QG evaluation and fails if the gate doesn't pass. The separatesonar-qg-checkjob (lines 151–168, whichneeds: sonar-scan) will never run when the QG fails (becausesonar-scanalready failed) and is unnecessary when it passes. Consider removingsonar-qg-checkand updatingdeploy-to-jfrogtoneeds: sonar-scandirectly.♻️ Proposed refactor
sonar-scan: needs: - build # ... (sonar-scan step with qualitygate.wait=true already gates) - sonar-qg-check: - needs: - - sonar-scan - runs-on: ubuntu-latest - steps: - - name: Check SonarCloud Quality Gate - run: | - QG_STATUS=$(curl -s -u "${{ secrets.SONAR_TOKEN }}:" \ - "https://sonarcloud.io/api/qualitygates/project_status?projectKey=${{ vars.SONAR_PROJECT_KEY }}" \ - | jq -r '.projectStatus.status') - if [ "$QG_STATUS" != "OK" ]; then - echo "ERROR: SonarCloud Quality Gate FAILED ($QG_STATUS)" - echo "Docker image will NOT be built or pushed to JFrog" - exit 1 - fi - echo "SonarCloud Quality Gate PASSED - proceeding to deploy" - deploy-to-jfrog: needs: - - sonar-qg-check + - sonar-scan🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml` around lines 148 - 149, Remove the redundant sonar-qg-check job now that the sonar-scan step waits for and enforces the quality gate via sonar.qualitygate.wait=true. Update deploy-to-jfrog to depend directly on sonar-scan, preserving the existing deployment gating behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@skills/sdlc-agentic-pipeline/references/agents/devops-agent.md`:
- Around line 558-564: Update the deployment-failure rollback flow to check
whether previousImage is empty before running the rollback SSH/docker command.
For a first deployment with no previous image, skip rollback and report
“Deployment to Huawei Cloud ECS FAILED - no previous image available for
rollback”; retain the existing rollback command and success/failure message only
when previousImage is available.
In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md`:
- Line 94: The workflow hard-codes dev instead of consistently using the
PM-selected integration/release branch. In
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:94, define the
persisted branch value and its contract for downstream agents; in
skills/sdlc-agentic-pipeline/references/pipeline.md:46-50, 100-105, 186-187, and
313-316, replace hard-coded dev references with that propagated value for merge
checks, SDD and report PR targets, workflow monitoring, and idempotency
evaluation.
- Around line 225-228: Update the .env-reading loop in the Step 1
project-context setup to process the final unterminated line by using a read
condition that accepts EOF, and strip trailing carriage returns from each parsed
value before exporting JIRA_* variables. Preserve safe parsing without sourcing
or evaluating the .env file.
In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md`:
- Around line 407-430: Update the frontend dispatch flow described in the
“Frontend Agent builds concurrently with Backend” section so dispatch occurs
only after the Backend Agent reports the repository URL and confirms the remote
origin/dev branch exists. Preserve concurrency only for frontend implementation
after this repository bootstrap gate, and adjust the heading and sequencing
instructions to reflect that constraint.
- Around line 111-114: Move the Q0 question and selection storage before the
provisioning procedure, so the user-level or project-level choice is established
before any agent files are copied. Update the provisioning flow to derive all
skill, config, and reference source/target paths from that stored selection
instead of hard-coding `.codeartsdoer/...`; keep the question and option
descriptions concise.
In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py`:
- Around line 17-23: Update the exception handler around ssh.connect in the
add_ssh_key flow to catch OSError alongside paramiko.SSHException. Route both
SSH and network connection failures through the existing helpful error messages
and clean sys.exit(1) behavior, preserving the current connection parameters and
success path.
In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml`:
- Around line 227-234: Update the verify-jfrog flow to inspect the same image
tag pushed by deploy-to-jfrog, using the github.sha tag instead of latest.
Remove the unused RELEASE_IMAGE and RELEASE_DIGEST GITHUB_ENV assignments, or
expose them as outputs only if downstream jobs consume them; keep the digest
inspection and logging aligned with the pushed image.
In
`@skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1`:
- Line 55: Convert the timestamps to UTC before formatting them with the
trailing Z: update the close timestamp in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1
lines 55-55, and both start and end timestamps in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1
lines 57-58. Preserve the existing yyyy-MM-ddTHH:mm:ss.fff format.
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 712-713: Update the “Push Report to GitHub” instructions to remove
the direct-push and path-based-exemption workflow, and require creating a docs
branch with a pull request targeting dev before merging. Keep the workflow
consistent with the backend/developer ownership rule described in the changed
section.
- Around line 694-696: Update Warning `#10` in the SDD workflow documentation to
remove the direct-push/no-PR guidance and describe the required developer-agent
docs branch with a pull request targeting dev, consistent with the SDD document
publishing flow.
- Around line 174-175: Update the stale headings and instructions in SKILL.md
that describe direct pushes for docs/reports: revise the section around the docs
branch guidance, the “DIRECT PUSH to dev” section, and the “SDD docs use direct
push” section to consistently describe the required PR-based flow targeting dev.
Preserve the surrounding workflow details while removing contradictory no-PR
language.
---
Outside diff comments:
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Line 1: Replace the three stale direct-push references in SKILL.md with
consistent PR-based documentation guidance: rename the docs/reports heading,
update Warning `#10`, and revise the “Push Report to GitHub” section to require a
docs branch and PR targeting dev. Preserve the wording and workflow established
by the existing PR-based sections.
---
Nitpick comments:
In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py`:
- Line 22: Remove the unnecessary f-string prefix from the static print message
in the add_ssh_key script, changing it to a regular string while preserving the
existing output.
In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml`:
- Around line 148-149: Remove the redundant sonar-qg-check job now that the
sonar-scan step waits for and enforces the quality gate via
sonar.qualitygate.wait=true. Update deploy-to-jfrog to depend directly on
sonar-scan, preserving the existing deployment gating behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: e142f9a0-02ef-42b9-9956-de68f7414b6c
📒 Files selected for processing (18)
skills/sdlc-agentic-pipeline/SKILL.mdskills/sdlc-agentic-pipeline/references/agents/backend-agent.mdskills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.mdskills/sdlc-agentic-pipeline/references/agents/devops-agent.mdskills/sdlc-agentic-pipeline/references/agents/frontend-agent.mdskills/sdlc-agentic-pipeline/references/agents/pm-agent.mdskills/sdlc-agentic-pipeline/references/pipeline.mdskills/sdlc-agentic-pipeline/references/setup/service-onboarding.mdskills/sdlc-agentic-pipeline/references/templates/add_ssh_key.pyskills/sdlc-agentic-pipeline/references/templates/ci-cd.ymlskills/sdlc-agentic-pipeline/references/templates/env-template.envskills/sdlc-agentic-pipeline/references/templates/mcp-settings.jsonskills/sdlc-agentic-pipeline/references/templates/set-secrets.jsskills/sdlc-agentic-pipeline/references/templates/sprint-scripts/README.mdskills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.shskills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.sh
| - If deployment fails: rollback using the captured previous image: | ||
| ```bash | ||
| ssh -i "$sshKey" "$ecsUser@$ecsHost" "docker stop $containerName; docker rm $containerName; docker run -d --name $containerName -p 80:80 $previousImage" | ||
| ``` | ||
| - Report success or failure to PM Agent via Jira comment: | ||
| - Success: `@agent:pm Deployment to Huawei Cloud ECS complete - version <tag> live at http://<ECS_HOST>` | ||
| - Failure: `@agent:pm Deployment to Huawei Cloud ECS FAILED - rollback executed` | ||
| - Success: `@agent:pm Deployment to Huawei Cloud ECS complete - version <RELEASE_TAG> live at http://<ECS_HOST>` | ||
| - Failure: `@agent:pm Deployment to Huawei Cloud ECS FAILED - rollback executed to previous image` |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Rollback fails silently on first deployment when previousImage is empty.
On the first deployment, previousImage will be empty (lines 524 and 503 capture it with a fallback to empty string). The rollback command docker run -d --name $containerName -p 80:80 $previousImage with an empty image argument will fail, and the Jira comment will still say "rollback executed to previous image" — misleading when there was no previous image.
Add a guard before attempting rollback:
🛡️ Proposed fix
- If deployment fails: rollback using the captured previous image:
+ If `previousImage` is non-empty:
```bash
ssh -i "$sshKey" "$ecsUser@$ecsHost" "docker stop $containerName; docker rm $containerName; docker run -d --name $containerName -p 80:80 $previousImage"- If
previousImageis empty (first deployment): do NOT attempt rollback. Report: @agent:pm Deployment to Huawei Cloud ECS FAILED - no previous image available for rollback
</details>
<details>
<summary>🤖 Prompt for AI Agents</summary>
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @skills/sdlc-agentic-pipeline/references/agents/devops-agent.md around lines
558 - 564, Update the deployment-failure rollback flow to check whether
previousImage is empty before running the rollback SSH/docker command. For a
first deployment with no previous image, skip rollback and report “Deployment to
Huawei Cloud ECS FAILED - no previous image available for rollback”; retain the
existing rollback command and success/failure message only when previousImage is
available.
</details>
<!-- cr-indicator-types:potential_issue -->
<!-- cr-comment:v1:b7c993e925966ad350593441 -->
<!-- This is an auto-generated comment by CodeRabbit -->
| - Inventories existing artifacts (Dockerfiles, docker-compose.yml, ci-cd.yml, etc.) | ||
| - Asks the user about their development intent (new features, bug fixes, etc.) | ||
| - Asks the user about their preferred branch strategy | ||
| - Asks the user about their preferred branch strategy and **persists the selected integration/release branch** — this branch is passed to every downstream agent (Backend, Frontend, DevOps) and used for CI/CD triggers, feature merges, and release PRs instead of hard-coding `dev` |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Propagate the selected integration branch as an explicit workflow value.
The PM instruction promises propagation, but downstream instructions still hard-code dev. Existing repositories choosing another integration branch will create PRs, monitor CI, and evaluate idempotency against the wrong branch.
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L94-L94: define the persisted integration/release branch contract passed to agents.skills/sdlc-agentic-pipeline/references/pipeline.md#L46-L50: check merge state against the selected integration branch.skills/sdlc-agentic-pipeline/references/pipeline.md#L100-L105: target SDD PRs at that branch.skills/sdlc-agentic-pipeline/references/pipeline.md#L186-L187: monitor the workflow trigger on that branch.skills/sdlc-agentic-pipeline/references/pipeline.md#L313-L316: target report PRs at that branch.
📍 Affects 2 files
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L94-L94(this comment)skills/sdlc-agentic-pipeline/references/pipeline.md#L46-L50skills/sdlc-agentic-pipeline/references/pipeline.md#L100-L105skills/sdlc-agentic-pipeline/references/pipeline.md#L186-L187skills/sdlc-agentic-pipeline/references/pipeline.md#L313-L316
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` at line 94, The
workflow hard-codes dev instead of consistently using the PM-selected
integration/release branch. In
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:94, define the
persisted branch value and its contract for downstream agents; in
skills/sdlc-agentic-pipeline/references/pipeline.md:46-50, 100-105, 186-187, and
313-316, replace hard-coded dev references with that propagated value for merge
checks, SDD and report PR targets, workflow monitoring, and idempotency
evaluation.
| # Step 1: Read .env for project context (safe parsing — never source/eval .env) | ||
| while IFS='=' read -r key value; do | ||
| case "$key" in JIRA_*) export "$key=$value" ;; esac | ||
| done < "<PROJECT_ROOT>/.env" |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Handle CRLF files and an unterminated final .env line.
Line 226 retains \r in Windows-authored values and skips a final line without a newline. JIRA_PROJECT_KEY can become SCRUM\r, causing the board filter to miss its board.
Proposed fix
-while IFS='=' read -r key value; do
- case "$key" in JIRA_*) export "$key=$value" ;; esac
+while IFS='=' read -r key value || [ -n "$key" ]; do
+ key=${key%$'\r'}
+ value=${value%$'\r'}
+ case "$key" in JIRA_[A-Za-z0-9_]*) export "$key=$value" ;; esac
done < "<PROJECT_ROOT>/.env"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Step 1: Read .env for project context (safe parsing — never source/eval .env) | |
| while IFS='=' read -r key value; do | |
| case "$key" in JIRA_*) export "$key=$value" ;; esac | |
| done < "<PROJECT_ROOT>/.env" | |
| # Step 1: Read .env for project context (safe parsing — never source/eval .env) | |
| while IFS='=' read -r key value || [ -n "$key" ]; do | |
| key=${key%$'\r'} | |
| value=${value%$'\r'} | |
| case "$key" in JIRA_[A-Za-z0-9_]*) export "$key=$value" ;; esac | |
| done < "<PROJECT_ROOT>/.env" |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 225
- 228, Update the .env-reading loop in the Step 1 project-context setup to
process the final unterminated line by using a read condition that accepts EOF,
and strip trailing carriage returns from each parsed value before exporting
JIRA_* variables. Preserve safe parsing without sourcing or evaluating the .env
file.
| > All subsequent skill, config, and reference source/target paths are derived from | ||
| > this selection (user-level: `~/.codeartsdoer/...`, project-level: `.codeartsdoer/...`). | ||
|
|
||
| Ask the user via the `question` tool which option they want. **Keep the question and option descriptions short** - do NOT include long explanations of agent roles or internal pipeline details. The user only needs to understand the choice, not the implementation: | ||
| Ask the user via the `question` tool which option they want. **Keep the question and option descriptions short** - do NOT include long explanations of agent roles or internal pipeline details. The user only needs to understand the choice, not the implementation. Store the selection for use in all subsequent path derivations. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Ask Q0 before auto-provisioning agent files.
The procedure at Lines 13-101 runs first and hard-codes .codeartsdoer/...; Q0 is only asked afterward. A user selecting user-level storage therefore gets agent definitions copied to the wrong location. Move Q0 ahead of provisioning and derive those source/target paths from the stored selection.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around
lines 111 - 114, Move the Q0 question and selection storage before the
provisioning procedure, so the user-level or project-level choice is established
before any agent files are copied. Update the provisioning flow to derive all
skill, config, and reference source/target paths from that stored selection
instead of hard-coding `.codeartsdoer/...`; keep the question and option
descriptions concise.
| 3. **Frontend Agent builds concurrently with Backend** (PM dispatches via Jira async): | ||
| - The Backend Agent has already created the repo, cloned it, and created the `dev` branch | ||
| - Pass the frontend scope, tech stack, project prompt, AND the repository URL to the Frontend Agent | ||
| - The Frontend Agent clones the repository from the URL provided by the Backend Agent | ||
| - The Frontend Agent works on an isolated feature branch (not directly on `dev`): | ||
| ```bash | ||
| git clone "https://github.com/<GITHUB_OWNER>/<NEW_REPO_NAME>.git" | ||
| cd <NEW_REPO_NAME> | ||
| git checkout -b feature/frontend/initial-build dev | ||
| ``` | ||
| - The Frontend Agent generates: | ||
| - Complete directory structure (`frontend/src/`, `frontend/public/`) | ||
| - Actual implementation code for all UI features | ||
| - Configuration files (`package.json`, frontend `Dockerfile`) | ||
| - Component-level tests | ||
| - The Frontend Agent writes files into the cloned repo's `frontend/` directory | ||
| - The Frontend Agent commits frontend code and pushes to `dev`: | ||
| ```bash | ||
| cd <NEW_REPO_NAME> | ||
| git add frontend/ | ||
| git commit -m "feat: initial frontend build from prompt" | ||
| git push origin dev | ||
| ``` | ||
| - The Frontend Agent writes files into the cloned repo's `frontend/` directory | ||
| - The Frontend Agent commits frontend code and pushes to its feature branch: | ||
| ```bash | ||
| git add frontend/ | ||
| git commit -m "feat: initial frontend build from prompt" | ||
| git push origin feature/frontend/initial-build | ||
| ``` | ||
| - After Backend Agent completes, the Frontend Agent (or Backend Agent if both active) | ||
| creates a PR from `feature/frontend/initial-build` to `dev` and merges it |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Gate frontend dispatch on repository bootstrap.
Line 407 says this runs concurrently, but Lines 408-416 require the Backend Agent to have already created and pushed dev. The frontend clone/checkout fails if it starts before that point. Dispatch frontend work only after Backend reports the repository URL and confirms origin/dev exists; parallelize implementation only after bootstrap.
🧰 Tools
🪛 markdownlint-cli2 (0.23.0)
[warning] 407-407: Inconsistent indentation for list items at the same level
Expected: 0; Actual: 1
(MD005, list-indent)
[warning] 418-418: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5
(MD005, list-indent)
[warning] 419-419: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5
(MD005, list-indent)
[warning] 420-420: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5
(MD005, list-indent)
[warning] 421-421: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5
(MD005, list-indent)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around
lines 407 - 430, Update the frontend dispatch flow described in the “Frontend
Agent builds concurrently with Backend” section so dispatch occurs only after
the Backend Agent reports the repository URL and confirms the remote origin/dev
branch exists. Preserve concurrency only for frontend implementation after this
repository bootstrap gate, and adjust the heading and sequencing instructions to
reflect that constraint.
| - name: Publish image digest as release artifact | ||
| run: | | ||
| DIGEST=$(docker buildx imagetools inspect ${{ env.JF_DOCKER_REGISTRY }}/<JFROG_REPO_KEY>/<GITHUB_REPO>:${{ github.sha }} --format '{{.Digest}}' 2>/dev/null || echo "") | ||
| echo "RELEASE_IMAGE=${{ env.JF_DOCKER_REGISTRY }}/<JFROG_REPO_KEY>/<GITHUB_REPO>:${{ github.sha }}" >> $GITHUB_ENV | ||
| echo "RELEASE_DIGEST=${DIGEST}" >> $GITHUB_ENV | ||
| echo "Deployable image: ${{ env.JF_DOCKER_REGISTRY }}/<JFROG_REPO_KEY>/<GITHUB_REPO>:${{ github.sha }}" | ||
| echo "Digest: ${DIGEST}" | ||
|
|
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if a :latest tag is pushed anywhere in ci-cd.yml (including hidden lines 1-63)
grep -n 'latest' skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml
# Check if RELEASE_IMAGE or RELEASE_DIGEST are consumed anywhere
grep -n 'RELEASE_IMAGE\|RELEASE_DIGEST' skills/sdlc-agentic-pipeline/references/templates/ci-cd.ymlRepository: CodeArtsAgent/CodeArtsSkills
Length of output: 844
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE='skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml'
# Show the relevant job/step context around the export and verify sections.
sed -n '210,270p' "$FILE" | cat -n
# Show the top portion in case a latest tag is pushed earlier in the workflow.
sed -n '1,80p' "$FILE" | cat -nRepository: CodeArtsAgent/CodeArtsSkills
Length of output: 6954
Align verify-jfrog with the pushed image tag
deploy-to-jfrogonly pushes:${{ github.sha }}, butverify-jfrogchecks:latest, so the verification step will fail unlesslatestis pushed elsewhere.RELEASE_IMAGEandRELEASE_DIGESTare written toGITHUB_ENVbut never read; if they need to cross jobs, expose them as job outputs instead.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml` around lines 227
- 234, Update the verify-jfrog flow to inspect the same image tag pushed by
deploy-to-jfrog, using the github.sha tag instead of latest. Remove the unused
RELEASE_IMAGE and RELEASE_DIGEST GITHUB_ENV assignments, or expose them as
outputs only if downstream jobs consume them; keep the digest inspection and
logging aligned with the pushed image.
| # Step 2: PUT with complete body (all required fields) | ||
| Write-Output "" | ||
| Write-Output "Step 2: Closing sprint..." | ||
| $endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ") |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Convert PowerShell timestamps to UTC before appending Z.
Get-Date returns local time, while Z declares UTC. On non-UTC hosts this shifts sprint start, end, and close timestamps by the timezone offset.
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1#L55-L55: convert the close timestamp to UTC.skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1#L57-L58: convert both start and end timestamps to UTC.
Proposed fix
- $endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
+ $endDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")- $startDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
- $endDate = (Get-Date).AddDays(14).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
+ $startDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
+ $endDate = (Get-Date).AddDays(14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| $endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ") | |
| $endDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") |
| $endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ") | |
| $startDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") | |
| $endDate = (Get-Date).AddDays(14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") |
📍 Affects 2 files
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1#L55-L55(this comment)skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1#L57-L58
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1`
at line 55, Convert the timestamps to UTC before formatting them with the
trailing Z: update the close timestamp in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1
lines 55-55, and both start and end timestamps in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1
lines 57-58. Preserve the existing yyyy-MM-ddTHH:mm:ss.fff format.
|
improve the skill according to suggestions of coderabbitai[bot]: (CodeArtsAgent/CodeArtsSkills#4) |
… remove redundant QG job - SKILL.md: replace remaining 'direct push' references with PR-based flow (heading, warning #10, step 7 conflict resolution) - SKILL.md: fix conflict resolution description from 'prefer dev' blanket strategy to domain-owner strategy - add_ssh_key.py: remove extraneous f-string prefix (Ruff F541) - ci-cd.yml: remove redundant sonar-qg-check job since sonar.qualitygate.wait=true already blocks on QG result; deploy-to-jfrog now depends directly on sonar-scan
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
skills/sdlc-agentic-pipeline/SKILL.md (1)
617-623: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winUse the same reliable PowerShell invocation for sprint close.
Line 623 omits
-NoProfile -ExecutionPolicy Bypass, although the corresponding Jira setup guidance requires those flags. On hosts with restrictive execution policy, sprint-close may fail; align the command or document why the difference is intentional.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 617 - 623, Update the sprint-close PowerShell invocation in the sprint close guidance to include both -NoProfile and -ExecutionPolicy Bypass, matching the established Jira setup invocation. Preserve the existing requirement to write and execute a .ps1 script with powershell -File, unless a documented intentional exception is required.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 636-637: Reflow the wrapped blockquote in the Step 7 documentation
so every `>` marker is followed by exactly one space, eliminating the MD027
warning while preserving the existing text and list structure.
---
Outside diff comments:
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 617-623: Update the sprint-close PowerShell invocation in the
sprint close guidance to include both -NoProfile and -ExecutionPolicy Bypass,
matching the established Jira setup invocation. Preserve the existing
requirement to write and execute a .ps1 script with powershell -File, unless a
documented intentional exception is required.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: fb7d303d-59f5-4979-89c7-c18a2938e8a4
📒 Files selected for processing (3)
skills/sdlc-agentic-pipeline/SKILL.mdskills/sdlc-agentic-pipeline/references/templates/add_ssh_key.pyskills/sdlc-agentic-pipeline/references/templates/ci-cd.yml
🚧 Files skipped from review as they are similar to previous changes (2)
- skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml
- skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py
| > time (Step 7). SDD docs use a docs branch + PR targeting `dev` (GitHub branch protection | ||
| > applies to the whole branch, so a PR is required); code changes require the full PR Merge Gate (5 sign-offs). |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Resolve the MD027 blockquote warning.
These wrapped lines contain multiple spaces immediately after >, which markdownlint flags. Reflow the blockquote so each marker has a single following space while preserving the warning’s list structure.
🧰 Tools
🪛 markdownlint-cli2 (0.23.0)
[warning] 636-636: Multiple spaces after blockquote symbol
(MD027, no-multiple-space-blockquote)
[warning] 637-637: Multiple spaces after blockquote symbol
(MD027, no-multiple-space-blockquote)
🪛 SkillSpector (2.3.11)
[warning] 619: [E1] External Transmission: Data is being sent to an external URL. This could be legitimate telemetry or data exfiltration. Manual review is recommended.
Remediation: Verify the destination URL is trusted and necessary. Remove or replace with documented APIs. Ensure no secrets, tokens, or PII are transmitted.
(Data Exfiltration (E1))
[warning] 27: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.
Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.
(Memory Poisoning (MP2))
[warning] 562: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.
Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.
(Memory Poisoning (MP2))
[warning] 567: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.
Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.
(Memory Poisoning (MP2))
[warning] 568: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.
Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.
(Memory Poisoning (MP2))
[warning] 570: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.
Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.
(Memory Poisoning (MP2))
[error] 216: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
[error] 144: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 636 - 637, Reflow the
wrapped blockquote in the Step 7 documentation so every `>` marker is followed
by exactly one space, eliminating the MD027 warning while preserving the
existing text and list structure.
Source: Linters/SAST tools
|
improve the skill according to suggestions of coderabbitai[bot]: #5 (review) |
Replace direct-push for docs/reports with docs branch + PR targeting dev (GitHub branch protection applies to whole branch, not individual paths)
Fix Jira API auth: require Atlassian gateway URL + MCP Authorization header from mcp_settings.json (direct site URL always returns 401)
Fix Windows PowerShell: use .ps1 script files instead of inline commands (Bash tool strips $ from inline PowerShell)
Add cross-platform sprint-start/sprint-close template scripts (ps1/sh)
Fix git clone: use credential helper, never embed PAT in URL
Fix merge conflict resolution: domain-owner based instead of blanket prefer-dev (main may contain production hotfixes not in dev)
Move JFrog non-secret config to GitHub Actions variables (separate secrets from variables)
Add deployment rollback using captured previous Docker image
Persist user-selected integration branch across all downstream agents
PM Agent no longer creates/merges PRs — developer agents handle all git operations
Summary by CodeRabbit