Skip to content

refactor(sdlc-pipeline): enforce PR-based docs flow, fix auth/security issues, add sprint scripts#5

Open
codeartstest wants to merge 3 commits into
CodeArtsAgent:mainfrom
codeartstest:main
Open

refactor(sdlc-pipeline): enforce PR-based docs flow, fix auth/security issues, add sprint scripts#5
codeartstest wants to merge 3 commits into
CodeArtsAgent:mainfrom
codeartstest:main

Conversation

@codeartstest

@codeartstest codeartstest commented Jul 18, 2026

Copy link
Copy Markdown
Contributor
  • Replace direct-push for docs/reports with docs branch + PR targeting dev (GitHub branch protection applies to whole branch, not individual paths)

  • Fix Jira API auth: require Atlassian gateway URL + MCP Authorization header from mcp_settings.json (direct site URL always returns 401)

  • Fix Windows PowerShell: use .ps1 script files instead of inline commands (Bash tool strips $ from inline PowerShell)

  • Add cross-platform sprint-start/sprint-close template scripts (ps1/sh)

  • Fix git clone: use credential helper, never embed PAT in URL

  • Fix merge conflict resolution: domain-owner based instead of blanket prefer-dev (main may contain production hotfixes not in dev)

  • Move JFrog non-secret config to GitHub Actions variables (separate secrets from variables)

  • Add deployment rollback using captured previous Docker image

  • Persist user-selected integration branch across all downstream agents

  • PM Agent no longer creates/merges PRs — developer agents handle all git operations

Summary by CodeRabbit

  • Documentation
    • Clarified branch protection with PR-based docs/report publishing and refined the dev→main merge/agent responsibilities.
    • Expanded Jira sprint guidance to require Atlassian API gateway auth and added Windows execution notes.
  • Security
    • Removed credential/pat-in-URL practices and tightened SSH host-key verification behavior.
  • CI/CD
    • Improved SonarCloud quality-gate timing, added image digest tracking for deployments/rollback, extended build caching, and updated trigger/verification flow.
  • Tooling
    • Added cross-platform sprint start/close script templates.

agentman3334 and others added 2 commits July 18, 2026 11:41
…y issues, add sprint scripts

- Replace direct-push docs/reports with docs branch + PR to dev
  (GitHub branch protection applies to whole branch, not paths)
- Fix Jira API auth: require Atlassian gateway URL + MCP Authorization
  header from mcp_settings.json (direct site URL always returns 401)
- Fix Windows PowerShell: use .ps1 script files instead of inline
  commands (Bash tool strips $ from inline PowerShell)
- Add sprint-start/sprint-close template scripts (ps1/sh)
- Fix git clone: use credential helper, never embed PAT in URL
- Fix merge conflict resolution: domain-owner based instead of
  blanket prefer-dev (main may contain production hotfixes)
- Move JFrog non-secret config to GitHub Actions variables
- Add deployment rollback using captured previous image
- Persist user-selected integration branch across all downstream agents
- PM Agent no longer creates/merges PRs (developer agents handle)
@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The PR updates SDLC pipeline documentation and templates to enforce PR-based branch protection, secure repository and SSH access, gateway-based Jira sprint operations, stronger CI/CD validation, immutable release metadata, and rollback handling.

Changes

SDLC pipeline and agent workflows

Layer / File(s) Summary
Branch and agent workflow updates
skills/sdlc-agentic-pipeline/SKILL.md, references/pipeline.md, references/agents/*, references/setup/service-onboarding.md
SDD, reports, frontend changes, and supplemental files now use developer-created branches and PRs targeting dev; merge ownership and idempotency guidance are updated.
Jira sprint operation templates
references/agents/pm-agent.md, references/pipeline.md, references/templates/sprint-scripts/*
Jira sprint operations use the Atlassian gateway, MCP-provided authorization, cross-platform scripts, full update payloads, state validation, and script cleanup.
Secure repository and SSH access
references/agents/backend-agent.md, references/agents/devops-agent.md, references/setup/service-onboarding.md, references/templates/add_ssh_key.py
PATs are removed from clone URLs, and SSH connections validate known hosts with explicit failure handling.
CI, release, and deployment configuration
references/agents/devops-agent.md, references/templates/ci-cd.yml, references/templates/env-template.env, references/templates/set-secrets.js, references/templates/mcp-settings.json
CI waits for Sonar quality gates, publishes image digests, validates GitHub settings, deploys release tags, and restores captured images during rollback.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: PR-based docs flow, security/auth fixes, and added sprint scripts.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
skills/sdlc-agentic-pipeline/SKILL.md (1)

1-1: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Stale "direct push" references contradict the new PR-based documentation flow. The PR updated several sections to require a docs branch + PR targeting dev, but three other sections still reference the old direct-push approach, creating contradictory guidance within the same file.

  • skills/sdlc-agentic-pipeline/SKILL.md#L174-L175: Update the heading at line 173 from "Direct push for docs/reports" to reflect the PR-based flow (e.g., "PR-based flow for docs/reports").
  • skills/sdlc-agentic-pipeline/SKILL.md#L694-L696: Update Warning #10 at lines 636–637 to replace "SDD docs use direct push (no PR needed, path-based branch protection gates)" with the PR-based requirement now described at lines 694–696.
  • skills/sdlc-agentic-pipeline/SKILL.md#L712-L713: Update the "Push Report to GitHub" section at lines 389–393 to replace "DIRECT PUSH to dev (no PR needed - reports/** exempt via path-based branch protection)" with the PR-based flow now described at lines 712–713.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/SKILL.md` at line 1, Replace the three stale
direct-push references in SKILL.md with consistent PR-based documentation
guidance: rename the docs/reports heading, update Warning `#10`, and revise the
“Push Report to GitHub” section to require a docs branch and PR targeting dev.
Preserve the wording and workflow established by the existing PR-based sections.
🧹 Nitpick comments (2)
skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py (1)

22-22: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove extraneous f prefix.

f"Then re-run this script." has no interpolated placeholders. Ruff flags this as F541.

♻️ Proposed fix
-        print(f"Then re-run this script.")
+        print("Then re-run this script.")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py` at line 22,
Remove the unnecessary f-string prefix from the static print message in the
add_ssh_key script, changing it to a regular string while preserving the
existing output.

Source: Linters/SAST tools

skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml (1)

148-149: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

sonar-qg-check job is now redundant with sonar.qualitygate.wait=true.

With -Dsonar.qualitygate.wait=true, the sonar-scan step itself waits for QG evaluation and fails if the gate doesn't pass. The separate sonar-qg-check job (lines 151–168, which needs: sonar-scan) will never run when the QG fails (because sonar-scan already failed) and is unnecessary when it passes. Consider removing sonar-qg-check and updating deploy-to-jfrog to needs: sonar-scan directly.

♻️ Proposed refactor
   sonar-scan:
     needs:
       - build
     # ... (sonar-scan step with qualitygate.wait=true already gates)

-  sonar-qg-check:
-    needs:
-      - sonar-scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check SonarCloud Quality Gate
-        run: |
-          QG_STATUS=$(curl -s -u "${{ secrets.SONAR_TOKEN }}:" \
-            "https://sonarcloud.io/api/qualitygates/project_status?projectKey=${{ vars.SONAR_PROJECT_KEY }}" \
-            | jq -r '.projectStatus.status')
-          if [ "$QG_STATUS" != "OK" ]; then
-            echo "ERROR: SonarCloud Quality Gate FAILED ($QG_STATUS)"
-            echo "Docker image will NOT be built or pushed to JFrog"
-            exit 1
-          fi
-          echo "SonarCloud Quality Gate PASSED - proceeding to deploy"
-
   deploy-to-jfrog:
     needs:
-      - sonar-qg-check
+      - sonar-scan
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml` around lines 148
- 149, Remove the redundant sonar-qg-check job now that the sonar-scan step
waits for and enforces the quality gate via sonar.qualitygate.wait=true. Update
deploy-to-jfrog to depend directly on sonar-scan, preserving the existing
deployment gating behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/sdlc-agentic-pipeline/references/agents/devops-agent.md`:
- Around line 558-564: Update the deployment-failure rollback flow to check
whether previousImage is empty before running the rollback SSH/docker command.
For a first deployment with no previous image, skip rollback and report
“Deployment to Huawei Cloud ECS FAILED - no previous image available for
rollback”; retain the existing rollback command and success/failure message only
when previousImage is available.

In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md`:
- Line 94: The workflow hard-codes dev instead of consistently using the
PM-selected integration/release branch. In
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:94, define the
persisted branch value and its contract for downstream agents; in
skills/sdlc-agentic-pipeline/references/pipeline.md:46-50, 100-105, 186-187, and
313-316, replace hard-coded dev references with that propagated value for merge
checks, SDD and report PR targets, workflow monitoring, and idempotency
evaluation.
- Around line 225-228: Update the .env-reading loop in the Step 1
project-context setup to process the final unterminated line by using a read
condition that accepts EOF, and strip trailing carriage returns from each parsed
value before exporting JIRA_* variables. Preserve safe parsing without sourcing
or evaluating the .env file.

In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md`:
- Around line 407-430: Update the frontend dispatch flow described in the
“Frontend Agent builds concurrently with Backend” section so dispatch occurs
only after the Backend Agent reports the repository URL and confirms the remote
origin/dev branch exists. Preserve concurrency only for frontend implementation
after this repository bootstrap gate, and adjust the heading and sequencing
instructions to reflect that constraint.
- Around line 111-114: Move the Q0 question and selection storage before the
provisioning procedure, so the user-level or project-level choice is established
before any agent files are copied. Update the provisioning flow to derive all
skill, config, and reference source/target paths from that stored selection
instead of hard-coding `.codeartsdoer/...`; keep the question and option
descriptions concise.

In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py`:
- Around line 17-23: Update the exception handler around ssh.connect in the
add_ssh_key flow to catch OSError alongside paramiko.SSHException. Route both
SSH and network connection failures through the existing helpful error messages
and clean sys.exit(1) behavior, preserving the current connection parameters and
success path.

In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml`:
- Around line 227-234: Update the verify-jfrog flow to inspect the same image
tag pushed by deploy-to-jfrog, using the github.sha tag instead of latest.
Remove the unused RELEASE_IMAGE and RELEASE_DIGEST GITHUB_ENV assignments, or
expose them as outputs only if downstream jobs consume them; keep the digest
inspection and logging aligned with the pushed image.

In
`@skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1`:
- Line 55: Convert the timestamps to UTC before formatting them with the
trailing Z: update the close timestamp in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1
lines 55-55, and both start and end timestamps in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1
lines 57-58. Preserve the existing yyyy-MM-ddTHH:mm:ss.fff format.

In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 712-713: Update the “Push Report to GitHub” instructions to remove
the direct-push and path-based-exemption workflow, and require creating a docs
branch with a pull request targeting dev before merging. Keep the workflow
consistent with the backend/developer ownership rule described in the changed
section.
- Around line 694-696: Update Warning `#10` in the SDD workflow documentation to
remove the direct-push/no-PR guidance and describe the required developer-agent
docs branch with a pull request targeting dev, consistent with the SDD document
publishing flow.
- Around line 174-175: Update the stale headings and instructions in SKILL.md
that describe direct pushes for docs/reports: revise the section around the docs
branch guidance, the “DIRECT PUSH to dev” section, and the “SDD docs use direct
push” section to consistently describe the required PR-based flow targeting dev.
Preserve the surrounding workflow details while removing contradictory no-PR
language.

---

Outside diff comments:
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Line 1: Replace the three stale direct-push references in SKILL.md with
consistent PR-based documentation guidance: rename the docs/reports heading,
update Warning `#10`, and revise the “Push Report to GitHub” section to require a
docs branch and PR targeting dev. Preserve the wording and workflow established
by the existing PR-based sections.

---

Nitpick comments:
In `@skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py`:
- Line 22: Remove the unnecessary f-string prefix from the static print message
in the add_ssh_key script, changing it to a regular string while preserving the
existing output.

In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml`:
- Around line 148-149: Remove the redundant sonar-qg-check job now that the
sonar-scan step waits for and enforces the quality gate via
sonar.qualitygate.wait=true. Update deploy-to-jfrog to depend directly on
sonar-scan, preserving the existing deployment gating behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e142f9a0-02ef-42b9-9956-de68f7414b6c

📥 Commits

Reviewing files that changed from the base of the PR and between 87bbc34 and 0428f67.

📒 Files selected for processing (18)
  • skills/sdlc-agentic-pipeline/SKILL.md
  • skills/sdlc-agentic-pipeline/references/agents/backend-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/code-reviewer-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/devops-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/frontend-agent.md
  • skills/sdlc-agentic-pipeline/references/agents/pm-agent.md
  • skills/sdlc-agentic-pipeline/references/pipeline.md
  • skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md
  • skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py
  • skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml
  • skills/sdlc-agentic-pipeline/references/templates/env-template.env
  • skills/sdlc-agentic-pipeline/references/templates/mcp-settings.json
  • skills/sdlc-agentic-pipeline/references/templates/set-secrets.js
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/README.md
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.sh
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.sh

Comment on lines +558 to +564
- If deployment fails: rollback using the captured previous image:
```bash
ssh -i "$sshKey" "$ecsUser@$ecsHost" "docker stop $containerName; docker rm $containerName; docker run -d --name $containerName -p 80:80 $previousImage"
```
- Report success or failure to PM Agent via Jira comment:
- Success: `@agent:pm Deployment to Huawei Cloud ECS complete - version <tag> live at http://<ECS_HOST>`
- Failure: `@agent:pm Deployment to Huawei Cloud ECS FAILED - rollback executed`
- Success: `@agent:pm Deployment to Huawei Cloud ECS complete - version <RELEASE_TAG> live at http://<ECS_HOST>`
- Failure: `@agent:pm Deployment to Huawei Cloud ECS FAILED - rollback executed to previous image`

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Rollback fails silently on first deployment when previousImage is empty.

On the first deployment, previousImage will be empty (lines 524 and 503 capture it with a fallback to empty string). The rollback command docker run -d --name $containerName -p 80:80 $previousImage with an empty image argument will fail, and the Jira comment will still say "rollback executed to previous image" — misleading when there was no previous image.

Add a guard before attempting rollback:

🛡️ Proposed fix
 - If deployment fails: rollback using the captured previous image:
+  If `previousImage` is non-empty:
   ```bash
   ssh -i "$sshKey" "$ecsUser@$ecsHost" "docker stop $containerName; docker rm $containerName; docker run -d --name $containerName -p 80:80 $previousImage"
  • If previousImage is empty (first deployment): do NOT attempt rollback. Report:
  • @agent:pm Deployment to Huawei Cloud ECS FAILED - no previous image available for rollback
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @skills/sdlc-agentic-pipeline/references/agents/devops-agent.md around lines
558 - 564, Update the deployment-failure rollback flow to check whether
previousImage is empty before running the rollback SSH/docker command. For a
first deployment with no previous image, skip rollback and report “Deployment to
Huawei Cloud ECS FAILED - no previous image available for rollback”; retain the
existing rollback command and success/failure message only when previousImage is
available.


</details>

<!-- cr-indicator-types:potential_issue -->

<!-- cr-comment:v1:b7c993e925966ad350593441 -->

<!-- This is an auto-generated comment by CodeRabbit -->

- Inventories existing artifacts (Dockerfiles, docker-compose.yml, ci-cd.yml, etc.)
- Asks the user about their development intent (new features, bug fixes, etc.)
- Asks the user about their preferred branch strategy
- Asks the user about their preferred branch strategy and **persists the selected integration/release branch** — this branch is passed to every downstream agent (Backend, Frontend, DevOps) and used for CI/CD triggers, feature merges, and release PRs instead of hard-coding `dev`

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Propagate the selected integration branch as an explicit workflow value.

The PM instruction promises propagation, but downstream instructions still hard-code dev. Existing repositories choosing another integration branch will create PRs, monitor CI, and evaluate idempotency against the wrong branch.

  • skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L94-L94: define the persisted integration/release branch contract passed to agents.
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L46-L50: check merge state against the selected integration branch.
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L100-L105: target SDD PRs at that branch.
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L186-L187: monitor the workflow trigger on that branch.
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L313-L316: target report PRs at that branch.
📍 Affects 2 files
  • skills/sdlc-agentic-pipeline/references/agents/pm-agent.md#L94-L94 (this comment)
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L46-L50
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L100-L105
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L186-L187
  • skills/sdlc-agentic-pipeline/references/pipeline.md#L313-L316
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` at line 94, The
workflow hard-codes dev instead of consistently using the PM-selected
integration/release branch. In
skills/sdlc-agentic-pipeline/references/agents/pm-agent.md:94, define the
persisted branch value and its contract for downstream agents; in
skills/sdlc-agentic-pipeline/references/pipeline.md:46-50, 100-105, 186-187, and
313-316, replace hard-coded dev references with that propagated value for merge
checks, SDD and report PR targets, workflow monitoring, and idempotency
evaluation.

Comment on lines +225 to +228
# Step 1: Read .env for project context (safe parsing — never source/eval .env)
while IFS='=' read -r key value; do
case "$key" in JIRA_*) export "$key=$value" ;; esac
done < "<PROJECT_ROOT>/.env"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Handle CRLF files and an unterminated final .env line.

Line 226 retains \r in Windows-authored values and skips a final line without a newline. JIRA_PROJECT_KEY can become SCRUM\r, causing the board filter to miss its board.

Proposed fix
-while IFS='=' read -r key value; do
-  case "$key" in JIRA_*) export "$key=$value" ;; esac
+while IFS='=' read -r key value || [ -n "$key" ]; do
+  key=${key%$'\r'}
+  value=${value%$'\r'}
+  case "$key" in JIRA_[A-Za-z0-9_]*) export "$key=$value" ;; esac
 done < "<PROJECT_ROOT>/.env"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Step 1: Read .env for project context (safe parsing — never source/eval .env)
while IFS='=' read -r key value; do
case "$key" in JIRA_*) export "$key=$value" ;; esac
done < "<PROJECT_ROOT>/.env"
# Step 1: Read .env for project context (safe parsing — never source/eval .env)
while IFS='=' read -r key value || [ -n "$key" ]; do
key=${key%$'\r'}
value=${value%$'\r'}
case "$key" in JIRA_[A-Za-z0-9_]*) export "$key=$value" ;; esac
done < "<PROJECT_ROOT>/.env"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/agents/pm-agent.md` around lines 225
- 228, Update the .env-reading loop in the Step 1 project-context setup to
process the final unterminated line by using a read condition that accepts EOF,
and strip trailing carriage returns from each parsed value before exporting
JIRA_* variables. Preserve safe parsing without sourcing or evaluating the .env
file.

Comment on lines +111 to +114
> All subsequent skill, config, and reference source/target paths are derived from
> this selection (user-level: `~/.codeartsdoer/...`, project-level: `.codeartsdoer/...`).

Ask the user via the `question` tool which option they want. **Keep the question and option descriptions short** - do NOT include long explanations of agent roles or internal pipeline details. The user only needs to understand the choice, not the implementation:
Ask the user via the `question` tool which option they want. **Keep the question and option descriptions short** - do NOT include long explanations of agent roles or internal pipeline details. The user only needs to understand the choice, not the implementation. Store the selection for use in all subsequent path derivations.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Ask Q0 before auto-provisioning agent files.

The procedure at Lines 13-101 runs first and hard-codes .codeartsdoer/...; Q0 is only asked afterward. A user selecting user-level storage therefore gets agent definitions copied to the wrong location. Move Q0 ahead of provisioning and derive those source/target paths from the stored selection.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around
lines 111 - 114, Move the Q0 question and selection storage before the
provisioning procedure, so the user-level or project-level choice is established
before any agent files are copied. Update the provisioning flow to derive all
skill, config, and reference source/target paths from that stored selection
instead of hard-coding `.codeartsdoer/...`; keep the question and option
descriptions concise.

Comment on lines +407 to +430
3. **Frontend Agent builds concurrently with Backend** (PM dispatches via Jira async):
- The Backend Agent has already created the repo, cloned it, and created the `dev` branch
- Pass the frontend scope, tech stack, project prompt, AND the repository URL to the Frontend Agent
- The Frontend Agent clones the repository from the URL provided by the Backend Agent
- The Frontend Agent works on an isolated feature branch (not directly on `dev`):
```bash
git clone "https://github.com/<GITHUB_OWNER>/<NEW_REPO_NAME>.git"
cd <NEW_REPO_NAME>
git checkout -b feature/frontend/initial-build dev
```
- The Frontend Agent generates:
- Complete directory structure (`frontend/src/`, `frontend/public/`)
- Actual implementation code for all UI features
- Configuration files (`package.json`, frontend `Dockerfile`)
- Component-level tests
- The Frontend Agent writes files into the cloned repo's `frontend/` directory
- The Frontend Agent commits frontend code and pushes to `dev`:
```bash
cd <NEW_REPO_NAME>
git add frontend/
git commit -m "feat: initial frontend build from prompt"
git push origin dev
```
- The Frontend Agent writes files into the cloned repo's `frontend/` directory
- The Frontend Agent commits frontend code and pushes to its feature branch:
```bash
git add frontend/
git commit -m "feat: initial frontend build from prompt"
git push origin feature/frontend/initial-build
```
- After Backend Agent completes, the Frontend Agent (or Backend Agent if both active)
creates a PR from `feature/frontend/initial-build` to `dev` and merges it

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Gate frontend dispatch on repository bootstrap.

Line 407 says this runs concurrently, but Lines 408-416 require the Backend Agent to have already created and pushed dev. The frontend clone/checkout fails if it starts before that point. Dispatch frontend work only after Backend reports the repository URL and confirms origin/dev exists; parallelize implementation only after bootstrap.

🧰 Tools
🪛 markdownlint-cli2 (0.23.0)

[warning] 407-407: Inconsistent indentation for list items at the same level
Expected: 0; Actual: 1

(MD005, list-indent)


[warning] 418-418: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5

(MD005, list-indent)


[warning] 419-419: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5

(MD005, list-indent)


[warning] 420-420: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5

(MD005, list-indent)


[warning] 421-421: Inconsistent indentation for list items at the same level
Expected: 4; Actual: 5

(MD005, list-indent)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/setup/service-onboarding.md` around
lines 407 - 430, Update the frontend dispatch flow described in the “Frontend
Agent builds concurrently with Backend” section so dispatch occurs only after
the Backend Agent reports the repository URL and confirms the remote origin/dev
branch exists. Preserve concurrency only for frontend implementation after this
repository bootstrap gate, and adjust the heading and sequencing instructions to
reflect that constraint.

Comment on lines +227 to +234
- name: Publish image digest as release artifact
run: |
DIGEST=$(docker buildx imagetools inspect ${{ env.JF_DOCKER_REGISTRY }}/<JFROG_REPO_KEY>/<GITHUB_REPO>:${{ github.sha }} --format '{{.Digest}}' 2>/dev/null || echo "")
echo "RELEASE_IMAGE=${{ env.JF_DOCKER_REGISTRY }}/<JFROG_REPO_KEY>/<GITHUB_REPO>:${{ github.sha }}" >> $GITHUB_ENV
echo "RELEASE_DIGEST=${DIGEST}" >> $GITHUB_ENV
echo "Deployable image: ${{ env.JF_DOCKER_REGISTRY }}/<JFROG_REPO_KEY>/<GITHUB_REPO>:${{ github.sha }}"
echo "Digest: ${DIGEST}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if a :latest tag is pushed anywhere in ci-cd.yml (including hidden lines 1-63)
grep -n 'latest' skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml

# Check if RELEASE_IMAGE or RELEASE_DIGEST are consumed anywhere
grep -n 'RELEASE_IMAGE\|RELEASE_DIGEST' skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml

Repository: CodeArtsAgent/CodeArtsSkills

Length of output: 844


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE='skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml'

# Show the relevant job/step context around the export and verify sections.
sed -n '210,270p' "$FILE" | cat -n

# Show the top portion in case a latest tag is pushed earlier in the workflow.
sed -n '1,80p' "$FILE" | cat -n

Repository: CodeArtsAgent/CodeArtsSkills

Length of output: 6954


Align verify-jfrog with the pushed image tag

  • deploy-to-jfrog only pushes :${{ github.sha }}, but verify-jfrog checks :latest, so the verification step will fail unless latest is pushed elsewhere.
  • RELEASE_IMAGE and RELEASE_DIGEST are written to GITHUB_ENV but never read; if they need to cross jobs, expose them as job outputs instead.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml` around lines 227
- 234, Update the verify-jfrog flow to inspect the same image tag pushed by
deploy-to-jfrog, using the github.sha tag instead of latest. Remove the unused
RELEASE_IMAGE and RELEASE_DIGEST GITHUB_ENV assignments, or expose them as
outputs only if downstream jobs consume them; keep the digest inspection and
logging aligned with the pushed image.

# Step 2: PUT with complete body (all required fields)
Write-Output ""
Write-Output "Step 2: Closing sprint..."
$endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Convert PowerShell timestamps to UTC before appending Z.

Get-Date returns local time, while Z declares UTC. On non-UTC hosts this shifts sprint start, end, and close timestamps by the timezone offset.

  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1#L55-L55: convert the close timestamp to UTC.
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1#L57-L58: convert both start and end timestamps to UTC.
Proposed fix
- $endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
+ $endDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
- $startDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
- $endDate = (Get-Date).AddDays(14).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
+ $startDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
+ $endDate = (Get-Date).AddDays(14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
$endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$endDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Suggested change
$endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$startDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$endDate = (Get-Date).AddDays(14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
📍 Affects 2 files
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1#L55-L55 (this comment)
  • skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1#L57-L58
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1`
at line 55, Convert the timestamps to UTC before formatting them with the
trailing Z: update the close timestamp in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-close.ps1
lines 55-55, and both start and end timestamps in
skills/sdlc-agentic-pipeline/references/templates/sprint-scripts/sprint-start.ps1
lines 57-58. Preserve the existing yyyy-MM-ddTHH:mm:ss.fff format.

Comment thread skills/sdlc-agentic-pipeline/SKILL.md
Comment thread skills/sdlc-agentic-pipeline/SKILL.md
Comment thread skills/sdlc-agentic-pipeline/SKILL.md
@codeartstest

Copy link
Copy Markdown
Contributor Author

improve the skill according to suggestions of coderabbitai[bot]: (CodeArtsAgent/CodeArtsSkills#4)

… remove redundant QG job

- SKILL.md: replace remaining 'direct push' references with PR-based
  flow (heading, warning #10, step 7 conflict resolution)
- SKILL.md: fix conflict resolution description from 'prefer dev'
  blanket strategy to domain-owner strategy
- add_ssh_key.py: remove extraneous f-string prefix (Ruff F541)
- ci-cd.yml: remove redundant sonar-qg-check job since
  sonar.qualitygate.wait=true already blocks on QG result;
  deploy-to-jfrog now depends directly on sonar-scan

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
skills/sdlc-agentic-pipeline/SKILL.md (1)

617-623: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Use the same reliable PowerShell invocation for sprint close.

Line 623 omits -NoProfile -ExecutionPolicy Bypass, although the corresponding Jira setup guidance requires those flags. On hosts with restrictive execution policy, sprint-close may fail; align the command or document why the difference is intentional.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 617 - 623, Update the
sprint-close PowerShell invocation in the sprint close guidance to include both
-NoProfile and -ExecutionPolicy Bypass, matching the established Jira setup
invocation. Preserve the existing requirement to write and execute a .ps1 script
with powershell -File, unless a documented intentional exception is required.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 636-637: Reflow the wrapped blockquote in the Step 7 documentation
so every `>` marker is followed by exactly one space, eliminating the MD027
warning while preserving the existing text and list structure.

---

Outside diff comments:
In `@skills/sdlc-agentic-pipeline/SKILL.md`:
- Around line 617-623: Update the sprint-close PowerShell invocation in the
sprint close guidance to include both -NoProfile and -ExecutionPolicy Bypass,
matching the established Jira setup invocation. Preserve the existing
requirement to write and execute a .ps1 script with powershell -File, unless a
documented intentional exception is required.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: fb7d303d-59f5-4979-89c7-c18a2938e8a4

📥 Commits

Reviewing files that changed from the base of the PR and between 0428f67 and 9cf66f5.

📒 Files selected for processing (3)
  • skills/sdlc-agentic-pipeline/SKILL.md
  • skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py
  • skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • skills/sdlc-agentic-pipeline/references/templates/ci-cd.yml
  • skills/sdlc-agentic-pipeline/references/templates/add_ssh_key.py

Comment on lines +636 to +637
> time (Step 7). SDD docs use a docs branch + PR targeting `dev` (GitHub branch protection
> applies to the whole branch, so a PR is required); code changes require the full PR Merge Gate (5 sign-offs).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Resolve the MD027 blockquote warning.

These wrapped lines contain multiple spaces immediately after >, which markdownlint flags. Reflow the blockquote so each marker has a single following space while preserving the warning’s list structure.

🧰 Tools
🪛 markdownlint-cli2 (0.23.0)

[warning] 636-636: Multiple spaces after blockquote symbol

(MD027, no-multiple-space-blockquote)


[warning] 637-637: Multiple spaces after blockquote symbol

(MD027, no-multiple-space-blockquote)

🪛 SkillSpector (2.3.11)

[warning] 619: [E1] External Transmission: Data is being sent to an external URL. This could be legitimate telemetry or data exfiltration. Manual review is recommended.

Remediation: Verify the destination URL is trusted and necessary. Remove or replace with documented APIs. Ensure no secrets, tokens, or PII are transmitted.

(Data Exfiltration (E1))


[warning] 27: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.

Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.

(Memory Poisoning (MP2))


[warning] 562: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.

Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.

(Memory Poisoning (MP2))


[warning] 567: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.

Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.

(Memory Poisoning (MP2))


[warning] 568: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.

Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.

(Memory Poisoning (MP2))


[warning] 570: [MP2] Context Window Stuffing: Skill attempts to fill the context window with filler content, displacing legitimate instructions and safety constraints. This can degrade agent performance or bypass safety boundaries.

Remediation: Implement context-window management that detects and rejects padding or stuffing attempts. Prioritize system instructions over user-injected content.

(Memory Poisoning (MP2))


[error] 216: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


[error] 144: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/sdlc-agentic-pipeline/SKILL.md` around lines 636 - 637, Reflow the
wrapped blockquote in the Step 7 documentation so every `>` marker is followed
by exactly one space, eliminating the MD027 warning while preserving the
existing text and list structure.

Source: Linters/SAST tools

@codeartstest

Copy link
Copy Markdown
Contributor Author

improve the skill according to suggestions of coderabbitai[bot]: #5 (review)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants