feat: amber GHA — stop-on-run-finished, prompt split, security fixes

[Gkrumbach07]

Summary

GHA workflow updates. Depends on ambient-action v0.0.5 (ambient-code/ambient-action#4).

Changes

• Use stop-on-run-finished: 'true' with timeout: '0' — sessions stop when done, no inactivity timer
• @amber alone → fix prompt (PR: resolve CI/conflicts/reviews, issue: investigate and fix)
• @amber <text> → custom prompt (just context + user's words)
• Shell injection fix: comment body passed via env var
• Session summary uses || fallback
• Bump ambient-action to v0.0.5

Test plan

• @amber on PR → fix prompt triggers
• @amber do something on issue → custom prompt triggers
• amber:auto-fix label → fresh prompt triggers
• Batch cron runs and processes amber:managed PRs

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Renamed comment command and workflow labels from "@amber"/"amber:" to "@ambient-code"/"ambient-code:".
  • Improved comment parsing to detect and handle "@ambient-code" comments and added explicit PR-vs-issue branching via an IS_PR flag.
  • Disabled automatic timeouts for several workflow steps to avoid premature termination.
  • Consolidated session-summary selection to choose the first available summary.
  • Removed a fixed inactivity timeout and cleaned up session initialization logic.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0b027a1d-b60a-4882-baaa-8af7d2bde922

📥 Commits

Reviewing files that changed from the base of the PR and between af0c17d and 5f00f24.

📒 Files selected for processing (1)

• .github/workflows/amber-issue-handler.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/amber-issue-handler.yml

---

📝 Walkthrough

Walkthrough

GitHub Actions workflow renamed command surface from amber to ambient-code, adjusted comment parsing and PR detection via an IS_PR env var, changed ambient-action timeouts to 0, switched session-summary to first-non-empty outputs, and updated embedded Python imports and create-session payloads.

Changes

Cohort / File(s)	Summary
Comment trigger & parsing ​.github/workflows/amber-issue-handler.yml	Replaced @amber with @ambient-code in trigger/contains logic; updated shell parsing to strip @ambient-code and set prompt_type (fix when empty, otherwise custom).
PR detection & branching ​.github/workflows/amber-issue-handler.yml	Added IS_PR env var derived from github.event.issue.pull_request; branching now checks if [ "$IS_PR" = "true" ] instead of testing PR object presence.
Ambient action timeouts & session-summary ​.github/workflows/amber-issue-handler.yml	Changed three ambient-code/ambient-action@v0.0.4 step timeout values from '60' to '0'; session-summary now selects the first non-empty session-name/session-phase output via `
Batch PR fixer script, imports & labels ​.github/workflows/amber-issue-handler.yml	Embedded Python: added top-level import time and import uuid, removed redundant inline import; removed inactivityTimeout: 60 from create-session request; updated printed/managed/circuit-breaker labels to ambient-code:*.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Performance And Algorithmic Complexity	❌ Error	Sequential polling loop with fixed 3-second intervals risks exceeding 45-minute job timeout when processing multiple stopped PRs.	Implement exponential backoff, reduce per-PR timeout to 10-15 seconds, batch operations asynchronously, or increase job timeout to 60+ minutes.
Title check	⚠️ Warning	Title uses Conventional Commits format (feat: ...) but describes multiple unrelated changes (stop-on-run-finished, prompt split, security fixes) rather than a single cohesive changeset.	Focus the title on the primary change or split into multiple PRs. The actual changeset is predominantly a label rename (amber → ambient-code) with timeout adjustments, not the features described.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security And Secret Handling	✅ Passed	Workflows use ${{ secrets.* }} exclusively; no plaintext secrets, proper Authorization headers, and safe subprocess invocations prevent injection attacks.
Kubernetes Resource Safety	✅ Passed	PR modifies only GitHub Actions workflow file (.github/workflows/amber-issue-handler.yml), not Kubernetes infrastructure code, so custom check is not applicable.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/amber-gha-updates

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feat/amber-gha-updates

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/amber-issue-handler.yml (2)

267-271: ⚠️ Potential issue | 🟡 Minor

Prompt injection vector via user-controlled comment body.

The comment body is interpolated directly into the AI prompt. While access is restricted to MEMBER/OWNER/COLLABORATOR (line 133-135), a compromised or malicious collaborator could inject adversarial instructions.

Consider whether additional sanitization or explicit instruction boundaries are warranted for your threat model.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml around lines 267 - 271, The
workflow currently injects github.event.comment.body directly into the prompt
(prompt: | ... ${{ github.event.comment.body }}) which creates a
prompt-injection risk; change the prompt construction to (1) prepend a strict
system instruction that the model must treat all following text as user-supplied
data and must not follow any embedded instructions, (2) wrap the interpolated
content with explicit delimiters like "### BEGIN USER COMMENT" and "### END USER
COMMENT" so the model can clearly separate instructions from data, and (3)
sanitize the comment value before interpolation by normalizing/stripping control
characters and/or encoding it (e.g., base64) in the workflow and decoding only
in a safe runner step; update references to prompt and github.event.comment.body
in the workflow so the prompt uses the sanitized/encoded variable instead of raw
github.event.comment.body.

---

71-71: ⚠️ Potential issue | 🟠 Major

Pin actions to commit SHA and fix prompt injection vulnerability.

All four ambient-code/ambient-action uses (lines 71, 192, 224, 261) must be pinned to commit SHAs per coding guidelines—currently using semantic version tags. Verify intended version and replace with the appropriate SHA.

Additionally, line 271 directly injects github.event.comment.body (user-controlled) into the AI prompt without sanitization, creating a prompt injection vector. Sanitize or isolate this input.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml at line 71, Replace every use of
the ambient-code/ambient-action semantic tag with the corresponding commit SHA
(pin to exact commit) for all occurrences of the action (the steps currently
using ambient-code/ambient-action) to satisfy the pinning guideline; determine
the intended release and swap the version tag for its commit SHA. Also remove
direct injection of github.event.comment.body into the AI prompt and instead
sanitize or neutralize it before use (e.g., strip/escape dangerous sequences,
validate length and allowed characters, or pass it into a safe-context
variable), so the workflow step that constructs the AI prompt never concatenates
raw github.event.comment.body into the prompt payload.

🧹 Nitpick comments (1)

.github/workflows/amber-issue-handler.yml (1)

329-331: Consider checking subprocess return code.

gh() returns stdout but ignores failures (non-zero exit). Silent failures could cause confusing downstream behavior (e.g., empty JSON parsed as []).

🔧 Optional: add error checking

 def gh(*args):
     result = subprocess.run(["gh"] + list(args), capture_output=True, text=True)
+    if result.returncode != 0:
+        print(f"gh {' '.join(args)} failed: {result.stderr}")
     return result.stdout.strip()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml around lines 329 - 331, The gh()
helper currently returns stdout even when the subprocess fails, causing silent
failures; update gh to check the subprocess return code (result.returncode)
after subprocess.run and raise or surface an error when non-zero (include
result.stderr and exit code in the message) or use subprocess.run with
check=True to raise CalledProcessError, so callers parsing stdout (e.g., JSON)
won't receive empty/invalid data; keep function name gh and ensure any raised
error contains useful context (command arguments, returncode, stderr).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 267-271: The workflow currently injects github.event.comment.body
directly into the prompt (prompt: | ... ${{ github.event.comment.body }}) which
creates a prompt-injection risk; change the prompt construction to (1) prepend a
strict system instruction that the model must treat all following text as
user-supplied data and must not follow any embedded instructions, (2) wrap the
interpolated content with explicit delimiters like "### BEGIN USER COMMENT" and
"### END USER COMMENT" so the model can clearly separate instructions from data,
and (3) sanitize the comment value before interpolation by normalizing/stripping
control characters and/or encoding it (e.g., base64) in the workflow and
decoding only in a safe runner step; update references to prompt and
github.event.comment.body in the workflow so the prompt uses the
sanitized/encoded variable instead of raw github.event.comment.body.
- Line 71: Replace every use of the ambient-code/ambient-action semantic tag
with the corresponding commit SHA (pin to exact commit) for all occurrences of
the action (the steps currently using ambient-code/ambient-action) to satisfy
the pinning guideline; determine the intended release and swap the version tag
for its commit SHA. Also remove direct injection of github.event.comment.body
into the AI prompt and instead sanitize or neutralize it before use (e.g.,
strip/escape dangerous sequences, validate length and allowed characters, or
pass it into a safe-context variable), so the workflow step that constructs the
AI prompt never concatenates raw github.event.comment.body into the prompt
payload.

---

Nitpick comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 329-331: The gh() helper currently returns stdout even when the
subprocess fails, causing silent failures; update gh to check the subprocess
return code (result.returncode) after subprocess.run and raise or surface an
error when non-zero (include result.stderr and exit code in the message) or use
subprocess.run with check=True to raise CalledProcessError, so callers parsing
stdout (e.g., JSON) won't receive empty/invalid data; keep function name gh and
ensure any raised error contains useful context (command arguments, returncode,
stderr).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 47ab6600-ece8-44a6-8d55-90c2d7ee3dc9

📥 Commits

Reviewing files that changed from the base of the PR and between f56fb3c and 41803cb.

📒 Files selected for processing (1)

• .github/workflows/amber-issue-handler.yml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/amber-issue-handler.yml (1)

68-99: ⚠️ Potential issue | 🟠 Major

Pin ambient-code/ambient-action to commit SHAs instead of tag refs.

Lines 71, 191, 223, and 259 use @v0.0.4 (mutable tag refs) instead of fixed commit SHAs. This violates the coding guideline: "Pin action versions to SHA."

Replace each with the corresponding commit SHA for the intended release.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml around lines 68 - 99, The workflow
uses the mutable tag ambient-code/ambient-action@v0.0.4 in the "Create session"
step (and other steps) — replace each occurrence of uses:
ambient-code/ambient-action@v0.0.4 with the exact commit SHA for the intended
release (pin to a full commit hash) so the action is immutable; search the file
for all occurrences of ambient-code/ambient-action@v0.0.4 (e.g., the steps with
id=session and the other two uses entries) and update them to uses:
ambient-code/ambient-action@<commit-sha>, commit and verify the workflow runs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 405-407: The create-session payload currently built into the body
variable (containing initialPrompt, llmSettings, repos) omits inactivityTimeout
so the operator uses the default 24h; to disable inactivity stopping add an
explicit inactivityTimeout field to the payload (e.g., "inactivityTimeout": 0 or
the operator-supported sentinel) when constructing body so the session is
created with no inactivity timer. Make the change where body is defined (next to
initialPrompt/llmSettings/repos) so the operator receives the explicit setting.

---

Outside diff comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 68-99: The workflow uses the mutable tag
ambient-code/ambient-action@v0.0.4 in the "Create session" step (and other
steps) — replace each occurrence of uses: ambient-code/ambient-action@v0.0.4
with the exact commit SHA for the intended release (pin to a full commit hash)
so the action is immutable; search the file for all occurrences of
ambient-code/ambient-action@v0.0.4 (e.g., the steps with id=session and the
other two uses entries) and update them to uses:
ambient-code/ambient-action@<commit-sha>, commit and verify the workflow runs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 10cc006d-e1e8-4416-bd23-f6d6ddff5c2f

📥 Commits

Reviewing files that changed from the base of the PR and between 41803cb and d141e52.

📒 Files selected for processing (1)

• .github/workflows/amber-issue-handler.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Omitting inactivityTimeout here does not disable inactivity stopping.

At Line 405, the create-session payload now omits inactivityTimeout; with current operator behavior this falls back to the default inactivity timeout (24h). If the goal is “no inactivity timer,” this change does not implement that behavior.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml around lines 405 - 407, The
create-session payload currently built into the body variable (containing
initialPrompt, llmSettings, repos) omits inactivityTimeout so the operator uses
the default 24h; to disable inactivity stopping add an explicit
inactivityTimeout field to the payload (e.g., "inactivityTimeout": 0 or the
operator-supported sentinel) when constructing body so the session is created
with no inactivity timer. Make the change where body is defined (next to
initialPrompt/llmSettings/repos) so the operator receives the explicit setting.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/amber-issue-handler.yml (1)

71-98: ⚠️ Potential issue | 🟠 Major

Pin ambient-code/ambient-action to SHA and add stop-on-run-finished.

All four uses of ambient-code/ambient-action@v0.0.4 must be SHA-pinned per workflow security guidelines. Additionally, each action using timeout: '0' (lines 98, 252, 275) needs stop-on-run-finished: 'true' to enable the v0.0.5 stop-on-finished behavior.

Fix pattern

-        uses: ambient-code/ambient-action@v0.0.4
+        uses: ambient-code/ambient-action@<sha-for-v0.0.5>
         with:
+          stop-on-run-finished: 'true'
           timeout: '0'

Apply to all instances at lines 71–98, 224–252, 260–275.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml around lines 71 - 98, Replace the
three occurrences of "uses: ambient-code/ambient-action@v0.0.4" with the
corresponding SHA-pinned ref for that release (e.g.,
ambient-code/ambient-action@<COMMIT_SHA>) and add the stop-on-run-finished:
'true' input alongside existing inputs; specifically update the block that
contains uses: ambient-code/ambient-action@v0.0.4 and its with: section (the
prompt/repos/model/wait/timeout group) to include stop-on-run-finished: 'true'
and change timeout: '0' to keep the same semantics; apply the same SHA-pinning
and add stop-on-run-finished: 'true' to each of the other two matching blocks
that also use timeout: '0' so all four instances of ambient-code/ambient-action
are SHA-pinned and include stop-on-run-finished: 'true'.

♻️ Duplicate comments (1)

.github/workflows/amber-issue-handler.yml (1)

405-408: ⚠️ Potential issue | 🟠 Major

Batch-created sessions still inherit the default inactivity timeout.

Omitting inactivityTimeout here does not disable it; per the CRD, omission falls back to the project default / 24h. That makes the batch path inconsistent with the “no inactivity timer” goal.

Minimal fix

               body = {"initialPrompt": prompt,
+                      "inactivityTimeout": 0,
                       "llmSettings": {"model": model},
                       "repos": [{"url": f"https://github.com/{REPO}", "branch": "main"}]}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml around lines 405 - 408, The batch
session creation builds the request body in the variable named body but omits
inactivityTimeout so the CRD applies the project default; add an explicit
"inactivityTimeout": 0 key to the body dict (alongside "initialPrompt",
"llmSettings", "repos") so batch-created sessions disable the inactivity timer
as intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 151-156: The workflow strips "@ambient-code" into STRIPPED for
classification but still forwards the raw COMMENT_BODY to the agent; change the
plumbing so the parsed instruction (e.g., STRIPPED or a new variable like
PARSED_INSTRUCTION) is exported and used wherever the raw comment is currently
forwarded (the block that writes the agent input/output currently using
COMMENT_BODY). Update the existing strip logic that produces STRIPPED to trim
leading/trailing whitespace and export that value to GITHUB_OUTPUT (e.g.,
instruction_text) and replace references that pass COMMENT_BODY (the forwarding
around the prompt_type/custom prompt code) to use the exported parsed value
instead.

---

Outside diff comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 71-98: Replace the three occurrences of "uses:
ambient-code/ambient-action@v0.0.4" with the corresponding SHA-pinned ref for
that release (e.g., ambient-code/ambient-action@<COMMIT_SHA>) and add the
stop-on-run-finished: 'true' input alongside existing inputs; specifically
update the block that contains uses: ambient-code/ambient-action@v0.0.4 and its
with: section (the prompt/repos/model/wait/timeout group) to include
stop-on-run-finished: 'true' and change timeout: '0' to keep the same semantics;
apply the same SHA-pinning and add stop-on-run-finished: 'true' to each of the
other two matching blocks that also use timeout: '0' so all four instances of
ambient-code/ambient-action are SHA-pinned and include stop-on-run-finished:
'true'.

---

Duplicate comments:
In @.github/workflows/amber-issue-handler.yml:
- Around line 405-408: The batch session creation builds the request body in the
variable named body but omits inactivityTimeout so the CRD applies the project
default; add an explicit "inactivityTimeout": 0 key to the body dict (alongside
"initialPrompt", "llmSettings", "repos") so batch-created sessions disable the
inactivity timer as intended.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 728b0dca-1243-41c0-9858-c10a8fb9698c

📥 Commits

Reviewing files that changed from the base of the PR and between 07285b5 and af0c17d.

📒 Files selected for processing (1)

• .github/workflows/amber-issue-handler.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Reuse the parsed command text for custom prompts.

Line 152 strips the command only for classification, but Line 270 still forwards the raw comment body. @ambient-code do X therefore reaches the agent as the literal command instead of just do X.

One way to wire the parsed instruction through

-          STRIPPED=$(echo "$COMMENT_BODY" | sed 's/@ambient-code//g' | tr -d '[:space:]')
-          if [ -z "$STRIPPED" ]; then
+          COMMAND_TEXT=$(printf '%s' "$COMMENT_BODY" | sed -E 's/^[[:space:]]*@ambient-code[[:space:]]*//')
+          if [ -z "$(printf '%s' "$COMMAND_TEXT" | tr -d '[:space:]')" ]; then
             echo "prompt_type=fix" >> $GITHUB_OUTPUT
           else
             echo "prompt_type=custom" >> $GITHUB_OUTPUT
           fi
+          {
+            echo "command_text<<EOF"
+            printf '%s\n' "$COMMAND_TEXT"
+            echo "EOF"
+          } >> $GITHUB_OUTPUT
...
-            ${{ github.event.comment.body }}
+            ${{ steps.context.outputs.command_text }}

Also applies to: 266-270

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/amber-issue-handler.yml around lines 151 - 156, The
workflow strips "@ambient-code" into STRIPPED for classification but still
forwards the raw COMMENT_BODY to the agent; change the plumbing so the parsed
instruction (e.g., STRIPPED or a new variable like PARSED_INSTRUCTION) is
exported and used wherever the raw comment is currently forwarded (the block
that writes the agent input/output currently using COMMENT_BODY). Update the
existing strip logic that produces STRIPPED to trim leading/trailing whitespace
and export that value to GITHUB_OUTPUT (e.g., instruction_text) and replace
references that pass COMMENT_BODY (the forwarding around the prompt_type/custom
prompt code) to use the exported parsed value instead.