
refactor: simplify mapping schema and add guidance generation to /onboard #108

Open
vmrh21 wants to merge 6 commits into ambient-code:main from angaduom:simplify-mapping-and-onboard


@vmrh21 vmrh21 commented Apr 15, 2026

Summary

Simplified component-repository-mappings.json

The old schema had deeply nested objects with lots of prose-only fields that the workflow never actually read. The new schema is flat and focused on what the workflow needs:

Before:

{
  "ComponentName": {
    "container_to_repo_mapping": { "container": "repo" },
    "repositories": {
      "org/repo": {
        "github_url": "...", "default_branch": "main",
        "active_release_branches": [...], "branch_strategy": "...",
        "repo_type": "upstream", "subcomponent": "...",
        "cve_fix_workflow": { "primary_target": "...", "backport_targets": "..." },
        "build_location": "..."
      }
    }
  }
}

After:

{
  "ComponentName": {
    "repos": [
      {
        "url": "https://github.com/org/repo",
        "type": "upstream|midstream|downstream",
        "default_branch": "main",
        "active_branches": ["rhoai-3.4"],
        "containers": ["rhoai/odh-container-rhel9"],
        "subcomponent": "optional"
      }
    ]
  }
}

Removed fields: branch_strategy, cve_fix_workflow, protected_branches, repository_type, monorepo_packages — none of these were read by the workflow commands.

Containers now live on the repo that builds them instead of a separate top-level mapping.

File size: ~30KB → ~20KB.

/onboard now generates .cve-fix/examples.md

Added Step 5 to the onboard command: after collecting repo info, it analyzes recent CVE-related merged PRs in each repo and generates a .cve-fix/examples.md file covering:

  • Title and branch naming conventions
  • Files that change together
  • Co-upgrade patterns
  • PR description requirements
  • Don'ts (from rejected/closed PRs)

The guidance file is included in the same onboarding PR alongside the mapping update. Repos with <3 CVE PRs get a placeholder noting they should run /guidance.update after more CVE fixes accumulate.

Test plan

  • Run /cve.find llm-d — verify it reads new schema correctly
  • Run /cve.fix — verify it reads repos[].containers and repos[].active_branches
  • Run /onboard — verify it writes new schema format and generates examples.md

🤖 Generated with Claude Code

component-repository-mappings.json:
- Flatten schema: components now have a 'repos' array instead of
  nested 'repositories' object + 'container_to_repo_mapping' object
- Containers move onto the repo that builds them (more logical)
- Remove prose-only fields: branch_strategy, cve_fix_workflow,
  protected_branches, repository_type, monorepo_packages
- Keep essential fields: url, type, default_branch, active_branches,
  containers, subcomponent (optional), build_location (optional)
- File size reduced from ~30KB to ~20KB

onboard.md:
- Updated to use new simplified schema when adding components
- Added Step 5: generate .cve-fix/examples.md for each repo by
  analyzing CVE PR history (titles, branches, files, co-upgrades,
  don'ts) — same approach as /guidance.generate --cve-only
- Examples file included in the onboarding PR alongside mapping update

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
coderabbitai bot commented Apr 15, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 81f15ce and 10ee961.

📒 Files selected for processing (2)
  • workflows/cve-fixer/.claude/commands/onboard.md
  • workflows/cve-fixer/component-repository-mappings.json

Walkthrough

The CVE fixer onboarding workflow is restructured to request repo-specific container images instead of separate mappings, generate per-repo guidance files, and simplify Jira validation to always use MCP when available. The repository mapping schema shifts from a component-keyed structure with nested container mappings to a simplified repos array containing essential metadata like URLs, branches, and optional container information.

Changes

Cohort / File(s): CVE Fixer Workflow & Mapping (workflows/cve-fixer/.claude/commands/onboard.md, workflows/cve-fixer/component-repository-mappings.json)
Summary: Onboarding documentation revised to request repo-specific container images, generate per-repo .cve-fix/examples.md guidance, and simplify Jira validation to always use MCP. Repository mapping schema migrated from component-keyed structure with container_to_repo_mapping and nested repositories metadata to simplified repos array with url, type, default_branch, active_branches, and optional containers and subcomponent fields. Workflow/branch-strategy automation metadata removed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check: ✅ Passed. The title 'refactor: simplify mapping schema and add guidance generation to /onboard' accurately and concisely summarizes the two main changes: schema simplification and new guidance generation feature.
Description check: ✅ Passed. The description provides clear context by contrasting the old and new JSON schemas, explaining removed fields, detailing the new /onboard guidance generation step, and including a concrete test plan.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workflows/cve-fixer/.claude/commands/onboard.md`:
- Line 244: Replace the hardcoded co-author line "Co-Authored-By: Claude Sonnet
4.6 (1M context) <noreply@anthropic.com>" with a version-agnostic value or
template variable (e.g., CO_AUTHOR or a templated string) so the attribution
doesn't become stale; update the onboarding artifact that emits the string in
workflows/cve-fixer/.claude/commands/onboard.md to use the generic attribution
(for example "Co-Authored-By: Claude Sonnet <noreply@anthropic.com>") or pull
the version from a parameter so future version changes don't require code edits.
- Around line 231-237: The current transformation that builds EXAMPLES_DIR from
REPO_FULL uses tr '/' '-' which can collide (e.g., org/repo-name vs
org-repo/name); change the separator logic that sets EXAMPLES_DIR (the line that
computes EXAMPLES_DIR from REPO_FULL and the use of tr '/' '-') to replace '/'
with a double-underscore (e.g., use a substitution that maps '/' -> '__' so
EXAMPLES_DIR becomes "workflows/cve-fixer/.cve-fix/$(echo \"$REPO_FULL\" |
<replace '/' with '__'>)" ), preserving the rest of the loop (mkdir -p, echo to
examples.md, git add) unchanged.

In `@workflows/cve-fixer/component-repository-mappings.json`:
- Line 7: Several repository entries in component-repository-mappings.json have
"type": "unknown", which breaks routing for the CVE fix workflow; locate each
object with "type": "unknown" and replace it with the correct canonical role
("upstream", "midstream", or "downstream") for that repository, using the repo's
role in your org (or upstream project) as the source of truth; update all
occurrences (e.g., the entry currently showing "type": "unknown") and run the
repository mapping validation step (or add a simple schema check) to ensure no
"unknown" values remain so the workflow can route fixes correctly.
- Around line 1-24: The new schema flattened repositories into
components.*.repos[], so update code and docs that reference the old
container_to_repo_mapping and repositories objects: in
workflows/cve-fixer/.claude/commands/cve.find.md replace the jq query
`$c.container_to_repo_mapping | to_entries[]` and any
`$c.repositories[.value].subcomponent` lookups with queries that iterate over
`$c.components[] .repos[]` and, for each repo, iterate its `.containers[]` to
build container→repo mappings (use `.default_branch`, `.type` or `.repo_type`
field mapping and any `.branch_strategy` now on the repo object); in
workflows/cve-fixer/.claude/commands/cve.fix.md update Step 3.1 and the example
usages that still reference `container_to_repo_mapping`/`repositories` to the
same components[].repos[] traversal; and in workflows/cve-fixer/README.md
replace schema examples and docs (instances of `container_to_repo_mapping`,
`repositories`, `branch_strategy`, `repo_type`) with the new repos array
structure and field names so the commands’ jq queries match the new schema.

📥 Commits

Reviewing files that changed from the base of the PR and between d2ab1c9 and 81f15ce.

📒 Files selected for processing (2)
  • workflows/cve-fixer/.claude/commands/onboard.md
  • workflows/cve-fixer/component-repository-mappings.json

Comment on lines +231 to +237
for i in "${!REPO_URLS[@]}"; do
REPO_FULL=$(echo "${REPO_URLS[$i]}" | sed 's|https://github.com/||')
EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL" | tr '/' '-')"
mkdir -p "$EXAMPLES_DIR"
echo "${GENERATED_EXAMPLES[$i]}" > "${EXAMPLES_DIR}/examples.md"
git add "${EXAMPLES_DIR}/examples.md"
done

🧹 Nitpick | 🔵 Trivial

Consider alternative separator to avoid potential directory collisions.

Using tr '/' '-' means org/repo-name becomes org-repo-name, but a theoretical repo org-repo/name would produce the same directory. While GitHub naming rules make this unlikely, using __ as separator (e.g., org__repo-name) would be unambiguous.

💡 Optional: Use double-underscore separator
-     EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL" | tr '/' '-')"
+     EXAMPLES_DIR="workflows/cve-fixer/.cve-fix/$(echo "$REPO_FULL" | sed 's|/|__|')"
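Review bot: the `+` line's `sed 's|/|__|'` has no `g` flag, so it rewrites only the first `/` in REPO_FULL, whereas the `tr '/' '-'` it replaces rewrote every one. If a URL in REPO_URLS carries a trailing slash or an extra path segment, the remaining `/` ends up in EXAMPLES_DIR and `mkdir -p` creates a nested directory. Use `sed 's|/|__|g'` and check that REPO_FULL matches a plain owner/name form before building the path from it.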

- Add ${COMPONENT_NAME} to component-repository-mappings.json
- Generate .cve-fix/examples.md guidance for each repo

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>"

🧹 Nitpick | 🔵 Trivial

Consider making the co-author attribution version-agnostic.

Hardcoding "Claude Sonnet 4.6" in the commit message will become stale. Consider a generic attribution or parameterizing the version.

💡 Optional: Use generic attribution
-   Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>"
+   Co-Authored-By: Claude <noreply@anthropic.com>"
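Review bot: the `+` line shortens the trailer to "Claude", but the agent prompt for this same finding gives "Claude Sonnet" as its example, so the two forms of the suggestion disagree. Settle on one string before committing it, since onboard.md emits this line into the onboarding commit message.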

Comment on lines 1 to 24
{
"components": {
"AI Core Dashboard": {
"container_to_repo_mapping": {
"odh-dashboard-container": "opendatahub-io/odh-dashboard",
"rhoai/odh-dashboard-rhel8": "opendatahub-io/odh-dashboard",
"rhoai/odh-dashboard-rhel9": "opendatahub-io/odh-dashboard",
"rhoai/odh-mod-arch-gen-ai-rhel9": "opendatahub-io/odh-dashboard",
"rhoai/odh-mod-arch-model-registry-rhel9": "opendatahub-io/odh-dashboard",
"mod-arch-maas": "opendatahub-io/odh-dashboard"
},
"repositories": {
"opendatahub-io/odh-dashboard": {
"github_url": "https://github.com/opendatahub-io/odh-dashboard",
"default_branch": "main",
"protected_branches": [
"main",
"rhoai-release",
"odh-release"
],
"active_release_branches": [
"repos": [
{
"url": "https://github.com/opendatahub-io/odh-dashboard",
"type": "unknown",
"default_branch": "main",
"active_branches": [
"v2.29.0-fixes",
"v2.28.0-fixes",
"v2.27.0-fixes"
],
"branch_strategy": "Fix in main → auto-propagates to stable → rhoai (every 2 hours). Manual cherry-pick to release branches during code freeze.",
"cve_fix_workflow": {
"primary_target": "main",
"backport_targets": "Active vX.X.X-fixes branches for released versions",
"automation": "Auto-sync every 2 hours (main → stable → rhoai)",
"manual_intervention": "Cherry-pick during code freeze or for patch releases"
},
"repository_type": "monorepo",
"monorepo_packages": {
"packages/gen-ai": "Builds odh-mod-arch-gen-ai container",
"packages/model-registry": "Builds odh-mod-arch-modular-architecture container",
"packages/maas": "Builds mod-arch-maas container",
"packages/kserve": "KServe UI module",
"packages/model-serving": "Model serving UI module"
}
"containers": [
"mod-arch-maas",
"odh-dashboard-container",
"rhoai/odh-dashboard-rhel8",
"rhoai/odh-dashboard-rhel9",
"rhoai/odh-mod-arch-gen-ai-rhel9",
"rhoai/odh-mod-arch-model-registry-rhel9"
]
}
}
]
},
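Review bot: `"type": "unknown"` on the opendatahub-io/odh-dashboard entry is not one of the `upstream|midstream|downstream` values the PR description gives for this field. Set the repository's actual role here, and have whatever reads the mapping reject values outside that set rather than passing them through to /cve.fix.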

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if cve.fix.md and cve.find.md still reference old schema fields
echo "=== Checking for old schema references ==="
rg -n "container_to_repo_mapping|repositories\[|\.repo_type|\.branch_strategy" \
  --type md workflows/cve-fixer/

echo ""
echo "=== Files that may need updates ==="
rg -l "container_to_repo_mapping" workflows/cve-fixer/

Repository: ambient-code/workflows

Length of output: 312


🏁 Script executed:

#!/bin/bash
# List all files in the cve-fixer directory
echo "=== Files in workflows/cve-fixer/ ==="
find workflows/cve-fixer/ -type f | sort

echo ""
echo "=== All markdown files ==="
find workflows/cve-fixer/ -type f -name "*.md"

echo ""
echo "=== Check for exact filenames mentioned in review ==="
ls -la workflows/cve-fixer/cve.fix.md 2>&1
ls -la workflows/cve-fixer/cve.find.md 2>&1

Repository: ambient-code/workflows

Length of output: 1017


🏁 Script executed:

#!/bin/bash
echo "=== Content of cve.find.md ==="
cat -n workflows/cve-fixer/.claude/commands/cve.find.md

echo ""
echo "=== Content of cve.fix.md ==="
cat -n workflows/cve-fixer/.claude/commands/cve.fix.md

Repository: ambient-code/workflows

Length of output: 50381


🏁 Script executed:

#!/bin/bash
echo "=== Old schema references in cve.fix.md ==="
rg -n "container_to_repo_mapping|repositories\[|\.repo_type|\.branch_strategy" \
  workflows/cve-fixer/.claude/commands/cve.fix.md

echo ""
echo "=== Check context around these lines ==="
rg -n -B2 -A2 "container_to_repo_mapping" workflows/cve-fixer/.claude/commands/cve.fix.md

Repository: ambient-code/workflows

Length of output: 784


Breaking change: existing schema queries will fail until files are updated.

The schema migration from container_to_repo_mapping + repositories object structure to a flat repos array will break executable code in two command files:

  1. workflows/cve-fixer/.claude/commands/cve.find.md (lines 154–155): The jq query $c.container_to_repo_mapping | to_entries[] and $c.repositories[.value].subcomponent will fail since these fields no longer exist in the new schema.

  2. workflows/cve-fixer/.claude/commands/cve.fix.md (line 135): Step 3.1 references lookup in container_to_repo_mapping, which no longer exists. Line 1488 also shows the old schema in documentation examples.

  3. workflows/cve-fixer/README.md (lines 35, 262): Schema documentation still shows the old structure with container_to_repo_mapping, repositories, branch_strategy, and repo_type.

Update these files before merging, or the /cve.find and /cve.fix commands will fail when querying the mapping file.


Comment thread workflows/cve-fixer/component-repository-mappings.json Outdated
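
The stale-schema and `"type": "unknown"` findings above can both be caught by checking the mapping file against the new schema before any command reads it. This check is an added example, not code from this PR or the ambient-code project; `check_mapping`, the sample data and the `example-*` names are constructed. It assumes the top-level `components` key seen in the quoted file, the field lists from the PR description, and that each container resolves to one repo as it did under `container_to_repo_mapping`.

```python
import json

# Field sets taken from the PR description; treating them as the schema is an assumption.
ALLOWED_TYPES = {"upstream", "midstream", "downstream"}
REQUIRED_FIELDS = ("url", "type", "default_branch", "active_branches")
OLD_COMPONENT_KEYS = {"container_to_repo_mapping", "repositories"}
REMOVED_REPO_KEYS = {"branch_strategy", "cve_fix_workflow", "protected_branches",
                     "repository_type", "monorepo_packages"}

# Constructed sample: one entry with type "unknown", one clean component with a
# leftover removed field, and one component still in the old layout.
SAMPLE = {
    "components": {
        "AI Core Dashboard": {"repos": [{
            "url": "https://github.com/opendatahub-io/odh-dashboard",
            "type": "unknown",
            "default_branch": "main",
            "active_branches": ["v2.29.0-fixes"],
            "containers": ["rhoai/odh-dashboard-rhel9", "mod-arch-maas"],
        }]},
        "Example Component": {"repos": [
            {"url": "https://github.com/example-org/example-repo",
             "type": "upstream", "default_branch": "main", "active_branches": []},
            {"url": "https://github.com/example-downstream/example-repo",
             "type": "downstream", "default_branch": "main",
             "active_branches": ["rhoai-3.4"],
             "containers": ["rhoai/odh-container-rhel9"],
             "branch_strategy": "leftover prose field"},
        ]},
        "Legacy Component": {
            "container_to_repo_mapping": {"legacy-container": "example-org/legacy"},
            "repositories": {"example-org/legacy": {"default_branch": "main"}},
        },
    }
}


def check_mapping(doc):
    """Return (container -> repo URL index, list of schema problems)."""
    index, problems = {}, []
    for comp_name, comp in doc.get("components", {}).items():
        for key in sorted(OLD_COMPONENT_KEYS & comp.keys()):
            problems.append(f"{comp_name}: old-schema key '{key}'")
        repos = comp.get("repos")
        if not isinstance(repos, list):
            problems.append(f"{comp_name}: missing 'repos' array")
            continue
        for repo in repos:
            url = repo.get("url", "<no url>")
            where = f"{comp_name} / {url}"
            for field in REQUIRED_FIELDS:
                if field not in repo:
                    problems.append(f"{where}: missing '{field}'")
            if "type" in repo and repo["type"] not in ALLOWED_TYPES:
                problems.append(f"{where}: type '{repo['type']}' not in allowed set")
            for key in sorted(REMOVED_REPO_KEYS & repo.keys()):
                problems.append(f"{where}: removed field '{key}' still present")
            # Containers now live on the repo that builds them; invert to a lookup.
            for container in repo.get("containers", []):
                owner = index.setdefault(container, url)
                if owner != url:
                    problems.append(f"container '{container}' claimed by {owner} and {url}")
    return index, problems


if __name__ == "__main__":
    idx, found = check_mapping(SAMPLE)
    print(json.dumps(idx, indent=2))
    for line in found:
        print("PROBLEM:", line)
    raise SystemExit(1 if found else 0)
```

Run against the real file in CI, a non-zero exit stops a mapping with stale keys or an unrouteable `type` from reaching the commands that consume it.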
vmrh21 and others added 5 commits April 15, 2026 17:47
…/onboard

Instead of asking users to provide container image names manually,
query Jira for pscomponent: labels on existing CVE issues and extract
the container names automatically.

Each Jira CVE ticket has labels like:
  pscomponent:rhoai/odh-container-rhel9

These are collected, deduplicated, and assigned to the downstream repo
in the mapping entry. No manual input needed for containers.

If Jira is unavailable or no pscomponent: labels exist, the containers
field is omitted and can be added later.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Remove AI Core Dashboard, Model Serving, Notebooks Images, AI Pipelines,
Notebooks Server, and Training Kubeflow — these components have not been
onboarded yet and have incomplete data. They can be re-added via /onboard
when teams are ready to use the CVE fixer workflow.

Remaining: Model as a Service, llm-d, AI Evaluations, AutoML, AutoRAG

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…tream

opendatahub-io/* → midstream
red-hat-data-services/* → downstream
all other orgs (llm-d, eval-hub, trustyai-explainability, kubeflow, IBM) → upstream

Only change: opendatahub-io/models-as-a-service was incorrectly upstream → midstream

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Standalone dashboard (similar style to shepard) that tracks:
- Fix PRs opened / merged
- Unique CVEs the workflow attempted to fix
- Per-component breakdown
- Components onboarded

Scripts:
- scripts/collect-data.js: scans onboarded repos from mapping file,
  finds fix/cve-* PRs, aggregates metrics, pushes data.json to repo

Dashboard (public/index.html):
- Overview: stat cards + timeline chart + component/status charts
- Fix PRs: full table with status, CVE, component, repo, dates
- CVEs: list of unique CVEs with PR counts and component breakdown
- Components: per-component stat cards

PatternFly + Chart.js, same visual style as shepard dashboard.
No dependency on or mixing with any other dashboard.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>