fix(ci): CR Thread Gate caller job emits 'gate / CodeRabbit Thread Check' [OMN-9032]

[jonahgabriel]

Summary

• Root cause: cr-thread-gate.yml had a gate: caller job but pr-number: ${{ ... || ... }} evaluates to boolean false in merge_group/push context → workflow fails with 0 jobs → gate / CodeRabbit Thread Check never emitted.
• Fix: Add merge_group trigger; use format('{0}', ... || 0) for pr-number (always a string); standardize triggers to match other repos (add pull_request_review_comment, pull_request_review_thread).

Test plan

• Push to open PR → gate job runs → gate / CodeRabbit Thread Check appears in PR checks

Summary by CodeRabbit

• New Features
  • Reworked CI into a reusable, callable workflow with optional inputs and secrets, and added a caller workflow that triggers on PRs, reviews and comments to invoke it.
• Chores
  • Improved token handling, added conditional skip for empty/zero PR inputs, and emit explicit failure annotations when checks detect unresolved threads.

[coderabbitai]

Warning

Rate limit exceeded

@jonahgabriel has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 36 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 0 minutes and 36 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b319a2b9-a5b0-438c-8dd6-5fbb44d29726

📥 Commits

Reviewing files that changed from the base of the PR and between 00c260f and 618dd56.

📒 Files selected for processing (1)

• .github/workflows/cr-thread-gate.yml

📝 Walkthrough

Walkthrough

Replaced an event-driven workflow with a reusable workflow_call (.github/workflows/cr-thread-gate.yml) exposing optional inputs (repo, pr-number) and secrets (CROSS_REPO_PAT, deprecated github-token). Added a caller workflow (.github/workflows/cr-thread-gate-caller.yml) that triggers on PR/review/comment/merge_group events and invokes the reusable workflow, passing pr-number and CROSS_REPO_PAT.

Changes

Cohort / File(s)	Summary
Reusable workflow /.github/workflows/cr-thread-gate.yml	Converted from event triggers to on: workflow_call; added optional inputs repo, pr-number and optional secrets CROSS_REPO_PAT, deprecated github-token; resolves owner/repo and PR number at runtime; skips when PR number empty/"0"; runs scripts/check-unresolved-threads.sh and emits ::error:: + exit 1 if unresolved threads found.
Caller workflow /.github/workflows/cr-thread-gate-caller.yml	New workflow triggered on PR/review/review_comment/issue_comment and merge_group; computes and passes pr-number (pull_request.number

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GitHub as "GitHub Event"
  participant Caller as "cr-thread-gate-caller.yml"
  participant Reusable as "cr-thread-gate.yml (workflow_call)"
  participant Runner as "Actions runner"
  participant Script as "scripts/check-unresolved-threads.sh"

  GitHub->>Caller: Trigger (PR / review / comment / merge_group)
  Caller->>Reusable: workflow_call(pr-number, CROSS_REPO_PAT)
  Reusable->>Runner: start job (ubuntu-latest)
  Runner->>Runner: checkout specified script from OmniNode-ai/omniclaude
  Runner->>Runner: resolve owner/repo, determine PR number, set GH_TOKEN
  Runner->>Script: run check-unresolved-threads.sh
  Script-->>Runner: exit code and COUNT
  alt COUNT > 0
    Runner->>GitHub: emit ::error:: annotation and fail job
  else COUNT == 0 or skipped
    Runner->>GitHub: succeed or skip
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped from event to a callable gate,
Passing numbers, tokens, and a tiny fate,
I fetched a script and gave it a spin,
Counted threads twined tightly within,
Thump-thump—done! The checks begin.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: converting CR Thread Gate to use a caller job that emits the 'gate / CodeRabbit Thread Check' check result.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jonah/cr-gate-caller-job

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

⚠️ Hostile Reviewer — DEGRADED (informational)

Blocking findings (critical/error): 0
Total findings: 0
Models succeeded: none

Note: All reviewer models failed or were unavailable. Degraded results are informational during the pilot phase (OMN-8524) and do not block merge. Error: cli_review exited non-zero (all models failed or binary error)

---

Gate semantics (pilot phase)

Verdict	Meaning	Blocks merge?
passed	No critical/error findings	No
blocked	CRITICAL or ERROR findings found	Yes
degraded	All models unavailable (infra)	No (pilot)

Powered by omniintelligence.review_pairing.cli_review — node-based adversarial review via HandlerLlmCliSubprocess (OMN-8524)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cr-thread-gate.yml:
- Around line 9-10: Remove the unsupported GitHub Actions trigger entry
"pull_request_review_thread" (and its types array like "types: [resolved,
unresolved]") from the workflow; locate the block containing the symbol
pull_request_review_thread and delete that event declaration so the workflow
uses only supported triggers (e.g., keep other valid events or replace with a
supported event such as pull_request_review if you intended review-related
events).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c84481bf-ee78-49cc-80c9-6779cff462a3

📥 Commits

Reviewing files that changed from the base of the PR and between 63e456f and c084ff3.

📒 Files selected for processing (1)

• .github/workflows/cr-thread-gate.yml

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/cr-thread-gate.yml (2)

64-79: Validate the helper output before declaring success.

COUNT is treated as success unless it is a number greater than zero. If check-unresolved-threads.sh ever emits anything but digits on stdout, this step still reaches All CodeRabbit threads resolved. and exits 0. Fail closed on empty/non-numeric output before the numeric comparison.

Suggested change

           COUNT=$(bash scripts/check-unresolved-threads.sh \
             "${{ steps.resolve-repo.outputs.owner }}" \
             "${{ steps.resolve-repo.outputs.repo }}" \
             "$PR")
+          case "$COUNT" in
+            ''|*[!0-9]*)
+              echo "::error::Unexpected unresolved-thread count: '$COUNT'"
+              exit 1
+              ;;
+          esac
           echo "Unresolved CodeRabbit threads: $COUNT"
           if [ "$COUNT" -gt 0 ]; then

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cr-thread-gate.yml around lines 64 - 79, The step assumes
COUNT (from scripts/check-unresolved-threads.sh) is a numeric value; validate
COUNT before using the -gt comparison and fail closed on empty/non-numeric
output. Modify the logic after COUNT=... to trim whitespace, check that COUNT
matches a digits-only regex (e.g. using shell pattern or grep), and if not
numeric or empty call echo "::error::" with a descriptive message and exit 1;
only proceed to the existing numeric comparison (if [ "$COUNT" -gt 0 ]) when the
validation passes. Ensure you update references to COUNT and the invocation of
scripts/check-unresolved-threads.sh to reflect this validation.

---

33-36: Harden this cross-repo checkout step.

actions/checkout documents that ${{ github.token }} is scoped to the current repository, so a private/internal secondary repo needs an explicit PAT. This step also follows two mutable refs (actions/checkout@v4 and OmniNode-ai/omniclaude@main), which makes a required gate non-reproducible. Wire CROSS_REPO_PAT into token: here and pin both refs to immutable SHAs. (github.com)

Suggested change

-        uses: actions/checkout@v4
+        uses: actions/checkout@<checkout-v4-sha>
         with:
           repository: OmniNode-ai/omniclaude
-          ref: main
+          ref: <omniclaude-commit-sha>
+          token: ${{ secrets.CROSS_REPO_PAT || secrets.github-token || secrets.GITHUB_TOKEN }}
           sparse-checkout: scripts/check-unresolved-threads.sh
           sparse-checkout-cone-mode: false

Based on learnings, third-party action references should remain pinned to specific commit SHAs that match the latest release when the PR was created; this is intentional for reproducibility and supply-chain security.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cr-thread-gate.yml around lines 33 - 36, The checkout step
uses mutable refs and the default github token (uses: actions/checkout@v4 and
repository: OmniNode-ai/omniclaude ref: main); change it to use an explicit
cross-repo PAT and pin both refs to immutable SHAs: replace the token usage with
token: ${{ secrets.CROSS_REPO_PAT }} (or the designated secret name) and replace
actions/checkout@v4 and ref: main with their corresponding commit SHAs so the
step is reproducible and can access the private repo.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cr-thread-gate.yml:
- Around line 40-47: The owner/repo splitting uses TARGET and always sets both
owner and repo from TARGET, so a bare repo name incorrectly sets owner to the
repo; update the resolve-repo step to detect whether TARGET contains a slash and
if not set owner to github.repository_owner (use the existing github input
variable) while setting repo to TARGET, otherwise split as currently done (i.e.,
when TARGET contains '/', use ${TARGET%%/*} for owner and ${TARGET##*/} for
repo); ensure the outputs written to GITHUB_OUTPUT remain "owner=..." and
"repo=..." and that the logic references TARGET and github.repository_owner
accordingly.

---

Nitpick comments:
In @.github/workflows/cr-thread-gate.yml:
- Around line 64-79: The step assumes COUNT (from
scripts/check-unresolved-threads.sh) is a numeric value; validate COUNT before
using the -gt comparison and fail closed on empty/non-numeric output. Modify the
logic after COUNT=... to trim whitespace, check that COUNT matches a digits-only
regex (e.g. using shell pattern or grep), and if not numeric or empty call echo
"::error::" with a descriptive message and exit 1; only proceed to the existing
numeric comparison (if [ "$COUNT" -gt 0 ]) when the validation passes. Ensure
you update references to COUNT and the invocation of
scripts/check-unresolved-threads.sh to reflect this validation.
- Around line 33-36: The checkout step uses mutable refs and the default github
token (uses: actions/checkout@v4 and repository: OmniNode-ai/omniclaude ref:
main); change it to use an explicit cross-repo PAT and pin both refs to
immutable SHAs: replace the token usage with token: ${{ secrets.CROSS_REPO_PAT
}} (or the designated secret name) and replace actions/checkout@v4 and ref: main
with their corresponding commit SHAs so the step is reproducible and can access
the private repo.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1963fe6a-289b-4249-8d79-66ae1c7c74d4

📥 Commits

Reviewing files that changed from the base of the PR and between e2301cc and 00c260f.

📒 Files selected for processing (2)

• .github/workflows/cr-thread-gate-caller.yml
• .github/workflows/cr-thread-gate.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/cr-thread-gate-caller.yml