fix: prepare dbt review action for v0.8.5

[anandgupta42]

Summary

• replace the dangling VS Code image symlinks with self-contained assets so GitHub can download the github/review composite action archive
• decouple dbt manifest parsing from native dispatcher initialization and track manifest availability explicitly, preventing valid manifests from being mislabeled as lint-only
• pin the installed CLI binary to the composite action's semver ref instead of a floating latest release
• write hosted Altimate credentials with owner-only permissions
• point the GitHub App installer directly at GitHub's repository-selection flow
• link the public dbt PR review demo from the README and reviewer docs
• update review-action examples to the proposed v0.8.5 tag

v0.8.4 was published from main for the trace-durability fix while this PR was open. Its archive still contains the broken dangling symlinks, so this PR now targets v0.8.5. It does not create or publish the tag.

Adversarial and end-to-end validation

• composite-action YAML structure and shell declarations
• semver action ref pins the matching binary without consulting latest
• hostile base, head, and manifest values remain argv data and cannot execute shell commands
• hosted credentials are mode 0600, are not logged, and invalid combinations fail closed
• committed git archive extracts with regular, non-empty action dependencies
• docs cannot regress to the already-published broken v0.8.4 tag
• real reviewPullRequest execution against a temporary git/dbt project with a valid manifest
• 34 adversarial and trace regression tests passed
• 88 reviewer, manifest, action, and installer tests passed
• 215 repository and upstream-merge guards passed
• full repository typecheck passed

The branch is merged with the released main state and preserves the v0.8.4 trace-durability release changes.

Summary by CodeRabbit

• Bug Fixes

  • Restored GitHub Action download and improved reliability of action version resolution.
  • Corrected dbt manifest handling so lint vs full-run classification is accurate.

• New Features

  • Installer flow now opens repository-selection directly and adds an Install GitHub App badge/link.
  • Runs now report manifest availability so summaries reflect true status.

• Documentation

  • Changelog, README, and docs updated with install/linking, demo PRs, and workflow examples.

• Security

  • Hardening for installer/workflow steps to avoid leaking credentials and restrict config file permissions.

• Tests

  • Added/updated tests for manifest loading, installer URL, composite action behavior, and repository asset integrity.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

Too much diff to scan? Review this PR in Change Stack to start with the highest-impact changes.

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR exposes runner.manifestAvailable(), seeds orchestrator anyManifest from that signal, centralizes the GitHub App install URL, hardens composite action steps and permissions, adds asset and adversarial tests, and updates docs/examples/changelog to reference v0.8.5.

Changes

0.8.5 Release Readiness

Layer / File(s)	Summary
Manifest availability signal in runner and orchestrator packages/opencode/src/altimate/review/runner.ts, packages/opencode/src/altimate/review/orchestrate.ts, packages/opencode/test/altimate/review-runner.test.ts, packages/opencode/test/altimate/review.test.ts	Runner now parses the dbt manifest via parseManifest and exposes manifestAvailable(): Promise<boolean>. Orchestrator seeds anyManifest from input.runner.manifestAvailable?.() instead of unconditionally defaulting, and tests verify manifest-loading, absent-model handling, and safe degradation when manifest parsing throws.
Shared GitHub App install URL in CLI flow packages/opencode/src/cli/cmd/github.ts, packages/opencode/test/cli/github-action.test.ts	Adds and exports GITHUB_APP_INSTALL_URL used by the CLI to open the GitHub App installation page; unit test asserts the constant targets the expected /installations/new endpoint.
Composite action version detection & permissions hardening github/review/action.yml, github/review/examples/altimate-ingestion.yml	Strengthens the composite action's version-detection shell safety, tolerates release-query failures, sets umask 077 before writing advisory config, and bumps example workflow uses: pins to @v0.8.5.
Adversarial composite-action tests and end-to-end review packages/opencode/test/skill/release-v0.8.5-adversarial.test.ts	New adversarial test suite parses action.yml, executes step scripts in controlled env, stubs curl/CLI, verifies credential file mode 0600, confirms release archive contents and docs reference @v0.8.5, and runs an end-to-end review pipeline test asserting non-degraded results.
Repository asset file integrity test packages/opencode/test/install/repository-symlinks.test.ts	New Bun test verifies VS Code image assets are regular files (not symlinks) and non-empty.
Docs, examples, and changelog alignment for 0.8.5 CHANGELOG.md, README.md, docs/docs/usage/dbt-pr-review.md, github/README.md	Adds README GitHub App install badge/link and demo PR references, updates dbt-pr-review docs and example workflows to use AltimateAI/altimate-code/github/review@v0.8.5, and adds a 0.8.5 Unreleased changelog section documenting fixes and onboarding/docs updates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• AltimateAI/altimate-code#856: Introduced the dbt review orchestrator/runner architecture that this PR modifies by adding manifestAvailable() and adjusting manifest degradation behavior.

Suggested labels

needs-review:blocked

Suggested reviewers

• yukthagv

Poem

🐰 A manifest now shines so clear,
Decoupled checks hop out of fear.
Install links point where apps are born,
Action pins snug for v0.8.5's morn.
Tests guard assets — joy, hop on!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is comprehensive and covers all required sections: Summary (explains the changes), Test Plan (lists validation performed), and Checklist items are addressed. However, it lacks the required 'PINEAPPLE' declaration at the top as specified in the template for AI-generated contributions.	Add 'PINEAPPLE' at the very top of the PR description before any other content as required by the template for AI-generated contributions.
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main purpose of the PR: preparing the dbt review action for version 0.8.5. It accurately reflects the primary objective stated in the PR description.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/v0.8.4-dbt-review-launch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/opencode/src/altimate/review/orchestrate.ts`:
- Line 1006: Awaiting the optional hook input.runner.manifestAvailable() is
currently unprotected and can reject and crash runReview; wrap the call in a
try/catch (while still honoring the optional nature) so that if
input.runner.manifestAvailable throws or rejects you set anyManifest = false (or
a safe default) and optionally log the error, instead of letting the exception
bubble; update the code around the anyManifest assignment (the await of
input.runner.manifestAvailable) to perform this guarded call.

In `@packages/opencode/test/altimate/review-runner.test.ts`:
- Around line 2-17: Replace the manual temp-dir lifecycle (mkdtempSync, tempDirs
array and afterEach cleanup) with the test fixture helper: import tmpdir from
"fixture/fixture" and use the await using pattern to create the directory for
the test; specifically, remove tempDirs and the afterEach block and change the
mkdtempSync usage in the test to an await using (const tmp =
tmpdir("altimate-review-manifest-")) { const dir = tmp.path; const manifestPath
= path.join(dir, "manifest.json"); ... } so the fixture automatically cleans up
when the scope exits; keep existing references to createDispatcherRunner and
other test logic unchanged.

In `@packages/opencode/test/altimate/review.test.ts`:
- Around line 1236-1241: The test currently sets manifestAvailable() to true but
leaves impact().hasManifest true, so it doesn't validate the decoupling; change
the stubbed impact() return to set hasManifest: false while keeping
manifestAvailable() === true so env.summary.degraded will reflect the new
contract. Update the same change in the other test seed that mirrors this
behavior (the second occurrence of these stubs) so both cases assert
manifestAvailable() is respected independently of impact().hasManifest.

In `@packages/opencode/test/install/repository-symlinks.test.ts`:
- Line 13: The test currently only asserts the symlink target exists; update the
assertion to also verify the resolved target is inside the repository root by
computing the absolute target (using readlinkSync and path.resolve) and then
checking path.relative(repoRoot, target) does not start with '..' (and is not
equal to '') or by asserting target.startsWith(path.resolve(repoRoot) ) before
asserting existsSync(target) is true; reference the variables/functions link,
readlinkSync, path.resolve, path.relative, and existsSync when making the
change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 47534ee8-5ec9-4572-9b02-cd16b0ee76e2

📥 Commits

Reviewing files that changed from the base of the PR and between 7e909a9 and b0d0a8d.

⛔ Files ignored due to path filters (6)

• packages/identity/mark-192x192.png is excluded by !**/*.png
• packages/identity/mark-512x512-light.png is excluded by !**/*.png
• packages/identity/mark-512x512.png is excluded by !**/*.png
• packages/identity/mark-96x96.png is excluded by !**/*.png
• packages/identity/mark-light.svg is excluded by !**/*.svg
• packages/identity/mark.svg is excluded by !**/*.svg

📒 Files selected for processing (12)

• CHANGELOG.md
• README.md
• docs/docs/usage/dbt-pr-review.md
• github/README.md
• github/review/examples/altimate-ingestion.yml
• packages/opencode/src/altimate/review/orchestrate.ts
• packages/opencode/src/altimate/review/runner.ts
• packages/opencode/src/cli/cmd/github.ts
• packages/opencode/test/altimate/review-runner.test.ts
• packages/opencode/test/altimate/review.test.ts
• packages/opencode/test/cli/github-action.test.ts
• packages/opencode/test/install/repository-symlinks.test.ts

[cubic-dev-ai]

2 issues found across 18 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

1 issue found across 3 files (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic</sub>

[dev-punia-altimate]

Multi-Persona Review — Verdict: skipped

Multi-persona review completed.

0/0 agents completed · 2s · 0 findings (0 critical, 0 high, 0 medium)

---

_{Multi-Persona Review · vllm:qwen3-next-80b (waves) + vllm-fallback (synth) ·}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@github/review/action.yml`:
- Line 67: The VERSION fallback uses a curl invocation that has no timeouts and
can hang; update the curl call that sets VERSION (the line starting with
VERSION=$(curl -sf ...)) to include sensible timeout flags (e.g.
--connect-timeout and --max-time) and optional retry behavior (e.g. --retry) so
the job won't stall on transient network issues; keep the existing -s -f
behavior and ensure the whole subshell still falls back to empty on failure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5bee33e3-ec0e-46ee-9526-c4872b9a36a0

📥 Commits

Reviewing files that changed from the base of the PR and between 5803b2f and 18d311c.

📒 Files selected for processing (5)

• CHANGELOG.md
• docs/docs/usage/dbt-pr-review.md
• github/review/action.yml
• github/review/examples/altimate-ingestion.yml
• packages/opencode/test/skill/release-v0.8.5-adversarial.test.ts

✅ Files skipped from review due to trivial changes (2)

• CHANGELOG.md
• docs/docs/usage/dbt-pr-review.md

🚧 Files skipped from review as they are similar to previous changes (1)

• github/review/examples/altimate-ingestion.yml