feat: dispatch centralized ocr review on PR ready #914

Merged
dev-punia-altimate merged 1 commit into main from feat/ocr-review-dispatch on Jun 8, 2026

Contributor

@dev-punia-altimate dev-punia-altimate commented Jun 8, 2026

PINEAPPLE

Summary

altimate-code had no centralized code-review dispatcher — its CI runs bun test locally, and the silent-close-shim is unmerged and only handles pr-closed. This adds dispatch-code-review.yml so altimate-code PRs trigger the centralized ocr/Gemini review in AltimateAI/altimate-qa when opened non-draft or marked Ready for review.

synchronize is intentionally omitted (gated loop — re-review only on the next Ready, after altimate-qa flips the PR back to draft on critical findings). Reuses the org-level AUTOPILOT_DISPATCH_TOKEN with a skip-guard, so no new token is required.

Pairs with AltimateAI/altimate-qa #534 (now merged — enables posting + severity-gated draft-flip).

Test Plan

  • YAML validated (yaml.safe_load).
  • Mirrors the proven altimate-backend/dispatch-code-review.yml mechanism (gh api repos/AltimateAI/altimate-qa/dispatches, event_type=code-review).
  • Token skip-guard verified: if AUTOPILOT_DISPATCH_TOKEN isn't visible to this repo, the step no-ops cleanly (an admin then extends the org-secret's repo visibility).
  • The "Notify altimate-qa" check already passed on this PR.

Checklist

  • Tests added/updated (n/a — CI workflow only)
  • Documentation updated (inline comments in the workflow)
  • CHANGELOG updated (n/a — internal CI)

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

github-actions Bot commented Jun 8, 2026

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

  • PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

coderabbitai Bot commented Jun 8, 2026

Walkthrough

This PR introduces a new GitHub Actions workflow that automatically dispatches code review events to a centralized service repository whenever a pull request is opened or marked ready for review on the main branch. The workflow includes token validation, concurrency controls, and payload assembly with PR metadata.

Changes

Code Review Dispatch Integration

Layer / File(s) Summary
Dispatch workflow setup
.github/workflows/dispatch-code-review.yml
Workflow triggers on PR opened and ready_for_review events targeting main, runs only for non-draft PRs, uses per-PR concurrency to cancel in-progress runs, validates the AUTOPILOT_DISPATCH_TOKEN secret before dispatching, and sends a code-review event to AltimateAI/altimate-qa with origin repo, PR number, head ref, commit SHA, author, and PR title.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A workflow takes flight,
PR events in the night,
Dispatched with great care,
To reviewers out there. 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The pull request description fully adheres to the template with all required sections present and complete.
Title check ✅ Passed The title 'feat: dispatch centralized ocr review on PR ready' directly and clearly summarizes the main change: adding a workflow that dispatches a centralized OCR review when a pull request is ready.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 1 file

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dispatch-code-review.yml:
- Line 52: The workflow currently hardcodes the repository value in the curl
payload (client_payload[repo]=AltimateAI/altimate-code); update the dispatch
payload to use the GitHub Actions repository context instead (e.g., use the
GITHUB_REPOSITORY/GITHUB_REPOSITORY env or the github.repository context) so
client_payload[repo] is set dynamically; locate the line that sets
client_payload[repo] and replace the literal string with the appropriate
variable reference (using the same shell/templating style used elsewhere in the
workflow) to ensure the correct repository is sent.
- Around line 43-58: The gh api call is vulnerable to shell injection because
PR_TITLE, PR_AUTHOR, PR_HEAD_REF, etc. are expanded inside double quotes;
instead of passing these values as -f form fields, construct a JSON payload and
feed it to gh api via stdin (using --input -) so the shell does not perform
command substitution; update the dispatch invocation that currently uses gh api
repos/AltimateAI/altimate-qa/dispatches and the -f "client_payload[...]" fields
to build a proper JSON object from PR_NUMBER, PR_TITLE, PR_AUTHOR, PR_HEAD_REF,
PR_HEAD_SHA and pass it safely to gh api --input -, ensuring all user-controlled
variables are serialized/escaped (e.g., via a JSON serializer or toJSON helper)
and remove direct double-quoted variable expansion in the existing dispatch
block.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ada14a66-768b-406b-b6f9-8927dcc780e8

📥 Commits

Reviewing files that changed from the base of the PR and between 5ffeadb and 4feb8c8.

📒 Files selected for processing (1)
  • .github/workflows/dispatch-code-review.yml

Comment thread .github/workflows/dispatch-code-review.yml
gh api repos/AltimateAI/altimate-qa/dispatches \
--method POST \
-f event_type=code-review \
-f "client_payload[repo]=AltimateAI/altimate-code" \

@coderabbitai coderabbitai Bot Jun 8, 2026

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use dynamic repository reference instead of hardcoded value.

The repository name is hardcoded as AltimateAI/altimate-code. If this workflow is copied to another repository or the repository is renamed, it will send incorrect metadata to the centralized review service.

♻️ Proposed fix

Use the GitHub context variable instead:

-            -f "client_payload[repo]=AltimateAI/altimate-code" \
+            -f "client_payload[repo]=${{ github.repository }}" \
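
Review bot: On the + line, ${{ github.repository }} is substituted into the script text by the Actions expression engine before the shell runs, so the proposed fix puts template expansion inside a double-quoted shell string. The runner already exports the same value as GITHUB_REPOSITORY, so -f "client_payload[repo]=$GITHUB_REPOSITORY" \ gives the dynamic value as an ordinary shell variable and keeps expression syntax out of the command.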

Note: This fix is included in the JSON-based approach suggested for the shell injection fix above.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-f "client_payload[repo]=AltimateAI/altimate-code" \
-f "client_payload[repo]=${{ github.repository }}" \

Contributor Author

Fair, minor. The literal AltimateAI/altimate-code is correct because this workflow only ever runs in this repo, but ${{ github.repository }} (or $GITHUB_REPOSITORY) is cleaner and copy-paste-safe. If this PR lands, we'll switch the payload to the GitHub-provided repo context (alongside a jq-built JSON body).

@dev-punia-altimate, that sounds like a solid plan — using $GITHUB_REPOSITORY together with a jq-built JSON body addresses both this concern and the shell-injection risk in one pass. Would you like me to open a follow-up issue to track the $GITHUB_REPOSITORY + jq payload refactor so it doesn't get lost?
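
The jq-built JSON body discussed in this thread, as an added example (not code from this PR or from the repository's workflow): PR metadata is passed to jq as `--arg` values and the result is piped to `gh api --input -`. Payload keys other than `repo` and all sample values are assumptions; the `PR_*` names are the ones the review comment lists.

```shell
#!/bin/sh
# Added example, not the PR's workflow. Build the repository_dispatch body
# with jq so PR metadata travels as JSON-encoded data, never as script text.
set -eu

# Constructed sample input. In a workflow these would come from `env:`
# mappings of the pull_request event; the SHA and author are placeholders.
GITHUB_REPOSITORY='AltimateAI/altimate-code'
PR_NUMBER='914'
PR_HEAD_REF='feat/ocr-review-dispatch'
PR_HEAD_SHA='0000000000000000000000000000000000000000'
PR_AUTHOR='example-user'
PR_TITLE='fix: "quoted" $(echo injected) `date`; \ end'

# Only client_payload[repo] appears on the page; the other keys are assumed.
build_payload() {
  jq -n \
    --arg repo   "$GITHUB_REPOSITORY" \
    --arg number "$PR_NUMBER" \
    --arg ref    "$PR_HEAD_REF" \
    --arg sha    "$PR_HEAD_SHA" \
    --arg author "$PR_AUTHOR" \
    --arg title  "$PR_TITLE" \
    '{event_type: "code-review",
      client_payload: {repo: $repo, pr_number: ($number | tonumber),
                       head_ref: $ref, head_sha: $sha,
                       author: $author, title: $title}}'
}

# Skip cleanly when no token is visible (the skip-guard the PR describes),
# and send nothing if the payload cannot be built.
dispatch() {
  if [ -z "${GH_TOKEN:-}" ]; then
    echo "dispatch token not available; skipping" >&2
    return 0
  fi
  body=$(build_payload) || return 1
  printf '%s' "$body" |
    gh api repos/AltimateAI/altimate-qa/dispatches --method POST --input -
}

# Print the body for inspection when jq is installed.
if command -v jq >/dev/null 2>&1; then
  build_payload
fi
```

The title's quotes, `$(...)` and backticks come out as escaped JSON string content, and a non-numeric `PR_NUMBER` makes `tonumber` fail so nothing is sent.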

Contributor Author

@dev-punia-altimate dev-punia-altimate left a comment

Multi-Persona Review — Verdict: skipped

Multi-persona review completed.

0/0 agents completed · 2s · 0 findings (0 critical, 0 high, 0 medium)


Multi-Persona Review · vllm:qwen3-next-80b (waves) + vllm-fallback (synth) ·

github-actions Bot commented Jun 8, 2026

👋 This PR was automatically closed by our quality checks.

Common reasons:

  • New GitHub account with limited contribution history
  • PR description doesn't meet our guidelines
  • Contribution appears to be AI-generated without meaningful review

If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.

@dev-punia-altimate dev-punia-altimate changed the title feat: dispatch centralized ocr/Gemini review on PR ready feat: dispatch centralized ocr review on PR ready Jun 8, 2026

github-actions Bot commented Jun 8, 2026

👋 This PR was automatically closed by our quality checks.

Common reasons:

  • New GitHub account with limited contribution history
  • PR description doesn't meet our guidelines
  • Contribution appears to be AI-generated without meaningful review

If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.

Contributor Author

❌ Tests — Failures Detected

TypeScript — 15 failure(s)

  • connection_refused [1.00ms]
  • timeout
  • permission_denied
  • parse_error
  • network_error
  • auth_failure
  • rate_limit
  • internal_error
  • empty_error [1.00ms]
  • connection_refused
  • timeout [1.00ms]
  • permission_denied
  • parse_error
  • network_error
  • auth_failure

Next Step

Please address the failing cases above and re-run verification.

cc @dev-punia-altimate

@dev-punia-altimate dev-punia-altimate merged commit c2019ba into main Jun 8, 2026
33 checks passed