Add PR comment command to trigger full CI suite and fix workflow issues

[justin808]

Summary

This PR adds a /run-skipped-ci command that can be used in PR comments to trigger the complete CI suite, including tests that are normally skipped on PRs for faster feedback. It also fixes several workflow issues identified during development.

What Changed

New GitHub Actions Workflows:

• .github/workflows/run-skipped-ci.yml - Listens for /run-skipped-ci comments and triggers all CI workflows with verification
• .github/workflows/pr-welcome-comment.yml - Automatically comments on new PRs explaining the command

New Documentation:

• .github/README.md - Comprehensive documentation of all workflows and the comment command feature

Workflow Fixes:

• Fixed duplicate if conditions in examples.yml and main.yml that caused YAML parsing errors
• Replaced inefficient SKIP_MINIMUM_ON_PR env var pattern with cleaner matrix-level exclude approach
• Added workflow verification logic to confirm triggered workflows actually start
• Improved error handling with detailed status reporting (verified/pending/failed workflows)

How It Works

1. Default PR behavior - Runs subset of CI (latest Ruby/Node only) for fast feedback
2. Full CI on demand - Comment /run-skipped-ci on any PR to run:
   • Main test suite with all Ruby/Node version combinations
   • Example generator tests
   • Pro package integration tests
   • Pro package unit tests
3. User feedback - Bot reacts with 🚀, waits 5 seconds for workflows to queue, verifies they started, and posts detailed status

Why This Approach

By default, PRs run a limited CI suite to keep feedback loops fast:

• Only latest versions (Ruby 3.4, Node 22, Shakapacker 9.3.0, React 19)
• Skips minimum versions (Ruby 3.2, Node 20, Shakapacker 8.2.0, React 18)

Before merging, we want to verify compatibility across all supported versions. This command makes it easy to run full CI without:

• Waiting for merge to master
• Manually triggering individual workflows
• Modifying workflow files

Technical Improvements

Matrix Filtering

Before:

env:
  SKIP_MINIMUM_ON_PR: ${{ matrix.dependency-level == 'minimum' && ... }}
steps:
  - uses: actions/checkout@v4
    if: env.SKIP_MINIMUM_ON_PR != 'true'  # ❌ Step-level conditional

After:

matrix:
  include: [...]
  exclude:  # ✅ Job-level filtering - more efficient
    - ruby-version: ${{ ... && '3.2' || '' }}
      dependency-level: ${{ ... && 'minimum' || '' }}

Workflow Verification

The /run-skipped-ci command now:

1. Triggers all workflows via API
2. Waits 5 seconds for workflows to queue
3. Queries GitHub Actions API to verify workflows started
4. Reports detailed status showing which workflows are verified, pending, or failed

Testing Notes

Important: The comment-triggered workflow must be merged to master before it can be tested, because GitHub Actions only executes issue_comment workflows from the default branch (security feature).

Once merged, test by:

1. Creating a test PR
2. Commenting /run-skipped-ci
3. Verifying all workflows trigger and status is reported accurately

Inspiration

Based on similar pattern from shakacode/react-webpack-rails-tutorial#687

🤖 Generated with Claude Code

---

This change is 

[github-actions]

👋 Thanks for opening this PR!

🚀 Running Full CI Suite

By default, PRs run a subset of CI jobs for faster feedback (latest Ruby/Node versions only).

To run the complete CI suite including all dependency combinations and skipped jobs, comment:

/run-full-ci

This will trigger:

• ✅ Minimum supported versions (Ruby 3.2, Node 20)
• ✅ All example app tests
• ✅ Pro package integration tests
• ✅ All test matrices

The full CI suite takes longer but ensures compatibility across all supported versions before merging.

[coderabbitai]

Walkthrough

Adds GitHub Actions docs, enables manual workflow_dispatch for several CI jobs, introduces a PR welcome-comment workflow, and adds a new comment-triggered orchestration workflow that dispatches multiple CI workflows when /run-skipped-ci is posted and verified.

Changes

Cohort / File(s)	Summary
Documentation .github/README.md	New CI/CD documentation for GitHub Actions describing commands, testing scope, concurrency, permissions, and conditional execution.
Examples & Main Workflows .github/workflows/examples.yml, .github/workflows/main.yml	Adjusted matrix and job conditions to allow workflow_dispatch; added gating so minimum-version matrix runs only on master or manual dispatch; updated related comments and matrix excludes.
Pro Integration & Package Workflows .github/workflows/pro-integration-tests.yml, .github/workflows/pro-package-tests.yml	Added workflow_dispatch handling to job if expressions so selected jobs can run on manual dispatch as well as existing triggers.
PR Welcome Comment .github/workflows/pr-welcome-comment.yml	New workflow that posts a welcome comment on new PRs (non-bot authors) explaining how to trigger the full CI via /run-skipped-ci and what that run includes.
Full CI Orchestration .github/workflows/run-skipped-ci.yml	New issue_comment-triggered workflow that validates commenter write access, reacts to and acknowledges the comment, dispatches multiple workflows (main.yml, examples.yml, pro-integration-tests.yml, pro-package-tests.yml) via workflow_dispatch, verifies dispatches, and posts a summary comment; fails on dispatch errors.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor User
    participant PR as Pull Request
    participant GH as GitHub Actions API
    participant Orchestrator as run-skipped-ci
    participant Workflows as CI Workflows

    User->>PR: Posts "/run-skipped-ci" comment
    PR->>GH: issue_comment event -> trigger run-skipped-ci
    GH->>Orchestrator: Start job
    Orchestrator->>GH: Check commenter write permission
    GH-->>Orchestrator: Permission result
    alt denied
        Orchestrator->>PR: Post denial comment
    else allowed
        Orchestrator->>PR: Add reaction & acknowledgment comment
        Orchestrator->>GH: Read PR head_ref & head_sha
        par Dispatch workflows
            Orchestrator->>Workflows: Dispatch main.yml (workflow_dispatch)
            Orchestrator->>Workflows: Dispatch examples.yml (workflow_dispatch)
            Orchestrator->>Workflows: Dispatch pro-integration-tests.yml (workflow_dispatch)
            Orchestrator->>Workflows: Dispatch pro-package-tests.yml (workflow_dispatch)
        end
        Orchestrator->>GH: Verify dispatched runs exist with head_sha
        GH-->>Orchestrator: Verification results
        Orchestrator->>PR: Post summary comment (success / failures)
        alt any failures
            Orchestrator->>GH: Exit job with failure
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Review attention areas:
  • .github/workflows/run-skipped-ci.yml — permission checks, error handling, dispatch verification, and comments.
  • Conditional expressions and matrix excludes in .github/workflows/main.yml and .github/workflows/examples.yml for correct gating.
  • Consistency of workflow_dispatch changes across pro workflows.

Possibly related PRs

• Fix problems with GitHub actions #1691 — Modifies same workflow files (main.yml, examples.yml); likely related changes to CI triggers and matrices.
• Migrate React on Rails Pro CI from CircleCI to GitHub Actions #1872 — Touches pro-integration-tests.yml and pro-package-tests.yml; related to enabling manual dispatch for pro tests.
• Fix CI failures on master and add workflow_dispatch to all workflows #1928 — Also updates workflows to allow manual/dispatch triggers; overlaps with this PR's dispatch additions.

Suggested reviewers

• Judahmeek

Poem

🐰 Hop, I tap a comment key,

"Run the rest!" — they ask of me.
I nudge the workflows, one, two, four,
Queues hum softly, CI galore.
✨ Pipelines dance — a rabbit's chore.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title accurately captures both main changes: adding a PR comment command to trigger full CI and fixing workflow matrix/actionlint issues.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch justin808/ci-comment-trigger

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review - PR 1974: Add PR Comment Command to Trigger Full CI Suite

Thanks for this contribution! This is a well-thought-out approach to managing CI complexity.

Strengths

1. Clear Problem-Solution Fit: Addresses the balance between fast PR feedback and comprehensive testing
2. Good Documentation: The .github/README.md is comprehensive and explains limitations well
3. User Experience: Welcome comment and reaction emoji provide good feedback
4. Proper Permissions: Minimal permissions scoped appropriately

Critical Issues That Must Be Fixed

1. SECURITY: Missing Comment Author Validation

PROBLEM: Any user (including external contributors) can trigger full CI by commenting /run-full-ci

LOCATION: .github/workflows/run-skipped-ci.yml lines 13-16

IMPACT: Resource abuse, potential DoS, external contributors triggering Pro package tests

RECOMMENDATION: Add permission check step to validate comment author has write access. Only maintainers should trigger full CI.

2. Error Handling: Silent Failures

PROBLEM: Workflow triggers wrapped in try-catch only log to console. Users won't see if a workflow fails to trigger.

LOCATION: .github/workflows/run-skipped-ci.yml lines 70-104

IMPACT: False confidence that full CI is running when it's not

RECOMMENDATION: Consolidate trigger steps and post comment when workflows fail to trigger

3. Race Conditions: Multiple Comments

PROBLEM: Posting /run-full-ci multiple times triggers duplicate runs

IMPACT: Wasted resources, higher costs, confusing results

RECOMMENDATION: Add concurrency controls with PR number as group identifier

Other Issues

• Documentation could explain how to test workflow changes before merging
• Welcome comment might be overwhelming for frequent contributors (consider limiting to first-time contributors)
• Four workflow trigger steps are repetitive (could use matrix)
• README line 95 references script/ci-changes-detector without explanation

Verified

All four referenced workflows (main.yml, examples.yml, pro-integration-tests.yml, pro-package-tests.yml) correctly have workflow_dispatch enabled.

Summary

VERDICT: Good feature, but needs security hardening before merge

MUST FIX: User permission validation, concurrency controls, error handling feedback

RISK LEVEL: Medium (security issues important but feature itself is low-risk)

Overall valuable addition - with security fixes will be great DX improvement!

[claude]

Code Review - PR #1974

Summary

This PR adds a useful feature that allows triggering the full CI suite via a /run-full-ci comment on PRs. The implementation is well-structured and follows GitHub Actions best practices. Overall, this is a solid addition that will improve the development workflow.

✅ Strengths

1. Clear Documentation: The .github/README.md is comprehensive and well-organized, explaining the purpose, usage, and limitations effectively.

2. Good User Experience: The workflow provides clear feedback through reactions and comments, making it easy for users to understand what's happening.

3. Proper Permissions: Minimal permissions are used appropriately (contents: read, pull-requests: write, actions: write).

4. Workflow Already Enabled: All target workflows (main.yml, examples.yml, pro-integration-tests.yml, pro-package-tests.yml) already have workflow_dispatch enabled, so the triggering mechanism will work.

5. Security Aware: The documentation correctly explains the issue_comment limitation for security reasons.

🔍 Issues & Recommendations

1. Critical: Error Handling in Workflow Triggers

Issue: The workflow trigger steps use try/catch with console.error but don't fail the workflow or notify users when triggers fail.

# Current implementation
try {
  await github.rest.actions.createWorkflowDispatch({...});
  console.log('✅ Triggered main.yml');
} catch (error) {
  console.error('❌ Failed to trigger main.yml:', error.message);
}

Problem: If a workflow fails to trigger, the user sees "🚀 Running full CI suite" but some workflows silently don't run.

Recommendation:

• Track failures and add a follow-up comment listing which workflows failed to trigger
• Alternatively, let the step fail naturally (remove try/catch) so users can see the error in Actions logs
• Or at minimum, include failure information in the initial acknowledgment comment

2. Potential Race Condition with Matrix Jobs

Issue: The workflows being triggered (main.yml, examples.yml) have conditional matrix entries that only run on master:

# From main.yml lines 52-54
- ruby-version: '3.2'
  node-version: '20'  
  dependency-level: 'minimum'

These jobs check if: github.ref == 'refs/heads/master' || ... which won't be true when triggered via workflow_dispatch on a PR branch.

Recommendation:

• Update the conditional logic in target workflows to also check for workflow_dispatch events:

  if: |
    github.ref == 'refs/heads/master' || 
    github.event_name == 'workflow_dispatch' ||
    needs.detect-changes.outputs.run_dummy_tests == 'true'

• Or document that the command still won't run minimum versions unless the code is merged to master

3. Welcome Comment Triggers on All PRs

Issue: The pr-welcome-comment.yml workflow triggers on ALL new PRs, including those from external contributors and bots.

Recommendation:

on:
  pull_request:
    types: [opened]
    
jobs:
  welcome:
    # Skip for dependabot and other bots
    if: github.event.pull_request.user.type \!= 'Bot'

This prevents noise on automated PRs.

4. Minor: Incomplete Comment Body Check

Issue: The trigger condition uses contains() which could match unwanted text:

if: contains(github.event.comment.body, '/run-full-ci')

This would trigger on comments like "Don't use /run-full-ci yet" or code blocks containing the command.

Recommendation:

if: |
  github.event.issue.pull_request &&
  (
    startsWith(github.event.comment.body, '/run-full-ci') ||
    contains(github.event.comment.body, '\n/run-full-ci')
  )

This ensures the command is at the start of a line.

📋 Suggestions

1. Testing Plan: The PR notes testing can only happen after merge. Consider:

   • Creating a test PR in a fork to validate the workflow syntax
   • Adding a note in the initial comment about expected timeline for CI results

2. Rate Limiting: Consider adding a check to prevent multiple simultaneous triggers (e.g., check if workflows are already running for this commit).

3. Permissions: Document that the GitHub token needs actions: write permission, which might not be available in private repos with restricted settings.

🧪 Test Coverage

N/A - GitHub Actions workflows don't have traditional tests. The PR correctly documents that testing requires merging to master first.

Post-Merge Testing Checklist:

• Create a test PR
• Comment /run-full-ci and verify rocket reaction appears
• Verify confirmation comment is posted
• Check that all 4 workflows are triggered
• Verify workflows run on the correct branch/commit
• Test with minimum version workflows and ensure they actually run

🔒 Security

No issues identified. The PR properly:

• Uses minimal required permissions
• Leverages GitHub's security model (workflows from default branch only)
• Doesn't expose secrets or sensitive data

⚡ Performance

No concerns. The workflow is lightweight and only triggers when needed.

📖 Code Quality

• YAML syntax is correct
• Formatting is consistent with existing workflows
• Documentation is clear and comprehensive
• Follows established patterns in the repository

🎯 Overall Assessment

This is a well-designed feature that will improve the development workflow. The main concern is the matrix job conditionals (issue #2) which could make the feature less useful than intended. I recommend verifying the conditional logic before or immediately after merge.

Recommendation: Approve with minor fixes suggested above.

Great work on the comprehensive documentation! 🎉

[justin808]

🔒 Security & Reliability Fixes Applied

I've addressed the critical security and reliability issues with a second commit:

Security Enhancements

✅ Permission Validation

• Only users with write access can trigger /run-full-ci
• External contributors and unauthorized users receive a polite message
• Prevents resource abuse and unauthorized Pro package test access

✅ Concurrency Protection

• Multiple /run-full-ci comments cancel in-progress runs
• Prevents duplicate workflows and resource waste
• Uses PR number as concurrency group

Reliability Improvements

✅ Better Error Handling

• Consolidated workflow triggers with try/catch for each
• Posts detailed results comment showing succeeded/failed workflows
• Job fails if any workflow fails to trigger (no silent failures)

✅ Improved Command Matching

• Now requires /run-full-ci at start of line
• Won't trigger on "Don't use /run-full-ci" or code blocks
• Uses startsWith() and newline detection

✅ Workflow Dispatch Support

• Updated main.yml and examples.yml to run minimum versions on workflow_dispatch
• Updated all Pro workflows to honor workflow_dispatch events
• Matrix exclude logic prevents minimum versions running on regular PRs

✅ Bot Filtering

• Welcome comment skips bot PRs (dependabot, renovate, etc.)

Documentation Updates

The .github/README.md now documents:

• Security controls and access restrictions
• Concurrency protection mechanism
• How workflows respond to workflow_dispatch events

---

Note: These fixes won't be testable until the PR is merged to master, since issue_comment workflows only execute from the default branch.

[justin808]

✅ Actionlint Fixes Applied

Fixed the actionlint errors that were failing CI. The issue was using matrix context in the exclude section, which is not allowed.

Solution:

• Moved conditional logic to job-level if statements
• Combined event type and dependency level checks in single expression
• Cleanly filters out minimum dependency runs on regular PRs

The workflows will now:

• Regular PRs: Run only latest versions (Ruby 3.4, Node 22)
• Master pushes: Run all versions including minimum (Ruby 3.2, Node 20)
• workflow_dispatch (via /run-full-ci): Run all versions including minimum

This should resolve the actionlint errors in CI.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/README.md (1)

11-13: Add language specifier to code fence.

The Markdown linter requires a language specifier for code fences.

-```
+```
 /run-full-ci
-```
+```

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 28405e3 and 67ea4b4.

📒 Files selected for processing (7)

• .github/README.md (1 hunks)
• .github/workflows/examples.yml (1 hunks)
• .github/workflows/main.yml (3 hunks)
• .github/workflows/pr-welcome-comment.yml (1 hunks)
• .github/workflows/pro-integration-tests.yml (3 hunks)
• .github/workflows/pro-package-tests.yml (3 hunks)
• .github/workflows/run-skipped-ci.yml (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-01-23T18:20:45.824Z

Learnt from: alexeyr-ci
Repo: shakacode/react_on_rails PR: 1687
File: spec/dummy/package.json:0-0
Timestamp: 2025-01-23T18:20:45.824Z
Learning: When adding or updating dependencies in spec/dummy/package.json, maintain version consistency with other package.json files in the codebase to avoid potential version conflicts.

Applied to files:

• .github/workflows/main.yml

🪛 LanguageTool

.github/README.md

[uncategorized] ~96-~96: Did you mean the formatting language “Markdown” (= proper noun)?
Context: ...check-markdown-links.yml`** - Validates markdown links ## Workflow Permissions Most wo...

(MARKDOWN_NNP)

🪛 markdownlint-cli2 (0.18.1)

.github/README.md

11-11: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (9)

.github/workflows/pro-integration-tests.yml (1)

37-37: ✅ Consistent workflow_dispatch support added.

The workflow_dispatch event support is correctly integrated across all three jobs. The absence of minimum-version gating (unlike main.yml/examples.yml) is appropriate since the Pro workflows don't use a dependency-level matrix.

Also applies to: 127-127, 307-307

.github/workflows/examples.yml (1)

43-45: ✅ Gating logic correctly prevents minimum-version runs on PRs.

The compound condition effectively ensures that minimum-version tests only run on master/workflow_dispatch, not on regular PRs. This aligns with the performance goal of providing fast feedback on PRs while maintaining full coverage on manual/default branch runs.

.github/workflows/pr-welcome-comment.yml (1)

1-37: ✅ PR welcome workflow looks good.

The workflow correctly filters bots, uses appropriate permissions, and provides clear guidance on triggering full CI. The trigger configuration (pull_request.types: [opened]) prevents redundant comments on edits.

.github/workflows/main.yml (1)

44-46: ✅ Consistent workflow_dispatch and gating logic.

The conditions correctly gate minimum-version runs to master/workflow_dispatch scenarios. The pattern is consistent with examples.yml and well-commented.

Also applies to: 132-133

.github/workflows/pro-package-tests.yml (1)

37-37: ✅ workflow_dispatch support correctly added to all three jobs.

The changes are consistent with the Pro integration tests workflow and enable proper orchestration via the full CI trigger.

Also applies to: 127-127, 208-208

.github/workflows/run-skipped-ci.yml (4)

15-20: ✅ Command parsing correctly balances safety and convenience.

The dual-pattern matching (startsWith + newline-prefixed contains) effectively prevents false positives from inline mentions while allowing the command on a new line. The logic is sound for typical user behavior.

Minor edge case: commands with leading whitespace on a new line (e.g., " /run-full-ci") won't match, but this is acceptable for a PR comment command.

---

27-61: ✅ Permission check implementation is secure and user-friendly.

The workflow correctly validates write access before proceeding, posts a denial message for unauthorized users, and handles API errors gracefully. This prevents resource abuse while maintaining good UX.

---

99-154: ✅ Workflow dispatch orchestration with proper error aggregation.

The implementation correctly:

• Dispatches all four workflows in a loop with individual try/catch handling
• Tracks succeeded/failed results
• Posts an aggregate summary comment
• Fails the orchestrator job if any dispatch fails (prevents silent failures)

This provides good visibility into which workflows were triggered and any dispatch failures.

---

8-10: ✅ Concurrency control prevents duplicate runs and resource waste.

Using the PR number as the concurrency group with cancel-in-progress: true ensures that multiple /run-full-ci comments on the same PR cancel prior runs rather than queuing them. This is the correct pattern.

[justin808]

@claude review this PR

[claude]

Claude finished @justin808's task —— View job

---

PR Review: Add PR Comment Command to Trigger Full CI Suite

Reviewing PR #1974 by @justin808

Summary

This PR adds a /run-full-ci command that allows repository collaborators to trigger the complete CI suite on any PR, including tests normally skipped for faster feedback. The implementation is well-thought-out and addresses the key concerns raised in previous reviews.

---

✅ Strengths

1. Excellent Security Implementation

   • Properly validates user permissions before allowing full CI runs (lines 27-56 in run-skipped-ci.yml)
   • Only users with write access can trigger full CI
   • Prevents resource abuse from external contributors
   • Good error messaging for unauthorized users

2. Robust Error Handling

   • Individual try/catch blocks for each workflow trigger (lines 115-129)
   • Tracks succeeded/failed workflows separately
   • Posts detailed results comment showing which workflows succeeded/failed
   • Fails the orchestrator job if any dispatch fails (line 152-154)
   • No silent failures ✅

3. Concurrency Protection

   • Uses PR number as concurrency group (lines 8-10)
   • cancel-in-progress: true prevents duplicate runs
   • Prevents resource waste from multiple /run-full-ci comments

4. Smart Command Matching

   • Uses startsWith() and newline detection (lines 18-19)
   • Won't trigger on false positives like "Don't use /run-full-ci"
   • Properly handles the command at start of line or on new lines

5. Proper Workflow Dispatch Support

   • All target workflows correctly support workflow_dispatch events
   • Matrix job conditionals properly gate minimum versions (main.yml:44-46, examples.yml:43-45)
   • Pro workflows correctly honor workflow_dispatch (pro-integration-tests.yml:37, pro-package-tests.yml:37, 127, 208)

6. Good Documentation

   • Comprehensive .github/README.md explaining the feature
   • Documents security restrictions, concurrency protection, and testing limitations
   • Welcome comment provides clear guidance to PR authors

7. User Experience

   • Rocket reaction provides immediate feedback
   • Acknowledgment comment shows what's being triggered
   • Results comment shows succeeded/failed workflows with links
   • Bot filtering prevents noise on automated PRs (pr-welcome-comment.yml:10)

---

🔍 Issues & Recommendations

1. Documentation Error - Critical

Location: .github/README.md:85

Issue: The README references run-full-ci.yml but the actual workflow file is named run-skipped-ci.yml:

- **`run-full-ci.yml`** - Triggered by `/run-full-ci` comment on PRs

Fix:

- **`run-skipped-ci.yml`** - Triggered by `/run-full-ci` comment on PRs

2. Markdown Linting Issue - Minor

Location: .github/README.md:11-13

Issue: Code fence missing language specifier (triggers markdownlint warning)

Current:

/run-full-ci

Fix:

```bash
/run-full-ci

#### 3. **Potential Enhancement - Workflow Status Links**

**Location:** `run-skipped-ci.yml:140`

**Suggestion:** The results comment includes a generic link to the Actions tab. Consider adding direct links to each triggered workflow run for easier navigation:

```javascript
const succeededList = succeeded.length > 0 
  ? succeeded.map(w => `- ✅ ${w} - [View run](#${runId})`)
  : '- None';

This would require capturing the run IDs from the dispatch responses, which may not be immediately available from the API.

4. Matrix Job Verification

Status: ✅ Verified correctly implemented

The conditional logic for minimum versions is correct:

• Regular PRs: Only run dependency-level: 'latest' (Ruby 3.4, Node 22)
• Master pushes: Run all versions including dependency-level: 'minimum' (Ruby 3.2, Node 20)
• workflow_dispatch: Run all versions including minimum

The double condition pattern prevents minimum versions on regular PRs while allowing them on workflow_dispatch:

if: |
  (github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_dummy_tests == 'true') &&
  (matrix.dependency-level != 'minimum' || github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch')

This is excellent - it ensures /run-full-ci actually runs the full matrix as intended.

---

🧪 Testing Considerations

The PR correctly documents that testing requires merging to master first due to GitHub's security model. After merge, testing should verify:

• Rocket reaction appears on comment
• Permission check works (test with non-collaborator if possible)
• All 4 workflows trigger successfully
• Workflows run on correct PR branch/commit
• Minimum version matrix jobs actually run on workflow_dispatch
• Results comment shows accurate succeeded/failed status
• Concurrency cancellation works with multiple comments

---

📊 Code Quality

• ✅ YAML syntax is valid
• ✅ Formatting is consistent with existing workflows
• ✅ Follows established patterns in the repository
• ✅ Permissions are minimal and appropriate
• ✅ Comments explain complex conditional logic

---

🔒 Security Assessment

No security issues identified. The implementation properly:

• Validates user permissions before executing privileged actions
• Uses minimal required permissions (contents: read, pull-requests: write, actions: write)
• Leverages GitHub's security model (workflows execute from default branch only)
• Doesn't expose secrets or sensitive data
• Prevents resource abuse via permission checks and concurrency controls

---

🎯 Overall Assessment

This is a well-designed and well-implemented feature that significantly improves the development workflow. The author has addressed all major concerns from previous reviews:

• ✅ Security hardening with permission validation
• ✅ Concurrency protection to prevent duplicate runs
• ✅ Comprehensive error handling with user feedback
• ✅ Improved command matching to avoid false triggers
• ✅ Proper workflow_dispatch support across all target workflows
• ✅ Bot filtering to reduce noise

Recommendation

✅ Approve with minor documentation fix

The only required fix is updating the workflow filename in the README (issue #1 above). The markdown linting issue (issue #2) should also be fixed to keep CI clean.

The workflow status links suggestion (issue #3) is optional but would improve UX.

---

Great work on this feature! The security and reliability improvements in the second commit demonstrate excellent attention to detail. This will be a valuable addition to the development workflow. 🎉

---

[justin808]

📝 Command Renamed for Consistency

Changed the PR comment command from /run-full-ci to /run-skipped-ci to match the workflow filename (run-skipped-ci.yml).

Rationale:

• The command name now clearly indicates it runs the normally-skipped CI jobs
• Matches the workflow filename for easier navigation
• More accurate description of what the command does (runs minimum versions, examples, Pro tests that are skipped on regular PRs)

All documentation and workflows have been updated consistently.

[justin808]

✅ Actionlint Errors Fixed (For Real This Time)

Fixed the actionlint errors properly using environment variables and step-level conditionals.

The Problem:

• Cannot use matrix context in job-level if statements
• Cannot use matrix context in matrix exclude sections
• GitHub Actions context availability is limited at different levels

The Solution:

• Set SKIP_MINIMUM environment variable at job level (matrix context IS available here)
• Add if: env.SKIP_MINIMUM != 'true' to every step in the job
• First step exits early with a helpful message for skipped runs
• All other steps check the same condition

How It Works Now:

• Regular PRs: Minimum dependency matrix job starts, first step exits immediately
• Master/workflow_dispatch: All steps run normally including minimum versions
• Clean, actionlint-compliant implementation

This should pass all CI checks now!

[claude]

Code Review - PR #1974

Thank you for this well-thought-out PR! The implementation of the /run-skipped-ci command is solid and addresses a real need for on-demand full CI execution. Here's my detailed review:

---

✅ Strengths

1. Excellent Documentation

• The new .github/README.md is comprehensive and well-structured
• Clear explanation of why the feature exists and how to use it
• Good coverage of security considerations and testing limitations

2. Security Implementation

• Proper permission checks via getCollaboratorPermissionLevel API
• Access restricted to users with write permissions (admin/write roles)
• Helpful error message for unauthorized users
• Minimal required permissions (contents: read, pull-requests: write, actions: write)

3. User Experience

• Rocket emoji reaction provides immediate feedback
• Clear acknowledgment comment with workflow status
• Welcome comment on new PRs educates users proactively
• Proper error handling and user-facing messages

4. Concurrency Protection

• Good use of concurrency groups to prevent duplicate runs
• cancel-in-progress: true prevents resource waste

---

⚠️ Issues & Suggestions

1. Critical: Duplicate if Conditions in examples.yml

Location: .github/workflows/examples.yml:41-46

Problem: Two if conditions on the same job - only the second one will be used, making the first one ineffective.

Impact: This could cause the workflow to behave differently than intended.

Fix: Combine into a single if condition or remove the first one if the second is the intended logic.

---

2. Logic Issue: SKIP_MINIMUM in examples.yml

Location: .github/workflows/examples.yml:51-59

Problem: The SKIP_MINIMUM environment variable checks might not work as intended. Environment variables in GitHub Actions are strings, and the step-level conditionals checking if: env.SKIP_MINIMUM != 'true' may not skip correctly.

Impact: Steps might not skip correctly on PRs for minimum dependency versions.

Recommended approach: Use the if condition at the job level (preferred - cleaner and more efficient) to eliminate the need for SKIP_MINIMUM env var and step-level conditionals.

---

3. Similar Issues in main.yml

Location: .github/workflows/main.yml:145-155

The same patterns appear in main.yml:

• Duplicate if conditions on dummy-app-integration-tests job
• SKIP_MINIMUM env var with step-level conditionals

Fix: Apply the same solution as above.

---

4. Potential Race Condition

Location: .github/workflows/run-skipped-ci.yml:99-154

Issue: The workflow triggers are asynchronous (createWorkflowDispatch), but there's no waiting or verification that they actually started.

Potential problems:

• Workflows might fail to start (e.g., disabled workflows, YAML errors)
• The acknowledgment comment posts before workflows actually queue
• No way to confirm if workflows are actually running

Suggestion: Consider adding a brief delay and polling to verify workflows are queued after triggering them.

---

5. Error Handling: Silent Failures

Location: .github/workflows/run-skipped-ci.yml:151-154

Issue: The job fails at the end, but the user already received a comment saying workflows triggered successfully (line 84-97).

Fix: Only post the initial acknowledgment after successfully triggering workflows, or update the comment if failures occur.

---

6. Incomplete Step in build-dummy-app-webpack-test-bundles

Location: .github/workflows/main.yml:158-162

Issue: exit 0 won't actually skip the job - it just makes that one step succeed. Subsequent steps will still run unless they also check SKIP_MINIMUM.

Fix: Remove this step and use job-level if condition instead.

---

7. Minor: Inconsistent Terminology

The command is /run-skipped-ci but the documentation sometimes refers to it as "Run Full CI Suite". Consider being consistent throughout.

---

🔒 Security Review

Positive Security Measures:

• ✅ Permission checks before triggering workflows
• ✅ Minimal required permissions
• ✅ Concurrency limits prevent abuse
• ✅ Bot detection in welcome workflow

Considerations:

• Rate limiting: GitHub API has rate limits. Consider adding rate limit checks if this becomes heavily used.
• Audit logging: All triggers are logged in Actions tab (good for accountability).

---

🧪 Testing Recommendations

Since this can only be tested after merging (due to issue_comment limitations), I recommend:

1. Pre-merge validation:

   • Validate YAML syntax
   • Test the JavaScript logic locally
   • Verify permissions are correctly scoped

2. Post-merge testing checklist:

   • Create a test PR
   • Comment /run-skipped-ci as authorized user
   • Verify all 4 workflows trigger
   • Test unauthorized user scenario
   • Test multiple comments (concurrency protection)
   • Test welcome comment on new PR

---

📊 Performance Considerations

• ✅ Workflows only run on-demand (good for resource usage)
• ✅ Concurrency groups prevent duplicate runs
• ⚠️ Full CI suite is expensive - ensure users understand when to use it

---

🎯 Summary

Overall assessment: This is a well-designed feature that solves a real problem. The main issues are:

1. Critical: Duplicate if conditions need to be fixed
2. Important: SKIP_MINIMUM logic may not work as intended
3. Nice to have: Better error handling for workflow trigger failures

Recommendation: Fix the critical and important issues before merging. The nice-to-have improvements can be addressed in follow-up PRs if needed.

Great work on this PR! The documentation and overall approach are excellent. 🚀

---

Files reviewed:

• .github/workflows/run-skipped-ci.yml ✅
• .github/workflows/pr-welcome-comment.yml ✅
• .github/workflows/main.yml ⚠️
• .github/workflows/examples.yml ⚠️
• .github/workflows/pro-integration-tests.yml ✅
• .github/workflows/pro-package-tests.yml ✅
• .github/README.md ✅

[claude]

Code Review - PR #1974: Add PR comment command to trigger full CI suite

Overview

This is a well-designed PR that adds a practical feature for triggering full CI runs on demand via PR comments. The implementation follows GitHub Actions best practices and includes good documentation.

---

✅ Strengths

1. Excellent Documentation

• The new .github/README.md is comprehensive and well-structured
• Clear explanation of why the feature exists (fast PR feedback vs full coverage)
• Good security documentation explaining access control
• Helpful testing guidance about the issue_comment event limitation

2. Security Considerations

• ✅ Access control properly implemented - Only users with write access can trigger full CI
• ✅ Concurrency protection prevents resource waste with cancel-in-progress: true
• ✅ Bot filtering in welcome workflow prevents spam
• ✅ Minimal permissions using least-privilege principle

3. Good UX Design

• Rocket emoji reaction provides immediate feedback
• Detailed confirmation comment with workflow status
• Welcome comment educates new contributors proactively
• Links to Actions tab for easy monitoring

4. Solid Error Handling

• Graceful permission denial with user-friendly message
• Try-catch blocks around API calls
• Verification step to confirm workflows actually queued
• Status differentiation (verified, not yet queued, failed)

---

🔍 Areas for Improvement

1. Workflow Matrix Exclusion Logic (Medium Priority)

The exclude logic in .github/workflows/main.yml and examples.yml has a potential issue:

exclude:
  - ruby-version: ${{ github.event_name == 'pull_request' && github.ref != 'refs/heads/master' && '3.2' || '' }}
    node-version: ${{ github.event_name == 'pull_request' && github.ref != 'refs/heads/master' && '20' || '' }}
    dependency-level: ${{ github.event_name == 'pull_request' && github.ref != 'refs/heads/master' && 'minimum' || '' }}

Issue: When the condition is false, this produces empty strings ('') which won't match any matrix values, making the exclusion ineffective. The exclude will never actually match.

Better approach: Use conditional matrix includes or separate jobs:

# Option 1: Use if conditions on jobs
jobs:
  test-latest:
    # Always run
    
  test-minimum:
    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch'

Files affected:

• .github/workflows/main.yml:55-58, 146-149
• .github/workflows/examples.yml:54-56

2. Race Condition in Workflow Verification (Low Priority)

In run-skipped-ci.yml:116-143, there's a 5-second wait before verifying workflows are queued. This is fragile:

await new Promise(resolve => setTimeout(resolve, 5000));

Issues:

• Under load, 5 seconds may be insufficient
• Creates false "not yet verified" warnings
• No retry logic

Suggestion: Add retry logic with exponential backoff or increase timeout with retries.

File: .github/workflows/run-skipped-ci.yml:116

3. Command Name Inconsistency (Low Priority)

The workflow and command use /run-skipped-ci, but consider if /run-full-ci might be more intuitive since you're running the FULL suite, not specifically "skipped" tests. The current name requires users to understand the negative framing.

Suggestion: Consider renaming to /run-full-ci for clarity, or document why "skipped" framing was chosen.

4. Missing Edge Cases (Low Priority)

Force-pushed PRs: If someone force-pushes after commenting /run-skipped-ci, the workflows will run against the old SHA. This might confuse users.

Suggestion: Add a note in the documentation or consider checking if the PR head SHA changed.

Deleted branches: If a PR's branch is deleted while workflows are running, they'll fail. Not a blocker, but worth documenting.

5. Pro Package Tests Matrix (Question)

The pro workflows (pro-integration-tests.yml, pro-package-tests.yml) don't have matrix exclusion logic like main.yml. Looking at the conditions:

if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_pro_tests == 'true'

This means pro tests run on PRs if run_pro_tests == 'true'. Is this intentional? Should these also have minimum dependency matrix logic?

Files: .github/workflows/pro-integration-tests.yml, .github/workflows/pro-package-tests.yml

---

🧪 Testing Considerations

Concern: Cannot Test Before Merge

The PR description correctly notes that issue_comment workflows must be on the default branch to run. This is a GitHub security feature.

Recommendation:

1. ✅ Merge this PR (code looks solid)
2. Create a test PR immediately after
3. Verify the command works as expected
4. If issues found, fix in follow-up PR

Missing Test Coverage

This feature cannot have automated tests due to the issue_comment event limitation. However, you could:

• Add a manual testing checklist to the PR description
• Document the manual testing process in .github/README.md
• Consider adding a local test script that validates the workflow YAML syntax

---

🎯 Performance Considerations

Positive:

• Concurrency groups prevent duplicate runs
• Only triggers workflows on-demand rather than always
• Verification step is efficient (single API call)

Suggestion: Monitor GitHub Actions minutes usage after this is deployed to ensure the feature isn't being overused.

---

📝 Code Quality

Strengths:

• Clean, readable GitHub Actions syntax
• Good error messages
• Appropriate use of actions (peter-evans/create-or-update-comment)
• Consistent code style across workflows

Minor Suggestions:

1. Consider extracting the workflow list into a matrix for easier maintenance
2. The verification logic in run-skipped-ci.yml:123-147 is quite long. Consider adding more comments for clarity.

---

🔐 Security Review

Overall: Secure ✅

• ✅ Permission checks implemented correctly
• ✅ No secrets exposed
• ✅ Minimal permissions requested
• ✅ Bot protection in welcome workflow
• ✅ No shell injection vulnerabilities (using GitHub Script API calls)

---

📋 Documentation Quality

The .github/README.md is excellent. Specifically:

• Clear command documentation
• Security explanation
• Testing limitations explained
• Workflow inventory
• Good use of formatting and emojis

Minor suggestion: Add examples of when to use vs not use the command:

• ✅ Use: Before requesting final review
• ✅ Use: After significant dependency updates
• ❌ Don't use: For every small commit

---

🎬 Final Recommendation

✅ Approve with minor suggestions

This PR is well-implemented and ready to merge. The workflow matrix exclusion logic needs attention (point #1 above), but you can address that based on testing results.

Action Items Before Merge:

1. ⚠️ Consider: Review the matrix exclusion logic in main.yml and examples.yml - it may not work as intended
2. 📝 Optional: Consider improvements to workflow verification retry logic
3. 📝 Optional: Address naming/documentation suggestions

Action Items After Merge:

1. Test the /run-skipped-ci command on a real PR
2. Verify the matrix exclusion actually works (may need follow-up fix)
3. Document any issues found
4. Consider adding usage metrics to track adoption

---

Great work on this feature! The documentation and security considerations are particularly well done. 🚀

---

Review generated with Claude Code following React on Rails code review standards from CLAUDE.md

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/README.md (2)

11-13: Add language specifier to fenced code block.

Per Markdown linting standards (MD040), fenced code blocks should specify a language.

-```
+```bash
 /run-skipped-ci
-```
+```

---

96-96: Capitalize "Markdown" as a proper noun.

-- **`check-markdown-links.yml`** - Validates markdown links
+- **`check-markdown-links.yml`** - Validates Markdown links

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 67ea4b4 and 1f5b84c.

📒 Files selected for processing (5)

• .github/README.md (1 hunks)
• .github/workflows/examples.yml (1 hunks)
• .github/workflows/main.yml (3 hunks)
• .github/workflows/pr-welcome-comment.yml (1 hunks)
• .github/workflows/run-skipped-ci.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/pr-welcome-comment.yml
• .github/workflows/examples.yml

🧰 Additional context used

🪛 LanguageTool

.github/README.md

[uncategorized] ~96-~96: Did you mean the formatting language “Markdown” (= proper noun)?
Context: ...check-markdown-links.yml`** - Validates markdown links ## Workflow Permissions Most wo...

(MARKDOWN_NNP)

🪛 markdownlint-cli2 (0.18.1)

.github/README.md

11-11: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: lint-js-and-ruby
• GitHub Check: build
• GitHub Check: build-dummy-app-webpack-test-bundles
• GitHub Check: build-dummy-app-webpack-test-bundles
• GitHub Check: rspec-package-tests (3.4, latest)
• GitHub Check: rspec-package-tests (3.2, minimum)
• GitHub Check: markdown-link-check
• GitHub Check: claude-review

🔇 Additional comments (8)

.github/workflows/main.yml (3)

14-14: ✅ Workflow dispatch trigger properly added.

The addition of workflow_dispatch: enables manual triggering and orchestration by the run-skipped-ci.yml workflow, which aligns with the PR objectives.

---

41-59: Verify actionlint compliance of matrix exclude logic.

The current matrix exclude pattern uses context expressions within matrix field values, which may conflict with actionlint validation that the PR objectives mention was resolved. Per the PR description, the final fix should use an environment variable set at job level with conditional step gating.

Please confirm whether this exclude pattern is actionlint-compliant or if it should be refactored to set SKIP_MINIMUM at the job level and gate steps accordingly as described in the PR objectives.

---

130-149: Verify actionlint compliance and consistency with first job.

The second job (dummy-app-integration-tests) applies the same matrix exclude pattern. Ensure consistency with any fixes applied to the first job, and confirm actionlint compliance.

.github/workflows/run-skipped-ci.yml (5)

15-20: ✅ Command detection logic properly prevents false positives.

The condition correctly uses startsWith() for line start and contains('\n/run-skipped-ci') to detect the command after newlines, preventing accidental triggers inside phrases or code blocks.

---

27-61: ✅ Permission check appropriately gates access.

The workflow properly validates write-access permissions using the GitHub API and denies unauthorized users with a courteous message. The try/catch error handling prevents silent failures.

---

84-189: Verify robustness of workflow verification timing.

The workflow uses a 60-second search window (line 132) after a 5-second delay to verify triggered workflows. If workflow dispatch API latency or queuing exceeds this window, verified workflows may be missed, and the status message would show them as "not yet queued" even though they eventually run.

Consider whether the 60-second window is sufficient for your typical queue times, or if this should be configurable/more conservative.

---

136-140: ✅ Workflow verification checks are thorough.

The verification correctly matches on workflow path, head SHA, and workflow_dispatch event type, ensuring triggered workflows correspond to the correct PR branch and dispatch action.

---

187-188: ✅ Job failure on workflow dispatch errors prevents silent failures.

The job correctly fails if any workflows fail to trigger, ensuring visibility of problems rather than silently queuing partial CI runs.