
Disable Docker Scout PR comment to prevent accidental @mentions#269

Merged
IhorMasechko merged 2 commits into main from fix/scout-comment-mentions
Apr 9, 2026

Conversation


@IhorMasechko IhorMasechko commented Apr 2, 2026

We disabled Docker Scout auto-comments in CI by setting write-comment: false in the security-scan job.
This prevents scoped package names like @apostrophecms/... from being parsed as GitHub mentions and notifying unrelated users.
Security scanning is still active and results are still uploaded via SARIF.

Disabled Docker Scout's automatic PR comments by configuring write-comment: false in the security-scan job within the CI workflow. This prevents scoped package names, such as @apostrophecms/..., from being incorrectly parsed as GitHub user mentions that would notify unrelated users. Security scanning remains fully active and SARIF results continue to be uploaded as before.


coderabbitai bot commented Apr 2, 2026

Walkthrough

The pull request modifies .github/workflows/code-quality.yml to disable PR comment reporting for the Docker Scout scan step by adding write-comment: false to the step's configuration. This prevents the scan action from automatically posting results as a comment on pull requests. No other workflow logic, inputs, or control flow changes were made.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: disabling Docker Scout's PR comment feature to prevent @mentions. It is concise (63 characters), well under the 75-character requirement, and directly relates to the changeset modification.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/code-quality.yml (1)

31-33: ⚠️ Potential issue | 🟡 Minor

Remove unnecessary pull-requests: write permission.

The github/codeql-action/upload-sarif action requires only security-events: write to upload SARIF files. Since Docker Scout scanning now has write-comment: false, no step in this job needs to write to pull requests.

Proposed change
     permissions:
       security-events: write
-      pull-requests: write
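Review bot: after this removal the job-level block grants only `security-events: write`, and an explicit job-level `permissions:` block sets every scope it does not name to none; if this job also checks out the repository with actions/checkout (not visible in the hunk), it needs `contents: read` here or at workflow level, so confirm that before taking the suggestion. Dropping `pull-requests: write` is otherwise sound: with `write-comment: false` nothing in the job posts to the PR, and a token leaked from this job can then no longer create or edit PR comments and reviews.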
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/code-quality.yml around lines 31 - 33, Remove the
unnecessary pull-requests write permission from the workflow permissions block:
delete the "pull-requests: write" entry so only "security-events: write"
remains; update the permissions mapping in the code-quality job (the permissions
YAML block containing security-events and pull-requests) to stop granting
pull-request write access since upload-sarif only needs security-events and no
step writes PRs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6da0e92b-cb7c-4e54-b26d-c58f6a26312e

📥 Commits

Reviewing files that changed from the base of the PR and between 2d19c8f and a01c1d0.

📒 Files selected for processing (1)
  • .github/workflows/code-quality.yml

@IhorMasechko IhorMasechko enabled auto-merge (squash) April 2, 2026 11:41
@IhorMasechko IhorMasechko requested a review from a-nomad April 2, 2026 11:49
@IhorMasechko IhorMasechko disabled auto-merge April 9, 2026 10:24
@IhorMasechko IhorMasechko enabled auto-merge (squash) April 9, 2026 10:25
@IhorMasechko IhorMasechko merged commit 9d28dd3 into main Apr 9, 2026
11 checks passed
@IhorMasechko IhorMasechko deleted the fix/scout-comment-mentions branch April 9, 2026 10:47


3 participants