fix(ci): split capgo and cli release workflows #1981
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
📝 Walkthrough

Tag-triggered workflows were narrowed and split by component; CI gained scope-detection to decide capgo/cli releases; a new tag-driven CLI publish workflow (with AI changelog) was added; Bun setup was standardized via new Bash/PowerShell scripts and reused across runners; tests updated for Supabase cleanup.
Sequence Diagram

```mermaid
sequenceDiagram
  participant Dev as Developer (push tag)
  participant GH as GitHub Actions
  participant Changes as changes job / release-scope.ts
  participant Git as Git History
  participant Tests as reusable tests workflow
  participant Bump as bump-version job
  participant Publish as publish_cli workflow
  participant AI as Anthropic
  participant NPM as npm Registry
  participant Release as GitHub Release
  Dev->>GH: push tag (e.g., `cli-...` or `capgo-...`)
  GH->>Changes: run changes job (compute should_release/release_as)
  Changes->>Git: query commits & changed files
  Git-->>Changes: commit list
  Changes->>Changes: filter commits by scope, determine max severity -> release_as
  Changes->>Tests: trigger tests with scope flags
  Tests->>Tests: run matrix (uses scripts/setup-bun.*)
  Tests-->>Bump: report results (if any scope true)
  Bump->>Bump: perform per-scope version bumps, tag handling, optional CLI docs
  alt `cli-*` tag pushed
    GH->>Publish: publish_cli runs
    Publish->>AI: generate changelog (Anthropic)
    Publish->>NPM: publish CLI package (use `next` for `-alpha`)
    Publish->>Release: create GitHub release with changelog (prerelease if `-alpha`)
  end
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks: ✅ 3 passed | ❌ 2 failed (1 warning, 1 inconclusive)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a7010af2a7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Actionable comments posted: 1
🧹 Nitpick comments (3)
.github/workflows/bump_version.yml (2)
103-111: Tag retargeting after amend could leave stale tags on failure. If `git tag -f "$CURRENT_TAG"` fails (e.g., due to permissions or invalid tag name), the workflow continues without error handling. Consider adding `set -e` at the script start or explicit error checks.
🛡️ Proposed fix to add error handling:
- name: Create version bumps env: RUN_CAPGO: ${{ needs.changes.outputs.run_capgo }} CAPGO_RELEASE_AS: ${{ needs.changes.outputs.capgo_release_as }} RUN_CLI: ${{ needs.changes.outputs.run_cli }} CLI_RELEASE_AS: ${{ needs.changes.outputs.cli_release_as }} run: | + set -e if [ "$RUN_CAPGO" = "true" ]; then🤖 Prompt for AI Agents
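Review bot: the `+ set -e` line is probably redundant rather than wrong: the hunk shows a `run: |` step with no `shell:` key, and GitHub Actions runs such steps on Linux runners under `bash -e {0}`, so errexit is already on unless the job overrides the shell; worth confirming before relying on this as the fix. Also, `set -e` never fires for commands inside an `if` condition or a `||` list and only sees the last command of a pipeline, so an explicit check after the retag, e.g. `git tag -f "$CURRENT_TAG" || { echo "retag failed"; exit 1; }`, states the intent in the script and fails regardless of shell settings.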
Verify each finding against the current code and only fix it if needed. In @.github/workflows/bump_version.yml around lines 103 - 111, The workflow currently force-retags after a commit amend without handling failures from git tag -f (see CURRENT_TAG and the git commit --amend block); modify the script to fail-fast by enabling shell errexit (e.g., add set -e at the top of the script) or explicitly check the exit status after git tag -f and exit non-zero on error so the workflow stops and surfaces the failure, and ensure the logic around CURRENT_TAG still preserves the existing behavior when tag is empty.
55-58: Consider simplifying the complex conditional. The `if` condition on line 58 is quite long. While functionally correct, consider extracting repeated `needs.changes.outputs` checks to reduce verbosity and improve readability in future maintenance.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/bump_version.yml around lines 55 - 58, The conditional is verbose due to repeated needs.changes.outputs checks; add a single boolean output (e.g., run_any) to the changes job that computes run_any = run_capgo || run_cli, then simplify the bump-version job if to use needs.changes.outputs.run_any == 'true' instead of checking run_capgo and run_cli separately while preserving the existing head_commit message and needs.test.result checks; update the changes job to emit the new output (combine run_capgo and run_cli) and replace the long expression in the bump-version job with the single needs.changes.outputs.run_any reference.
scripts/release-scope.ts (1)
112-139: Add a trailing newline to the file. The file is missing a trailing newline at line 139, which can cause issues with some tools and is a common convention.
🔧 Proposed fix
console.log(`should_release=${shouldRelease}`) console.log(`release_as=${shouldRelease ? toReleaseAs(highestSeverity) : 'patch'}`) +🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/release-scope.ts` around lines 112 - 139, Add a trailing newline at the end of the file so the final console.log lines (the `console.log(\`should_release=${shouldRelease}\`)` / `console.log(\`release_as=${shouldRelease ? toReleaseAs(highestSeverity) : 'patch'}\`)` block) are followed by a single newline character; simply ensure the file ends with a newline character after the last line to satisfy tools and POSIX conventions.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/bump_version.yml:
- Around line 125-126: The `git pull --rebase $remote_repo $CURRENT_BRANCH` step
can fail on divergent histories; update the workflow to handle that by adding a
safe fallback: try the rebase first (git pull --rebase $remote_repo
$CURRENT_BRANCH) and if it exits non‑zero fall back to a non‑rebase merge (git
pull --rebase=false $remote_repo $CURRENT_BRANCH) or a forced reset workflow
(git fetch $remote_repo $CURRENT_BRANCH && git reset --hard
$remote_repo/$CURRENT_BRANCH) before running the existing git push line; ensure
the fallback preserves the subsequent push command `git push $remote_repo
HEAD:$CURRENT_BRANCH --follow-tags --tags` and add explicit error checks so
failures are surfaced instead of causing unexpected rebase conflicts.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7b61a551-fdd7-43ce-a168-51a4a86012ad
📒 Files selected for processing (4)
- .github/workflows/build_and_deploy.yml
- .github/workflows/bump_version.yml
- .github/workflows/publish_cli.yml
- scripts/release-scope.ts
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 79a0f98d84
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/publish_cli.yml:
- Around line 41-43: The workflow exposes a long-lived secret via the
environment variable github_token set to ${{ secrets.PERSONAL_ACCESS_TOKEN }};
replace uses of secrets.PERSONAL_ACCESS_TOKEN with the short-lived ${{
github.token }} (e.g., set github_token: ${{ github.token }}) for the actions
that accept it (mistricky/ccc and softprops/action-gh-release) and ensure the
job’s permissions include contents: write so the default token has the necessary
scope.
In @.github/workflows/tests.yml:
- Line 157: The workflow currently runs "bash scripts/setup-bun.sh" (and the
PowerShell counterpart "scripts/setup-bun.ps1") in multiple jobs but those
script files aren’t included in the shared path-filter, allowing setup-only PRs
to skip CLI lanes; update the shared path-filter entries referenced by the jobs
that call the run steps (the ones containing "run: bash scripts/setup-bun.sh" /
"run: pwsh scripts/setup-bun.ps1") to include "scripts/setup-bun.sh" and
"scripts/setup-bun.ps1" so changes to those files will trigger the appropriate
CI lanes (apply this to all occurrences of the run steps in the workflow).
In `@scripts/setup-bun.ps1`:
- Line 3: The current line pipes remote content from Invoke-RestMethod into
Invoke-Expression (security risk); change it to explicitly download the install
script to a temporary file, validate it as needed, then execute that file with
an explicit script invocation (e.g., PowerShell -ExecutionPolicy Bypass -File or
Start-Process / & to run the saved script) and finally remove the temp file;
replace the use of Invoke-Expression and instead use the saved script path
(e.g., InstallScriptPath) when executing.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 34697adc-d428-4f97-9cff-7fa6f014700e
📒 Files selected for processing (7)
- .github/workflows/build_and_deploy.yml
- .github/workflows/bump_version.yml
- .github/workflows/publish_cli.yml
- .github/workflows/tests.yml
- scripts/release-scope.ts
- scripts/setup-bun.ps1
- scripts/setup-bun.sh
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/build_and_deploy.yml
🚧 Files skipped from review as they are similar to previous changes (2)
- scripts/release-scope.ts
- .github/workflows/bump_version.yml
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f92064ebf7
Actionable comments posted: 1
🧹 Nitpick comments (1)
scripts/release-scope.ts (1)
116-121: Usage text should reflect optional `before`/`after` arguments. Lines 116-117 default `before` and `after`, but Line 120 shows them as required. Align help output to avoid operator confusion.
Suggested change:
-if (componentArg !== 'capgo' && componentArg !== 'cli') { - console.error('Usage: bun scripts/release-scope.ts <capgo|cli> <before> <after>') +if (componentArg !== 'capgo' && componentArg !== 'cli') { + console.error('Usage: bun scripts/release-scope.ts <capgo|cli> [before] [after]') process.exit(1) }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/release-scope.ts` around lines 116 - 121, The usage text incorrectly implies before/after are required; update the console.error usage message to show they are optional (e.g. use square brackets or indicate defaults) and/or include the default values from the before and after variables so it aligns with the declarations of before = process.argv[3] ?? '' and after = process.argv[4] ?? 'HEAD'; modify the string in the branch that checks componentArg (the console.error call that currently prints 'Usage: bun scripts/release-scope.ts <capgo|cli> <before> <after>') to something like 'Usage: bun scripts/release-scope.ts <capgo|cli> [before] [after] (defaults: before="" after="HEAD")' so the help text matches the actual optional behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@scripts/release-scope.ts`:
- Line 40: The '^cli/skills/' matcher currently marks docs-only edits as
releases; update that matcher to exclude markdown files by replacing
'^cli/skills/' with a regex that ignores .md and .mdx (for example:
'^cli/skills/(?!.*\\.(md|mdx)$)'). Ensure the updated matcher is used where the
matcher list/array is defined so changes under cli/skills/*.md or *.mdx no
longer set should_release=true.
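An illustrative scope check in TypeScript, added here as an example; it is not the project's scripts/release-scope.ts. It puts the broad `^cli/skills/` matcher beside the docs-excluding variant suggested in the comment above, and adds a constructed mapping from conventional-commit subjects to `release_as`. The matcher lists, the commit-message convention and the sample commits are assumptions, not read from the repository.

```typescript
// Illustrative release-scope check (not the project's scripts/release-scope.ts).
// Assumptions for this example: the path matchers, the conventional-commit
// convention ("feat" -> minor, "!" or "BREAKING CHANGE" -> major, else patch)
// and any sample commits are constructed, not taken from the repo.

type Component = 'capgo' | 'cli'
type ReleaseAs = 'major' | 'minor' | 'patch'

interface Commit {
  subject: string   // first line of the commit message
  files: string[]   // paths touched by the commit
}

// Broad matcher: any file under cli/skills/ counts as a releasable change,
// so a docs-only edit would set should_release=true.
const CLI_SKILLS_BROAD = /^cli\/skills\//

// Narrowed matcher: the negative lookahead rejects paths ending in .md or .mdx,
// so documentation edits under cli/skills/ no longer trigger a CLI release.
const CLI_SKILLS_CODE_ONLY = /^cli\/skills\/(?!.*\.(md|mdx)$)/

// Per-component matcher lists (hypothetical; the real lists live in the repo).
const MATCHERS: Record<Component, RegExp[]> = {
  capgo: [/^supabase\//, /^src\//],
  cli: [/^cli\/src\//, /^cli\/package\.json$/, CLI_SKILLS_CODE_ONLY],
}

// Ordering used to pick the highest bump among in-scope commits.
const SEVERITY_RANK: Record<ReleaseAs, number> = { patch: 0, minor: 1, major: 2 }

function isReleasableFile(component: Component, file: string): boolean {
  return MATCHERS[component].some(re => re.test(file))
}

// Map a conventional-commit subject to the bump it implies.
function commitSeverity(subject: string): ReleaseAs {
  const m = /^(\w+)(\([^)]*\))?(!)?:/.exec(subject)
  if (!m) return 'patch'            // non-conventional subject: safest bump
  const kind = m[1]
  const breaking = m[3] === '!' || /BREAKING CHANGE/.test(subject)
  if (breaking) return 'major'
  if (kind === 'feat') return 'minor'
  return 'patch'
}

// Decide whether a component should be released and with which bump.
// Commits whose files are all out of scope are ignored entirely, so a
// "feat!" that only touches the other component cannot force a release.
function releaseScope(
  component: Component,
  commits: Commit[],
): { shouldRelease: boolean; releaseAs: ReleaseAs } {
  let highest: ReleaseAs | null = null
  for (const commit of commits) {
    if (!commit.files.some(f => isReleasableFile(component, f))) continue
    const sev = commitSeverity(commit.subject)
    if (highest === null || SEVERITY_RANK[sev] > SEVERITY_RANK[highest]) highest = sev
  }
  // Same output contract as the page's script: release_as falls back to
  // "patch" when nothing is releasable (its `toReleaseAs(...) : 'patch'`).
  return { shouldRelease: highest !== null, releaseAs: highest ?? 'patch' }
}
```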
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cb637f2485
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/bump_version.yml:
- Around line 80-87: The workflow currently appends "|| true" to the git commit
step (the `git commit -m "docs(cli): update generated docs" || true` command in
the "Generate CLI docs" step), which masks real commit errors; remove the "||
true" and instead guard the commit by checking for staged changes first (e.g.,
use a staged-diff check such as `git diff --staged --quiet` / `git diff --cached
--exit-code`) and only run `git commit -m "docs(cli): update generated docs"`
when changes exist so genuine commit failures are allowed to fail the job while
the "nothing to commit" case is skipped.
In @.github/workflows/publish_cli.yml:
- Around line 8-10: The push tag trigger currently uses the broad pattern
"cli-*" which matches any cli- namespace tag; change the tag glob in the
workflow's push.tags entry from "cli-*" to the tighter "cli-v*" so the job only
runs for release tags beginning with "cli-v" (i.e., update the push.tags value
that currently reads "cli-*" to "cli-v*").
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1792d317-a3be-4f49-b8b4-81946c746719
📒 Files selected for processing (6)
- .github/workflows/bump_version.yml
- .github/workflows/publish_cli.yml
- .github/workflows/tests.yml
- scripts/release-scope.ts
- scripts/setup-bun.ps1
- scripts/setup-bun.sh
✅ Files skipped from review due to trivial changes (1)
- scripts/release-scope.ts
🚧 Files skipped from review as they are similar to previous changes (2)
- scripts/setup-bun.sh
- scripts/setup-bun.ps1
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fb8b7c18f3
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/publish_cli.yml (1)
7-10: ⚠️ Potential issue | 🟠 Major. Use the `cli-v*` trigger here as well. This is narrower than the old `cli-*` glob, but it still does not match the `cli-v*` namespace described in the PR. Once the producer side is fixed to emit `cli-v…` tags, this workflow will never fire.
Suggested fix:
on: push: tags: - - "cli-[0-9]*" + - "cli-v*"#!/bin/bash # Verify that the CLI publish trigger matches the tags produced by release workflows. rg -n -C2 'cli-v\*|cli-\[0-9\]\*|tag-prefix cli-' .github/workflows🤖 Prompt for AI Agents
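Review bot: `cli-v*` is still a bare prefix glob and will fire for any tag that starts with `cli-v`, not only version tags; since this workflow publishes to npm and creates a GitHub release, consider combining the digit anchor from the removed `cli-[0-9]*` pattern with the new prefix, i.e. `cli-v[0-9]*`, so a stray tag such as `cli-vnext` (constructed example) cannot reach publish. The bundled `rg` command only confirms that the strings appear somewhere under .github/workflows; it does not show that the producer side actually emits `cli-v` tags, so check the tag-prefix used by bump_version.yml directly.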
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish_cli.yml around lines 7 - 10, Update the push tag trigger in the CI workflow so it matches the producer-side tag namespace: replace the current on.push.tags pattern "cli-[0-9]*" with the "cli-v*" pattern in the publish_cli.yml workflow (the on: push: tags: block) so the workflow will fire for tags produced by the release workflow; ensure the new glob aligns with the producer's tag format.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@tests/statistics.test.ts`:
- Line 238: The test's cleanup call to
deleteApikeyById(nonAccessibleOrgSubkeyId) should be unconditional — wrap the
test body in a try/finally so deleteApikeyById(...) always runs; locate the test
that references nonAccessibleOrgSubkeyId (and the similar case at the other
occurrence) and move the cleanup calls into the finally block, ensuring any
resources created in the test are removed there; optionally switch the test from
it() to it.concurrent() if the test is safe for parallel execution and ensure
seed data is used for tests that modify shared resources.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 53e47d22-1e7b-4582-893f-c2e6b3d2e7c0
📒 Files selected for processing (4)
- .github/workflows/build_and_deploy.yml
- .github/workflows/bump_version.yml
- .github/workflows/publish_cli.yml
- tests/statistics.test.ts
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/build_and_deploy.yml
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
Summary (AI generated)
`main` and `development` pushes `cli-v*` tags and limit Capgo deploys to `v*` tags
Motivation (AI generated)
After moving the CLI into the monorepo, the repository still had a single root `bump_version.yml` path. That meant Capgo versioning remained global, the CLI had no monorepo-native publish lane, and any future CLI tag would also trigger the Capgo deploy workflow because tag matching was still `*`.
Business Impact (AI generated)
This keeps release automation aligned with the product that actually changed. Capgo deployments no longer risk being triggered by CLI-only releases, CLI releases can publish independently again, and non-product changes stop creating unnecessary version churn on the main application.