ci: Add PR test workflow

[jayavenkatesh19]

• Adds Github Actions CI that runs on every pull request
• Closes the PR without running the tests if author has more than 10 open PRs.
• Two parallel test jobs: unit tests (JavaScript + TypeScript) and Docker-based sandbox E2E

Summary by CodeRabbit

• Chores
  • Added CI workflows for pull requests: one runs unit and isolated sandbox end-to-end pipelines with caching, concurrency control, and timeouts; another enforces a per-author open-PR limit by commenting and closing excess PRs.
• Tests
  • Coordinated multi-stage test execution with environment setup and isolated sandbox runs to improve CI coverage and reliability.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: be982603-4f3d-4b52-aff6-ada7775f0356

📥 Commits

Reviewing files that changed from the base of the PR and between 6fd1ffd and e22af20.

📒 Files selected for processing (1)

• .github/workflows/pr-limit.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/pr-limit.yaml

---

📝 Walkthrough

Walkthrough

Adds two new GitHub Actions workflows: .github/workflows/pr.yaml (runs unit and Docker-based sandbox E2E tests on pull_request events) and .github/workflows/pr-limit.yaml (uses the gh CLI on pull_request_target to enforce a per-author open-PR limit and close PRs when >10).

Changes

Cohort / File(s)	Summary
PR test workflow ​.github/workflows/pr.yaml	New workflow triggered on pull_request (opened, synchronize, reopened). Adds test-unit job (Node.js 22 setup, npm cache, install/build TypeScript plugin in nemoclaw, run root and nemoclaw unit tests) and test-e2e-sandbox job (builds Docker sandbox image from test/Dockerfile.sandbox, runs sandbox E2E tests). Includes permissions, concurrency, and per-job timeouts.
PR limit workflow ​.github/workflows/pr-limit.yaml	New workflow triggered on pull_request_target (opened, reopened). Uses gh CLI to count the PR author's open PRs, and if count > 10 posts a comment, closes the PR, and exits non-zero. Runs without checking out PR code and sets environment variables for token, author, PR number, and repo.

Sequence Diagram(s)

sequenceDiagram
    participant GH as "GitHub (PR event)"
    participant Actions as "GitHub Actions Runner"
    participant GHCLI as "gh CLI"
    participant Node as "Node.js / npm"
    participant Docker as "Docker Engine"
    participant Tests as "Test scripts"

    GH->>Actions: pull_request (opened/reopened/synchronize)
    Actions->>GHCLI: run pr-limit check (pull_request_target workflow)
    alt author has >10 open PRs
        GHCLI->>GH: post comment & close PR
        GHCLI-->>Actions: exit non-zero
    else author within limit
        Actions->>Node: setup Node 22, install deps, build plugin
        Node->>Tests: run root unit tests
        Node->>Tests: run nemoclaw unit tests
        Actions->>Docker: build sandbox image (test/Dockerfile.sandbox)
        Docker->>Tests: run sandbox E2E tests
        Tests-->>Actions: report results
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I counted PRs beneath the moonlit vine,
Ten little carrots, then draw the line.
I spin Node’s yarn and set Docker to hop,
Tests tumble in burrows until they stop.
CI carrots crunch — a tidy little crop.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'ci: Add PR test workflow' is partially related to the changeset. It references the CI workflow additions, but it's overly broad—the PR actually adds two distinct workflows (pr.yaml for testing and pr-limit.yaml for PR limiting logic), not just a generic 'PR test workflow'. The more significant change is splitting the PR-closer logic into a separate workflow.	Consider a more specific title that reflects both workflow additions, such as 'ci: Add PR test and limit workflows' or 'ci: Split PR validation into separate workflows'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/pr.yaml (1)

27-31: Consider using environment variables for GitHub context values.

Direct interpolation of ${{ ... }} expressions into shell scripts can be a script injection vector. While GitHub restricts usernames to safe characters, using environment variables is the safer pattern for shell script inputs.

♻️ Suggested safer approach

       - name: Check open PR count for author
         env:
           GH_TOKEN: ${{ github.token }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
         run: |
-          AUTHOR="${{ github.event.pull_request.user.login }}"
-          PR_NUMBER="${{ github.event.pull_request.number }}"
-          REPO="${{ github.repository }}"
-
           OPEN_COUNT=$(gh pr list --repo "$REPO" --author "$AUTHOR" --state open --json number --jq 'length')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr.yaml around lines 27 - 31, The workflow currently
injects GitHub context expressions directly into the shell as AUTHOR, PR_NUMBER,
and REPO which can be an injection vector; instead define those values as step
or job environment variables (e.g., map github.event.pull_request.user.login,
github.event.pull_request.number, and github.repository into env: AUTHOR,
PR_NUMBER, REPO or use built‑in vars like GITHUB_ACTOR) and then reference the
safe env vars ($AUTHOR, $PR_NUMBER, $REPO) inside the run block so the shell
sees only environment values rather than raw `${{ ... }}` expressions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/pr.yaml:
- Around line 27-31: The workflow currently injects GitHub context expressions
directly into the shell as AUTHOR, PR_NUMBER, and REPO which can be an injection
vector; instead define those values as step or job environment variables (e.g.,
map github.event.pull_request.user.login, github.event.pull_request.number, and
github.repository into env: AUTHOR, PR_NUMBER, REPO or use built‑in vars like
GITHUB_ACTOR) and then reference the safe env vars ($AUTHOR, $PR_NUMBER, $REPO)
inside the run block so the shell sees only environment values rather than raw
`${{ ... }}` expressions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bd4de385-0c93-466a-b93d-49b9db95eeba

📥 Commits

Reviewing files that changed from the base of the PR and between 0d1d2d8 and 8b585c6.

📒 Files selected for processing (1)

• .github/workflows/pr.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr.yaml:
- Around line 10-13: Workflow-level permission pull-requests: write is overly
broad; remove or change the workflow-level pull-requests permission to read
(keep contents: read) and add a job-level permissions block to the single job
that needs PR mutation (the check-pr-limit job) granting pull-requests: write so
only that job gets write access; update both places called out in the review
(the top-level permissions block and the duplicate block at lines 19-23) so no
other jobs inherit write scope.
- Line 20: The workflow currently restricts the check to only the 'opened'
action; update the job/step with the name "check-pr-limit" to run for all
relevant PR events by replacing the single-action guard with a pull_request
check that includes opened, synchronize, and reopened (for example: if:
github.event_name == 'pull_request' && (github.event.action == 'opened' ||
github.event.action == 'synchronize' || github.event.action == 'reopened')) so
the PR-limit policy runs on updates as well.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 303adc3a-eb00-47eb-9f81-c4fd3631357c

📥 Commits

Reviewing files that changed from the base of the PR and between 8b585c6 and 87f6046.

📒 Files selected for processing (1)

• .github/workflows/pr.yaml

[jacobtomlinson]

Awesome! Can you split the PR closer into a separate workflow file?

[jayavenkatesh19]

Awesome! Can you split the PR closer into a separate workflow file?

@jacobtomlinson Done! Makes it easier for permission scoping too.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-limit.yaml:
- Around line 6-8: The workflow trigger uses "pull_request" which provides a
read-only GITHUB_TOKEN for forked PRs; change the trigger to
"pull_request_target" so actions that mutate PRs (the comment/close steps
referenced in the job that runs after the on: block) run with the repository's
write-scoped GITHUB_TOKEN; update any steps that checkout code (replace uses of
actions/checkout with ref handling to avoid executing untrusted code from the PR
head) and ensure permissions for contents: write and pull-requests: write are
set for the job that performs the comment/close operations (refer to the
workflow trigger and the job that creates PR comments/close actions).

In @.github/workflows/pr.yaml:
- Around line 17-58: The PR workflow starts tests immediately (jobs test-unit
and test-e2e-sandbox) but cannot depend on check-pr-limit because needs: only
works within the same workflow; move the limit check into this workflow or
convert the existing pr-limit.yaml into a reusable workflow and call it from
this workflow so tests can depend on it. Specifically, add a job named
check-pr-limit inside this file (or call the reusable workflow) and then update
test-unit and test-e2e-sandbox to declare needs: [check-pr-limit] so they wait
for the limit check to complete before running.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6668483a-dea3-4046-a0f9-ddda7fd28ac6

📥 Commits

Reviewing files that changed from the base of the PR and between ab72e1c and 6fd1ffd.

📒 Files selected for processing (2)

• .github/workflows/pr-limit.yaml
• .github/workflows/pr.yaml

[ericksoa]

LGTM — unit tests, sandbox E2E, and PR rate limit all look good.