@jeremyeder
Collaborator

Summary

• Migrated ClusterRole and ClusterRoleBinding to namespace-scoped Role and RoleBinding for better security isolation
• Improved AI assessment comment labeler with revamped workflow configuration
• Fixed GitHub Action format issues in prompt files and YAML indentation
• Removed problematic feature-assessment prompt and updated mapping

Test plan

  • Verify RBAC permissions work correctly in namespace scope
  • Test AI assessment workflow with updated labeler
  • Confirm GitHub Actions run successfully with corrected YAML format
  • Validate prompt file parsing and workflow execution

🤖 Generated with Claude Code

jeremyeder and others added 10 commits September 24, 2025 18:08
- Fix YAML format to use messages array instead of custom fields
- Use openai/gpt-4o-mini model as per documentation
- Simplify content to single line to avoid parsing issues
- Include required testData and evaluators arrays

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Remove multiline formatting that may cause YAML parsing issues
- Use simple single-line content field
- Match exact documentation example format

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Change from 1-space to 2-space indentation to match exact documentation format
- Use >+ multiline format exactly as shown in working example

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Use absolute minimal YAML format to isolate parsing issue
- Remove all multiline content that could cause issues
- Test with simplest possible valid format

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Replace custom prompts with official examples from github/ai-assessment-comment-labeler
- Use bug-review.prompt.yml for bug assessment
- Use well-formed.prompt.yml for feature assessment
- Use spam-detection.prompt.yml for general assessment
- These are guaranteed to work with the GitHub action

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Change from @main to @v1 for stable version
- Remove ./ prefix from prompts_directory path
- Use 'Prompts' instead of './Prompts' as per documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Remove feature-assessment.prompt.yml that was causing YAML parsing errors
- Update labels_to_prompts_mapping to exclude enhancement/feature mapping
- Test if bug and general assessment prompts work without the problematic file

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…nd RoleBinding

- Convert backend ClusterRole to Role for namespace-scoped permissions
- Convert backend ClusterRoleBinding to RoleBinding, remove namespace from subjects
- Convert operator ClusterRole to Role, remove cluster-wide namespace permissions
- Convert operator ClusterRoleBinding to RoleBinding, remove namespace from subjects

This allows the RBAC resources to be deployed within a specific namespace
rather than requiring cluster-wide permissions.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment on lines 1 to 5
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: RoleBinding
metadata:
name: backend-api
roleRef:
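Review bot: swapping kind: ClusterRoleBinding for kind: RoleBinding on line 2 defines a new object instead of changing the existing one, so a cluster that already had the old manifest applied keeps the cluster-scoped backend-api binding and its cluster-wide grant. Pair this change with an explicit deletion of the old ClusterRoleBinding in the rollout steps, otherwise the namespace-scoped binding adds to the old permissions rather than replacing them.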


[P0] Namespace omitted after converting backend RBAC to Role/RoleBinding

The backend RBAC was changed from cluster-scoped objects to Role/RoleBinding, but neither the role manifest nor this binding specifies metadata.namespace. When these manifests are applied, Kubernetes will create them in whichever namespace is active (usually default) while the backend-api ServiceAccount remains hard-coded to ambient-code (backend-sa.yaml). As a result, the binding never attaches to the service account and the backend pod loses all permissions to operate on rfeworkflows, leading to immediate authorization failures. Add metadata.namespace: ambient-code (and ensure the Role lives in the same namespace) so the binding can grant the intended permissions.


Comment on lines 1 to 5
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: RoleBinding
metadata:
name: agentic-operator
roleRef:
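Review bot: the roleRef opened on the last line of this hunk has to move with the kind change on line 2, and its body is not among the lines shown. Confirm that roleRef.kind now reads Role and that roleRef.name matches the converted operator Role; roleRef cannot be edited on an existing binding, so a wrong value there means deleting and recreating the RoleBinding.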


[P0] Operator RoleBinding is no longer namespaced

The operator RBAC resources were also converted to Role/RoleBinding, but this binding lacks metadata.namespace even though the referenced service account is created in the ambient-code namespace. Kubernetes will place the Role and RoleBinding in the default namespace, so the agentic-operator ServiceAccount never receives the listed permissions (jobs, PVCs, deployments, etc.), causing the operator to fail authorization when managing resources. Declare metadata.namespace: ambient-code on both the role and the binding so they are created alongside the service account.


@jeremyeder jeremyeder closed this by deleting the head repository Sep 30, 2025
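
The failure both review comments describe (a Role or RoleBinding without metadata.namespace ending up in a different namespace from the ambient-code ServiceAccount) can be caught before anything is applied. The check below is an added example, not code from this pull request or the project; the Role name, the `lint_rbac` and `manifest` helpers and the sample manifests are constructed for illustration.

```python
# Added example, not the project's code. Manifests are plain dicts, shaped
# as a YAML loader would return them, so the check runs offline.

def lint_rbac(docs):
    """Return findings for Role/RoleBinding manifests in docs."""
    findings = []
    # Index by (kind, namespace, name); namespace is None when omitted.
    index = {(d["kind"], d["metadata"].get("namespace"), d["metadata"]["name"])
             for d in docs}
    for d in docs:
        kind, name = d["kind"], d["metadata"]["name"]
        ns = d["metadata"].get("namespace")
        if kind not in ("Role", "RoleBinding"):
            continue
        if ns is None:
            findings.append(f"{kind}/{name}: no metadata.namespace, lands in "
                            "the namespace active at apply time")
        if kind != "RoleBinding":
            continue
        ref = d["roleRef"]
        if ref["kind"] == "Role" and ("Role", ns, ref["name"]) not in index:
            findings.append(f"RoleBinding/{name}: Role {ref['name']} is not "
                            f"defined in namespace {ns or '<apply-time>'}")
        for s in d.get("subjects", []):
            if s["kind"] != "ServiceAccount":
                continue
            # An omitted subject namespace resolves to the binding's namespace.
            sa_ns = s.get("namespace") or ns
            if ("ServiceAccount", sa_ns, s["name"]) not in index:
                findings.append(f"RoleBinding/{name}: ServiceAccount {s['name']}"
                                f" is not defined in {sa_ns or '<apply-time>'}")
    return findings


def manifest(kind, name, namespace=None, **spec):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, **spec}


# Constructed sample mirroring the review: ServiceAccount pinned to ambient-code,
# Role and RoleBinding without a namespace. The Role name is a placeholder.
REF = {"kind": "Role", "name": "backend-api"}
SUBJECTS = [{"kind": "ServiceAccount", "name": "backend-api"}]
SA = manifest("ServiceAccount", "backend-api", "ambient-code")
BROKEN = [SA, manifest("Role", "backend-api", rules=[]),
          manifest("RoleBinding", "backend-api", roleRef=REF, subjects=SUBJECTS)]
FIXED = [SA, manifest("Role", "backend-api", "ambient-code", rules=[]),
         manifest("RoleBinding", "backend-api", "ambient-code",
                  roleRef=REF, subjects=SUBJECTS)]
```

`lint_rbac(BROKEN)` reports the two missing namespaces plus the ServiceAccount that the binding can no longer resolve; `lint_rbac(FIXED)` returns an empty list.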