Skip to content

Avoid requesting features in CCR#3476

Merged
henrymercer merged 2 commits intomainfrom
henrymercer/retry-auth-errors
Feb 13, 2026
Merged

Avoid requesting features in CCR#3476
henrymercer merged 2 commits intomainfrom
henrymercer/retry-auth-errors

Conversation

@henrymercer
Copy link
Contributor

@henrymercer henrymercer commented Feb 12, 2026

CCR's auth token does not currently have enough permissions to access the features API, so it 403s. This PR skips the API request and uses the default values for all feature flags. This is less confusing in the logs, saves a bit of time, and reduces a bit of API load.

The drawback is we'll need to back this change out once we get round to updating CCR and the features flag API to work together.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

  • Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

  • CCR - The changes impact analyses for Copilot Code Reviews.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@henrymercer henrymercer requested a review from a team as a code owner February 12, 2026 17:19
Copilot AI review requested due to automatic review settings February 12, 2026 17:19
@github-actions github-actions bot added the size/S Should be easy to review label Feb 12, 2026
Copilot AI reviewed Feb 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents Copilot Code Review (CCR) runs from calling the feature flags API (which currently 403s with CCR credentials), and instead always uses default feature flag values to avoid confusing logs and unnecessary API traffic.

Changes:

  • Skip the feature flags API request when running in CCR, falling back to default values.
  • Update debug messaging for non-dotcom environments to reflect “default values” behavior.
  • Extend unit tests to cover the CCR default-values behavior and adjust existing assertions.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/feature-flags.ts Adds CCR detection to bypass remote feature-flag fetching and updates debug messaging for non-dotcom.
src/feature-flags.test.ts Adds a CCR test case and refactors assertions to validate default-value behavior and expected logs.
lib/upload-sarif-action.js Generated build output reflecting the feature flag behavior changes.
lib/start-proxy-action.js Generated build output reflecting the CCR detection and feature flag behavior changes.
lib/setup-codeql-action.js Generated build output reflecting the CCR detection and feature flag behavior changes.
lib/init-action.js Generated build output reflecting the feature flag behavior changes.
lib/init-action-post.js Generated build output reflecting the feature flag behavior changes.
lib/autobuild-action.js Generated build output reflecting the CCR detection and feature flag behavior changes.
lib/analyze-action.js Generated build output reflecting the feature flag behavior changes.

@henrymercer
Apply suggestion from @Copilot
05bca54 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@mbg
Copy link
Member

mbg commented Feb 12, 2026

Approved so we can run a release if #3477 does not get reviewed before. If we merge this for the next release, we should then revert it afterwards in favour of #3477.

@henrymercer henrymercer merged commit 9658e23 into main Feb 13, 2026
250 checks passed
@henrymercer henrymercer deleted the henrymercer/retry-auth-errors branch February 13, 2026 11:11
This was referenced Feb 13, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mbg mbg mbg approved these changes

Assignees

No one assigned

Labels

size/S Should be easy to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@henrymercer @mbg