34 changes: 33 additions & 1 deletion code-review/config.mdx
Expand Up @@ -6,6 +6,7 @@ description: "Use .hacktron/config.yaml to control which pull and merge requests
Add a `.hacktron/config.yaml` file to your repository to control Hacktron's Code Review behavior:

- **Skip** specific pull and merge requests so they aren't scanned.
- **Include** specific pull and merge requests to be scanned.
- **Fail** the Hacktron check when a finding meets a severity threshold, so risky changes can't merge.

This is separate from [`.hacktron/rules.md`](/code-review/rules), which shapes the *quality* of a review. `config.yaml` controls *whether* a PR is scanned and *whether* its check passes.
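Review bot: the new bullet reads as if `include` adds PRs to the scan set on top of the default, whereas the "Include scans" section added further down in this same file defines it as an allow-list (only matching PRs are scanned) that is ignored whenever any `skip` rule is present. Say that in the overview so readers don't combine the two blocks: `- **Include** only specific pull and merge requests, so nothing else is scanned (cannot be combined with \`skip\`).`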
Expand Down Expand Up @@ -47,6 +48,8 @@ skip:
paths:
- "vendor/**"
- "**/*.md"
authors:
- dependabot[bot]

# Fail the Hacktron check when a finding is at or above this severity.
fail_on:
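Review bot: `- dependabot[bot]` is unquoted here but quoted as `"dependabot[bot]"` in the second example further down this file. The brackets parse fine as a plain scalar inside a block sequence, but a reader who later turns the list into flow style (`authors: [dependabot[bot]]`) gets a parse error because `[` and `]` are flow indicators; quote the value in both examples so they are consistent and survive that reformatting.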
Expand All @@ -63,9 +66,10 @@ Rules are evaluated in this order; the first match wins:

| Key | Matches when | Match style |
|---|---|---|
| `skip.labels` | the PR/MR carries one of these labels | exact, case-insensitive |
| `skip.labels` | the PR/MR carries one of these labels | case-insensitive |
| `skip.keywords` | the PR/MR **title** contains one of these strings | case-insensitive substring |
| `skip.paths` | **every** changed file matches one of these patterns | gitignore-style globs |
| `skip.authors` | the PR/MR was opened by one of these usernames | case-insensitive |

```yaml
skip:
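Review bot: dropping `exact` from the `skip.labels` match style (the replaced row read `exact, case-insensitive`, the new one just `case-insensitive`) leaves it ambiguous whether labels now match by substring like `skip.keywords` or still by whole value, and the new `skip.authors` row has the same gap. If the behaviour is unchanged, keep `exact, case-insensitive` on both rows; if labels now match by substring, state that explicitly, since a substring match widens the set of PRs that get skipped and readers of the table will otherwise assume the stricter rule.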
Expand All @@ -76,6 +80,8 @@ skip:
paths:
- "docs/**" # skip when the PR only touches these paths
- "**/*.md"
authors:
- "dependabot[bot]" # skip all PRs opened by dependabot
```

<Note>
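Review bot: the comment `# skip all PRs opened by dependabot` presents a blanket exemption for an account whose PRs are dependency bumps, which is the change class where a supply-chain review is most useful. If the example stays, word the comment as a deliberate trade-off, for instance `# skip dependency-bump PRs from this account; they are not reviewed unless someone comments @hacktronai review`, rather than as a default. Also note that the match is on the username as the hosting platform reports it, so GitLab users need the bot's username on that platform rather than this GitHub one.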
Expand All @@ -87,6 +93,32 @@ skip:

A manual `@hacktronai review` comment always runs a scan, even when a `skip` rule would otherwise match — use it to force a one-off review of an otherwise-skipped PR.

## Include scans

Use the include block to scan **only** pull and merge requests that match specific rules. Similarly, Hacktron records a skip check comment in your PRs/MRs.

```yaml
include:
labels:
- security-review # only scan PRs labelled "security-review"
authors:
- alice # always scan Alice's PRs
- bob
```

| Key | Matches when |
|---|---|
| `include.labels` | the PR/MR carries at least one of these labels (case-insensitive) |
| `include.authors` | the PR/MR was opened by one of these usernames (case-insensitive) |

Both `include.labels` and `include.authors` can be set at the same time. If a PR matches either, it is scanned.

<Warning>
`include` rules are **ignored when any `skip` rule is present** in your config.
Use one or the other. For example, if you need to exempt specific authors while
scanning everything else, use `skip.authors` on its own.
</Warning>

## Fail the check on findings

By default, the Hacktron check is green as long as the scan completes — findings are posted as inline comments but don't block the merge. Set `fail_on.severity` to turn the check **red** when a finding is found at or above a severity threshold.
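Review bot: the sentence `Similarly, Hacktron records a skip check comment in your PRs/MRs.` has no antecedent in this new section; say what it applies to, e.g. "PRs/MRs that match no `include` rule are skipped and get the same skip check comment as a `skip` match." Three further gaps: the include table has no "Match style" column, so it is unclear whether `include.labels` and `include.authors` match the whole value or a substring (the skip table above distinguishes the two); the `<Warning>` that `include` is silently ignored when any `skip` key is present describes a footgun that deserves a visible signal, such as a config warning in the check comment, not documentation alone; and the section should say whether a manual `@hacktronai review` comment overrides `include` the way the Note above says it overrides `skip`.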