ci: add silent-close shim to altimate-qa watchdog (migration item 12)

[dev-punia-altimate]

Summary

Cross-repo notification shim that fires repository_dispatch to AltimateAI/altimate-qa whenever a PR closes here, so the silent-close watchdog can react in seconds instead of waiting up to 5 minutes for its cron tick.

What this does

• Triggers on pull_request: closed events.
• Sends event_type=pr-closed with {repo, pr_number, closed_by, was_merged, title} payload to AltimateAI/altimate-qa.
• Self-disables (warning, exit 0) if AUTOPILOT_DISPATCH_TOKEN secret is not set on this repo. Never fails the PR.

Why

Reference incident: 2026-04-29 12:24 UTC silent bulk-close (47 PRs in 90s, 6 fix PRs lost). The watchdog already exists in altimate-qa but ran on a 5-min cron — up to 5 minutes of fix-PR loss before the reopener fired. This shim closes that gap to ~20s end-to-end.

The receiving end is altimate-qa PR #366 which adds the repository_dispatch trigger to silent-close-watchdog.yml and a --single-pr fast path to the reopener script. That PR should land before this one is wired up (until it does, the dispatch is a no-op on the receiving end).

Setup needed (after merge)

Add AUTOPILOT_DISPATCH_TOKEN secret to this repo's Actions settings:

github.com/AltimateAI/<this-repo>/settings/secrets/actions

Token must have repo scope on AltimateAI/altimate-qa so the dispatch endpoint accepts it. PAT or App token both work.

Test plan

• Merge altimate-qa Bump @types/node from 18.14.6 to 18.15.0 #366 first (receiving end)
• Add AUTOPILOT_DISPATCH_TOKEN secret here
• Force-close a test PR in this repo, observe a dispatch run on altimate-qa within ~20s
• Confirm the cron sweep on altimate-qa still runs (5-min schedule unchanged) so any partial rollout doesn't break detection

Reference

• Spec: templates/cross-repo-shims/README.md in altimate-qa
• altimate-qa receiving PR: AltimateAI/altimate-qa#366
• Migration item: 12 of the autopilot self-health epic

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Infrastructure improvements to enhance internal QA workflow automation and monitoring.

[coderabbitai]

Walkthrough

Adds a new GitHub Actions workflow that monitors pull request closure events and dispatches a repository event to the AltimateAI/altimate-qa repository, transmitting PR metadata including source repository, PR number, closer information, merge status, and PR title when a dispatch token is available.

Changes

Cohort / File(s)	Summary
Silent Close Shim Workflow .github/workflows/silent-close-shim.yml	New workflow triggered on PR closure that constructs and sends a repository dispatch event to an external repository with PR context data; includes token validation, 2-minute timeout, and concurrency control keyed by PR number.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description is comprehensive and detailed, covering the summary, implementation details, rationale, setup instructions, and test plan, but does not follow the repository's required template structure with Overview/Problem/Solution/Checklist sections.	Consider restructuring the description to match the repository template (Overview, Problem, Solution, Checklist) while preserving the detailed technical content already provided.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a silent-close shim workflow for cross-repo notification to the altimate-qa watchdog, with migration context.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/silent-close-shim

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/silent-close-shim.yml:
- Around line 17-20: Change the workflow trigger from pull_request to
pull_request_target so repository secrets like AUTOPILOT_DISPATCH_TOKEN are
available for fork PRs; update the on: pull_request block (the event that
currently prevents secrets for fork-origin PRs) to on: pull_request_target and
keep the existing dispatch step that uses AUTOPILOT_DISPATCH_TOKEN unchanged so
the fast-close dispatch (the job that runs the dispatch using
AUTOPILOT_DISPATCH_TOKEN) will run for fork PRs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a08cfaec-6b51-4d4d-a1d0-bd5918546add

📥 Commits

Reviewing files that changed from the base of the PR and between e384e88 and 298f1aa.

📒 Files selected for processing (1)

• .github/workflows/silent-close-shim.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For GitHub Actions, are repository secrets available to workflows triggered by pull_requestfrom forks whentypes: [closed]is used, and doespull_request_target provide access to those secrets for the same event?

💡 Result:

No, repository secrets are not available to workflows triggered by pull_request from forks, even when types: [closed] is used. Yes, pull_request_target provides access to those secrets for the same event.

Citations:

• 1: https://docs.github.com/actions/security-guides/using-secrets-in-github-actions
• 2: https://docs.github.com/actions/using-workflows/events-that-trigger-workflows
• 3: https://stackoverflow.com/questions/76952023/how-to-make-github-actions-safely-access-secrets-for-prs-created-from-forks
• 4: https://www.paulserban.eu/blog/post/pullrequest-vs-pullrequesttarget-the-github-actions-trigger-hiding-a-security-nightmare/
• 5: https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md

---

🏁 Script executed:

cat -n .github/workflows/silent-close-shim.yml

Repository: AltimateAI/vscode-dbt-power-user

Length of output: 3028

---

pull_request trigger disables the shim for fork PRs due to missing secrets

On line 17 and line 37, this workflow depends on a secret (AUTOPILOT_DISPATCH_TOKEN) during a pull_request event. For fork-origin PRs, repository secrets are unavailable, causing lines 44–47 to skip dispatch and lose the fast-close signal for those PRs.

Suggested change

-on:
-  pull_request:
-    types: [closed]
+on:
+  pull_request_target:
+    types: [closed]

Since this job does not checkout or execute PR code, pull_request_target is a low-risk way to restore coverage and ensure secrets are available for fork PRs.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	on:
	pull_request:
	types: [closed]
	on:
	pull_request_target:
	types: [closed]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/silent-close-shim.yml around lines 17 - 20, Change the
workflow trigger from pull_request to pull_request_target so repository secrets
like AUTOPILOT_DISPATCH_TOKEN are available for fork PRs; update the on:
pull_request block (the event that currently prevents secrets for fork-origin
PRs) to on: pull_request_target and keep the existing dispatch step that uses
AUTOPILOT_DISPATCH_TOKEN unchanged so the fast-close dispatch (the job that runs
the dispatch using AUTOPILOT_DISPATCH_TOKEN) will run for fork PRs.

[github-actions]

Bundle Size Report

darwin-arm64: 74.2 MB

Category	Size	Compressed	Files
Webview JS bundles	36.3 MB	12.3 MB	346
Native: altimate-core	35.1 MB	14.0 MB	1
Media assets	29.6 MB	25.8 MB	91
Native: zeromq	20.5 MB	8.2 MB	15
Webview images	15.3 MB	12.2 MB	18
Extension backend (JS)	2.7 MB	0.6 MB	1
Python packages	2.0 MB	0.5 MB	95
Native: other node_modules	1.0 MB	0.2 MB	139
Webview CSS	0.8 MB	0.1 MB	2
Webview other	0.5 MB	0.1 MB	5
Other	0.1 MB	26 KB	15
Total	143.9 MB	74.0 MB	728

linux-x64: 75.9 MB

Category	Size	Compressed	Files
Native: altimate-core	41.8 MB	15.1 MB	1
Webview JS bundles	36.3 MB	12.3 MB	346
Media assets	29.6 MB	25.8 MB	91
Native: zeromq	21.9 MB	8.7 MB	16
Webview images	15.3 MB	12.2 MB	18
Extension backend (JS)	2.7 MB	0.6 MB	1
Python packages	2.0 MB	0.5 MB	95
Native: other node_modules	1.0 MB	0.2 MB	139
Webview CSS	0.8 MB	0.1 MB	2
Webview other	0.5 MB	0.1 MB	5
Other	0.1 MB	26 KB	15
Total	152.0 MB	75.7 MB	729

win32-x64: 76.8 MB

Category	Size	Compressed	Files
Native: altimate-core	50.3 MB	16.2 MB	1
Webview JS bundles	36.3 MB	12.3 MB	346
Media assets	29.6 MB	25.8 MB	91
Native: zeromq	20.0 MB	8.1 MB	15
Webview images	15.3 MB	12.2 MB	18
Extension backend (JS)	2.7 MB	0.6 MB	1
Native: other node_modules	2.3 MB	0.7 MB	147
Python packages	2.0 MB	0.5 MB	95
Webview CSS	0.8 MB	0.1 MB	2
Webview other	0.5 MB	0.1 MB	5
Other	0.1 MB	26 KB	15
Total	159.8 MB	76.6 MB	736

[dev-punia-altimate]

✅ Tests — All Passed

cc @dev-punia-altimate