ci(sinkra-review): PAT-checkout for PRIVATE action + harmonize provider to OpenAI gpt-4o-mini #45

Closed
RBKunnela wants to merge 1 commit into main from ci/sinkra-review-pat-checkout

@RBKunnela
Owner

Problem statement (two issues addressed)

Issue 1 — PAT-checkout required

paybot-sdk is PUBLIC. RBKunnela/sinkra-action is PRIVATE. The currently-merged .github/workflows/sinkra-review.yml (#44) references the action via:

uses: RBKunnela/sinkra-action@af19709550dc6e9355f439a1900984e284bf3e89 # v0.1.3

GitHub Actions cannot resolve this from a public repo. The default GITHUB_TOKEN lacks read scope on the private action's repository, so the run aborts at job-setup with:

##[error]Unable to resolve action `rbkunnela/sinkra-action`, repository not found

Confirmed empirically on the paybot-core mirror PR run (same error mode).

Issue 2 — Provider drift

paybot-core and paybot-mcp were updated 2026-05-23 19:14 UTC to use OpenAI gpt-4o-mini:

zai-api-key: ${{ secrets.OPENAI_API_KEY }}
zai-base-url: 'https://api.openai.com/v1'
model: 'gpt-4o-mini'

paybot-sdk's workflow still references ZAI_API_KEY with no base-url/model overrides — it would run against the default glm-4.6 provider while its siblings run against OpenAI. The Sinkra verdict on paybot-sdk would therefore not be comparable to verdicts on the other two repos.

Solution

  1. PAT-checkout pattern. Checkout the private action into a local path via a fine-grained PAT, then invoke it as uses: ./.sinkra-action. SHA pin and version comment preserved for supply-chain hygiene.
  2. Harmonize provider config. Switch to OPENAI_API_KEY + zai-base-url: 'https://api.openai.com/v1' + model: 'gpt-4o-mini' to match paybot-core / paybot-mcp.

Diff: 1 file, +26/-4.

OPERATOR ACTION REQUIRED — TWO STEPS

This PR will not pass CI until BOTH operator actions below are complete.

Action 1 — Create SINKRA_ACTION_PAT secret

  1. Open https://github.com/settings/personal-access-tokens/new
  2. Set:
    • Token name: paybot-sdk-sinkra-action-read (or similar)
    • Resource owner: RBKunnela
    • Expiration: 90 days recommended
    • Repository access: Only select repositories → RBKunnela/sinkra-action
    • Repository permissions → Contents: Read-only
  3. Generate the token. Copy the value once.
  4. Add to this repo's secrets:
    gh secret set SINKRA_ACTION_PAT --repo RBKunnela/paybot-sdk
    
    Paste the token value when prompted.

(NOTE: If paybot-mcp PR #31 lands first, you can re-use the same PAT — fine-grained PATs may be scoped to the action's repo and used by any consuming repo. Set the same value as a secret on each consumer.)

Action 2 — Toggle Workflow permissions to Read and write

paybot-sdk has had Actions Workflow permissions set to Read repository contents (read-only). This is insufficient for the Sinkra Review check-run write step.

  1. Open https://github.com/RBKunnela/paybot-sdk/settings/actions
  2. Scroll to Workflow permissions
  3. Select Read and write permissions
  4. Save.

(This was flagged in earlier session investigation; paybot-core and paybot-mcp already have this enabled.)

Then — retrigger

Push an empty commit on this PR's head branch to retrigger the workflow:

git commit --allow-empty -m "ci: retrigger after PAT + workflow-permissions set"
git push

Verification plan

After both operator actions + workflow retriggered:

  • Expect Sinkra Review / sinkra-action verdict check-run to progress past the action-resolution step.
  • Expect 9-agent council verdict computed against OpenAI gpt-4o-mini (matching paybot-core / paybot-mcp).
  • If pass: this PR is the canonical fix and may be merged by @devops per automated-pr-merge-authority.md.

Scope

  • Single file: .github/workflows/sinkra-review.yml
  • No code changes. No runtime changes. CI plumbing only.

SINKRA chain compliance

Per .claude/rules/automated-pr-merge-authority.md, this PR (opened by an automated session) requires:

  • @sm story reference (chore-style CI wiring; no story file required per established convention)
  • @po validation (out-of-scope for ci-only changes)
  • @dev self-check (configuration not code; reasoning above)
  • @qa PASS verdict — pending workflow run after operator actions complete
  • @devops merge — only after operator action items above are complete

DO NOT MERGE until SINKRA_ACTION_PAT is set, Workflow permissions are set to Read and write, and a successful Sinkra Review run is recorded.

🤖 Generated with Claude Code
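
The PAT-checkout pattern from the description above, written out as a workflow. This is an added example, not the PR's actual diff (which is not shown on this page). The trigger, job and step names, `actions/checkout@v4`, `persist-credentials: false` and the `permissions` scopes are assumptions; the action reference, SHA, secret names and inputs are those quoted in the PR.

```yaml
# Added example, not the project's own workflow file.
name: Sinkra Review
on:
  pull_request:                 # assumption: the review runs on pull requests

permissions:
  contents: read                # read this repository's code
  checks: write                 # assumption: scope used by the check-run write step

jobs:
  sinkra-review:
    runs-on: ubuntu-latest
    steps:
      # Check out the repository under review first; a later root checkout
      # would clean the workspace and delete .sinkra-action.
      - name: Checkout repository under review
        uses: actions/checkout@v4   # a tag is shown here; pin to a full commit SHA in practice
        with:
          persist-credentials: false

      # Fetch the PRIVATE action with the fine-grained PAT, at the same SHA
      # the original `uses:` line pinned.
      - name: Checkout private action at pinned SHA
        uses: actions/checkout@v4
        with:
          repository: RBKunnela/sinkra-action
          ref: af19709550dc6e9355f439a1900984e284bf3e89   # v0.1.3
          token: ${{ secrets.SINKRA_ACTION_PAT }}          # Contents: Read-only on sinkra-action
          path: .sinkra-action
          persist-credentials: false   # keep the PAT out of .sinkra-action/.git/config

      # Invoke the action from the local path instead of owner/repo@sha.
      - name: Run Sinkra review
        uses: ./.sinkra-action
        with:
          zai-api-key: ${{ secrets.OPENAI_API_KEY }}
          zai-base-url: 'https://api.openai.com/v1'
          model: 'gpt-4o-mini'
```

With `uses: ./.sinkra-action` the pin lives in the `ref:` input, so that is the line to review when the action is updated. Repository secrets are not passed to `pull_request` runs triggered from forks, so the second checkout fails on fork PRs.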

…-4o-mini

Two changes:

1. PAT-checkout for PRIVATE action consumption.
   paybot-sdk is PUBLIC; sinkra-action is PRIVATE. GitHub Actions cannot
   resolve `uses: RBKunnela/sinkra-action@SHA` from a public repo because
   the default GITHUB_TOKEN lacks read scope on the private action's
   repository. Workaround: checkout the private action into a local path
   via a fine-grained PAT, then invoke it as `uses: ./.sinkra-action`.

2. Harmonize provider config to OpenAI gpt-4o-mini.
   paybot-core and paybot-mcp were updated to use OPENAI_API_KEY +
   `zai-base-url: 'https://api.openai.com/v1'` + `model: 'gpt-4o-mini'`
   (operator-merged 19:14 UTC). paybot-sdk was on ZAI_API_KEY with no
   base-url/model overrides. This commit brings paybot-sdk into line
   with the other two repos so the verdict is computed identically
   across the ecosystem.

Requires repo secret SINKRA_ACTION_PAT — see PR description for setup.
Also requires Workflow permissions = Read and write — see PR description.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented May 23, 2026

Warning

Review limit reached

@RBKunnela, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 57 minutes and 52 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9c5e6309-a7ac-4cbc-af21-0f566c9dc608

📥 Commits

Reviewing files that changed from the base of the PR and between d0fc820 and a0590e6.

📒 Files selected for processing (1)
  • .github/workflows/sinkra-review.yml

@RBKunnela
Owner Author

Closing as obsolete: the public FriendlyAI Review wrapper has been merged to main and branch protection now requires the semantic friendlyai/review check.

@RBKunnela RBKunnela closed this May 24, 2026
@RBKunnela RBKunnela deleted the ci/sinkra-review-pat-checkout branch May 24, 2026 13:10