feat: Inject AHOY_CMD and AHOY_COMMAND_NAME environment variables into subprocesses

[ocean]

Sets AHOY_CMD to the resolved path of the running ahoy binary and AHOY_COMMAND_NAME to the name of the invoked command, making both available to every subprocess ahoy runs.

Adds a testdata fixture and BATS integration tests to verify the behaviour.

This is a fix for #165

Summary by CodeRabbit

Release Notes

• New Features

  • Commands now get AHOY_COMMAND_NAME (current command name) and AHOY_CMD (binary path) in the execution environment.

• Improvements

  • Configuration parsing now more consistently follows the ahoy.yml schema.
  • Validation reports all detected command/config issues together (instead of stopping early).
  • Circular-import handling is more robust, with clearer detection.
  • Bash completion is generated consistently.

• Bug Fixes

  • Subprocess execution failures are now surfaced as proper command errors.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5204386d-5ee2-46d8-bc3a-ef9cd556e742

📥 Commits

Reviewing files that changed from the base of the PR and between 40cee88 and eee4425.

📒 Files selected for processing (1)

• ahoy_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• ahoy_test.go

---

Walkthrough

Adds AHOY_CMD and AHOY_COMMAND_NAME environment variable injection into executed subprocesses. Refactors circular import detection into a processImport helper using an importVisited map. Switches config validation to accumulate errors before a single fatal report, and command execution from Run to RunE for proper error propagation. GitHub Actions workflows are hardened with commit-pinned actions, per-job permissions, and a new zizmor security scan.

Changes

Environment variable injection, error handling, and circular import detection

Layer / File(s)	Summary
Config/Command struct YAML tags and package state ahoy.go	Config and Command struct fields gain explicit yaml:"..." tags. Package-level ahoyExecutable and importVisited variables are declared.
Circular import detection and normalizePath helper ahoy.go	normalizePath converts a path to a cleaned absolute form. processImport centralises include path expansion, checks importVisited to skip repeated imports, and logs "Circular import detected" when a cycle is found. getSubCommands delegates to processImport. setupApp initialises and seeds importVisited with the primary config path.
Configuration validation error accumulation ahoy.go	getCommands validation accumulates invalid-command reasons into a configErrors slice. After command construction all entries are logged and a single fatal message is issued.
Executable capture, env injection, and RunE error propagation ahoy.go	main() captures the binary path into ahoyExecutable. Each Cobra command switches from Run to RunE. AHOY_COMMAND_NAME and AHOY_CMD are appended to the subprocess environment. Subprocess errors propagate through RunE. Bash completion generation is made unconditional.
Test YAML and Bats tests for env variable injection testdata/ahoy-self-env.ahoy.yml, tests/environment-variables.bats	Test YAML defines commands that echo and validate AHOY_CMD and AHOY_COMMAND_NAME. Bats tests assert both variables are non-empty, resolve to the actual binary, point to an executable, and are accessible together in the same subprocess.
Unit tests for circular imports and state isolation ahoy_test.go	TestGetSubCommand resets importVisited to prevent test pollution. appRun capture logic is refactored with explicit pipe error handling and deferred stream restoration. TestMultiBranchAndCircularImports exercises multi-branch import merging and verifies "Circular import detected" appears in log output for circular configs.
missing-cmd.bats: regex assertions and circular import test tests/missing-cmd.bats	Existing fatal-output assertions switch from exact string matching to regex matching. A new test writes circular import YAML fixtures and asserts non-zero exit, no panic, and "Circular import detected" in output.

GitHub Actions hardening and linting configuration

Layer / File(s)	Summary
Build and test workflow action pinning and lint fix .github/workflows/build_and_test.yml	actions/checkout and actions/setup-go are pinned to newer commit SHAs. Lint step working-directory changes from hardcoded v2 to ${{ matrix.directory }}. Both upload-artifact steps are pinned to a newer SHA.
Release workflow permissions and tooling pinning .github/workflows/release.yml	Global permissions: {} replaced with per-job permissions. Actions and Syft are pinned by commit SHA (Syft from latest to v1.45.1). "Determine release mode" uses EVENT_NAME/DRY_RUN env variables. post-release adds REF_NAME env var.
CodeQL checkout pinning and zizmor security scan workflow .github/workflows/codeql.yml, .github/workflows/zizmor.yml	CodeQL workflow pins checkout to v6.0.2 commit SHA. New zizmor.yml runs security scanning on master pushes and all pull requests with least-privilege permissions and pinned action versions.
golangci-lint v2 configuration migration v2/.golangci.yml	Migrates to version: "2" schema, switches from disable-all to default: none, restructures exclusions under linters.exclusions with presets and path rules, and adds a formatters section for gofmt/goimports.

Sequence Diagram(s)

sequenceDiagram
  participant main
  participant osExec as os.Executable()
  participant setupApp
  participant processImport
  participant RunE as cobra RunE handler
  participant subprocess as exec.Command.Run()

  main->>osExec: capture binary path
  osExec-->>main: ahoyExecutable
  main->>setupApp: initialise importVisited, seed primary config path
  setupApp->>processImport: process each import path
  processImport->>processImport: check importVisited for cycle
  processImport-->>setupApp: merged command map or "Circular import detected" log
  setupApp->>RunE: build command with RunE
  RunE->>subprocess: os.Environ() + AHOY_COMMAND_NAME + AHOY_CMD
  subprocess-->>RunE: error or nil
  RunE-->>setupApp: return error to cobra

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 Hoppity-hop through the import tree,
No circles shall trap me, I run free!
AHOY_CMD set, my path made clear,
Errors collected, then logged — oh dear!
RunE returns what once just died,
This rabbit reviewed it, satisfied! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 17.65% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary change: injecting two environment variables (AHOY_CMD and AHOY_COMMAND_NAME) into subprocesses, which is the main feature delivered across ahoy.go, test fixtures, and integration tests.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ocean]

@coderabbitai There should be a configuration change to include you doing code reviews on the v3-candidate branch, please check your configuration

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

@ocean, let me check the current CodeRabbit configuration for this repository to verify the branch settings.

---

🛠 Debug Information Gathered

---

@ocean — I've found the issue. The current configuration has base_branches set to an empty array, which means CodeRabbit only automatically reviews PRs targeting the default branch. The v3-candidate branch is not included.

To fix this, add v3-candidate to the base_branches list in your .coderabbit.yaml file:

reviews:
  auto_review:
    base_branches:
      - v3-candidate

This field accepts regex patterns too, so if you want to cover all non-default branches you could use .*, but scoping it to v3-candidate specifically is the more targeted approach.

Once that change is merged into the default branch, CodeRabbit will automatically review PRs that target v3-candidate as well.

[ocean]

@coderabbitai help

[coderabbitai]

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai rate limit to show your current review rate limit status.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
• @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
• @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve merge conflict to automatically resolve merge conflicts.
• @coderabbitai autofix to automatically fix issues identified in unresolved review comments.
• @coderabbitai resolve to resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

• Visit our status page to check the current availability of CodeRabbit.
• Create a ticket on our support page for assistance with any issues or questions.
• Visit our documentation site for detailed information on how to use CodeRabbit.
• Join our Discord community to connect with other users and get help from the community.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Note

Unit test generation is a public access feature. Expect some limitations and changes as we gather feedback and continue to improve it.

---

Generating unit tests... This may take up to 20 minutes.

[ocean]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[ocean]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@v2/ahoy.go`:
- Line 321: The current assignment to command.Env appends ahoyEnvVars before
envVars so user-provided environment entries can override injected values;
change the append order so envVars are appended first and ahoyEnvVars are
appended last (so injected AHOY_CMD / AHOY_COMMAND_NAME override any
duplicates), i.e., update the expression that builds command.Env which uses
command.Environ(), ahoyEnvVars and envVars to append envVars then ahoyEnvVars.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 850910d1-4739-42ea-8472-a116e8914154

📥 Commits

Reviewing files that changed from the base of the PR and between aa7f6e7 and 1f78216.

📒 Files selected for processing (3)

• v2/ahoy.go
• v2/testdata/ahoy-self-env.ahoy.yml
• v2/tests/environment-variables.bats

[coderabbitai]

❌ Failed to create PR with unit tests: AGENT_CHAT: Failed to open pull request

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ahoy.go (1)

385-387: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

RunE currently suppresses actionable execution errors.

With SilenceErrors=true, this path returns an error but only prints a blank line. Failures like “executable not found” can become effectively silent. Print the actual error (or at least non-exit errors) before returning.

Suggested fix

-                if err := command.Run(); err != nil {
-                    fmt.Fprintln(os.Stderr)
-                    return err
-                }
+                if err := command.Run(); err != nil {
+                    var exitErr *exec.ExitError
+                    if !errors.As(err, &exitErr) {
+                        fmt.Fprintln(os.Stderr, err.Error())
+                    }
+                    return err
+                }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ahoy.go` around lines 385 - 387, In the RunE function's error handling block
where command.Run() is checked, the current code prints only a blank line to
stderr instead of the actual error message. Replace the fmt.Fprintln(os.Stderr)
call with a proper error print statement that outputs the error content (e.g.,
using fmt.Fprintf or fmt.Fprintln with the err variable) to ensure actionable
execution errors like "executable not found" are visible to users before
returning the error.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/zizmor.yml:
- Around line 14-20: The zizmor job currently grants only security-events: write
permission in its job-level permissions block, but the actions/checkout action
requires contents: read permission to access the repository. Since job-level
permissions override the workflow-level permissions rather than extending them,
add contents: read to the permissions block alongside the existing
security-events: write permission.

In `@ahoy.go`:
- Around line 188-196: The importVisited map persists as monotonic state across
the entire app run, causing files legitimately imported from different recursion
branches to be incorrectly flagged as circular imports. Replace this global
persistent map with stack-style tracking that marks imports as visited only for
the current recursion path: mark them as visited on function entry and unmark
them on function exit. Additionally, normalize all seeded and imported paths
consistently before checking or storing them in the tracking map to ensure
reliable comparison. This approach will prevent false positives for valid
multi-branch imports while still catching genuine circular dependencies within a
single path.

---

Outside diff comments:
In `@ahoy.go`:
- Around line 385-387: In the RunE function's error handling block where
command.Run() is checked, the current code prints only a blank line to stderr
instead of the actual error message. Replace the fmt.Fprintln(os.Stderr) call
with a proper error print statement that outputs the error content (e.g., using
fmt.Fprintf or fmt.Fprintln with the err variable) to ensure actionable
execution errors like "executable not found" are visible to users before
returning the error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 07aebd8e-3f65-41a9-bbe8-88437928ff27

📥 Commits

Reviewing files that changed from the base of the PR and between b13edf2 and 3861510.

📒 Files selected for processing (11)

• .circleci/config.yml
• .coderabbit.yaml
• .github/dependabot.yml
• .github/workflows/build_and_test.yml
• .github/workflows/codeql.yml
• .github/workflows/release.yml
• .github/workflows/zizmor.yml
• .golangci.yml
• ahoy.go
• ahoy_test.go
• tests/missing-cmd.bats

💤 Files with no reviewable changes (1)

• .circleci/config.yml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ahoy_test.go (1)

247-256: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Close pipe readers to avoid descriptor leaks in test helper.

r and rErr are not closed, so repeated appRun calls can leak file descriptors and destabilise long test runs.

Suggested patch

 r, w, pipeErr := os.Pipe()
 if pipeErr != nil {
 	return "", fmt.Errorf("failed to create stdout pipe: %w", pipeErr)
 }
+defer r.Close()
 rErr, wErr, pipeErr := os.Pipe()
 if pipeErr != nil {
 	w.Close()
 	r.Close()
 	return "", fmt.Errorf("failed to create stderr pipe: %w", pipeErr)
 }
+defer rErr.Close()

Also applies to: 292-295

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ahoy_test.go` around lines 247 - 256, The pipe readers r and rErr created by
os.Pipe() calls are never closed, causing file descriptor leaks in the appRun
test helper function when called repeatedly. Add cleanup code to close both r
and rErr before the function returns successfully. This should typically be done
via defer statements immediately after each os.Pipe() call, or by ensuring both
readers are closed in all code paths that lead to the function returning (both
success and error paths). The defer approach is preferred to guarantee cleanup
even if the function exits early through multiple return statements.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ahoy_test.go`:
- Around line 404-409: This test mutates global state including AhoyConf.srcDir
and the importVisited global variable without restoring them, which causes test
isolation issues. Save the original values of AhoyConf.srcDir, importVisited,
and any global logger output at the beginning of the test, then use defer or
t.Cleanup() to restore all these values after the test completes. Apply this
cleanup pattern to all locations in the test where these globals are modified,
ensuring that both the initial setup around line 404-409 and the modifications
around line 439-445 are properly cleaned up.

---

Outside diff comments:
In `@ahoy_test.go`:
- Around line 247-256: The pipe readers r and rErr created by os.Pipe() calls
are never closed, causing file descriptor leaks in the appRun test helper
function when called repeatedly. Add cleanup code to close both r and rErr
before the function returns successfully. This should typically be done via
defer statements immediately after each os.Pipe() call, or by ensuring both
readers are closed in all code paths that lead to the function returning (both
success and error paths). The defer approach is preferred to guarantee cleanup
even if the function exits early through multiple return statements.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 62ab644e-801d-4cea-9e5f-5e265db1e099

📥 Commits

Reviewing files that changed from the base of the PR and between 3861510 and 40cee88.

📒 Files selected for processing (7)

• .github/workflows/build_and_test.yml
• .github/workflows/codeql.yml
• .github/workflows/release.yml
• .github/workflows/zizmor.yml
• ahoy.go
• ahoy_test.go
• v2/.golangci.yml

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/zizmor.yml
• ahoy.go
• .github/workflows/release.yml