Antalya 26.3 Add 'PRs in Release' table to report #1592

Open: strtgbb wants to merge 10 commits into antalya-26.3 from report-merged-prs
Conversation

@strtgbb strtgbb commented Mar 27, 2026

Collaborator

Changelog category (leave one):

  • CI Fix or Improvement (changelog entry is not required)

CI/CD Options

Exclude tests:

  • Fast test
  • Integration Tests
  • Stateless tests
  • Stateful tests
  • Performance tests
  • All with ASAN
  • All with TSAN
  • All with MSAN
  • All with UBSAN
  • All with Coverage
  • All with Aarch64
  • All Regression
  • Disable CI Cache

Regression jobs to run:

  • Fast suites (mostly <1h)
  • Aggregate Functions (2h)
  • Alter (1.5h)
  • Benchmark (30m)
  • ClickHouse Keeper (1h)
  • Iceberg (2h)
  • LDAP (1h)
  • Parquet (1.5h)
  • RBAC (1.5h)
  • SSL Server (1h)
  • S3 (2h)
  • S3 Export (2h)
  • Swarms (30m)
  • Tiered Storage (2h)

@strtgbb strtgbb added cicd Improvements and fixes to the CICD process antalya-26.1 labels Mar 27, 2026

github-actions Bot commented Mar 27, 2026


Workflow [PR], commit [e509565]

strtgbb commented Apr 1, 2026

Collaborator Author

Should cicd PRs be included in the table?

@strtgbb strtgbb force-pushed the report-merged-prs branch from 441c6d9 to bceb0a1 Compare April 8, 2026 16:03
@strtgbb strtgbb force-pushed the report-merged-prs branch from bceb0a1 to b5c51a3 Compare May 14, 2026 13:48
@strtgbb strtgbb changed the base branch from antalya-26.1 to antalya-26.3 May 14, 2026 13:48
@strtgbb strtgbb changed the title Antalya 26.1 Add 'PRs in Release' table to report Antalya 26.3 Add 'PRs in Release' table to report May 14, 2026
@strtgbb strtgbb force-pushed the report-merged-prs branch from b5c51a3 to 09082a7 Compare May 21, 2026 18:25
@strtgbb strtgbb force-pushed the report-merged-prs branch 2 times, most recently from 3174cba to 567fe40 Compare June 11, 2026 19:20
@strtgbb strtgbb force-pushed the report-merged-prs branch from 567fe40 to e853348 Compare June 15, 2026 18:06

CarlosFelipeOR commented Jun 22, 2026

Collaborator

AI audit note: This review comment was generated by AI (gpt-5.3-codex).

Audit update for PR #1592 (add PRs in Release table + tabbed report UI):

Confirmed defects:

High: Stored HTML/script injection in PRs in Release report table
Impact: A merged PR title/label containing HTML can execute in the generated CI report page when maintainers open it.
Anchor: .github/actions/create_workflow_report/create_workflow_report.py / _enrich_prs_in_release_merge_prs, format_pr_labels_with_verification, format_results_as_html_table
Trigger: Any merged PR with title or label text like <img src=x onerror=alert(1)>.
Why defect: Untrusted PR metadata is inserted into table cells and rendered with escape=False; label text is also interpolated into raw HTML.
Fix direction (short): Escape pr_name/pr_labels (or use escape=True and only allow explicit safe HTML columns).
Regression test direction (short): Unit-test malicious PR title/label and assert rendered output is escaped text, not executable markup.

Low: Error-path fallback can render raw Python list ([]) instead of user-facing message
Impact: On recoverable data-collection failures, report quality degrades to confusing literal output instead of an explicit “nothing to report/error” state.
Anchor: .github/actions/create_workflow_report/create_workflow_report.py / create_workflow_report, format_results_as_html_table
Trigger: get_prs_in_release_dataframe exception on release report path.
Why defect: The exception path leaves prs_in_release as [], and formatter now returns non-DataFrame values unchanged.
Fix direction (short): Keep prs_in_release as an empty DataFrame or make formatter normalize non-DataFrames to a safe fallback HTML message.
Regression test direction (short): Simulate get_prs_in_release_dataframe failure and assert output does not contain literal [].

Coverage summary:

  • Scope reviewed: full changed call graph in 2 files (create_workflow_report.py, ci_run_report.html.jinja), including release-only path, rendering path, and tab-navigation path.
  • Categories failed: untrusted-data output encoding, error-path rendering contract.
  • Categories passed: normal tab switching flow, PR-vs-release gating, preview gating, git/release-baseline fallback containment (exceptions are caught in report generation path).
  • Assumptions/limits: static reasoning only (no live GH Actions/browser execution in this run); no C++/multithreaded/shared-state paths in scope.
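
The two fix directions in the audit above, sketched as an added example that is not part of the PR, the audit comment, or the project's `create_workflow_report.py`. It uses only the standard library instead of a DataFrame, and every name in it (`render_table`, `format_labels`, `pr_link`, `SAFE_HTML_COLUMNS`, the `example.invalid` URL) is hypothetical.

```python
import html

# Hypothetical stand-in for the report formatter; not the project's code.
SAFE_HTML_COLUMNS = {"pr_link", "pr_labels"}  # markup built only by the helpers below
EMPTY_MESSAGE = "<p>No PRs to report.</p>"
PAYLOAD = "<img src=x onerror=alert(1)>"  # trigger string quoted in the audit


def pr_link(number, base_url):
    """Trusted markup: an anchor built from an integer PR number."""
    url = html.escape(f"{base_url}/pull/{int(number)}", quote=True)
    return f'<a href="{url}">#{int(number)}</a>'


def format_labels(labels):
    """Label text is escaped before it is interpolated into the span markup."""
    return " ".join(
        f'<span class="label">{html.escape(str(label))}</span>' for label in labels
    )


def render_table(rows, columns):
    """Escape every cell except the allow-listed columns; never echo an empty input."""
    if not rows:
        return EMPTY_MESSAGE  # the error path yields a message, not a literal []
    head = "".join(f"<th>{html.escape(c)}</th>" for c in columns)
    body = []
    for row in rows:
        cells = []
        for c in columns:
            value = str(row.get(c, ""))
            if c not in SAFE_HTML_COLUMNS:
                value = html.escape(value)  # untrusted PR metadata becomes inert text
            cells.append(f"<td>{value}</td>")
        body.append("<tr>" + "".join(cells) + "</tr>")
    return f"<table><tr>{head}</tr>{''.join(body)}</table>"


# Constructed sample row: a PR whose title and one label carry the payload.
SAMPLE_ROWS = [{
    "pr_link": pr_link(1, "https://example.invalid/repo"),
    "pr_name": f"Fix report {PAYLOAD}",
    "pr_labels": format_labels(["cicd", PAYLOAD]),
}]

if __name__ == "__main__":
    print(render_table(SAMPLE_ROWS, ["pr_link", "pr_name", "pr_labels"]))
    print(render_table([], ["pr_link", "pr_name", "pr_labels"]))
```

The allow-list only stays safe while every value placed in those columns is produced by a helper that escapes its inputs, as `format_labels` and `pr_link` do here.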

Labels

antalya antalya-26.1 antalya-26.3 cicd Improvements and fixes to the CICD process

3 participants