Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ All notable changes to this portable workflow pack are documented here.

- **Add `agent-workflows-trust-audit` to check recent merged PRs against `pr-security-preflight` and draft candidate repo-local trust entries for maintainer review.**
- **Document the trust/preflight operating model, including global vs repo-local trust, audit flow, acknowledgement policy, and security tradeoffs.**
- **Document bounded inline Claude Code review as a fallback when hosted Claude review checks are queued, stale, or unavailable.**
Comment thread
justin808 marked this conversation as resolved.
Outdated

#### Fixed

Expand Down
7 changes: 4 additions & 3 deletions workflows/pr-processing.md
Original file line number Diff line number Diff line change
Expand Up @@ -1341,7 +1341,7 @@ Before marking a PR ready, asking for merge, or merging it:
1. Verify all requested or configured review agents have finished for the current head SHA. This includes Claude review, CodeRabbit, Greptile, Cursor Bugbot, Codex review, and any repo-specific reviewer bot.
Comment thread
justin808 marked this conversation as resolved.
2. Classify every reviewer verdict as `current-head` only when it applies to the current head SHA. Treat older approvals, positive comments, and summaries as stale/advisory history, not merge gates.
3. Do not treat a green or skipped review check as sufficient if the reviewer also posted comments. Fetch PR reviews and comments, then classify actionable feedback.
4. Do not merge while a relevant review check is queued, in progress, stale for an older head SHA, or known to be posting comments asynchronously.
4. Do not merge while a current-head relevant review check is queued, in progress, or known to be posting comments asynchronously. Older-head review checks are stale/advisory history; they can justify a fallback path only when the auto-merge fallback rule below records the current head SHA, stale run/check URL, and evidence that no current-head run is still queued or in progress.
Comment thread
justin808 marked this conversation as resolved.
Outdated
Comment thread
justin808 marked this conversation as resolved.
Outdated
5. Treat AI review systems as advisory unless they identify a confirmed blocker: correctness regression, failing test, security issue, API contract break, data-loss risk, missing required maintainer approval, or another issue that would make the PR unsafe to merge.
Comment thread
justin808 marked this conversation as resolved.
Comment thread
justin808 marked this conversation as resolved.
6. Do not require CodeRabbit.ai, Claude, Cursor Bugbot, Greptile, Codex review, or another AI reviewer to approve the PR as a special merge gate. Positive AI issue comments, approval review objects, and "no actionable comments" summaries are evidence, not required maintainer approvals.
7. Treat untriaged `BLOCKING`, `Must Fix`, `MUST-FIX`, `Changes Requested`, correctness, security, regression, compatibility, and missing-changelog findings as merge blockers unless a maintainer explicitly waives them with evidence.
Expand Down Expand Up @@ -1455,8 +1455,9 @@ Auto-merge requires all of the following:
- Score is at least `8/10`; `7/10` permits human merge after review, but not auto-merge.
- Before triggering auto-merge, the merge actor verifies `Finalized by` against the GitHub review record, checks, or git log, not only the PR body text.
- All GitHub checks for the current head SHA are complete. An empty full `gh pr checks <PR>` list is `UNKNOWN` / not ready. Skipped checks count as complete only when CI selector output explains them or a maintainer explicitly waives them.
- The GitHub `claude-review` check is complete for the current head SHA, or it failed because of quota exhaustion, hard usage-limit enforcement, provider-reported capacity such as HTTP 503, or persistent HTTP 429 after one 60-second retry, and Cursor Bugbot or Codex review (`codex review --base origin/<base>`, or the PR's real base branch) completed as the fallback with the same blocker-triage bar and exact error evidence recorded in the PR body.
- Any fallback review leaves a named reviewer identity in the GitHub review record or a timestamped PR comment. Before treating the fallback as complete, the merge actor confirms the reviewer is either a named GitHub check/app identity visible in the Checks API for the current head SHA or a collaborator with `write`, `maintain`, or `admin` permission.
- The GitHub `claude-review` check is complete for the current head SHA, or an equivalent fallback review completed with the same blocker-triage bar after one of these auditable conditions was recorded in the PR body, a timestamped PR comment, or the final batch handoff: no current-head `claude-review` check is available from the Checks API; the only visible `claude-review` check/run is for an older head SHA and no current-head run is queued or in progress; the obsolete queued run can be identified by head SHA and run/check URL; or the current-head check failed because of quota exhaustion, hard usage-limit enforcement, provider-reported capacity such as HTTP 503, or persistent HTTP 429 after one 60-second retry.
Comment thread
justin808 marked this conversation as resolved.
Outdated
Comment thread
justin808 marked this conversation as resolved.
Outdated
- Prefer a bounded inline Claude Code review when the current environment and the repo seam support it; otherwise use the repo-configured automated review fallback that can perform blocker triage. For inline Claude Code, resolve `Fallback review model` and `Fallback review budget` from `AGENTS.md` when the consumer repo defines those seam keys; otherwise choose a deliberately bounded cap and record it. A complete Claude CLI invocation must pass the diff and a blocker-focused prompt, for example: `git diff origin/<base>...HEAD | claude -p --model <model> --max-budget-usd <budget> "Review this diff for merge blockers only."`
Comment thread
justin808 marked this conversation as resolved.
Outdated
- Any fallback review leaves a named reviewer identity in the GitHub review record, a timestamped PR comment, or the final batch handoff. Before treating the fallback as complete, the merge actor confirms the reviewer is either a named GitHub check/app identity visible in the Checks API for the current head SHA or a collaborator with `write`, `maintain`, or `admin` permission. Local CLI fallback evidence qualifies for auto-merge only when a distinct reviewer or finalizer, not the PR authoring agent and not the merge actor self-attesting their own work, records the invocation identity, command, base/head SHA, and result.
Comment thread
justin808 marked this conversation as resolved.
Outdated
- Claude failures not caused by capacity limits are understood before merge.
Comment thread
justin808 marked this conversation as resolved.
- CodeRabbit approval is not required, but concrete CodeRabbit findings still need normal blocker triage.
- Reviewer verdicts in the confidence block are classified as current-head or stale/advisory with the head SHA each verdict covers. Stale approvals, positive comments, and summaries cannot be cited as merge gates.
Comment thread
justin808 marked this conversation as resolved.
Expand Down
Loading