feat: add /review-dep-pr skill for dependency update PR review#315

Merged
Aureliolo merged 4 commits into main from feat/review-dep-pr-skill on Mar 12, 2026

Conversation

@Aureliolo (Owner)

Summary

  • Add new /review-dep-pr skill that provides comprehensive review of dependency update PRs (Dependabot, Renovate, manual)
  • Covers all ecosystems: GitHub Actions, Python packages, Docker images, npm
  • 7-phase pipeline: parse PR → determine usage scope → fetch/analyze changelog → cross-reference config → present findings → user decision → execute
  • Every dependency update gets full changelog analysis between old and new versions, cross-referenced against our actual usage

Key Features

  • Multi-PR batch processing (space-separated PR numbers)
  • Changelog fetching via PR body, GitHub releases, WebFetch, and WebSearch fallback
  • Change categorization: BREAKING, DEPRECATION, NEW FEATURE, IMPROVEMENT, BUGFIX, SECURITY
  • Cross-references each change against actual codebase usage (config, imports, workflows)
  • Docs dependency builds verified via mkdocs build --strict
  • Actionable recommendations grouped by timing (before/with/after merge)
  • Interactive user decisions with merge/improve/investigate/close options

Test plan

  • Run /review-dep-pr <number> on a real Dependabot PR
  • Test with multiple PR numbers
  • Test with a docs-dependency PR to verify Phase 4 build step
  • Test with a major version bump to verify migration guide fetching

🤖 Generated with Claude Code

Skill that reviews any dependency update PR (CI actions, Python packages,
Docker images) with full changelog analysis, breaking change detection,
new feature opportunities, and actionable decisions via survey.
Copilot AI review requested due to automatic review settings March 12, 2026 07:21

github-actions bot commented Mar 12, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a powerful new skill to automate and standardize the review process for dependency update pull requests. It aims to significantly streamline dependency management by providing a detailed, context-aware analysis of changes, identifying potential impacts, and guiding users through a structured decision-making workflow. This enhancement will reduce manual effort, improve the reliability of dependency updates, and ensure that our codebase remains up-to-date and secure across all supported ecosystems.

Highlights

  • New Skill Added: Introduced a new /review-dep-pr skill designed for comprehensive review of dependency update pull requests, covering various ecosystems like GitHub Actions, Python, Docker, and npm.
  • 7-Phase Review Pipeline: Implemented a structured 7-phase pipeline for PR analysis: parsing, usage scope determination, changelog fetching/analysis, config cross-referencing, findings presentation, user decision, and execution.
  • Changelog Analysis: Enabled full changelog analysis between old and new dependency versions, categorizing changes as BREAKING, DEPRECATION, NEW FEATURE, IMPROVEMENT, BUGFIX, or SECURITY, and cross-referencing them against actual codebase usage.
  • Actionable Recommendations & User Decisions: Provided actionable recommendations grouped by timing (before/with/after merge) and integrated interactive user decision options (e.g., 'Merge as-is', 'Improve and merge', 'Investigate first', 'Close / Skip').
  • Docs Dependency Verification: Included a phase to build the documentation site for docs-related dependencies using mkdocs build --strict to verify no breaking changes are introduced.
Activity
  • Introduced a new skill for automated dependency PR review.


coderabbitai bot commented Mar 12, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4e1ed7d8-8d2a-4023-9a1b-4843aaa81909

📥 Commits

Reviewing files that changed from the base of the PR and between b7e5936 and 39b730c.

📒 Files selected for processing (1)
  • .claude/skills/review-dep-pr/SKILL.md

📝 Walkthrough

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive, multi‑phase workflow for reviewing dependency update PRs: usage‑scope discovery, changelog analysis, CI-aware decision flows, reporting formats, and per‑PR or batched action paths.
    • Clarified reviewer guidance with an explicit prompt to review automated dependency PRs before merging and added notes on input validation, parallel processing, merge safeguards, and post‑merge cleanup prompts.

Walkthrough

Adds a new skill documentation file .claude/skills/review-dep-pr/SKILL.md describing a multi-phase workflow for reviewing dependency-update PRs, and a small edit to CLAUDE.md appending a Dependabot review directive.

Changes

Cohort / File(s) Summary
Dependency Review Skill Documentation
.claude/skills/review-dep-pr/SKILL.md
Added a comprehensive, multi-phase skill document for reviewing dependency-update PRs covering argument parsing, PR metadata & CI gathering, usage-scope discovery, changelog retrieval/analysis (Dependabot/Renovate and releases), cross-referencing with internal config, optional docs builds, structured reporting, decision prompts, and merge/close/fix workflows and safeguards.
Repository docs update
CLAUDE.md
Small addition: appended a directive to review Dependabot PRs before merging using /review-dep-pr.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding a new /review-dep-pr skill for dependency update PR review, which aligns with the primary purpose of the changeset.
Description check ✅ Passed The description is well-detailed and directly related to the changeset, explaining the skill's purpose, features, phases, and test plan for dependency update PR reviews.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



codecov bot commented Mar 12, 2026

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a new and very detailed skill, /review-dep-pr, for reviewing dependency update PRs. The plan is comprehensive and well-structured, covering everything from fetching PR data to executing user decisions. I've provided a few suggestions to improve the robustness and correctness of the implementation plan, particularly around version comparison and interacting with git and CI systems.

Comment on lines +86 to +87
# For GitHub-hosted deps, fetch releases in the version range
gh api repos/<owner>/<repo>/releases --paginate --jq '.[] | select(.tag_name >= "v<from>" and .tag_name <= "v<to>") | {tag: .tag_name, body: .body}'


high

The jq filter for version comparison uses string-based operators (>=, <=), which is not reliable for semantic versioning. For example, a string comparison would incorrectly treat "v10.0.0" as less than "v2.0.0". This could cause the agent to miss important changelogs. The filtering should be performed in a subsequent step using a tool that properly handles semver.

Suggested change
# For GitHub-hosted deps, fetch releases in the version range
gh api repos/<owner>/<repo>/releases --paginate --jq '.[] | select(.tag_name >= "v<from>" and .tag_name <= "v<to>") | {tag: .tag_name, body: .body}'
# For GitHub-hosted deps, fetch all releases. Version filtering must be done in a later step using a proper semver library, as string comparison in jq is unreliable.
gh api repos/<owner>/<repo>/releases --paginate --jq '.[] | {tag: .tag_name, body: .body}'

Comment on lines +139 to +141
# Checkout the PR branch
git fetch origin <pr-branch>
git checkout <pr-branch>


medium

The process for checking out the PR branch can be simplified and made more robust by using the gh CLI. The gh pr checkout <number> command is the canonical way to do this, as it handles fetching and switching to the correct branch in one step.

Suggested change
# Checkout the PR branch
git fetch origin <pr-branch>
git checkout <pr-branch>
# Checkout the PR branch
gh pr checkout <number>

2. Make the recommended changes (config improvements, workaround removal, etc.)
3. Commit with descriptive message
4. Push to the PR branch
5. Verify CI passes


medium

The instruction "Verify CI passes" is ambiguous for an automated agent. To make this step more explicit and reliable, the plan should specify using a command like gh pr checks <number> --watch to monitor the CI status until it completes. This same logic should be applied to the "Wait for CI" step in the "Fix CI and merge" section.

Suggested change
5. Verify CI passes
5. Wait for CI to pass using `gh pr checks <number> --watch`.


greptile-apps bot commented Mar 12, 2026

Greptile Summary

This PR introduces a new /review-dep-pr skill that provides a structured, 7-phase pipeline for reviewing Dependabot, Renovate, and manual dependency update PRs — covering changelog analysis, usage cross-referencing, optional docs-build verification, and interactive merge decisions. It also adds a one-line pointer to the skill in CLAUDE.md. The skill has clearly gone through multiple revision rounds (previous threads show jq semver comparison, Renovate parsing, --watch timeout, and replacement-PR tracking were all fixed), and the overall design is solid.

Two new issues remain:

  • Phase 7 CI re-verification (line 258): the jq filter select(.conclusion != "success" and .conclusion != "skipped") incorrectly matches checks whose conclusion is null (still running). This silently routes to "Fix CI and merge" whenever CI is in-progress rather than truly failed.
  • Phase 4 uv sync --group docs (line 174): missing --frozen flag may cause uv to update uv.lock on the checked-out Dependabot branch, leaving a dirty lock file even after git checkout restores the code.

Confidence Score: 3/5

  • Safe to merge after fixing the in-progress CI check false-positive and the missing --frozen flag in Phase 4
  • The skill logic is well-thought-out and most previously flagged bugs have been fixed. The remaining in-progress-check issue is a real logic bug that will cause incorrect user-facing behaviour (spurious "Fix CI" prompts) in normal usage. The uv sync issue is lower severity but could leave a dirty working tree as an unintended side effect.
  • .claude/skills/review-dep-pr/SKILL.md — Phase 7 CI verification logic and Phase 4 uv sync call

Important Files Changed

Filename Overview
.claude/skills/review-dep-pr/SKILL.md New skill with a well-structured 7-phase pipeline. Previous rounds of review addressed many issues (jq version comparison, Renovate format, --watch timeout, replacement PR tracking, batch CI gate). Two new issues remain: the Phase 7 CI re-verification filter treats in-progress checks (null conclusion) as failures, and Phase 4's uv sync --group docs lacks --frozen, risking unintended lock-file modifications on the checked-out branch.
CLAUDE.md Minor documentation update adding a pointer to /review-dep-pr on the Dependabot line. No issues.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Phase 0: Parse & validate PR numbers\ngh pr view + gh pr checks"] --> B["Phase 1: Determine usage scope\n(Actions / Python / Docker / npm)"]
    B --> C["Phase 2: Fetch changelog\nPR body → GH releases → WebFetch → WebSearch"]
    C --> D["Phase 3: Cross-reference with config\nBREAKING / DEPRECATION / NEW FEATURE / BUGFIX / SECURITY"]
    D --> E{"Docs dependency?"}
    E -- "Yes" --> F["Phase 4: Build docs\ngh pr checkout → uv sync → mkdocs build --strict"]
    E -- "No" --> G
    F --> G["Phase 5: Present findings\nStructured report per PR"]
    G --> H["Phase 6: AskUserQuestion\nPer-PR or batched if all clean + CI passing"]
    H --> I{"User decision"}
    I -- "Merge as-is" --> J["Re-verify CI\n⚠ null conclusion = in-progress\ntreated as failure (bug)"]
    J -- "All passed" --> K["gh pr merge --squash --auto"]
    J -- "Failing" --> L["Fix CI and merge flow"]
    I -- "Improve and merge" --> M["gh pr checkout\nmake changes, commit, push"]
    M -- "Push fails" --> N["Open replacement PR\nuse new PR number"]
    M -- "Push succeeds" --> O["gh pr checks --watch --timeout 600"]
    N --> O
    O --> K
    I -- "Fix CI and merge" --> L
    L --> M
    I -- "Close / Skip" --> P["gh pr close --comment reason"]
    K --> Q["Remind: run /post-merge-cleanup"]
    P --> Q
```
Prompt To Fix All With AI
This is a comment left during a code review.
Path: .claude/skills/review-dep-pr/SKILL.md
Line: 258-264

Comment:
**In-progress checks incorrectly flagged as failed**

The jq filter treats checks with a `null` conclusion (still running) as failures. In jq, `null != "success"` evaluates to `true`, so any in-progress check will be selected and the skill will tell the user to "switch to the Fix CI and merge flow" when CI is simply still running — not broken.

This means a fast execution of Phase 7 (right after a push or rebase triggered new CI runs) would always incorrectly redirect to a remediation path that doesn't apply.

The filter should require the check to be completed before evaluating its conclusion:

```bash
gh pr checks <number> --json name,status,conclusion --jq '.[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")'
```

If any completed checks have not passed, inform the user and switch to the "Fix CI and merge" flow instead. If checks are still in-progress, wait for them to complete before deciding.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: .claude/skills/review-dep-pr/SKILL.md
Line: 174-175

Comment:
**`uv sync` without `--frozen` may modify the lock file**

`uv sync --group docs` without `--frozen` allows uv to update `uv.lock` if it determines the current lock is out of sync. Running this on a checked-out Dependabot branch risks creating uncommitted lock-file changes that linger in the working tree even after `git checkout "$original_ref"` restores the code — because `uv sync` modifies `uv.lock` as a side effect, and `git checkout` won't revert that change unless it was itself part of the checkout.

Using `--frozen` ensures the lock file is treated as the source of truth and never modified:

```bash
uv sync --group docs --frozen
```

How can I resolve this? If you propose a fix, please make it concise.

Last reviewed commit: 39b730c
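The in-progress-check false positive Greptile describes above, worked through as an added example (not code from the synthorg repository or the /review-dep-pr skill): check records are shaped like the page's `gh pr checks <number> --json name,status,conclusion` output, the samples are constructed, and a small poller mirrors the `--watch --timeout 600` step so a still-running check yields "wait" or "timeout" rather than a spurious "fix CI" prompt.

```python
"""Decide merge / wait / fix-CI from check-run records without treating running checks as failed.

Added example, not code from the synthorg repo or the /review-dep-pr skill. Records are shaped
like the page's `gh pr checks <number> --json name,status,conclusion` command; samples are constructed.
"""
import time

PASSING = {"success", "skipped"}  # the conclusions the skill treats as "not a failure"


def classify_checks(checks):
    """Bucket check runs by name into pending / failed / passed.

    A check is failed only when it has *completed* with a non-passing conclusion.
    A running check has conclusion null (None here); with the original filter
    `.conclusion != "success" and .conclusion != "skipped"` that null compares
    unequal and the check is wrongly reported as failed.
    """
    buckets = {"pending": [], "failed": [], "passed": []}
    for check in checks:
        if check.get("status") != "completed":
            buckets["pending"].append(check["name"])
        elif check.get("conclusion") in PASSING:
            buckets["passed"].append(check["name"])
        else:
            buckets["failed"].append(check["name"])
    return buckets


def naive_failed(checks):
    """Semantics of the original filter, kept to show the false positive on running checks."""
    return [c["name"] for c in checks if c.get("conclusion") not in PASSING]


def decide(checks):
    """'fix_ci' if any completed check failed, 'wait' if anything is still running, else 'merge'."""
    buckets = classify_checks(checks)
    if buckets["failed"]:
        return "fix_ci"
    if buckets["pending"]:
        return "wait"
    return "merge"


def wait_for_checks(fetch, timeout_s=600, poll_s=30, sleep=time.sleep, clock=time.monotonic):
    """Poll fetch() (a wrapper around the gh command) until a non-'wait' decision or the timeout.

    Mirrors `gh pr checks --watch --timeout 600` from the page's flow; returns 'timeout' if
    checks are still pending when the deadline passes, so the caller never merges blind.
    """
    deadline = clock() + timeout_s
    while True:
        decision = decide(fetch())
        if decision != "wait":
            return decision
        if clock() >= deadline:
            return "timeout"
        sleep(poll_s)


# Constructed samples (a null conclusion on the running check is the case that matters).
CHECKS_RUNNING = [
    {"name": "lint", "status": "completed", "conclusion": "success"},
    {"name": "docs", "status": "completed", "conclusion": "skipped"},
    {"name": "test", "status": "in_progress", "conclusion": None},
]
CHECKS_FAILED = [
    {"name": "lint", "status": "completed", "conclusion": "success"},
    {"name": "test", "status": "completed", "conclusion": "failure"},
]
CHECKS_GREEN = [
    {"name": "lint", "status": "completed", "conclusion": "success"},
    {"name": "test", "status": "completed", "conclusion": "success"},
]

if __name__ == "__main__":
    print("naive filter flags:", naive_failed(CHECKS_RUNNING))  # ['test'] although it is still running
    print("correct decision:", decide(CHECKS_RUNNING))          # wait
```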


Copilot AI left a comment


Pull request overview

Adds a new Claude skill (/review-dep-pr) to guide a structured, multi-phase review workflow for dependency update PRs across multiple ecosystems (GitHub Actions, Python, Docker, npm), with changelog analysis and decision/execute steps.

Changes:

  • Introduces a new /review-dep-pr skill definition with a 7-phase dependency-update PR review pipeline.
  • Documents strategies for usage discovery, changelog/migration guide retrieval, and actionable recommendations.
  • Adds an (optional) docs-dependency validation phase that builds MkDocs with uv.


Comment on lines +86 to +87
# For GitHub-hosted deps, fetch releases in the version range
gh api repos/<owner>/<repo>/releases --paginate --jq '.[] | select(.tag_name >= "v<from>" and .tag_name <= "v<to>") | {tag: .tag_name, body: .body}'

Copilot AI Mar 12, 2026


The jq filter compares tag_name lexicographically (string compare), which will produce incorrect version ranges for tags like v2.10.0 vs v2.9.0, and won’t handle non-semver tags. Recommend fetching tags/bodies then doing semver-aware sorting/range filtering (e.g., sort -V on stripped v prefix or a small semver parser) before selecting releases in-range.

Suggested change
# For GitHub-hosted deps, fetch releases in the version range
gh api repos/<owner>/<repo>/releases --paginate --jq '.[] | select(.tag_name >= "v<from>" and .tag_name <= "v<to>") | {tag: .tag_name, body: .body}'
# For GitHub-hosted deps, fetch releases and sort by version (semver-aware)
gh api repos/<owner>/<repo>/releases --paginate --jq '.[] | {tag: .tag_name, body: .body}' \
| jq -r '.tag + "\t" + (.body // "")' \
| sort -t$'\t' -k1,1V

Comment on lines +139 to +142
# Checkout the PR branch
git fetch origin <pr-branch>
git checkout <pr-branch>


Copilot AI Mar 12, 2026


These checkout steps assume the PR branch exists on the origin remote. That’s not true for fork-based PRs (and the skill claims to support manual PRs), so docs-build validation can fail. Prefer gh pr checkout <number> (or fetching refs/pull/<number>/head) and capture/restore the previous branch explicitly.

- WebFetch
- WebSearch
- AskUserQuestion
- Agent

Copilot AI Mar 12, 2026


Phase 0 says to "Collect info for all PRs in parallel", but allowed-tools doesn’t include the Task tool that other skills use for parallelization. Either add Task to allowed-tools or adjust the instructions to be explicitly sequential to avoid an impossible/ambiguous step.

Suggested change
- Agent
- Agent
- Task


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/skills/review-dep-pr/SKILL.md:
- Around line 52-56: The markdown has lint failures: ensure each heading (e.g.,
"GitHub Actions dependencies" and other headings in
.claude/skills/review-dep-pr/SKILL.md) is surrounded by a blank line above and
below, ensure all fenced code blocks in the noted ranges (around lines 84-88,
151-160, 193-210, 223-245) have a blank line before/after the fence, and add
explicit language markers (e.g., ```bash, ```yaml, or ```text) to the fenced
examples currently missing language (reported at lines ~160, ~193, ~209); apply
these fixes consistently across the file so markdownlint passes.
- Around line 40-44: Update the step that infers "Bump type" from semver in the
PR body extraction logic so non-semver schemes (Docker tags, GitHub Action tags,
timestamps, commit SHAs, or any tag that fails semver parsing) are detected and
labeled explicitly (e.g., "non-semver" or "unknown") rather than guessed as
major/minor/patch; change the description under the bulleted list (the "Bump
type" line) to state that the system will attempt semver parsing and otherwise
mark the bump as non-semver, and add guidance that non-semver entries will not
trigger semver-specific flows (like the "major bump" migration guide) and should
be handled by alternate paths.
- Around line 85-88: The jq filter currently compares tag_name strings
lexicographically (select(.tag_name >= "v<from>" and .tag_name <= "v<to>")),
which fails for multi-digit semver parts; update the selection to be
semver-aware by stripping any leading "v" from .tag_name and .tag_name bounds,
splitting on "." and converting each part to numbers, then compare the numeric
arrays (e.g., compare major, minor, patch in order) to determine if a release
falls between the from/to range; reference .tag_name and the gh api releases
pagination in the command so the filter uses numeric component-wise comparison
instead of string comparison.
- Around line 138-153: The docs build step can fail and leave the workspace on
the PR branch because the current flow only runs git checkout - after the build;
change the script so you save the current branch/ref into a variable (before
running uv sync/uv run mkdocs build) and install an exit handler (trap) that
always restores that saved ref on EXIT; replace the final git checkout - with
restoring the saved ref via the exit handler so the original branch is restored
even when uv run mkdocs build or uv sync fails.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 850f5abb-0f67-411f-a959-38a5da50f4d0

📥 Commits

Reviewing files that changed from the base of the PR and between 67a3fe6 and 89ab7e9.

📒 Files selected for processing (1)
  • .claude/skills/review-dep-pr/SKILL.md
Comment on lines +85 to +88
```bash
# For GitHub-hosted deps, fetch releases in the version range
gh api repos/<owner>/<repo>/releases --paginate --jq '.[] | select(.tag_name >= "v<from>" and .tag_name <= "v<to>") | {tag: .tag_name, body: .body}'
```

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
python - <<'PY'
tags = ["v1.9.0", "v1.10.0", "v1.11.0"]
from_v = "v1.9.0"
to_v = "v1.11.0"

selected = [t for t in tags if t >= from_v and t <= to_v]
print("lexicographic selection:", selected)
print("expected semver-aware selection:", tags)
PY
```

Repository: Aureliolo/synthorg

Length of output: 155


Replace lexicographic tag filtering with semver-aware selection.

Line 87 compares tag_name strings directly using lexicographic comparison. Version strings like v1.10.0 sort before v1.9.0 lexicographically ('0' < '9'), causing the filter to select zero releases when the version range contains mixed digit widths. Use semantic versioning comparison instead.


🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/skills/review-dep-pr/SKILL.md around lines 85 - 88, The jq filter
currently compares tag_name strings lexicographically (select(.tag_name >=
"v<from>" and .tag_name <= "v<to>")), which fails for multi-digit semver parts;
update the selection to be semver-aware by stripping any leading "v" from
.tag_name and .tag_name bounds, splitting on "." and converting each part to
numbers, then compare the numeric arrays (e.g., compare major, minor, patch in
order) to determine if a release falls between the from/to range; reference
.tag_name and the gh api releases pagination in the command so the filter uses
numeric component-wise comparison instead of string comparison.
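A worked version of the semver-aware selection this comment asks for, as an added example that is not part of the PR or of the SKILL.md: it reads a constructed `gh api .../releases` payload, orders tags component-wise, reports tags it cannot order (the non-semver schemes the later commit handles separately), and shows the original lexicographic filter selecting nothing on the same input. `RELEASES_JSON`, the tag list and the function names are assumptions.

```python
"""Semver-aware release selection vs. the lexicographic jq filter (added example)."""
import json
import re
from typing import Optional

# Constructed sample of what `gh api repos/<owner>/<repo>/releases` returns,
# reduced to the two fields the jq filter keeps. The 1.9 -> 1.11 range has mixed
# digit widths, which is exactly the case string comparison mishandles.
RELEASES_JSON = json.dumps([
    {"tag_name": "v1.8.0", "body": "old"},
    {"tag_name": "v1.9.0", "body": "from"},
    {"tag_name": "v1.10.0", "body": "middle"},
    {"tag_name": "v1.11.0", "body": "to"},
    {"tag_name": "v1.11.1", "body": "too new"},
    {"tag_name": "nightly-2026-03-01", "body": "not semver"},
])

# Optional leading "v", major.minor[.patch], optional pre-release/build suffix.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_semver(tag: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) for vX.Y[.Z] tags, None for anything else.

    Pre-release/build suffixes are ignored for range purposes (assumption);
    Docker-style, SHA and date tags come back as None so the caller can say so.
    """
    m = _SEMVER.match(tag.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def lexicographic_selection(releases_json: str, from_v: str, to_v: str) -> list[str]:
    """What the original jq filter does: plain string comparison on tag_name."""
    tags = [r["tag_name"] for r in json.loads(releases_json)]
    return [t for t in tags if from_v <= t <= to_v]


def semver_selection(releases_json: str, from_v: str, to_v: str) -> tuple[list[str], list[str]]:
    """Numeric, component-wise selection of tags within [from_v, to_v].

    Returns (selected_tags, skipped_non_semver_tags): unorderable tags are
    reported rather than silently dropped, so the review can mention them.
    """
    lo, hi = parse_semver(from_v), parse_semver(to_v)
    if lo is None or hi is None:
        raise ValueError(f"range bounds must be semver: {from_v!r}, {to_v!r}")
    selected, skipped = [], []
    for release in json.loads(releases_json):
        tag = release["tag_name"]
        version = parse_semver(tag)
        if version is None:
            skipped.append(tag)
        elif lo <= version <= hi:
            selected.append(tag)
    # Tuple comparison orders (1, 9, 0) < (1, 10, 0) numerically, unlike the strings.
    selected.sort(key=parse_semver)
    return selected, skipped


if __name__ == "__main__":
    # Expected: lexicographic -> [], semver -> three tags plus one skipped tag.
    print("lexicographic:", lexicographic_selection(RELEASES_JSON, "v1.9.0", "v1.11.0"))
    print("semver:", semver_selection(RELEASES_JSON, "v1.9.0", "v1.11.0"))
```

The merged fix took the simpler route noted in the commit below (fetch every release, filter during analysis); the helper above is the explicit comparison that reasoning has to perform.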

…Copilot, and CodeRabbit

- Fix broken semver lexicographic comparison in jq filter (fetch all releases, filter in reasoning)
- Fix unsafe git checkout in Phase 4 (dirty-tree check, trap-based recovery, use gh pr checkout)
- Fix invalid gh pr checks --json field (state → status,conclusion)
- Add input validation on PR numbers and owner/repo extraction
- Handle non-semver version schemes (Docker tags, SHAs, dates)
- Add Renovate PR body format support alongside Dependabot
- Fill empty GitHub Actions search bash block with concrete example
- Require passing CI for batch "clean" merge eligibility
- Add fallback for gh pr merge --auto failures
- Add Task to allowed-tools for parallel processing consistency
- Add dirty-tree checks and Dependabot push notes to Phase 7
- Specify explicit gh pr checks --watch for CI verification
- Fix markdownlint: blank lines around headings/fences, language specifiers
- Add /review-dep-pr mention to CLAUDE.md Dependabot section

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/skills/review-dep-pr/SKILL.md:
- Around line 157-164: The current check uses `if [ -n "$(git status
--porcelain)" ]; then ... exit 1` which aborts the entire skill when the working
tree is dirty; change it to only skip the docs-build phase by returning/skipping
that step instead of exiting the whole script — locate the `git status
--porcelain` check and replace the `exit 1` behavior with a non-fatal skip
(e.g., log a warning and continue to subsequent phases or return from the
docs-build function) so other review-dep-pr stages still run.
- Around line 267-271: Update the Dependabot fallback instructions so they don't
claim you can repoint an existing PR's head: replace step 4's guidance to
"create a new branch from the Dependabot branch, push there, and update the PR
base" with instructions to create a new branch from the Dependabot branch, push
it, open a replacement PR from that new branch, and then link and close the
original Dependabot PR (or comment that it's replaced); similarly update the
"Fix CI and merge" flow to instruct opening a replacement PR rather than
attempting to change the PR head.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 809bda12-1a99-4800-b8f0-1f67415d4f88

📥 Commits

Reviewing files that changed from the base of the PR and between 89ab7e9 and ef129d7.

📒 Files selected for processing (2)
  • .claude/skills/review-dep-pr/SKILL.md
  • CLAUDE.md
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Greptile Review
🧰 Additional context used
🧠 Learnings (9)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Use `/pre-pr-review` to create PRs (runs automated checks + review agents + fixes before creating PR); use `/pre-pr-review quick` for trivial/docs-only changes
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Applies to docker/** : Docker images: build context from repo root (single `.dockerignore`), tagged with version from `pyproject.toml` + semver + SHA; pushed to GHCR; signed with cosign; only pushed after Trivy (CRITICAL = hard fail, HIGH = warn) + Grype scans pass; CVE triage via `.github/.trivyignore.yaml` and `.github/.grype.yaml`

Applied to files:

  • CLAUDE.md
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Applies to .github/workflows/**/*.yml : Security scanning: gitleaks workflow on push/PR + weekly schedule; zizmor static analysis of GitHub Actions workflows on push to main and PRs (SARIF upload to Security tab on push only)

Applied to files:

  • CLAUDE.md
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Applies to .github/workflows/**/*.yml : CI: Lint (ruff) + type-check (mypy) + test (pytest + coverage 80% min) run in parallel; ci-pass is gate; Pages workflow builds Astro + MkDocs, merges, deploys to GitHub Pages on main push; PR Preview builds on PRs and deploys to Cloudflare Pages

Applied to files:

  • CLAUDE.md
  • .claude/skills/review-dep-pr/SKILL.md
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Applies to .github/workflows/**/*.yml : Release workflow: Release Please auto-creates release PR on main pushes; merging creates git tag (`vX.Y.Z`) + GitHub Release with changelog; tag push triggers Docker workflow for version-tagged images

Applied to files:

  • CLAUDE.md
  • .claude/skills/review-dep-pr/SKILL.md
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Applies to docker/Dockerfile* : Dockerfile: 3-stage build (builder → setup → distroless runtime), Chainguard Python base, non-root (UID 65532), CIS-hardened; web uses `nginxinc/nginx-unprivileged` for SPA routing and API/WebSocket proxy

Applied to files:

  • CLAUDE.md
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Use `/pre-pr-review` to create PRs (runs automated checks + review agents + fixes before creating PR); use `/pre-pr-review quick` for trivial/docs-only changes

Applied to files:

  • .claude/skills/review-dep-pr/SKILL.md
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Never create a PR directly with `gh pr create` — use `/pre-pr-review` instead

Applied to files:

  • .claude/skills/review-dep-pr/SKILL.md
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Fix all valid code issues found by review agents — never skip or defer issues, including pre-existing issues in surrounding code and suggestions adjacent to PR changes

Applied to files:

  • .claude/skills/review-dep-pr/SKILL.md
🪛 LanguageTool
.claude/skills/review-dep-pr/SKILL.md

[uncategorized] ~48-~48: Did you mean the formatting language “Markdown” (= proper noun)?
Context: ...ase notes sections. Renovate uses a markdown table with `| Package | Type | Update |...

(MARKDOWN_NNP)


[uncategorized] ~67-~67: The official name of this software platform is spelled with a capital “H”.
Context: ...thub/workflows/ ``` Use Grep to search .github/workflows/ for the action name. Note w...

(GITHUB)


[grammar] ~122-~122: Please add a punctuation mark at the end of paragraph.
Context: ... document - Any "what's new in vN" blog post ### Analysis For each version in the ...

(PUNCTUATION_PARAGRAPH_END)


[style] ~149-~149: This word has been used in one of the immediately preceding sentences. Using a synonym could make your text more interesting to read, unless the repetition is intentional.
Context: ...ow be removed. 6. SECURITY: Does it affect our usage? What's the severity? ## Pha...

(EN_REPEATEDWORDS_AFFECT)


[style] ~205-~205: Consider using the typographical ellipsis character here instead.
Context: ...t control runner Node | None needed | | ... | ... | ... | ... | ... | ... | ### Re...

(ELLIPSIS)


[style] ~205-~205: Consider using the typographical ellipsis character here instead.
Context: ...rol runner Node | None needed | | ... | ... | ... | ... | ... | ... | ### Recommen...

(ELLIPSIS)


[style] ~205-~205: Consider using the typographical ellipsis character here instead.
Context: ...nner Node | None needed | | ... | ... | ... | ... | ... | ... | ### Recommendation...

(ELLIPSIS)


[style] ~205-~205: Consider using the typographical ellipsis character here instead.
Context: ...ode | None needed | | ... | ... | ... | ... | ... | ... | ### Recommendations Lis...

(ELLIPSIS)


[style] ~205-~205: Consider using the typographical ellipsis character here instead.
Context: ...None needed | | ... | ... | ... | ... | ... | ... | ### Recommendations List conc...

(ELLIPSIS)


[style] ~205-~205: Consider using the typographical ellipsis character here instead.
Context: ...eeded | | ... | ... | ... | ... | ... | ... | ### Recommendations List concrete a...

(ELLIPSIS)


[style] ~230-~230: Consider a different adjective to strengthen your wording.
Context: ..."Investigate first"** — Something needs deeper review before deciding (specify what) -...

(DEEP_PROFOUND)


[grammar] ~272-~272: Please add a punctuation mark at the end of paragraph.
Context: ...sing gh pr checks <number> --watch 6. Merge ### Fix CI and merge 1. Check out the...

(PUNCTUATION_PARAGRAPH_END)

🪛 markdownlint-cli2 (0.21.0)
.claude/skills/review-dep-pr/SKILL.md

[warning] 94-94: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

- Re-verify CI before fallback merge (--auto always fails in this repo)
- Dirty worktree: warn+skip docs build instead of exit 1 aborting entire skill
- Dependabot push fallback: open replacement PR instead of impossible PR head repoint
- Add --timeout 600 to all gh pr checks --watch calls to prevent indefinite hang
- Apply Dependabot fallback note to "Fix CI and merge" flow too
Copilot AI review requested due to automatic review settings March 12, 2026 07:38

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.




```bash
# Find all references to the action in workflow files
grep -r "<action-owner>/<action-name>" .github/workflows/
```

Copilot AI Mar 12, 2026


The example grep -r "<action-owner>/<action-name>" .github/workflows/ won’t produce line numbers (needed later for the usage summary) and treats the pattern as a regex, which can cause false matches (e.g., . in owner/name). Consider using a fixed-string search with line numbers (and ideally recursive) so the output is directly usable.

Suggested change
grep -r "<action-owner>/<action-name>" .github/workflows/
grep -RFn "<action-owner>/<action-name>" .github/workflows/

Comment on lines +165 to +178
```bash
# 2. Save current branch and set up cleanup trap
original_ref="$(git rev-parse --abbrev-ref HEAD)"
trap 'git checkout "$original_ref"' EXIT

# 3. Checkout the PR branch (gh pr checkout handles fetching automatically)
gh pr checkout <number>

# 4. Install deps and build
uv sync --group docs
uv run mkdocs build --strict 2>&1

# 5. Return to original branch (trap handles this even on failure)
trap - EXIT
git checkout "$original_ref"
```

Copilot AI Mar 12, 2026


In the docs-build snippet, original_ref="$(git rev-parse --abbrev-ref HEAD)" will be HEAD when the user starts in a detached HEAD state, so the cleanup checkout won’t reliably restore the original state. Also, the trap is cleared before the final git checkout, so if that checkout fails the session may be left on the PR branch with no EXIT cleanup. Consider capturing a symbolic ref (or commit SHA) and only clearing the trap after a successful restore checkout.


```text
## PR #<number>: <title>
**Package**: <name> | **Ecosystem**: <type> | **Bump**: <from> → <to> (<major/minor/patch>)
```

Copilot AI Mar 12, 2026


Phase 0 explicitly supports non-semver/unknown bumps and grouped updates, but the Phase 5 header template only allows (<major/minor/patch>) and a single **Package**: <name>. This can make the report format inconsistent for non-semver tags/digests or grouped PRs; consider updating the template to reflect non-semver/unknown and allow multiple packages in the header when applicable.

Suggested change
**Package**: <name> | **Ecosystem**: <type> | **Bump**: <from> → <to> (<major/minor/patch>)
**Package(s)**: <name or comma-separated names> | **Ecosystem**: <type> | **Bump**: <from> → <to> (<major/minor/patch/non-semver/unknown or mixed>)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/skills/review-dep-pr/SKILL.md:
- Around line 94-95: Add a blank line immediately after the Markdown heading
"### Strategy 1: PR body" so the heading is followed by an empty line (i.e.,
insert one newline between the heading line and the subsequent paragraph) to
satisfy markdownlint and prevent the lint failure.
- Around line 165-178: Change how original_ref is captured and restored: instead
of using git rev-parse --abbrev-ref HEAD directly, set original_ref using a
symbolic-ref fallback (e.g. use git symbolic-ref -q --short HEAD || git
rev-parse --verify HEAD) so you get a branch name when available or the commit
SHA otherwise; keep the trap 'git checkout "$original_ref"' but make the restore
conditional so you don't try to checkout the literal "HEAD" (ensure the cleanup
only runs when original_ref is non-empty and not the string "HEAD"). Update the
places referencing original_ref, the initial assignment and the trap/checkout
logic, so functions/variables from the diff (original_ref, trap, git checkout)
behave correctly in detached HEAD CI environments.
- Around line 279-280: Update both the "Respond to maintainer feedback" and "Fix
CI and merge" workflows so that after creating a replacement PR you switch
subsequent steps to operate on the replacement PR (not the original PR number)
and ensure the replacement PR is created via the /pre-pr-review command;
specifically, change the post-fallback steps that currently continue to
watch/merge the original <number> to instead capture the new replacement PR
ID/URL returned by the /pre-pr-review flow and use that for gh pr checks,
merging, and any follow-up actions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1442c41b-79af-4da6-95af-1a2639c70adf

📥 Commits

Reviewing files that changed from the base of the PR and between ef129d7 and b7e5936.

📒 Files selected for processing (1)
  • .claude/skills/review-dep-pr/SKILL.md
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Agent
  • GitHub Check: Greptile Review
🧰 Additional context used
🧠 Learnings (6)
📚 Learning: 2026-03-11T22:22:01.831Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-11T22:22:01.831Z
Learning: Preserve existing `Closes `#NNN`` references in PR issue references — never remove unless explicitly asked

Applied to files:

  • .claude/skills/review-dep-pr/SKILL.md
🪛 LanguageTool
.claude/skills/review-dep-pr/SKILL.md


[style] ~279-~279: This sentence is over 40 words long. Consider splitting it up, as shorter sentences make the text easier to read.
Context: ...t pushes depending on repo permissions. If push fails, create a new branch with your changes, push that branch, open a replacement PR targeting the original base branch, link to the original PR in the description, and close the original Dependabot PR with a comment pointing to the replacement. 5. Wait for CI to pass using `gh pr che...

(TOO_LONG_SENTENCE)


[grammar] ~281-~281: Please add a punctuation mark at the end of paragraph.
Context: ...ed rather than hanging indefinitely) 6. Merge ### Fix CI and merge 1. Check out the...

(PUNCTUATION_PARAGRAPH_END)


🔇 Additional comments (1)
.claude/skills/review-dep-pr/SKILL.md (1)

257-263: Use valid gh pr checks fields; conclusion and status don't exist in this command.

The original code and suggested fix both reference non-existent fields. gh pr checks --json supports bucket, state, name, and others—not conclusion or status. Use the bucket field (which already groups checks as pass, fail, pending, skipping, cancel):

Corrected approach:

```bash
gh pr checks <number> --json name,bucket --jq '.[] | select(.bucket == "fail")'
```

To wait for pending checks instead of treating them as failures:

```bash
gh pr checks <number> --json name,bucket --jq '.[] | select(.bucket != "pass" and .bucket != "skipping")'
```

> Likely an incorrect or invalid review comment.

Comment on lines +279 to +280
4. Push to the PR branch. **Note:** Dependabot branches may reject pushes depending on repo permissions. If push fails, create a new branch with your changes, push that branch, open a replacement PR targeting the original base branch, link to the original PR in the description, and close the original Dependabot PR with a comment pointing to the replacement.
5. Wait for CI to pass using `gh pr checks <number> --watch --timeout 600` (10-minute timeout — if it expires, warn the user that CI may be stuck and ask how to proceed rather than hanging indefinitely)

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
cat -n .claude/skills/review-dep-pr/SKILL.md | sed -n '275,295p'
```

Repository: Aureliolo/synthorg

Length of output: 1524


Switch the workflow to the replacement PR after the Dependabot fallback, and use /pre-pr-review for replacement PR creation.

Steps 5–6 cannot continue watching and merging using the original <number> once step 4 creates a replacement PR—that reference becomes invalid. Additionally, the replacement PR must be created via /pre-pr-review, not a direct command, per repo requirements.

The fix applies to both fallback paths: the "Respond to maintainer feedback" workflow (lines 279–281) and the "Fix CI and merge" workflow (lines 288–289).

Suggested updates

Lines 279–281:

-4. Push to the PR branch. **Note:** Dependabot branches may reject pushes depending on repo permissions. If push fails, create a new branch with your changes, push that branch, open a replacement PR targeting the original base branch, link to the original PR in the description, and close the original Dependabot PR with a comment pointing to the replacement.
-5. Wait for CI to pass using `gh pr checks <number> --watch --timeout 600` (10-minute timeout — if it expires, warn the user that CI may be stuck and ask how to proceed rather than hanging indefinitely)
-6. Merge
+4. Push to the PR branch. **Note:** Dependabot branches may reject pushes depending on repo permissions. If push fails, create a new branch with your changes, use `/pre-pr-review` to open a replacement PR targeting the original base branch, link to the original PR in the description, close the original Dependabot PR with a comment pointing to the replacement, and use the replacement PR for all remaining steps.
+5. Wait for CI to pass on the replacement PR using `gh pr checks <replacement-pr-number> --watch --timeout 600` (10-minute timeout — if it expires, warn the user that CI may be stuck and ask how to proceed rather than hanging indefinitely)
+6. Merge the replacement PR
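Review bot: the `+4.` line tells the skill to "use the replacement PR for all remaining steps" and step 5 then references `<replacement-pr-number>`, but nothing in the hunk says where that number comes from, so an agent following the text has to guess. Suggest adding, right after the `/pre-pr-review` call, a capture such as `gh pr view --json number --jq .number` run on the new branch, and reusing that value in steps 5 and 6.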

Lines 288–289:

-4. Commit and push (same Dependabot fallback applies — if push fails, open a replacement PR)
-5. Wait for CI to pass using `gh pr checks <number> --watch --timeout 600` (10-minute timeout — if it expires, warn the user that CI may be stuck and ask how to proceed rather than hanging indefinitely)
+4. Commit and push (same Dependabot fallback applies — if push fails, use `/pre-pr-review` to open a replacement PR, and use the replacement PR for all remaining steps)
+5. Wait for CI to pass on the active PR using `gh pr checks <active-pr-number> --watch --timeout 600` (10-minute timeout — if it expires, warn the user that CI may be stuck and ask how to proceed rather than hanging indefinitely)
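Review bot: the placeholder for the same value differs between the two flows, `<replacement-pr-number>` in the first hunk's step 5 versus `<active-pr-number>` here; use one name in both so the skill resolves it the same way. The `+4.` line here also only says "same Dependabot fallback applies", so state that this includes linking to and closing the original Dependabot PR, otherwise the shorter flow leaves the original PR open next to the replacement.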


- grep -r → grep -RFn for fixed-string match with line numbers
- Handle detached HEAD: use git symbolic-ref fallback for branch restore
- Phase 5 header template: support non-semver and grouped PRs
- Track replacement PR number in both Dependabot fallback paths
- Add missing blank line after "Strategy 1: PR body" heading (markdownlint)
@Aureliolo Aureliolo merged commit 56f6565 into main Mar 12, 2026
10 of 11 checks passed
@Aureliolo Aureliolo deleted the feat/review-dep-pr-skill branch March 12, 2026 07:46
Comment on lines +258 to +264
1. Re-verify CI is passing right before merge (time may have passed since Phase 5):

```bash
gh pr checks <number> --json name,conclusion --jq '.[] | select(.conclusion != "success" and .conclusion != "skipped")'
```

If any checks are not passing, inform the user and switch to the "Fix CI and merge" flow instead.

In-progress checks incorrectly flagged as failed

The jq filter treats checks with a null conclusion (still running) as failures. In jq, null != "success" evaluates to true, so any in-progress check will be selected and the skill will tell the user to "switch to the Fix CI and merge flow" when CI is simply still running — not broken.

This means a fast execution of Phase 7 (right after a push or rebase triggered new CI runs) would always incorrectly redirect to a remediation path that doesn't apply.

The filter should require the check to be completed before evaluating its conclusion:

Suggested change (original, then replacement):

1. Re-verify CI is passing right before merge (time may have passed since Phase 5):

```bash
gh pr checks <number> --json name,conclusion --jq '.[] | select(.conclusion != "success" and .conclusion != "skipped")'
```

If any checks are not passing, inform the user and switch to the "Fix CI and merge" flow instead.

```bash
gh pr checks <number> --json name,status,conclusion --jq '.[] | select(.status == "completed" and .conclusion != "success" and .conclusion != "skipped")'
```

If any completed checks have not passed, inform the user and switch to the "Fix CI and merge" flow instead. If checks are still in-progress, wait for them to complete before deciding.

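To make the failure mode in this review concrete, here is an added Python model (not part of the review-dep-pr skill or this PR) of the two jq filters, run over constructed check records shaped like the name/status/conclusion fields the thread refers to. It also adds a hypothetical three-way gate that separates "still running" from "failed", which the thread argues for but does not spell out.

```python
"""Model of the original and suggested jq filters from the review thread.

Added example, not part of the review-dep-pr skill. The check records are
constructed to mirror the name/status/conclusion fields used in the thread;
an unfinished check has status "in_progress" or "queued" and conclusion
null (None in Python).
"""

# Constructed sample: what a fresh CI run looks like right after a push.
SAMPLE_CHECKS = [
    {"name": "lint", "status": "completed", "conclusion": "success"},
    {"name": "docs", "status": "completed", "conclusion": "skipped"},
    {"name": "tests", "status": "in_progress", "conclusion": None},
    {"name": "build", "status": "queued", "conclusion": None},
]


def naive_failures(checks):
    """Original filter: select(.conclusion != "success" and .conclusion != "skipped").

    Like jq, Python treats None as not equal to any string, so every
    unfinished check is selected as if it had failed.
    """
    return [c["name"] for c in checks
            if c["conclusion"] != "success" and c["conclusion"] != "skipped"]


def completed_failures(checks):
    """Suggested filter: additionally require .status == "completed"."""
    return [c["name"] for c in checks
            if c["status"] == "completed"
            and c["conclusion"] != "success"
            and c["conclusion"] != "skipped"]


def merge_gate(checks):
    """Hypothetical Phase 7 decision: 'merge', 'fix-ci' or 'wait'.

    A completed failure wins over pending checks, so a real failure is
    reported even while other jobs are still running.
    """
    if completed_failures(checks):
        return "fix-ci"
    if any(c["status"] != "completed" for c in checks):
        return "wait"
    return "merge"


if __name__ == "__main__":
    print("naive filter flags:", naive_failures(SAMPLE_CHECKS))
    print("completed-only flags:", completed_failures(SAMPLE_CHECKS))
    print("decision:", merge_gate(SAMPLE_CHECKS))
```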

Comment on lines +174 to +175
uv sync --group docs
uv run mkdocs build --strict 2>&1
`uv sync` without `--frozen` may modify the lock file

`uv sync --group docs` without `--frozen` allows uv to update `uv.lock` if it determines the current lock is out of sync. Running this on a checked-out Dependabot branch risks creating uncommitted lock-file changes that linger in the working tree even after `git checkout "$original_ref"` restores the code — because `uv sync` modifies `uv.lock` as a side effect, and `git checkout` won't revert that change unless it was itself part of the checkout.

Using `--frozen` ensures the lock file is treated as the source of truth and never modified:

Suggested change

Before:

```bash
uv sync --group docs
uv run mkdocs build --strict 2>&1
```

After:

```bash
uv sync --group docs --frozen
```

Aureliolo added a commit that referenced this pull request Mar 12, 2026
🤖 I have created a release *beep* *boop*
---

## [0.1.2](v0.1.1...v0.1.2) (2026-03-12)

### Features

* add /review-dep-pr skill for dependency update PR review ([#315](#315)) ([56f6565](56f6565))
* add static OpenAPI reference page with Scalar UI ([#319](#319)) ([77cdbcc](77cdbcc))

### Bug Fixes

* correct API reference link path in rest-api.md ([#320](#320)) ([3d08f92](3d08f92))

### CI/CD

* bump actions/setup-node from 4.4.0 to 6.3.0 ([#311](#311)) ([3c99d6f](3c99d6f))
* bump actions/setup-python from 5.6.0 to 6.2.0 ([#312](#312)) ([3273553](3273553))
* bump astral-sh/setup-uv from 6.0.1 to 7.4.0 ([#310](#310)) ([b63cee7](b63cee7))

### Maintenance

* bump mkdocstrings[python] from 0.29.1 to 1.0.3 ([#314](#314)) ([d46ccad](d46ccad))
* bump the minor-and-patch group with 2 updates ([#313](#313)) ([6337ae4](6337ae4))
* improve review-dep-pr skill and add Codecov Test Analytics ([#317](#317)) ([eb5782e](eb5782e))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).