fix: resolve PR review comments on property naming and permissions#251
Merged
Conversation
24 tasks
…orkflow permissions Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add automated PR maintenance script with security validation
fix: resolve PR review comments on property naming and permissions
Dec 22, 2025
rjmurillo
approved these changes
Dec 22, 2025
| if ($pr.mergeable -eq 'CONFLICTING') { | ||
| Write-Log "PR #$($pr.number) has merge conflicts - attempting resolution" -Level ACTION | ||
| $resolved = Resolve-PRConflicts -Owner $Owner -Repo $Repo -PRNumber $pr.number -BranchName $pr.headRefName -DryRun:$DryRun | ||
| $resolved = Resolve-PRConflicts -Owner $Owner -Repo $Repo -PRNumber $pr.number -BranchName $pr.head -DryRun:$DryRun |
There was a problem hiding this comment.
Property $pr.head doesn't exist, jq transform never applied
The change from $pr.headRefName to $pr.head is based on an incorrect assumption. While a $jq variable at line 366 defines a transformation that would rename headRefName to head, this variable is never actually used—the gh pr list command doesn't include --jq "$jq" and line 374 just converts the raw JSON directly. The PR objects still have headRefName as the property name, so $pr.head will be $null, causing Resolve-PRConflicts to receive an empty branch name.
rjmurillo
added a commit
that referenced
this pull request
Dec 23, 2025
…(ADR-015) (#249) * docs: add session 64 log (PR #242 review) Session log for PR review response workflow. Completed: - Improved .gitattributes documentation (commit 6a1cc7c) - Replied to all 4 rjmurillo comments Pending: - Token algorithm decision (awaiting response) - Pester tests implementation Session-Type: PR-Review PR: #242 * docs(devops): comprehensive PR automation script review and workflow design - Conducted full operationalization review of scripts/Invoke-PRMaintenance.ps1 - Analyzed scheduling, CI/CD integration, monitoring, logging, security - Designed GitHub Actions workflow for hourly PR maintenance - Identified critical P0 recommendations (concurrency, rate limits, alerts) - Created .github/workflows/pr-maintenance.yml with production-ready config - Documented performance targets, 12-factor compliance, operational runbook - Session 64: DevOps review deliverables Review artifacts: - .agents/devops/pr-automation-script-review.md (comprehensive review) - .github/workflows/pr-maintenance.yml (hourly automation workflow) - .agents/sessions/2025-12-22-session-64-pr-automation-devops-review.md Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(session): update session 64 with canonical checklist format - Add canonical Session End checklist per SESSION-PROTOCOL.md - Document all deliverables and evidence - Mark N/A items with justification (no feature code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(qa): validate PR maintenance workflow pre-deployment - Infrastructure QA: YAML syntax, security, error handling validation - Validates GitHub Actions workflow before deployment - Documents 4-phase test plan (syntax, dry-run, live, scheduled) - All criteria PASS: SHA pins, permissions, concurrency, cleanup - Update session 64 log with QA report reference QA artifacts: - .agents/qa/pr-automation-workflow-validation.md (comprehensive validation) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore: add .agents/logs to .gitignore - PR maintenance script creates runtime logs in .agents/logs/ - Logs are artifacts and should not be committed - Consistent with other agent scratch directories Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(automation): add PR maintenance script and tests - Hourly PR automation: acknowledge bot comments, resolve conflicts, close superseded PRs - Safety features: dry-run mode, protected branch check, worktree isolation - Comprehensive error handling and logging - Pester test suite for reliability validation Script capabilities: - Acknowledge unacknowledged bot comments (eyes reaction) - Auto-resolve HANDOFF.md merge conflicts - Close PRs superseded by merged PRs - Report blocked PRs (CHANGES_REQUESTED) Exit codes: - 0: Success - 1: Partial (some blocked) - 2: Error Related artifacts: - .agents/devops/pr-automation-script-review.md (operationalization review) - .github/workflows/pr-maintenance.yml (GitHub Actions workflow) - .agents/qa/pr-automation-workflow-validation.md (QA validation) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(session): update session 64 final commit SHA - Update commit SHA to 8652a3f (PR automation script + tests) - All session artifacts committed and validated Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(session): mark validation PASSED for session 64 - Session end validation completed successfully (exit 0) - All protocol requirements met - All artifacts committed and verified Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(security): implement P0 security fixes for PR automation script (ADR-015) Addresses 6 critical security issues identified by multi-agent review: P0 Fixes Implemented: 1. Branch name validation - prevents command injection via Test-SafeBranchName 2. Worktree path validation - prevents path traversal via Get-SafeWorktreePath 3. Concurrency lock - prevents race conditions via Enter-ScriptLock/Exit-ScriptLock 4. Int64 CommentId - fixes overflow bug (GitHub IDs exceed Int32.MaxValue) 5. Workflow concurrency - already implemented (concurrency: group: pr-maintenance) 6. Rate limit pre-flight - prevents API exhaustion via Test-RateLimitSafe Agent Review Summary: - Architect: Created ADR-015 reconciling 5 agent reviews (roadmap, critic, security, devops, qa) - High-Level-Advisor: Challenged timeline (1 week -> 2 weeks), promoted rate limit to P0 - Critic: APPROVED all 6 P0 fixes after implementation review Files: - scripts/Invoke-PRMaintenance.ps1: +170 lines (security validation region) - .agents/architecture/ADR-015-pr-automation-reconciliation.md: Phase 1/2/3 prioritization - .agents/sessions/2025-12-22-session-65-adr-015-reconciliation.md: Session log 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * test(adr-015): add 68 Pester tests for security validation functions Phase 1B - Add comprehensive Pester tests for ADR-015 P0 security fixes: Test-SafeBranchName (47 tests): - Empty/whitespace validation (5 tests) - Hyphen prefix prevention (6 tests) - Path traversal prevention (5 tests) - Control character detection (6 tests) - Git special character detection (8 tests) - Shell metacharacter detection (11 tests) - Valid branch name acceptance (7 tests) Get-SafeWorktreePath (7 tests): - Input validation (5 tests) - Path traversal prevention (2 tests) Enter-ScriptLock/Exit-ScriptLock (5 tests): - Lock acquisition and release - Stale lock detection (>15 min) - Concurrent execution prevention Test-RateLimitSafe (6 tests): - API response handling - Fail-open behavior on errors - Default minimum threshold Add-CommentReaction Int64 (2 tests): - Large comment ID support (exceeds Int32.MaxValue) Also adds dot-source guard to prevent script execution during testing. ADR-015 Phase 1B confirmation criteria progress: - [x] Pester tests pass for validation functions (68 tests, all PASS) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(adr-015): fix bugs and add rollback procedure Fixes: - Use $pr.headRefName instead of $pr.head (field name mismatch) - Replace empty strings in Write-Log with "---" separators Docs: - Add comprehensive rollback procedure for PR maintenance automation - Document 5 rollback levels from workflow disable to full removal - Include recovery procedures for specific failure scenarios ADR-015 Phase 1B complete: - [x] Pester tests pass (68 tests) - [x] Security agent approval - [x] Rollback procedure documented - [x] Integration test with DryRun (4.5s, exit 1 for blocked PRs) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * docs(adr-015): update Phase 1 completion status Mark completed Phase 1 criteria: - [x] All 6 fixes implemented (Session 65) - [x] Pester tests pass (68 tests, Session 66) - [x] Integration test passed (4.5s, Session 66) - [x] Security agent approval (Session 66) - [x] Rollback procedure documented (Session 66) Remaining: - [ ] 24-hour DryRun deployment monitoring 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: resolve PR review comments on property naming and permissions (#251) * Initial plan * fix: address PR review comments - property naming, comment clarity, workflow permissions Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * Address PR #249 review feedback: restructure ADR, fix rate limiting, slim workflow (#253) * Initial plan * refactor: restructure ADR-015 into focused architectural decisions + supporting documents - Extract true architectural decisions into streamlined ADR-015 - Move security analysis to SR-002 security review - Move implementation plan to planning directory - Update workflow: DryRun=true default, BOT_PAT, remove ephemeral cleanup - Increase timeout to 45min (realistic for PRs with many comments) - Remove version/date footers (git tracks this) - Add proper markdown links between documents Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * feat: implement multi-resource rate limiting with resource-specific thresholds - Update Test-RateLimitSafe to check core, search, code_search, and graphql resources - Set resource-specific thresholds: search=15 (50% of 30), code_search=5 (50% of 10) - Update workflow rate limit check to display table of all resources - Address feedback: static 200 threshold inappropriate for resources with limits <30 - Implements ADR-015 Decision 2: Multi-Resource Rate Limiting Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * docs(analysis): comprehensive PR #249 review comment analysis Analyzed 59 review comments (corrected from initial 47 estimate) across 4 reviewers with priority categorization and implementation strategy. Priority Breakdown: - P0 (Critical): 3 cursor[bot] HIGH severity bugs (BLOCKING) - Hardcoded main branch in conflict resolution - Scheduled runs bypass DryRun safety mode - Protected branch check blocks automation - P1 (High): 4 critical bugs requiring immediate fix - P2 (Medium): 47 comments (selective addressing) - P3 (Low): 5 gemini code quality (defer to follow-up) Key Insights: - All 6 cursor[bot] comments verified as real bugs (100% actionability) - ~15 of 42 rjmurillo comments are @copilot-directed (not for us) - P0 issues violate ADR-015 requirements and break automation - Estimated 2 hours for P0-P1 fixes Analysis artifacts saved to .agents/pr-comments/PR-249/ (gitignored): - analysis.md: Comprehensive analysis with grouped issues - analyzed-comments.json: Structured data for automation - analyze-comments.py: Reusable analysis script - raw-comments.json: Full comment data Session: .agents/sessions/2025-12-22-session-68-pr-249-comment-analysis.md 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: address P0-P1 cursor[bot] review comments on PR #249 P0 Critical Fixes (BLOCKING MERGE): - Use PR target branch (baseRefName) instead of hardcoded 'main' in Resolve-PRConflicts to support non-main base branches - Default dry_run to true for scheduled runs (ADR-015 safety requirement) - Allow protected branch check to pass in CI environment (GITHUB_ACTIONS) P1 High Priority Fixes: - Add GH_TOKEN env var to workflow summary step for rate_limit API call - Capture and log rate limit reset time for smarter scheduling - Check $LASTEXITCODE after git push to detect failures - Fix Test-RateLimitSafe tests to use correct multi-resource API format Test improvements: - Update rate limit tests to match actual function signature (no -MinimumRemaining param, uses $ResourceThresholds hashtable) - Fix try/finally regex test to handle multiline content 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs: update session 67 log with PR #249 fix implementation - Document all 7 P0-P1 fixes implemented in commit 52ce873 - Record all 7 in-thread replies posted to cursor[bot] comments - Note pre-existing test failures (unrelated to changes) - Add learnings about PowerShell scope qualifiers and Pester patterns 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs(session): add session 69 - PR #249 P2 review analysis Analyzed 4 targeted P2 review comments for PR #249: - Permission inconsistency: NOT A BUG (workflow has contents: write) - Property naming (headRefName vs pr.head): NOT A BUG (intentional jq alias) - File-based lock vs ADR-015: VALID (redundant, recommend follow-up cleanup) - Escape character typo: NOT A BUG (valid PowerShell escape sequence) Posted 5 clarifying replies to PR review threads. No code changes required. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * Refactor PR maintenance to reuse GitHub skill PowerShell and drop auto-close (#256) * Initial plan * feat: address PR #249 review feedback - DRY PowerShell, GitHub runner detection, drop auto-close - Add reusable GitHub skill scripts: New-Issue.ps1, Post-PRComment.ps1, Close-PR.ps1 - Update workflow to use PowerShell scripts for issue creation (DRY principle) - Add missing GH_TOKEN env var to "Post summary" step for rate limit check - Update footer text to use PR Maintenance link format - Detect GitHub Actions runner environment to skip worktree isolation - Replace superseded PR auto-close with informational logging (like CodeRabbit) - Document retention period alignment with operational logs - Fix PowerShell string interpolation for rate limit violations - Add note about bot comment logic referencing agent config files Addresses comments: - 2641261115, 2641274255: Footer text updates - 2641270041: Add GH_TOKEN, DRY rate limit check - 2641272016, 2641277796: Reuse PowerShell for issue creation - 2641276732: Document retention period COGS alignment - 2641284272: Detect GitHub runner, skip worktree when not needed - 2641287744: Use GitHub PowerShell for git operations - 2641294198: Drop auto-close, log similar PRs instead - 2641294760, 2641295117: Use GitHub PowerShell for PR operations - 2641298930: Add note about agent config reference Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * test: update Invoke-PRMaintenance.Tests.ps1 for new function signatures - Replace Test-PRSuperseded/Close-SupersededPR tests with Get-SimilarPRs tests - Add Test-IsGitHubRunner function tests - Update Test-RateLimitSafe tests for multi-resource thresholds - Note: Some pre-existing test failures remain (LASTEXITCODE mock issues) Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * fix: remove duplicate Post-PRComment, use existing Post-PRCommentReply in Close-PR - Remove .claude/skills/github/scripts/pr/Post-PRComment.ps1 (duplicate of Post-PRCommentReply.ps1) - Update Close-PR.ps1 to use existing Post-PRCommentReply.ps1 instead of inline gh pr comment - Improve documentation in Get-PRComments and Get-UnacknowledgedComments to clarify workflow cohesion Addresses review comments: - 2641380365: Use existing PowerShell for posting comments - 2641388267: Remove duplicate, use Post-PRCommentReply.ps1 - 2641392312: Document cohesion of PR comment functions Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * fix: use explicit variable interpolation syntax in Close-PR.ps1 - Use ${Variable} syntax instead of $Variable for PR numbers and repo paths - Consistent with Resolve-PRReviewThread.ps1 pattern - More explicit and avoids potential parsing ambiguity Addresses review comment 2641382083 Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> * fix: correct issue number regex pattern in New-Issue.ps1 Fixes cursor[bot] HIGH severity bug (comment 2641394603): - Changed regex from '#(\d+)' to 'issues/(\d+)' - Matches actual gh CLI output format (URL: https://github.com/owner/repo/issues/123) - Prevents exit code 3 failures in workflow alert/notification steps Also adds session 70 log documenting: - Merge conflict resolution (feat/dash-script into copilot/sub-pr-249) - Verification of Copilot's work on 4 rjmurillo comments (all ✅) - cursor[bot] bug fix (this commit) Addresses: PR #256 review comment 2641394603 Part of: Session 70 Option A (resolve conflicts + verify work) --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: rjmurillo-bot <rjmurillo-bot@users.noreply.github.com> Co-authored-by: Copilot <copilot@github.com> * chore: PR #249 session 71 - complete comment acknowledgment Session 71 work: - Added eyes reactions to all 67 top-level comments (Phase 2 BLOCKING GATE satisfied) - Verified sessions 67-69 addressed all bot feedback - pr-comment-responder workflow complete; human review approval pending Evidence: - 67/67 top-level comments acknowledged - Sessions 67-69: 12 replies posted, 7 P0-P1 fixes implemented - Review state: CHANGES_REQUESTED from human reviewer 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs(retrospective): comprehensive PR #249 review analysis Root Cause Analysis: - Identified 4 patterns causing P0-P1 misses (cross-cutting concerns, fail-safe logic, test-implementation drift, logging gaps) - All 7 P0-P1 issues were cursor[bot] findings (100% actionability) Reviewer Statistics Updated: - cursor[bot]: 28/30 verified (95%+), approaching skip-analysis threshold - Copilot: 21% actionability on PR #249 (declining from 35%) - gemini-code-assist[bot]: 20% actionability (stable) Skills Extracted: - Skill-PR-249-001: Scheduled workflow fail-safe default - Skill-PR-249-002: PowerShell LASTEXITCODE check pattern - Skill-PR-249-003: CI environment detection - Skill-PR-249-004: Workflow step environment propagation - Skill-PR-249-005: Parameterize branch references Memory Updates: - cursor-bot-review-patterns: Added PR #249 patterns 8-9 - copilot-pr-review-patterns: Added PR #249 analysis - pr-comment-responder-skills: Updated cumulative statistics - skills-pr-validation-gates: NEW pre-PR checklist template Refs: PR #249, Session 72 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore(skillbook): validate PR #249 skills and update reviewer stats - Validated 5 skills from PR #249 retrospective (avg atomicity 94.8%) - Updated cursor[bot] stats: 28/28 verified (100%, 93% to skip-analysis) - Updated Copilot trend: declining to 21% actionability - Updated pr-comment-responder cumulative stats - Added pattern 10 to cursor-bot-review-patterns - Zero duplicates found across skill memories 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix(pr-maintenance): address cursor[bot] and ADR-015 compliance issues - Add LASTEXITCODE reset in test mocks for Get-OpenPRs (cursor[bot] #2641455674) - Add LASTEXITCODE check in Get-SimilarPRs to handle API errors (cursor[bot] #2641455676) - Convert Enter-ScriptLock and Exit-ScriptLock to no-ops per ADR-015 Decision 1 - Fix PowerShell variable parsing for PR number in error messages - Update tests to reflect ADR-015 no-op lock behavior Addresses review comments from PR #249 session 74. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * docs: add session 74 log for PR #249 new comments Documents review of 8 new comments added since session 71: - 2 cursor[bot] P0 issues (fixed) - 1 human ADR compliance request (fixed) - 5 Copilot P2 documentation suggestions (deferred) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: rjmurillo-bot <rjmurillo-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: rjmurillo <6811113+rjmurillo@users.noreply.github.com> Co-authored-by: Copilot <copilot@github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses three issues from bot review of PR #249:
Property reference inconsistency
$pr.headRefNamebut jq transformation at line 366 renames it tohead$pr.headfor consistency with actual JSON structureWorkflow permissions insufficient
contents: readcontents: writeto enable automated conflict resolutionTest comment clarity
\a` is PowerShell escape sequence for bell character (0x07)💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.