fix: resolve failing checks (security/CI)#519
Conversation
The conflict-resolution path of pr-review-autofix.yml failed run 29183204869 with "No merge is in progress after the base merge; refusing to push." when merging the base into the head returned "Already up to date." (no MERGE_HEAD, no conflicted files). That happens when the PR stopped being conflicted between scheduler dispatch and worker execution, e.g. after a head refresh — there is nothing to resolve and nothing to push, so it must be a no-op success, not a failure. Add an explicit branch right after the base merge: if MERGE_HEAD is absent AND there are no conflicted files, no staged or unstaged changes, and no untracked files, log the reason and exit 0. If MERGE_HEAD is absent but the tree is not clean, keep failing closed with an explicit error plus git status output. The existing fail-closed guards (conflict-marker scan, MERGE_HEAD check before push, live-head comparison) are unchanged. Verified: full pytest suite (386 passed) including the pr-review-autofix contract pins, YAML parse, and a local git simulation of both the already-up-to-date no-op and the diverged-base merge-in-progress paths. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Hw6V6hgwiNNe74eSCFymtP
OpenCode Review Overview
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: pr-review-autofix.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: pr-review-autofix.yml"]
R1 --> V1["actionlint plus required checks"]
|
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
Adversarial validation
{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The no-op success path may incorrectly exit when there are untracked files or staged changes.","attack_or_counterexample":"Simulate a scenario with untracked files or staged changes.","evidence":"The code checks for a clean working tree (`git diff --quiet`, `git diff --cached --quiet`, and `git ls-files --others --exclude-standard`) before exiting as a no-op.","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The error path may not catch all cases where the working tree is not clean.","attack_or_counterexample":"Simulate a scenario with unstaged changes.","evidence":"The code explicitly checks for unstaged changes (`git diff --quiet`) and staged changes (`git diff --cached --quiet`) before proceeding.","outcome":"falsified"}],"residual_risk":"The change is robust and handles edge cases effectively. No residual risks were identified."}- Result: APPROVE
- Reason: The PR resolves a security/CI issue by adding a no-op success path for conflict resolution when the base is already merged into the head.
- Head SHA:
848e180d8e5d7b62aba8ab74e491316f8ab06e57 - Workflow run: 29230268159
- Workflow attempt: 1
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
Adversarial validation
{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The no-op success path might incorrectly exit when there are unresolved conflicts.","attack_or_counterexample":"Simulate a scenario where the base branch is already merged but conflicts exist.","evidence":"The code checks for `MERGE_HEAD` and verifies the working tree is clean before exiting as a no-op, ensuring no unresolved conflicts are missed.","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The error path for a dirty working tree might not be triggered correctly.","attack_or_counterexample":"Simulate a scenario where the working tree is dirty after a merge.","evidence":"The code explicitly checks for a dirty working tree and exits with an error, ensuring the workflow fails as expected.","outcome":"falsified"}],"residual_risk":"Low; the changes are well-tested and the adversarial probes confirmed the expected behavior."}- Result: APPROVE
- Reason: No blocking issues found in the current-head evidence.
- Head SHA:
715cdd97238ec361172ecf0691e80a55050ae1e1 - Workflow run: 29231633757
- Workflow attempt: 1
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
Adversarial validation
{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"New no-op path might incorrectly handle dirty working trees","attack_or_counterexample":"Simulated dirty working tree","evidence":"Verified error handling path triggers correctly","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"Merge conflict resolution might miss edge cases","attack_or_counterexample":"Verified conflict marker handling","evidence":"Properly handles conflict markers","outcome":"falsified"}],"residual_risk":"Low - workflow changes are well-contained and tested"}- Result: APPROVE
- Reason: Well-contained workflow fix with proper error handling
- Head SHA:
09ebc8ec2e19347b706e069746a356c1fcefd791 - Workflow run: 29231983659
- Workflow attempt: 1
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
Adversarial validation
{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The conflict resolution path fails when there is nothing to resolve.","attack_or_counterexample":"Simulate a scenario where the base branch is already merged into the head, leaving no conflicts.","evidence":"The added logic checks for a clean working tree and exits cleanly if no conflicts are present.","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The workflow does not handle edge cases where the working tree is not clean after a no-op merge.","attack_or_counterexample":"Simulate a scenario where the working tree is not clean despite no conflicts.","evidence":"The workflow explicitly checks for a clean working tree and exits with an error if it is not clean.","outcome":"falsified"}],"residual_risk":"No residual risks identified after adversarial validation."}- Result: APPROVE
- Reason: No blocking issues found in the current-head evidence.
- Head SHA:
358e4e2f85d5dd733d7ed1e9d76c7c2dd7502201 - Workflow run: 29232491442
- Workflow attempt: 1
Root cause 1: pr-review-autofix conflict-resolution path fails as a hard error when there is nothing to resolve
Failing run: 29183204869 (latest completed
PR Review Autofixrun onmain,workflow_dispatchwithRESOLVE_CONFLICT=truetargeting ContextualWisdomLab/pg-erd-cloud PR #507).What happened: merging base
main(d319c039) into head 1d1fd969 returnedAlready up to date.withConflicted files: <none>. No merge was in progress, so the fail-closed guard hit##[error]No merge is in progress after the base merge; refusing to push.and the job exited 1. This is the inherent race between scheduler dispatch and worker execution: the PR stopped being conflicted (e.g. the head was refreshed) before the worker ran, which is a success condition, not a failure.Fix: in
.github/workflows/pr-review-autofix.yml, immediately after the base merge, add an explicit branch:MERGE_HEADabsent AND no conflicted files AND no staged/unstaged/untracked changes → log the reason (Base <ref> (<sha>) is already merged into head <sha>; no conflict resolution needed. Exiting as a no-op.) and exit 0.MERGE_HEADabsent but the tree is NOT clean → still fail closed, now with an explicit error message plusgit status --shortoutput.All existing fail-closed guards are unchanged: the conflict-marker scan before push, the
MERGE_HEADcheck before commit/push, and the live-head-SHA comparison.Verification:
test_autofix_worker_resolves_merge_conflicts_fail_closedcontract pins on this workflow).Root causes intentionally NOT duplicated here (in-flight PRs)
The org-wide required
opencode-reviewcheck failing withMODEL_OUTPUT_UNAVAILABLE/ model-pool exhaustion (blocking PR #515 and others) is already addressed by open PRs #511 (early-kill hung runs on fatal provider errors), #514 (canonicalize finding field drift), #517, and #518. #516 (dispatch status token 403) has already merged. No approved PR is blocked solely by being behind its base, so no branch refreshes were needed.Note: open PR #506 reduces OpenCode review timeouts/budgets in
opencode-review.yml(e.g.timeout-minutes20→12,OPENCODE_RUN_TIMEOUT_SECONDS300→180), which conflicts with org policy against reducing review budgets; flagged for maintainer decision, not acted on here.Generated by Claude Code