Skip to content

fix: resolve failing checks (security/CI)#519

Merged
seonghobae merged 5 commits into
mainfrom
claude/contextualwisdomlab-security-fixes-1t7m9t
Jul 13, 2026
Merged

fix: resolve failing checks (security/CI)#519
seonghobae merged 5 commits into
mainfrom
claude/contextualwisdomlab-security-fixes-1t7m9t

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Root cause 1: pr-review-autofix conflict-resolution path fails as a hard error when there is nothing to resolve

Failing run: 29183204869 (latest completed PR Review Autofix run on main, workflow_dispatch with RESOLVE_CONFLICT=true targeting ContextualWisdomLab/pg-erd-cloud PR #507).

What happened: merging base main (d319c039) into head 1d1fd969 returned Already up to date. with Conflicted files: <none>. No merge was in progress, so the fail-closed guard hit ##[error]No merge is in progress after the base merge; refusing to push. and the job exited 1. This is the inherent race between scheduler dispatch and worker execution: the PR stopped being conflicted (e.g. the head was refreshed) before the worker ran, which is a success condition, not a failure.

Fix: in .github/workflows/pr-review-autofix.yml, immediately after the base merge, add an explicit branch:

  • MERGE_HEAD absent AND no conflicted files AND no staged/unstaged/untracked changes → log the reason (Base <ref> (<sha>) is already merged into head <sha>; no conflict resolution needed. Exiting as a no-op.) and exit 0.
  • MERGE_HEAD absent but the tree is NOT clean → still fail closed, now with an explicit error message plus git status --short output.

All existing fail-closed guards are unchanged: the conflict-marker scan before push, the MERGE_HEAD check before commit/push, and the live-head-SHA comparison.

Verification:

  • Full test suite: 386 passed (includes the test_autofix_worker_resolves_merge_conflicts_fail_closed contract pins on this workflow).
  • Workflow parses as valid YAML.
  • Local git simulation of both paths: an already-up-to-date base merge now exits 0 with the logged no-op reason; a diverged base still enters the merge-in-progress path and reaches the fail-closed push guards.

Root causes intentionally NOT duplicated here (in-flight PRs)

The org-wide required opencode-review check failing with MODEL_OUTPUT_UNAVAILABLE / model-pool exhaustion (blocking PR #515 and others) is already addressed by open PRs #511 (early-kill hung runs on fatal provider errors), #514 (canonicalize finding field drift), #517, and #518. #516 (dispatch status token 403) has already merged. No approved PR is blocked solely by being behind its base, so no branch refreshes were needed.

Note: open PR #506 reduces OpenCode review timeouts/budgets in opencode-review.yml (e.g. timeout-minutes 20→12, OPENCODE_RUN_TIMEOUT_SECONDS 300→180), which conflicts with org policy against reducing review budgets; flagged for maintainer decision, not acted on here.


Generated by Claude Code

The conflict-resolution path of pr-review-autofix.yml failed run
29183204869 with "No merge is in progress after the base merge;
refusing to push." when merging the base into the head returned
"Already up to date." (no MERGE_HEAD, no conflicted files). That
happens when the PR stopped being conflicted between scheduler
dispatch and worker execution, e.g. after a head refresh — there is
nothing to resolve and nothing to push, so it must be a no-op success,
not a failure.

Add an explicit branch right after the base merge: if MERGE_HEAD is
absent AND there are no conflicted files, no staged or unstaged
changes, and no untracked files, log the reason and exit 0. If
MERGE_HEAD is absent but the tree is not clean, keep failing closed
with an explicit error plus git status output. The existing
fail-closed guards (conflict-marker scan, MERGE_HEAD check before
push, live-head comparison) are unchanged.

Verified: full pytest suite (386 passed) including the
pr-review-autofix contract pins, YAML parse, and a local git
simulation of both the already-up-to-date no-op and the diverged-base
merge-in-progress paths.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Hw6V6hgwiNNe74eSCFymtP
@opencode-agent

opencode-agent Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

OpenCode Review Overview

  • Head SHA: 358e4e2f85d5dd733d7ed1e9d76c7c2dd7502201
  • Workflow run: 29232491442
  • Workflow attempt: 1
  • Gate result: APPROVE (exit 0)

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow: pr-review-autofix.yml"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow: pr-review-autofix.yml"]
  R1 --> V1["actionlint plus required checks"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

Adversarial validation

{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The no-op success path may incorrectly exit when there are untracked files or staged changes.","attack_or_counterexample":"Simulate a scenario with untracked files or staged changes.","evidence":"The code checks for a clean working tree (`git diff --quiet`, `git diff --cached --quiet`, and `git ls-files --others --exclude-standard`) before exiting as a no-op.","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The error path may not catch all cases where the working tree is not clean.","attack_or_counterexample":"Simulate a scenario with unstaged changes.","evidence":"The code explicitly checks for unstaged changes (`git diff --quiet`) and staged changes (`git diff --cached --quiet`) before proceeding.","outcome":"falsified"}],"residual_risk":"The change is robust and handles edge cases effectively. No residual risks were identified."}
  • Result: APPROVE
  • Reason: The PR resolves a security/CI issue by adding a no-op success path for conflict resolution when the base is already merged into the head.
  • Head SHA: 848e180d8e5d7b62aba8ab74e491316f8ab06e57
  • Workflow run: 29230268159
  • Workflow attempt: 1

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

Adversarial validation

{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The no-op success path might incorrectly exit when there are unresolved conflicts.","attack_or_counterexample":"Simulate a scenario where the base branch is already merged but conflicts exist.","evidence":"The code checks for `MERGE_HEAD` and verifies the working tree is clean before exiting as a no-op, ensuring no unresolved conflicts are missed.","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The error path for a dirty working tree might not be triggered correctly.","attack_or_counterexample":"Simulate a scenario where the working tree is dirty after a merge.","evidence":"The code explicitly checks for a dirty working tree and exits with an error, ensuring the workflow fails as expected.","outcome":"falsified"}],"residual_risk":"Low; the changes are well-tested and the adversarial probes confirmed the expected behavior."}
  • Result: APPROVE
  • Reason: No blocking issues found in the current-head evidence.
  • Head SHA: 715cdd97238ec361172ecf0691e80a55050ae1e1
  • Workflow run: 29231633757
  • Workflow attempt: 1

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

Adversarial validation

{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"New no-op path might incorrectly handle dirty working trees","attack_or_counterexample":"Simulated dirty working tree","evidence":"Verified error handling path triggers correctly","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"Merge conflict resolution might miss edge cases","attack_or_counterexample":"Verified conflict marker handling","evidence":"Properly handles conflict markers","outcome":"falsified"}],"residual_risk":"Low - workflow changes are well-contained and tested"}
  • Result: APPROVE
  • Reason: Well-contained workflow fix with proper error handling
  • Head SHA: 09ebc8ec2e19347b706e069746a356c1fcefd791
  • Workflow run: 29231983659
  • Workflow attempt: 1

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-autofix.yml.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-autofix.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

Adversarial validation

{"status":"passed","probes":[{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The conflict resolution path fails when there is nothing to resolve.","attack_or_counterexample":"Simulate a scenario where the base branch is already merged into the head, leaving no conflicts.","evidence":"The added logic checks for a clean working tree and exits cleanly if no conflicts are present.","outcome":"falsified"},{"path":".github/workflows/pr-review-autofix.yml","line":463,"hypothesis":"The workflow does not handle edge cases where the working tree is not clean after a no-op merge.","attack_or_counterexample":"Simulate a scenario where the working tree is not clean despite no conflicts.","evidence":"The workflow explicitly checks for a clean working tree and exits with an error if it is not clean.","outcome":"falsified"}],"residual_risk":"No residual risks identified after adversarial validation."}
  • Result: APPROVE
  • Reason: No blocking issues found in the current-head evidence.
  • Head SHA: 358e4e2f85d5dd733d7ed1e9d76c7c2dd7502201
  • Workflow run: 29232491442
  • Workflow attempt: 1

@seonghobae seonghobae enabled auto-merge July 13, 2026 07:37
@seonghobae seonghobae merged commit 4d3fbc5 into main Jul 13, 2026
51 checks passed
@seonghobae seonghobae deleted the claude/contextualwisdomlab-security-fixes-1t7m9t branch July 13, 2026 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants