Skip to content

ci: fix harness drift — Claude review, L4 trigger, Go 1.25.12#136

Merged
fullstackjam merged 3 commits into
mainfrom
ci/harness-hygiene
Jul 9, 2026
Merged

ci: fix harness drift — Claude review, L4 trigger, Go 1.25.12#136
fullstackjam merged 3 commits into
mainfrom
ci/harness-hygiene

Conversation

@fullstackjam

Copy link
Copy Markdown
Member

What does this PR do?

Fixes three harness/CI drifts surfaced while shipping #134: the Claude review bot never posts, L4 doesn't actually run on PRs, and the Go toolchain carries a known stdlib CVE.

Why?

Three independent, evidence-backed fixes (one commit each):

1. ci: grant Claude review workflow write the Claude Code Review workflow completes successfully on every PR but posts nothing. Run logs show the job's GITHUB_TOKEN had PullRequests: read; the action generates a review then silently drops it (No buffered inline comments). Bumping pull-requests/issues to write lets inline + summary comments post. Auth (claude_code_oauth_token) and the /code-review plugin prompt are left untouched — the logs show both already work, so this is the minimal fix.

2. ci: run L4 vm-e2e on every PR to main CLAUDE.md and docs/HARNESS.md describe L4 as running "on every PR", but vm-e2e-spike.yml only triggered on push to test/vm-e2e-speed + manual dispatch. Adds a pull_request trigger (matching test.yml / harness.yml) so reality matches the doc. Stays non-blocking — not in .github/required-checks.txt.

3. chore(deps): bump Go toolchain to 1.25.12 resolves GO-2026-5856 (Encrypted Client Hello privacy leak in crypto/tls), which govulncheck's drift sensor flags as Found in: crypto/tls@go1.25.11 / Fixed in: crypto/tls@go1.25.12. All CI reads go-version-file: go.mod.

Testing

  • go vet ./... passes / make build OK after the Go bump
  • Both workflow YAMLs validated (yaml.safe_load)
  • go mod tidy is a no-op (no toolchain line added)
  • Self-verifying: this PR exercises its own fixes — pull_request events use the PR-branch workflow files, so the Claude review here runs with the new write perms (fix Upload snapshot #1 verified if a review appears), the new L4 trigger fires on this PR (fix 🎉 Share your OpenBoot config! #2), and the harness govulncheck job should stop reporting GO-2026-5856 (fix Dotfiles and Shell Setup Not Happening #3).

Cross-repo checklist

  • Does this need a docs/content update in openboot.dev? — No
  • Does this change the CLI ↔ server API contract? — No

Notes for reviewer

  • Purely in-YAML + go.mod; no repo settings, secrets, or branch-protection changes.
  • Fix Upload snapshot #1's write escalation only takes effect if the repo/org allows the workflow token to request write — that's the standard default; the review run on this PR is the empirical check.
  • Cost note on fix 🎉 Share your OpenBoot config! #2: L4 is a ~60-min macOS job (10× minute multiplier) and will now run on every PR. It's non-blocking; if the macOS minutes bite, dial it back with a paths filter or drop the trigger.

https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo

Resolves GO-2026-5856 (Encrypted Client Hello privacy leak in
crypto/tls), which govulncheck's drift sensor flags as "Found in:
crypto/tls@go1.25.11 / Fixed in: crypto/tls@go1.25.12". All CI uses
go-version-file: go.mod, so bumping the go directive upgrades the
toolchain everywhere. No toolchain line needed; `go mod tidy` is a no-op.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
The Claude Code Review workflow completed successfully on every PR but
never posted anything — the run's GITHUB_TOKEN had PullRequests: read, so
the action generated a review then silently dropped it ("No buffered
inline comments"). Bump pull-requests and issues to write so inline
comments and the summary comment can actually be posted back to the PR.

Auth (claude_code_oauth_token) and the /code-review plugin prompt are
left unchanged — the run logs show both already work.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
CLAUDE.md and docs/HARNESS.md describe L4 as running "on every PR", but
the workflow only triggered on push to test/vm-e2e-speed and manual
dispatch. Add a pull_request trigger (matching test.yml / harness.yml)
so reality matches the documented intent. It stays non-blocking — it's
not in .github/required-checks.txt — so it reports without gating merges.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
@github-actions github-actions Bot added the ci CI/CD changes label Jul 9, 2026
@fullstackjam fullstackjam merged commit 8615525 into main Jul 9, 2026
14 checks passed
@fullstackjam fullstackjam deleted the ci/harness-hygiene branch July 9, 2026 01:21
fullstackjam added a commit that referenced this pull request Jul 10, 2026
The review workflow ran to success but never posted. #136 granted
pull-requests/issues write, which moved it from "0 tool denials, posts
nothing" to "1 denial, posts nothing" — the /code-review plugin now tries
mcp__github_inline_comment__create_inline_comment but the action's default
allowlist blocks it, so the review buffers and is dropped ("No buffered
inline comments").

Allowlist that tool plus the gh commands the review reads context with.
Auth and the plugin prompt are unchanged — both already work.

Note: this can't self-verify — claude-code-action skips its run on any PR
that edits its own workflow file (anti-tamper). It activates on the next
PR that doesn't touch the workflow.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
fullstackjam added a commit that referenced this pull request Jul 10, 2026
The review workflow ran to success but never posted. #136 granted
pull-requests/issues write, which moved it from "0 tool denials, posts
nothing" to "1 denial, posts nothing" — the /code-review plugin now tries
mcp__github_inline_comment__create_inline_comment but the action's default
allowlist blocks it, so the review buffers and is dropped ("No buffered
inline comments").

Allowlist that tool plus the gh commands the review reads context with.
Auth and the plugin prompt are unchanged — both already work.

Note: this can't self-verify — claude-code-action skips its run on any PR
that edits its own workflow file (anti-tamper). It activates on the next
PR that doesn't touch the workflow.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI/CD changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Dotfiles and Shell Setup Not Happening Upload snapshot

1 participant