Skip to content

chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0#8

Merged
GitCmurf merged 1 commit into
mainfrom
dependabot/github_actions/actions/setup-python-6.2.0
May 13, 2026
Merged

chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0#8
GitCmurf merged 1 commit into
mainfrom
dependabot/github_actions/actions/setup-python-6.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-python from 5.6.0 to 6.2.0.

Release notes

Sourced from actions/setup-python's releases.

v6.2.0

What's Changed

Dependency Upgrades

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

Dependency and Documentation updates:

New Contributors

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Bug fixes:

Dependency updates:

... (truncated)

Commits
  • a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
  • bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
  • 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
  • 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
  • bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
  • 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
  • 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
  • cfd55ca graalpy: add graalpy early-access and windows builds (#880)
  • bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
  • 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Greptile Summary

This PR bumps actions/setup-python from v5.6.0 to v6.2.0 across both CI and release workflows. The change is a major-version jump (5 → 6); v6.0.0 upgraded the action's runtime from Node 20 to Node 24 and requires the GitHub Actions runner to be on v2.327.1 or later.

  • Both ci.yml and release.yml are updated consistently, with the full commit SHA pinned and the version comment correctly reflecting v6.2.0.
  • Because both workflows use ubuntu-latest (a GitHub-hosted runner), GitHub guarantees the runner is kept up to date, so the Node 24 runtime requirement should be met automatically.

Confidence Score: 5/5

Safe to merge — a routine Dependabot version bump with no logic changes and correct SHA pinning in both workflow files.

The only change is the actions/setup-python SHA and version comment in two workflow files. Both files are updated consistently, SHA pinning is correct, and both workflows run on ubuntu-latest so the Node 24 runner requirement introduced in v6.0.0 is satisfied automatically.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Bumps actions/setup-python from pinned SHA for v5.6.0 to pinned SHA for v6.2.0; SHA comment updated correctly.
.github/workflows/release.yml Same setup-python version bump as ci.yml; SHA pinning and version comment both updated consistently.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push / PR event] --> B[actions/checkout v4.2.2]
    B --> C["actions/setup-python **v6.2.0** ⬆\n(was v5.6.0, Node 20 → Node 24)"]
    C --> D[Install dependencies]
    D --> E{Workflow}
    E -->|ci.yml| F[Test · Lint · Type-check\nDocOps · Whitespace · Secret scan · Pre-commit]
    E -->|release.yml| G[Test · Build dist · SBOM\nAttest provenance · Upload & Publish release]
Loading

Reviews (1): Last reviewed commit: "chore(deps): bump actions/setup-python f..." | Re-trigger Greptile

Note

Bump actions/setup-python from v5.6.0 to v6.2.0 in CI and release workflows

Updates the pinned commit hash for actions/setup-python in both ci.yml and release.yml. No changes to Python version configuration or other workflow steps.

Macroscope summarized 1c00061.

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github May 11, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot
dependabot Bot requested a review from GitCmurf as a code owner May 11, 2026 07:32
@GitCmurf
GitCmurf merged commit 3d4b10b into main May 13, 2026
3 checks passed
@dependabot
dependabot Bot deleted the dependabot/github_actions/actions/setup-python-6.2.0 branch May 13, 2026 12:28
GitCmurf added a commit that referenced this pull request Jun 23, 2026
* docs: next phase planning docs

* docs: iteration r1

* docs: CC revision, adding CI env-var awareness

* docs: CC revision r3

* docs: CC revision r4

* docs: CC revision r5

* docs: CC revision r6

* docs: CC revision r7

* feat(t0): v0.5.0 fixture catalogue + PLAN-005 governance (REVREM-PLAN-005 T0)

Stand up the shared inputs every v0.5.0 read-only consumer (revrem report,
the GitHub Action) reads from a finished run directory.

- Register PLAN-005 in the governed planning tree: move
  docs/next-steps-v0.5.0.md -> docs/05-planning/plan-005-next-steps-v0.5.0.md
  (meminit check green; document_id REVREM-PLAN-005 preserved).
- Assemble a finished-run fixture catalogue under tests/fixtures/runs/<scenario>/
  co-locating summary.json + events.jsonl for 8 terminal-state scenarios:
  clear, findings_remediated, findings_remaining, timeout, check_failure,
  cost_ceiling, cancelled, all_suppressed. These did not exist as combined
  run dirs before (summary/events fixtures were split across two trees with
  mismatched names); the four scenarios that had no summary are authored to
  summary-v1 shape with final_status/stopped_reason matching their events.
- Add tests/support/run_fixtures.py::load_run(name) so downstream tests
  address a scenario by stable name.
- Add tests/test_run_fixtures.py: meta-test asserting every scenario has
  both files and that summary validates against summary-v1 and events
  against events-v1 (25 cases, reusing the _compat_jsonschema validator).
- Update REVREM-TEST-001: reference the catalogue and record the v0.5.0
  report + Action success metrics.

Gate: pytest (1300+ pass; 1 pre-existing env failure unrelated to T0 —
test_cli_config_commands shells out to bare 'python' absent in WSL),
ruff clean, mypy clean, lint-imports green (9 contracts), meminit check
green (only a pre-existing FRONTMATTER_MISSING on an unrelated handoff doc),
git diff --check clean. All fixture files verified LF-clean (no CRLF) for
golden determinism.

* feat(t1): revrem report subcommand — static HTML + JSON index (REVREM-PLAN-005 T1)

Add a read-only subcommand that renders a finished run's summary.json +
events.jsonl into a single self-contained HTML file, or a machine-readable
JSON index. Never invokes a model or touches the network (gate G5).

- src/code_review_loop/report_html.py: pure render_report(summary, events,
  *, redact=True) -> str and build_report_index(...) -> dict. Plain HTML5 +
  inline <style>, no JS/external assets, html.escape on all interpolation.
  Redaction on by default for anything leaving the run dir (gate G7).
  Deterministic: timestamps read from inputs (never now()), filesystem paths
  normalized via PurePosixPath so os.sep never leaks (Contract #9).
- src/code_review_loop/cli/commands/report.py: command handler mirroring
  replay.py + bundle.py redaction-pair enforcement (--no-redact requires
  --i-understand-the-risks, exit 4). HTML writes via write_text_artifact
  (atomic); --format json prints canonical JSON to stdout (--output ignored).
  Truncated/malformed events render what is available + warn + exit 0 (the
  report is diagnostic).
- cli/args.py: parse_report_args (run_dir, --output/-o, --format {html,json},
  --no-redact, --i-understand-the-risks). registry.py: register 'report'.
- docs/52-api/schemas/report-index-v1.schema.json + _history baseline: the
  frozen cross-boundary contract (Contract #8) describing the index's fields
  and nullability (cost_usd null for fake harness; top_findings [] when none;
  artifact_paths {} when unavailable). Auto-covered by the schema-parity test.
- Tests: test_report_html.py (render over all 8 fixtures, determinism, no-CRLF,
  self-containment, redaction default, CLI exit codes, truncated tolerance,
  index required-keys + nullability); test_report_json.py (every index
  validates vs schema, --format json to stdout, --output ignored, golden
  snapshot of the clear-run index). test_cli_dispatch.py updated for the new
  subcommand.
- Docs: DEVEX-001 'Static HTML report' subsection + version history;
  README Key Features bullet.

Gate: 1371 passed (1 pre-existing env failure in test_cli_config_commands
unrelated to T1); ruff, mypy, lint-imports (9 contracts), meminit check
(only a pre-existing unrelated FRONTMATTER_MISSING), git diff --check all clean.

* feat(t2): report body sections + golden HTML + determinism guards (REVREM-PLAN-005 T2)

Fill the report body with the substance a reviewer wants and lock it with
byte-stable golden files.

- report_html.py: add four body sections rendered honestly from summary/events
  data (or 'unavailable' when absent):
  * Findings & triage: configured findings (severity, path, summary, f1:
    fingerprint) from status_classification events; suppressed findings with
    provenance; pointer to triage-N.json when present.
  * Checks: command/status/message/iteration from check_result events.
  * Cost & budget: tokens, USD, charge events, ceiling breach. Unreported
    costs render 'not reported', never a fabricated 0 (renders null honestly).
  * Diff stats: only from in-artifact data; absent -> 'diff stats unavailable
    for this run'. The report NEVER shells out to git. Also render tokens dict
    as key=value pairs instead of a raw repr.
- tests/golden/report/: committed golden HTML for 6 fixtures (clear,
  findings_remediated, findings_remaining, check_failure, cost_ceiling,
  all_suppressed), byte-stable across runs and platforms.
- test_report_html.py: golden comparison with REVREM_UPDATE_SNAPSHOTS=1
  regeneration affordance; cross-platform guards asserting the committed goldens
  contain no CRLF and no backslash path separators (durable on the golden, not
  just the live render); content assertions for each terminal state
  (remediated shows the passing check + clear; all_suppressed shows the stop
  reason; cost_ceiling shows the breach + error badge; null cost renders
  'not reported' not 0; diff stats 'unavailable' path).
- DEVEX-001: expand the report subsection with a description of each body
  section in order, plus the determinism/stability note (HTML layout not a
  stable contract until 0.9.0; only report-index-v1 fields are versioned).

Gate: 1388 passed (1 pre-existing env failure unrelated to T2); ruff, mypy,
lint-imports (9 contracts), git diff --check all clean.

* feat(t3): headless/CI output hardening — --no-tty + CI=true (REVREM-PLAN-005 T3)

A CI run must produce ANSI-free stderr with no flags beyond what the provider
sets automatically. Add a single suppression gate, progress.force_terminal(),
that fires on either --no-tty or the CI env var (set automatically by GitHub
Actions and most other providers).

- progress.py: force_terminal(no_tty) helper returning
  isatty and not CI and not no_tty. Thread no_tty into both Console sites
  (_console_and_text, rich_live_progress); rich_live_progress now accepts an
  optional no_tty kwarg (backward compatible).
- adapters/terminal.py: terminal_title_supported now returns False when
  config.no_tty or CI is set. This guards the /dev/tty write path, which a
  stderr-capture test would miss because /dev/tty exists on many CI runners
  regardless of isatty().
- Threading (additive throughout): OutputConfig.no_tty (routing_types) +
  OUTPUT_KEYS 'no_tty' (profiles) + LoopConfig.no_tty (config) +
  config_builder pick(args.no_tty, profile.output.no_tty, False) +
  args.py --no-tty flag (store_true) + runner.py passes config.no_tty into
  rich_live_progress. Also exposed as an additive profile key
  [output] no_tty.
- tests/test_headless_output.py (19 cases): force_terminal unit tests
  (--no-tty, any CI value, isatty baseline); terminal_title_supported gate
  tests; rich_live_progress ANSI-free-under-no_tty; end-to-end test driving a
  real loop (rich progress + no_tty) asserting zero CSI bytes on captured
  stderr; documented exit-code mapping stability (0/2/3/4/5).
- DEVEX-001: headless/CI guidance + recommended invocation
  (--progress-style compact --no-tty --summary-format json) + always-write-
  before-exit note; version history.

Gate: 1407 passed (1 pre-existing env failure unrelated to T3); ruff, mypy,
lint-imports (9 contracts), devex-doc version check all clean.

* feat(t4): reference GitHub Action + idempotent PR comment (REVREM-PLAN-005 T4)

A composite Action that runs a revrem profile on a PR, uploads a redacted HTML
report, and posts a single updatable PR comment. Depends on T2 (report) + T3
(headless stability).

- action.yml: composite action. Inputs: base, profile, max-iterations,
  max-wall-seconds, max-usd, max-tokens, checks (newline list), comment,
  upload-artifacts, raw-artifacts, fail-on-findings, install-mode (pypi|local),
  revrem-version. Does NOT checkout (caller must, fetch-depth:0); verifies base
  ref (exit 4 if absent). Runs revrem headless
  (--no-tty --progress-style compact --summary-format json); splits 'checks'
  via a bash while-read into repeated --check flags (never interpolates the
  joined string = injection vector). Two-stage guard: parse JSON stdout first,
  then read artifact_dir (never glob .revrem/runs/); fast-fail exit 4 if revrem
  crashed pre-summary. Always render/upload/comment when RUN_DIR discovered
  regardless of exit; maps exit code LAST (0 pass; 2 fail-on-findings gate;
  3 budget; 4/5 error). Fork-PR safe: comment step gated on
  head.repo.fork != 'true' (never pull_request_target). Comment script invoked
  via ${{ github.action_path }} prefix for external users.
- scripts/ci/post_pr_comment.py (stdlib only): pure build_comment_body(index)
  separated from the HTTP layer. Reads the already-redacted revrem-report.json
  via json.load; marker <!-- revrem-report --> update-or-create; body bounded
  (top 5 findings, fixed summary rows); never embeds raw model output/stderr;
  degraded generic comment when report unreadable.
- .github/workflows/revrem-pr.yml: dogfood workflow (local install, dogfood
  profile), least-privilege (contents:read, pull-requests:write).
- tests/support/fake_github_api.py: http.server stub for GET comments + POST/
  PATCH comment (records requests, no network).
- tests/test_post_pr_comment.py (13 cases): pure body builder (marker, status,
  findings, cost n/a when null, run url, never-embeds-secrets-by-design);
  posting vs stub (create-then-update idempotency, marker is the key, unrelated
  comment untouched, comment-before-fail ordering, main reads report + posts,
  degraded on unreadable, requires credentials).
- tests/test_action_yaml.py (10 cases): action.yml + workflow parse; structural
  contract (composite runs, required inputs, pypi/local modes, headless json
  invocation, artifact_dir discovery not globbing, checks splitting, fork gate,
  exit mapping is last step, action_path prefix, dogfood local install).
- README + DEVEX-001: Hands-off CI section (usage, least-privilege, fork model,
  redacted upload, generic-provider path); version history.

Gate: 1430 passed (1 pre-existing env failure unrelated to T4); ruff, mypy,
lint-imports (9 contracts), devex-doc version check all clean. action.yml +
revrem-pr.yml parse as valid YAML (10 structural tests).

* release(t13): cut v0.5.0 (REVREM-PLAN-005 T13)

The 'showcase & hands-off adoption' release: Tier 1 (Pillars A+B) of
REVREM-PLAN-005 — static HTML report, headless/CI hardening, and the reference
GitHub Action. Pillars C (expert profiles) and D (DevEx) deferred to v0.5.x;
T12 (TUI real runs) deferred to v0.6.0 per the plan's decision gate.

- Version 0.4.0 -> 0.5.0 in pyproject.toml AND src/code_review_loop/__init__.py
  (release.yml validates the tag against __init__.__version__).
- action.yml default revrem-version -> 0.5.0.
- CHANGELOG [0.5.0]: Added (report, report-index-v1 schema, GitHub Action,
  --no-tty + CI detection, run fixture catalogue); Changed (recommended CI
  invocation); Stability (frozen schemas + summary/events; Preview report HTML
  layout + expert-profile surface); Deferred (Pillar C/D to v0.5.x, T12 to
  v0.6.0).
- Fix: the golden-HTML test compared against tests/golden/report/ but the path
  resolved to a stray top-level golden/, so the comparison was a no-op (always
  re-wrote and passed). Correct _GOLDEN_DIR to tests/golden/report/; regenerate
  the committed goldens so they now genuinely pin the render (and embed 0.5.0).

Remaining (manual, before tagging): dry-run release.yml; >=1 live dogfood run
(revrem --profile dogfood) with revrem report rendering it; live observation
that the Action posts a single idempotent PR comment within ~5 min on a real
PR. These are recorded in the CHANGELOG and cannot be automated here.

Gate: 1430+ passed (1 pre-existing env failure in test_cli_config_commands);
ruff, mypy, lint-imports (9 contracts), meminit check (only a pre-existing
unrelated FRONTMATTER_MISSING), git diff --check all clean.

* fix(c1): render findings from triage-N.json::confirmed_findings (P0-1)

The headline defect from peer review: the renderer derived findings from
status_classification events whose payload was assumed to be severity-keyed
lists. That shape does not exist in the engine — real status_classification
payload is {message, summary} (verified across .revrem/runs/). Real confirmed
findings live in triage-N.json::confirmed_findings. Result before this fix:
findings section, finding_counts, and top_findings were empty on every real
run, and the PR comment reported 0 findings. Tests were green only because the
T0 fixtures were hand-authored to match the renderer's assumptions, not the
engine's contract (self-confirming goldens).

- report_html.py: add triage_findings param to render_report and
  build_report_index. Source confirmed/suppressed findings from parsed
  triage payloads (_flatten_confirmed_findings / _flatten_suppressed_findings).
  finding_counts and top_findings now derive from triage confirmed_findings
  (severity, affected_paths, summary, fingerprint, rationale), not the
  status_classification event. The renderer stays pure — it receives parsed
  triage, never reads disk.
- cli/commands/report.py: _load_triage_findings loads triage-N.json from
  summary.artifact_paths.triage (relative to run dir; highest N authoritative),
  threads parsed findings into both render paths. Missing/unreadable triage is
  skipped gracefully.
- Red gate: tests/test_report_real_findings.py + a real-shaped
  findings_with_triage fixture (status_classification payload {message,summary}
  — no severities; triage-1.json with one confirmed medium finding). Was red
  before this commit for exactly the right reason; now green. Registered as a
  standing gate in REVREM-TEST-001 (C5).
- Fixtures made representative: all_suppressed + findings_remaining now carry
  triage-1.json with confirmed/suppressed findings (findings_remaining had a
  triage-less summary despite its name). findings_with_triage is a new fixture
  whose status_classification matches the real engine shape.
- Regenerated goldens: findings_remaining.html now shows the finding
  (fingerprint + summary), not 'No configured findings recorded'.

Verified against ground truth: real status_classification payloads across
.revrem/runs/ carry only {message, summary}; real findings live in
triage-N.json with keys confirmed_findings/rejected_findings/needs_more_info/
suppressed_findings, each finding {severity, summary, affected_paths,
fingerprint, rationale}.

Gate: 1433 passed (1 pre-existing env failure unrelated); ruff, mypy,
lint-imports (9 contracts) clean.

* fix(c2): remove dead phase_config section (P0-2)

_phase_config_rows read summary.phase_config, but summary-v1 has no such key
(0 matches in the schema; verified). The section returned '' on every run —
dead code that faithfully implemented a plan referencing a nonexistent field.
The header already shows the real top-level summary.harness.

- report_html.py: delete _phase_config_rows and its call in render_report.
- test_report_html.py: assert the header renders summary.harness and that no
  'Phase configuration' section appears.
- Regenerated goldens (section removed).

Gate: ruff, mypy clean; report tests green.

* fix(c3): wire github-token input for the PR comment (P0-3)

The comment step read GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}, but GITHUB_TOKEN
is not a default env var for composite actions and the dogfood workflow never
set it. So env.GITHUB_TOKEN resolved empty -> post_pr_comment.py hit its
'required' guard and exited 1; no comment was ever posted. The test suite
missed this because test_post_pr_comment.py called post_or_update_comment
directly, bypassing action.yml's wiring.

- action.yml: add a github-token input defaulting to ${{ github.token }}
  (composite actions can't read secrets, so the caller passes it in). The
  comment step now reads GITHUB_TOKEN: ${{ inputs.github-token }}. The dogfood
  workflow needs no extra secret wiring (defaults to the automatic token).
- test_action_yaml.py: assert the github-token input exists and defaults to
  github.token; assert the comment step's GITHUB_TOKEN comes from
  inputs.github-token, NOT env.GITHUB_TOKEN (the original bug).

Live verification (a comment actually posts on a PR) is a manual gate
recorded in C7 and the CHANGELOG.

* fix(c4): render checks from summary.iterations[].checks[] (engine real source)

The checks section previously read only check_result events. The engine's
authoritative check record is summary.iterations[].checks[] ({command, status,
artifact}) — verified across real .revrem/runs/. Now source from the summary,
falling back to check_result events for older runs that carry none.

- report_html.py: _checks_section takes summary, iterates
  iterations[].checks[] (command/status/artifact link/iteration), falling back
  to check_result events. Column renamed Message->Artifact (the real field).
- findings_with_triage fixture: add a real-shaped summary check (ruff check .,
  passed, check-1-1.txt artifact) so C4 is exercised.
- test_report_real_findings.py: assert the summary-sourced check renders and
  the empty placeholder does not appear.
- Regenerated goldens.

Gate: ruff, mypy, lint-imports clean; 116 report/fixture tests green.

* docs(c5): register real-findings render gate in REVREM-TEST-001

Add a standing success-metric row for tests/test_report_real_findings.py — the
anti-self-confirming-fixture gate introduced by the C1 corrective. It asserts
findings surface from triage-N.json::confirmed_findings (and checks from
summary.iterations[].checks[]) on a real-engine-shaped fixture, and fails if
that ever stops happening. Document why the gate exists (T0 fixtures were
hand-authored against the renderer's assumptions, not the engine's contract).

Fixture representativeness for the P0-relevant scenarios (findings_remaining,
all_suppressed, findings_with_triage) was restored in C1/C4 — they now carry
real triage and checks. Full regeneration of every fixture from .revrem/runs/
(including the 5 secondary schema keys the review noted: external_review_coverage,
invocation, phase_failures, phase_observations, triage_diagnostics) is tracked
as a follow-up; it does not gate the showcase features.

REVREM-TEST-001 bumped 1.7 -> 1.8.

* fix(c6): deep-link the report artifact in the PR comment (secondary)

The comment always linked the workflow run URL, never the uploaded report
artifact. The plan specified capturing actions/upload-artifact's artifact-url
output with the run URL as fallback.

- action.yml: give the upload-report step an id; add an Export-artifact-URL
  step that writes the artifact-url output to REVREM_ARTIFACT_URL env; pass it
  into the comment step env.
- post_pr_comment.py: main() prefers REVREM_ARTIFACT_URL over GITHUB_RUN_URL.
- test: assert the posted body links the artifact URL and not the run URL.

Gate: ruff clean; 25 comment/action tests green.

* docs(c7): document corrective fixes + release hygiene (P0 series)

No v0.5.0 tag was ever created (git tag -l 'v0.5*' is empty) — the release(t13)
commit bumped the version in source but never tagged. So there is no premature
tag to revert; 0.5.0 remains unreleased as intended.

CHANGELOG [0.5.0] gains a Fixed (corrective) section documenting P0-1/P0-2/P0-3
plus the checks-source, artifact-deep-link, and real-findings-gate fixes.

Remaining manual gates before tagging v0.5.0 (cannot be automated here, recorded
in the CHANGELOG):
- A live dogfood revrem --profile dogfood run with revrem report rendering it.
- A live observation that the Action posts a single idempotent PR comment on a
  real PR (validates the C3 github-token wiring end-to-end).

Gate: 1437 passed (1 pre-existing env failure unrelated); ruff, mypy,
lint-imports (9 contracts) clean.

* fix(c8): document phase_config in summary-v1 schema (P0-B root cause)

phase_config is written on every run by reporting.add_summary_contract_fields
(present on 106/156 local runs, all recent ones) but was undocumented in
summary-v1.schema.json. additionalProperties was already true, so validation
never caught the drift — which is exactly why the earlier P0-2 wrongly concluded
the key did not exist and deleted the report's phase-config section.

Additive, non-breaking (v1 is additive-only; 5 other optional keys already use
this convention). _history byte-equality baseline updated to match.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c9): make findings_with_triage fixture representative (P0-B)

The hand-authored fixtures omitted every key a real run carries, which is what
let the self-confirming-fixture failure mode persist. Make the anchor fixture
representative of a real run:

- summary.json: real-shaped phase_config (review/triage/remediation/
  commit_message with harness/model/effort; plus the non-model checks/runtime
  blocks) and the five previously-omitted keys (external_review_coverage,
  invocation, phase_failures, phase_observations, triage_diagnostics).
- triage-1.json: a rejected_finding and a needs_more_info entry so the renderer
  is exercised against the full triage outcome, not confirmed-only.

Inert until the renderer reads it (next commit); suite stays green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c10): restore phase-config section + render full triage outcome (P0-A, C1)

Reverts the wrong P0-2 deletion and completes the C1 findings contract.

- Restore the "Phase configuration" section, sourced from summary.phase_config
  (real data on every modern run). Filter to the model-bearing phases
  (review/triage/remediation/commit_message); checks/runtime carry no
  harness/model and are skipped, not emitted as blank rows. Now also surfaces
  reasoning-effort, timeout, and sandbox.
- Render triage rejected_findings and needs_more_info, which were silently
  dropped (only confirmed/suppressed rendered before).
- Surface per-iteration iterations[].review_status in the outcome section (the
  _findings_section docstring already promised this; it is now true).

Goldens regenerated: the sole delta is the inserted Review status row (verified
by word-diff). New gate assertions in test_report_real_findings.py cover the
phase-config table + filter, rejected/needs-info, and review_status.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c11): fix the inert fork-PR guard in the Action (Sec-1)

`github.event.pull_request.head.repo.fork != 'true'` always evaluated true
under GitHub Actions' type coercion (boolean true -> 1, string 'true' -> NaN,
1 != NaN), so the comment step never actually skipped on fork PRs — where the
token is read-only and the post would 403 and fail the job. Compare to the
boolean `false` instead.

Static fix; requires live verification on a real fork PR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c12): label the comment artifact link [Report], not [Run] (Sec-3)

build_comment_body linked the uploaded report artifact (REVREM_ARTIFACT_URL)
but labelled it [Run]. Pass report_url and run_url separately: deep-link the
artifact as [Report] when captured, fall back to the workflow run as [Run]
otherwise. Comment stays confirmed-findings-only by design (the actionable
"what remains" summary); rejected/needs-info live in the full HTML report.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* docs(c13): record second corrective iteration + extend the render gate

- CHANGELOG: correct the stale P0-2 entry (it described the now-reverted
  deletion) and document the second corrective iteration (phase-config restore,
  schema drift, fork gate, rejected/needs-info, comment label, fixture).
- REVREM-TEST-001: extend the real-findings gate entry to cover the new
  regression guards (phase-config table + filter, rejected/needs-info,
  review_status) and the fixture's representativeness.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c14): preserve array-valued artifact paths + redact index paths (GPT #3, #7)

build_report_index normalised every artifact_paths value with _normalize_path,
flattening list entries (triage, reviews, ...) to repr strings like
"['triage-1.json']" — even though report-index-v1 allows arrays and the PR
comment / consumers rely on the real shape. Preserve lists as lists of
normalised strings, and redact each path element when redact=True (an absolute
local run dir under $HOME is a real leak vector; redact_text scrubs it to
[REDACTED:home]). Also tighten the review-status gate to assert the rendered
value, not just the label.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c15): sanitize PR comment markdown table cells (GPT #6)

A model-derived finding title containing a pipe, newline, or backtick could add
columns, split the table row, or open an unterminated code span in the comment.
Route severity/file/title through an _md_cell escaper (escape `|`, collapse line
breaks, neutralise backticks) before interpolating into the table.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c16): harden the Action — injection, token fallback, raw-artifact accuracy (GPT #1, #2, #4, #5)

- #1 Script injection: every workflow input is now passed through `env:` and
  read as a shell variable ("$BASE", "$CHECKS", ...), never interpolated as
  `${{ inputs.x }}` into a run script (GitHub expands those into the script text
  before bash parses it). Added numeric validation for the budget inputs and a
  test asserting no `${{ inputs.* }}` appears in any run script.
- #2 Token: the comment step reads `${{ inputs.github-token || github.token }}`
  so the token resolves even if expression evaluation inside the input default
  is not honoured.
- #4 Raw upload: `raw-artifacts` is documented as uploading the run directory
  VERBATIM and UNREDACTED (raw prompts/model output/paths) — the prior
  "still-redacted" wording was false. DevEx doc updated to match.
- #5 Doc drift: DevEx doc now documents the corrected `head.repo.fork == false`
  fork guard; added a test asserting doc/action agreement.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* docs(c17): record external-review security & robustness fixes

Document the GPT-review corrective iteration (script-injection hardening, token
fallback, raw-artifact honesty, array-path preservation + redaction, comment
cell escaping) in the Unreleased corrective section.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix(c18): make github-token default empty so the token fallback works (GPT re-review)

The c16 fallback `${{ inputs.github-token || github.token }}` was defeated by the
input default `${{ github.token }}`: if GitHub does not evaluate the expression
in the default, inputs.github-token becomes the literal non-empty string
"${{ github.token }}" — which is truthy, so `||` short-circuits to it and the
action sends a bad token. Exactly the failure mode the fallback was meant to
prevent.

Set the default to "" (empty, not an expression). When the caller omits the
input, inputs.github-token is falsy and the fallback resolves github.token in
the step context, where expressions are honoured. Test asserts the default is
empty; CHANGELOG/docs corrected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TMtj14Nxj7teRfW7xz6mtE

* fix: PR review comments (GLM)

* fix: PR review comments 2 (GLM/CC)

* fix: PR review comments 3 (CC)

* fix: CI gate (CC)

* fix: PR review comments 4 (CC)

* fix: make action metadata load in GitHub

* fix: keep action scratch files outside checkout

* fix: bootstrap codex in dogfood action

* fix: install dogfood check tools in action workflow

* fix: make dogfood action codex-only in CI

* docs: added tech debt note

* fix: PR review comments 5 (CC)

* fix: configure git author for dogfood commits

* fix: bound dogfood action runtime

* fix: resolve dogfood report findings

* fix: sanitize stop reason in PR comment

* fix: report latest triage artifact only

* fix: emit summaries for typed CLI failures

* fix: surface phase failures in dogfood reports

* fix: include provider excerpts in failure diagnostics

* fix: classify codex quota exhaustion

* fix: surface quota exhaustion in ci

* fix: use portable action diagnostics lookup [skip ci]

* fix: address review feedback on report action safety [skip ci]

* fix: normalize windows report paths [skip ci]

* test: add no-provider action smoke workflow

* fix: address report and dogfood review comments

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant