Skip to content

feat(governance): org-wide approved-PR queue sweep + Noema second-reviewer PAT fallback#451

Merged
opencode-agent[bot] merged 2 commits into
mainfrom
claude/cwl-checks-governance-apcbup
Jul 11, 2026
Merged

feat(governance): org-wide approved-PR queue sweep + Noema second-reviewer PAT fallback#451
opencode-agent[bot] merged 2 commits into
mainfrom
claude/cwl-checks-governance-apcbup

Conversation

@seonghobae

@seonghobae seonghobae commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Two central-governance fixes that together unblock the "approved but not merged" backlog and the two-reviewer deadlock.

1. Hourly org-wide approved-PR queue sweep + stale-queue hygiene

Live audit found ~30 PRs across 12 repositories OpenCode-APPROVED on their exact current head with all checks green, yet unmerged. Root cause: target repositories only get merge-scheduler runs on PR events / review completion / protected-branch pushes. A PR that becomes mergeable after its last event has no later trigger and sits approved-but-unmerged. Only .github has a cron.

  • Add an org-queue-sweep job to pr-review-merge-scheduler.yml: runs hourly (17 * * * *) only in .github (or workflow_dispatch org_sweep=true); the single-repo scan-pr-queue skips those triggers so nothing double-runs.
  • Re-runs the trusted scheduler against every non-archived org repo through the same guarded merge/update contract; each repo prints its per-PR decision log so every unmerged PR has a concrete logged reason at most one hour old.
  • Requires a cross-repo mutation credential (PR_REVIEW_MERGE_TOKENOPENCODE_APPROVE_TOKEN → OpenCode app token) and fails with a visible ::error instead of silently no-opping on the repo-scoped github.token.
  • Queue hygiene: cancels runs still queued after ORG_SWEEP_STALE_QUEUE_HOURS (default 24h), logging run id, workflow, head branch, and age.

2. Noema second-reviewer NOEMA_REVIEW_TOKEN PAT fallback

The two-reviewer rule needs a second approving-review identity beyond OpenCode. Today it only works if the Noema Worker is deployed and NOEMA_TOKEN_EXCHANGE_URL is set — so no PR gets a second review and .github's classic 2-review protection blocks every .github PR (including approved+green #443/#449 and this one).

  • noema-review.yml now prefers a NOEMA_REVIEW_TOKEN secret as the reviewer identity, skipping the OIDC exchange; the review step prefers it over the exchanged app token. The secret is never emitted as a step output.
  • When neither the secret nor the exchange URL is set, the step still emits the unconfigured notice and skips (green-by-skip), not a failure.
  • noema_review_gate.py already refuses to review as a primary review actor (opencode-agent/github-actions), so the fallback can't manufacture a fake second review.
  • Pairs with the PydanticAI reviewer agent in feat(reviewer): PydanticAI second-reviewer agent plane (noema#9) noema#14 (noema#9) that produces the verdict this identity publishes.

Verification

  • python3 -m pytest -q308 passed (adds test_org_queue_sweep_covers_target_repositories_on_a_heartbeat and test_noema_review_supports_review_token_pat_fallback).
  • YAML parse OK for both workflows.

Operator notes (admin actions this PR cannot perform)

  • .github@main classic protection requires 2 approving reviews while org ruleset normalization set required_approving_review_count=0 — this deadlocks every .github PR. Activate the Noema second reviewer (set NOEMA_REVIEW_TOKEN + NOEMA_LLM_*) or reconcile the classic protection with the ruleset.
  • bandscope@develop classic protection requires 9 status contexts current workflows don't emit → 9 of 9 required status checks are expected. []. Normalize into the ruleset or drop stale contexts.
  • The org sweep needs PR_REVIEW_MERGE_TOKEN (or OPENCODE_APPROVE_TOKEN) for cross-repo mutations; until set it fails loudly each hour with the fix instruction in the log.

🤖 Generated with Claude Code

https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z

@opencode-agent

opencode-agent Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

OpenCode Review Overview

  • Head SHA: b7c7b9a29e3cae80718c7eb52b20db04cc39554b
  • Workflow run: 29149549810
  • Workflow attempt: 1
  • Gate result: APPROVE (approval step)

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/noema-review.yml, .github/workflows/pr-review-merge-scheduler.yml, docs/org-required-workflow-rollout.md, tests/test_required_workflow_queue_contract.py.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/noema-review.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in current-head evidence
  • Head SHA: b7c7b9a29e3cae80718c7eb52b20db04cc39554b
  • Workflow run: 29149549810
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow (2 files)"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow (2 files)"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Docs: org-required-workflow-rollout.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
  R2 --> V2["docs review"]
  Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
  S3 --> I3["regression suite"]
  I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
  R3 --> V3["targeted test run"]
Loading

opencode-agent[bot]
opencode-agent Bot previously approved these changes Jul 11, 2026

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/pr-review-merge-scheduler.yml, docs/org-required-workflow-rollout.md, tests/test_required_workflow_queue_contract.py.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/pr-review-merge-scheduler.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: PR adds an hourly org-wide sweep for approved PRs with secure token handling and tests.
  • Head SHA: c9317151733bd548f3ad9653136669f4bb924a22
  • Workflow run: 29145640407
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow: pr-review-merge-scheduler.yml"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow: pr-review-merge-scheduler.yml"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Docs: org-required-workflow-rollout.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
  R2 --> V2["docs review"]
  Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
  S3 --> I3["regression suite"]
  I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
  R3 --> V3["targeted test run"]
Loading

@opencode-agent opencode-agent Bot enabled auto-merge (squash) July 11, 2026 08:13
@seonghobae seonghobae changed the title feat(scheduler): hourly org-wide approved-PR queue sweep + stale-queue hygiene feat(governance): org-wide approved-PR queue sweep + Noema second-reviewer PAT fallback Jul 11, 2026

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/noema-review.yml, .github/workflows/pr-review-merge-scheduler.yml, docs/org-required-workflow-rollout.md, tests/test_required_workflow_queue_contract.py.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/noema-review.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: Changes are well-tested, secure, and improve the PR merge process
  • Head SHA: e7bd74fc6cbeeef17a8211b5555ae443ad35b647
  • Workflow run: 29147888235
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow (2 files)"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow (2 files)"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Docs: org-required-workflow-rollout.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
  R2 --> V2["docs review"]
  Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
  S3 --> I3["regression suite"]
  I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
  R3 --> V3["targeted test run"]
Loading

Copy link
Copy Markdown
Contributor Author

Confirmed .github-only 2-reviewer merge deadlock (admin action required).

Empirically verified just now: a direct squash-merge of the approved+all-green #449 returns

405 At least 2 approving reviews are required by reviewers with write access.

This is .github-specific. The read endpoints under-report it — GET /repos/…/.github/rules/branches/main shows required_approving_review_count: 0 and classic protection shows None — but the merge gate enforces 2. Every other org repo requires only 1: today, with a single OpenCode approval + green checks, codec-carver#233, newsdom-api#329, ContextualWisdomLab.github.io#73, aFIPC#128, gyeot#9/#10, html4tree#148, clearfolio#141, nonnest2#44/#45 all merged cleanly, and keyverse#10/#14 + naruon#1034/#1039 merged via the scheduler. Only .github PRs (#443, #449, this #451 — all approved-on-current-head + green) stay blocked.

This is the exact deadlock the second reviewer targets, and it's chicken-and-egg: the PRs that wire the Noema second reviewer can't merge until a second reviewer exists.

Resolution (any one, admin):

  1. Provide the second approving review on docs: add CLAUDE.md guidance for AI assistants #443Fix OpenCode review cadence and placeholder scan #449feat(governance): org-wide approved-PR queue sweep + Noema second-reviewer PAT fallback #451 manually (bootstraps the mechanism; after feat(governance): org-wide approved-PR queue sweep + Noema second-reviewer PAT fallback #451 merges the hourly org sweep runs), or
  2. Set org/repo secrets NOEMA_REVIEW_TOKEN (a distinct write-access token) + NOEMA_LLM_MODEL/NOEMA_LLM_API_URL/NOEMA_LLM_API_KEY so the Noema reviewer (feat(reviewer): PydanticAI second-reviewer agent plane (noema#9) noema#14, merged code) submits the second review, or
  3. Reconcile the hidden .github 2-review rule with the org ruleset decision (required_approving_review_count 0/1) if 2 was unintended.

Recommend (1) to unblock immediately, then (2) so it self-sustains.


Generated by Claude Code

claude added 2 commits July 11, 2026 10:33
Event-driven scheduler runs in target repositories stop retrying once
their triggering event is consumed, so a PR that becomes mergeable AFTER
its last event (approval published after the scheduler pass, merge-preview
checks landing late, a temporary base-branch policy blocker clearing) has
no later trigger and accumulates as approved-but-unmerged. Live evidence:
bandscope #600/#604/#606/#627, html4tree #139-#148, clearfolio #136-#141,
codec-carver #226-#232, appguardrail #278-#283, keyverse #10/#14,
gyeot #9/#10, aFIPC #127/#128, nonnest2 #42/#44/#45, naruon #1034.

Add an org-queue-sweep job to the central scheduler workflow:
- runs hourly (cron 17 * * * *) only in ContextualWisdomLab/.github, or on
  workflow_dispatch with org_sweep=true; the single-repository scan skips
  those triggers so nothing double-runs
- re-runs the trusted scheduler script against every non-archived org
  repository through the same guarded merge/update/review contract
- requires a cross-repository mutation credential (PR_REVIEW_MERGE_TOKEN,
  OPENCODE_APPROVE_TOKEN, or the exchanged OpenCode app token) and fails
  with a visible ::error reason instead of silently no-opping on the
  repository-scoped github.token
- prints each repository's per-PR decision log so every unmerged PR has a
  concrete logged reason at most one hour old
- queue hygiene: cancels workflow runs still queued after
  ORG_SWEEP_STALE_QUEUE_HOURS (default 24h), logging run id, workflow,
  head branch, and age, so the Actions queue only holds current-head work

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z
…viewer

The two-reviewer merge rule needs a second approving-review identity beyond
OpenCode. Today it only works if the Noema Worker is deployed and
NOEMA_TOKEN_EXCHANGE_URL is set, so no PR gets a second review and .github's
classic 2-review protection blocks every .github PR.

Add a NOEMA_REVIEW_TOKEN secret fallback: when present it is used directly as
the reviewer identity and the OIDC app-token exchange is skipped; the review
step prefers it over the exchanged app token. The secret is never emitted as a
step output. When neither the secret nor the exchange URL is configured, the
step still emits the unconfigured notice and skips (green-by-skip), not a
failure. noema_review_gate.py already refuses to review as a primary review
actor, so the fallback cannot manufacture a fake second review from the
github-actions/opencode identity.

Pairs with the noema PydanticAI reviewer agent (ContextualWisdomLab/noema#9)
that produces the verdict this identity publishes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z
@opencode-agent opencode-agent Bot force-pushed the claude/cwl-checks-governance-apcbup branch from e7bd74f to b7c7b9a Compare July 11, 2026 10:34

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/noema-review.yml, .github/workflows/pr-review-merge-scheduler.yml, docs/org-required-workflow-rollout.md, tests/test_required_workflow_queue_contract.py.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/noema-review.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in current-head evidence
  • Head SHA: b7c7b9a29e3cae80718c7eb52b20db04cc39554b
  • Workflow run: 29149549810
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow (2 files)"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow (2 files)"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Docs: org-required-workflow-rollout.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: org-required-workflow-rollout.md"]
  R2 --> V2["docs review"]
  Evidence --> S3["Test: test_required_workflow_queue_contract.py"]
  S3 --> I3["regression suite"]
  I3 --> R3["Review risk: Test: test_required_workflow_queue_contract.py"]
  R3 --> V3["targeted test run"]
Loading

@opencode-agent opencode-agent Bot merged commit 9adc829 into main Jul 11, 2026
46 checks passed
seonghobae pushed a commit that referenced this pull request Jul 11, 2026
The first live org-queue-sweep run (dispatched after #451 merged) failed every
repository with '--project-flow is required': pr_review_merge_scheduler.py
requires --project-flow, and the sweep loop — unlike the single-repository
scan-pr-queue job — never derived or passed it.

Derive project_flow per target the same way the single-repository job does
(main/master -> github-flow, develop -> git-flow, else github-flow) and pass
--project-flow. Add a contract-test assertion so the sweep can never regress to
the missing-flag state.

The credential path and per-repo iteration already worked in that run; the
HTTP 403 lines were the non-fatal stale-queue cancel fallback, not this failure.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z
opencode-agent Bot added a commit that referenced this pull request Jul 11, 2026
The first live org-queue-sweep run (dispatched after #451 merged) failed every
repository with '--project-flow is required': pr_review_merge_scheduler.py
requires --project-flow, and the sweep loop — unlike the single-repository
scan-pr-queue job — never derived or passed it.

Derive project_flow per target the same way the single-repository job does
(main/master -> github-flow, develop -> git-flow, else github-flow) and pass
--project-flow. Add a contract-test assertion so the sweep can never regress to
the missing-flag state.

The credential path and per-repo iteration already worked in that run; the
HTTP 403 lines were the non-fatal stale-queue cancel fallback, not this failure.


Claude-Session: https://claude.ai/code/session_018Fxd76REwJfmQcXCJjLi6Z

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: opencode-agent[bot] <219766164+opencode-agent[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants