Skip to content

Fix 4 unresolved bugs from PR #32: COMMITS.md, vouch-check.yml, stale.yml #44

Description

@fullsend-ai-retro

What happened

PR #32 (#32) added CLAUDE.md, COMMITS.md, CONTRIBUTING.md, LICENSE, stale.yml, and vouch-check.yml. Two review bots (fullsend-ai-review and qodo-code-review) identified multiple functional bugs. The human reviewer (ifireball) approved with no comment body, and the author (ralphbean) merged with zero findings addressed. The following bugs are now in the codebase:

  1. COMMITS.md line 115: Uses the term "important-severity" which is not a valid severity level per schemas/review-result.schema.json (valid values: critical, high, medium, low, info). Review agents following this instruction will produce output that fails schema validation.

  2. vouch-check.yml: Missing issues: write permission. The workflow calls github.rest.issues.createComment() to post an explanatory comment when closing unvouched PRs, but its permissions block only grants contents: read and pull-requests: write. The comment step will fail at runtime, leaving closed PRs with no explanation. (Identified by qodo-code-review, missed by fullsend-ai-review.)

  3. vouch-check.yml line 53: Fail-closed on infrastructure errors. If the vouched branch or VOUCHED.td file is missing/renamed, the catch block logs the error and continues with vouched = false, silently closing all external contributor PRs with a misleading "not vouched" message.

  4. stale.yml line 8: actions: write permission is unnecessary. The actions/stale action only needs issues: write, pull-requests: write, and contents: write (for delete-branch). actions: write grants unneeded capabilities like cancelling workflow runs.

What could go better

These bugs should have been caught before merge. The review agents identified them correctly, but the non-blocking review state (COMMENTED) combined with a human approval that didn't engage with findings allowed the bugs to ship.

Confidence: High for bugs 1, 2, and 4 — these are deterministic issues verifiable from the code. Medium-high for bug 3 — the fail-closed behavior is intentional for the vouch-not-found case but incorrect for infrastructure failures (API outages, branch renames).

Proposed change

Fix the 4 identified bugs:

  1. In COMMITS.md line 115, replace "important-severity" with "high-severity" (or just "high").

  2. In .github/workflows/vouch-check.yml, add issues: write to the permissions block (needed for createComment API call).

  3. In .github/workflows/vouch-check.yml, modify the VOUCHED.td catch block to distinguish 404 errors (file/branch not found → continue with vouched=false) from other errors (API failures → fail the workflow step with core.setFailed() so the check shows as failed rather than silently closing PRs).

  4. In .github/workflows/stale.yml, remove actions: write from the permissions block.

Optionally also:

Validation criteria

  1. grep -n 'important-severity' COMMITS.md returns no results.
  2. .github/workflows/vouch-check.yml permissions block includes issues: write.
  3. In .github/workflows/vouch-check.yml, a non-404 error reading VOUCHED.td causes the step to fail (verify by inspecting the catch block logic).
  4. .github/workflows/stale.yml permissions block does not include actions: write.
  5. All existing CI checks pass after the fix.

Generated by retro agent from #32

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions