What happened
PR #32 (#32) added CLAUDE.md, COMMITS.md, CONTRIBUTING.md, LICENSE, stale.yml, and vouch-check.yml. Two review bots (fullsend-ai-review and qodo-code-review) identified multiple functional bugs. The human reviewer (ifireball) approved with no comment body, and the author (ralphbean) merged with zero findings addressed. The following bugs are now in the codebase:
-
COMMITS.md line 115: Uses the term "important-severity" which is not a valid severity level per schemas/review-result.schema.json (valid values: critical, high, medium, low, info). Review agents following this instruction will produce output that fails schema validation.
-
vouch-check.yml: Missing issues: write permission. The workflow calls github.rest.issues.createComment() to post an explanatory comment when closing unvouched PRs, but its permissions block only grants contents: read and pull-requests: write. The comment step will fail at runtime, leaving closed PRs with no explanation. (Identified by qodo-code-review, missed by fullsend-ai-review.)
-
vouch-check.yml line 53: Fail-closed on infrastructure errors. If the vouched branch or VOUCHED.td file is missing/renamed, the catch block logs the error and continues with vouched = false, silently closing all external contributor PRs with a misleading "not vouched" message.
-
stale.yml line 8: actions: write permission is unnecessary. The actions/stale action only needs issues: write, pull-requests: write, and contents: write (for delete-branch). actions: write grants unneeded capabilities like cancelling workflow runs.
What could go better
These bugs should have been caught before merge. The review agents identified them correctly, but the non-blocking review state (COMMENTED) combined with a human approval that didn't engage with findings allowed the bugs to ship.
Confidence: High for bugs 1, 2, and 4 — these are deterministic issues verifiable from the code. Medium-high for bug 3 — the fail-closed behavior is intentional for the vouch-not-found case but incorrect for infrastructure failures (API outages, branch renames).
Proposed change
Fix the 4 identified bugs:
-
In COMMITS.md line 115, replace "important-severity" with "high-severity" (or just "high").
-
In .github/workflows/vouch-check.yml, add issues: write to the permissions block (needed for createComment API call).
-
In .github/workflows/vouch-check.yml, modify the VOUCHED.td catch block to distinguish 404 errors (file/branch not found → continue with vouched=false) from other errors (API failures → fail the workflow step with core.setFailed() so the check shows as failed rather than silently closing PRs).
-
In .github/workflows/stale.yml, remove actions: write from the permissions block.
Optionally also:
Validation criteria
grep -n 'important-severity' COMMITS.md returns no results.
.github/workflows/vouch-check.yml permissions block includes issues: write.
- In
.github/workflows/vouch-check.yml, a non-404 error reading VOUCHED.td causes the step to fail (verify by inspecting the catch block logic).
.github/workflows/stale.yml permissions block does not include actions: write.
- All existing CI checks pass after the fix.
Generated by retro agent from #32
What happened
PR #32 (#32) added CLAUDE.md, COMMITS.md, CONTRIBUTING.md, LICENSE, stale.yml, and vouch-check.yml. Two review bots (fullsend-ai-review and qodo-code-review) identified multiple functional bugs. The human reviewer (ifireball) approved with no comment body, and the author (ralphbean) merged with zero findings addressed. The following bugs are now in the codebase:
COMMITS.md line 115: Uses the term "important-severity" which is not a valid severity level per
schemas/review-result.schema.json(valid values: critical, high, medium, low, info). Review agents following this instruction will produce output that fails schema validation.vouch-check.yml: Missing
issues: writepermission. The workflow callsgithub.rest.issues.createComment()to post an explanatory comment when closing unvouched PRs, but its permissions block only grantscontents: readandpull-requests: write. The comment step will fail at runtime, leaving closed PRs with no explanation. (Identified by qodo-code-review, missed by fullsend-ai-review.)vouch-check.yml line 53: Fail-closed on infrastructure errors. If the
vouchedbranch or VOUCHED.td file is missing/renamed, the catch block logs the error and continues withvouched = false, silently closing all external contributor PRs with a misleading "not vouched" message.stale.yml line 8:
actions: writepermission is unnecessary. Theactions/staleaction only needsissues: write,pull-requests: write, andcontents: write(for delete-branch).actions: writegrants unneeded capabilities like cancelling workflow runs.What could go better
These bugs should have been caught before merge. The review agents identified them correctly, but the non-blocking review state (COMMENTED) combined with a human approval that didn't engage with findings allowed the bugs to ship.
Confidence: High for bugs 1, 2, and 4 — these are deterministic issues verifiable from the code. Medium-high for bug 3 — the fail-closed behavior is intentional for the vouch-not-found case but incorrect for infrastructure failures (API outages, branch renames).
Proposed change
Fix the 4 identified bugs:
In
COMMITS.mdline 115, replace "important-severity" with "high-severity" (or just "high").In
.github/workflows/vouch-check.yml, addissues: writeto the permissions block (needed forcreateCommentAPI call).In
.github/workflows/vouch-check.yml, modify the VOUCHED.td catch block to distinguish 404 errors (file/branch not found → continue with vouched=false) from other errors (API failures → fail the workflow step withcore.setFailed()so the check shows as failed rather than silently closing PRs).In
.github/workflows/stale.yml, removeactions: writefrom the permissions block.Optionally also:
Validation criteria
grep -n 'important-severity' COMMITS.mdreturns no results..github/workflows/vouch-check.ymlpermissions block includesissues: write..github/workflows/vouch-check.yml, a non-404 error reading VOUCHED.td causes the step to fail (verify by inspecting the catch block logic)..github/workflows/stale.ymlpermissions block does not includeactions: write.Generated by retro agent from #32