Merge branch 'main' into worktree-feedback-replies

derekmisler · web-flow · commit 8046f94a581f · 2026-03-03T10:31:58.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -75,7 +75,8 @@ jobs:
           done
 
           echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
-          echo "New version: $NEW_VERSION"
+          echo "previous=${LATEST_TAG}" >> $GITHUB_OUTPUT
+          echo "New version: $NEW_VERSION (previous: ${LATEST_TAG:-none})"
 
       # CI cannot push commits to main (branch protection). Instead, we create
       # a detached release commit with pinned refs, reachable only via tags.
@@ -128,8 +129,14 @@ jobs:
       - name: Create GitHub Release
         env:
           VERSION: ${{ steps.version.outputs.version }}
+          PREVIOUS: ${{ steps.version.outputs.previous }}
           GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-        run: gh release create "$VERSION" --generate-notes --latest
+        run: |
+          ARGS=(--generate-notes --latest)
+          if [ -n "$PREVIOUS" ]; then
+            ARGS+=(--notes-start-tag "$PREVIOUS")
+          fi
+          gh release create "$VERSION" "${ARGS[@]}"
 
       - name: Update latest tag
         env:
diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
@@ -194,7 +194,7 @@ jobs:
   manual-review:
     if: |
       github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/review') &&
+      startsWith(github.event.comment.body, '/review') &&
       (github.event.comment.user.type != 'Bot' || github.event.comment.user.login == 'docker-agent[bot]')
     runs-on: ubuntu-latest
     env:
diff --git a/.github/workflows/self-review-pr.yml b/.github/workflows/self-review-pr.yml
@@ -105,7 +105,7 @@ jobs:
   # Triggers when someone comments /review on a PR
   # ==========================================================================
   manual-review:
-    if: github.event.issue.pull_request && contains(github.event.comment.body, '/review')
+    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/review')
     runs-on: ubuntu-latest
     env:
       HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
diff --git a/action.yml b/action.yml
@@ -475,7 +475,6 @@ runs:
           exit 1
         fi
         echo "verbose-log-file=$VERBOSE_LOG_FILE" >> $GITHUB_OUTPUT
-        echo "verbose-log-timestamp=$(date +%s%N)" >> $GITHUB_OUTPUT
         echo "Verbose log file: $VERBOSE_LOG_FILE"
 
         # Build command arguments array (SECURE: no eval!)
@@ -702,7 +701,7 @@ runs:
       if: always() && steps.run-agent.outputs.verbose-log-file != ''
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
-        name: cagent-verbose-log-${{ github.run_id }}-${{ github.run_attempt }}-${{ steps.run-agent.outputs.verbose-log-timestamp }}
+        name: cagent-verbose-log-${{ github.run_id }}-${{ github.run_attempt }}-${{ github.job }}
         path: ${{ steps.run-agent.outputs.verbose-log-file }}
         retention-days: 14
         if-no-files-found: ignore
diff --git a/review-pr/README.md b/review-pr/README.md
@@ -125,7 +125,7 @@ permissions:
 
 jobs:
   review:
-    if: github.event.issue.pull_request && contains(github.event.comment.body, '/review')
+    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/review')
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
diff --git a/review-pr/agents/pr-review.yaml b/review-pr/agents/pr-review.yaml
@@ -126,6 +126,8 @@ agents:
       You MUST always deliver a review, even if no issues were found.
 
       - **GitHub posting mode**: Post via `gh api` (see Posting format below).
+        ALWAYS use the `COMMENT` event — never `APPROVE` or `REQUEST_CHANGES`.
+        This ensures the bot never grants merge authority or blocks merging.
       - **Console output mode**: Output markdown (see Console format below). Never call `gh api`.
 
       ## Verify Line Numbers (REQUIRED)
@@ -134,33 +136,44 @@ agents:
       If grep returns a different number than the drafter, use grep's. If the file is not
       found on disk, use diff hunk headers instead. Never read the same file more than twice.
 
+      ## IMPORTANT: Comment-Only Reviews
+
+      This action MUST NEVER use `APPROVE` or `REQUEST_CHANGES` events.
+      ALWAYS use the `COMMENT` event when posting reviews via `gh api`.
+      Some repositories lack branch protection rules — using `APPROVE` would let PRs
+      merge without human review, and `REQUEST_CHANGES` would block merging without
+      human ability to dismiss. The bot provides feedback only, never merge authority.
+
       ## Decision Rules (MANDATORY — strict lookup, not a judgment call)
 
       1. **Filter**: Remove findings where `in_changed_code == false` or `in_diff == false`
-      2. **Decide** based ONLY on the highest remaining severity. Do NOT override:
-         - ANY high severity CONFIRMED/LIKELY → `REQUEST_CHANGES`
-         - ANY medium severity CONFIRMED/LIKELY (but NO high) → `COMMENT`
-         - Only low/DISMISSED or no findings → `APPROVE`
-
-      **Example**: 5 medium-severity CONFIRMED findings → `COMMENT` (NOT REQUEST_CHANGES).
-      The number of findings does not matter. Only use REQUEST_CHANGES if at least one
-      finding has severity "high". Do NOT escalate based on quantity or your own judgment.
+      2. **Classify** (for informational labeling in the review summary):
+         - CRITICAL = high severity CONFIRMED/LIKELY
+         - NOTABLE = medium severity CONFIRMED/LIKELY
+         - MINOR = everything else
+      3. **Label the assessment** (informational only — does NOT change the event type):
+         - ANY CRITICAL findings → label as "🔴 CRITICAL" in the summary
+         - ANY NOTABLE findings (no CRITICAL) → label as "🟡 NEEDS_ATTENTION"
+         - Only MINOR or no findings → label as "🟢 APPROVE"
+      4. **Post the review**: The GitHub review event is ALWAYS `COMMENT`,
+         regardless of the assessment label. Never use `APPROVE` or `REQUEST_CHANGES`.
 
       ## Posting Format (GitHub posting mode)
 
       Convert each CONFIRMED/LIKELY finding to an inline comment:
       ```json
       {"path": "file.go", "line": 123, "body": "**ISSUE**\n\nDETAILS\n\n<!-- cagent-review -->"}
       ```
-      Post: `echo '{"body":"## Review Summary\n\n...","event":"EVENT","comments":[...]}' | gh api repos/{owner}/{repo}/pulls/{pr}/reviews --input -`
+      Post: `echo '{"body":"## Review Summary\n\n...","event":"COMMENT","comments":[...]}' | gh api repos/{owner}/{repo}/pulls/{pr}/reviews --input -`
 
       The `<!-- cagent-review -->` marker MUST be on its own line, separated by a blank line
       from the content. Do NOT include it in console output mode.
 
       ## Console Format
 
       ```
-      ## Review: [APPROVE|COMMENT|REQUEST_CHANGES]
+      ## Review: COMMENT
+      ### Assessment: [🟢 APPROVE|🟡 NEEDS_ATTENTION|🔴 CRITICAL]
       ### Summary
       <assessment>
       ### Findings
