docker · xenoscopic · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025
@@ -4,8 +4,8 @@ on:
   workflow_dispatch:
     inputs:
       pull_request_number:
-        description: "Optional pull request number to review"
-        required: false
+        description: "Pull request number to review"
+        required: true
         default: ""
       agent:
         description: "Optional reviewer agent (claude or codex)."
@@ -402,11 +402,13 @@ jobs:
               # Review succeeded - determine conclusion from labels.
               conclusion=$(determine_conclusion "$labels_path")
 
-              # Build summary text.
+              # Build summary text with beta preamble.
+              beta_notice=$'**⚠️ Beta Feature:** This automated security review is designed to aid human assessment and may contain spurious findings. Please use your judgment when evaluating the results.\n\n'
+
               if [ "$review_type" = "differential" ]; then
-                summary="Differential review completed (${base_commit:0:7}...${head_commit:0:7})"
+                summary="${beta_notice}Differential review completed (${base_commit:0:7}...${head_commit:0:7})"
               else
-                summary="Full code review completed at ${head_commit:0:7}"
+                summary="${beta_notice}Full code review completed at ${head_commit:0:7}"
               fi
 
               # Read labels for summary.
@@ -416,26 +418,18 @@ jobs:
               fi
 
               # Read report and truncate if necessary.
-              beta_preamble=$'**⚠️ Beta Feature:** This automated security review is designed to aid human assessment and may contain spurious findings. Please use your judgment when evaluating the results.\n\n---\n\n'
-
               if [ -s "$report_path" ]; then
                 report_text=$(cat "$report_path")
                 report_size=${#report_text}
 
-                # Account for preamble size.
-                preamble_size=${#beta_preamble}
-                max_report_size=$((max_check_output_size - preamble_size))
-
-                if [ "$report_size" -gt "$max_report_size" ]; then
+                if [ "$report_size" -gt "$max_check_output_size" ]; then
                   # Truncate and add notice.
-                  truncate_at=$((max_report_size - 200))
+                  truncate_at=$((max_check_output_size - 200))
                   report_text="${report_text:0:$truncate_at}"
                   report_text=$''"${report_text}"$'\n\n---\n\n**Note:** Report truncated due to size limits. Full report available in workflow artifacts.'
                 fi
-
-                report_text="${beta_preamble}${report_text}"
               else
-                report_text="${beta_preamble}No report generated."
+                report_text="No report generated."
               fi
 
               # Update check with results.

@@ -147,12 +147,6 @@ jobs:
               fi
             fi
 
-            # Check PR limit for new branches only.
-            if [ "$branch_exists" = false ] && [ -n "$new_pr_limit" ] && [ "$new_pr_count" -ge "$new_pr_limit" ]; then
-              echo "New PR quota reached ($new_pr_limit); skipping $server."
-              continue
-            fi
-
             # Apply the patch onto a fresh branch for this server.
             git checkout -B "$branch" origin/main
             if ! git apply "$patch"; then
@@ -182,6 +176,12 @@ jobs:
                 failed_servers+=("$server (update)")
               fi
             else
+              # Check PR limit before creating new PR.
+              if [ -n "$new_pr_limit" ] && [ "$new_pr_count" -ge "$new_pr_limit" ]; then
+                echo "New PR quota reached ($new_pr_limit); skipping $server."
+                continue
+              fi
+
               if gh pr create \
                 --title "chore: update pin for ${server}" \
                 --body "Automated commit pin update for ${server}." \