
feat(composer-update): refresh open vuln PR in place (unblock remediation, stop daily comments)#37

Merged: oxyc merged 1 commit into master from feat/vuln-pr-refresh-in-place on May 29, 2026

Conversation


@oxyc oxyc commented May 29, 2026

Addresses two operational problems with the vuln auto-update flow, plus test coverage.

Problem

Dedup was label-only: if any vuln-update PR was open, the action set skip=true and skipped both the update and PR-create steps, only posting a comment when findings differed. That meant:

  1. A single un-merged PR froze all future auto-remediation. New vulnerabilities were never composed into any branch — just mentioned in a comment on the stale PR. The fix for them didn't exist anywhere until that PR was merged/closed.
  2. Daily duplicate comments. The "differs?" check compared the new set against the marker in the PR body, which never updated. So once the set drifted (A → A,B), every nightly run saw "differs" and re-posted the same comment — every day until resolved.

Change

One rolling PR per label with three modes (decided in lib.sh, unit-tested):

| Mode   | When                                      | Action                |
|--------|-------------------------------------------|-----------------------|
| create | no open PR                                | open one (as before)  |
| skip   | open PR already records this exact set    | do nothing (silent)   |
| update | open PR, set changed                      | refresh in place      |

update force-pushes base + current fix to the existing PR's head branch, rewrites the body (so the set marker tracks the latest findings), and drops one timeline comment. Rewriting the marker is what makes a subsequently-unchanged set hit skip next run — which kills the daily-comment loop (#3). Unfixable new findings (no lock change) still refresh body/comment so they surface, without a force-push.

Net: the open PR always reflects the current full fix set; remediation no longer stalls behind an un-merged PR.

Tests (#6)

Extracted the decision logic to lib.sh (extract_pr_set() and decide_pr_action()) and added unit tests in lib-functions.test.sh (create / skip / update / set-grew / set-shrank / no-marker / marker extraction). The dedup path previously had zero coverage. Full suite: 5 files, 0 failures.

Notes

  • The gh/git calls (force-push, pr edit, pr comment) stay integration-level as before; the extracted decision logic is the unit-tested core.
  • Force-push clobbers manual edits to the auto-generated branch — acceptable for a bot-owned PR, and the goal is "always reflect current fix."
  • Out of scope by request: red-job semantics and auto-merge.

Takes effect downstream once v2 is moved to the merge commit.

🤖 Generated with Claude Code

…ust commenting

Before: dedup was label-only — if any vuln-update PR was open, the action
skipped both the update and PR-create steps and (when findings differed)
posted a comment. Consequences:
  - a single un-merged PR froze ALL future auto-remediation: new vulns
    were never composed into any branch, only mentioned in a comment;
  - the diff comparison was against the PR *body* marker, which never
    updated, so a drifted finding set re-posted the same comment every
    day until the PR was dealt with.

Now: one rolling PR per label with create / skip / update modes.
  - create: no open PR -> open one (unchanged).
  - skip:   open PR already records this exact set -> do nothing.
  - update: set changed -> refresh the existing PR in place: force-push
    base+current-fix to its head branch, rewrite the body (so the marker
    tracks the latest findings), and drop one timeline comment.

Rewriting the body marker is what makes a subsequently-unchanged set hit
'skip' next run — killing the daily-duplicate-comment loop. Unfixable new
findings (no lock change) still refresh the body/comment so they surface,
without a force-push.

Decision logic (extract_pr_set, decide_pr_action) extracted to lib.sh and
unit-tested (tests/lib-functions.test.sh) — previously the dedup path had
no coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
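The create / skip / update decision described in the PR body and the commit message, as an added stand-alone shell sketch (this is not the project's lib.sh). The body marker format (an HTML comment carrying a comma-separated package list), the function signatures and the placeholder package names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the project's lib.sh: a stand-alone sketch of the
# create / skip / update decision the PR describes. The body marker format
# (an HTML comment carrying a comma-separated package list) is assumed.
set -eu

MARKER_PREFIX='<!-- vuln-set:'

# Canonicalise a comma-separated set: trim, drop empties, sort, dedupe,
# so ordering in the body never causes a spurious "update".
normalize_set() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | awk '{ gsub(/^[ \t]+|[ \t]+$/, "") } length($0)' \
    | sort -u | paste -sd, -
}

# extract_pr_set: read a PR body on stdin, print the recorded set
# (normalised) or nothing when the body carries no marker.
extract_pr_set() {
  local raw
  raw=$(awk -v p="$MARKER_PREFIX" 'index($0, p) {
      s = substr($0, index($0, p) + length(p))
      sub(/-->.*$/, "", s); print s; exit }')
  normalize_set "$raw"
}

# decide_pr_action <open-pr yes|no> <recorded-set> <current-set>
# Prints create | skip | update.
decide_pr_action() {
  local has_pr=$1 recorded current
  recorded=$(normalize_set "$2")
  current=$(normalize_set "$3")
  if [ "$has_pr" != yes ]; then
    echo create   # no rolling PR yet: open one
  elif [ -n "$recorded" ] && [ "$recorded" = "$current" ]; then
    echo skip     # PR already records this exact set: stay silent
  else
    echo update   # set grew, shrank, or marker missing: refresh in place
  fi
}

# Constructed sample body (placeholder package names) for a stand-alone run.
SAMPLE_BODY='## Security update
<!-- vuln-set: vendor/pkg-a, vendor/pkg-b -->
Refreshes the lock file for the packages above.'

recorded=$(printf '%s\n' "$SAMPLE_BODY" | extract_pr_set)
decide_pr_action yes "$recorded" "vendor/pkg-b,vendor/pkg-a"   # skip
decide_pr_action yes "$recorded" "$recorded,vendor/pkg-c"      # update
decide_pr_action no  ""          "vendor/pkg-c"                # create
```

A missing marker deliberately maps to update rather than skip, which is what makes the rewritten body carry a marker from then on.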
@oxyc oxyc merged commit 703512c into master May 29, 2026
1 check passed
@oxyc oxyc deleted the feat/vuln-pr-refresh-in-place branch May 29, 2026 14:08