docs: refresh consumer-facing README for Phase 5+ container-pinned workflows #222

cbeaulieu-gt merged 2 commits into main from
Conversation
…rkflows (#219)

1. Intro: remove stale "two actions" count; list all five capabilities
2. Auth line: clarify CLAUDE_CODE_OAUTH_TOKEN is universal; APP_ID+APP_PRIVATE_KEY required for write-capable actions
3. Actions table: add apply-fix row
4. Permissions Reference: add packages: read to all four existing rows; add Apply Fix row; add container-pull warning paragraph citing #192
5. CI Failure quick-start: replace ci-failure.yaml@v2 with claude-ci-failure.yml@v2; add packages: read
6. Lint Fix quick-start: replace claude-lint-fix.yml@v2 with claude-lint-failure.yml@v2; add packages: read
7. Apply Fix manual trigger: replace apply-fix.yml with claude-apply-fix.yml in gh CLI example
8. New section: GHCR package access for org-wide consumers — covers Internal visibility for intra-org, per-repo grant for cross-org, and why packages: read is always required

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude finished @cbeaulieu-gt's task in 2m 16s

PR Review Complete

I've reviewed PR #222 which refreshes the consumer-facing README for Phase 5+ container-pinned workflows. The PR successfully addresses most of the stated objectives, but I found two critical inconsistencies in the quick-start examples that need fixing before merge.

What's Working Well ✅

Accurate updates (6/8 changes):

The new GHCR section is particularly well-written. The distinction between "necessary condition" (visibility setting) and "also necessary" (

Critical Issues Found 🚨

The permissions table (lines 28-29) correctly lists

1. PR Review quick-start (lines 52-54)

Current:

```yaml
permissions:
  contents: read
  pull-requests: write
```

Should be (per permissions table line 28):

```yaml
permissions:
  contents: read
  pull-requests: write
  packages: read
```

2. Tag Claude quick-start (lines 85-88)

Current:

```yaml
permissions:
  contents: write
  issues: write
  pull-requests: write
```

Should be (per permissions table line 29):

```yaml
permissions:
  contents: write
  issues: write
  pull-requests: write
  packages: read
```

Impact: Consumers who copy-paste these examples will hit the

Why this matters: The PR correctly updates the CI Failure, Lint Fix, and Apply Fix examples (changes #5, #6, #7), but misses the two most commonly used workflows. This creates an inconsistency where the permissions table says one thing but the examples show another.

Recommendations

Test Plan Status

From the PR body test plan:

Summary

Strong PR that addresses the Phase 5 documentation gap and the #192 trap. The permissions table, GHCR section, and 3/5 quick-start examples are excellent. The two missing

Recommended action: Add
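The drift the review found (a permissions table that requires `packages: read` while two quick-start YAML blocks omit it) is mechanical enough to check in CI. The script below is an added example, not code from PR #222 or from the workflow repository it documents: it walks the fenced yaml blocks of a README, finds every `permissions:` map, and reports any map that does not grant `packages: read` (or `write`, or the `read-all`/`write-all` shorthand). It checks each map separately because a job-level `permissions:` replaces the workflow-level map for that job, so a correct top-level map does not protect a job that overrides it. The sample README, the `example-org/claude-workflows` repository and the `claude-pr-review.yml`/`claude-tag.yml` file names are constructed placeholders; only `claude-apply-fix.yml` is a name the page itself uses.

```shell
#!/bin/sh
# Added example, not code from PR #222 or the workflow repository it documents.
# Reports every `permissions:` map inside the fenced yaml blocks of a README
# that does not grant packages: read. Container-pinned reusable workflows pull
# their image from GHCR with the caller's token before any step runs, so a
# caller that omits the scope fails at pull time. Each map is judged on its
# own: a job-level map replaces the workflow-level one for that job.
set -eu

# Three backticks built indirectly so the fence can appear inside this file.
TICKS=$(printf '\140\140\140')

# Constructed sample README; repository and workflow names are placeholders.
write_sample_readme() {
  f=$(mktemp)
  cat > "$f" <<EOF
# Quick start (constructed sample)

${TICKS}yaml
name: PR Review
permissions:
  contents: read
  pull-requests: write
  packages: read
jobs:
  review:
    uses: example-org/claude-workflows/.github/workflows/claude-pr-review.yml@v2
${TICKS}

${TICKS}yaml
name: Tag Claude
permissions:
  contents: write
  issues: write
  pull-requests: write
jobs:
  tag:
    uses: example-org/claude-workflows/.github/workflows/claude-tag.yml@v2
${TICKS}

${TICKS}yaml
name: Job-level override
permissions: read-all
jobs:
  fix:
    permissions:
      contents: write
    uses: example-org/claude-workflows/.github/workflows/claude-apply-fix.yml@v2
${TICKS}

${TICKS}bash
gh workflow run claude-apply-fix.yml
${TICKS}
EOF
  printf '%s\n' "$f"
}

# Prints one MISSING line per offending permissions map; exits 1 if any.
check_readme_permissions() {
  awk -v fence="$TICKS" '
    function indent(line,   s) { s = line; sub(/^[ \t]*/, "", s); return length(line) - length(s) }
    function endmap() {
      if (in_perms && !has_pkg) {
        printf "MISSING packages: read in yaml block %d (%s), permissions map at line %d\n", blk, name, pstart
        bad++
      }
      in_perms = 0
    }
    $0 == (fence "yaml") || $0 == (fence "yml") { in_yaml = 1; blk++; name = "(unnamed)"; next }
    in_yaml && $0 == fence { endmap(); in_yaml = 0; next }
    !in_yaml { next }
    /^[ \t]*$/ { next }
    /^name:/ { name = $0; sub(/^name:[ \t]*/, "", name); next }
    /^[ \t]*permissions:[ \t]*(read-all|write-all)[ \t]*$/ { next }
    /^[ \t]*permissions:[ \t]*$/ { endmap(); pind = indent($0); pstart = FNR; in_perms = 1; has_pkg = 0; next }
    in_perms {
      if (indent($0) <= pind) { endmap() }
      else {
        key = $1; sub(/:$/, "", key)
        if (key == "packages" && ($2 == "read" || $2 == "write")) has_pkg = 1
        next
      }
    }
    END { if (in_yaml) endmap(); exit (bad > 0) }
  ' "$1"
}

README_FILE=$(write_sample_readme)
if check_readme_permissions "$README_FILE"; then
  echo "OK: every permissions map grants packages: read"
else
  echo "DRIFT: the maps listed above would fail the implicit image pull"
fi
rm -f "$README_FILE"
```

Run against the real README with `check_readme_permissions README.md`; the non-zero exit makes it usable as a lint step. Against the constructed sample it flags the Tag Claude block and the job-level override, and leaves the PR Review block and the bash fence alone.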
…Tag Claude quick-starts

The bot reviewer flagged two Critical inconsistencies: the permissions table correctly required packages: read for every container-pinned workflow, but the PR Review and Tag Claude quick-start YAML blocks (the first two examples consumers see) were missing it. Adding now so the examples match the table and consumers don't hit the #192 manifest-unknown trap.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Claude finished @cbeaulieu-gt's task in 51s

PR Review: Incremental Changes ✅

Reviewed the latest push (bed91dd → 8d9a133). Both critical issues from the previous review have been addressed.

What Changed

The author added

Review Assessment

Status: Ready to merge 🎉

The incremental changes are minimal, focused, and correct. They directly address the two critical inconsistencies identified in the previous review:

No Issues Found

The PR now achieves its stated goal: "refresh consumer-facing README for Phase 5+ container-pinned workflows" with accurate examples that prevent the #192 trap.

Recommendation: Merge when CI passes.
* feat: add shadow-mode quality gate (#185 Phase 2)

  Adds a structured-marker parser to pr-review/action.yml that runs alongside the existing prose-regex gate. Parses the HTML-comment claude-pr-review-summary-v1 block emitted by the Phase 1 persona, derives a verdict from the per-severity counts, and posts an advisory claude-pr-review/quality-gate-shadow commit status with an agree/disagree/marker_missing label.

  Ships:
  - pr-review/lib/parse-marker.sh — sourceable parser, single source of truth
  - pr-review/tests/marker-cases/ — 5-fixture corpus including PR #222's pre-marker review body (the #223 false-negative regression case)
  - pr-review/tests/run-marker-cases.sh — test driver, modeled on claude-command-router/tests/run-cases.sh
  - .github/workflows/test.yml — runs the marker corpus on every PR
  - .github/workflows/marker-emission-aggregate.yml — weekly cron that surfaces marker_missing events as a deduped GitHub issue, providing the data source for verifying the Phase 3 cutover criterion

  The shadow status is advisory only and must NOT be added to branch protection. The existing claude-pr-review/quality-gate remains authoritative until #185 Phase 3 cutover.

  Refs #185 #183 #223 #227

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* review: address actionlint shellcheck warnings on aggregator workflow

  - SC2016 (3 blocks): suppress at run: block level via shellcheck disable comment (repo convention for jq queries inside single quotes)
  - SC2034: remove unused `state` variable
  - SC2129: combine consecutive >> $GITHUB_ENV redirects into a single block-redirect

  No functional change.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* review: move shellcheck disable directives inside run: script bodies

  The YAML-comment-above-run approach did not suppress shellcheck warnings in workflow files (only works for composite actions). Moving the disable comment to the first line of the embedded bash script body is the correct form for workflow run: blocks.

  No other change.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* review: add per-statement shellcheck disable before each jq/printf block

  SC2016 requires per-statement disable directives when the affected lines are not the first statement in the script — a single disable at the top only covers the immediately following statement (set -uo pipefail), not subsequent ones. Add # shellcheck disable=SC2016 immediately before each multi-line jq/printf command that contains $ in single-quoted strings.

  No functional change.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

--------

Co-authored-by: Claude Auto-Fix <claude-autofix@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
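The commit above describes the shadow gate in prose only: parse a structured marker from the review body, derive a verdict from the severity counts, compare it with the prose-regex gate, and label the result agree / disagree / marker_missing. The script below is an added example of that shape, not the project's pr-review/lib/parse-marker.sh. Everything not stated on the page is assumed: the marker is taken to be `key: value` lines inside an HTML comment opened by `<!-- claude-pr-review-summary-v1`, the verdict rule is "any critical or major finding fails", and the prose gate is stood in for by a small case-insensitive regex. The four review bodies are constructed; the one without a marker mirrors the pre-marker PR #222 body that the commit cites as the #223 false-negative case, and the disagree case shows why a structured marker beats the prose regex. The script computes labels only and does not post a commit status.

```shell
#!/bin/sh
# Added example, not the project's pr-review/lib/parse-marker.sh. Marker
# layout, verdict rule and prose regex are assumptions, not the project's.
set -eu

MARKER_TAG='claude-pr-review-summary-v1'

# Print the key: value lines inside the marker comment; exit 1 if absent.
extract_marker() {
  printf '%s\n' "$1" | awk -v tag="$MARKER_TAG" '
    index($0, "<!-- " tag) == 1 { inside = 1; found = 1; next }
    inside && $0 ~ /^-->/      { inside = 0; next }
    inside                      { print }
    END                         { exit (found ? 0 : 1) }'
}

# Count for one severity key from marker lines; 0 when the key is absent.
marker_count() {
  printf '%s\n' "$1" | awk -v k="$2" -F': *' '
    $1 == k { print $2 + 0; found = 1; exit }
    END     { if (!found) print 0 }'
}

# Assumed rule: any critical or major finding fails the gate.
marker_verdict() {
  c=$(marker_count "$1" critical)
  m=$(marker_count "$1" major)
  if [ "$c" -gt 0 ] || [ "$m" -gt 0 ]; then echo fail; else echo pass; fi
}

# Stand-in for the existing prose-regex gate (assumed pattern).
prose_verdict() {
  if printf '%s\n' "$1" | grep -Eiq 'critical issue|not ready|do not merge'
  then echo fail; else echo pass; fi
}

# Shadow label for one review body: agree | disagree | marker_missing.
shadow_label() {
  if ! marker=$(extract_marker "$1"); then echo marker_missing; return 0; fi
  mv=$(marker_verdict "$marker")
  pv=$(prose_verdict "$1")
  if [ "$mv" = "$pv" ]; then echo agree; else echo disagree; fi
}

# Constructed review bodies (not real bot output).
BODY_AGREE_FAIL=$(cat <<'EOF'
PR Review Complete
Critical Issues Found: two quick-start examples omit packages: read.
<!-- claude-pr-review-summary-v1
critical: 2
major: 0
minor: 1
-->
EOF
)
BODY_AGREE_PASS=$(cat <<'EOF'
PR Review: Incremental Changes
Status: Ready to merge. No issues found.
<!-- claude-pr-review-summary-v1
critical: 0
major: 0
minor: 0
-->
EOF
)
# Prose the regex misses, but the marker still carries a critical finding.
BODY_DISAGREE=$(cat <<'EOF'
PR Review Complete
Two blocking findings remain, see the inline comments above.
<!-- claude-pr-review-summary-v1
critical: 1
major: 0
minor: 0
-->
EOF
)
# Pre-marker body shape: the persona wrote prose only, so there is nothing to parse.
BODY_MISSING=$(cat <<'EOF'
PR Review Complete
Critical Issues Found: the permissions table and the examples disagree.
EOF
)

printf 'agree-fail  -> %s\n' "$(shadow_label "$BODY_AGREE_FAIL")"
printf 'agree-pass  -> %s\n' "$(shadow_label "$BODY_AGREE_PASS")"
printf 'disagree    -> %s\n' "$(shadow_label "$BODY_DISAGREE")"
printf 'missing     -> %s\n' "$(shadow_label "$BODY_MISSING")"
```

The disagree and marker_missing labels are the two signals the commit message builds on: disagree rows are the evidence for the Phase 3 cutover decision, and marker_missing rows are what the weekly aggregator would surface; neither should gate anything while the status is advisory.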
Summary

Closes #219.

Refreshes README.md so the consumer-facing surface reflects the Phase 5+ container-pinned reality. Audit (triggered by user wiring two intra-org consumer repos onto the system) found drift in 3 quick-start examples and a missing packages: read story that maps directly to the #192 trap.

Changes (8)

1. Intro: … @claude mentions, lint-failure, CI-failure, apply-fix.
2. Auth line: CLAUDE_CODE_OAUTH_TOKEN is universal; noted APP_ID + APP_PRIVATE_KEY are additionally required for every write-capable action.
3. Actions table: added apply-fix row.
4. Permissions Reference: added packages: read to every container-pinned row, added an "Apply Fix" row, added a paragraph explaining why the implicit docker pull (which runs before any step) requires the permission. Cites bug: 5 container-pinned workflows missing packages:read; all Claude CI jobs blocked #192.
5. CI Failure quick-start: ci-failure.yaml@v2 → claude-ci-failure.yml@v2; added packages: read.
6. Lint Fix quick-start: claude-lint-fix.yml@v2 → claude-lint-failure.yml@v2; added packages: read.
7. Apply Fix manual trigger: apply-fix.yml → claude-apply-fix.yml in the CLI example.
8. New section: GHCR package access for org-wide consumers: … packages: read on the caller workflow.

Test plan

- … packages: read for every container-pinned row
- … issue-219-readme-onboarding, not main
- … .github/workflows/lint.yml

Out of scope (follow-ups)

- examples/ directory with drop-in caller workflows
- docs/consumer-onboarding.md end-to-end walkthrough

🤖 Generated by Claude Code on behalf of @cbeaulieu-gt