Skip to content

ci: fix harness drift — Claude review, L4 trigger, Go 1.25.12#136

Merged
fullstackjam merged 3 commits into
mainfrom
ci/harness-hygiene
Jul 9, 2026
Merged

ci: fix harness drift — Claude review, L4 trigger, Go 1.25.12#136
fullstackjam merged 3 commits into
mainfrom
ci/harness-hygiene

Conversation

@fullstackjam

Copy link
Copy Markdown
Member

What does this PR do?

Fixes three harness/CI drifts surfaced while shipping #134: the Claude review bot never posts, L4 doesn't actually run on PRs, and the Go toolchain carries a known stdlib CVE.

Why?

Three independent, evidence-backed fixes (one commit each):

1. ci: grant Claude review workflow write the Claude Code Review workflow completes successfully on every PR but posts nothing. Run logs show the job's GITHUB_TOKEN had PullRequests: read; the action generates a review then silently drops it (No buffered inline comments). Bumping pull-requests/issues to write lets inline + summary comments post. Auth (claude_code_oauth_token) and the /code-review plugin prompt are left untouched — the logs show both already work, so this is the minimal fix.

2. ci: run L4 vm-e2e on every PR to main CLAUDE.md and docs/HARNESS.md describe L4 as running "on every PR", but vm-e2e-spike.yml only triggered on push to test/vm-e2e-speed + manual dispatch. Adds a pull_request trigger (matching test.yml / harness.yml) so reality matches the doc. Stays non-blocking — not in .github/required-checks.txt.

3. chore(deps): bump Go toolchain to 1.25.12 resolves GO-2026-5856 (Encrypted Client Hello privacy leak in crypto/tls), which govulncheck's drift sensor flags as Found in: crypto/tls@go1.25.11 / Fixed in: crypto/tls@go1.25.12. All CI reads go-version-file: go.mod.

Testing

  • go vet ./... passes / make build OK after the Go bump
  • Both workflow YAMLs validated (yaml.safe_load)
  • go mod tidy is a no-op (no toolchain line added)
  • Self-verifying: this PR exercises its own fixes — pull_request events use the PR-branch workflow files, so the Claude review here runs with the new write perms (fix Upload snapshot #1 verified if a review appears), the new L4 trigger fires on this PR (fix 🎉 Share your OpenBoot config! #2), and the harness govulncheck job should stop reporting GO-2026-5856 (fix Dotfiles and Shell Setup Not Happening #3).

Cross-repo checklist

  • Does this need a docs/content update in openboot.dev? — No
  • Does this change the CLI ↔ server API contract? — No

Notes for reviewer

  • Purely in-YAML + go.mod; no repo settings, secrets, or branch-protection changes.
  • Fix Upload snapshot #1's write escalation only takes effect if the repo/org allows the workflow token to request write — that's the standard default; the review run on this PR is the empirical check.
  • Cost note on fix 🎉 Share your OpenBoot config! #2: L4 is a ~60-min macOS job (10× minute multiplier) and will now run on every PR. It's non-blocking; if the macOS minutes bite, dial it back with a paths filter or drop the trigger.

https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo

Resolves GO-2026-5856 (Encrypted Client Hello privacy leak in
crypto/tls), which govulncheck's drift sensor flags as "Found in:
crypto/tls@go1.25.11 / Fixed in: crypto/tls@go1.25.12". All CI uses
go-version-file: go.mod, so bumping the go directive upgrades the
toolchain everywhere. No toolchain line needed; `go mod tidy` is a no-op.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
The Claude Code Review workflow completed successfully on every PR but
never posted anything — the run's GITHUB_TOKEN had PullRequests: read, so
the action generated a review then silently dropped it ("No buffered
inline comments"). Bump pull-requests and issues to write so inline
comments and the summary comment can actually be posted back to the PR.

Auth (claude_code_oauth_token) and the /code-review plugin prompt are
left unchanged — the run logs show both already work.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
CLAUDE.md and docs/HARNESS.md describe L4 as running "on every PR", but
the workflow only triggered on push to test/vm-e2e-speed and manual
dispatch. Add a pull_request trigger (matching test.yml / harness.yml)
so reality matches the documented intent. It stays non-blocking — it's
not in .github/required-checks.txt — so it reports without gating merges.

Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
@github-actions github-actions Bot added the ci CI/CD changes label Jul 9, 2026
@fullstackjam fullstackjam merged commit 8615525 into main Jul 9, 2026
14 checks passed
@fullstackjam fullstackjam deleted the ci/harness-hygiene branch July 9, 2026 01:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI/CD changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Dotfiles and Shell Setup Not Happening Upload snapshot

1 participant