ci: fix harness drift — Claude review, L4 trigger, Go 1.25.12#136
Merged
Conversation
Resolves GO-2026-5856 (Encrypted Client Hello privacy leak in crypto/tls), which govulncheck's drift sensor flags as "Found in: crypto/tls@go1.25.11 / Fixed in: crypto/tls@go1.25.12". All CI uses go-version-file: go.mod, so bumping the go directive upgrades the toolchain everywhere. No toolchain line needed; `go mod tidy` is a no-op. Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
The Claude Code Review workflow completed successfully on every PR but
never posted anything — the run's GITHUB_TOKEN had PullRequests: read, so
the action generated a review then silently dropped it ("No buffered
inline comments"). Bump pull-requests and issues to write so inline
comments and the summary comment can actually be posted back to the PR.
Auth (claude_code_oauth_token) and the /code-review plugin prompt are
left unchanged — the run logs show both already work.
Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
CLAUDE.md and docs/HARNESS.md describe L4 as running "on every PR", but the workflow only triggered on push to test/vm-e2e-speed and manual dispatch. Add a pull_request trigger (matching test.yml / harness.yml) so reality matches the documented intent. It stays non-blocking — it's not in .github/required-checks.txt — so it reports without gating merges. Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Fixes three harness/CI drifts surfaced while shipping #134: the Claude review bot never posts, L4 doesn't actually run on PRs, and the Go toolchain carries a known stdlib CVE.
Why?
Three independent, evidence-backed fixes (one commit each):
1.
ci: grant Claude review workflow write— theClaude Code Reviewworkflow completes successfully on every PR but posts nothing. Run logs show the job'sGITHUB_TOKENhadPullRequests: read; the action generates a review then silently drops it (No buffered inline comments). Bumpingpull-requests/issuestowritelets inline + summary comments post. Auth (claude_code_oauth_token) and the/code-reviewplugin prompt are left untouched — the logs show both already work, so this is the minimal fix.2.
ci: run L4 vm-e2e on every PR to main— CLAUDE.md and docs/HARNESS.md describe L4 as running "on every PR", butvm-e2e-spike.ymlonly triggered on push totest/vm-e2e-speed+ manual dispatch. Adds apull_requesttrigger (matchingtest.yml/harness.yml) so reality matches the doc. Stays non-blocking — not in.github/required-checks.txt.3.
chore(deps): bump Go toolchain to 1.25.12— resolves GO-2026-5856 (Encrypted Client Hello privacy leak incrypto/tls), which govulncheck's drift sensor flags asFound in: crypto/tls@go1.25.11 / Fixed in: crypto/tls@go1.25.12. All CI readsgo-version-file: go.mod.Testing
go vet ./...passes /make buildOK after the Go bumpyaml.safe_load)go mod tidyis a no-op (no toolchain line added)pull_requestevents use the PR-branch workflow files, so the Claude review here runs with the newwriteperms (fix Upload snapshot #1 verified if a review appears), the new L4 trigger fires on this PR (fix 🎉 Share your OpenBoot config! #2), and the harnessgovulncheckjob should stop reporting GO-2026-5856 (fix Dotfiles and Shell Setup Not Happening #3).Cross-repo checklist
openboot.dev? — NoNotes for reviewer
pathsfilter or drop the trigger.https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo