chore: PR-only enforcement + code-reviewer-gate on main #7
Closes #6. Mirror of melon-monarch-cfo#100: apply PR-only enforcement and code-reviewer-gate to main.
- `.github/workflows/code-reviewer-gate.yml`: triggers on PR events and `issue_comment`; posts a commit status via the GitHub Statuses API.
- `scripts/check_reviewer_verdict.py`: Python helper for the workflow.
- `scripts/branch_protection_config.json`: committed protection config (enforce_admins, required_linear_history, code-reviewer-gate check).
- `scripts/apply_branch_protection.sh`: idempotent apply script.
- `.github/pull_request_template.md`: sentinel format + step-by-step instructions in "Required reviews" section.
- `AGENTS.md`: new "Merge policy" section.
Ordering constraint: do not run apply_branch_protection.sh until cfo retroactive M8 PRs are merged. See cfo#100.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mirror of melon-monarch-cfo fix commit (see cfo#101):
- check_reviewer_verdict.py: fix NoneType crash on deleted comments, block self-approval (author != PR_AUTHOR), take last matching verdict instead of first.
- workflow: pass PR_AUTHOR env var; --field per_page=100 for pagination; preserve author field in jq projection.
- apply_branch_protection.sh: add config-file existence check.
- PR template + AGENTS.md: top-level vs. review comment clarification; fix timing claim (~30 s → ~60 s).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
code-reviewer findings (v2 / post-fix)
All blockers from the initial review have been addressed. Same fixes as cfo PR #101 (v2 commit 20e4ed7):
For [code-reviewer] verdict: APPROVED
…ed verdicts
Mirror of cfo fix: code-reviewer agent posts verdicts as the repo owner; author-check would always filter them out. SHA-anchoring is the meaningful integrity mechanism. See cfo#101.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
code-reviewer verdict update (v3 — author-check revert)
Author check reverted to fix solo-contributor gate (same fix as cfo PR #101). All other v2 fixes retained.
[code-reviewer] verdict: APPROVED
Replace bash+Python implementation with cleaner JavaScript workflow
(same approach as companion cfo PR #103):
- code-reviewer-gate.yml: use actions/github-script@v7; `pending` on
push events; scan ALL comments on issue_comment, pick latest by
updated_at; supports edited verdicts; uses github.paginate for
reliable pagination. No Python script needed.
- Remove scripts/check_reviewer_verdict.py (no longer needed).
- scripts/branch_protection_config.json: add missing fields from cfo
config (require_code_owner_reviews, lock_branch, allow_fork_syncing).
- PR template + AGENTS.md: use simpler sentinel format (no SHA line
needed — gate uses time-ordering instead).
Sentinel: [code-reviewer] verdict: APPROVED
[code-reviewer] verdict: REQUEST_CHANGES
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
code-reviewer verdict (final)
Workflow updated to JavaScript approach matching cfo PR #103 (cleaner, Remaining items confirmed resolved:
[code-reviewer] verdict: APPROVED
- ci.yml: scope concurrency group per-job (group: ci-{ref}-{job}) to
prevent cross-job cancellation from leaving required checks in
`cancelled` state, which deadlocks PRs under branch protection.
- code-reviewer-gate.yml: use created_at (not updated_at) to determine
the "latest" verdict so editing an old APPROVED comment can't trump a
newer REQUEST_CHANGES verdict posted chronologically after it.
- apply_branch_protection.sh: fix copy-paste repo name in usage comment.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
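The ordering problem described in the commit message above (an edited old APPROVED outranking a newer REQUEST_CHANGES when comments are sorted by `updated_at`), as an added example that is not the workflow code from this PR. The function names, the line-anchored sentinel regex, the mapping of verdicts onto status states, and the sample comments are assumptions constructed for illustration.

```javascript
// Added example; sample comments are constructed, not taken from the PR.
// Assumption: the sentinel must start a line of the comment body.
const SENTINEL = /^\[code-reviewer\] verdict: (APPROVED|REQUEST_CHANGES)\b/m;

// Return the verdict of the newest sentinel comment, ordered by `orderBy`.
function latestVerdict(comments, orderBy = 'created_at') {
  let latest = null;
  for (const c of comments) {
    if (!c || typeof c.body !== 'string') continue; // deleted or empty comment
    const m = SENTINEL.exec(c.body);
    if (!m) continue; // ordinary discussion never changes the verdict
    const ts = Date.parse(c[orderBy]);
    if (Number.isNaN(ts)) continue;
    // >= keeps the later entry of the input list on a timestamp tie
    if (latest === null || ts >= latest.ts) latest = { verdict: m[1], ts };
  }
  return latest ? latest.verdict : null;
}

// Assumed mapping onto commit-status states (hypothetical helper).
function gateState(comments, orderBy = 'created_at') {
  const verdict = latestVerdict(comments, orderBy);
  if (verdict === 'APPROVED') return 'success';
  if (verdict === 'REQUEST_CHANGES') return 'failure';
  return 'pending';
}

// Constructed timeline: comment 1 is approved at 10:00, comment 2 requests
// changes at 11:00, then comment 1 is edited at 12:00 (bumping updated_at).
const SAMPLE_COMMENTS = [
  { id: 1, body: 'First pass.\n[code-reviewer] verdict: APPROVED',
    created_at: '2025-01-01T10:00:00Z', updated_at: '2025-01-01T12:00:00Z' },
  { id: 2, body: '[code-reviewer] verdict: REQUEST_CHANGES',
    created_at: '2025-01-01T11:00:00Z', updated_at: '2025-01-01T11:00:00Z' },
  { id: 3, body: 'Thanks, pushing a fix.',
    created_at: '2025-01-01T12:30:00Z', updated_at: '2025-01-01T12:30:00Z' },
  { id: 4, body: null,
    created_at: '2025-01-01T12:45:00Z', updated_at: '2025-01-01T12:45:00Z' },
];

console.log('created_at ordering:', gateState(SAMPLE_COMMENTS, 'created_at'));
console.log('updated_at ordering:', gateState(SAMPLE_COMMENTS, 'updated_at'));
```

Ordering by `created_at` keeps the gate failed on the constructed timeline, while `updated_at` lets the edited approval win.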
code-reviewer verdict (v4 — post review-fixes)
Two more issues addressed from second code-reviewer pass:
Fixed — ci.yml concurrency deadlock: Scoped concurrency group to
Fixed —
Fixed — apply_branch_protection.sh copy-paste: Wrong repo name in usage comment corrected.
Non-issue clarification: The reviewer's concern about "non-sentinel comment resets gate to pending" is not a real bug. When a non-sentinel comment triggers
[code-reviewer] verdict: APPROVED
Summary
Mirror of melon-monarch-cfo#101: apply the same PR-only enforcement and
`code-reviewer-gate` required status check to `melon-monarch-ingest/main`. Closes #6.
Primary PR: melon-lab-com/melon-monarch-cfo#101
Changes
- `.github/workflows/code-reviewer-gate.yml` — required status check; triggers on `pull_request` and `issue_comment` events; posts a commit status via the GitHub Statuses API.
- `scripts/check_reviewer_verdict.py` — Python helper called by the workflow.
- `scripts/branch_protection_config.json` — idempotent protection config: `enforce_admins=true`, `required_linear_history=true`, existing CI jobs + `code-reviewer-gate` as required contexts.
- `scripts/apply_branch_protection.sh` — idempotent re-apply script.
- `.github/pull_request_template.md` — sentinel format + instructions in "Required reviews".
- `AGENTS.md` — new "Merge policy" section.
Sentinel format
Test plan
Ordering constraint
Same as cfo: do not run `apply_branch_protection.sh` until cfo M8 retroactive PRs are merged. Activate both repos' protection in the same window after those land.
Data safety