chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133#406
Merged
petry-projects-dependabot-automrg[bot] merged 1 commit intoMay 28, 2026
Conversation
Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2c7fc09
into
main
24 of 25 checks passed
don-petry
pushed a commit
that referenced
this pull request
Jun 4, 2026
…33 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 4, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
pushed a commit
that referenced
this pull request
Jun 4, 2026
…33 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 7, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 7, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 7, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 8, 2026
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 8, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 8, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 8, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 12, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 12, 2026
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 13, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 13, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 14, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 14, 2026
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 14, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 15, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 18, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 18, 2026
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
This was referenced Jun 18, 2026
don-petry
added a commit
that referenced
this pull request
Jun 21, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 23, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 25, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 25, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 25, 2026
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 25, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 25, 2026
* ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: add debug logging to PR enumeration (simplified) Focus only on the enumerate step where the bug likely occurs. Log: PR_URL_OVERRIDE value, which path is taken, and candidate pool. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix: remove trailing whitespace from workflow files * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: donpetry-bot <donpetry-bot@users.noreply.github.com>
don-petry
added a commit
that referenced
this pull request
Jun 25, 2026
* chore: add CLAUDE.md with AGENTS.md reference * fix(reviews): address PR #152 review feedback - Add groups bundling to dependabot.yml for GitHub Actions updates - Add prompts/ and frameworks/ directories to CLAUDE.md Repository Purpose - Correct inaccurate "non-stub" claim; clarify which workflows are thin callers - Add Commands section with shellcheck lint command Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: Add fallback-model opus to CI Failure Analyst (#378) Enables automatic fallback to Opus when Sonnet is rate-limited, ensuring analyst continues functioning across rate limit boundaries. * test(dev-lead): runtime-build PEM markers in writer redaction test (#377) * test(dev-lead): runtime-build PEM markers in writer redaction test The previous form embedded the literal `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` directly in the stub script body, which trips gitleaks's `private-key` rule on any PR that re-touches the surrounding lines. Build the markers from a `dashes="-----"` variable inside a non-quoted heredoc so the source no longer contains the matching literal, matching the pattern already used by the post_no_changes PEM tests in test_fix_reviews.bats. No behaviour change — `bats tests/dev-lead/unit/test_engine_writer.bats` still 33/33 green. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * test(dev-lead): loosen negative greps to catch dash-trimmed PEM leaks Per Copilot review on #377: the previous revision tightened the negative assertions to `grep -F "$begin"` (full `-----BEGIN/END RSA PRIVATE KEY-----` form). That misses leaks where the wrapping dashes are altered or stripped but the key body / phrase still slips through. Revert the assertions to substring-only (`BEGIN RSA PRIVATE KEY` / `END RSA PRIVATE KEY`). The runtime-built stub markers stay — they're what keeps gitleaks happy. The substring on its own does not satisfy gitleaks's `private-key` rule (`-----BEGIN ... -----` is required), so this stays green on the secret scan while making the leak detection stricter. `bats tests/dev-lead/unit/test_engine_writer.bats` — 33/33 pass. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(dev-lead): centralize git identity setup; apply to fix-ci & fix-reviews (#379) `dev-lead-fix-issue.sh` defined a `setup_git_identity` helper locally and called it before `git commit`. The sibling scripts `dev-lead-fix-ci.sh` and `dev-lead-fix-reviews.sh` did not — so when triggered by `check_run` / `pull_request_review` / `issue_comment` events, they hit: fatal: empty ident name (for <(null)>) not allowed ##[error]git commit failed — check git identity configuration on the runner Observed in bmad-bgreat-suite#203 dev-lead runs (2026-05-23). The earlier fix in petry-projects/.github-private PR #326 only addressed the issue intent path; the review and CI intents kept silently failing. Refactor: - Move `setup_git_identity` to a shared lib at `scripts/lib/git-identity.sh`. - Source it from all three dev-lead entry-point scripts. - Call it before any `git commit` (was previously missing in fix-ci & fix-reviews). - Drop the inline duplicate in fix-issue. The helper itself is unchanged in behaviour. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dev-lead): expose GEMINI_API_KEY so gemini fallback actually works (#381) When Claude is rate-limited (e.g. monthly cap exhausted), engine.sh falls back to invoking the gemini CLI. The CLI fails immediately: Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA The workflow already exposes `GOOGLE_API_KEY` (the org secret) but the gemini CLI specifically looks for `GEMINI_API_KEY`. Alias one to the other in every env: block that calls a dev-lead script, so the fallback path actually has credentials when invoked. Observed during 2026-05-23 compliance blitz: Claude monthly limit hit (resets May 26), gemini fallback errored with the message above, every queued dev-lead run failed → no PRs created for ~33 cycled compliance issues. Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(engine): in-Claude model fallback before cross-provider switch (#380) * feat(engine): in-Claude model fallback before cross-provider switch When a Claude model hits a per-model rate limit, walk an in-engine model chain (e.g. sonnet → opus) before failing over to gemini/copilot. Each Claude model has its own TPM/RPM bucket, so swapping models within Claude often recovers without leaving the provider. Addresses the rate-limit gap referenced in issues #195 and #206. - Adds CLAUDE_TRIAGE/DEEP/AUDIT/ACTION/SINGLE_MODEL_CHAIN env vars, defaulted in engine.sh's claude branch (sonnet→opus for write/deep, opus→sonnet for audit/single, haiku→sonnet for triage; haiku is intentionally excluded from the write tier). - New _claude_chain_invoke helper walks the chain, detects rate-limit on each attempt, propagates non-rate-limit failures immediately, and returns 2 only when every model in the chain is rate-limited. - run_writer / run_agentic / run_triage (claude branches only) now route through the helper. Gemini and Copilot paths are unchanged. - Note: in-engine fallback only helps with per-model bucket limits; the shared daily subscription cap still requires the proactive guard tracked in issue #206. Tests: 11 new bats cases covering success-on-first, fallback-on-rl, exhaustion-on-all-rl, non-rl propagation, whitespace tolerance, per-tier chain selection, env override, and gemini-unchanged. All 191 existing unit tests still pass (the 2 pre-existing fix-issue rate-limit failures are unrelated to this change). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(review-comments): file-based RL detection, mktemp leak, workflow gate Addresses three gemini-code-assist findings on scripts/engine.sh and one pre-existing dev-lead.yml gating bug that surfaced as a failing dispatch job on this PR. engine.sh: - Split is_rate_limited into a regex helper (_rate_limit_pattern) plus two callers: the existing text-based is_rate_limited and a new is_rate_limited_files that runs grep directly on tmp files. Avoids loading multi-MB agent output into $(cat ...) shell substitutions. - Same treatment for parse_reset_time: extracted _emit_reset_iso and added parse_reset_time_files. - _claude_chain_invoke now uses both file-aware variants and cleans up partial mktemp output before degrading to passthrough on mktemp failure (previous code could leak stdout_tmp if stderr_tmp failed). dev-lead.yml: - The enable-auto-merge step's own env block sets INTENT_TYPE, which was in scope for the step's `if:` gate and made the gate always true whenever the step was reached, regardless of the upstream intent. Switched the gate to steps.intent.outputs.intent_type (step outputs are not shadowed by step env) and added the INTENT_PR_NUMBER guard already present in dev-lead-reusable.yml. This was the cause of the "PR_NUMBER is required" failures appearing under "Enable auto-merge on bot approval" on bot-approval events. tests: - test_fix_issue.bats: rewrote the gh stubs in the two rate-limit scenarios to dispatch on the gh subcommand ($1) instead of pattern matching against $*. The prompt body contains literal "gh api .../issues/..." example text from the prompt template, which made the api branch match before the copilot branch and masked the rate-limit path. Both tests were pre-existing failures on main. - test_engine_chain.bats: 5 new cases covering the file-aware helpers. Test plan: - bats tests/dev-lead/unit/*.bats tests/test_batch_fallback.bats tests/test_validate_engines.bats tests/fleet_report.bats → 241/241 - shellcheck scripts/engine.sh → no new findings - yamllint .github/workflows/dev-lead.yml → no new findings Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * fix(engine): address Codex review findings on chain semantics Codex flagged five behavioral bugs in the in-Claude chain logic. All addressed with regression tests (test_engine_chain.bats now at 22/22). P1 — Throttled-warning text triggered false rate-limit classification: The chain emitted `::warning::[claude] model X rate-limited (rc=N) ...` to stderr after each rate-limited attempt. Downstream callers that scan our stderr/stdout with is_rate_limited (e.g. review-one-pr.sh:346–350 on triage stderr; run_writer via `2>&1 | tee _tmp` then is_rate_limited_files _tmp) would then misclassify a SUCCESSFUL chain fallback as a provider rate-limit and force cross-provider switch (or, worse, remap a non-RL hard failure in a later attempt to exit 2). Reworded the warning to "throttled (rc=N) — trying next in chain" — none of the words match _rate_limit_pattern. Added a unit test asserting the warning string does not match is_rate_limited. P2 — Empty/whitespace-only chain was returning rate-limited exit code: `final_rc` was initialized to 2; if `chain_csv` parsed to zero valid models, the function returned 2, indistinguishable from a true rate-limit. Switched init to 0, and added an explicit "no valid model entries" guard that returns 1 (config error) when `attempted == 0`. P2 — run_agentic / run_writer ignored caller's explicit `model` argument: Previously the chain unconditionally replaced the caller-supplied model for any recognized tier, breaking the documented `[model]` parameter and any emergency model-pin use case. Now: if the caller passes the tier's default ENGINE_*_MODEL, the chain expands as before; if the caller passes any other model, treat it as an explicit pin (single-element chain). Verified with two new tests (one per function) plus a regression guard that confirms default behavior still expands the chain on rate-limit. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * fix(dev-lead): set git identity before commit in commit_and_push (#369) * fix(dev-lead): set git identity before commit in commit_and_push actions/checkout only sets local git config for the repo it checks out (.github-private). When the script operates on a cloned target repo in a separate workspace, user.name and user.email are unset, causing git commit to fail on all non-.github-private repos. Fixes #368 Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * style: improve git-identity.sh comments and conditionals - Add context about GitHub runner's missing git identity - Use Bash [[ ]] conditional instead of POSIX [ ] for consistency - Resolves CodeRabbit style suggestions Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> * chore(deps): bump anthropics/claude-code-action from 1.0.128 to 1.0.133 (#406) Bumps [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) from 1.0.128 to 1.0.133. - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@20c8abf...787c5a0) --- updated-dependencies: - dependency-name: anthropics/claude-code-action dependency-version: 1.0.133 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: simplify PR_URL_OVERRIDE logic to resolve enumeration bug ## Root Cause PR #403 was not reviewed despite the workflow running successfully. Investigation revealed that PR_URL_OVERRIDE was evaluating to an empty string for pull_request synchronize events, causing the workflow to skip enumeration entirely (or fall back to list-prs.sh and silently return no candidates). The bug occurred because: 1. The original YAML boolean expression used complex && operators within || chains: (github.event_name == 'pull_request' && github.event.pull_request.html_url) 2. For some event payloads, github.event.pull_request.html_url was null 3. OR the YAML expression evaluation has precedence/scoping issues with the && operator This caused PR_URL_OVERRIDE to fall through to the empty string default. ## Solution Simplify the expression to directly access github.event.pull_request.html_url without boolean event_name checks. This field is: - Populated for both 'pull_request' and 'pull_request_review' events - Null/falsy for other event types, which causes safe fallthrough to the next || clause - Already successfully used this way in the concurrency group logic ## Result - pull_request (synchronize, ready_for_review, reopened): PR_URL_OVERRIDE is set directly - pull_request_review (submitted, dismissed): PR_URL_OVERRIDE is set directly - check_suite: PR_URL_OVERRIDE is null, falls through to CHECK_SUITE_PRS logic - All other events: PR_URL_OVERRIDE is null, falls through to list-prs.sh Fixes #403 not being reviewed. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(dev-lead): resolve outdated comments in both applied and no-changes paths (#411) * fix: pin GitHub Actions to specific commit SHAs per compliance standard * fix(dev-lead): resolve outdated comments in both applied and no-changes paths The resolve_actor_outdated_threads() safety net was only called when the agent made no code changes. When the agent successfully addressed comments and pushed changes, outdated review threads were never resolved. Move resolve_actor_outdated_threads() outside the if/else block for: - fix-reviews intent - fix-bot-comment intent - review-changes intent This ensures outdated threads from the triggering reviewer are marked as resolved regardless of whether code changes were pushed or not. Tests: All 36 unit tests pass, including new tests validating that resolve_actor_outdated_threads is called in the applied path (dry-run). Resolves: PR #403 comment resolution issue Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> * fix(ci): correct invalid GitHub Actions cache SHA in daily-pr-review-health.yml The actions/cache@v5.0.5 SHA was pinned to an invalid commit hash (0c45773b...) that doesn't exist in the actions/cache repository. Updated to the correct SHA (27d5ce7f...) used elsewhere in the repo. This fixes the health check workflow which would fail on scheduled runs. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> --------- Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: claude-code[bot] <claude-code[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Gemini CLI <gemini-cli@example.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps anthropics/claude-code-action from 1.0.128 to 1.0.133.
Release notes
Sourced from anthropics/claude-code-action's releases.
Commits
787c5a0chore: bump Claude Code to 2.1.150 and Agent SDK to 0.3.1504257c8eUse workload identity federation for Claude auth in CI workflows (#1344)bbfaf8echore: bump Claude Code to 2.1.149 and Agent SDK to 0.3.1494481e6dchore: bump Claude Code to 2.1.148 and Agent SDK to 0.3.148661a6feAdd Workload Identity Federation (OIDC) authentication support (#1338)c9d66afchore: bump Claude Code to 2.1.147 and Agent SDK to 0.3.147Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)