feat(compliance): migrate dev-lead trigger label claude→dev-lead + re-trigger persistent findings#400
Conversation
… audits The weekly compliance audit creates issues with the `claude` label so the dev-lead agent (which listens on issues:labeled) picks them up and opens a fix PR. But dev-lead fires only once per label application: when a finding persists to the next audit, the issue is already open and already labeled, so the existing code's `--add-label claude` was a no-op that emitted no event — the finding sat unaddressed until the separate daily compliance-retrigger sweep happened to catch it. Now, when the audit finds an issue still open, it re-engages dev-lead directly by cycling the `claude` label (remove + re-add), which re-fires issues:labeled. It skips issues dev-lead is already working (open dev-lead/issue-<n> PR or `in-progress` label) so active work is never interrupted or duplicated. Chose label-cycling over a new repository_dispatch type: dev-lead already handles issues:labeled natively, so no changes to its event surface or intent classifier are needed, and it matches the proven mechanism the daily compliance-retrigger already uses. - Extract the shared primitives (dl_dev_lead_active, dl_cycle_trigger_label) into scripts/lib/dev-lead-retrigger.sh, sourced by both compliance-audit.sh and compliance-retrigger.sh so they stay in sync with dev-lead's branch naming. This also fixes a latent prefix-collision bug: the old has_open_pr matched "dev-lead/issue-12-..." for issue 1 (now requires the trailing "-"). - Add an `in-progress` label guard (previously only open-PR was checked). - Surface a new `retriggered` count in issue-counts.json, the audit step summary, the analyze job's data, and the Phase 6 report table. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 42 minutes and 35 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThis PR completes a migration from legacy ChangesDev-lead migration and retrigger system
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
Code Review
This pull request introduces a shared helper library scripts/lib/dev-lead-retrigger.sh to centralize the logic for re-engaging the dev-lead agent on persistent or stale compliance issues by cycling their trigger labels. Both scripts/compliance-audit.sh and scripts/compliance-retrigger.sh are updated to source this library, ensuring consistency and tracking re-triggered counts. The review feedback highlights important improvements: robustly handling null values in jq when querying open PRs, avoiding redundant label additions when the agent is already active, checking the return status of the label-cycling operation to prevent incorrect metrics, and using a more idiomatic jq filter for checking the in-progress status.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bb2602afc8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
This PR improves the org compliance automation by reliably re-triggering the dev-lead agent when a compliance finding persists across audit runs, using a shared helper library to keep the weekly audit and daily retrigger sweep consistent.
Changes:
- Introduces a shared Bash library to detect “dev-lead already active” and to cycle the trigger label (remove → re-add) to re-fire
issues:labeled. - Updates both the weekly audit and daily retrigger scripts to use the shared logic and to skip issues already in progress (open PR or
in-progresslabel). - Adds a new
retriggeredmetric toissue-counts.jsonand surfaces it through workflow outputs and reporting tables.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/lib/dev-lead-retrigger.sh | New shared helpers for detecting active dev-lead work and cycling the trigger label. |
| scripts/compliance-retrigger.sh | Switches stale-issue retriggering to the shared helpers and adds in-progress guarding. |
| scripts/compliance-audit.sh | Re-triggers dev-lead for persistent findings by cycling claude, while avoiding active issues, and tracks ISSUES_RETRIGGERED. |
| .github/workflows/compliance-audit-and-improvement.yml | Plumbs the new issues_retriggered count into job outputs and reporting. |
Dev-Lead — fix-reviews (applied)Changes committed and pushed. |
Dev-Lead — review-changes (applied)Changes committed and pushed. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a714f5f0e3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…v-lead` Removes all live uses of the legacy `claude` issue-trigger label in favour of the canonical `dev-lead` label. dev-lead already accepts the `dev-lead` label; `claude` was only kept as backward-compat from the retired claude.yml workflow (deprecated 2026-05). Keeping both meant compliance findings were tagged with a legacy label that overlapped a deprecated agent. Code/workflow changes (the audit now creates, applies, and cycles `dev-lead`): - compliance-audit.sh: ensure_audit_label creates `dev-lead`; issue creation and the persistent-finding re-trigger use `dev-lead`. - compliance-retrigger.sh: TRIGGER_LABEL default is now `dev-lead`. - compliance-audit-and-improvement.yml: the analyze prompt instructs Claude to create/label issues with `dev-lead`. - Left untouched (not the trigger label): required-status-check drift logic that matches check NAMES like `claude-code / claude`, the deprecated claude.yml checks, CLAUDE.md checks, and the historical claude.yml reference docs. Runtime migration tooling: - New scripts/migrate-claude-label.sh — one-time, idempotent, DRY_RUN-default migration that, per repo carrying a `claude` label: ensures `dev-lead` exists, adds `dev-lead` to every open `claude`-labelled issue (skipping those that already have it, so no duplicate triggers), then deletes the `claude` label. Dry-run across the org: 8 repos, 131 open issues (87 already on `dev-lead`), 44 to re-label, 8 label objects to delete. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dev-Lead — review-changes (applied)Changes committed and pushed. |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0b62668d85
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@dev-lead please review and address the outstanding review comments on this PR. The unresolved, still-current items are all in
The earlier review threads on |
|
@dev-lead the three review comments on 1. P2 — paginate open-issue lookup ( 2. P1 — don't delete the old label if any re-label failed ( 3. P2 — scan all repos ( Then resolve these three threads and the already-fixed (outdated) threads on |
Dev-Lead — on-mention (applied)Changes committed and pushed. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 592a793660
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Dev-Lead — on-mention (applied)Changes committed and pushed. |
|
Dev-Lead — fix-reviews (no-changes)Agent reasoning |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@donpetry-bot this PR is clean and ready for review — all CI checks are green, all review threads are resolved, and the bot review comments (codex/copilot/coderabbit) have been addressed across several rounds. Please do a fresh review and, if it looks good, approve. |
|
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes. |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 14d80d24f982d9c27bf5187dd385f98b1a21812d
Review mode: triage-approved (single reviewer)
Summary
Migrates the claude issue-trigger label to dev-lead across compliance automation and adds a re-engagement mechanism so dev-lead is re-triggered on findings that persist across weekly audits. Introduces a shared helper library (scripts/lib/dev-lead-retrigger.sh) used by both the weekly audit and the daily retrigger sweep so they stay in sync on dev-lead's branch-naming convention. The migration script is DRY_RUN-default and skips repos where one or more re-labels failed (preserving the legacy label so issues are not orphaned).
Linked issue analysis
No Closes #N references — this is direct refactor/migration work owned by the repo owner. Scope is well-described in the PR body (re-trigger mechanism + label migration + companion .github-private PR for the dev-lead intent script).
Findings
No blocking issues. The triage tier classified this as low-risk; on confirmation:
- Changes are scoped to compliance automation: label name rename in workflow prompts, a shared bash library with pagination + URL encoding + fail-closed API error handling, and an idempotent migration script.
- Safety nets observed: PR lookup pagination,
IN_PROGRESS_MAX_HOURScap on stalein-progressclaims (with stale-claim cleanup),repo_failedgate that preserves the old label if any re-label failed, fail-closed behavior on API errors to avoid duplicate dev-lead work. - shellcheck + actionlint clean; SonarCloud, CodeQL, ShellCheck, Lint, Agent Security Scan, and gitleaks all green.
- All 22 prior review threads (gemini, copilot, codex, coderabbit) are resolved after iterative dev-lead fix cycles. No unresolved human or bot concerns remain.
- No secrets, auth, crypto, schema, or CI-permission changes. GHA workflow edits are limited to label names in agent prompts and a new
issues_retriggeredoutput/summary row.
CI status
All required checks passing: Lint, ShellCheck, SonarCloud, CodeQL, Analyze (actions), Agent Security Scan, Secret scan (gitleaks), pr-auto-review check-and-dispatch. Audits skipped for ecosystems not present (npm/pnpm/cargo/pip/govulncheck). mergeStateStatus is BLOCKED only because review approval is required — which this review provides.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-trigger persistent findings (#400) * feat(compliance): re-trigger dev-lead on findings that persist across audits The weekly compliance audit creates issues with the `claude` label so the dev-lead agent (which listens on issues:labeled) picks them up and opens a fix PR. But dev-lead fires only once per label application: when a finding persists to the next audit, the issue is already open and already labeled, so the existing code's `--add-label claude` was a no-op that emitted no event — the finding sat unaddressed until the separate daily compliance-retrigger sweep happened to catch it. Now, when the audit finds an issue still open, it re-engages dev-lead directly by cycling the `claude` label (remove + re-add), which re-fires issues:labeled. It skips issues dev-lead is already working (open dev-lead/issue-<n> PR or `in-progress` label) so active work is never interrupted or duplicated. Chose label-cycling over a new repository_dispatch type: dev-lead already handles issues:labeled natively, so no changes to its event surface or intent classifier are needed, and it matches the proven mechanism the daily compliance-retrigger already uses. - Extract the shared primitives (dl_dev_lead_active, dl_cycle_trigger_label) into scripts/lib/dev-lead-retrigger.sh, sourced by both compliance-audit.sh and compliance-retrigger.sh so they stay in sync with dev-lead's branch naming. This also fixes a latent prefix-collision bug: the old has_open_pr matched "dev-lead/issue-12-..." for issue 1 (now requires the trailing "-"). - Add an `in-progress` label guard (previously only open-PR was checked). - Surface a new `retriggered` count in issue-counts.json, the audit step summary, the analyze job's data, and the Phase 6 report table. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * feat(compliance): migrate dev-lead trigger label from `claude` to `dev-lead` Removes all live uses of the legacy `claude` issue-trigger label in favour of the canonical `dev-lead` label. dev-lead already accepts the `dev-lead` label; `claude` was only kept as backward-compat from the retired claude.yml workflow (deprecated 2026-05). Keeping both meant compliance findings were tagged with a legacy label that overlapped a deprecated agent. Code/workflow changes (the audit now creates, applies, and cycles `dev-lead`): - compliance-audit.sh: ensure_audit_label creates `dev-lead`; issue creation and the persistent-finding re-trigger use `dev-lead`. - compliance-retrigger.sh: TRIGGER_LABEL default is now `dev-lead`. - compliance-audit-and-improvement.yml: the analyze prompt instructs Claude to create/label issues with `dev-lead`. - Left untouched (not the trigger label): required-status-check drift logic that matches check NAMES like `claude-code / claude`, the deprecated claude.yml checks, CLAUDE.md checks, and the historical claude.yml reference docs. Runtime migration tooling: - New scripts/migrate-claude-label.sh — one-time, idempotent, DRY_RUN-default migration that, per repo carrying a `claude` label: ensures `dev-lead` exists, adds `dev-lead` to every open `claude`-labelled issue (skipping those that already have it, so no duplicate triggers), then deletes the `claude` label. Dry-run across the org: 8 repos, 131 open issues (87 already on `dev-lead`), 44 to re-label, 8 label objects to delete. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] * chore: apply manual instructions [skip ci-relay] --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dev-lead historically accepted both `dev-lead` and `claude` labels on issues:labeled, with `claude` kept as backward-compat from the retired claude.yml workflow. We are removing the `claude` label org-wide, so the classifier now routes only the `dev-lead` label to the `issue` intent; a `claude`-labeled issue is skipped like any other non-trigger label. - dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`. - test_intent_issue.bats: the backward-compat test now asserts `claude` → skip. - spec.md: issue intent triggers on `dev-lead` only. Companion to petry-projects/.github#400, which migrates the compliance audit to create/cycle the `dev-lead` label and ships the one-time runtime migration (re-label existing `claude` issues, then delete the `claude` label). Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this change is only about the issue *label*. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…kflow (#445) The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the standalone dev-lead.yml default and the unit tests (test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and expect it. Because the reusable's default is what actually runs and vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every codex review with intent=skip reason=untrusted-reviewer. Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across every repo — codex review comments were only ever actioned when a trusted human re-issued them via an @dev-lead mention (on-mention intent). Observed on petry-projects/.github#400, where codex's review-driven dev-lead runs (27066366290 / 27066366309) both classified skip/untrusted-reviewer. Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow and the existing tests. codex's event login is `chatgpt-codex-connector[bot]` (type Bot), so the exact-match check now succeeds. Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>



Summary
Two tightly-coupled changes to the org compliance automation:
Re-trigger dev-lead on findings that persist across audits. The weekly audit creates issues labeled for dev-lead pickup, but
issues:labeledfires only once per label application — so a finding that persists to the next audit (issue already open + labeled) never re-engaged dev-lead. The audit now cycles the trigger label (remove + re-add) on persistent findings, skipping issues dev-lead is already working (opendev-lead/issue-<n>PR or freshin-progresslabel).Migrate the trigger label
claude→dev-lead. Removes all live uses of the legacyclaudeissue-trigger label. dev-lead already acceptsdev-lead;claudewas backward-compat from the retiredclaude.yml(deprecated 2026-05). The audit now creates, applies, and cyclesdev-lead.Changes
scripts/lib/dev-lead-retrigger.sh(new) — shareddl_dev_lead_active()+dl_cycle_trigger_label(), used by both the weekly audit and the daily retrigger. Includes pagination, a stale-in-progresscap (IN_PROGRESS_MAX_HOURS, default 4h), and URL-encoded label paths.scripts/compliance-audit.sh— re-trigger persistent findings; create/label/cycle withdev-lead.scripts/compliance-retrigger.sh—TRIGGER_LABELdefault nowdev-lead; restores the label if a cycle half-fails..github/workflows/compliance-audit-and-improvement.yml— newissues_retriggeredoutput/summary; analyze prompt instructsdev-leadlabels.scripts/migrate-claude-label.sh(new) — one-time, idempotent, DRY_RUN-default runtime migration: per repo with aclaudelabel, ensuredev-leadexists, adddev-leadto every openclaudeissue (skip those already labeled), then delete theclaudelabel object.Deliberately left untouched (not the trigger label)
Required-status-check drift logic matching check names like
claude-code / claude; deprecatedclaude.ymlchecks;CLAUDE.mdchecks; historicalclaude.ymlreference docs;claude-code-action/ OAuth token.Runtime migration scope (dry-run)
8 repos, 131 open
claudeissues (87 already ondev-lead→ skipped), 44 to re-label, 8 label objects to delete. The live re-label+delete runs separately with the org token after merge.Verification
shellcheck clean (4 scripts), actionlint clean, unit-tested the shared lib with a mocked
gh(7/7), migration dry-run validated.🤖 Generated with Claude Code
Summary by CodeRabbit
Release Notes
New Features
Chores