Skip to content

feat(compliance): migrate dev-lead trigger label claude→dev-lead + re-trigger persistent findings#400

Merged
don-petry merged 13 commits into
mainfrom
feat/compliance-audit-retrigger-dev-lead
Jun 6, 2026
Merged

feat(compliance): migrate dev-lead trigger label claude→dev-lead + re-trigger persistent findings#400
don-petry merged 13 commits into
mainfrom
feat/compliance-audit-retrigger-dev-lead

Conversation

@don-petry

@don-petry don-petry commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Two tightly-coupled changes to the org compliance automation:

  1. Re-trigger dev-lead on findings that persist across audits. The weekly audit creates issues labeled for dev-lead pickup, but issues:labeled fires only once per label application — so a finding that persists to the next audit (issue already open + labeled) never re-engaged dev-lead. The audit now cycles the trigger label (remove + re-add) on persistent findings, skipping issues dev-lead is already working (open dev-lead/issue-<n> PR or fresh in-progress label).

  2. Migrate the trigger label claudedev-lead. Removes all live uses of the legacy claude issue-trigger label. dev-lead already accepts dev-lead; claude was backward-compat from the retired claude.yml (deprecated 2026-05). The audit now creates, applies, and cycles dev-lead.

Changes

  • scripts/lib/dev-lead-retrigger.sh (new) — shared dl_dev_lead_active() + dl_cycle_trigger_label(), used by both the weekly audit and the daily retrigger. Includes pagination, a stale-in-progress cap (IN_PROGRESS_MAX_HOURS, default 4h), and URL-encoded label paths.
  • scripts/compliance-audit.sh — re-trigger persistent findings; create/label/cycle with dev-lead.
  • scripts/compliance-retrigger.shTRIGGER_LABEL default now dev-lead; restores the label if a cycle half-fails.
  • .github/workflows/compliance-audit-and-improvement.yml — new issues_retriggered output/summary; analyze prompt instructs dev-lead labels.
  • scripts/migrate-claude-label.sh (new) — one-time, idempotent, DRY_RUN-default runtime migration: per repo with a claude label, ensure dev-lead exists, add dev-lead to every open claude issue (skip those already labeled), then delete the claude label object.

Deliberately left untouched (not the trigger label)

Required-status-check drift logic matching check names like claude-code / claude; deprecated claude.yml checks; CLAUDE.md checks; historical claude.yml reference docs; claude-code-action / OAuth token.

Runtime migration scope (dry-run)

8 repos, 131 open claude issues (87 already on dev-lead → skipped), 44 to re-label, 8 label objects to delete. The live re-label+delete runs separately with the org token after merge.

Companion PR in .github-private removes the claude branch from dev-lead-intent.sh and updates the spec.

Verification

shellcheck clean (4 scripts), actionlint clean, unit-tested the shared lib with a mocked gh (7/7), migration dry-run validated.

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Added automated label re-engagement capability for agent task assignment.
    • Introduced new migration tooling to consolidate agent labeling across the organization.
  • Chores

    • Updated compliance audit workflows to use the new agent labeling standard.
    • Migrated from legacy agent label to current labeling convention throughout automation systems.

… audits

The weekly compliance audit creates issues with the `claude` label so the
dev-lead agent (which listens on issues:labeled) picks them up and opens a fix
PR. But dev-lead fires only once per label application: when a finding persists
to the next audit, the issue is already open and already labeled, so the
existing code's `--add-label claude` was a no-op that emitted no event — the
finding sat unaddressed until the separate daily compliance-retrigger sweep
happened to catch it.

Now, when the audit finds an issue still open, it re-engages dev-lead directly
by cycling the `claude` label (remove + re-add), which re-fires issues:labeled.
It skips issues dev-lead is already working (open dev-lead/issue-<n> PR or
`in-progress` label) so active work is never interrupted or duplicated.

Chose label-cycling over a new repository_dispatch type: dev-lead already
handles issues:labeled natively, so no changes to its event surface or intent
classifier are needed, and it matches the proven mechanism the daily
compliance-retrigger already uses.

- Extract the shared primitives (dl_dev_lead_active, dl_cycle_trigger_label)
  into scripts/lib/dev-lead-retrigger.sh, sourced by both compliance-audit.sh
  and compliance-retrigger.sh so they stay in sync with dev-lead's branch
  naming. This also fixes a latent prefix-collision bug: the old has_open_pr
  matched "dev-lead/issue-12-..." for issue 1 (now requires the trailing "-").
- Add an `in-progress` label guard (previously only open-PR was checked).
- Surface a new `retriggered` count in issue-counts.json, the audit step
  summary, the analyze job's data, and the Phase 6 report table.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 6, 2026 13:12
@don-petry don-petry requested a review from a team as a code owner June 6, 2026 13:12
@coderabbitai

coderabbitai Bot commented Jun 6, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 35 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: dd71bc0f-1523-4638-a748-1c32de57a584

📥 Commits

Reviewing files that changed from the base of the PR and between f7f5fd1 and 14d80d2.

📒 Files selected for processing (3)
  • scripts/compliance-retrigger.sh
  • scripts/lib/dev-lead-retrigger.sh
  • scripts/migrate-claude-label.sh
📝 Walkthrough

Walkthrough

This PR completes a migration from legacy claude issue labeling to canonical dev-lead labeling across compliance workflows. It introduces a shared library for detecting dev-lead activity and re-triggering label events, updates the workflow and audit/retrigger scripts to use these primitives, and adds a one-time migration utility.

Changes

Dev-lead migration and retrigger system

Layer / File(s) Summary
Shared dev-lead retrigger library
scripts/lib/dev-lead-retrigger.sh
New library exports dl_dev_lead_active (checks GitHub for open dev-lead PRs and non-stale in-progress label) and dl_cycle_trigger_label (removes and re-adds a label to trigger webhook re-engagement).
Workflow metric and label updates
.github/workflows/compliance-audit-and-improvement.yml
All issue labels changed from claude to dev-lead in prompt instructions, label-creation rules, and issue-edit commands. Workflow now parses and exports issues_retriggered metric, passes it to Claude prompt, and displays it in Phase 6 summary.
Audit script library integration and label handling
scripts/compliance-audit.sh
Sources shared library; adds ISSUES_RETRIGGERED counter. Existing issues now use dl_dev_lead_active check + dl_cycle_trigger_label re-trigger (with fallback to ensure label) instead of unconditional label edits. New/umbrella issues use dev-lead label. JSON and markdown reporting extended with retriggered count.
Retrigger script library adoption and legacy migration pass
scripts/compliance-retrigger.sh
Delegates dev-lead logic to shared library via dl_dev_lead_active and dl_cycle_trigger_label; removes local helpers. Introduces TRIGGER_LABEL (dev-lead) and LEGACY_TRIGGER_LABEL (claude) for transition. Stale-issue loop updated with library functions and skip/retrigger/fallback handling. Adds second pass to find legacy-labeled issues and promote them with TRIGGER_LABEL.
One-time org-wide label migration script
scripts/migrate-claude-label.sh
New utility uses dl_dev_lead_active to safely migrate all open issues from claude to dev-lead label across non-archived repos, skipping active dev-lead work, optionally deleting old label, and reporting metrics.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • petry-projects/.github#13: Introduced the original claude labeling in compliance audit workflow that this PR replaces with dev-lead.
  • petry-projects/.github#12: Introduced the compliance audit script (scripts/compliance-audit.sh) logic that this PR extends with dev-lead retrigger integration.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the two main objectives: migrating the trigger label from claude to dev-lead and implementing re-triggering logic for persistent findings.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/compliance-audit-retrigger-dev-lead

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a shared helper library scripts/lib/dev-lead-retrigger.sh to centralize the logic for re-engaging the dev-lead agent on persistent or stale compliance issues by cycling their trigger labels. Both scripts/compliance-audit.sh and scripts/compliance-retrigger.sh are updated to source this library, ensuring consistency and tracking re-triggered counts. The review feedback highlights important improvements: robustly handling null values in jq when querying open PRs, avoiding redundant label additions when the agent is already active, checking the return status of the label-cycling operation to prevent incorrect metrics, and using a more idiomatic jq filter for checking the in-progress status.

Comment thread scripts/lib/dev-lead-retrigger.sh Outdated
Comment thread scripts/compliance-audit.sh
Comment thread scripts/compliance-retrigger.sh Outdated
Comment thread scripts/lib/dev-lead-retrigger.sh Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bb2602afc8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/lib/dev-lead-retrigger.sh Outdated
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves the org compliance automation by reliably re-triggering the dev-lead agent when a compliance finding persists across audit runs, using a shared helper library to keep the weekly audit and daily retrigger sweep consistent.

Changes:

  • Introduces a shared Bash library to detect “dev-lead already active” and to cycle the trigger label (remove → re-add) to re-fire issues:labeled.
  • Updates both the weekly audit and daily retrigger scripts to use the shared logic and to skip issues already in progress (open PR or in-progress label).
  • Adds a new retriggered metric to issue-counts.json and surfaces it through workflow outputs and reporting tables.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
scripts/lib/dev-lead-retrigger.sh New shared helpers for detecting active dev-lead work and cycling the trigger label.
scripts/compliance-retrigger.sh Switches stale-issue retriggering to the shared helpers and adds in-progress guarding.
scripts/compliance-audit.sh Re-triggers dev-lead for persistent findings by cycling claude, while avoiding active issues, and tracks ISSUES_RETRIGGERED.
.github/workflows/compliance-audit-and-improvement.yml Plumbs the new issues_retriggered count into job outputs and reporting.

Comment thread scripts/lib/dev-lead-retrigger.sh Outdated
Comment thread scripts/lib/dev-lead-retrigger.sh Outdated
Comment thread scripts/compliance-retrigger.sh Outdated
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a714f5f0e3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/lib/dev-lead-retrigger.sh Outdated
Comment thread scripts/lib/dev-lead-retrigger.sh Outdated
…v-lead`

Removes all live uses of the legacy `claude` issue-trigger label in favour of
the canonical `dev-lead` label. dev-lead already accepts the `dev-lead` label;
`claude` was only kept as backward-compat from the retired claude.yml workflow
(deprecated 2026-05). Keeping both meant compliance findings were tagged with a
legacy label that overlapped a deprecated agent.

Code/workflow changes (the audit now creates, applies, and cycles `dev-lead`):
- compliance-audit.sh: ensure_audit_label creates `dev-lead`; issue creation and
  the persistent-finding re-trigger use `dev-lead`.
- compliance-retrigger.sh: TRIGGER_LABEL default is now `dev-lead`.
- compliance-audit-and-improvement.yml: the analyze prompt instructs Claude to
  create/label issues with `dev-lead`.
- Left untouched (not the trigger label): required-status-check drift logic that
  matches check NAMES like `claude-code / claude`, the deprecated claude.yml
  checks, CLAUDE.md checks, and the historical claude.yml reference docs.

Runtime migration tooling:
- New scripts/migrate-claude-label.sh — one-time, idempotent, DRY_RUN-default
  migration that, per repo carrying a `claude` label: ensures `dev-lead` exists,
  adds `dev-lead` to every open `claude`-labelled issue (skipping those that
  already have it, so no duplicate triggers), then deletes the `claude` label.
  Dry-run across the org: 8 repos, 131 open issues (87 already on `dev-lead`),
  44 to re-label, 8 label objects to delete.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@don-petry don-petry changed the title feat(compliance): re-trigger dev-lead on findings that persist across audits feat(compliance): migrate dev-lead trigger label claude→dev-lead + re-trigger persistent findings Jun 6, 2026
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (applied)

Changes committed and pushed.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0b62668d85

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/migrate-claude-label.sh Outdated
Comment thread scripts/migrate-claude-label.sh
Comment thread scripts/migrate-claude-label.sh Outdated
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 6, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead please review and address the outstanding review comments on this PR. The unresolved, still-current items are all in scripts/migrate-claude-label.sh:

  • P1 (line ~114): Preserve the old label when re-labeling fails — do not delete the claude label in a repo if adding dev-lead to any of its open issues failed, to avoid losing the trigger label on an unmigrated issue.
  • P2 (line ~88): Paginate the open-issue lookup (gh issue list defaults can miss issues beyond the first page / --limit); ensure all open claude-labeled issues are migrated.
  • P2 (line ~124): Ensure the repo scan covers all org repos (the --limit may truncate large orgs).

The earlier review threads on dev-lead-retrigger.sh and compliance-retrigger.sh are already addressed by your prior commits (they're marked outdated) — please resolve those threads. Keep shellcheck clean.

@don-petry

Copy link
Copy Markdown
Contributor Author

@dev-lead the three review comments on scripts/migrate-claude-label.sh are still open and need code changes. Please apply these exact fixes and keep shellcheck clean:

1. P2 — paginate open-issue lookup (migrate_repo, ~line 85): gh issue list defaults to 30 results. Add an explicit high limit so all open issues are migrated:

issues=$(gh issue list --repo "$ORG/$repo" --label "$OLD_LABEL" --state open \
  --limit 1000 --json number -q '.[].number' 2>/dev/null || echo "")

2. P1 — don't delete the old label if any re-label failed (migrate_repo, ~line 87–114): Track per-repo failures and guard the delete. In the add branch, on failure set repo_failed=1 (declare local repo_failed=0 before the loop). Then gate step 3:

if [ "$DELETE_OLD_LABEL" = "true" ] && [ "$repo_failed" -eq 0 ]; then
  ... delete ...
elif [ "$repo_failed" -ne 0 ]; then
  warn "  keeping '$OLD_LABEL' on $repo — one or more re-labels failed"
fi

3. P2 — scan all repos (main, ~line 124): gh repo list --limit 200 can truncate large orgs. Either raise the limit (e.g. --limit 1000) or paginate. Raising to --limit 1000 is fine.

Then resolve these three threads and the already-fixed (outdated) threads on dev-lead-retrigger.sh / compliance-retrigger.sh.

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — on-mention (applied)

Changes committed and pushed.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 592a793660

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/migrate-claude-label.sh
Comment thread scripts/compliance-retrigger.sh
@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — on-mention (applied)

Changes committed and pushed.

@sonarqubecloud

sonarqubecloud Bot commented Jun 6, 2026

Copy link
Copy Markdown

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-reviews (no-changes)

Agent reasoning
Addressed 0 threads:
(no open threads — all 20 review threads are already resolved)
Tier 1 blocker check:
- CI: No failures; 2 checks IN_PROGRESS (CodeQL, SonarCloud), all others SUCCESS/SKIPPED
- Reviews: coderabbitai latest state = DISMISSED (CHANGES_REQUESTED was superseded by subsequent reviews)
- Review decision: REVIEW_REQUIRED (no approver yet — not a Tier 1 blocker)
Test verification: N/A — no code changes made
Files changed: none
```

@don-petry

Copy link
Copy Markdown
Contributor Author

Dev-Lead — fix-bot-comment (no-changes)

Agent reasoning
Issues addressed: 0
Files changed: none
Skipped (informational): 0
```
No action required — zero Tier 1 blockers exist. The PR is ready for merge.

don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 6, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@don-petry

Copy link
Copy Markdown
Contributor Author

@donpetry-bot this PR is clean and ready for review — all CI checks are green, all review threads are resolved, and the bot review comments (codex/copilot/coderabbit) have been addressed across several rounds. Please do a fresh review and, if it looks good, approve.

@donpetry-bot

Copy link
Copy Markdown
Contributor

@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes.

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 14d80d24f982d9c27bf5187dd385f98b1a21812d
Review mode: triage-approved (single reviewer)

Summary

Migrates the claude issue-trigger label to dev-lead across compliance automation and adds a re-engagement mechanism so dev-lead is re-triggered on findings that persist across weekly audits. Introduces a shared helper library (scripts/lib/dev-lead-retrigger.sh) used by both the weekly audit and the daily retrigger sweep so they stay in sync on dev-lead's branch-naming convention. The migration script is DRY_RUN-default and skips repos where one or more re-labels failed (preserving the legacy label so issues are not orphaned).

Linked issue analysis

No Closes #N references — this is direct refactor/migration work owned by the repo owner. Scope is well-described in the PR body (re-trigger mechanism + label migration + companion .github-private PR for the dev-lead intent script).

Findings

No blocking issues. The triage tier classified this as low-risk; on confirmation:

  • Changes are scoped to compliance automation: label name rename in workflow prompts, a shared bash library with pagination + URL encoding + fail-closed API error handling, and an idempotent migration script.
  • Safety nets observed: PR lookup pagination, IN_PROGRESS_MAX_HOURS cap on stale in-progress claims (with stale-claim cleanup), repo_failed gate that preserves the old label if any re-label failed, fail-closed behavior on API errors to avoid duplicate dev-lead work.
  • shellcheck + actionlint clean; SonarCloud, CodeQL, ShellCheck, Lint, Agent Security Scan, and gitleaks all green.
  • All 22 prior review threads (gemini, copilot, codex, coderabbit) are resolved after iterative dev-lead fix cycles. No unresolved human or bot concerns remain.
  • No secrets, auth, crypto, schema, or CI-permission changes. GHA workflow edits are limited to label names in agent prompts and a new issues_retriggered output/summary row.

CI status

All required checks passing: Lint, ShellCheck, SonarCloud, CodeQL, Analyze (actions), Agent Security Scan, Secret scan (gitleaks), pr-auto-review check-and-dispatch. Audits skipped for ecosystems not present (npm/pnpm/cargo/pip/govulncheck). mergeStateStatus is BLOCKED only because review approval is required — which this review provides.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@don-petry don-petry merged commit e1f6b5d into main Jun 6, 2026
21 checks passed
@don-petry don-petry deleted the feat/compliance-audit-retrigger-dev-lead branch June 6, 2026 17:20
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 7, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 7, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 7, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 7, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 8, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 8, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…-trigger persistent findings (#400)

* feat(compliance): re-trigger dev-lead on findings that persist across audits

The weekly compliance audit creates issues with the `claude` label so the
dev-lead agent (which listens on issues:labeled) picks them up and opens a fix
PR. But dev-lead fires only once per label application: when a finding persists
to the next audit, the issue is already open and already labeled, so the
existing code's `--add-label claude` was a no-op that emitted no event — the
finding sat unaddressed until the separate daily compliance-retrigger sweep
happened to catch it.

Now, when the audit finds an issue still open, it re-engages dev-lead directly
by cycling the `claude` label (remove + re-add), which re-fires issues:labeled.
It skips issues dev-lead is already working (open dev-lead/issue-<n> PR or
`in-progress` label) so active work is never interrupted or duplicated.

Chose label-cycling over a new repository_dispatch type: dev-lead already
handles issues:labeled natively, so no changes to its event surface or intent
classifier are needed, and it matches the proven mechanism the daily
compliance-retrigger already uses.

- Extract the shared primitives (dl_dev_lead_active, dl_cycle_trigger_label)
  into scripts/lib/dev-lead-retrigger.sh, sourced by both compliance-audit.sh
  and compliance-retrigger.sh so they stay in sync with dev-lead's branch
  naming. This also fixes a latent prefix-collision bug: the old has_open_pr
  matched "dev-lead/issue-12-..." for issue 1 (now requires the trailing "-").
- Add an `in-progress` label guard (previously only open-PR was checked).
- Surface a new `retriggered` count in issue-counts.json, the audit step
  summary, the analyze job's data, and the Phase 6 report table.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(reviews): address review comments [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

* feat(compliance): migrate dev-lead trigger label from `claude` to `dev-lead`

Removes all live uses of the legacy `claude` issue-trigger label in favour of
the canonical `dev-lead` label. dev-lead already accepts the `dev-lead` label;
`claude` was only kept as backward-compat from the retired claude.yml workflow
(deprecated 2026-05). Keeping both meant compliance findings were tagged with a
legacy label that overlapped a deprecated agent.

Code/workflow changes (the audit now creates, applies, and cycles `dev-lead`):
- compliance-audit.sh: ensure_audit_label creates `dev-lead`; issue creation and
  the persistent-finding re-trigger use `dev-lead`.
- compliance-retrigger.sh: TRIGGER_LABEL default is now `dev-lead`.
- compliance-audit-and-improvement.yml: the analyze prompt instructs Claude to
  create/label issues with `dev-lead`.
- Left untouched (not the trigger label): required-status-check drift logic that
  matches check NAMES like `claude-code / claude`, the deprecated claude.yml
  checks, CLAUDE.md checks, and the historical claude.yml reference docs.

Runtime migration tooling:
- New scripts/migrate-claude-label.sh — one-time, idempotent, DRY_RUN-default
  migration that, per repo carrying a `claude` label: ensures `dev-lead` exists,
  adds `dev-lead` to every open `claude`-labelled issue (skipping those that
  already have it, so no duplicate triggers), then deletes the `claude` label.
  Dry-run across the org: 8 repos, 131 open issues (87 already on `dev-lead`),
  44 to re-label, 8 label objects to delete.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore: apply manual instructions [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

* fix(reviews): address review comments [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

* chore: apply manual instructions [skip ci-relay]

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 12, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 12, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 14, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 14, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 18, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 18, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 25, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 25, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 25, 2026
dev-lead historically accepted both `dev-lead` and `claude` labels on
issues:labeled, with `claude` kept as backward-compat from the retired
claude.yml workflow. We are removing the `claude` label org-wide, so the
classifier now routes only the `dev-lead` label to the `issue` intent; a
`claude`-labeled issue is skipped like any other non-trigger label.

- dev-lead-intent.sh: `dev-lead|claude)` → `dev-lead)`.
- test_intent_issue.bats: the backward-compat test now asserts `claude` → skip.
- spec.md: issue intent triggers on `dev-lead` only.

Companion to petry-projects/.github#400, which migrates the compliance audit
to create/cycle the `dev-lead` label and ships the one-time runtime migration
(re-label existing `claude` issues, then delete the `claude` label).

Note: the `@claude` trigger *phrase* (TRIGGER_PHRASES) is unaffected — this
change is only about the issue *label*.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
don-petry added a commit to petry-projects/.github-private that referenced this pull request Jun 25, 2026
…kflow (#445)

The dev-lead reusable workflow (used fleet-wide via per-repo stubs) had a
TRUSTED_BOTS default that omitted chatgpt-codex-connector[bot], while the
standalone dev-lead.yml default and the unit tests
(test_intent_reviews.bats: "codex COMMENTED → fix-reviews") both include and
expect it. Because the reusable's default is what actually runs and
vars.TRUSTED_BOTS is unset, the intent classifier matched codex against a list
that excluded it (is_trusted_bot uses exact `grep -qxF`) and skipped every
codex review with intent=skip reason=untrusted-reviewer.

Effect: dev-lead silently ignored all chatgpt-codex-connector reviews across
every repo — codex review comments were only ever actioned when a trusted human
re-issued them via an @dev-lead mention (on-mention intent). Observed on
petry-projects/.github#400, where codex's review-driven dev-lead runs
(27066366290 / 27066366309) both classified skip/untrusted-reviewer.

Fix: add chatgpt-codex-connector[bot] to the TRUSTED_BOTS default in both
dev-lead-reusable.yml and dev-lead-intent.sh, matching the standalone workflow
and the existing tests. codex's event login is `chatgpt-codex-connector[bot]`
(type Bot), so the exact-match check now succeeds.

Co-authored-by: donpetry-bot <{}+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants