Guard OpenCode approval with commit check-runs#271
Conversation
There was a problem hiding this comment.
Pull request overview
This PR strengthens the OpenCode approval gate by augmenting PR statusCheckRollup evidence with a fallback query to the head commit’s check-runs API, ensuring approval fails closed (or waits) when current-head peer checks are still pending even if the PR rollup is lagging.
Changes:
- Add
collect_current_head_commit_check_runs()to queryrepos/:owner/:repo/commits/:sha/check-runsand surface failed/pending check-runs. - Merge commit check-run evidence with existing PR rollup and Strix workflow-run evidence before deciding whether to approve.
- Extend the Strix quick-gate contract test to assert the new fallback behavior is wired in.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/ci/test_strix_quick_gate.sh | Adds contract assertions requiring the workflow to collect current-head commit check-runs evidence. |
| .github/workflows/opencode-review.yml | Implements commit check-runs collection and merges it into failed/pending peer-check gating evidence. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
OpenCode Review Overview
Pull request overviewOpenCode reviewed the current-head bounded evidence and found no blocking issues. FindingsNo blocking findings. SummaryApproval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: opencode-review.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: opencode-review.yml"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["CI script: test_strix_quick_gate.sh"]
S2 --> I2["review and security gate shell path"]
I2 --> R2["Review risk: CI script: test_strix_quick_gate.sh"]
R2 --> V2["bash -n plus Strix self-test"]
|
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including .github/workflows/opencode-review.yml, scripts/ci/test_strix_quick_gate.sh.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports test coverage as not applicable because no supported changed source files or package manifests were found.
Docstring coverage: coverage execution evidence reports docstring coverage as not applicable because no supported changed source files or package manifests were found.
DAG: CodeGraph/source-backed behavior map connects .github/workflows/opencode-review.yml to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: Workflow improvements with test coverage
- Head SHA:
fe2437feca8d7516fdaee2a666616aa7bc9b5e77 - Workflow run: 28499078689
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: opencode-review.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: opencode-review.yml"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["CI script: test_strix_quick_gate.sh"]
S2 --> I2["review and security gate shell path"]
I2 --> R2["Review risk: CI script: test_strix_quick_gate.sh"]
R2 --> V2["bash -n plus Strix self-test"]
Tried to create or update workflow without `workflows` permission
Summary
Why
OpenCode produced an APPROVE overview for ContextualWisdomLab/scopeweave#204 while
strixwas still visible as in_progress on the head commit check-runs API, but no formal APPROVED review was created and the PR remained blocked. The approval gate should fail closed or wait whenever current-head peer checks are still pending, even if PR statusCheckRollup lags.Verification
py -m pytest tests/test_pr_review_merge_scheduler.py tests/test_opencode_agent_contract.py tests/test_opencode_review_normalize_output.pyC:\Program Files\Git\bin\bash.exe -n scripts/ci/test_strix_quick_gate.shNote: full
test_strix_quick_gate.shunder Git Bash on this Windows workstation still fails in an existing normalizer fixture before this new assertion path; Linux CI remains authoritative for that shell suite.