You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The claude-pr-review/quality-gate commit-status check in pr-review/action.yml posted state: success with description "No Critical or High-Priority findings" on PR #222 even though the bot's review body contains:
A literal markdown heading ### Critical Issues Found 🚨
The phrase "two critical inconsistencies"
Two distinct issues labeled with sub-headings under the Critical heading
An explicit "Recommended action: ... before merge"
The gate's grep-based marker scan apparently doesn't match the heading style + phrasing this review used, so the gate fails open silently — exactly the trap milestone #8 was created to harden against.
Head OID:bed91dda0a2e4c3dad6aa8fe00d968f0eb33a805 (initial commit; review fired against this SHA)
Review: github-actions[bot] issue-comment id 4392784955, posted 2026-05-06T22:52:53Z
Status payload:gh api repos/glitchwerks/github-actions/commits/bed91dda0a2e4c3dad6aa8fe00d968f0eb33a805/status returns the claude-pr-review/quality-gate context with state: success, description: \"No Critical or High-Priority findings\"
The full review body is preserved on PR #222's conversation tab and contains an unambiguous "two critical issues" callout that the operator caught manually but the gate did not.
Why this matters
The gate is intended as a branch-protection ruleset requirement (#176). A false-success here means that under branch-protection enforcement, this PR would have been mergeable despite a real reviewer-flagged blocker. The whole point of the gate is to make Critical findings load-bearing on merge eligibility — a false-success is a complete failure of the contract, not a partial one.
The two findings on PR #222 happen to be small (missing packages: read lines in two YAML blocks), but the failure mode is independent of severity: any future review that uses similar heading/phrasing would also slip past the gate.
Hypothesis
The marker scan in pr-review/action.yml looks for some specific token set (likely literal strings like BLOCKING, CRITICAL, MAJOR, **Critical**). This review used:
### Critical Issues Found 🚨 (markdown H3 heading with emoji)
**two critical inconsistencies** (bold lowercase)
#### 1. PR Review quick-start / #### 2. Tag Claude quick-start (sub-headings, no severity tokens)
If the scan is case-sensitive on Critical only when bracketed by specific delimiters (e.g. **Critical** or [CRITICAL]), the lowercase + heading form would slip through.
Summary
The
claude-pr-review/quality-gatecommit-status check inpr-review/action.ymlpostedstate: successwith description "No Critical or High-Priority findings" on PR #222 even though the bot's review body contains:### Critical Issues Found 🚨The gate's grep-based marker scan apparently doesn't match the heading style + phrasing this review used, so the gate fails open silently — exactly the trap milestone #8 was created to harden against.
Reproducer
bed91dda0a2e4c3dad6aa8fe00d968f0eb33a805(initial commit; review fired against this SHA)4392784955, posted 2026-05-06T22:52:53Zgh api repos/glitchwerks/github-actions/commits/bed91dda0a2e4c3dad6aa8fe00d968f0eb33a805/statusreturns theclaude-pr-review/quality-gatecontext withstate: success,description: \"No Critical or High-Priority findings\"The full review body is preserved on PR #222's conversation tab and contains an unambiguous "two critical issues" callout that the operator caught manually but the gate did not.
Why this matters
The gate is intended as a branch-protection ruleset requirement (#176). A false-success here means that under branch-protection enforcement, this PR would have been mergeable despite a real reviewer-flagged blocker. The whole point of the gate is to make Critical findings load-bearing on merge eligibility — a false-success is a complete failure of the contract, not a partial one.
The two findings on PR #222 happen to be small (missing
packages: readlines in two YAML blocks), but the failure mode is independent of severity: any future review that uses similar heading/phrasing would also slip past the gate.Hypothesis
The marker scan in
pr-review/action.ymllooks for some specific token set (likely literal strings likeBLOCKING,CRITICAL,MAJOR,**Critical**). This review used:### Critical Issues Found 🚨(markdown H3 heading with emoji)**two critical inconsistencies**(bold lowercase)#### 1. PR Review quick-start/#### 2. Tag Claude quick-start(sub-headings, no severity tokens)If the scan is case-sensitive on
Criticalonly when bracketed by specific delimiters (e.g.**Critical**or[CRITICAL]), the lowercase + heading form would slip through.Relationship to existing issues
BLOCKER:the persona is instructed to use) would obviate this class of failure entirely. This issue is the concrete reproducer Adopt structured marker contract for quality-gate (replace grep) #185 has been missing.anthropics/claude-code-actionactual output #183 ("Validate quality-gate severity-marker regex againstanthropics/claude-code-actionactual output") — adjacent. Validate quality-gate severity-marker regex againstanthropics/claude-code-actionactual output #183 is about validating the regex against real output; this issue provides a real piece of output the regex demonstrably mishandles.gh apifailure #182 ("Quality-gate fails open on transientgh apifailure") — different failure mode (API error vs marker miss), but same shape of "gate fails open silently."Acceptance criteria
failurestate, notsuccess.pr-review/README.mdso future reviewer-persona changes don't drift away from it.Out of scope
8d9a133onissue-219-readme-onboarding.🤖 Generated by Claude Code on behalf of @cbeaulieu-gt