Projects: closeOnStatus enforcement + auto-add issues (projects-006)#32
jaeyunha wants to merge 1 commit into
Constraint: projects-006 QA/fix lane with .env.test, system Chrome, and per-worktree Cargo cache.
Rejected: weakening browser acceptance by skipping controls | kept accessible button-name, dead-link, desktop, and mobile coverage while removing unstable CSS :visible enumeration.
Confidence: high
Scope-risk: moderate
Directive: Keep project automation permission-scoped; repository-origin auto-add must not add items to projects the actor cannot write.
Tested: make doctor; env-loaded make check; project_workflow contract tests (5 passed); project_automation_invocation contract test (1 passed); system-Chrome projects-workflows Playwright (2 passed).
Not-tested: broad make test-e2e suite beyond focused projects-006 workflow smoke.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 58d8e03a1f
| SET state = 'closed', | ||
| closed_by_user_id = $2, | ||
| closed_at = COALESCE(closed_at, now()), | ||
| updated_at = now() | ||
| WHERE id = $1 AND state <> 'closed' |
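Review bot: In the SET clause, closed_at = COALESCE(closed_at, now()) keeps any earlier timestamp while closed_by_user_id = $2 is always overwritten, so a row that passes WHERE state <> 'closed' but still carries a closed_at from a previous close would record the new closer against the old close time. Either set closed_at = now() here or confirm that reopening an issue clears closed_at. The visible predicate matches on id and state only, so authorization has to be settled before this statement runs; a comment at the call site naming the check that covers it would help.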
Require repo write before closing linked issues
When a project writer adds an issue they can only read (allowed by add_project_item_for_actor via ensure_repository_readable) to a project with closeOnStatus enabled, this direct update closes that repository issue without the RepositoryRole::Write check that update_issue_state enforces. That lets project automation mutate issues in public/read-only repos the actor could not close through the issues API.
Useful? React with 👍 / 👎.
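The check this comment asks for, shown as an added example that is not code from this pull request or its repository: a self-contained Rust model in which the closeOnStatus handler goes through the same guarded close path as the issues API, so project write plus repository read is not enough to close an issue. Every type and function name in it is hypothetical.

```rust
// Added model, not the project's code; every name here is hypothetical.
#[derive(Clone, Copy, Debug, PartialEq, PartialOrd)]
enum RepoRole { NoAccess, Read, Write }

#[derive(Debug, PartialEq)]
enum CloseOutcome { Closed, AlreadyClosed, DeniedNoRepoWrite }

struct Issue { repo_id: u32, closed: bool, closed_by: Option<u32> }

struct Actor { id: u32, repo_roles: Vec<(u32, RepoRole)> }

impl Actor {
    fn role_on(&self, repo_id: u32) -> RepoRole {
        self.repo_roles.iter()
            .find(|(repo, _)| *repo == repo_id)
            .map(|(_, role)| *role)
            .unwrap_or(RepoRole::NoAccess)
    }
}

/// The one guarded close path, used by both the issues API and automation.
fn close_issue_for_actor(actor: &Actor, issue: &mut Issue) -> CloseOutcome {
    // Authorize against the issue's own repository, not the project.
    if actor.role_on(issue.repo_id) < RepoRole::Write {
        return CloseOutcome::DeniedNoRepoWrite;
    }
    if issue.closed { return CloseOutcome::AlreadyClosed; }
    issue.closed = true;
    issue.closed_by = Some(actor.id);
    CloseOutcome::Closed
}

/// closeOnStatus handler: being allowed to add the item to a project
/// (repo read is enough for that) grants no right to close the issue.
fn on_status_done(actor: &Actor, close_on_status: bool, issue: &mut Issue) -> Option<CloseOutcome> {
    if !close_on_status { return None; }
    Some(close_issue_for_actor(actor, issue))
}

fn main() {
    // Constructed sample: actor 7 reads repo 1 and writes repo 2.
    let actor = Actor { id: 7, repo_roles: vec![(1, RepoRole::Read), (2, RepoRole::Write)] };
    let mut read_only = Issue { repo_id: 1, closed: false, closed_by: None };
    let mut writable = Issue { repo_id: 2, closed: false, closed_by: None };
    println!("{:?}", on_status_done(&actor, true, &mut read_only));
    println!("{:?}", on_status_done(&actor, true, &mut writable));
}
```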
| ) | ||
| .await?; | ||
| notify_issue_assignees(pool, &issue, actor_user_id, &assignee_user_ids).await?; | ||
| run_project_repository_item_added_automation( |
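Review bot: notify_issue_assignees(...).await? sits directly before run_project_repository_item_added_automation(, so an error from the notification returns early and the item-added automation never runs for the issue passed as &issue. Consider running the automation before notifying, or handling the notification error without propagating it, and add a test for the path where notification fails.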
Refresh issues after automation closes them
When an item-added workflow sets status to Done with closeOnStatus, this call can close the issue row created above, but create_issue still indexes and returns the pre-automation Issue value. In that scenario the POST /issues response and search metadata report state: open even though the database row is already closed.
Useful? React with 👍 / 👎.
Workflow automation: auto-add new issues to projects on item_added, and closeOnStatus closes the linked issue when status hits done.
—
Preserved from QA-worktree cleanup on 2026-06-16. Web QA: biome lint clean; vitest green where unit tests exist. Rust build/test not run locally (would regenerate large target dirs). Opened against staging for review.
🤖 Generated with Claude Code