
fix(review): add PR type triage for non-application PRs#645

Open
gregario wants to merge 2 commits into garrytan:main from gregario:fix/review-pr-type-triage

Conversation

@gregario
Contributor

Summary

Fixes #356: /review blindspot on non-application code PRs.

  • PR type triage (Step 3.5): Classifies PRs by type (application, CI/infra, scripts, config, docs, tests, mixed) based on diff stat, then guides which checklist categories to prioritize vs skip. Application PRs behave exactly as before.
  • 3 new Pass 2 checklist categories:
    • Script & Shell Quality — shell options, shebangs, unquoted variables, portability
    • Platform & Convention Consistency — toolchain matching, naming conventions, CI platform mismatches
    • Configuration & Infrastructure Safety — hardcoded secrets, pull_request_target without SHA pinning, chmod 777, Docker tag pinning
  • E2E test (gate tier): Plants 3 security issues in a CI workflow (pull_request_target, hardcoded token, chmod 777 on Windows runner) and verifies the review catches at least 2/3.

Test plan

  • bun test passes (Tier 1 static validation)
  • E2E test registered in touchfiles as review-ci-blindspot (gate tier)
  • bun run gen:skill-docs regenerates cleanly
  • E2E eval: EVALS=1 bun test test/skill-e2e-review.test.ts (requires API key)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
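The three issue classes the E2E test plants in a CI workflow (pull_request_target without SHA pinning, a hardcoded token, chmod 777 on a Windows runner), shown as an added line-based triage over a workflow file; this is example code, not the project's review skill or its test. The sample workflow, the fake `ghp_` token value and the rule names are constructed for illustration.

```typescript
// Added example, not the project's own checker: line-based triage of a GitHub
// Actions workflow for the three issue classes the PR's E2E test plants.
type Finding = { rule: string; line: number; text: string };
const SHA_PINNED = /^[\w.-]+\/[\w.-]+(\/[^@]+)?@[0-9a-f]{40}$/; // owner/repo@<40-hex sha>
const SECRET_KEY = /^([\w-]*(?:token|secret|password|api_key)[\w-]*)\s*:\s*(.+)$/i;
const TOKEN_LIKE = /\b(gh[pousr]_[A-Za-z0-9]{20,}|[A-Za-z0-9_-]{32,})\b/; // ghp_... or long opaque literal
function triageWorkflow(yaml: string): Finding[] {
  const findings: Finding[] = [];
  // pull_request_target runs fork-triggered PRs with base-repo secrets.
  const prTarget = /^\s*(-\s*)?pull_request_target\b|^\s*on\s*:.*\bpull_request_target\b/m.test(yaml);
  const onWindows = /runs-on\s*:.*windows/i.test(yaml);
  yaml.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    const n = i + 1;
    // Rule 1: under pull_request_target, third-party actions must be pinned to a commit SHA, not a movable tag.
    const uses = line.match(/^-?\s*uses\s*:\s*(\S+)/);
    if (prTarget && uses && !uses[1].startsWith("./") && !SHA_PINNED.test(uses[1])) {
      findings.push({ rule: "pull_request_target_unpinned_action", line: n, text: line });
    }
    // Rule 2: a credential key holding a literal instead of ${{ secrets.* }} / ${{ github.token }}.
    const kv = line.match(SECRET_KEY);
    if (kv && !/\$\{\{\s*(secrets|github\.token)/.test(kv[2]) && TOKEN_LIKE.test(kv[2])) {
      findings.push({ rule: "hardcoded_token", line: n, text: line });
    }
    // Rule 3: chmod 777 in a run step; on a Windows runner it is also a no-op.
    if (/\bchmod\s+(-R\s+)?0?777\b/.test(line)) {
      findings.push({ rule: onWindows ? "chmod_777_on_windows_runner" : "chmod_777", line: n, text: line });
    }
  });
  return findings;
}
// Mirrors the PR's gate: how many of the three planted classes were caught (2 of 3 passes).
function plantedClassesCaught(findings: Finding[]): number {
  const seen = new Set(findings.map((f) => f.rule.replace(/_on_windows_runner$/, "")));
  return ["pull_request_target_unpinned_action", "hardcoded_token", "chmod_777"]
    .filter((c) => seen.has(c)).length;
}
// Constructed workflow carrying the three planted issues; the token value is fake.
const SAMPLE_WORKFLOW = `on:
  pull_request_target:
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: chmod 777 scripts/build.sh
        env:
          NPM_TOKEN: ghp_EXAMPLEFAKETOKEN0000000000000000000000
`;
```

Running `triageWorkflow(SAMPLE_WORKFLOW)` reports all three classes; replacing the tag with a 40-hex commit, the literal with `${{ secrets.NPM_TOKEN }}` and 777 with 755 brings the count to zero.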

gregario and others added 2 commits March 30, 2026 01:56
Add Step 3.5 to classify PRs by type (application, CI/infra, scripts,
config, docs, tests, mixed) and guide which review categories to
prioritize. Prevents false-confidence N/A results on non-application PRs.

Add three new Pass 2 checklist categories:
- Script & Shell Quality: shell options, shebangs, quoting, portability
- Platform & Convention Consistency: toolchain matching, naming conventions
- Configuration & Infrastructure Safety: hardcoded secrets, CI triggers

Closes garrytan#356

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Plants 3 issues in a CI workflow (pull_request_target without SHA
pinning, hardcoded token, chmod 777 on Windows runner) and verifies
the review catches at least 2 of 3.

Registered as gate tier — CI security issues should always be caught.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

/review blindspot on non-application code PRs
