fix(workflows): critical and high priority workflow optimizations (#3228)

claude · claude · commit edc2ac7332a2 · 2026-01-08T21:14:04.000Z
Implements critical and high priority fixes from issue #3228 workflow optimization report. ## Critical Fixes 1. **Race condition prevention in spec merging** - Added concurrency control to spec-create.yml merge job - Uses group 'spec-merge-main' with cancel-in-progress: false - Queues merge operations instead of running in parallel - Prevents git merge conflicts when multiple specs approved simultaneously 2. **Squash-merge file loss prevention** - Added pre-merge validation in impl-merge.yml - Checks both implementation and metadata files exist on PR branch - Blocks merge if implementation file missing (only metadata present) - Closes PR with descriptive error message if incomplete 3. **Atomic commits for implementation and metadata** - Modified impl-generate.yml to commit files together - Changed from separate metadata commit to single atomic commit - Verifies implementation file is staged before committing - Prevents partial PRs with metadata but no implementation ## High Priority Fixes 4. **Label propagation after manual merges** - Created new sync-labels.yml workflow - Automatically syncs labels when PRs merged manually - Handles both spec and impl label states - Adds spec-ready, impl:{library}:done labels when missing - Removes spec-request, generate:{library} labels when appropriate 5. **Early verdict labeling with retry logic** - Added preliminary verdict labeling in impl-review.yml - Labels added immediately after score extraction - Includes retry logic for failed label operations - Made later verdict step idempotent (checks existing labels) - Prevents PRs from being stuck without clear status ## Expected Impact - Eliminates race condition failures in spec merging - Prevents file loss from incomplete squash merges - Fixes label state after manual PR merges - Ensures verdict labels always set even if workflow times out - Reduces manual interventions from 12 to <3 per batch Related: #3228
diff --git a/.github/workflows/impl-generate.yml b/.github/workflows/impl-generate.yml
@@ -526,14 +526,27 @@ jobs:
               yaml.dump(data, f, default_flow_style=False, sort_keys=False, allow_unicode=True)
           "
 
-          # Commit and push
+          # Commit and push (ATOMIC: both implementation AND metadata together)
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add "$METADATA_FILE"
-          git commit -m "chore(${LIBRARY}): add metadata for ${SPEC_ID}"
+
+          IMPL_FILE="plots/${SPEC_ID}/implementations/${LIBRARY}.py"
+
+          # Add both files in a single commit to prevent partial merges
+          git add "$METADATA_FILE" "$IMPL_FILE"
+
+          # Verify both files are staged
+          if ! git diff --cached --name-only | grep -q "${LIBRARY}.py"; then
+            echo "::error::Implementation file not staged - cannot commit"
+            echo "::error::This indicates the implementation file is missing or not modified"
+            exit 1
+          fi
+
+          git commit -m "feat(${LIBRARY}): implement ${SPEC_ID} with metadata"
           git push origin "$BRANCH"
 
           echo "::notice::Created metadata file: $METADATA_FILE (py${PYTHON_VERSION}, ${LIBRARY}==${LIBRARY_VERSION})"
+          echo "::notice::Committed implementation and metadata atomically"
 
       # ========================================================================
       # Process images: optimize + thumbnail
diff --git a/.github/workflows/impl-merge.yml b/.github/workflows/impl-merge.yml
@@ -82,6 +82,40 @@ jobs:
           echo "specification_id=$SPEC_ID" >> $GITHUB_OUTPUT
           echo "library=$LIBRARY" >> $GITHUB_OUTPUT
 
+      - name: Validate PR completeness before merge
+        if: steps.check.outputs.should_run == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SPEC_ID: ${{ steps.extract.outputs.specification_id }}
+          LIBRARY: ${{ steps.extract.outputs.library }}
+          BRANCH: ${{ steps.check.outputs.branch }}
+          PR_NUM: ${{ steps.check.outputs.pr_number }}
+        run: |
+          # Fetch the PR branch to check its contents
+          git fetch origin "$BRANCH"
+
+          IMPL_FILE="plots/${SPEC_ID}/implementations/${LIBRARY}.py"
+          META_FILE="plots/${SPEC_ID}/metadata/${LIBRARY}.yaml"
+
+          # Check if implementation file exists on the PR branch
+          if ! git show "origin/${BRANCH}:${IMPL_FILE}" &>/dev/null; then
+            echo "::error::Implementation file missing on branch: ${IMPL_FILE}"
+            echo "::error::This indicates an incomplete generation - metadata exists but implementation is missing"
+            echo "::error::Closing PR to prevent partial merge"
+
+            gh pr close "$PR_NUM" --comment "**Merge blocked:** Implementation file \`${IMPL_FILE}\` is missing from this PR branch. Only metadata was found. This indicates an incomplete code generation. Please regenerate using \`generate:${LIBRARY}\` label."
+
+            exit 1
+          fi
+
+          # Check if metadata file exists
+          if ! git show "origin/${BRANCH}:${META_FILE}" &>/dev/null; then
+            echo "::warning::Metadata file missing on branch: ${META_FILE}"
+            echo "::warning::This is unusual but not blocking - metadata will be created on next review"
+          fi
+
+          echo "::notice::PR completeness validated: both implementation and metadata present"
+
       - name: Get parent issue from PR body
         if: steps.check.outputs.should_run == 'true'
         id: issue
diff --git a/.github/workflows/impl-review.yml b/.github/workflows/impl-review.yml
@@ -294,6 +294,44 @@ jobs:
           gh label create "$LABEL" --color "0e8a16" --description "Quality score ${SCORE}/100" 2>/dev/null || true
           gh pr edit "$PR_NUM" --add-label "$LABEL"
 
+      - name: Add preliminary verdict label (early)
+        if: steps.review.conclusion == 'success' && steps.score.outputs.score != '0'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUM: ${{ steps.pr.outputs.pr_number }}
+          SCORE: ${{ steps.score.outputs.score }}
+          ATTEMPT_COUNT: ${{ steps.attempts.outputs.count }}
+        run: |
+          # Add verdict label early to ensure it's set even if later steps fail
+          # This is idempotent - re-running won't cause issues
+
+          if [ "$SCORE" -ge 90 ]; then
+            echo "::notice::Adding ai-approved label (score >= 90)"
+            gh pr edit "$PR_NUM" --add-label "ai-approved" 2>/dev/null || {
+              echo "::warning::Failed to add ai-approved label, retrying..."
+              sleep 2
+              gh pr edit "$PR_NUM" --add-label "ai-approved"
+            }
+          elif [ "$ATTEMPT_COUNT" -eq 3 ] && [ "$SCORE" -ge 50 ]; then
+            echo "::notice::Adding ai-approved label (attempt 4, score >= 50)"
+            gh pr edit "$PR_NUM" --add-label "ai-approved" 2>/dev/null || {
+              echo "::warning::Failed to add ai-approved label, retrying..."
+              sleep 2
+              gh pr edit "$PR_NUM" --add-label "ai-approved"
+            }
+          else
+            echo "::notice::Adding ai-rejected label (score < 90)"
+            gh pr edit "$PR_NUM" --add-label "ai-rejected" 2>/dev/null || {
+              echo "::warning::Failed to add ai-rejected label, retrying..."
+              sleep 2
+              gh pr edit "$PR_NUM" --add-label "ai-rejected"
+            }
+
+            if [ "$SCORE" -lt 50 ]; then
+              gh pr edit "$PR_NUM" --add-label "quality-poor" 2>/dev/null || true
+            fi
+          fi
+
       - name: Install Python dependencies for metadata update
         if: steps.review.conclusion == 'success' && steps.score.outputs.score != '0'
         run: pip install pyyaml
@@ -512,9 +550,30 @@ jobs:
           # < 90: Rejected (repair loop, up to 3 attempts)
           # After 3 attempts: >= 50 = merge, < 50 = close PR
 
+          # Check if verdict label was already added by earlier step
+          CURRENT_LABELS=$(gh pr view "$PR_NUM" --json labels -q '.labels[].name' 2>/dev/null || echo "")
+
+          if echo "$CURRENT_LABELS" | grep -q "ai-approved"; then
+            echo "::notice::ai-approved label already set, triggering merge"
+            gh workflow run impl-merge.yml -f pr_number="$PR_NUM"
+            exit 0
+          fi
+
+          if echo "$CURRENT_LABELS" | grep -q "ai-rejected"; then
+            echo "::notice::ai-rejected label already set, triggering repair"
+            gh pr edit "$PR_NUM" --add-label "ai-attempt-${ATTEMPT}" 2>/dev/null || true
+            gh workflow run impl-repair.yml \
+              -f pr_number="$PR_NUM" \
+              -f specification_id="$SPEC_ID" \
+              -f library="$LIBRARY" \
+              -f attempt="$ATTEMPT"
+            exit 0
+          fi
+
+          # Fallback: Add verdict labels if not already set (shouldn't happen but ensures robustness)
           if [ "$SCORE" -ge 90 ]; then
             # Approved - merge immediately
-            gh pr edit "$PR_NUM" --add-label "ai-approved"
+            gh pr edit "$PR_NUM" --add-label "ai-approved" 2>/dev/null || true
             echo "::notice::Added ai-approved label (score $SCORE >= 90)"
             echo "Triggering impl-merge.yml for approved PR"
             gh workflow run impl-merge.yml -f pr_number="$PR_NUM"
@@ -523,7 +582,7 @@ jobs:
             # This is the 4th review (after 3 repair attempts)
             if [ "$SCORE" -ge 50 ]; then
               # Score 50-89 after 3 attempts: acceptable, merge to repo
-              gh pr edit "$PR_NUM" --add-label "ai-approved"
+              gh pr edit "$PR_NUM" --add-label "ai-approved" 2>/dev/null || true
 
               gh pr comment "$PR_NUM" --body "## AI Review - Final Status
 
diff --git a/.github/workflows/spec-create.yml b/.github/workflows/spec-create.yml
@@ -363,6 +363,11 @@ jobs:
       pull-requests: write
       issues: write
 
+    # Prevent race conditions when multiple specs are approved simultaneously
+    concurrency:
+      group: spec-merge-main
+      cancel-in-progress: false  # Queue merges instead of canceling
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -0,0 +1,153 @@
+name: "Sync: Labels"
+run-name: "Sync labels after push to main"
+
+# Runs after any push to main to ensure labels match repository state
+# This fixes label propagation issues when PRs are merged manually
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  sync-spec-labels:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 2  # Need to see what changed
+
+      - name: Install yq for YAML parsing
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Detect new specifications merged to main
+        id: detect
+        run: |
+          # Get list of specifications added/modified in this push
+          CHANGED_SPECS=$(git diff --name-only HEAD~1 HEAD | \
+            grep -oP 'plots/\K[^/]+(?=/specification\.(md|yaml))' | \
+            sort -u)
+
+          if [ -z "$CHANGED_SPECS" ]; then
+            echo "::notice::No specification changes detected"
+            echo "specs=" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "specs<<EOF" >> $GITHUB_OUTPUT
+          echo "$CHANGED_SPECS" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Sync labels for merged specifications
+        if: steps.detect.outputs.specs != ''
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "${{ steps.detect.outputs.specs }}" | while read SPEC_ID; do
+            [ -z "$SPEC_ID" ] && continue
+
+            # Extract issue number from specification.yaml
+            SPEC_YAML="plots/${SPEC_ID}/specification.yaml"
+            if [ ! -f "$SPEC_YAML" ]; then
+              echo "::warning::No specification.yaml for ${SPEC_ID}"
+              continue
+            fi
+
+            ISSUE=$(yq '.issue' "$SPEC_YAML" 2>/dev/null || echo "")
+            if [ -z "$ISSUE" ] || [ "$ISSUE" == "null" ]; then
+              echo "::warning::No issue number in ${SPEC_YAML}"
+              continue
+            fi
+
+            echo "::notice::Syncing labels for spec ${SPEC_ID} (issue #${ISSUE})"
+
+            # Get current labels
+            CURRENT_LABELS=$(gh issue view "$ISSUE" --json labels -q '.labels[].name' 2>/dev/null || echo "")
+
+            # If specification is in main, ensure correct labels
+            if echo "$CURRENT_LABELS" | grep -q "spec-request"; then
+              echo "::notice::Removing spec-request label from #${ISSUE}"
+              gh issue edit "$ISSUE" --remove-label "spec-request" 2>/dev/null || true
+            fi
+
+            if ! echo "$CURRENT_LABELS" | grep -q "spec-ready"; then
+              echo "::notice::Adding spec-ready label to #${ISSUE}"
+              gh issue edit "$ISSUE" --add-label "spec-ready" 2>/dev/null || true
+            fi
+          done
+
+  sync-impl-labels:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 2
+
+      - name: Install yq for YAML parsing
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Detect new implementations merged to main
+        id: detect
+        run: |
+          # Get list of implementations added/modified in this push
+          CHANGED_IMPLS=$(git diff --name-only HEAD~1 HEAD | \
+            grep -P 'plots/[^/]+/implementations/[^/]+\.py$')
+
+          if [ -z "$CHANGED_IMPLS" ]; then
+            echo "::notice::No implementation changes detected"
+            echo "impls=" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "impls<<EOF" >> $GITHUB_OUTPUT
+          echo "$CHANGED_IMPLS" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Sync labels for merged implementations
+        if: steps.detect.outputs.impls != ''
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "${{ steps.detect.outputs.impls }}" | while read IMPL_PATH; do
+            [ -z "$IMPL_PATH" ] && continue
+
+            # Extract spec-id and library from path: plots/{spec-id}/implementations/{library}.py
+            SPEC_ID=$(echo "$IMPL_PATH" | cut -d'/' -f2)
+            LIBRARY=$(echo "$IMPL_PATH" | cut -d'/' -f4 | sed 's/\.py$//')
+
+            # Get issue number
+            SPEC_YAML="plots/${SPEC_ID}/specification.yaml"
+            ISSUE=$(yq '.issue' "$SPEC_YAML" 2>/dev/null || echo "")
+
+            if [ -z "$ISSUE" ] || [ "$ISSUE" == "null" ]; then
+              echo "::warning::No issue for ${SPEC_ID}/${LIBRARY}"
+              continue
+            fi
+
+            echo "::notice::Syncing labels for ${SPEC_ID}/${LIBRARY} (issue #${ISSUE})"
+
+            # Remove trigger and pending labels
+            gh issue edit "$ISSUE" --remove-label "generate:${LIBRARY}" 2>/dev/null || true
+            gh issue edit "$ISSUE" --remove-label "impl:${LIBRARY}:pending" 2>/dev/null || true
+
+            # Create and add done label
+            gh label create "impl:${LIBRARY}:done" --color "0e8a16" \
+              --description "${LIBRARY} implementation merged" 2>/dev/null || true
+            gh issue edit "$ISSUE" --add-label "impl:${LIBRARY}:done" 2>/dev/null || true
+
+            echo "::notice::✓ Labels synced for ${SPEC_ID}/${LIBRARY}"
+          done
