Skip to content

Commit 3ba5348

Browse files
docs(claude-md): 2 lessons from v7.3.1 release sequence (#559)
- Advisory CI workflows can post a PR comment with error text while exiting 0 — judge blocking-ness by `gh pr checks` bucket, NOT comment body text. Hit on PR #556 where the security-scan.yml advisory job posted a "Could not extract JSON from CLI output" comment despite both the required `security` check and `Run Security Scanner` being green. - Admin-merge dance: run as separate commands or `;`-separated, never `&&`-chained. From a sub-worktree the merge step reliably exits 1 (per the existing sub-worktree lesson) so an `&&` chain stops the protection-restore from running. Hit on both #556 and #558. Both pair with existing lessons (Copilot Autofix family for the first, sub-worktree merge-error family for the second). Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
1 parent b7ee1f3 commit 3ba5348

1 file changed

Lines changed: 66 additions & 0 deletions

File tree

.claude/CLAUDE.md

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6933,3 +6933,69 @@ attune_redis/ # attune-redis plugin (pip install attune-redis)
69336933
is usually one root-cause test" lesson — same
69346934
shape (one root cause, looks like N independent
69356935
bugs); this one names the prevention.
6936+
6937+
- **Advisory CI workflows can post a PR comment with error
6938+
text while exiting 0 — judge blocking-ness by `gh pr
6939+
checks` bucket, NOT comment body text**: hit 2026-06-02
6940+
on PR #556 during the v7.3.1 release prep. The
6941+
`.github/workflows/security-scan.yml` job runs
6942+
`attune workflow run security-audit --json` and tries
6943+
to extract the final JSON object from the mixed CLI
6944+
output. When the underlying SDK call fails (budget
6945+
cap, quota, rate limit — same class the
6946+
sdk-error-message-fidelity spec hardens), no JSON
6947+
emits and the post-processing script writes a
6948+
placeholder `{"findings": [], "error": "Could not
6949+
extract JSON from CLI output"}` then exits 0. A
6950+
follow-up step posts a PR comment titled "🔒
6951+
Security Scan Results" with the error text. User
6952+
reading the PR sees an alarming comment and asks
6953+
"did the security scan fail?" — but the GH Actions
6954+
check (`Run Security Scanner`) is green AND the
6955+
required `security` check is green. Merge is
6956+
unaffected. **Diagnostic shortcut**: when a comment
6957+
on a PR looks like a failure, cross-check with
6958+
`gh pr checks <pr> --json name,bucket | jq \'.[] |
6959+
select(.bucket != "pass" and .bucket != "skipping")\'`
6960+
— if the bucket query is empty, no checks are
6961+
blocking and the comment is advisory noise. Apply
6962+
this BEFORE diving into what the comment claims is
6963+
wrong. Generalizes to any CI workflow that posts
6964+
cosmetic comments via `actions/github-script` or
6965+
similar — the comment body and the check
6966+
conclusion are independent surfaces. Pairs with the
6967+
existing "GitHub Copilot Autofix pushes commits
6968+
directly to PR branches" lesson — same family
6969+
(background CI activity that surfaces in the PR UI
6970+
but isn\'t a merge-blocking failure).
6971+
6972+
- **Admin-merge dance: run as separate commands or
6973+
`;`-separated, never `&&`-chained — the merge
6974+
step reliably exits 1 from a sub-worktree (per the
6975+
existing sub-worktree lesson) and an `&&` chain
6976+
stops the protection-restore from running**: hit
6977+
2026-06-02 on PRs #556 and #558 during the v7.3.1
6978+
release sequence. Wrote the dance as
6979+
`gh api .../required_approving_review_count=0 &&
6980+
gh pr merge --squash --admin --delete-branch &&
6981+
gh api .../required_approving_review_count=1`.
6982+
Run from a sub-worktree, step 2 exited 1 because
6983+
the parent worktree owns `main` so the post-merge
6984+
local checkout step couldn\'t run (per the existing
6985+
"gh pr merge --squash --admin from a sub-worktree
6986+
exits non-zero" lesson) — but the REMOTE merge
6987+
succeeded. The `&&` chain short-circuited and
6988+
step 3 never ran, leaving
6989+
`required_approving_review_count=0` on main. Had
6990+
to manually re-issue step 3 to restore protection.
6991+
**Fix**: use `;` (run regardless) or three
6992+
independent commands. The protection-restore must
6993+
run even when the merge command exits non-zero
6994+
because that exit code does NOT mean the merge
6995+
failed when running from a sub-worktree. From the
6996+
parent worktree (where `main` is owned), the
6997+
merge step exits 0 and `&&` works — but be
6998+
defensive across both surfaces. Pairs with the
6999+
existing sub-worktree-merge-error lesson — that
7000+
one names the cause; this one names the dance-
7001+
specific consequence.

0 commit comments

Comments
 (0)