ci(town-crier): producer workflow (announce + resolve on close)

[jasperboerhof]

Adds the town-crier producer workflow — announce on the Agent Review Requested label, resolve on PR close (merged/closed).

The bus's resolve-by-pr_url endpoint is deployed (script-development/town-crier#14) and this repo's TOWN_CRIER_URL var + TOWN_CRIER_TOKEN secret are already provisioned, so it's ready to merge. Part of the producer rollout — keeps merged PRs from sitting open on the bus.

🤖 Generated with Claude Code

[Goosterhof]

Agent Review — COMMENT (no blockers)

Actions-security headline: clean. The injection vector this rollout had to get right — PR-author-controlled title reaching a run: shell — is handled correctly: every event field is passed through env: and consumed via jq -n --arg, never interpolated into the shell. Trigger is plain pull_request (no pull_request_target), no PR code is checked out, and the token comes from ${{ secrets.TOWN_CRIER_TOKEN }}. Nothing to pin — there are no third-party uses: actions, just curl.

Counts: 0 blockers, 2 concerns, 0 nits.

Findings index

• Concern — no permissions: block; both jobs inherit the repo-default GITHUB_TOKEN scope a pure-egress producer never uses (announce-pr.yml:20).
• Concern — curl -fsS hard-fails the run on any bus non-2xx; the bus is fail-open by design, so a Fly hiccup reddens every labeled/closed PR in the repo (announce-pr.yml:34).

Both are inline. Neither blocks merge.

Automated war-room agent review — posted because this PR carries the Agent Review Requested label.

[Goosterhof]

Round 2 — since e225f9e: 2 addressed, 0 new, 0 still open

APPROVE — both standing concerns from the prior round are fixed and the Actions-security surface is unchanged-clean.

Delta:

• Addressed — permissions: {} is now declared at the workflow top level (announce-pr.yml:16). A pure-egress producer that never touches GITHUB_TOKEN now grants it nothing. Correct least-privilege.
• Addressed — both jobs carry continue-on-error: true (announce-pr.yml:24, announce-pr.yml:54). curl -fsS still fails the step on a bus non-2xx, but continue-on-error keeps the job green, so a Fly hiccup no longer reds every labeled/closed PR in the repo. Fail-open is preserved at the job boundary, which is the right level for it.

Unchanged-clean (no re-litigation): title and other PR-author fields reach the script through env: + jq -n --arg, never interpolated into the shell — no injection vector. Trigger is plain pull_request (no pull_request_target), no PR head code is checked out, token from ${{ secrets.TOWN_CRIER_TOKEN }}, no third-party uses: to pin.

Counts: 0 blockers, 0 concerns, 0 nits. CI green (check (8.4), check (8.5)).

The header comment's promise — "permissions are dropped" and "continue-on-error + a curl --max-time" — now matches the YAML. Description claims the TOWN_CRIER_URL var + TOWN_CRIER_TOKEN secret are provisioned in this repo; that's the one thing unverifiable from outside, and if either is missing the producer 401s/no-ops silently rather than failing loudly (acceptable given the fail-open design, but worth a one-time post-merge confirmation that a labeled PR actually lands on the bus).

Automated war-room agent review — posted because this PR carries the Agent Review Requested label.

[Goosterhof]

Round 3 — since 3535b3b: config-error-loud / bus-open split — correct

APPROVE — the new guard implements the loud-vs-open split the right way round, and the Actions-security surface is unchanged-clean. No blockers, no concerns, no nits.

Verdict: approve-worthy · Blockers 0 · Concerns 0 · Nits 0

Delta of interest (the only thing new this round): the missing-provisioning guard. A config error (absent TOWN_CRIER_URL/TOWN_CRIER_TOKEN) now exit 1s loud and red; a transient bus error (5xx / timeout / refused, secret present) still degrades to a ::warning:: and keeps the check green. The two are not conflated — see inline.

Standing concerns from prior rounds — confirmed still resolved:

• permissions: {} at the workflow level (line 16) — both jobs run with no GITHUB_TOKEN scope. Correct; they auth to the bus with TOWN_CRIER_TOKEN, not the repo token.
• Fail-open-on-bus-hiccup preserved (|| echo "::warning::..." on both curls).

Actions-security headline: clean. title is env:-passed and consumed through jq -n --arg (no shell interpolation of PR-author data); trigger is plain pull_request with no head checkout; token from secrets.; no third-party uses: to SHA-pin.

Automated war-room agent review — posted because this PR carries the Agent Review Requested label.

[jasperboerhof]

Review Loop · 9/10 · PASS — 🟡 1

phpstan-warroom-rules #36 · AC anchor: PR description: town-crier producer workflow (announce on label, resolve on close) · head 2f80889857

Tip

Reviewed the new announce-pr.yml producer workflow against its stated intent (announce-on-label, resolve-on-close) — the two failure modes are correctly split (provisioning missing → fail loud exit 1; bus hiccup → fail-open warning), permissions are dropped to {}, and jq builds the payload so a quoted title can't break it; no rule-set/contract change so no consumer ripple. Clean, with one soft completeness edge on the un-label-then-close path.

1 finding(s) posted inline:

• 🟡 MINOR · .github/workflows/announce-pr.yml:60 — resolve never fires if the label is removed before the PR closes, leaving the bus thread open forever

Action

merge-ready