feat(agent-docs-audit): diff-scoped sticky PR comments for L1 findings #3299
Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fd6317e056
| execFileSync('gh', ['api', '-X', 'PATCH', `/repos/${REPO}/issues/comments/${String(existing)}`, '--input', tmpFile], { stdio: 'inherit' }); | ||
| console.log(`Updated comment ${existing}`); | ||
| } else { | ||
| execFileSync('gh', ['api', '-X', 'POST', `/repos/${REPO}/issues/${PR}/comments`, '--input', tmpFile], { stdio: 'inherit' }); |
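Review bot: both `gh api` write calls here run with `stdio: 'inherit'`, which streams the API response and any error text to the job log instead of returning it, so the POST branch never sees the `id` of the comment it just created and the surrounding catch cannot inspect the error body. Capturing output with `{ encoding: 'utf-8' }` and the default piped stdio (the same way the comment-listing call reads its result) would let the POST branch log its new id as the PATCH branch logs `Updated comment ${existing}`, and would put gh's 403 text on `err.stderr` where the catch can match it.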
Capture gh stderr before matching 403s
For fork PRs (where the GITHUB_TOKEN is read-only despite requested write permissions), a comment write returns 403, but these execFileSync calls inherit stderr so the API error text is printed, not captured in err.message; the catch below usually sees only Command failed: gh api ... and rethrows instead of taking the intended graceful path. This makes the warning-only audit fail on fork PRs that have L1 findings.
| const out = execFileSync('gh', ['api', `/repos/${REPO}/issues/${PR}/comments`, '--paginate'], { encoding: 'utf-8' }); | ||
| const comments = JSON.parse(out); |
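Review bot: `--paginate` alone writes one JSON document per page, so `JSON.parse(out)` only succeeds while the PR has a single page of comments. If the runner's `gh` is too old for `--slurp`, an alternative that sidesteps multi-document output is to let gh filter each page, e.g. `--paginate --jq '.[] | select(.body | contains("<!-- agent-docs-audit -->")) | .id'`, and take the first non-empty line of the output rather than parsing the whole comment list.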
Slurp paginated comments before JSON parsing
On PRs with more than one page of issue comments, gh api --paginate emits separate JSON documents per page; the GitHub CLI docs call out --slurp as the option that returns one array of all pages. Parsing this output as a single JSON value throws, so getExistingCommentId() returns null and the sticky comment can be duplicated or left stale instead of updated.
Surfaces deterministic agent-doc findings on the PR that introduced them, instead of burying them in workflow artifacts. Reviewers see findings only for files the PR touched.
- `<!-- agent-docs-audit -->`; updated in place.
- `computeFlags`) and pair-level findings (`linked-inverted`, `unexpected-duplicate`). Skips single-side pairs since fresh packages with one side are normal.
- `pull-requests: write` is sufficient; same pattern as `visual-test.yml` posting sticky comments via the Issues comments API.
- Warning-only. The detector is heuristic; blocking CI would create false-positive friction. Surface first, then decide whether delta-only hard gates are justified after observing noise on real PRs.