fix(ci): add synchronize trigger to PR Review workflow#1323
WilliamBerryiii merged 3 commits into main from
- add synchronize event type to pull_request triggers in pr-review.md
- recompile lock file with gh-aw v0.67.1

Fixes #1322 🐛 - Generated by Copilot
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@            Coverage Diff             @@
##             main    #1323      +/-   ##
==========================================
- Coverage   87.66%   87.65%   -0.02%
==========================================
  Files          61       61
  Lines        9328     9328
==========================================
- Hits         8177     8176       -1
- Misses       1151     1152       +1
```
Advisory review, this PR is from a maintainer. Findings are informational only.
Overview
This is a clean, well-scoped PR. The core change — adding synchronize to the pull_request.types trigger in pr-review.md — directly addresses the primary objective from #1322. The lock file was properly recompiled, the PR description is thorough, and the existing cancel-in-progress: true concurrency group was already in place to handle rapid successive pushes safely.
Issue Alignment
✅ Core objective met: synchronize added to pull_request.types.
ℹ️ The label_command: re-review item from #1322 was not implemented. The PR explicitly documents the gh-aw compiler constraint preventing its coexistence with non-label pull_request event types. This is a sound and transparent explanation — the PR title and scope are appropriately narrowed to what was actually feasible.
PR Template Compliance
✅ All required sections filled in and accurate. Type of Change checkboxes (Bug fix, GitHub Actions workflow) correctly reflect the changes. Testing steps are concrete and verifiable.
Coding Standards
✅ The single-line pr-review.md change is compliant with workflow instructions and conventions.
ℹ️ Version annotation discrepancy in auto-generated lock file (inline comments added): The gh-aw v0.67.1 compiler updated version comment annotations for actions/checkout (v4.2.2 → v6.0.2) and actions/upload-artifact (v4.4.3 → v7) while leaving their SHAs unchanged. Since the SHA is the authoritative security pin, there is no security regression. The annotations appear to reflect updated internal metadata in the new compiler — but the version labels look unusual and may be worth raising with the gh-aw team if confirmed inaccurate.
Code Quality
✅ Minimal and correct. The trace-id infrastructure and job-name input added by the updated compiler are non-functional improvements that improve observability of agentic workflow runs. No logic regressions introduced.
Action Items
None blocking. All findings above are informational. This PR is ready for human review and merge.
chaosdinosaur left a comment:
Thanks for fixing this!
Advisory review, this PR is from a maintainer. Findings are informational only.
Review Summary
This is a focused, well-described fix that correctly addresses the core ask from issue #1322. The change is minimal and purposeful.
✅ Issue Alignment
Issue #1322 requested two changes:
- ✅ Add `synchronize` to `pull_request.types` — implemented
- ⚠️ Add `label_command: re-review` — not implemented (compiler constraint documented in PR description)
The partial implementation is acceptable. The PR description clearly explains the label_command constraint and offers the Actions UI re-run as a manual fallback. Worth tracking in the issue for a future compiler version that relaxes this constraint.
✅ PR Template Compliance
All required sections are filled in correctly. Checkboxes are accurate for the change type (Bug fix + GitHub Actions workflow). The automated checks section is intentionally unchecked (CI runs these). No issues.
✅ Coding Standards
Workflow instructions compliance:
- Dependency pinning: All actions pinned to full SHAs with semantic version comments ✅
- Permissions: Inherited from the existing compiled structure ✅
- Runners: `ubuntu-latest` ✅
- `persist-credentials: false` retained on all checkout steps ✅
💡 Advisory Observation — Version Label Drift in Auto-Generated File
In pr-review.lock.yml, the gh-aw compiler updated version comment labels for two actions whose SHAs did not change:
- `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` — comment changed from `# v4.2.2` → `# v6.0.2`
- `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f` — comment changed from `# v4.4.3` → `# v7`
The same SHA cannot correspond to two different semantic versions. Since this file is auto-generated (DO NOT EDIT), this is a compiler-side labeling issue rather than a PR defect — the pinned SHA is what matters for execution, not the comment. No action required from the PR author, but it may be worth raising with the gh-aw compiler maintainers to ensure comment labels are consistent with pinned SHAs.
✅ Code Quality and Security
- The `synchronize` event addition is the correct solution for the described problem.
- The existing `concurrency` group with `cancel-in-progress: true` appropriately handles rapid successive pushes — no changes needed there.
- The new `github/gh-aw-actions/[email protected]` dependency is properly pinned to SHA `80471a493be8c528dd27daf73cd644242a7965e0` in both `actions-lock.json` and the lock file.
- No secrets exposure, no unsafe input handling, no logic errors observed.
No blocking issues. The PR is in good shape.
- correct 6 version comments from `# v7` to `# v7.0.0` 🔧 - Generated by Copilot
Advisory review, this PR is from a maintainer. Findings are informational only.
PR Review: fix/1322-pr-review-triggers
Overview
This PR is a clean, well-scoped fix that adds the synchronize event type to the PR Review workflow trigger, ensuring the automated review runs on new commits pushed to an open PR — not just on opened and ready_for_review. The follow-up annotation cleanup commit (correcting # v7 → # v7.0.0) improves comment accuracy with no functional impact.
✅ Issue Alignment
Fixes #1322. The linked issue requests that the PR Review workflow fire on new pushes to open PRs, which was broken because synchronize was absent from the trigger list. The one-line change to pr-review.md directly and correctly resolves this. No scope creep, no missing requirements.
✅ PR Template Compliance
The PR description includes a clear description, a valid issue reference (Fixes #1322), an appropriate type of change, and testing notes (recompile verified). The commit messages follow conventional commit format with proper scope and emoji footer per repository conventions. No template violations found.
✅ Coding Standards — GitHub Actions Workflow Conventions
All requirements from the workflow instructions file are satisfied:
| Requirement | Status |
|---|---|
| Third-party actions pinned to full commit SHA | ✅ All 4 actions use full SHAs |
| Top-level `permissions:` block declared | ✅ `permissions: {}` at line 56 of lock file |
| Job-level permissions declared | ✅ All jobs define explicit permissions |
| SHA comments include semantic version | ✅ e.g., `# v7.0.0`, `# v0.67.1` |
| SHA in lock file matches actions-lock.json | ✅ `80471a493be8c528dd27daf73cd644242a7965e0` consistent |
| `concurrency:` block prevents duplicate runs | ✅ Present with `cancel-in-progress: true` |
The ubuntu-slim runner in the auto-generated lock file is a gh-aw platform-managed runner — not a violation of the ubuntu-latest convention, which applies to manually authored workflows.
✅ Code Quality
pr-review.md (source of truth): Single-line addition of synchronize to the event types array. Correct and minimal.
pr-review.lock.yml recompile: The net changes reflect the gh-aw v0.65.6 → v0.67.1 compiler upgrade. The compiled output correctly includes synchronize in the trigger list and uses the pinned SHA for github/gh-aw-actions/[email protected].
actions-lock.json: The new entry for github/gh-aw-actions/[email protected] matches the SHA used in the lock file exactly — no drift between the two tracking files.
Annotation fix commit: Correcting # v7 to # v7.0.0 is a worthwhile accuracy improvement; the SHA itself is unchanged so the security posture is unaffected.
Summary
No issues found. The PR correctly fixes the missing synchronize trigger, keeps the auto-generated lock file in sync with the source definition, and leaves all security-relevant SHA pins intact.
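The two bot reviews above verify the same workflow properties by hand: every action pinned to a full commit SHA with a version comment, one version label per SHA, the lock file agreeing with actions-lock.json, `synchronize` present in `pull_request.types`, and `cancel-in-progress: true` in the concurrency block. The script below is an added example, not code from this PR or from the gh-aw compiler, that runs those checks offline against a constructed lock-file snippet. `SAMPLE_LOCK`, `EXPECTED_PINS` and the function names are assumptions for illustration; the SHAs and labels in the sample are the ones quoted in the reviews, an unpinned `setup-node` step and a stale `# v4.2.2` label are injected so the checks have something to find, and the real actions-lock.json layout is not reproduced. The trigger parser handles flow-style and block-style `types:` lists without a YAML library, since a generic YAML loader reads the `on:` key as a boolean.

```python
import re
from collections import defaultdict
# Constructed sample, not a real lock file: SHAs and labels are those quoted in the reviews
# above; the unpinned setup-node step and the stale "# v4.2.2" label are injected on purpose.
SAMPLE_LOCK = """\
on:
  pull_request:
    types: [opened, ready_for_review, synchronize]
permissions: {}
concurrency:
  group: pr-review-${{ github.ref }}
  cancel-in-progress: true
jobs:
  review:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: github/gh-aw-actions/setup@80471a493be8c528dd27daf73cd644242a7965e0 # v0.67.1
      - uses: actions/setup-node@v4
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
"""

# Stand-in for the repo's actions-lock.json (real layout not reproduced): action -> expected SHA.
EXPECTED_PINS = {
    "actions/checkout": "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
    "github/gh-aw-actions/setup": "80471a493be8c528dd27daf73cd644242a7965e0",
    "actions/upload-artifact": "bbbca2ddaa5d8feaa63e36b76fdaad77386f024f",
}

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<label>\S+))?"
)

def parse_uses(text):
    """Yield (line_no, action, ref, version_label) for each remote `uses:` reference."""
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield n, m["action"], m["ref"], m["label"]

def check_pins(text, expected):
    """Full-SHA pins, version comments, one label per SHA, and agreement with the registry."""
    findings, labels = [], defaultdict(set)
    for n, action, ref, label in parse_uses(text):
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"line {n}: {action}@{ref} is not pinned to a full commit SHA")
            continue
        if label is None:
            findings.append(f"line {n}: {action}@{ref[:12]} lacks a version comment")
        else:
            labels[(action, ref)].add(label)
        want = expected.get(action)
        if want is not None and want != ref:
            findings.append(f"line {n}: {action} pinned to {ref[:12]}, registry has {want[:12]}")
    for (action, sha), seen in labels.items():
        if len(seen) > 1:  # the drift the second review flagged: one SHA, two version comments
            findings.append(f"{action}@{sha[:12]} carries conflicting version labels {sorted(seen)}")
    return findings

def pull_request_types(text):
    """Return pull_request.types (flow `[a, b]` or block `- a` style) without a YAML library."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "pull_request:":
            continue
        block = len(line) - len(line.lstrip())
        for j in range(i + 1, len(lines)):
            s = lines[j].strip()
            if s and len(lines[j]) - len(lines[j].lstrip()) <= block:
                break  # left the pull_request: block without finding a types: key
            flow = re.match(r"types:\s*\[(.*)\]", s)
            if flow:
                return [t.strip(" '\"") for t in flow.group(1).split(",") if t.strip()]
            if s == "types:":
                items = []
                for k in range(j + 1, len(lines)):
                    if not lines[k].strip().startswith("- "):
                        break
                    items.append(lines[k].strip()[2:].strip(" '\""))
                return items
    return []

def check_triggers(text):
    """The two properties the PR's own testing notes call out."""
    findings, types = [], pull_request_types(text)
    if "synchronize" not in types:
        findings.append(f"pull_request.types {types} lacks synchronize: new pushes will not re-run the review")
    if not re.search(r"^\s*cancel-in-progress:\s*true\s*$", text, re.M):
        findings.append("concurrency.cancel-in-progress is not true: rapid pushes queue overlapping runs")
    return findings

def lint(text, expected=EXPECTED_PINS):
    return check_pins(text, expected) + check_triggers(text)

if __name__ == "__main__":
    for finding in lint(SAMPLE_LOCK):
        print("FINDING:", finding)
```

On the sample it reports exactly two findings, the unpinned `setup-node` step and the `actions/checkout` SHA labelled both `v4.2.2` and `v6.0.2`, and nothing about the triggers; to run it against a real `.lock.yml`, pass the file contents to `lint()` and load the expected pins from wherever the repository records them.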
## Pre-Release 3.3.101

### ✨ Features

- add removed maturity tier and retire owasp-docker (#1444)
- add evaluation dataset creator (#1279)
- align RAI planner with guide, remove scoring, improve UX (#1287)
- add PSGallery staleness check and BOM cleanup (#1379)
- ISA-95 network planner agent (#1177)
- auto-generate collection.md with maturity filtering (#1316)
- add folder-consistency check and standardize WARN outp… (#1350)
- add synth-data-generate prompt to data-science collection (#1419)
- add canonical deck workflow and customer-card rendering for design thinking (#1413)
- add Figma MCP integration for DT artifact export (#1222)
- introduce `owasp-docker` (#1245)
- replace hve-core-specific references with portable discovery-based language (#1335)
- introduce `owasp-cicd` (#1246)
- add secure-by-design knowledge skill (#1223)
- introduce `owasp-infrastructure` (#1244)
- introduce `owasp-mcp` (#1207)
- add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229)
- add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225)
- add maintainer-only skip-review label guard (#1293)
- add extension collections overview and integrate into getting started flow (#950)
- add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219)
- consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240)
- add standards code review agent and full review orchestrator (#1174)
- standardize pytest-mock as Python mocking framework (#1170)
- add Jira backlog workflows and Jira/GitLab skills (#978)
- add centralized version bump script and supply-chain attestation (#1183)

### 🐛 Bug Fixes

- pin PowerShell-Yaml to 0.4.7 across all install sites (#1378)
- close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421)
- replace stream-based lookahead with array indexing in list-changed-files.sh (#1376)
- centralize ISO 8601 timestamp regex in CIHelpers (#1343)
- update stale documentation date in release-process.md (#1363)
- pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374)
- add bot filter to dependency PR review workflow (#1362)
- resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360)
- standardize Timestamp JSON key casing across all lint result files (#1314)
- add synchronize trigger to PR Review workflow (#1323)
- standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280)
- add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304)
- standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284)
- standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282)
- derive collection artifact counts from YAML at build time (#1275)
- standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285)
- standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283)
- escape hyphens in Mermaid diagram on Collections page (#1262)
- add summary timestamp to PSScriptAnalyzer output (#1211)
- fix plugin compatibility and robustness for coding-standards code review agents (#1289)
- standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278)
- standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270)
- standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264)
- fix dependency-review path filters and sparse-checkout cone mode (#1259)
- replace invalid bare tool names with official tool identifiers (#1198)
- fix broken links and remove orphaned reference in code review docs (#1257)
- exclude Python env dirs from skill validation warnings (#1255)
- pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253)
- remove Mermaid diagram and add missing collection cards (#1247)
- disable MCP servers by default to prevent token limit errors (#1144)
- sync package-lock.json after pre-release version bump (#1236)
- separate mermaid node declarations and add dynamic diagram generation with tests (#1215)
- replace anchor links in meeting-analyst with bold text references (#1201)
- remove recursive symlinks in jira and gitlab skill directories (#1233)
- validate-installation scripts now check .github/skills directory (#1010) (#1206)
- resolve npm audit vulnerabilities via dependency overrides (#1200)
- add post-release triggers to scorecard workflow (#1186)
- add missing .md extensions to relative links in agent documentation (#1180)

### 📚 Documentation

- broaden Security Review description beyond OWASP (#1385)
- document maintainer advisory mode and skip-review label guard (#1386)
- document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383)
- CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251)

### ♻️ Refactoring

- align agent and prompt folder names to collection identifier (#1210)

### 🔧 Maintenance

- pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389)
- bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424)
- bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390)
- bump the github-actions group across 1 directory with 7 updates (#1391)
- bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356)
- upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353)
- bump basic-ftp from 5.2.0 to 5.2.1 (#1324)
- update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298)
- update security instruction attributions and compliance (#1294)
- bump the npm-dependencies group with 2 updates (#1297)
- pre-release 3.3.41 (#1252)
- streamline RAI Planner phase structure and documentation (#1273)
- bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237)
- pre-release 3.3.27 (#1191)
- bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234)
- bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226)
- bump the github-actions group with 4 updates (#1231)
- add missing folders and alphabetize location lists (#1193)
- bump brace-expansion (#1224)
- bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217)
- bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213)
- pre-release 3.3.10 (#1187)
- bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175)
- bump the github-actions group with 3 updates (#1176)
- pre-release 3.3.1 (#1165)

---

*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Description
Add `synchronize` to the `pull_request.types` trigger array in the PR Review agentic workflow so the review bot re-runs automatically when new commits are pushed to an open PR. Previously, the workflow only triggered on `opened` and `ready_for_review`, requiring a manual Actions UI re-run after pushing follow-up commits.

The lock file was recompiled with gh-aw v0.67.1 (upgraded from v0.65.6), which also bumps AWF v0.25.11→v0.25.13, MCPG v0.2.11→v0.2.14, and introduces `report_incomplete` and `setup-trace-id` infrastructure.

Related Issue(s)
Fixes #1322
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
- `prompt-builder` agent and addressed all feedback
- `.github/instructions/*.instructions.md`
- `.github/prompts/*.prompt.md`
- `.github/agents/*.agent.md`
- `.github/skills/*/SKILL.md`

Other:
- `.ps1`, `.sh`, `.py`

Testing
- `gh aw compile pr-review` — 0 errors, 0 warnings
- `gh aw validate pr-review` — 0 errors, 0 warnings
- `synchronize` present in compiled lock file trigger types
- `cancel-in-progress: true` remains intact

Checklist
Required Checks
AI Artifact Contributions
N/A — no AI artifacts changed.
Required Automated Checks
The following validation commands must pass before merging:
- `npm run lint:md`
- `npm run spell-check`
- `npm run lint:frontmatter`
- `npm run validate:skills`
- `npm run lint:md-links`
- `npm run lint:ps`
- `npm run plugin:generate`
- `npm run docs:test`

Security Considerations
The only new dependency pin is `github/gh-aw-actions/[email protected]` with SHA `80471a493be8c528dd27daf73cd644242a7965e0`, auto-generated by the gh-aw compiler.

Additional Notes
The `label_command: re-review` option was investigated but cannot coexist with `pull_request` triggers that include non-label event types (`opened`, `ready_for_review`, `synchronize`) due to a gh-aw compiler constraint. Manual re-trigger remains available via the Actions UI re-run button.