fix(gha): review-check 403 → skip candidate; improve failure message
Some checks failed
audit-force-merge / audit (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Blocked by required conditions
Handlers Postgres Integration / detect-changes (pull_request) Waiting to run
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Blocked by required conditions
Harness Replays / detect-changes (pull_request) Waiting to run
Harness Replays / Harness Replays (pull_request) Blocked by required conditions
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Waiting to run
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 21s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 1m0s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 20s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m26s
Check migration collisions / Migration version collision check (pull_request) Successful in 1m35s
CI / Detect changes (pull_request) Successful in 1m32s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m31s
MCP Stdio Transport Regression / MCP stdio with regular-file stdout (pull_request) Successful in 1m40s
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
review-check-tests / review-check.sh regression tests (pull_request) Successful in 29s
publish-runtime-autobump / pr-validate (pull_request) Successful in 58s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 47s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m29s
gate-check-v3 / gate-check (pull_request) Successful in 1m7s
qa-review / approved (pull_request) Failing after 38s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m47s
sop-checklist / all-items-acked (pull_request) Successful in 31s
security-review / approved (pull_request) Failing after 39s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m39s
sop-tier-check / tier-check (pull_request) Successful in 25s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m52s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 3m4s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 3m14s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 38s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m38s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m23s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3m28s
CI / Python Lint & Test (pull_request) Failing after 7m48s
CI / Canvas (Next.js) (pull_request) Failing after 20m32s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Platform (Go) (pull_request) Failing after 21m56s
CI / all-required (pull_request) Failing after 2s
Some checks failed
audit-force-merge / audit (pull_request) Has been skipped
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Blocked by required conditions
Handlers Postgres Integration / detect-changes (pull_request) Waiting to run
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Blocked by required conditions
Harness Replays / detect-changes (pull_request) Waiting to run
Harness Replays / Harness Replays (pull_request) Blocked by required conditions
lint-continue-on-error-tracking / lint-continue-on-error-tracking (pull_request) Waiting to run
lint-mask-pr-atomicity / lint-mask-pr-atomicity (pull_request) Waiting to run
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 21s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Has been skipped
E2E Staging SaaS (full lifecycle) / pr-validate (pull_request) Successful in 1m0s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 20s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m26s
Check migration collisions / Migration version collision check (pull_request) Successful in 1m35s
CI / Detect changes (pull_request) Successful in 1m32s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m31s
MCP Stdio Transport Regression / MCP stdio with regular-file stdout (pull_request) Successful in 1m40s
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
review-check-tests / review-check.sh regression tests (pull_request) Successful in 29s
publish-runtime-autobump / pr-validate (pull_request) Successful in 58s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 47s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m29s
gate-check-v3 / gate-check (pull_request) Successful in 1m7s
qa-review / approved (pull_request) Failing after 38s
Lint workflow YAML (Gitea-1.22.6-hostile shapes) / Lint workflow YAML for Gitea-1.22.6-hostile shapes (pull_request) Successful in 1m47s
sop-checklist / all-items-acked (pull_request) Successful in 31s
security-review / approved (pull_request) Failing after 39s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m39s
sop-tier-check / tier-check (pull_request) Successful in 25s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 1m52s
Lint pre-flip continue-on-error / Verify continue-on-error flips have run-log proof (pull_request) Successful in 3m4s
lint-required-context-exists-in-bp / lint-required-context-exists-in-bp (pull_request) Successful in 3m14s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 38s
E2E Staging External Runtime / E2E Staging External Runtime (pull_request) Successful in 5m38s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 2m23s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 3m28s
CI / Python Lint & Test (pull_request) Failing after 7m48s
CI / Canvas (Next.js) (pull_request) Failing after 20m32s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Platform (Go) (pull_request) Failing after 21m56s
CI / all-required (pull_request) Failing after 2s
- 403 on team-membership probe: exit 1 → continue (keep checking other
candidates). A single 403 from the token-scope gap no longer kills the
whole check when other candidates are available (RFC#324 follow-up).
- Final failure message: replace vague "awaiting non-author APPROVE from
${TEAM} team — none are in team" with actionable guidance:
"no valid team-member approval found; check that reviewer is in
${TEAM} team or token owner is a ${TEAM} team member".
Unblocks qa-review and security-review CI on PRs #1233, #1229, #1255,
#1257, and others that hit the 403 token-scope false-positive.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
6582c0964a
commit
260c36826b
@ -227,11 +227,11 @@ for U in $CANDIDATES; do
|
||||
;;
|
||||
403)
|
||||
# Token owner is not in the team being probed; the API refuses to
|
||||
# confirm membership. This is the RFC#324 follow-up token-scope gap.
|
||||
# Fail closed — never grant approval on a 403; surface clearly.
|
||||
echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
|
||||
# confirm membership. Skip this candidate and keep checking the rest —
|
||||
# if no candidates pass the membership check the loop exits below.
|
||||
echo "::warning::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Skipping candidate; will keep checking."
|
||||
cat "$TEAM_PROBE_TMP" >&2
|
||||
exit 1
|
||||
continue
|
||||
;;
|
||||
404)
|
||||
debug "${U} not a member of ${TEAM}"
|
||||
@ -243,5 +243,5 @@ for U in $CANDIDATES; do
|
||||
esac
|
||||
done
|
||||
|
||||
echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — none are in team)"
|
||||
echo "::error::${TEAM}-review no valid team-member approval found; check that reviewer is in ${TEAM} team or token owner is a ${TEAM} team member (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//'))"
|
||||
exit 1
|
||||
|
||||
Loading…
Reference in New Issue
Block a user