release.yml: composer audit gate parity (v0.1.0 prep) #3
PR Reviewer · claimed
PR Reviewer · 9/10 · PASS · 🟡 1 MINOR · kendo-report-tool #3 · AC anchor: none · Action: merge-ready
Finding (why + fix, Plan-less mode, universal heuristics): The FeedbackController example declares Fix: Add
jasperboerhof
left a comment
Auto-approved — review verdict is PASS, CI is green, and no human blocker is outstanding. See the verdict comment for the breakdown.
Goosterhof
left a comment
✅ Approve-worthy
0 blockers · 0 concerns · 2 nits · 2 praise
Three-file docs + release-prep PR: replaces the stale "lands in the first client release" Usage blockquote (and its broken Agent-OS PLAN.md link) with a real `submit()` Usage section, cuts a `## [0.1.0]` CHANGELOG heading, and backfills the missing `composer audit` step in `release.yml`. No `src/` changes. Every doc claim I spot-checked matches source — this is mergeable.
Verification
- Signature — README's documented `submit(string $title, string $description, ?string $authorName = null, array $files = []): ?array` matches `src/KendoReports.php:51` character-for-character.
- Contract — the 201 → decoded body, non-201/transport-failure → `ReportSubmissionException`, `REPORT_TOOL_SWALLOW=true` → log + `null` claims all match `KendoReports.php:59-64` and `:132-137`; `config/report-tool.php:80` confirms the `REPORT_TOOL_SWALLOW` env key.
- Gate parity — `release.yml` `verify` now reads install → audit → format:check → phpstan → test, exactly mirroring `ci.yml:27-39`. The asymmetry the PR body claims to close is real and now closed.
- Release-notes extraction — `release.yml`'s awk keys on `/^## \[/` matching the tag version, printing until the next `## [` boundary. The new heading `## [0.1.0] - 2026-06-08` satisfies the `\[0.1.0\]` match, and the `### Added` body sits between it and EOF, so `v0.1.0` tag-time extraction will capture the right block.
Nits
- `README.md` — the `FeedbackController` snippet declares `public function store(...): RedirectResponse` but its `use` block imports only `Illuminate\Http\Request` and `KendoReports`, not `Illuminate\Http\RedirectResponse`. Illustrative-only, won't bite a reader, but a complete copy-paste snippet would import every referenced type.
- `CHANGELOG.md` — `### Added` now lives under `## [0.1.0]`, leaving `## [Unreleased]` with no body. That's correct Keep-a-Changelog form for a cut release, but the next contributor will need to re-add a `### Added` (or similar) stub under `[Unreleased]`; harmless, just flagging that the empty section is intentional.
Praise
- The CHANGELOG heading text was deliberately kept as exactly `## [0.1.0]` to satisfy the `release.yml` awk extractor — that coupling between heading format and the tag-time notes generator is load-bearing and the PR body called it out explicitly rather than leaving it implicit.
- Killing the broken `github.com/script-development/PLAN.md` link (an Agent-OS internal reference that would 404 for any consumer) rather than just patching it — the right call for a public packagist package's front door.
Automated war-room agent review — posted because this PR carries the Agent Review Requested label.
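The extraction rule this review describes (start at the `## [<version>]` heading, print until the next `## [` boundary), as an added example that is not part of this PR or the project's own `release.yml`: the awk, the CHANGELOG content and the temp file are constructed here, and the project's real script is only described on the page, not quoted. It also shows the failure mode the praise item points at, an unbracketed heading that the extractor never matches:

```shell
# Added example, not the project's own release.yml: reproduces the extraction
# rule the review describes -- start at the "## [<version>]" heading and print
# until the next "## [" heading -- against a constructed CHANGELOG.md.
set -eu

# Constructed CHANGELOG.md in the Keep-a-Changelog form the reviews describe.
write_changelog() {
  cat > "$1" <<'EOF'
# Changelog

## [Unreleased]

## [0.1.0] - 2026-06-08

### Added
- KendoReports::submit() transport (title, description, author, files).
EOF
}

# Same file with the brackets dropped from the release heading: the extractor
# below never matches it, which is the coupling the review calls load-bearing.
write_unbracketed_changelog() {
  write_changelog "$1"
  sed 's/^## \[0.1.0\]/## 0.1.0/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# release_notes <version> <changelog>: body under "## [<version>]" up to the
# next "## [" heading or EOF. This awk is the example's own, written from the
# page's description; the project's actual script is not quoted there.
release_notes() {
  awk -v ver="$1" '
    /^## \[/ {
      if (found) exit                       # next release boundary: stop
      found = (index($0, "[" ver "]") > 0)  # literal "[ver]" on the heading
      next
    }
    found { print }
  ' "$2"
}

# Non-empty line count of the block; 0 means tag-time notes would be empty.
release_notes_lines() { release_notes "$1" "$2" | grep -c . || true; }

tmp=$(mktemp)
write_changelog "$tmp"
echo "v0.1.0 notes ($(release_notes_lines 0.1.0 "$tmp") lines):"; release_notes 0.1.0 "$tmp"
write_unbracketed_changelog "$tmp"
echo "unbracketed heading: $(release_notes_lines 0.1.0 "$tmp") lines"   # 0
rm -f "$tmp"
```

Querying `Unreleased` returns an empty body, which is the empty-section state the CHANGELOG nit flags.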
PR Merger · claimed
PR Merger · needs-human
README Usage: replace the unbuilt-scaffold blockquote (and its broken Agent-OS PLAN.md link) with a real Usage section for the shipped KendoReports::submit() transport — signature, return/throw contract, swallow mode, and a backend-relay controller snippet.

CHANGELOG: cut a [0.1.0] - 2026-06-08 heading (empty [Unreleased] kept above it) with the shipped submit() transport under Added; release.yml awk keys on the exact "## [0.1.0]" heading.

release.yml: add the missing "Audit dependencies" / composer audit step to the verify job so the tag-time gate set matches ci.yml (install → audit → format:check → phpstan → test).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
249f1e0 to 4e4808a
Goosterhof
left a comment
✅ Approve-worthy
0 blockers · 0 concerns · 0 nits · 1 praise
A 3-line CI-parity chore: inserts the missing composer audit step into release.yml's verify job so a v0.1.0 tag is gated to the same standard as a PR. The diff is minimal, correctly placed, and every claim in the PR body checks out against main.
Verification
- Parity target is real — `ci.yml:29` runs an `Audit dependencies` / `composer audit` step; `release.yml` on `main` skipped straight from `Install dependencies` to `Format check` (`release.yml:36→40`). The audit gap was genuine.
- Exact placement match — the new step lands between Install and Format check with the identical step name and `run:` command as CI. Tag-time gate set now reads install → audit → format:check → phpstan → test, mirroring CI's `name:` sequence (`ci.yml:26,29,32,35,38`).
- Scope-note claim holds — `main` already carries `## [0.1.0] — 2026-06-08` and the `submit()` surface in `CHANGELOG.md:9,17` (PR #2). The README/CHANGELOG edits this branch originally carried were correctly superseded on rebase; the diff is now `src/`-free and touches only the workflow.
Praise
- Right instinct to gate the tag at PR-equivalent rigor — an audit step that only fires on PRs but not at release lets a vulnerable transitive slip into a published `v0.1.0`. Closing that asymmetry before the first tag is the correct sequencing.
Automated war-room agent review — posted because this PR carries the Agent Review Requested label.
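A drift check for the gate parity this review verifies by hand, added here and not part of the project's tooling: it reads the ordered step names of the `verify` job from two workflow bodies and reports whether the release gate runs exactly the CI steps. Both workflow bodies are constructed; the step names come from the review, and every `run:` command other than `composer audit` is an assumption:

```shell
# Added example, not the project's own workflow or tooling: detects gate drift
# between ci.yml and release.yml by comparing the ordered step names of the
# verify job. Step names follow the review; run: commands are assumptions.
set -eu

# Constructed ci.yml verify job (run: commands other than composer audit assumed).
ci_yml() {
  cat <<'EOF'
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist
      - name: Audit dependencies
        run: composer audit
      - name: Format check
        run: composer format:check
      - name: PHPStan
        run: composer phpstan
      - name: Test
        run: composer test
EOF
}
# release.yml as it stood on main: the audit step is missing (the gap this PR closes).
release_yml_before() { ci_yml | grep -v -e 'Audit dependencies' -e 'composer audit'; }
# release.yml after the PR: the same gate set as CI.
release_yml_after() { ci_yml; }

# job_steps <job>: ordered step names under that job, read from a workflow on stdin.
job_steps() {
  awk -v job="$1" '
    /^  [A-Za-z_-]+:/ { injob = ($1 == (job ":")); next }
    injob && /^      - name: / { sub(/^      - name: /, ""); print }
  '
}

# gate_parity <release-producer>: "ok" if the release verify job runs exactly the
# CI steps in the same order, else "drift".
gate_parity() {
  [ "$(ci_yml | job_steps verify)" = "$("$1" | job_steps verify)" ] && echo ok || echo drift
}

echo "ci:             $(ci_yml | job_steps verify | paste -s -d '>' -)"
echo "release before: $(release_yml_before | job_steps verify | paste -s -d '>' -) -> $(gate_parity release_yml_before)"
echo "release after:  $(release_yml_after | job_steps verify | paste -s -d '>' -) -> $(gate_parity release_yml_after)"
```

Pointing `ci_yml` and the release producer at real files would turn this into a CI job that fails whenever the two gate sets diverge again.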
PR Reviewer · claimed
PR Reviewer · 9/10 · PASS · kendo-report-tool #3 · AC anchor: none · No findings — all reviewers clean · Action: merge-ready
jasperboerhof
left a comment
Auto-approved — review verdict is PASS, CI is green, and no human blocker is outstanding. See the verdict comment for the breakdown.
What
Brings the tag-time release gate to parity with CI so a `v0.1.0` tag is verified to the same standard as a PR.
- Adds the `Audit dependencies` / `composer audit` step to the `verify` job, between Install and Format check, matching `ci.yml`.
- Tag-time gate set now matches CI: install → audit → format:check → phpstan → test.
- No `src/` changes.

Scope note (rebased 2026-06-09)
This PR originally also reworked the README Usage section and cut the `## [0.1.0]` CHANGELOG heading. PR #2 landed equivalent (richer) README + CHANGELOG content into `main` first, so on rebase those edits were superseded and dropped — `main` already documents the built `submit()` surface and the `0.1.0` release. The branch now carries only the `composer audit` release-gate step, which `main` still lacked.

Why
Adjutant M1 first-contact finding F-ADJ-02 (release.yml audit-gap). The docs finding F-ADJ-01 is already closed on `main` via PR #2.

Follow-up
Merge → tag `v0.1.0` is the Commander's follow-up — that is what makes the package stably installable via `composer require` under `minimum-stability: stable`. This PR cannot self-merge (protected `main`, code-owner review required).

🤖 Generated with Claude Code