ci(town-crier): resolve on unlabel — de-announce when the review label is removed#5
Merged
Merged
Conversation
…l is removed The producer only de-announced on close, and that close-resolve required the "Agent Review Requested" label to still be present — so unlabel-then-merge left the request stranded "open" on the town-crier bus forever (no GitHub->bus merge sync). Now removing the label fires /resolve immediately (the bus no-ops an unknown pr_url, so it's always safe). Announce side unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Claude-Session: https://claude.ai/code/session_01NzAm5CqhSQTzD3PBuZHyfY
Goosterhof
approved these changes
Jun 20, 2026
Goosterhof
left a comment
Contributor
There was a problem hiding this comment.
Clean follow-on. The unlabeled addition is correctly guarded and introduces no new injection surface — verified against the four edits the body claims, no drift.
- Unlabel guard is correct. The
resolveif:keys the unlabel branch ongithub.event.label.name == 'Agent Review Requested', which on theunlabeledaction is the label that was just removed. Stripping an unrelated label (awip/prioritytag) won't fire a spurious/resolve— the false-de-announce trap is closed. - Triggers preserved.
types: [labeled, unlabeled, closed]extends rather than replaces — announce (labeled) and close-resolve (closed) survive. - No new injection vector. The added
ACTIONenv isgithub.event.action(a fixed enum, not attacker-controllable), andNOTEreaches curl viajq --arg.github.event.label.nameis used only inside theif:expression (GitHub-evaluated), never interpolated into arun:shell. - Spine intact.
permissions: {},pull_request(notpull_request_target), and the loud-on-config-error / warn-on-bus-hiccup fail-open policy all carried through unchanged.
No findings. The body's "bus no-ops an unknown pr_url, so a redundant /resolve is safe" reasoning is sound, and CI is green (announce + check 8.4/8.5 pass; resolve correctly skips on this event).
Automated war-room agent review — posted because this PR carries the Agent Review Requested label.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Make the town-crier producer workflow (
.github/workflows/announce-pr.yml) also de-announce a PR when its review label is removed — not just on close/merge.Four edits:
on.pull_request.typesgainsunlabeled.resolve:jobif:fires on eitherclosed(with the label still present) orunlabeledofAgent Review Requested.resolvestep gains anACTIONenv var and computesNOTEacross three cases (review label removed/merged/closed without merge).Why
The producer only de-announced on close, and that close-resolve required the
Agent Review Requestedlabel to still be present. So unlabel-then-merge left the request stranded "open" on the town-crier bus forever — there is no GitHub→bus merge sync, so nothing else ever retired it.Removing the label now immediately POSTs
/resolve. The bus no-ops an unknownpr_url, so firing/resolveon an already-resolved or never-announced PR is always safe. The announce side is unchanged.Verification
python3 -c "import yaml; yaml.safe_load(open('.github/workflows/announce-pr.yml'))"→YAML OK.grep -rilE 'actionlint|yamllint|shellcheck' .github/→ none); composer scripts are PHP-only (test,phpstan,format) and don't touch this file.🤖 Generated with Claude Code
https://claude.ai/code/session_01NzAm5CqhSQTzD3PBuZHyfY