fix(review): exempt the owner/admin/automation-bot from the manual-review freeze#3490
Conversation
…view freeze The maintainer-gated freeze (#3461) reused the last published AI review for any PR carrying the manual-review label, with no author exemption. Confirmed live on PR #3476: pushing genuine follow-up commits to the owner's own held PR kept replaying the ORIGINAL, now-stale AI verdict instead of evaluating the new commits, because github_app.ai_review_frozen_reuse fired on every push. The anti-gaming concern the freeze exists for is specific to a contributor iterating pushes against the bot; it never applies to the repo owner, an ADMIN_GITHUB_LOGINS fleet operator, or a protected automation bot, matching the exemption this codebase already grants those authors everywhere else (auto-close, review-nag, contributor caps). Root-caused via the live audit_events trail on the self-host VPS, which showed ai_review_frozen_reuse firing on every one of #3476's own follow-up commits despite the PR being owner-authored.
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3490 +/- ##
=======================================
Coverage 93.04% 93.04%
=======================================
Files 299 299
Lines 31210 31211 +1
Branches 11388 11389 +1
=======================================
+ Hits 29038 29039 +1
Misses 1517 1517
Partials 655 655
🚀 New features to boost your workflow:
|
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-05 10:18:09 UTC
⏸️ Suggested Action - Manual Review
Review summary Nits — 4 non-blocking
Concerns raised — review before merging
Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Summary
Fixes a real incident on PR #3476, root-caused via the live
audit_eventstrail on the self-host VPS.The maintainer-gated freeze (#3461) reuses the last published AI review for any PR carrying the
manual-reviewlabel, so a repeat push doesn't buy a fresh, expensive AI call while a PR is held. It had no author exemption. On PR #3476 (owner-authored, held only on this repo's "must link an issue" policy), pushing genuine follow-up commits kept replaying the original, now-stale AI verdict pass after pass —github_app.ai_review_frozen_reusefired on every one of that PR's own follow-up commits — hiding the owner's own fix from the review meant to evaluate it. The review comment kept quoting code that no longer existed in the file, which is what surfaced this.The anti-gaming concern the freeze exists for is specific to a contributor iterating pushes against the bot; it was never meant to apply to the repo owner's own PRs. This adds the same owner/
ADMIN_GITHUB_LOGINS/automation-bot exemption this codebase already grants those authors everywhere else (auto-close, review-nag, contributor caps) to the freeze check.Investigated by SSHing into the self-host VPS and querying the live Postgres
audit_eventstable directly fortarget_key = 'JSONbored/gittensory#3476', which showedgithub_app.ai_review_frozen_reusecompleting on every push, confirming the freeze — not a review-engine caching bug — was the cause.No linked issue — direct fix for a live incident found via VPS audit-log investigation, not a pre-filed issue.
Scope
type(scope): short summaryConventional Commit format.CONTRIBUTING.mdand does not reintroduce GitHub Pages, VitePress,site/, orCNAME.Validation
git diff --checknpm run typechecknpx vitest run test/unit/queue.test.ts— full file, 560 passed, including 3 new regression tests reproducing the exact incident (owner, admin, and automation-bot exemptions) plus the 9 pre-existing freeze tests confirming the contributor-facing freeze behavior is unchangednpm audit --audit-level=moderate— 0 vulnerabilitiesnpm run actionlint/test:workers/build:mcp/test:mcp-pack/ui:*(not re-run — no workflow, workers, MCP, or UI files touched)If any required check was skipped, explain why:
src/queue/processors.ts) plus its test file; workers/MCP/UI suites are unaffected by this diff.Safety
UI Evidencesection. (N/A — no UI changes.)