Fix scheduler token fallback #353

Merged: seonghobae merged 1 commit into develop from fix/pr-review-merge-scheduler-token-fallback on Jun 19, 2026

@seonghobae

Collaborator

Summary

  • let the PR review merge scheduler use the repository GITHUB_TOKEN when OPENCODE_APPROVE_TOKEN is absent
  • grant the scheduler only the write scopes it already needs for PR comments, branch updates, and normal merges
  • add a regression test for the fallback contract

Tests

  • actionlint .github/workflows/pr-review-merge-scheduler.yml
  • python3 scripts/checks/verify_supply_chain.py
  • uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q

Security Notes

  • Untrusted inputs: the scheduler still reads GitHub PR metadata only; it does not checkout or execute PR code.
  • Trust boundary: fallback uses the repository-scoped GITHUB_TOKEN on the protected default-branch workflow instead of requiring a long-lived secret for every pass.
  • Safe failure: the workflow still exits if no GitHub token is present and still relies on branch rules/checks for merges.
  • Logging/privacy: it logs token source only, never token values.
  • Test points: actionlint, supply-chain verification, and the new scheduler fallback test.
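
The fallback contract described in the Summary and Security Notes above, sketched as a POSIX shell step. This is an added example, not the repository's workflow: `SCHEDULER_TOKEN`, `TOKEN_SOURCE` and the function names are assumptions, and only `OPENCODE_APPROVE_TOKEN` and `GITHUB_TOKEN` come from the PR text.

```shell
# Added illustration of the token fallback contract; not the project's code.
# SCHEDULER_TOKEN, TOKEN_SOURCE and the function names are hypothetical.

# Strip surrounding whitespace. A secret that is not configured reaches the
# step as an empty string, so "" and "  " must both count as absent.
trim() {
  _t=$1
  _t=${_t#"${_t%%[![:space:]]*}"}
  _t=${_t%"${_t##*[![:space:]]}"}
  printf '%s' "$_t"
}

# Prefer the dedicated approve token, fall back to the repository token,
# and fail closed (return 1) when neither is present.
resolve_scheduler_token() {
  _approve=$(trim "${OPENCODE_APPROVE_TOKEN:-}")
  _repo=$(trim "${GITHUB_TOKEN:-}")
  if [ -n "$_approve" ]; then
    SCHEDULER_TOKEN=$_approve
    TOKEN_SOURCE=OPENCODE_APPROVE_TOKEN
  elif [ -n "$_repo" ]; then
    SCHEDULER_TOKEN=$_repo
    TOKEN_SOURCE=GITHUB_TOKEN
  else
    SCHEDULER_TOKEN=
    TOKEN_SOURCE=none
    return 1
  fi
}

# The only thing written to the job log: which variable supplied the token.
token_log_line() {
  printf 'scheduler token source: %s\n' "$TOKEN_SOURCE"
}

# Typical use inside the step (kept as a comment so sourcing has no effect):
#   resolve_scheduler_token || { token_log_line; exit 1; }
#   token_log_line
```
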

Comment thread .github/workflows/pr-review-merge-scheduler.yml Fixed

@github-actions github-actions Bot left a comment

Contributor

Pull request overview

OpenCode found current-head GitHub Check failures and could not approve until they are mapped to source-backed fixes.

Findings

Line-specific fallback findings:

No deterministic missing-string markers or Strix report locations were recognized. Use the failed-check evidence below to map each failed check to exact local source lines before approving.

Verification

  • Review source: independent OpenCode failed-check diagnosis using current-head check evidence.
  • Result: REQUEST_CHANGES
  • Reason: one or more GitHub Checks failed on current head 002d0f818764fe1ed5eb8b895e4f8de3a24c2aea.

Gate evidence

  • Head SHA: 002d0f818764fe1ed5eb8b895e4f8de3a24c2aea
  • Workflow run: 27815472569
  • Workflow attempt: 1

Failed checks:

Failed check evidence for line-specific fixes:

Failed GitHub Check Evidence

  • PR: #353
  • Head SHA: 002d0f818764fe1ed5eb8b895e4f8de3a24c2aea
  • Repository: ContextualWisdomLab/bandscope

Line-specific repair contract

  • Treat the check logs and annotations below as diagnostic evidence, not as a complete review.

  • For each actionable failed check, inspect the local source or diff and identify the exact file line that must change.

  • OpenCode REQUEST_CHANGES findings must include path, line, root_cause, fix_direction, regression_test_direction, and suggested_diff.

  • Do not request changes with only a GitHub Actions URL or a generic check name.

  • When Strix logs contain multiple Vulnerability Report or Model ... Vulnerabilities ... sections, include every model-reported vulnerability in the review evidence and findings, including model name, title, severity, endpoint, and Code Locations/path:line evidence when present.

  • Create one OpenCode finding per Strix model vulnerability report; do not satisfy two model reports with one combined finding, even when titles or locations match.

Failed check: ci/ci / build-and-test

Failed job steps

  • step 7: Run quickcheck (failure)

Check annotations

  • .github:72-72 [failure] Process completed with exit code 1.

Failed log excerpt

The failed job log could not be collected with gh run view --log-failed.

run 27815472568 is still in progress; logs will be available when it is complete

Failed check: release/release-preflight

Failed job steps

  • step 9: Run harness verification (failure)

Check annotations

  • .github:78-78 [failure] Process completed with exit code 1.

Failed log signal summary

release-preflight	Run harness verification	2026-06-19T08:46:25.1387124Z ##[error]Process completed with exit code 1.

Failed log excerpt

release-preflight	Run harness verification	2026-06-19T08:46:19.3226844Z ##[group]Run ./scripts/harness/quickcheck.sh
release-preflight	Run harness verification	2026-06-19T08:46:19.3227229Z ^[[36;1m./scripts/harness/quickcheck.sh^[[0m
release-preflight	Run harness verification	2026-06-19T08:46:19.3262394Z shell: /usr/bin/bash -e {0}
release-preflight	Run harness verification	2026-06-19T08:46:19.3262664Z env:
release-preflight	Run harness verification	2026-06-19T08:46:19.3262873Z   GIT_CONFIG_COUNT: 1
release-preflight	Run harness verification	2026-06-19T08:46:19.3263121Z   GIT_CONFIG_KEY_0: init.defaultBranch
release-preflight	Run harness verification	2026-06-19T08:46:19.3263414Z   GIT_CONFIG_VALUE_0: develop
release-preflight	Run harness verification	2026-06-19T08:46:19.3263743Z   pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
release-preflight	Run harness verification	2026-06-19T08:46:19.3264176Z   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
release-preflight	Run harness verification	2026-06-19T08:46:19.3264598Z   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
release-preflight	Run harness verification	2026-06-19T08:46:19.3264981Z   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
release-preflight	Run harness verification	2026-06-19T08:46:19.3265369Z   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
release-preflight	Run harness verification	2026-06-19T08:46:19.3265749Z   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
release-preflight	Run harness verification	2026-06-19T08:46:19.3266150Z   UV_PYTHON_INSTALL_DIR: /home/runner/work/_temp/uv-python-dir
release-preflight	Run harness verification	2026-06-19T08:46:19.3266517Z ##[endgroup]
release-preflight	Run harness verification	2026-06-19T08:46:19.3602997Z Documentation check passed
release-preflight	Run harness verification	2026-06-19T08:46:19.3880721Z Security Notes check passed
release-preflight	Run harness verification	2026-06-19T08:46:19.7258393Z Security pattern gate passed
release-preflight	Run harness verification	2026-06-19T08:46:20.0471813Z Supply-chain verification passed
release-preflight	Run harness verification	2026-06-19T08:46:20.0783478Z GitHub bootstrap policy check passed
release-preflight	Run harness verification	2026-06-19T08:46:20.1771367Z 
release-preflight	Run harness verification	2026-06-19T08:46:20.1771970Z > bandscope@0.1.3 lint
release-preflight	Run harness verification	2026-06-19T08:46:20.1773692Z > npm run lint:workspaces && npm run check:docs && npm run check:security-notes && npm run check:security-gates && npm run check:supply-chain && npm run check:github-bootstrap && npm run check:python-docstrings && npm run ruff:check && npm run ruff:format:check && npm run bandit:check
release-preflight	Run harness verification	2026-06-19T08:46:20.1774633Z 
release-preflight	Run harness verification	2026-06-19T08:46:20.2780363Z 
release-preflight	Run harness verification	2026-06-19T08:46:20.2781091Z > bandscope@0.1.3 lint:workspaces
release-preflight	Run harness verification	2026-06-19T08:46:20.2781611Z > npm run lint --workspaces --if-present
release-preflight	Run harness verification	2026-06-19T08:46:20.2781843Z 
release-preflight	Run harness verification	2026-06-19T08:46:20.3907125Z 
release-preflight	Run harness verification	2026-06-19T08:46:20.3907826Z > @bandscope/desktop@0.1.0 lint
release-preflight	Run harness verification	2026-06-19T08:46:20.3908373Z > eslint "src/**/*.{ts,tsx}" vite.config.ts
release-preflight	Run harness verification	2026-06-19T08:46:20.3908751Z 
release-preflight	Run harness verification	2026-06-19T08:46:22.2193864Z 
release-preflight	Run harness verification	2026-06-19T08:46:22.2194644Z > @bandscope/shared-types@0.1.0 lint
release-preflight	Run harness verification	2026-06-19T08:46:22.2195153Z > eslint "src/**/*.ts" "test/**/*.ts"
release-preflight	Run harness verification	2026-06-19T08:46:22.2195372Z 
release-preflight	Run harness verification	2026-06-19T08:46:23.4829418Z 
release-preflight	Run harness verification	2026-06-19T08:46:23.4830158Z > bandscope@0.1.3 check:docs
release-preflight	Run harness verification	2026-06-19T08:46:23.4830825Z > python3 scripts/checks/verify_docs.py
release-preflight	Run harness verification	2026-06-19T08:46:23.4831175Z 
release-preflight	Run harness verification	2026-06-19T08:46:23.5107685Z Documentation check passed
release-preflight	Run harness verification	2026-06-19T08:46:23.6119094Z 
release-preflight	Run harness verification	2026-06-19T08:46:23.6119864Z > bandscope@0.1.3 check:security-notes
release-preflight	Run harness verification	2026-06-19T08:46:23.6120575Z > python3 scripts/checks/verify_security_notes.py
release-preflight	Run harness verification	2026-06-19T08:46:23.6120818Z 
release-preflight	Run harness verification	2026-06-19T08:46:23.6403954Z Security Notes check passed
release-preflight	Run harness verification	2026-06-19T08:46:23.7425954Z 
release-preflight	Run harness verification	2026-06-19T08:46:23.7426677Z > bandscope@0.1.3 check:security-gates
release-preflight	Run harness verification	2026-06-19T08:46:23.7427145Z > python3 scripts/checks/security_gates.py
release-preflight	Run harness verification	2026-06-19T08:46:23.7427410Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.0769186Z Security pattern gate passed
release-preflight	Run harness verification	2026-06-19T08:46:24.1839131Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.1839744Z > bandscope@0.1.3 check:supply-chain
release-preflight	Run harness verification	2026-06-19T08:46:24.1840243Z > python3 scripts/checks/verify_supply_chain.py
release-preflight	Run harness verification	2026-06-19T08:46:24.1840483Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.5064854Z Supply-chain verification passed
release-preflight	Run harness verification	2026-06-19T08:46:24.6190381Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.6191198Z > bandscope@0.1.3 check:github-bootstrap
release-preflight	Run harness verification	2026-06-19T08:46:24.6191995Z > python3 scripts/checks/verify_github_bootstrap_policy.py
release-preflight	Run harness verification	2026-06-19T08:46:24.6192427Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.6566222Z GitHub bootstrap policy check passed
release-preflight	Run harness verification	2026-06-19T08:46:24.7626133Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.7627011Z > bandscope@0.1.3 check:python-docstrings
release-preflight	Run harness verification	2026-06-19T08:46:24.7628358Z > sh -c 'cd services/analysis-engine && uv run ruff check src tests ../../scripts --select D100,D101,D102,D103,D104,D105,D106,D107'
release-preflight	Run harness verification	2026-06-19T08:46:24.7629442Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.8451921Z All checks passed!
release-preflight	Run harness verification	2026-06-19T08:46:24.9480214Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.9480947Z > bandscope@0.1.3 ruff:check
release-preflight	Run harness verification	2026-06-19T08:46:24.9482220Z > sh -c 'cd services/analysis-engine && uv run ruff check src tests'
release-preflight	Run harness verification	2026-06-19T08:46:24.9482715Z 
release-preflight	Run harness verification	2026-06-19T08:46:24.9838055Z All checks passed!
release-preflight	Run harness verification	2026-06-19T08:46:25.0836729Z 
release-preflight	Run harness verification	2026-06-19T08:46:25.0837721Z > bandscope@0.1.3 ruff:format:check
release-preflight	Run harness verification	2026-06-19T08:46:25.0838352Z > sh -c 'cd services/analysis-engine && uv run ruff format --check src tests'
release-preflight	Run harness verification	2026-06-19T08:46:25.0838975Z 
release-preflight	Run harness verification	2026-06-19T08:46:25.1213114Z Would reformat: tests/test_supply_chain_policy.py
release-preflight	Run harness verification	2026-06-19T08:46:25.1213706Z 1 file would be reformatted, 59 files already formatted
release-preflight	Run harness verification	2026-06-19T08:46:25.1387124Z ##[error]Process completed with exit code 1.

Failed check: Scorecard

No GitHub Actions job log is available for this status context.

@github-actions

github-actions Bot commented Jun 19, 2026

Contributor

OpenCode Review Overview

  • Head SHA: ac685dfac638f183118cd51fa363fa9c6acf34a3
  • Workflow run: 27815684284
  • Workflow attempt: 1
  • Gate result: OPENCODE_REVIEW_UNAVAILABLE (approval step)

OpenCode Agent did not produce a valid review payload after all current-head GitHub Checks completed.

  • Result: OPENCODE_REVIEW_UNAVAILABLE
  • Reason: OpenCode review attempts did not complete or did not return a valid control block.
  • OpenCode outcomes: primary=failed, fallback=failed, second_fallback=failed
  • Head SHA: ac685dfac638f183118cd51fa363fa9c6acf34a3
  • Workflow run: 27815684284
  • Workflow attempt: 1

No blocking review was submitted because this is an agent/runtime failure, not a source-backed code finding.

@seonghobae seonghobae force-pushed the fix/pr-review-merge-scheduler-token-fallback branch from 002d0f8 to ac685df June 19, 2026 08:50
@seonghobae seonghobae dismissed github-actions[bot]’s stale review June 19, 2026 09:03

Dismissed as stale: this CHANGES_REQUESTED review is tied to old head 002d0f8 and failed checks from run 27815472569. Current head ac685df has all checks passing, including ci, release-preflight, build-baseline, security-audit, and OpenCode review run 27815684284.

@seonghobae seonghobae merged commit a059867 into develop Jun 19, 2026
25 checks passed
@seonghobae seonghobae deleted the fix/pr-review-merge-scheduler-token-fallback branch June 19, 2026 09:03