ci: disable auto-review.yml workflow (closes #404) #405

Merged
dmystical-coder merged 1 commit into main from fix/disable-auto-review-workflow on May 30, 2026

Conversation

@dmystical-coder
Collaborator

Summary

Disables .github/workflows/auto-review.yml by renaming it to auto-review.yml.disabled so GitHub Actions stops loading it. File is preserved in the tree (not deleted) for future reference.

Opened as draft so the workflow being disabled does not attempt to auto-merge its own removal at confidence ≥0.7. Mark ready-for-review or merge directly from draft once you've confirmed.

Why disable rather than patch

Closes #404. The issue lists four concrete problems with the workflow. Three (admin bypass, branding leftovers, unpinned action) could be patched in place, but the fourth — the system prompt — cannot:

"You are an EXTREMELY LENIENT code reviewer for Lernza, a hackathon project. Interns are shipping fast. CI has been disabled to maximise velocity. … IGNORE all of: code style, formatting, naming conventions, missing tests, untyped code, imperfect patterns, unhandled edge cases, performance, accessibility, missing comments, missing documentation, ugly code, … missing tests → APPROVE, no error handling → APPROVE, hardcoded values, magic numbers → APPROVE"

This is a hackathon-velocity prompt. It is structurally incompatible with a Soroban contract that custodies funds. A drop-in patch of the merge flags would leave an LLM in front of every PR instructed to wave through code with no error handling — exactly the opposite of what a smart-contract project needs.

If you want an advisory bot in the future, design it from scratch:

  • Run on pull_request (not pull_request_target), so fork PRs run with no secrets and no write access.
  • Use a review prompt calibrated for security-sensitive Rust (style ✅ ignore, but missing checks / unchecked arithmetic / reentrancy patterns ❌ flag).
  • Never auto-merge. Comment only.
  • Pin every third-party action to a SHA.

Effect on CI

.github/workflows/ci.yml is unchanged. Tests + WASM build still run on every PR. Issue #403 (add fmt + clippy jobs) is the next CI hardening step.

Test plan

  • Confirm .github/workflows/auto-review.yml no longer exists in the workflows path after merge.
  • Open a small test PR after merge and verify no auto-review comment appears.
  • Verify ci.yml still runs on the test PR.

The auto-review workflow auto-merges PRs scored confidence>=0.7 by an
LLM using `gh pr merge --admin`, bypassing branch protection. This is
how PR #399 landed in a non-compiling state (#400, #401, #402).

Beyond the --admin bypass, the file has multiple structural problems
that cannot be patched without a full rewrite:

  - System prompt is configured to "APPROVE almost everything" with
    explicit instructions to ignore missing tests, no error handling,
    hardcoded values, etc. This framing is incompatible with a
    smart-contract project that custodies funds.
  - Runs on `pull_request_target` with `contents: write` permissions,
    a known supply-chain risk surface.
  - System prompt still references "Lernza, a hackathon project"
    (leftover from another repo) and merge commits inject
    `Co-authored-by: Dopey <hello@sshdopey.com>` on every auto-merge.
  - `actions/checkout@v6` is unpinned (tag, not SHA).

This commit renames the file to `auto-review.yml.disabled` so GitHub
Actions stops loading it. The file is preserved in the tree (not
deleted) for reference if a future advisory bot is designed from
scratch with safer foundations.

CI (`ci.yml`) is unaffected. PR review is now fully human-driven.

Closes #404
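The "design it from scratch" list in the PR body and the problem list in the commit message describe the same four properties of a safe advisory workflow: a `pull_request` trigger rather than `pull_request_target`, no `contents: write`, every third-party action pinned to a full commit SHA, and comment-only output with no `gh pr merge` (let alone `--admin`). The scanner below is an added example, not code from this repository: it is a regex scan over workflow text (not a YAML parser), and both workflow texts are constructed to mirror the weak pattern and the hardened pattern; the 40-zero SHA in the hardened sample is a placeholder, not a real `actions/checkout` commit.

```python
"""Heuristic policy scan for GitHub Actions workflow text.

Added example (not the project's code). It is a line/regex scanner, not a
YAML parser, and the two workflow texts below are constructed to mirror the
flaws listed in the commit message and the hardened design in the PR body.
"""
import re

# Constructed sample modelled on the problems described in the PR:
# pull_request_target trigger, contents: write, tag-pinned action, gh pr merge --admin.
WEAK_WORKFLOW = """\
name: auto-review
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: gh pr merge --admin --squash "$PR_URL"
"""

# Constructed sample following the PR's four recommendations: pull_request
# trigger, read-only contents, SHA-pinned action, comment-only output.
# The 40-zero SHA is a placeholder, not a real actions/checkout commit.
HARDENED_WORKFLOW = """\
name: advisory-review
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - run: gh pr comment "$PR_URL" --body-file review.md
"""

FULL_SHA = re.compile(r"[0-9a-f]{40}")


def check_workflow(text: str) -> list[str]:
    """Return one finding string per policy violation found in `text`."""
    findings = []

    # 1. Trigger: pull_request_target runs with the base repo's secrets and
    #    token even for fork PRs; pull_request does not.
    if re.search(r"^\s*pull_request_target\s*:", text, re.M):
        findings.append("trigger: pull_request_target exposes secrets and a "
                        "write token to fork PRs; use pull_request")

    # 2. Permissions: a contents: write token can push, tag or merge.
    if re.search(r"^\s*(contents\s*:\s*write|permissions\s*:\s*write-all)\b",
                 text, re.M):
        findings.append("permissions: contents: write lets the job modify "
                        "the repository; use contents: read")

    # 3. Pinning: every third-party action should reference a full commit SHA.
    for match in re.finditer(r"^\s*-?\s*uses\s*:\s*(\S+)", text, re.M):
        ref = match.group(1)
        if ref.startswith("./"):          # local action, nothing to pin
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.fullmatch(version):
            findings.append(f"unpinned action: {ref} (pin to a 40-char SHA)")

    # 4. Merging: an advisory bot comments; it never merges, and never with
    #    --admin, which bypasses branch protection.
    for match in re.finditer(r"gh\s+pr\s+merge[^\n]*", text):
        note = "auto-merge: workflow merges PRs itself; comment only"
        if "--admin" in match.group(0):
            note += " (and --admin bypasses branch protection)"
        findings.append(note)

    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {check_workflow(wf) or ['no findings']}")
```

Running the script reports four findings for the weak sample and none for the hardened one. The scan is deliberately conservative about what it ignores: `pull-requests: write` is left alone in both samples because a comment-only bot needs it, and only `contents: write` (or `write-all`) is treated as a merge-capable token.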
@dmystical-coder dmystical-coder marked this pull request as ready for review May 30, 2026 12:49
@dmystical-coder dmystical-coder merged commit b3178a1 into main May 30, 2026
2 of 3 checks passed
@dmystical-coder dmystical-coder deleted the fix/disable-auto-review-workflow branch May 30, 2026 12:49
@sshdopey sshdopey (Contributor) left a comment


This PR has an empty or whitespace-only diff — no real code changes detected.

If you intended to push code, please commit it. Closing automatically; reopen once you have actual changes.


Development

Successfully merging this pull request may close these issues.

[P0][Security] Auto-review workflow uses --admin to bypass branch protection
