Add unreviewed-merge detector (SOC 2 compliance)#464
Conversation
Calls the reusable workflow at Comfy-Org/github-workflows. On every push to main, finds the associated PR, and if it was merged without an approving review, files a tracking issue in Comfy-Org/unreviewed-merges. approval-mode: latest-per-reviewer Requires the UNREVIEWED_MERGES_TOKEN secret (fine-grained PAT with issues:write on Comfy-Org/unreviewed-merges) to be configured.
Codecov Report✅ All modified and coverable lines are covered by tests. @@ Coverage Diff @@
## main #464 +/- ##
=======================================
Coverage 83.25% 83.25%
=======================================
Files 45 45
Lines 6801 6801
=======================================
Hits 5662 5662
Misses 1139 1139 🚀 New features to boost your workflow:
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR adds a new GitHub Actions workflow that detects unreviewed merges to main and master branches. It configures per-commit concurrency, enforces read-only permissions, and delegates detection to a pinned reusable workflow with per-reviewer approval tracking—ensuring that no code slips through without a proper review (no commits without review commendations, if you will). ChangesUnreviewed Merge Detection Workflow
🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
…nto the run/ package + single-client architecture Upstream (dffa5c1..a392f55) carried five telemetry/tracking commits; most of #461/#463 was already on this branch, so the merge mainly ports #465 and #468 into our architecture: - PostHog dual-send + lifecycle events (#461): already present in our tracking.py (_dispatch fan-out) and cmdline.py run lifecycle; conflicts resolved to our superset (keeps _ensure_user_id(persist=), submit_feedback, submit_agent_review, _consent_enabled). - DO_NOT_TRACK / COMFY_NO_TELEMETRY (#463): already present; kept ours. - cli: event prefix (#465): took upstream's POSTHOG_EVENT_PREFIX in tracking.py PostHogProvider.capture + upstream's prefix tests in tests/comfy_cli/test_tracking_providers.py. - Comfy-Usage-Source header (#468): run.py was deleted here, so the header + extra_data.comfy_usage_source landed in comfy_cli/command/run/execution.py (WorkflowExecution.queue) and comfy_cli/comfy_client.py (Client._request header on every local/cloud request, submit_prompt extra_data); generate/client.py auto-merged upstream's header. Adapted tests/comfy_cli/cloud/test_client.py extra_data assertions accordingly. - SOC2 unreviewed-merge detector (#464) + pytest.yml codecov bump: taken from upstream as-is. - uv.lock: took upstream then regenerated with `uv lock` (posthog already a dependency here). - Upstream's non-TTY auto-consent assertion in test_tracking.py kept at our deliberate behavior (non-interactive sessions do NOT auto-enable tracking). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Adds the unreviewed-merge detector for SOC 2 compliance.
On every push to
main, this workflow finds the associated PR. If it was merged without an approving review, the reusable workflow atComfy-Org/github-workflowsfiles a tracking issue inComfy-Org/unreviewed-mergeswith labels and (if provided) the inlineJustification:line from the PR body.Action required before merge
The
UNREVIEWED_MERGES_TOKENrepo secret must be configured. It is a fine-grained PAT withissues:writeonComfy-Org/unreviewed-merges. Without it the workflow run will fail with a clear error message.Approval mode
See the comment in the file. This repo uses
latest-per-reviewerbecause of its branch-protection / stale-review-dismissal configuration.Reusable workflow pin
Pinned to
Comfy-Org/github-workflows@4d9cb6b87f953bb7cd69954280e1465fb9bd2040(v1). The trailing# v1comment matches the moving tag. Bump via Dependabot/Renovate.