From 16de1984fb2bf31bb301f1486297019692495680 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Sun, 31 May 2026 14:28:10 +0200
Subject: [PATCH] feat(security-issue-sync): tune pre-flight classifier — skill-marker detection + relaxed rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A dry-run of #414's pre-flight against a real adopter tracker revealed the original rules misfired in two ways:

- The "last comment author is a bot" check was structurally unreachable on single-operator private trackers where the sync skill writes rollup updates as the operator's personal GitHub user, not as a *[bot] account.
- The 7-day updatedAt safety override caught most trackers because every tracker had been touched by the recent sync itself (rollup-comment writes, label flips) — conflating skill activity with substantive activity.

Skip rate measured ~5% in this setup vs the predicted 30-50%.

This tunes the classifier with two changes:

1. Skill-or-bot detection. Treat a comment as bot-equivalent when its body starts with the skill marker ` + ``` + + Concretely, treat the last-comment author as *bot-equivalent* if + **any** of these is true: + + - `login in {github-actions[bot], dependabot[bot]}` or + `login` ends with `[bot]` (real GitHub App accounts). + - The body starts with `
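
Review bot: In the added "bot-equivalent" list, the body-prefix rule ("The body starts with ...") trusts comment content alone, so any account that can comment on the tracker could begin a comment with the marker and have it classified as skill output, which would let a substantive human comment be skipped by the pre-flight. Consider requiring the marker together with an author check (for example, that the login is the operator account the skill writes as), or state next to the rule that the tracker's commenters are trusted. In the first bullet, `github-actions[bot]` and `dependabot[bot]` both already end with `[bot]`, so the explicit set is redundant with the suffix rule; drop it or say why it is listed separately.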