The previously pinned SHA (5d9602ee...) had a runtime bug:
require('@actions/github') throws MODULE_NOT_FOUND because
actions/github-script does not expose @actions/github on the
inline-script Node module-resolution path.
The fix at Comfy-Org/github-workflows@8ec13264 uses github.getOctokit()
instead — which IS the action's documented API for instantiating a
second Octokit client with a different token.
Surfaced by smoke-testing the detector in Comfy-Org/cloud#3917.

Best-practice hardening for the caller of the reusable detector workflow:
- Replace @v1 tag with the immutable commit SHA 5d9602ee... (# v1 comment
preserves human-readable version info). Satisfies pin-validation tools
like pinact and zizmor.
- Add explicit minimum permissions (contents: read, pull-requests: read)
at workflow level so the default permissive token scope is not granted.

Shrinks this workflow from ~210 lines to ~20 by delegating the detection
logic to a centralized reusable workflow in Comfy-Org/github-workflows.
Future changes ship from that one repo and propagate here automatically.

- Fetch full PR via pulls.get() to get merged_by (not in simple schema)
- Add idempotency check before issue creation to prevent duplicates
- Use SHA-scoped concurrency group to allow parallel independent runs
- Guard c.user null for deleted GitHub accounts
- Retry issue creation without assignee on 422
- Align policy text: "3 business days" → "3 days" to match implementation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Dismissed approvals should NOT be counted in OSS repos — PRs require
current approval at merge time.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

"Dismiss stale reviews on new commits" changes APPROVED → DISMISSED
when commits are pushed after approval. The review still happened,
so count DISMISSED as a valid approval.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Support both main and master branches (ComfyUI uses master)
- Dynamically detect branch from push context instead of hardcoding
- Fix approval check to use latest review per reviewer (handles dismissed reviews)
- Add UNREVIEWED_MERGES_TOKEN validation before use
- Add concurrency control to prevent duplicate issues
- Fix version comment: v7 -> v7.1.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Detects PRs merged to main without an approving review and creates
tracking issues in Comfy-Org/unreviewed-merges for audit purposes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
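
The approval check these commit messages describe (latest review per reviewer, a null-user guard, and the two opposite choices about DISMISSED reviews), sketched as an added example that is not the workflow's own code. The function names, the countDismissed option, the handling of COMMENTED/PENDING reviews and the sample reviews are assumptions made for illustration.

```javascript
// Added example, not the workflow's own code. Objects mirror the fields
// (user, state, submitted_at) of GitHub's "list reviews for a pull request" response.

// Keep only each reviewer's most recent state-changing review.
function latestReviewPerReviewer(reviews) {
  const latest = new Map();
  for (const r of reviews) {
    // user is null when the reviewer's account has been deleted; such a
    // review cannot be attributed, so it is skipped (assumption).
    if (!r.user || !r.user.login) continue;
    // Assumption: COMMENTED and PENDING do not replace an earlier verdict.
    if (r.state === 'COMMENTED' || r.state === 'PENDING') continue;
    const prev = latest.get(r.user.login);
    if (!prev || Date.parse(r.submitted_at) >= Date.parse(prev.submitted_at)) {
      latest.set(r.user.login, r);
    }
  }
  return latest;
}

// countDismissed=false: an approval must still stand at merge time.
// countDismissed=true: a dismissed review also counts. Note that a DISMISSED
// entry does not say whether it was an approval or a change request.
function hasApproval(reviews, { countDismissed = false } = {}) {
  const accepted = countDismissed ? ['APPROVED', 'DISMISSED'] : ['APPROVED'];
  for (const r of latestReviewPerReviewer(reviews).values()) {
    if (accepted.includes(r.state)) return true;
  }
  return false;
}

// Constructed sample: alice's approval was dismissed by a later push, bob
// approved and then requested changes, and one approval has no user.
const SAMPLE_REVIEWS = [
  { user: { login: 'alice' }, state: 'DISMISSED', submitted_at: '2025-01-01T10:00:00Z' },
  { user: { login: 'bob' }, state: 'APPROVED', submitted_at: '2025-01-01T09:00:00Z' },
  { user: { login: 'bob' }, state: 'CHANGES_REQUESTED', submitted_at: '2025-01-01T11:00:00Z' },
  { user: null, state: 'APPROVED', submitted_at: '2025-01-01T12:00:00Z' },
];

console.log('strict policy:', hasApproval(SAMPLE_REVIEWS));
console.log('count dismissed:', hasApproval(SAMPLE_REVIEWS, { countDismissed: true }));
```

Under the strict policy the sample PR would be flagged as unreviewed; with dismissed reviews counted it would not.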