npm - clud-bug - Versions diffs - 0.6.23 → 0.6.24 - Mend

clud-bug 0.6.23 → 0.6.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/templates/workflow-py.yml.tmpl +10 -6
package/templates/workflow-ts.yml.tmpl +10 -6
package/templates/workflow.yml.tmpl +20 -13

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clud-bug",
-  "version": "0.6.23",
+  "version": "0.6.24",
   "description": "Skill-driven Claude PR review. Ship a brand-voice skill, get brand reviews. Each finding cites the skill that motivated it. CLI installs the workflow + a baseline kit; add more from skills.sh.",
   "homepage": "https://cludbug.dev",
   "bugs": "https://github.com/thrillmade/clud-bug/issues",

package/templates/workflow-py.yml.tmpl CHANGED Viewed

@@ -28,10 +28,13 @@ jobs:
           CHANGED=$(gh pr diff "$PR_NUMBER" -R "$REPO" --name-only)
           MODEL=claude-sonnet-4-6
           if [ -z "$CHANGED" ]; then
-            echo "is_workflow_only=false" >> "$GITHUB_OUTPUT"
-            echo "model=$MODEL" >> "$GITHUB_OUTPUT"
             # v0.6.23 / §5: max_turns must always be emitted — see workflow.yml.tmpl for design notes.
-            echo "max_turns=15" >> "$GITHUB_OUTPUT"
+            # Grouped redirect (v0.6.24) silences the SC2129 style warning.
+            {
+              echo "is_workflow_only=false"
+              echo "model=$MODEL"
+              echo "max_turns=15"
+            } >> "$GITHUB_OUTPUT"
             exit 0
           fi
           IS_WORKFLOW_ONLY=true
@@ -105,8 +108,9 @@ jobs:
       id-token: write
       # checks: write — composite emits per-skill check-runs (BB.3).
       checks: write
-      # actions: read (v0.6.23 / §5) — github_ci MCP server. See workflow.yml.tmpl for design notes.
-      actions: read
+      # v0.6.24: `actions: read` (added in v0.6.23) backed out — broke
+      # `pull_request` trigger firing on private consumer repos. See
+      # workflow.yml.tmpl for the diagnosis.
     steps:
       - uses: actions/checkout@v6
@@ -212,7 +216,7 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.23
+        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.24
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           # v0.6.22 / 0.0.O: summary now posted by github-actions[bot].

package/templates/workflow-ts.yml.tmpl CHANGED Viewed

@@ -28,10 +28,13 @@ jobs:
           CHANGED=$(gh pr diff "$PR_NUMBER" -R "$REPO" --name-only)
           MODEL=claude-sonnet-4-6
           if [ -z "$CHANGED" ]; then
-            echo "is_workflow_only=false" >> "$GITHUB_OUTPUT"
-            echo "model=$MODEL" >> "$GITHUB_OUTPUT"
             # v0.6.23 / §5: max_turns must always be emitted — see workflow.yml.tmpl for design notes.
-            echo "max_turns=15" >> "$GITHUB_OUTPUT"
+            # Grouped redirect (v0.6.24) silences the SC2129 style warning.
+            {
+              echo "is_workflow_only=false"
+              echo "model=$MODEL"
+              echo "max_turns=15"
+            } >> "$GITHUB_OUTPUT"
             exit 0
           fi
           IS_WORKFLOW_ONLY=true
@@ -105,8 +108,9 @@ jobs:
       id-token: write
       # checks: write — composite emits per-skill check-runs (BB.3).
       checks: write
-      # actions: read (v0.6.23 / §5) — github_ci MCP server. See workflow.yml.tmpl for design notes.
-      actions: read
+      # v0.6.24: `actions: read` (added in v0.6.23) backed out — broke
+      # `pull_request` trigger firing on private consumer repos. See
+      # workflow.yml.tmpl for the diagnosis.
     steps:
       - uses: actions/checkout@v6
@@ -212,7 +216,7 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.23
+        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.24
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           # v0.6.22 / 0.0.O: summary now posted by github-actions[bot].

package/templates/workflow.yml.tmpl CHANGED Viewed

@@ -42,15 +42,18 @@ jobs:
           CHANGED=$(gh pr diff "$PR_NUMBER" -R "$REPO" --name-only)
           MODEL=claude-sonnet-4-6   # default
           if [ -z "$CHANGED" ]; then
-            echo "is_workflow_only=false" >> "$GITHUB_OUTPUT"
-            echo "model=$MODEL" >> "$GITHUB_OUTPUT"
             # v0.6.23 / §5: max_turns must always be emitted because
             # clud-bug-review runs (is_workflow_only=false). Without
-            # this, --max-turns ${{ ... }} expands to '--max-turns '
-            # (empty), failing the CLI invocation. Empty-CHANGED
-            # fires on gh pr diff auth/network failures + the
-            # (theoretical) no-changed-files PR.
-            echo "max_turns=15" >> "$GITHUB_OUTPUT"
+            # this, --max-turns $-{{ ... }} expands to '--max-turns '
+            # (empty), failing the CLI invocation. Empty-CHANGED fires
+            # on gh pr diff auth/network failures + the (theoretical)
+            # no-changed-files PR. Grouped redirect (v0.6.24) silences
+            # the SC2129 style warning.
+            {
+              echo "is_workflow_only=false"
+              echo "model=$MODEL"
+              echo "max_turns=15"
+            } >> "$GITHUB_OUTPUT"
             exit 0
           fi
@@ -154,11 +157,15 @@ jobs:
       # the GitHub Checks API for any skill in .clud-bug.json's strictSkills
       # list (BB.3, v0.5.10+). No-op when strictSkills is unset.
       checks: write
-      # actions: read (v0.6.23 / §5) — claude-code-action's bundled
-      # github_ci MCP server needs this to introspect recent CI runs.
-      # Per-job GITHUB_TOKEN permissions aren't inherited, so this
-      # MUST be on the clud-bug-review job, not paths-check.
-      actions: read
+      # v0.6.23 attempted to add `actions: read` here for the github_ci
+      # MCP server bundled with claude-code-action. v0.6.24 backed it
+      # out: on private consumer repos the `pull_request` trigger
+      # silently stopped firing the workflow after the permissions
+      # block changed (validated against tokenomics — public agent-skills
+      # kept firing, private tokenomics/rezgen did not). claude-code-action
+      # warns about the missing `actions: read` but reviews still run
+      # correctly. Re-add via a separate path once we understand the
+      # private-repo trigger-registration semantics.
     steps:
       - uses: actions/checkout@v6
@@ -335,7 +342,7 @@ jobs:
       # Letting the action's own failure fail the check is louder and right.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.23
+        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.24
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           # v0.6.22 / 0.0.O: the summary is now posted by the workflow