From 60fadf4b558cb5111f0dd1c63472275ba7bee148 Mon Sep 17 00:00:00 2001 From: fullstackjam Date: Thu, 9 Jul 2026 09:17:17 +0800 Subject: [PATCH 1/3] chore(deps): bump Go toolchain to 1.25.12 Resolves GO-2026-5856 (Encrypted Client Hello privacy leak in crypto/tls), which govulncheck's drift sensor flags as "Found in: crypto/tls@go1.25.11 / Fixed in: crypto/tls@go1.25.12". All CI uses go-version-file: go.mod, so bumping the go directive upgrades the toolchain everywhere. No toolchain line needed; `go mod tidy` is a no-op. Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index f6ee6ab..cb94540 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/openbootdotdev/openboot -go 1.25.11 +go 1.25.12 require ( github.com/charmbracelet/bubbles v0.20.0 From 89695a2c467c52effa8108ed450a7bbe1bd945ae Mon Sep 17 00:00:00 2001 From: fullstackjam Date: Thu, 9 Jul 2026 09:17:17 +0800 Subject: [PATCH 2/3] ci: grant Claude review workflow write to post reviews MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Claude Code Review workflow completed successfully on every PR but never posted anything — the run's GITHUB_TOKEN had PullRequests: read, so the action generated a review then silently dropped it ("No buffered inline comments"). Bump pull-requests and issues to write so inline comments and the summary comment can actually be posted back to the PR. Auth (claude_code_oauth_token) and the /code-review plugin prompt are left unchanged — the run logs show both already work. Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo --- .github/workflows/claude-code-review.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index b5e8cfd..b5f5b62 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -19,10 +19,14 @@ jobs: # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' runs-on: ubuntu-latest + # write on pull-requests + issues is required for the action to POST its + # review back to the PR: inline review comments use the pull-requests API, + # the summary comment uses the issues API. With read-only the review runs + # but silently posts nothing ("No buffered inline comments"). permissions: contents: read - pull-requests: read - issues: read + pull-requests: write + issues: write id-token: write steps: From 416be95feb9f207e66db046a843efd7e5d04171a Mon Sep 17 00:00:00 2001 From: fullstackjam Date: Thu, 9 Jul 2026 09:17:17 +0800 Subject: [PATCH 3/3] ci: run L4 vm-e2e on every PR to main MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CLAUDE.md and docs/HARNESS.md describe L4 as running "on every PR", but the workflow only triggered on push to test/vm-e2e-speed and manual dispatch. Add a pull_request trigger (matching test.yml / harness.yml) so reality matches the documented intent. It stays non-blocking — it's not in .github/required-checks.txt — so it reports without gating merges. Claude-Session: https://claude.ai/code/session_01HLoiSd2k9EJJ1HPjjDgUgo --- .github/workflows/vm-e2e-spike.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/vm-e2e-spike.yml b/.github/workflows/vm-e2e-spike.yml index 5b5df47..6d089b7 100644 --- a/.github/workflows/vm-e2e-spike.yml +++ b/.github/workflows/vm-e2e-spike.yml @@ -3,6 +3,8 @@ name: vm-e2e-spike on: push: branches: ["test/vm-e2e-speed"] + pull_request: + branches: [main, master] workflow_dispatch: jobs: