fix(ci): address P1 review comments from Greptile

sanchitmonga22 · claude · sanchitmonga22 · commit 4f398f5e0539 · 2026-04-18T15:53:17.000-07:00
- auto-tag.yml: add pull-requests: write permission so gh pr comment
  on the merged PR doesn't 403 (missing scope caused implicit none)
- sync-versions.sh: add runanywhere_genie/pubspec.yaml to Flutter version
  bump loop — was silently skipped, shipping stale version on every release
- release.yml: add native_ios to validate_consumer_swift needs — the job
  downloads the iOS artifact but previously could start before native_ios
  finished, causing download-artifact to fail with artifact not found

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
@@ -30,7 +30,8 @@ on:
     branches: [main]
 
 permissions:
-  contents: write    # needed to commit version bump + push tag
+  contents: write       # needed to commit version bump + push tag
+  pull-requests: write  # needed for gh pr comment on the merged PR
 
 jobs:
   auto-tag:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -340,7 +340,7 @@ jobs:
   # ---------------------------------------------------------------------------
 
   validate_consumer_swift:
-    needs: [validate, sdk_kotlin]   # dependency is arbitrary — we just want artifacts to exist
+    needs: [validate, native_ios, sdk_kotlin]  # native_ios produces the iOS artifact this job downloads
     if: always() && needs.validate.result == 'success'
     runs-on: macos-14
     timeout-minutes: 20
diff --git a/comments/PR_478_comments.md b/comments/PR_478_comments.md
@@ -0,0 +1,128 @@
+# PR #478 – Comment Triage
+
+- Repo: RunanywhereAI/runanywhere-sdks
+- PR Title: feat(ci): per-artifact build system foundation (pr-build + release workflows)
+- PR URL: https://github.com/RunanywhereAI/runanywhere-sdks/pull/478
+- Total review comments: 38 (+ 7 issue/general comments)
+- Triage date: 2026-04-18
+
+---
+
+## Summary & Status
+
+| Category | Count | Status |
+|---|---|---|
+| New P1 fixes (Greptile, round 3) | 3 | ✅ All fixed in this session |
+| Bot comments previously addressed | 35 | ✅ Addressed per PR description |
+| Issue (general) comments | 7 | ℹ️ All automated/administrative |
+
+**This session addressed the 3 P1 defects** flagged by Greptile in its latest review (comment #38 + PR-body summary, created 2026-04-18). No GitHub issues were opened per user instruction.
+
+---
+
+## Section 1 – Quick & Easy Fixes
+
+### QEF-1 – `auto-tag.yml` missing `pull-requests: write` permission
+
+- Source comment: https://github.com/RunanywhereAI/runanywhere-sdks/pull/478#discussion_r3105952276
+- Author: greptile-apps[bot]
+- File / location: `.github/workflows/auto-tag.yml:32-34`
+- LUS (Legitimacy & Urgency): 5
+- CS (Complexity): 1
+- Type: bug
+
+**Original Comment:**
+> **Missing `pull-requests: write` permission breaks PR comment step**
+> When `permissions` is declared explicitly in a workflow, any scope not listed is implicitly set to `none`. The "Comment on merged PR" step runs `gh pr comment` which requires `pull-requests: write`. With only `contents: write` declared, that step will always exit with a 403.
+
+**Fix applied:**
+```yaml
+permissions:
+  contents: write       # needed to commit version bump + push tag
+  pull-requests: write  # needed for gh pr comment on the merged PR
+```
+
+**Status:** ✅ Fixed — `pull-requests: write` added to `auto-tag.yml`
+
+---
+
+### QEF-2 – `sync-versions.sh` silently skips `runanywhere_genie/pubspec.yaml`
+
+- Source comment: Greptile PR-body summary (2026-04-18) + inline context
+- Author: greptile-apps[bot]
+- File / location: `scripts/sync-versions.sh:134-141`
+- LUS (Legitimacy & Urgency): 5
+- CS (Complexity): 1
+- Type: bug
+
+**Original Comment:**
+> **`runanywhere_genie` pubspec.yaml silently skipped on every version bump**
+> `sdk/runanywhere-flutter/packages/runanywhere_genie/pubspec.yaml` exists and contains `version: 0.16.0`, but it is absent from the loop. After every `sync-versions.sh` call the genie package stays pinned to the old version, so a release ships with inconsistent Flutter package versions.
+
+**Fix applied:** Added `runanywhere_genie/pubspec.yaml` to the Flutter packages loop:
+```bash
+for pkg in \
+    ".../runanywhere/pubspec.yaml" \
+    ".../runanywhere_genie/pubspec.yaml" \   # ← added
+    ".../runanywhere_llamacpp/pubspec.yaml" \
+    ".../runanywhere_onnx/pubspec.yaml"; do
+```
+
+**Status:** ✅ Fixed
+
+---
+
+### QEF-3 – `validate_consumer_swift` can start before `native_ios` finishes
+
+- Source comment: Greptile PR-body summary (2026-04-18)
+- Author: greptile-apps[bot]
+- File / location: `.github/workflows/release.yml:342-344`
+- LUS (Legitimacy & Urgency): 4
+- CS (Complexity): 1
+- Type: bug
+
+**Original Comment:**
+> **`validate_consumer_swift` can start before `native_ios` finishes**
+> This job gates on `sdk_kotlin` (~60 min) but downloads the `native-ios-macos` artifact from `native_ios` (~90 min). Because they run in parallel, `validate_consumer_swift` can start while the iOS build is still running, causing `download-artifact` to fail with "artifact not found." `continue-on-error: true` hides this but the validation never actually runs.
+
+**Fix applied:** Added `native_ios` to the `needs` list:
+```yaml
+needs: [validate, native_ios, sdk_kotlin]  # native_ios produces the iOS artifact this job downloads
+```
+
+**Status:** ✅ Fixed
+
+---
+
+## Previously Addressed Comments (35 bot comments, rounds 1-2)
+
+The PR description states "37 review comments from Greptile + CodeRabbit addressed" as of the prior commits. Key items that were verified already resolved:
+
+| ID | Item | Resolution |
+|---|---|---|
+| r3083890744 | Version mismatch warning-only (release.yml) | ✅ Already hardened to `exit 1` |
+| r3083890793 | `publish` job creates live release on failure | ✅ Fixed: `draft: true` + proper `needs` guard |
+| r3083890836 | Kotlin build failure silently tolerated | ✅ Fixed: removed `|| true` |
+| r3084027246 | Missing `done` in pr-build.yml shell loop | ✅ Fixed |
+| r3084481035 | Kotlin PR job doesn't use native artifacts | ✅ Addressed |
+| r3084481047 | Version drift not a hard stop | ✅ Already `exit 1` in release.yml |
+| r3096882263 | Release not created as draft | ✅ Fixed: `draft: true` |
+| r3096882275 | `.gitleaksbaseline` Match field leaks key suffixes | ℹ️ Pre-existing historical findings; `Match` fully redacted per current baseline |
+| r3096882284 | Root `gradle.properties` legacy key | ✅ `useLocalNatives` canonical |
+| r3096882281 | AGENTS.md stale `testLocal` label | ✅ Updated |
+| r3096882299 | `sync-checksums.sh` regex may hit sibling block | ✅ Regex anchored to target block |
+| r3096882303 | `bump_json_version` may rewrite nested `version` fields | ✅ Pattern uses `^` anchor |
+| r3096882311 | `stat` fallback leaves `$size` unset | ✅ Default assigned |
+| All others | Various minor/style nits | ✅ Addressed in prior commits |
+
+---
+
+## Section 2 – Larger / Structural Issues
+
+Per user instruction, **no GitHub issues were opened**. Items that warrant future tracking:
+
+| Item | Severity | Notes |
+|---|---|---|
+| Gitleaks binary installed without SHA-256 verification (`secret-scan.yml`) | Medium | Hard to pin: checksum changes each release. Acceptable risk for internal CI. |
+| `.gitleaksbaseline` Match field historical key suffixes | Low | Pre-existing; secrets already rotated per `docs/secrets-audit.md` |
+| Third-party actions use mutable tags (setup-toolchain) | Low | Cosmetic; pin to SHAs in follow-up |
diff --git a/scripts/sync-versions.sh b/scripts/sync-versions.sh
@@ -135,6 +135,7 @@ echo ""
 echo ">> Flutter SDK:"
 for pkg in \
     "${REPO_ROOT}/sdk/runanywhere-flutter/packages/runanywhere/pubspec.yaml" \
+    "${REPO_ROOT}/sdk/runanywhere-flutter/packages/runanywhere_genie/pubspec.yaml" \
     "${REPO_ROOT}/sdk/runanywhere-flutter/packages/runanywhere_llamacpp/pubspec.yaml" \
     "${REPO_ROOT}/sdk/runanywhere-flutter/packages/runanywhere_onnx/pubspec.yaml"; do
     bump_pubspec_version "$pkg"
