PR: feat: PolyPilot CI integration test workflow (Linux/GTK + MauiDevFlow)
Merged: 2026-04-22 by PureWeen
Review runs: 1 automated (review-on-open, commit 8c5815f) + 1 human re-review (before merge)
Skill Coverage Analysis
| Skill |
Relevant? |
Referenced? |
Gap? |
| gh-aw-guide |
⚠️ Adjacent (.yml not .md) |
Implicitly (permissions, security) |
Minor — permissions finding unfixed at merge |
| maui-ai-debugging |
✅ Yes (MauiProgram.cs DevFlow setup) |
❌ No |
✅ Human caught it; bot generated 0 comments on MauiProgram.cs |
| processing-state-safety |
❌ No |
— |
— |
| multi-agent-orchestration |
❌ No |
— |
— |
| performance-optimization |
❌ No |
— |
— |
Review Accuracy
| Metric |
Count |
| True Positives (Fixed) |
3 — #1 binary exit guard, #3 tool install ` |
| True Positives (Unresolved — merged unfixed) |
5 — #2, #4, #6, #7, #8 |
| False Positives |
0 |
| False Negatives (missed) |
0 |
| Correctly Discarded |
3 — /tmp path, package ID, manual-only trigger |
Unresolved Findings That Merged
The initial automated review found 8 real issues. The human's second review cycle checked a different set of 8 findings on the evolved code (after 27 commits), never cross-referencing the original bot findings. Five original findings slipped through to merge.
Finding #2 — Unquoted expression interpolation (Linux job, line 94)
${{ steps.find-binary.outputs.binary }} > /tmp/polypilot-stdout.log 2>/tmp/polypilot-stderr.log &The Mac Catalyst job correctly uses a quoted env var (BINARY="${{ ... }}"). The Linux job directly interpolates without quotes. An empty or space-containing path would break the redirect.
Fix: "${{ steps.find-binary.outputs.binary }}" > /tmp/polypilot-stdout.log ...
Finding #4 — Wrong MAUI workload on Linux/GTK job (line 48)
run: dotnet workload install maui-android
PolyPilot.Gtk.csproj targets net10.0 (plain .NET), not net10.0-android. The maui-android workload installs Android SDK tooling irrelevant for GTK. The Mac Catalyst and Windows jobs both correctly use dotnet workload install maui.
Fix: dotnet workload install maui — consistent with the other 2 jobs in the same file.
Finding #6 — No permissions: block on any of the 3 jobs
No job declares an explicit permissions: block. With workflow_dispatch + push triggers, GITHUB_TOKEN defaults to write-all. The workflow only reads the repo and runs tests.
Fix: Add to each job:
permissions:
contents: read
Finding #7 — Unused issue_number and scenario inputs (lines 6–17)
Both inputs are declared but never referenced in any step. A user selecting scenario: full receives identical smoke tests to scenario: smoke — silently misleading.
Fix: Remove both inputs until implemented, or gate steps with if: inputs.scenario == 'full'.
Finding #8 — Stale action versions (lines 34, 251, 259, 281, 525, 557, 649)
All actions/checkout@v4 and actions/upload-artifact@v4 — 7 instances. build.yml uses @v6 and @v7 respectively.
Fix: Update all to actions/checkout@v6 and actions/upload-artifact@v7.
Root Cause: Cross-Cycle Finding Tracking Gap
The core process failure: the second review cycle checked new issues on the evolved 27-commit code state but did not verify the original bot findings were resolved. Five original True Positives slipped through unnoticed.
Improvement suggestion: When approving a PR that had a prior CHANGES_REQUESTED automated review, explicitly re-check each original finding before approving. The review system could support this by outputting a "prior findings checklist" that the second reviewer marks resolved or deferred.
Adversarial Consensus Quality ✅
The 3 correctly-discarded findings demonstrate the consensus mechanism working well:
/tmp path prohibition (1/3) — correctly overruled: CI runner /tmp is standard practice, not subject to the agent-workspace prohibition- Wrong package ID (1/3) — correctly overruled:
Microsoft.Maui.Cli is the correct package name
- Manual-only trigger (1/3) — correctly overruled:
workflow_dispatch is intentional for heavyweight integration tests
No false positives in the initial review.
Auto-closes in 30 days if not addressed.
Generated by Review Retrospective for issue #615 · ◷
PR: feat: PolyPilot CI integration test workflow (Linux/GTK + MauiDevFlow)
Merged: 2026-04-22 by PureWeen
Review runs: 1 automated (review-on-open, commit 8c5815f) + 1 human re-review (before merge)
Skill Coverage Analysis
.ymlnot.md)Review Accuracy
/tmppath, package ID, manual-only triggerUnresolved Findings That Merged
The initial automated review found 8 real issues. The human's second review cycle checked a different set of 8 findings on the evolved code (after 27 commits), never cross-referencing the original bot findings. Five original findings slipped through to merge.
Finding #2 — Unquoted expression interpolation (Linux job, line 94)
${{ steps.find-binary.outputs.binary }} > /tmp/polypilot-stdout.log 2>/tmp/polypilot-stderr.log &The Mac Catalyst job correctly uses a quoted env var (
BINARY="${{ ... }}"). The Linux job directly interpolates without quotes. An empty or space-containing path would break the redirect.Fix:
"${{ steps.find-binary.outputs.binary }}" > /tmp/polypilot-stdout.log ...Finding #4 — Wrong MAUI workload on Linux/GTK job (line 48)
PolyPilot.Gtk.csprojtargetsnet10.0(plain .NET), notnet10.0-android. Themaui-androidworkload installs Android SDK tooling irrelevant for GTK. The Mac Catalyst and Windows jobs both correctly usedotnet workload install maui.Fix:
dotnet workload install maui— consistent with the other 2 jobs in the same file.Finding #6 — No
permissions:block on any of the 3 jobsNo job declares an explicit
permissions:block. Withworkflow_dispatch+pushtriggers,GITHUB_TOKENdefaults towrite-all. The workflow only reads the repo and runs tests.Fix: Add to each job:
Finding #7 — Unused
issue_numberandscenarioinputs (lines 6–17)Both inputs are declared but never referenced in any step. A user selecting
scenario: fullreceives identical smoke tests toscenario: smoke— silently misleading.Fix: Remove both inputs until implemented, or gate steps with
if: inputs.scenario == 'full'.Finding #8 — Stale action versions (lines 34, 251, 259, 281, 525, 557, 649)
All
actions/checkout@v4andactions/upload-artifact@v4— 7 instances.build.ymluses@v6and@v7respectively.Fix: Update all to
actions/checkout@v6andactions/upload-artifact@v7.Root Cause: Cross-Cycle Finding Tracking Gap
The core process failure: the second review cycle checked new issues on the evolved 27-commit code state but did not verify the original bot findings were resolved. Five original True Positives slipped through unnoticed.
Improvement suggestion: When approving a PR that had a prior CHANGES_REQUESTED automated review, explicitly re-check each original finding before approving. The review system could support this by outputting a "prior findings checklist" that the second reviewer marks resolved or deferred.
Adversarial Consensus Quality ✅
The 3 correctly-discarded findings demonstrate the consensus mechanism working well:
/tmppath prohibition (1/3) — correctly overruled: CI runner/tmpis standard practice, not subject to the agent-workspace prohibitionMicrosoft.Maui.Cliis the correct package nameworkflow_dispatchis intentional for heavyweight integration testsNo false positives in the initial review.
Auto-closes in 30 days if not addressed.