fix(ci): add synchronize trigger to PR Review workflow

[WilliamBerryiii]

Description

Add synchronize to the pull_request.types trigger array in the PR Review agentic workflow so the review bot re-runs automatically when new commits are pushed to an open PR. Previously, the workflow only triggered on opened and ready_for_review, requiring a manual Actions UI re-run after pushing follow-up commits.

The lock file was recompiled with gh-aw v0.67.1 (upgraded from v0.65.6), which also bumps AWF v0.25.11→v0.25.13, MCPG v0.2.11→v0.2.14, and introduces report_incomplete and setup-trace-id infrastructure.

Related Issue(s)

Fixes #1322

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Testing

• Compiled with gh aw compile pr-review — 0 errors, 0 warnings
• Validated with gh aw validate pr-review — 0 errors, 0 warnings
• Confirmed synchronize present in compiled lock file trigger types
• Verified concurrency group and cancel-in-progress: true remain intact

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

N/A — no AI artifacts changed.

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate
• Docusaurus tests: npm run docs:test

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

The only new dependency pin is github/gh-aw-actions/setup@v0.67.1 with SHA 80471a493be8c528dd27daf73cd644242a7965e0, auto-generated by the gh-aw compiler.

Additional Notes

The label_command: re-review option was investigated but cannot coexist with pull_request triggers that include non-label event types (opened, ready_for_review, synchronize) due to a gh-aw compiler constraint. Manual re-trigger remains available via the Actions UI re-run button.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.65%. Comparing base (057c691) to head (3f301f7).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1323      +/-   ##
==========================================
- Coverage   87.66%   87.65%   -0.02%     
==========================================
  Files          61       61              
  Lines        9328     9328              
==========================================
- Hits         8177     8176       -1     
- Misses       1151     1152       +1     

Flag	Coverage Δ
pester	85.22% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Advisory review, this PR is from a maintainer. Findings are informational only.

Overview

This is a clean, well-scoped PR. The core change — adding synchronize to the pull_request.types trigger in pr-review.md — directly addresses the primary objective from #1322. The lock file was properly recompiled, the PR description is thorough, and the existing cancel-in-progress: true concurrency group was already in place to handle rapid successive pushes safely.

Issue Alignment

✅ Core objective met: synchronize added to pull_request.types.

ℹ️ The label_command: re-review item from #1322 was not implemented. The PR explicitly documents the gh-aw compiler constraint preventing its coexistence with non-label pull_request event types. This is a sound and transparent explanation — the PR title and scope are appropriately narrowed to what was actually feasible.

PR Template Compliance

✅ All required sections filled in and accurate. Type of Change checkboxes (Bug fix, GitHub Actions workflow) correctly reflect the changes. Testing steps are concrete and verifiable.

Coding Standards

✅ The single-line pr-review.md change is compliant with workflow instructions and conventions.

ℹ️ Version annotation discrepancy in auto-generated lock file (inline comments added): The gh-aw v0.67.1 compiler updated version comment annotations for actions/checkout (v4.2.2 → v6.0.2) and actions/upload-artifact (v4.4.3 → v7) while leaving their SHAs unchanged. Since the SHA is the authoritative security pin, there is no security regression. The annotations appear to reflect updated internal metadata in the new compiler — but the version labels look unusual and may be worth raising with the gh-aw team if confirmed inaccurate.

Code Quality

✅ Minimal and correct. The trace-id infrastructure and job-name input added by the updated compiler are non-functional improvements that improve observability of agentic workflow runs. No logic regressions introduced.

Action Items

None blocking. All findings above are informational. This PR is ready for human review and merge.

Generated by PR Review for issue #1323 · ● 1.8M

[chaosdinosaur]

Thanks for fixing this!

[github-actions]

Advisory review, this PR is from a maintainer. Findings are informational only.

Review Summary

This is a focused, well-described fix that correctly addresses the core ask from issue #1322. The change is minimal and purposeful.

---

✅ Issue Alignment

Issue #1322 requested two changes:

1. ✅ Add synchronize to pull_request.types — implemented
2. ⚠️ Add label_command: re-review — not implemented (compiler constraint documented in PR description)

The partial implementation is acceptable. The PR description clearly explains the label_command constraint and offers the Actions UI re-run as a manual fallback. Worth tracking in the issue for a future compiler version that relaxes this constraint.

---

✅ PR Template Compliance

All required sections are filled in correctly. Checkboxes are accurate for the change type (Bug fix + GitHub Actions workflow). The automated checks section is intentionally unchecked (CI runs these). No issues.

---

✅ Coding Standards

Workflow instructions compliance:

• Dependency pinning: All actions pinned to full SHAs with semantic version comments ✅
• Permissions: Inherited from the existing compiled structure ✅
• Runners: ubuntu-latest ✅
• persist-credentials: false retained on all checkout steps ✅

---

💡 Advisory Observation — Version Label Drift in Auto-Generated File

In pr-review.lock.yml, the gh-aw compiler updated version comment labels for two actions whose SHAs did not change:

• actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd — comment changed from # v4.2.2 → # v6.0.2
• actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f — comment changed from # v4.4.3 → # v7

The same SHA cannot correspond to two different semantic versions. Since this file is auto-generated (DO NOT EDIT), this is a compiler-side labeling issue rather than a PR defect — the pinned SHA is what matters for execution, not the comment. No action required from the PR author, but it may be worth raising with the gh-aw compiler maintainers to ensure comment labels are consistent with pinned SHAs.

---

✅ Code Quality and Security

• The synchronize event addition is the correct solution for the described problem.
• The existing concurrency group with cancel-in-progress: true appropriately handles rapid successive pushes — no changes needed there.
• The new github/gh-aw-actions/setup@v0.67.1 dependency is properly pinned to SHA 80471a493be8c528dd27daf73cd644242a7965e0 in both actions-lock.json and the lock file.
• No secrets exposure, no unsafe input handling, no logic errors observed.

---

No blocking issues. The PR is in good shape.

Generated by PR Review for issue #1323 · ● 890.5K

[github-actions]

Advisory review, this PR is from a maintainer. Findings are informational only.

---

PR Review: fix/1322-pr-review-triggers

Overview

This PR is a clean, well-scoped fix that adds the synchronize event type to the PR Review workflow trigger, ensuring the automated review runs on new commits pushed to an open PR — not just on opened and ready_for_review. The follow-up annotation cleanup commit (correcting # v7 → # v7.0.0) improves comment accuracy with no functional impact.

---

✅ Issue Alignment

Fixes #1322. The linked issue requests that the PR Review workflow fire on new pushes to open PRs, which was broken because synchronize was absent from the trigger list. The one-line change to pr-review.md directly and correctly resolves this. No scope creep, no missing requirements.

---

✅ PR Template Compliance

The PR description includes a clear description, a valid issue reference (Fixes #1322), an appropriate type of change, and testing notes (recompile verified). The commit messages follow conventional commit format with proper scope and emoji footer per repository conventions. No template violations found.

---

✅ Coding Standards — GitHub Actions Workflow Conventions

All requirements from the workflow instructions file are satisfied:

Requirement	Status
Third-party actions pinned to full commit SHA	✅ All 4 actions use full SHAs
Top-level permissions: block declared	✅ permissions: {} at line 56 of lock file
Job-level permissions declared	✅ All jobs define explicit permissions
SHA comments include semantic version	✅ e.g., # v7.0.0, # v0.67.1
SHA in lock file matches actions-lock.json	✅ 80471a493be8c528dd27daf73cd644242a7965e0 consistent
concurrency: block prevents duplicate runs	✅ Present with cancel-in-progress: true

The ubuntu-slim runner in the auto-generated lock file is a gh-aw platform-managed runner — not a violation of the ubuntu-latest convention, which applies to manually authored workflows.

---

✅ Code Quality

pr-review.md (source of truth): Single-line addition of synchronize to the event types array. Correct and minimal.

pr-review.lock.yml recompile: The net changes reflect the gh-aw v0.65.6 → v0.67.1 compiler upgrade. The compiled output correctly includes synchronize in the trigger list and uses the pinned SHA for github/gh-aw-actions/setup@v0.67.1.

actions-lock.json: The new entry for github/gh-aw-actions/setup@v0.67.1 matches the SHA used in the lock file exactly — no drift between the two tracking files.

Annotation fix commit: Correcting # v7 to # v7.0.0 is a worthwhile accuracy improvement; the SHA itself is unchanged so the security posture is unaffected.

---

Summary

No issues found. The PR correctly fixes the missing synchronize trigger, keeps the auto-generated lock file in sync with the source definition, and leaves all security-relevant SHA pins intact.

Generated by PR Review for issue #1323 · ● 5.8M