[PR Triage Report] PR Triage Report - 2026-04-09 #4292

Description

@github-actions

Triage Date: 2026-04-09 | Open PRs: 13 | Workflow Run: 24190230225


Summary

All 13 open PRs carry triage:complete labels from prior runs, but three critical issues require maintainer attention before any merges can proceed cleanly.


Critical Findings

1. Shell Quoting Fix Conflict Cluster (Security)

Three PRs all address overlapping shell injection/quoting issues in default-workflow.yaml step-03. They use incompatible approaches and will conflict:

| PR | Approach | Tests | Security Labels |
|---|---|---|---|
| #4245 | Replace heredocs with direct env-var assignment (eliminates heredoc boundary) | No dedicated tests | triage:security-review |
| #4236 | Unified heredoc quoting + PR URL resolution fix | No dedicated tests | triage:security-review |
| #4228 | Quoted heredoc defense-in-depth + 171 ADO/injection tests | 171 tests | triage:security-review |

Recommendation: Choose one approach; close the others. #4245 represents the deepest fix (eliminates the attack surface entirely). #4228 has the most test coverage. Consider merging #4245 and cherry-picking the tests from #4228.

2. Duplicate External Documentation PRs

Both fix the same issue (clarifying required vs optional API keys):

Recommendation: Review both diffs, merge the more accurate one, close the other.

3. External Automated PR #4234 (Unverified)

PR from sonusonukgupta-gif is labeled as "Automated technical solution for #4233" with only a one-liner body and no description of what was changed. Base SHA is behind main.

Recommendation: Inspect the actual diff before any action. Do not merge without understanding what it contains.


PR Status by Priority

High Priority (Security + High-Priority Labels)

| PR | Title | Risk | Notes |
|---|---|---|---|
| #4245 | fix(recipes): heredoc → env-var assignment | Medium | Conflict cluster; deepest security fix |
| #4236 | fix(recipes): step-03 quoting + PR URL | Medium | Conflict cluster; dual fix |
| #4228 | fix: step-03 defense-in-depth quoting | Medium | Conflict cluster; most tests |
| #4207 | fix: SEARCH_TITLE quoting + unsafe conditions | Low | Self-declared merge-ready; CI green |
| #4203 | fix: smart-orchestrator teardown hardening | Medium | 3-cycle quality audit; CI green |

Medium Priority

| PR | Title | Risk | Notes |
|---|---|---|---|
| #4216 | feat: ANTHROPIC_DISABLED flag | Medium | 41 tests; co-authored with Copilot |
| #4190 | fix(cli): entrypoint + patch surfaces | Medium | Tests pass; pyright clean |

Low Priority / Clean Merges (rebase needed first)

| PR | Title | Risk | Notes |
|---|---|---|---|
| #4199 | fix(recipe-runner): auto-update binary | Low | Targeted; low blast radius |
| #4198 | fix(knowledge_builder): guard copilot flag | Low | Targeted flag guard |
| #4186 | docs(multitask): TIMEOUT_LIFECYCLE.md | Low | Docs only; 19 tests |
| #4112 | docs: clarify API keys | Low | Duplicate — see #3984 |
| #3984 | docs: clarify API keys | Low | Duplicate — see #4112 |

Base SHA Status

All 13 PRs are behind the current main HEAD (fbea48e). Each will require a rebase before merge.


Recommended Action Order

  1. Resolve the conflict cluster (#4245 "fix(recipes): replace quoted heredocs with direct env-var assignment (skwaq#469)", #4236 "fix(recipes): step-03 shell quoting + PR URL resolution (#4221, #4233)", #4228 "fix: repair shell quoting in step-03 issue creation (#4221)"): pick one, close the others
  2. Close one of the duplicate docs PRs (#4112 "docs: clarify required vs optional API keys in .env setup (#3844)", #3984 "docs: clarify API keys required vs optional in CONTRIBUTING.md")
  3. Manually review the diff of external PR #4234 "Fix: Issue #4233"; close if not needed
  4. Rebase and merge the clean low-risk PRs: #4207 "fix: correct SEARCH_TITLE quoting and unsafe conditions in default-workflow", #4199 "fix(recipe-runner): auto-update rust runner binary on version mismatch (#4189)", #4198 "fix(knowledge_builder): guard --dangerously-skip-permissions against copilot binary (#4188)", #4186 "docs(multitask): add TIMEOUT_LIFECYCLE.md and update reference docs"
  5. Queue medium-risk PRs for code review: #4203 "fix(#4169): smart-orchestrator teardown hardening + atlas refresh", #4190 "fix(cli): preserve entrypoint and patch surfaces", #4216 "feat: safe Anthropic disablement via ANTHROPIC_DISABLED flag"

Generated by PR Triage Agent · expires on Apr 10, 2026, 12:35 PM UTC
