fix: [#781] marker-guard non-strict on bridge-merge push to main #782

Merged
anandgupta42 merged 1 commit into main from fix/marker-guard-bridge-merge-push
May 3, 2026

@anandgupta42 anandgupta42 commented May 2, 2026

What does this PR do?

Fixes the Marker Guard job failing on push-to-main immediately after a bridge / upstream-merge PR is squash-merged.

The PR-side path of the workflow already runs analyze.ts --markers in non-strict mode for upstream/merge-* head_refs. But once such a PR is squash-merged, the push event onto main has no head_ref / second-parent / branch-name signal, so the workflow falls back to:

bun run script/upstream/analyze.ts --markers --base "${{ github.event.before }}" --strict

For a bridge merge that overlays hundreds of upstream files, the diff legitimately contains piles of upstream code without altimate_change blocks, and strict mode fails. That's exactly what happened on the v1.4.0 bridge merge:

This patch detects bridge / upstream-merge commits in the pushed range by commit subject (grep -qiE '(bridge|merge) upstream') and downgrades strict→non-strict for those pushes. Warnings are still printed in the job output; the PR-side review already gated marker integrity for the change before it landed.

The Branding leak audit and Require-markers regression backstop steps remain unconditional — the only thing being relaxed is the strict diff-based marker check on push, and only when the push contains a bridge/upstream-merge commit.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Issue for this PR

Closes #781

How did you verify your code works?

Re-ran the marker tooling locally against the exact range from the failing run (941c8cae21..3cc3d4cb68 on origin/main):

  • Detection regex: git log --format=%s 941c8cae21..3cc3d4cb68 origin/main | grep -qiE '(bridge|merge) upstream' → matches the squash-merge subject feat: bridge upstream v1.4.0 across history rewrite + 3 backports + adversarial test suite (#757). Without --strict, the workflow takes the new bridge-merge path.
  • Non-strict marker run: bun run script/upstream/analyze.ts --markers --base 941c8cae21f124f509da6cc0ca0313a06473e50c prints 97 warnings and exits 0 (vs strict mode exiting 1).
  • Other guard steps still pass on current main HEAD:
    • bun run script/upstream/analyze.ts --branding → exit 0, "All blocks properly closed".
    • bun run script/upstream/analyze.ts --require-markers --strict → exit 0, "All behavior-patched files have markers" (38/38).
  • Marker parser tests: cd script/upstream && bun test → 22 pass, 0 fail.
  • YAML validity: python3 -c "import yaml; yaml.safe_load(open('.github/workflows/ci.yml'))" → OK.
  • No false-positive risk for normal pushes — the regex only matches the literal subject patterns bridge upstream / merge upstream. Dependabot, release, and ordinary feature commits do not contain these phrases, so non-bridge pushes still take the strict path.

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Summary by cubic

Make the Marker Guard job run in non-strict mode on pushes to main that include a bridge/upstream-merge commit, preventing false failures after squash merges. Normal pushes remain strict.

  • Bug Fixes
    • Detect bridge/upstream-merge commits in the pushed range by subject and run analyze.ts --markers --base <before> without --strict.
    • Keep --branding and --require-markers --strict unchanged; warnings still surface in job output.

Written for commit 94e7a65. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflow to improve marker validation handling. The system now intelligently differentiates between standard repository pushes and upstream-related commits, applying appropriate validation modes for each scenario type. Initial push operations continue to bypass marker checks as expected, with no changes to existing branch logic.

The PR-side marker-guard already runs in non-strict mode for
`upstream/merge-*` head_refs, but after a squash-merge of that PR,
the push event to main has no head_ref / second-parent / branch-name
signal — it falls back to `--strict` and fails on the hundreds of
upstream files the bridge merge brings in (98 false-positive warnings
on the v1.4.0 bridge merge, run 25264283463).

Detect bridge / upstream-merge commits in the pushed range by subject
(`grep -qiE '(bridge|merge) upstream'`) and downgrade strict->non-strict
for those pushes. Warnings still surface in job output; the PR-side
review already gated marker integrity for the change.

Validated locally:
- regex matches commit 3cc3d4c (v1.4.0 bridge merge)
- analyze.ts --markers --base <prev-main> exits 0 (97 warnings shown)
- --branding and --require-markers --strict both pass on main HEAD
- marker-parser tests: 22/22 passing
- ci.yml is valid YAML

Closes #781

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

coderabbitai Bot commented May 2, 2026

Walkthrough

The CI workflow now detects bridge/merge-upstream commits in the pushed range by matching commit subjects against a pattern. When such commits are found, the marker check runs in non-strict mode; otherwise, strict mode is enforced. This prevents false positives when squash-merging upstream bridge PRs to main.

Changes

Marker Guard Bridge Detection

Layer / File(s) | Summary
Conditional Logic, .github/workflows/ci.yml | Push events now detect "bridge/merge upstream" commits via git log --oneline ... | grep -qiE '(bridge|merge) upstream' and conditionally pass --strict flag to analyze.ts --markers based on detection result.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The PR description template requires the word 'PINEAPPLE' at the very top for AI-generated content, which is missing from this PR description. | Add 'PINEAPPLE' at the top of the PR description as required by the template for AI-generated contributions.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the main change: fixing the marker-guard job to run in non-strict mode for bridge-merge pushes to main.
Linked Issues check | ✅ Passed | The PR successfully addresses issue #781 by detecting bridge/upstream-merge commits via grep pattern matching and downgrading strict to non-strict mode, exactly as specified in the issue requirements.
Out of Scope Changes check | ✅ Passed | All changes in the workflow file are directly scoped to fixing the marker-guard strict mode issue for bridge-merge pushes; no extraneous modifications are present.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 448-451: Update the git-log subject matching used in the
if-condition that runs bun run script/upstream/analyze.ts: replace the current
grep regex '(bridge|merge) upstream' with a broader pattern that accepts either
a space or a hyphen and also matches hyphenated forms like bridge-merge; for
example change the grep invocation in the if block to use a regex such as
'(bridge|merge)(?:[ -]upstream|[-]merge)?' so commits like "bridge-merge",
"bridge-upstream" and "merge upstream" are all detected.

📥 Commits

Reviewing files that changed from the base of the PR and between 3cc3d4c and 94e7a65.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
Comment on lines +448 to +451
if git log --format=%s "${{ github.event.before }}..${{ github.sha }}" \
| grep -qiE '(bridge|merge) upstream'; then
echo "Bridge/upstream-merge commit detected in push range — running marker check in non-strict mode"
bun run script/upstream/analyze.ts --markers --base "${{ github.event.before }}"
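
Review bot: the grep on the second line of this hunk is unanchored and runs over every subject in before..sha, so one subject containing "merge upstream" or "bridge upstream" anywhere in its text drops --strict for the whole pushed range, not only for the bridge commit. Commit subjects are free text chosen by the author, so consider anchoring the pattern to the subject shape bridge merges actually use, or pairing it with a second signal, and note the naming convention in a comment beside the step. Separately, "${{ github.event.before }}" and "${{ github.sha }}" are expanded into the script text before the shell runs; passing both through env: and referencing quoted shell variables keeps expression interpolation out of the run block.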

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

CURRENT_RE='(bridge|merge) upstream'
PROPOSED_RE='(^|[[:space:][:punct:]])(upstream/merge-[^[:space:]]*|merge[[:space:]/_-]+upstream|bridge[[:space:]/_-]+(merge|upstream))([[:space:][:punct:]]|$)'

echo "Recent commit subjects:"
git log -n 200 --format='%s' | sed 's/^/  - /'

echo
echo "Matches with CURRENT_RE:"
git log -n 200 --format='%s' | grep -niE "$CURRENT_RE" || true

echo
echo "Matches with PROPOSED_RE:"
git log -n 200 --format='%s' | grep -niE "$PROPOSED_RE" || true

Repository: AltimateAI/altimate-code

Length of output: 281


🏁 Script executed:

cd /tmp && git clone --quiet https://github.com/AltimateAI/altimate-code.git && cd altimate-code
sed -n '448,451p' .github/workflows/ci.yml

Repository: AltimateAI/altimate-code

Length of output: 397


🏁 Script executed:

cd /tmp/altimate-code && rg -n "(bridge|merge) upstream" .github/workflows/ci.yml

Repository: AltimateAI/altimate-code

Length of output: 50


🏁 Script executed:

cd /tmp/altimate-code && rg -n "Bridge/upstream-merge\|git log.*grep.*qiE" .github/workflows/ci.yml

Repository: AltimateAI/altimate-code

Length of output: 50


🏁 Script executed:

cd /tmp/altimate-code && wc -l .github/workflows/ci.yml && rg -n "git log" .github/workflows/ci.yml

Repository: AltimateAI/altimate-code

Length of output: 97


🏁 Script executed:

cd /tmp/altimate-code && sed -n '440,460p' .github/workflows/ci.yml

Repository: AltimateAI/altimate-code

Length of output: 1431


Broaden bridge/upstream subject matching to prevent false negatives on pushed commits.

Line 449's regex (bridge|merge) upstream only matches space-separated patterns. The repository's actual commit subjects use hyphenated variants like bridge-merge (confirmed in recent commits), which won't match. This causes strict mode to run on bridge pushes, reintroducing the original CI failure.

The proposed regex correctly matches these variants and should be applied before merge.

Suggested patch
-            if git log --format=%s "${{ github.event.before }}..${{ github.sha }}" \
-                 | grep -qiE '(bridge|merge) upstream'; then
+            BRIDGE_UPSTREAM_RE='(^|[[:space:][:punct:]])(upstream/merge-[^[:space:]]*|merge[[:space:]/_-]+upstream|bridge[[:space:]/_-]+(merge|upstream))([[:space:][:punct:]]|$)'
+            if git log --format=%s "${{ github.event.before }}..${{ github.sha }}" \
+                 | grep -qiE "$BRIDGE_UPSTREAM_RE"; then
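
Review bot: BRIDGE_UPSTREAM_RE widens the set of subjects that turn off --strict: bridge[[:space:]/_-]+(merge|upstream) accepts any subject with "bridge merge" or "bridge-merge" in it, and upstream/merge-[^[:space:]]* accepts a branch name that is merely mentioned in a subject. Because a match relaxes the check, list the subjects that must and must not match (as a small test, or in a comment beside the variable) before adopting the pattern. The boundary groups at both ends are a tightening over the current substring match and are worth keeping even if the alternatives are trimmed.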

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

@anandgupta42 anandgupta42 merged commit a7dea3d into main May 3, 2026
21 checks passed
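
Added example (not part of the PR or the repository's code): a shell harness that feeds commit subjects through the merged pattern and the pattern from the CodeRabbit suggested patch, the same way the workflow's git log | grep -qiE test decides between strict and non-strict. Only the first subject is quoted from the PR description; the other subjects and the function names range_mode, subject_mode and report are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify commit subjects the way the workflow's
# `git log --format=%s ... | grep -qiE PATTERN` test does.

# Pattern merged in this PR (from the page).
CURRENT_RE='(bridge|merge) upstream'
# Pattern from the CodeRabbit suggested patch (from the page).
PROPOSED_RE='(^|[[:space:][:punct:]])(upstream/merge-[^[:space:]]*|merge[[:space:]/_-]+upstream|bridge[[:space:]/_-]+(merge|upstream))([[:space:][:punct:]]|$)'

# range_mode PATTERN: read commit subjects on stdin, one per line, and
# print the mode the marker check would run in for the whole push range.
range_mode() {
  if grep -qiE -- "$1"; then
    echo non-strict
  else
    echo strict
  fi
}

# subject_mode PATTERN SUBJECT: the same decision for a single subject.
subject_mode() {
  printf '%s\n' "$2" | range_mode "$1"
}

# Subject quoted in the PR description (the v1.4.0 squash merge).
REAL_SUBJECT='feat: bridge upstream v1.4.0 across history rewrite + 3 backports + adversarial test suite (#757)'

# Constructed subjects for illustration (not from the repository).
HYPHENATED='chore: bridge-merge v1.5.0'            # hyphenated bridge subject
EMBEDDED='fix: submerge upstream-sync log noise'   # phrase inside a longer word
PROSE='docs: explain how to merge upstream changes' # phrase used as plain prose
ORDINARY='fix: handle null session id'             # unrelated commit

# report: print "current-mode proposed-mode subject" for each sample.
report() {
  for s in "$REAL_SUBJECT" "$HYPHENATED" "$EMBEDDED" "$PROSE" "$ORDINARY"; do
    printf '%-11s %-11s %s\n' \
      "$(subject_mode "$CURRENT_RE" "$s")" \
      "$(subject_mode "$PROPOSED_RE" "$s")" "$s"
  done
}

report
```

The first column is the mode under the merged pattern and the second under the proposed one; rows where a non-bridge subject yields non-strict are false positives for the guard.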
Successfully merging this pull request may close these issues.

Marker Guard fails on main after squash-merging an upstream bridge merge PR
