
fix(ci): replace gh pr review with gh api for checkout-free approval#433

Merged: nullvariant merged 1 commit into main from fix/justice-bot-approve-api on Apr 6, 2026

Conversation

@nullvariant (Owner)

Summary

  • gh pr review implicitly requires a local git repository, causing fatal: not a git repository in the ci-gated-approve job which intentionally runs without actions/checkout
  • This prevented Justice Bot from recording approvals, breaking OpenSSF Scorecard Code-Review scoring (8.1 → 7.7)
  • Both approve steps (dependency-review and ci-gated-approve) now use gh api directly, consistent with the existing duplicate-check pattern and the no-checkout security design

Test plan

  • Merge this PR and verify Justice Bot's ci-gated-approve job succeeds on the next PR
  • Confirm the PR receives an approval from nullvariant-justice[bot]
  • Monitor OpenSSF Scorecard score recovery over the next scan cycle

gh pr review implicitly requires a local git repository, causing
"fatal: not a git repository" in ci-gated-approve which runs without
checkout. This broke OpenSSF Scorecard Code-Review scoring by
preventing Justice Bot from recording approvals on PRs.
Both approve steps (dependency-review and ci-gated-approve) now use
gh api directly, consistent with the existing duplicate-check pattern
and the no-checkout security stance.
Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6-20250414
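As an added example (not the project's justice-bot.yml, which this page does not reproduce): a checkout-free approval step written as shell functions around `gh api`, combining the reviews call from this PR with the "skip if Justice already approved" check the description says `ci-gated-approve` already performs. It assumes `gh` is authenticated with the token the workflow provides, and it goes beyond the PR's own lines in two ways: the method is stated with `--method POST` instead of being inferred from `-f`, and the approval is pinned to the head SHA with the REST API's `commit_id` field so a push that lands between "checks passed" and "review posted" is not silently approved. The bot login `nullvariant-justice[bot]` is taken from the test plan; `BOT_LOGIN`, `head_sha`, `bot_approvals_for`, `post_approval` and `justice_approve` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow. Approves a PR purely through the
# REST API via `gh api`, so the job needs neither actions/checkout nor a git
# working tree. Assumes GITHUB_TOKEN (or the bot's installation token) is
# already available to gh, as it is in the workflow the PR describes.
set -eu

# Login under which the bot's reviews appear (from the PR's test plan).
BOT_LOGIN="${BOT_LOGIN:-nullvariant-justice[bot]}"

# Head SHA the approval will be pinned to. The reviews endpoint defaults to
# whatever the PR head is at call time; pinning closes the window between
# "checks concluded" and "review posted".
head_sha() {
  gh api "repos/$1/pulls/$2" --jq '.head.sha'
}

# Prints the ids of APPROVED reviews by the bot on the given head SHA, one per
# line; prints nothing when there are none. --paginate keeps long review
# histories from being cut off at the first page; --jq filters client-side.
bot_approvals_for() {
  local repo="$1" pr="$2" sha="$3"
  gh api "repos/$repo/pulls/$pr/reviews" --paginate \
    --jq ".[] | select(.user.login == \"$BOT_LOGIN\" and .state == \"APPROVED\" and .commit_id == \"$sha\") | .id"
}

# Post an APPROVE review for one specific commit. The HTTP method is explicit
# rather than implied by the presence of -f parameters.
post_approval() {
  local repo="$1" pr="$2" sha="$3" body="$4"
  gh api --method POST "repos/$repo/pulls/$pr/reviews" \
    -f commit_id="$sha" \
    -f event="APPROVE" \
    -f body="$body"
}

# Approve at most once per head SHA. Prints "approved" or "skipped".
justice_approve() {
  local repo="$1" pr="$2" body="${3:-⚖️ Justice grants passage.}"
  local sha
  sha="$(head_sha "$repo" "$pr")"
  if [ -n "$(bot_approvals_for "$repo" "$pr" "$sha")" ]; then
    echo "skipped"
    return 0
  fi
  post_approval "$repo" "$pr" "$sha" "$body" >/dev/null
  echo "approved"
}

# Usage inside a workflow step that has no checkout:
#   justice_approve "$GITHUB_REPOSITORY" "$PR_NUMBER"
```

`gh api` applies the `--jq` filter locally, so the only thing the step needs beyond the CLI is a token with `pull-requests: write`; there is no git invocation anywhere, which is what made `gh pr review` fail in the no-checkout job. Re-running on `synchronize` is harmless: the head SHA changes, the old approval no longer matches it, and a fresh approval is posted only after the checks for the new head pass.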
@qodo-code-review

Review Summary by Qodo

Replace gh pr review with gh api for checkout-free approvals

🐞 Bug fix


Walkthroughs

Description
• Replace gh pr review with gh api for checkout-free PR approvals
• Fixes Justice Bot approval failures in ci-gated-approve job
• Restores OpenSSF Scorecard Code-Review scoring capability
• Maintains consistency with existing duplicate-check pattern
Diagram
flowchart LR
  A["gh pr review<br/>requires git repo"] -->|broken in<br/>no-checkout job| B["ci-gated-approve fails"]
  B -->|breaks| C["OpenSSF Scorecard<br/>Code-Review score"]
  D["gh api direct call<br/>no git required"] -->|fixes| E["ci-gated-approve succeeds"]
  E -->|restores| F["OpenSSF Scorecard<br/>Code-Review score"]


File Changes

1. .github/workflows/justice-bot.yml 🐞 Bug fix +6/-4

Replace gh pr review with gh api calls

• Replaced `gh pr review "$PR_NUMBER" --approve` with `gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/reviews"` in dependency-review approval step
• Updated ci-gated-approve job to use gh api instead of gh pr review for PR approval
• Both approval steps now use -f event="APPROVE" and -f body="..." flags for API calls
• Maintains existing duplicate-approval check logic while fixing git repository requirement


@qodo-code-review

qodo-code-review Bot commented Apr 6, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX Issues (0)


Remediation recommended

1. Repeated bot approvals 🐞 Bug ⚙ Maintainability
Description
In dependency-review, the workflow triggers on pull_request_target synchronize events and the
new approval step always creates a new review, so the bot can post multiple approvals on the same PR
over time. This clutters the PR review timeline and creates unnecessary API calls/notifications.
Code

.github/workflows/justice-bot.yml[R281-283]

+          gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
+            -f event="APPROVE" \
+            -f body="⚖️ Justice approves this dependency update. All safety checks passed."
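Review bot: this approval is posted unconditionally, whereas the CI-gated step first queries existing reviews and skips when Justice has already approved; add the same query of `repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/reviews` before this call so a `synchronize` event does not stack a new approval on every push. While here, state the method (`gh api --method POST ...`) instead of letting the `-f` flags imply it, matching the explicit `-X PATCH` used elsewhere in this file.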
Evidence
The workflow is configured to run on pull_request_target for both opened and synchronize, and
the dependency-review approval step unconditionally calls the PR reviews create endpoint without
checking whether nullvariant-justice[bot] already approved (unlike the later CI-gated approval job
which does a duplicate check).

.github/workflows/justice-bot.yml[8-13]
.github/workflows/justice-bot.yml[268-284]
.github/workflows/justice-bot.yml[355-366]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`dependency-review` posts an approval review every time the workflow runs (including `synchronize`), creating repeated Justice approvals on active PRs.

### Issue Context
`ci-gated-approve` already avoids duplicates by querying existing reviews and skipping if Justice has already approved; `dependency-review` should do the same before creating a review.

### Fix Focus Areas
- .github/workflows/justice-bot.yml[272-284]
- .github/workflows/justice-bot.yml[355-366]


Advisory comments

2. Implicit POST for approvals 🐞 Bug ⚙ Maintainability
Description
The new approval steps call gh api .../reviews without explicitly setting the HTTP method, relying
on GH CLI defaults to infer POST from -f flags. This is inconsistent with other API calls in the
workflow that explicitly set non-GET methods and makes the intent less audit-friendly.
Code

.github/workflows/justice-bot.yml[R363-365]

+            gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
+              -f event="APPROVE" \
+              -f body="⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards."
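Review bot: the approval is not pinned to a commit. `event=APPROVE` without a `commit_id` field approves whatever the PR head is at the moment of the call, so a push that lands between the check conclusion and this step receives an approval the checks never ran against. Pass `-f commit_id="<head SHA the checks ran on>"` and have the duplicate check compare that SHA as well, so a new head gets re-evaluated rather than skipped.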
Evidence
The approval calls omit an explicit -X POST, while a nearby write call (updating an existing
comment) explicitly sets -X PATCH, indicating the workflow otherwise tends to be explicit about
HTTP methods for mutations.

.github/workflows/justice-bot.yml[260-262]
.github/workflows/justice-bot.yml[281-283]
.github/workflows/justice-bot.yml[363-366]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The review-creation `gh api` calls rely on implicit method inference.

### Issue Context
Other mutating `gh api` usage in this workflow is explicit about method (e.g., PATCH). Making POST explicit improves readability and reduces accidental regressions during edits.

### Fix Focus Areas
- .github/workflows/justice-bot.yml[281-283]
- .github/workflows/justice-bot.yml[363-366]


@nullvariant-mimi (Contributor)

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


Please run it through the validator, okay?

This report was carefully prepared by nullvariant-mimi[bot]

@github-actions (Contributor)

github-actions Bot commented Apr 6, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 125a243.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

@nullvariant-ciel (Contributor)

🕊️ Ciel's Mediation 💤

*~~ drifting lazily through still air ~~ The zoo is napping today...*

1 zoo member has reviewed this PR.

Zoo Member Status
🐰 Mimi Commented

😴 A quiet day at the zoo. Only one member peeked at this PR.


Well, well, everything in moderation.

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented Apr 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@sonarqubecloud

sonarqubecloud Bot commented Apr 6, 2026

nullvariant merged commit 5e37127 into main on Apr 6, 2026
32 of 33 checks passed
nullvariant deleted the fix/justice-bot-approve-api branch on April 6, 2026 at 06:20