From 659708c88c4ec6261a25667fe6935dd8119a495d Mon Sep 17 00:00:00 2001 From: Nathan Heskew Date: Wed, 20 May 2026 15:31:12 -0700 Subject: [PATCH 1/2] Bump both reviewer pins to ai-review-prompts@ea19009 Adopts the promoted Gemini calibration (ai-review-prompts#41) and restores both reviewers to a single shared pin. Gemini changes vs the prior pin (128656e40): - Single-shot architecture validated empirically over 5 iteration rounds in PR #87 (gemini/inline-calibrate) - Prior-review body fetched and injected as continuity context when the prior had findings (### N. headers); skipped on no-blockers priors so the model doesn't get primed to hunt for issues against uninformative context - Prompt's "your output IS the PR comment" section reworded to allow shell/file research tools while still forbidding self- posting (the workflow handles posting) - post-review-comment.sh now strips leading whitespace from the marker line so a non-whitespace-stable provider can't break the marker check Claude reviewer is byte-identical between f22bf7d and ea19009 in ai-review-prompts; bumping the pin is a no-op for Claude behavior but restores the two reviewers to a single shared upgrade motion. The "intentionally NOT in lockstep" comment from the divergence period is replaced with a note that lockstep is restored. PR #87 (gemini/inline-calibrate) is now superseded by this PR and will be closed without merging. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/claude-review.yml | 4 ++-- .github/workflows/gemini-review.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml index 1f9aa04..186f5ec 100644 --- a/.github/workflows/claude-review.yml +++ b/.github/workflows/claude-review.yml 
@@ -26,7 +26,7 @@ concurrency: jobs: review: - uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@f22bf7dcb7d22d5de94c938daa9d790f2b5c776b # main 2026-05-18 (post #37 + #38 + #40 — calibration layer update + label-gated bot-PR review; gemini-review.yml pin intentionally NOT in lockstep here — Gemini reviewer has known issues being worked separately, no need to drag it along) + uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@ea190091328bcee674c4739ccc97dda177ecf0c5 # main 2026-05-20 (post #41 — Gemini calibration promoted; both reviewers back in lockstep on the same ai-review-prompts SHA, no _claude-review.yml changes vs the prior pin) # Caller-side permissions, scoped at the calling-job level (NOT # workflow-level — that placement caps the reusable's per-job # grants below what they need and breaks the workflow at startup; @@ -51,7 +51,7 @@ jobs: # introspect their own ref (`github.workflow_ref` resolves to the # CALLER's ref in `workflow_call` context), and `uses: …@` # is parsed literally so we can't interpolate a variable. - ai-review-prompts-ref: f22bf7dcb7d22d5de94c938daa9d790f2b5c776b + ai-review-prompts-ref: ea190091328bcee674c4739ccc97dda177ecf0c5 review-layers: | universal harper/common diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml index 936a315..8245487 100644 --- a/.github/workflows/gemini-review.yml +++ b/.github/workflows/gemini-review.yml 
@@ -34,13 +34,13 @@ concurrency: jobs: review: - uses: HarperFast/ai-review-prompts/.github/workflows/_gemini-review.yml@128656e40c87c0e1293c542a5500df4f68dbff85 # main 2026-05-12 (post #25 — workflow posts Gemini response, output-name fix, default model gemini-3-flash-preview) + uses: HarperFast/ai-review-prompts/.github/workflows/_gemini-review.yml@ea190091328bcee674c4739ccc97dda177ecf0c5 # main 2026-05-20 (post #41 — Gemini calibration from oauth#87 promoted; single-shot supersedes the MCP rewrite, prior-body continuity, marker-check robustness) with: # Same SHA as the `uses:` ref above. See claude-review.yml # in this repo for why the duplication is unavoidable # (reusable workflows can't introspect their own ref in # workflow_call context). - ai-review-prompts-ref: 128656e40c87c0e1293c542a5500df4f68dbff85 + ai-review-prompts-ref: ea190091328bcee674c4739ccc97dda177ecf0c5 review-layers: | universal harper/common From cebd952209c3c627e78a1ff14911f5804d5071ee Mon Sep 17 00:00:00 2001 From: Nathan Heskew Date: Wed, 20 May 2026 17:59:47 -0700 Subject: [PATCH 2/2] Add caller-side permissions block to gemini-review.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mirrors the hardening on claude-review.yml — explicit grant at the calling-job level for the union the reusable's authorize + review jobs need (contents: read + pull-requests: write + id-token: write). The workflow happens to work without this on oauth today because the repo default is permissive enough, but the explicit grant survives repo-default changes and matches claude-review.yml's shape and discipline. Surfaced as a finding by Gemini's own review of this PR (#88) — exactly the loop the calibration was built for. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/gemini-review.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) 
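Review bot: the `uses:` line in the claude-review.yml @@ -26 hunk now carries the whole rationale as a trailing comment on the pin, which leaves the one value that matters for supply-chain review (the full SHA) buried at the end of a very long line; move the `# main 2026-05-20 (post #41 …)` explanation to comment lines above `uses:` and keep only the ref on the line itself. The date and PR annotation is not checked by anything, so the claim "no _claude-review.yml changes vs the prior pin" should be confirmed against the two SHAs on ai-review-prompts main rather than taken from the comment.

Review bot: in the claude-review.yml @@ -51 hunk the `ai-review-prompts-ref:` input must equal the SHA in the `uses:` ref, and nothing enforces that; the comment explains why the duplication is unavoidable, but if the two ever drift the reusable workflow runs from one commit while checking out its prompts and scripts from another. Suggest a repo-side check that fails when the values differ, for example comparing `grep -o '_claude-review.yml@[0-9a-f]*'` with `grep 'ai-review-prompts-ref:'` in CI or a pre-commit hook.

Review bot: the replacement pin comment on the `uses:` line in the gemini-review.yml @@ -34 hunk drops the `default model gemini-3-flash-preview` annotation the old comment carried, so after this change the caller no longer records which model the reviewer runs; either restate the model in the comment or pass it explicitly under `with:` so a model change inside ai-review-prompts shows up as a diff in this repo instead of arriving silently with a pin bump. The same `uses:`/`ai-review-prompts-ref:` duplication exists here as in claude-review.yml, so any sync check should cover both files.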
diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml index 8245487..b13d5b4 100644 --- a/.github/workflows/gemini-review.yml +++ b/.github/workflows/gemini-review.yml @@ -35,6 +35,22 @@ concurrency: jobs: review: uses: HarperFast/ai-review-prompts/.github/workflows/_gemini-review.yml@ea190091328bcee674c4739ccc97dda177ecf0c5 # main 2026-05-20 (post #41 — Gemini calibration from oauth#87 promoted; single-shot supersedes the MCP rewrite, prior-body continuity, marker-check robustness) + # Caller-side permissions, scoped at the calling-job level (NOT + # workflow-level — that placement caps the reusable's per-job + # grants below what they need and breaks the workflow at startup; + # see ai-review-prompts#39/#40 for the incident). Union of what + # the reusable's `authorize` (`contents: read`) and `review` + # (`contents: read + pull-requests: write + id-token: write`) + # jobs declare. GitHub's rule: caller's GITHUB_TOKEN permissions + # can only be DOWNGRADED (not elevated) by the called workflow, + # so the caller must grant at least the union the reusable needs. + # Mirrors claude-review.yml in this repo — surfaced as a finding + # by Gemini's own review on PR #88. + # Reference: https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations + permissions: + contents: read + pull-requests: write + id-token: write with: # Same SHA as the `uses:` ref above. See claude-review.yml # in this repo for why the duplication is unavoidable
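Review bot: the new `permissions:` block in the gemini-review.yml @@ -35 hunk grants `id-token: write`, which lets the job request OIDC tokens for any trust policy configured to accept this repository's workflows, but the comment only says the reusable's `review` job declares it, not what the token is exchanged for; name the consumer in the comment so the grant can be dropped when that dependency goes away. The comment should also state that a job-level `permissions:` sets every unlisted scope to none, since that narrowing is the hardening the commit message is after. Placing the block between `uses:` and `with:` is valid for a reusable-workflow job, so no structural change is needed.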