Status: Open
Labels: bug (Something isn't working)
Description
Problem
The security review agent re-posts inline review comments for findings that were already resolved in previous reviews. This creates noise and duplicate comments on the PR.
Expected Behavior
When a review thread has been resolved (either manually by a human or via the /create-issue command), the security review agent should not re-post the same finding on subsequent runs (triggered by synchronize events).
Current State
The workflow instructions already include cache memory logic to avoid duplicates (step 1):
"Avoid repeating the same inline comments from previous reviews if the previous comment is not resolved yet nor outdated"
However, the agent is not reliably detecting already-resolved threads and is re-posting findings.
Investigation
- Verify the cache memory is being read correctly and contains previous review data
- Check if the agent is comparing findings against resolved threads via the GitHub API
- Consider using the pull_requests toolset to list existing review comments and their resolution status before posting
- Improve the prompt to explicitly check thread resolution status via API before posting
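A dedup check of the kind the investigation list points at, as an added example rather than the workflow's own code: it compares new findings against review threads shaped like GitHub's GraphQL `reviewThreads` nodes (`isResolved`, `isOutdated`, `path`, `line`, `originalLine`, `comments`) and keeps only the findings that still need a new inline comment. The thread and finding data are constructed; the matching key (path, line, normalised first line of the comment) and the combined rule (skip when the thread is resolved, or open and not outdated) are assumptions.

```python
"""Filter new security-review findings against existing PR review threads."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    title: str  # first line of the inline comment the agent would post


def finding_key(path: str, line: int, body: str) -> tuple:
    """Normalise (path, line, first line of body) so wording drift still matches."""
    first = body.strip().splitlines()[0] if body.strip() else ""
    first = re.sub(r"[^a-z0-9 ]", "", first.lower()).strip()
    return (path, line, first)


def filter_findings(findings, threads):
    """Return findings that are not already covered by an existing thread.

    Assumed rule: skip a finding when a matching thread is resolved (by a
    human or via /create-issue), or is still open and not outdated.
    A thread that is open but outdated no longer covers the code, so the
    finding is posted again.
    """
    covered = set()
    for t in threads:
        if not t["comments"]:
            continue
        line = t["line"] if t["line"] is not None else t["originalLine"]
        key = finding_key(t["path"], line, t["comments"][0]["body"])
        if t["isResolved"] or not t["isOutdated"]:
            covered.add(key)
    return [f for f in findings if finding_key(f.path, f.line, f.title) not in covered]


# Constructed sample data, shaped like pullRequest.reviewThreads nodes.
SAMPLE_THREADS = [
    {"path": "app/db.py", "line": 12, "originalLine": 12, "isResolved": True, "isOutdated": False,
     "comments": [{"body": "Hardcoded credential in connection string"}]},
    {"path": "app/api.py", "line": 40, "originalLine": 40, "isResolved": False, "isOutdated": False,
     "comments": [{"body": "Missing authorization check on admin endpoint"}]},
    {"path": "app/util.py", "line": None, "originalLine": 7, "isResolved": False, "isOutdated": True,
     "comments": [{"body": "Insecure deserialization with pickle.loads"}]},
]
SAMPLE_FINDINGS = [
    Finding("app/db.py", 12, "Hardcoded credential in connection string"),      # resolved: skip
    Finding("app/api.py", 40, "Missing authorization check on admin endpoint"),  # open, current: skip
    Finding("app/util.py", 7, "Insecure deserialization with pickle.loads"),     # outdated: re-post
    Finding("app/new.py", 3, "SQL query built with string formatting"),          # new: post
]


def new_findings():
    """Findings the agent should actually post on this run."""
    return filter_findings(SAMPLE_FINDINGS, SAMPLE_THREADS)
```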
Related
- PR #51: feat: add agentic workflows and security posture
- .github/workflows/security-review.md: security review workflow