From eab0c1c5fabdc725d9721a0502d9983bdb6a89cc Mon Sep 17 00:00:00 2001 From: Phil Leggetter Date: Tue, 17 Mar 2026 00:43:08 +0000 Subject: [PATCH 1/3] docs(issue-auto-implement): document CI trigger and approval for bot-created PRs Made-with: Cursor --- .github/actions/issue-auto-implement/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/actions/issue-auto-implement/README.md b/.github/actions/issue-auto-implement/README.md index cb9f6f7..d8cee11 100644 --- a/.github/actions/issue-auto-implement/README.md +++ b/.github/actions/issue-auto-implement/README.md 
@@ -9,6 +9,12 @@ Reusable composite action for label-triggered issue automation: assess (request 3. **Trigger label** — Create the labels once so you can add them to issues. Either run the **Issue auto-implement setup** workflow (Actions → Issue auto-implement setup → Run workflow), which creates `automation/auto-implement`, `automation/needs-info`, and `automation/pr-created`; or create the trigger label **`automation/auto-implement`** manually in the repo (Settings or Issues → Labels). The main action also ensures these labels exist when it runs, but the trigger label must exist before you can add it to an issue. 4. **Trigger** — On an issue, add the label `automation/auto-implement`. The workflow runs: it assesses the issue (request more info vs implement), and if implement, runs the Claude Code CLI and opens a PR. You can also comment on the issue (to add context and re-trigger) or review the PR (to iterate). +## CI and approval for bot-created PRs + +PRs created by the action use `GITHUB_TOKEN`, so GitHub does not trigger `pull_request` workflows on them. This action therefore triggers the **test** workflow via `workflow_dispatch` on the new branch after creating a PR, so CI checks appear. The **test** workflow must include `workflow_dispatch:` in its `on:` block. + +To require a human to approve workflow runs before they execute (e.g. for security), set **Settings → Actions → General → Approval for running fork pull request workflows from contributors** to **Require approval for all external contributors**. Then each bot-created PR will show workflow(s) awaiting approval until someone with write access approves. + ## Usage (reference) Used by `.github/workflows/issue-auto-implement.yml`. Requires `anthropic_api_key` (e.g. from repo secret `AUTO_IMPLEMENT_ANTHROPIC_API_KEY`), one of `github_allowed_trigger_min_permission` or `github_allowed_trigger_team` (repo variables), and `github_token` from the workflow. 
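Review bot: the approval guidance in the second added paragraph does not gate the runs this action creates. The setting it names, "Approval for running fork pull request workflows from contributors", applies only to `pull_request` events from forks by outside contributors; the runs described in the first paragraph are `workflow_dispatch` runs on a branch in the same repository, started by the action with its own `GITHUB_TOKEN`, so they start without any approval prompt and the promised "awaiting approval" state will not appear. If a human gate is the goal, document a mechanism that actually applies here: put the **test** job behind an environment with required reviewers, or have a maintainer dispatch the workflow manually instead of the action auto-dispatching it. The first paragraph should also say what a dispatched run executes: `workflow_dispatch` runs the `test` workflow file as it exists on the new branch, so the run uses whatever the implement step committed there, with the repository's token and secrets available to it.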
From c388d2f35cfdbb5097d7ddce2902a5417bdd41c5 Mon Sep 17 00:00:00 2001 From: Phil Leggetter Date: Tue, 17 Mar 2026 01:16:24 +0000 Subject: [PATCH 2/3] fix(issue-auto-implement): add workflows: write so push succeeds when implement changes workflow files Made-with: Cursor --- .github/workflows/issue-auto-implement.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/issue-auto-implement.yml b/.github/workflows/issue-auto-implement.yml index 0a2735c..9e9fe22 100644 --- a/.github/workflows/issue-auto-implement.yml +++ b/.github/workflows/issue-auto-implement.yml @@ -27,6 +27,7 @@ jobs: issues: write pull-requests: write actions: write # trigger test workflow on PR branch so checks appear (PRs created by bot may not trigger pull_request) + workflows: write # allow push when implement touches .github/workflows/* (GitHub rejects workflow file changes without this) # read:org only needed if using team check (AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM) steps: - name: Checkout From 710dcf5ef6f7cc0084f8fc4f8cc9e462c88e4663 Mon Sep 17 00:00:00 2001 From: Phil Leggetter Date: Tue, 17 Mar 2026 01:18:18 +0000 Subject: [PATCH 3/3] docs(issue-auto-implement): document workflows: write when implement may edit workflow files Made-with: Cursor --- .github/actions/issue-auto-implement/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/issue-auto-implement/README.md b/.github/actions/issue-auto-implement/README.md index d8cee11..98ed241 100644 --- a/.github/actions/issue-auto-implement/README.md +++ b/.github/actions/issue-auto-implement/README.md 
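Review bot: `workflows: write` is not one of the scopes the job-level `permissions` block accepts for `GITHUB_TOKEN` (the documented keys are `actions`, `attestations`, `checks`, `contents`, `deployments`, `discussions`, `id-token`, `issues`, `packages`, `pages`, `pull-requests`, `repository-projects`, `security-events`, `statuses`; there is no `workflows`), so this line will fail workflow validation or be ignored, and the push the comment describes will still be refused. `GITHUB_TOKEN` cannot create or modify files under `.github/workflows/` at all; if that capability is really required, the push step needs a GitHub App installation token or a fine-grained PAT carrying the Workflows write permission, supplied explicitly. Before adding that, weigh whether it should be granted: the implement step commits model-generated changes, and the `actions: write` line directly above is used to dispatch the test workflow on that same branch, so together they would let generated workflow edits run in CI under the repository's credentials. The safer fix is to have the implement step refuse or strip changes under `.github/workflows/` and leave this permission out.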
@@ -4,7 +4,7 @@ Reusable composite action for label-triggered issue automation: assess (request ## How to use (quick start) -1. **Workflow** — Ensure `.github/workflows/issue-auto-implement.yml` exists and calls this action (see the workflow in this repo for the exact `on:` and `uses:`). +1. **Workflow** — Ensure `.github/workflows/issue-auto-implement.yml` exists and calls this action (see the workflow in this repo for the exact `on:` and `uses:`). If implement might change workflow files, the job must include `workflows: write` in its `permissions` (see [CI/CD](#cicd-what-you-need-to-run-this-workflow)). 2. **Secrets and variables** — In the repo: Settings → Secrets and variables → Actions. Add secret **`AUTO_IMPLEMENT_ANTHROPIC_API_KEY`** (Anthropic API key). For who can trigger, set **one** of: **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION`** (e.g. `push` or `maintain`; works with default token) or **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM`** (e.g. `org/team`; token needs `read:org`). 3. **Trigger label** — Create the labels once so you can add them to issues. Either run the **Issue auto-implement setup** workflow (Actions → Issue auto-implement setup → Run workflow), which creates `automation/auto-implement`, `automation/needs-info`, and `automation/pr-created`; or create the trigger label **`automation/auto-implement`** manually in the repo (Settings or Issues → Labels). The main action also ensures these labels exist when it runs, but the trigger label must exist before you can add it to an issue. 4. **Trigger** — On an issue, add the label `automation/auto-implement`. The workflow runs: it assesses the issue (request more info vs implement), and if implement, runs the Claude Code CLI and opens a PR. You can also comment on the issue (to add context and re-trigger) or review the PR (to iterate). 
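Review bot: the sentence added to step 1 presents `workflows: write` as a supported key for the job's `permissions`; it is not a documented `GITHUB_TOKEN` scope, so readers who follow it will still get the rejected push. The quick start should instead say that workflow-file edits are outside what the default token can do and either name the credential that can (a GitHub App installation token or fine-grained PAT with Workflows write) or, preferably, state that the implement step does not modify `.github/workflows/`. If the project keeps the permission, the step should also flag the cost in one clause: it allows generated changes to alter CI definitions that the action then dispatches on the same branch.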
@@ -42,7 +42,7 @@ Secrets and variables use an action-specific prefix (e.g. `AUTO_IMPLEMENT_`) so To use this action in GitHub Actions: -1. **Workflow** — Call the action from a workflow (e.g. `.github/workflows/issue-auto-implement.yml`) on `issues.labeled`, `issue_comment`, `pull_request_review`, and/or `pull_request_review_comment`. The job needs `contents: write`, `issues: write`, `pull-requests: write`. +1. **Workflow** — Call the action from a workflow (e.g. `.github/workflows/issue-auto-implement.yml`) on `issues.labeled`, `issue_comment`, `pull_request_review`, and/or `pull_request_review_comment`. The job needs `contents: write`, `issues: write`, `pull-requests: write`. If the implement step may edit files under `.github/workflows/`, also add **`workflows: write`** so the push is allowed (GitHub rejects workflow file changes without it). 2. **Secrets** — Add **`AUTO_IMPLEMENT_ANTHROPIC_API_KEY`** (repo secret). Used for the assess step and passed to the Claude Code CLI in the implement step. 3. **Variables (trigger gate)** — Set **one** of: - **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION`** (repo variable): `triage`, `push`, `maintain`, or `admin`. Only users with at least this repo permission can trigger. Works with default `GITHUB_TOKEN`.
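Review bot: two problems in the revised step 1. First, "GitHub rejects workflow file changes without it" misstates the cause: the rejection happens because `GITHUB_TOKEN` cannot push workflow files at all, and `workflows: write` is not an accepted key in the `permissions` block, so adding it will not make the push succeed; the sentence should name the credential that can (GitHub App installation token or fine-grained PAT with Workflows write) or advise keeping `.github/workflows/` read-only for the implement step. Second, the listed job permissions (`contents: write`, `issues: write`, `pull-requests: write`) omit `actions: write`, which the workflow change earlier in this series shows the job already holds to dispatch the test workflow on the PR branch; list it here so operators see the full token footprint the job runs with.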