Complete configuration guide for GitHub Workflow Blueprint
This guide covers all required settings to make the blueprint workflows function correctly.
- Required Secrets
- Branch Protection Rules
- GitHub Projects v2 Setup
- Repository Settings
- GitHub Actions Permissions
- Labels Configuration
- Optional Settings
- Validation Checklist
Location: Repository Settings → Secrets and variables → Actions
Purpose: Enables Claude Code Action for AI-powered code reviews
How to get it:
- Go to https://console.anthropic.com/
- Navigate to API Keys section
- Create a new API key
- Copy the key
How to set it:
# Via gh CLI
gh secret set ANTHROPIC_API_KEY
# Via GitHub UI
Settings → Secrets and variables → Actions → New repository secret
Name: ANTHROPIC_API_KEY
Secret: <your-api-key>Required by:
- Claude Code Review workflow (optional, will skip if not set)
Purpose: Enables GitHub Projects v2 integration and Wiki sync
How to create it:
- Go to https://github.com/settings/tokens
- Click "Generate new token" → "Generate new token (classic)"
- Name:
PROJECTS_TOKENorGitHub Workflow Automation - Select scopes:
- ✅
repo(Full control of private repositories) - ✅
project(Full control of projects) - ✅
write:discussion(Read and write team discussions)
- ✅
- Set expiration (recommend: No expiration or 1 year)
- Generate token and copy it
How to set it:
# Via gh CLI
gh secret set PROJECTS_TOKEN
# Via GitHub UI
Settings → Secrets and variables → Actions → New repository secret
Name: PROJECTS_TOKEN
Secret: <your-token>Required by:
project-synccomposite action- All workflows that update project board status
- Wiki sync workflow
Purpose: Alternative to ANTHROPIC_API_KEY for Claude Code Review
How to get it:
- Go to https://claude.com/settings/oauth-tokens
- Create new OAuth token
- Copy the token
How to set it:
gh secret set CLAUDE_CODE_OAUTH_TOKENNote: Only needed if using OAuth flow instead of API key. The workflow will skip Claude Code Review if neither secret is set.
Location: Repository Settings → Branches → Branch protection rules
Branch name pattern: main
Required Settings:
-
✅ Require a pull request before merging
- ✅ Require approvals: 1 (minimum)
- ✅ Dismiss stale pull request approvals when new commits are pushed
⚠️ Do NOT check "Require approval from Code Owners" (unless you want this)
-
✅ Require status checks to pass before merging
- ✅ Require branches to be up to date before merging
- Required status checks (add these):
Validate Source BranchProduction BuildSmoke TestsDeployment ReadinessRelease Gate Status
-
✅ Require conversation resolution before merging
-
✅ Require linear history (enforces squash or rebase merges)
-
⚠️ Do not allow bypassing the above settings (recommended)
- ✅ Restrict deletions (cannot delete main branch)
- ✅ Restrict force pushes (cannot force push to main)
- ✅ Require signed commits (optional, recommended for security)
CLI Command:
gh api repos/{owner}/{repo}/branches/main/protection \
--method PUT \
--field required_status_checks='{"strict":true,"checks":[{"context":"Validate Source Branch"},{"context":"Production Build"},{"context":"Smoke Tests"},{"context":"Deployment Readiness"},{"context":"Release Gate Status"}]}' \
--field enforce_admins=true \
--field required_pull_request_reviews='{"required_approving_review_count":1,"dismiss_stale_reviews":true}' \
--field restrictions=null \
--field required_linear_history=true \
--field allow_force_pushes=false \
--field allow_deletions=false \
--field required_conversation_resolution=trueBranch name pattern: dev
Required Settings:
-
✅ Require a pull request before merging
⚠️ Require approvals: 0 (or 1 if you want reviews)- ✅ Dismiss stale pull request approvals when new commits are pushed
-
✅ Require status checks to pass before merging
- ✅ Require branches to be up to date before merging
- Required status checks:
Validate Branch NameValidate PR TitleValidate Linked IssueRun Quality Checks
-
✅ Require conversation resolution before merging
-
⚠️ Allow force pushes (UNCHECKED - do not allow)
- ✅ Restrict deletions
⚠️ Allow administrators to bypass (optional, for emergency fixes)
CLI Command:
gh api repos/{owner}/{repo}/branches/dev/protection \
--method PUT \
--field required_status_checks='{"strict":true,"checks":[{"context":"Validate Branch Name"},{"context":"Validate PR Title"},{"context":"Validate Linked Issue"},{"context":"Run Quality Checks"}]}' \
--field enforce_admins=false \
--field required_pull_request_reviews='{"required_approving_review_count":0,"dismiss_stale_reviews":true}' \
--field restrictions=null \
--field allow_force_pushes=false \
--field allow_deletions=false \
--field required_conversation_resolution=trueLocation: Repository → Projects tab → Link a project
Option 1: Via GitHub UI
- Go to your repository
- Click Projects tab
- Click Link a project → New project
- Choose Board template
- Name:
Development Workflow(or your choice) - Click Create project
Option 2: Via gh CLI
# Create new project
gh project create --owner <username> --title "Development Workflow"
# Link to repository
gh project link <project-number> --repo <username>/<repo>Required Status Values (in this exact order):
| Status | Purpose |
|---|---|
| To Triage | New issues pending review |
| Backlog | Approved but not scheduled |
| Ready | Ready to start work |
| In Progress | Actively being worked on |
| In Review | PR created, awaiting review |
| To Deploy | Merged to dev, ready for release |
| Done | Released to production |
How to configure:
- Open your project board
- Click ⚙️ (Settings) in top-right
- Go to Custom fields → Status
- Add/edit status options to match the list above
- Set default to To Triage
Important: The workflow expects these exact names. If you use different names, update the project-sync composite action.
You need the project URL for the PROJECT_URL secret:
# Via gh CLI
gh project list --owner <username>
# The URL will be like:
# https://github.com/users/<username>/projects/<number>Save this URL - you'll need it for the bootstrap workflow.
Location: Repository Settings → General
- ✅ Issues (required for issue tracking)
- ✅ Wikis (required for wiki sync workflow)
⚠️ Discussions (optional, recommended for community)⚠️ Projects (should be enabled automatically)
- ✅ Allow squash merging (recommended default)
- ✅ Default to pull request title
⚠️ Allow merge commits (optional)⚠️ Allow rebase merging (optional)- ✅ Always suggest updating pull request branches
- ✅ Automatically delete head branches (recommended)
⚠️ Do not archive this repository (unless intentional)
Location: Repository Settings → Actions → General
Required Configuration:
- ✅ Allow all actions and reusable workflows
- (Or restrict to specific actions if you prefer)
Workflow permissions:
-
✅ Read and write permissions
- Required for:
- Creating/updating issues
- Commenting on PRs
- Updating project boards
- Creating releases
- Syncing wikis
- Required for:
-
✅ Allow GitHub Actions to create and approve pull requests
- (Optional, only if you want automated PR creation)
Fork pull request workflows:
- ✅ Run workflows from fork pull requests
- Require approval for first-time contributors: ✅ Enabled
Location: Repository → Issues → Labels
Run the bootstrap.yml workflow to automatically create these, or create manually:
status:ready- 🟢 Green - Ready to startstatus:in-progress- 🟡 Yellow - Work in progressstatus:in-review- 🟠 Orange - In code reviewstatus:to-deploy- 🔵 Blue - Ready for deployment
type:feature- 🟣 Purple - New featuretype:fix- 🔴 Red - Bug fixtype:hotfix- 🔥 Dark red - Critical hotfixtype:docs- 📘 Light blue - Documentationtype:refactor- 🔧 Grey - Code refactoringtype:test- ✅ Green - Testing
platform:web- 🌐 Blue - Web platformplatform:mobile- 📱 Purple - Mobile platformplatform:fullstack- 🔗 Orange - Full-stack
priority:critical- 🔴 Red - Critical prioritypriority:high- 🟠 Orange - High prioritypriority:medium- 🟡 Yellow - Medium prioritypriority:low- 🟢 Green - Low priority
claude-code- 🤖 Purple - Created by Claude Code
Auto-create labels:
# Run bootstrap workflow
gh workflow run bootstrap.yml
# Or create via CLI
gh label create "status:ready" --color "0E8A16" --description "Ready to start"
gh label create "type:feature" --color "A855F7" --description "New feature"
# ... repeat for all labelsLocation: Repository Settings → Pages
Configuration:
- ✅ Source: GitHub Actions
⚠️ Branch: (Leave as GitHub Actions, not gh-pages)- ✅ Enforce HTTPS: Enabled
Deployment:
- Automatic via
deploy-pages.ymlworkflow - Site URL:
https://<username>.github.io/<repo>/
Location: Repository Settings → Code security and analysis
Enable:
- ✅ Dependabot alerts
- ✅ Dependabot security updates
- ✅ Dependabot version updates (configured via
.github/dependabot.yml)
Pre-configured in this blueprint:
- Weekly npm dependency updates
- Weekly GitHub Actions updates
Location: Repository Settings → Environments
Recommended Environments:
- Protection rules:
- Required reviewers: 0 (or 1 if you want)
- Wait timer: 0 minutes
- Protection rules:
- ✅ Required reviewers: 1+
- ✅ Wait timer: 5 minutes (prevents accidental deployments)
- ✅ Deployment branches: Only
main
After completing setup, verify everything works:
# Check secrets are set (will show names only, not values)
gh secret listExpected output:
ANTHROPIC_API_KEY Updated 2025-XX-XX
PROJECTS_TOKEN Updated 2025-XX-XX
# Run initial setup
gh workflow run bootstrap.yml
# Check status
gh run list --workflow=bootstrap.yml --limit 1Expected: Creates labels, validates project board, checks secrets
# Try to push directly to main (should fail)
git checkout main
echo "test" >> test.txt
git add test.txt
git commit -m "test: direct commit"
git push origin main
# Expected: rejected by remote# Create test issue
gh issue create --title "Test: Validate setup" --body "Testing workflow automation"
# Expected: Issue created, added to project board in "To Triage" status# Create feature branch
git checkout -b feature/test-setup
echo "# Test" > TEST.md
git add TEST.md
git commit -m "feat: test workflow"
git push -u origin feature/test-setup
# Create PR to dev
gh pr create --base dev --title "feat: Test workflow" --body "Closes #<issue-number>"
# Expected:
# - Branch name validation passes
# - PR title validation passes
# - Linked issue validation passes
# - Quality checks run- Open your project board
- Find the test issue created above
- Verify it appears in "To Triage" column
- Create a branch from the issue
- Verify issue moves to "In Progress"
# Merge feature to dev
gh pr merge <pr-number> --squash
# Create release PR
gh pr create --base main --head dev --title "release: v1.0.0" --body "Release notes..."
# Expected:
# - Source branch validation passes (dev allowed)
# - All release gates run
# - Project board updatesSolution:
- Verify secret is set:
gh secret list - If missing, create PAT with
repoandprojectscopes - Set secret:
gh secret set PROJECTS_TOKEN
Solution:
- Verify project board exists and is linked to repo
- Verify PROJECTS_TOKEN has
projectscope - Check project board status field has correct values
- Run
gh project list --owner <username>to verify access
Solution:
- Verify required status checks are passing
- Check branch protection rules match workflow names exactly
- Temporarily disable "Require branches to be up to date" if needed
Solution:
- Go to Settings → Actions → General
- Set "Workflow permissions" to "Read and write permissions"
- Enable "Allow GitHub Actions to create and approve pull requests"
Solution:
# Run bootstrap workflow
gh workflow run bootstrap.yml
# Or create manually via CLI/UI- Quick Start Guide - Get started in 5 minutes
- Complete Setup Guide - Detailed installation
- Workflows Reference - All 8 workflows explained
- Troubleshooting Guide - Common issues and fixes
For advanced users, here's a script to automate most settings:
#!/bin/bash
# setup-github.sh - Automated GitHub setup
set -e
REPO="${1:-$(gh repo view --json nameWithOwner -q .nameWithOwner)}"
PROJECT_URL="${2:-}"
echo "🔧 Setting up GitHub repository: $REPO"
# 1. Enable required features
echo "📝 Enabling repository features..."
gh api repos/$REPO -X PATCH \
--field has_issues=true \
--field has_wiki=true \
--field has_projects=true \
--field allow_squash_merge=true \
--field delete_branch_on_merge=true
# 2. Set workflow permissions
echo "🔐 Configuring Actions permissions..."
gh api repos/$REPO/actions/permissions -X PUT \
--field enabled=true \
--field allowed_actions="all"
gh api repos/$REPO/actions/permissions/workflow -X PUT \
--field default_workflow_permissions="write" \
--field can_approve_pull_request_reviews=true
# 3. Run bootstrap workflow
echo "🚀 Running bootstrap workflow..."
gh workflow run bootstrap.yml -R $REPO
echo "✅ Setup complete!"
echo ""
echo "⚠️ Manual steps remaining:"
echo "1. Set ANTHROPIC_API_KEY secret"
echo "2. Set PROJECTS_TOKEN secret"
echo "3. Configure branch protection rules"
echo "4. Link project board (if not already linked)"
echo ""
echo "Run: ./setup/validate.sh to verify setup"Last Updated: 2025-11-07 Version: 1.0.0 Status: Production Ready