Skip to content

Commit ec63b07

Browse files
committed
fix(issue-auto-implement): rename to AUTO_IMPLEMENT_GITHUB_PUSH_TOKEN, document all token types
Rename secret to include GITHUB in the name for consistency. Document that push_token accepts personal PATs (classic or fine-grained) and GitHub App installation tokens. https://claude.ai/code/session_01PHFVduUenioa8nn4NMCabe
1 parent b7d5bb5 commit ec63b07

2 files changed

Lines changed: 10 additions & 6 deletions

File tree

.github/actions/issue-auto-implement/README.md

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -5,13 +5,17 @@ Reusable composite action for label-triggered issue automation: assess (request
55
## How to use (quick start)
66

77
1. **Workflow** — Ensure `.github/workflows/issue-auto-implement.yml` exists and calls this action (see the workflow in this repo for the exact `on:` and `uses:`). If implement might change workflow files, see [CI/CD](#cicd-what-you-need-to-run-this-workflow) for push permission requirements.
8-
2. **Secrets and variables** — In the repo: Settings → Secrets and variables → Actions. Add secret **`AUTO_IMPLEMENT_ANTHROPIC_API_KEY`** (Anthropic API key). Optionally add **`AUTO_IMPLEMENT_PUSH_TOKEN`** (a PAT with `repo` scope) so CI checks run on bot-created PRs (see [CI checks on bot-created PRs](#ci-checks-on-bot-created-prs)). For who can trigger, set **one** of: **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION`** (e.g. `push` or `maintain`; works with default token) or **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM`** (e.g. `org/team`; token needs `read:org`).
8+
2. **Secrets and variables** — In the repo: Settings → Secrets and variables → Actions. Add secret **`AUTO_IMPLEMENT_ANTHROPIC_API_KEY`** (Anthropic API key). Optionally add **`AUTO_IMPLEMENT_GITHUB_PUSH_TOKEN`** (a PAT with `repo` scope) so CI checks run on bot-created PRs (see [CI checks on bot-created PRs](#ci-checks-on-bot-created-prs)). For who can trigger, set **one** of: **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION`** (e.g. `push` or `maintain`; works with default token) or **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM`** (e.g. `org/team`; token needs `read:org`).
99
3. **Trigger label** — Create the labels once so you can add them to issues. Either run the **Issue auto-implement setup** workflow (Actions → Issue auto-implement setup → Run workflow), which creates `automation/auto-implement`, `automation/needs-info`, and `automation/pr-created`; or create the trigger label **`automation/auto-implement`** manually in the repo (Settings or Issues → Labels). The main action also ensures these labels exist when it runs, but the trigger label must exist before you can add it to an issue.
1010
4. **Trigger** — On an issue, add the label `automation/auto-implement`. The workflow runs: it assesses the issue (request more info vs implement), and if implement, runs the Claude Code CLI and opens a PR. You can also comment on the issue (to add context and re-trigger) or review the PR (to iterate).
1111

1212
## CI checks on bot-created PRs
1313

14-
By default, PRs created with `GITHUB_TOKEN` do not trigger `pull_request` workflows (a GitHub restriction to prevent recursive runs). To get CI checks on bot-created PRs, set the optional **`push_token`** input to a PAT (classic with `repo` scope, or fine-grained with `contents: write` + `pull-requests: write`). The action uses this token for `git push` and PR creation, so GitHub sees events from a real user and triggers all `pull_request` workflows normally.
14+
By default, PRs created with `GITHUB_TOKEN` do not trigger `pull_request` workflows (a GitHub restriction to prevent recursive runs). To get CI checks on bot-created PRs, set the optional **`push_token`** input to a PAT or GitHub App installation token. The action uses this token for `git push` and PR creation, so GitHub sees events from a non-Actions identity and triggers all `pull_request` workflows normally. Accepted token types:
15+
16+
- **Personal Access Token (classic)**`repo` scope
17+
- **Personal Access Token (fine-grained)**`contents: write` + `pull-requests: write` permissions
18+
- **GitHub App installation token** — same permissions (e.g. via `actions/create-github-app-token`)
1519

1620
If `push_token` is not set, the action falls back to `github_token` and CI workflows will not trigger automatically on bot PRs.
1721

@@ -36,7 +40,7 @@ Used by `.github/workflows/issue-auto-implement.yml`. Requires `anthropic_api_ke
3640
| `max_implement_retries` | No | 3 | Max retries on verify failure (cap 5) |
3741
| `github_allowed_trigger_team` | No* | - | Team slug (e.g. org/team); only members can trigger. Repo variable `AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM`. Ignored if min_permission is set. Token needs read:org. |
3842
| `github_allowed_trigger_min_permission` | No* | - | Require actor has at least this repo permission: triage, push, maintain, or admin. Repo variable `AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION`. Works with default GITHUB_TOKEN. |
39-
| `push_token` | No | - | PAT or GitHub App token for git push and PR creation. When set, GitHub triggers `pull_request` workflows on bot PRs. Falls back to `github_token`. |
43+
| `push_token` | No | - | PAT or GitHub App installation token for git push and PR creation. When set, GitHub triggers `pull_request` workflows on bot PRs. Falls back to `github_token`. |
4044
| `post_pr_comment` | No | false | When true, post a comment on the issue linking to the new PR when one is created. |
4145

4246
*One of `github_allowed_trigger_min_permission` or `github_allowed_trigger_team` must be set (via repo variables).
@@ -48,7 +52,7 @@ Secrets and variables use an action-specific prefix (e.g. `AUTO_IMPLEMENT_`) so
4852
To use this action in GitHub Actions:
4953

5054
1. **Workflow** — Call the action from a workflow (e.g. `.github/workflows/issue-auto-implement.yml`) on `issues.labeled`, `issue_comment`, `pull_request_review`, and/or `pull_request_review_comment`. The job needs `contents: write`, `issues: write`, `pull-requests: write`. If the implement step may edit files under `.github/workflows/`, GitHub may reject the push; the workflow syntax has no `workflows` permission key. Enable **Settings → Actions → General → Allow GitHub Actions to create and approve pull requests** (or use a PAT with appropriate scope) so the run can push workflow file changes.
51-
2. **Secrets** — Add **`AUTO_IMPLEMENT_ANTHROPIC_API_KEY`** (repo secret). Used for the assess step and passed to the Claude Code CLI in the implement step. Optionally add **`AUTO_IMPLEMENT_PUSH_TOKEN`** (a PAT with `repo` scope, or fine-grained with `contents: write` + `pull-requests: write`) so CI checks run on bot-created PRs.
55+
2. **Secrets** — Add **`AUTO_IMPLEMENT_ANTHROPIC_API_KEY`** (repo secret). Used for the assess step and passed to the Claude Code CLI in the implement step. Optionally add **`AUTO_IMPLEMENT_GITHUB_PUSH_TOKEN`** (a PAT with `repo` scope, or fine-grained with `contents: write` + `pull-requests: write`) so CI checks run on bot-created PRs.
5256
3. **Variables (trigger gate)** — Set **one** of:
5357
- **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION`** (repo variable): `triage`, `push`, `maintain`, or `admin`. Only users with at least this repo permission can trigger. Works with default `GITHUB_TOKEN`.
5458
- **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM`** (repo variable): org/team slug (e.g. `org/team-name`). Only team members can trigger. Token must have `read:org` (use a PAT if `GITHUB_TOKEN` lacks it).
@@ -60,7 +64,7 @@ No other setup is required. Optionally set `verify_commands` (default `go test .
6064
## Secrets and variables (repo setup)
6165

6266
- **`AUTO_IMPLEMENT_ANTHROPIC_API_KEY`** (repo secret) — Claude API key for the assess and implement steps. Add under Settings → Secrets and variables → Actions.
63-
- **`AUTO_IMPLEMENT_PUSH_TOKEN`** (repo secret, optional) — PAT for git push and PR creation. When set, GitHub triggers `pull_request` workflows on bot PRs so CI checks appear. Classic PAT with `repo` scope, or fine-grained with `contents: write` + `pull-requests: write`.
67+
- **`AUTO_IMPLEMENT_GITHUB_PUSH_TOKEN`** (repo secret, optional) — PAT or GitHub App installation token for git push and PR creation. When set, GitHub triggers `pull_request` workflows on bot PRs so CI checks appear. See [CI checks on bot-created PRs](#ci-checks-on-bot-created-prs) for accepted token types.
6468
- **Trigger gate (set one):**
6569
- **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION`** (repo variable) — Require the triggering user to have at least this repo permission: `triage`, `push`, `maintain`, or `admin`. Works with the default `GITHUB_TOKEN`. Add under Settings → Secrets and variables → Actions → Variables.
6670
- **`AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM`** (repo variable) — GitHub Team slug (e.g. `org/team-name`) whose members may trigger. The first step checks `github.actor` against this team. The token needs `read:org`; if `GITHUB_TOKEN` lacks it, use a PAT and pass it as `github_token`.

.github/workflows/issue-auto-implement.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ jobs:
3939
with:
4040
anthropic_api_key: ${{ secrets.AUTO_IMPLEMENT_ANTHROPIC_API_KEY }}
4141
github_token: ${{ secrets.GITHUB_TOKEN }}
42-
push_token: ${{ secrets.AUTO_IMPLEMENT_PUSH_TOKEN }}
42+
push_token: ${{ secrets.AUTO_IMPLEMENT_GITHUB_PUSH_TOKEN }}
4343
github_allowed_trigger_min_permission: ${{ vars.AUTO_IMPLEMENT_ALLOWED_TRIGGER_MIN_PERMISSION }}
4444
github_allowed_trigger_team: ${{ vars.AUTO_IMPLEMENT_ALLOWED_TRIGGER_TEAM }}
4545
# Skip acceptance tests in verify (they need HOOKDECK_CLI_TESTING_API_KEY); unit tests use -short

0 commit comments

Comments
 (0)