From 49ce9d5121100d482c31e4c88034288e5354a532 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?=
Date: Mon, 26 Jan 2026 19:57:33 +1100
Subject: [PATCH 1/2] chore: add branch-protection annotation to scorecard config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Using GitHub Rulesets instead of classic branch protection:
- Rulesets require 1 approver and code owner review
- last_push_approval disabled to allow auto-approve bot
- bypass_actors: [] prevents admin bypass
Signed-off-by: JasonXuDeveloper - 傑
---
.scorecard.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/.scorecard.yml b/.scorecard.yml
index c72229cf..bf9e9e05 100644
--- a/.scorecard.yml
+++ b/.scorecard.yml
@@ -47,3 +47,12 @@ annotations:
 - token-permissions
 reasons:
 - reason: not-applicable # Write permissions required for test reporting and release automation
+
+ # Branch protection: Using GitHub Rulesets instead of classic branch protection
+ # - Rulesets require 1 approver and code owner review
+ # - "last push approval" disabled to allow auto-approve bot to work
+ # - "apply to administrators" handled via bypass_actors: [] in rulesets
+ - checks:
+ - branch-protection
+ reasons:
+ - reason: not-applicable # Using GitHub Rulesets with auto-approve bot requiring last_push_approval disabled
From 312e5c978c101b8740d9dde2ffad048c219f43ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?=
Date: Mon, 26 Jan 2026 20:01:27 +1100
Subject: [PATCH 2/2] fix(ci): check claude[bot] comment for auto-approve
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Claude Code Action posts a comment with 'No issues found. Checked for bugs and CLAUDE.md compliance.' when review passes. Check for this comment instead of check run output fields which are not set.
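Review bot: The `not-applicable` reason on the last added line records a deliberately weakened rule rather than a check that does not apply: with last-push approval turned off so the auto-approve bot counts, the author's most recent push can be merged on an approval that was given before that push, unless the ruleset also dismisses stale approvals when new commits arrive. The added comment block should name that compensating control so a reader can verify it against the ruleset, e.g. `# - stale approvals are dismissed on push; without that, a bot approval would outlive the code it reviewed`. If Scorecard does evaluate rulesets for this repository, a reason that records the accepted risk (or `not-detected`, if that value is accepted by the annotation schema in use) is more honest than `not-applicable`, which reads as "this check cannot apply here". I cannot see the ruleset from this hunk, so both points need confirming against the actual configuration.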
Signed-off-by: JasonXuDeveloper - 傑
---
.github/workflows/auto-approve.yml | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index b5a2026b..a490674c 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -50,17 +50,19 @@ jobs:
 HEAD_SHA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER --jq '.head.sha')
 echo "Head SHA: $HEAD_SHA"
- # Check Claude review status and output
- CLAUDE_CHECK=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review")')
- CLAUDE_STATUS=$(echo "$CLAUDE_CHECK" | jq -r '.conclusion' | head -1)
- CLAUDE_OUTPUT=$(echo "$CLAUDE_CHECK" | jq -r '.output.summary // .output.text // ""' | head -1)
- echo "Claude review status: $CLAUDE_STATUS"
- echo "Claude review output: $CLAUDE_OUTPUT"
-
- # Check if Claude found no issues (exact message check)
+ # Check Claude review - look for "No issues found" comment from claude[bot]
+ # Claude posts a comment with this exact message when review passes
+ CLAUDE_COMMENTS=$(gh api "repos/${{ github.repository }}/issues/$PR_NUMBER/comments" --jq '[.[] | select(.user.login == "claude[bot]") | .body] | join("\n")')
+ CLAUDE_APPROVED="false"
- if [ "$CLAUDE_STATUS" == "success" ] && echo "$CLAUDE_OUTPUT" | grep -q "No issues found. Checked for bugs and CLAUDE.md compliance"; then
+ if echo "$CLAUDE_COMMENTS" | grep -q "No issues found. Checked for bugs and CLAUDE.md compliance"; then
+ echo "Claude review found: No issues"
 CLAUDE_APPROVED="true"
+ else
+ echo "Claude review: Issues found or review not complete"
+ # Check if claude-review check status for debugging
+ CLAUDE_STATUS=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review") | .conclusion' | head -1)
+ echo "Claude review check status: $CLAUDE_STATUS"
 fi
 echo "Claude approved: $CLAUDE_APPROVED"
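Review bot: The new gate at `if echo "$CLAUDE_COMMENTS" | grep -q ...` accepts any claude[bot] issue comment ever posted on the PR with no tie to `$HEAD_SHA`, so a "No issues found" verdict left on an earlier revision still auto-approves commits pushed afterwards that were never reviewed; the removed `"$CLAUDE_STATUS" == "success"` condition was the only per-commit anchor and is now only a debug print in the else branch. The match is also loose: `grep -q` treats the dots as regex wildcards and fires on the phrase anywhere inside a longer comment that merely quotes it, so at minimum use `grep -qF`. Since the phrase is model output, it is plausible that PR content the reviewer reads could steer it toward emitting that exact sentence; a per-SHA check-run requirement and a recency bound limit that exposure but do not remove it. The `run:` step this code belongs to begins above the hunk. The rewrite below keeps the claude-review check run on the head SHA as a hard requirement and only trusts bot comments created at or after that run started (GitHub timestamps are ISO-8601 UTC, so string comparison preserves order).

```shell
# … unchanged: PR_NUMBER / HEAD_SHA lookup …
# Gate on the claude-review run for THIS head SHA, and only trust a claude[bot]
# verdict posted at or after that run started; older comments belong to earlier
# revisions of the PR. Timestamps are ISO-8601 UTC, so string comparison is order-preserving.
CLAUDE_RUN=$(gh api "repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs" \
  --jq '[.check_runs[] | select(.name == "claude-review")] | sort_by(.started_at) | last // {}')
CLAUDE_STATUS=$(echo "$CLAUDE_RUN" | jq -r '.conclusion // ""')
CLAUDE_SINCE=$(echo "$CLAUDE_RUN" | jq -r '.started_at // ""')
CLAUDE_COMMENTS=$(gh api "repos/${{ github.repository }}/issues/$PR_NUMBER/comments" \
  | jq -r --arg since "$CLAUDE_SINCE" \
      '[.[] | select(.user.login == "claude[bot]" and .user.type == "Bot" and .created_at >= $since) | .body] | join("\n")')
CLAUDE_APPROVED="false"
# -F: fixed-string match, not a regex. This is still a substring match on model output.
if [ "$CLAUDE_STATUS" == "success" ] && [ -n "$CLAUDE_SINCE" ] \
   && echo "$CLAUDE_COMMENTS" | grep -qF "No issues found. Checked for bugs and CLAUDE.md compliance"; then
  echo "Claude review found: No issues"
  CLAUDE_APPROVED="true"
else
  echo "Claude review: issues found, verdict stale, or review not complete (check status: ${CLAUDE_STATUS:-none})"
fi
# … unchanged: echo "Claude approved: $CLAUDE_APPROVED" …
```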