From 66b05524c09df89139ad568997fd69580c6636cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?=
Date: Mon, 26 Jan 2026 20:05:56 +1100
Subject: [PATCH] fix(ci): fix auto-approve to check claude[bot] comment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Check PR comments from claude[bot] for 'No issues found' message
- Add branch-protection annotation to scorecard config explaining why last_push_approval is disabled (required for auto-approve bot)

Signed-off-by: JasonXuDeveloper - 傑
---
 .github/workflows/auto-approve.yml | 17 ++++++++---------
 .scorecard.yml | 10 ++++++++++
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index b5a2026b..4ef49be6 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -50,17 +50,16 @@ jobs:
 HEAD_SHA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER --jq '.head.sha')
 echo "Head SHA: $HEAD_SHA"
- # Check Claude review status and output
- CLAUDE_CHECK=$(gh api repos/${{ github.repository }}/commits/$HEAD_SHA/check-runs --jq '.check_runs[] | select(.name == "claude-review")')
- CLAUDE_STATUS=$(echo "$CLAUDE_CHECK" | jq -r '.conclusion' | head -1)
- CLAUDE_OUTPUT=$(echo "$CLAUDE_CHECK" | jq -r '.output.summary // .output.text // ""' | head -1)
- echo "Claude review status: $CLAUDE_STATUS"
- echo "Claude review output: $CLAUDE_OUTPUT"
-
- # Check if Claude found no issues (exact message check)
+ # Check Claude review - look for "No issues found" comment from claude[bot]
+ # Claude posts a PR comment with this message when review passes
+ CLAUDE_COMMENTS=$(gh api "repos/${{ github.repository }}/issues/$PR_NUMBER/comments" --jq '[.[] | select(.user.login == "claude[bot]") | .body] | join("\n")')
+ CLAUDE_APPROVED="false"
- if [ "$CLAUDE_STATUS" == "success" ] && echo "$CLAUDE_OUTPUT" | grep -q "No issues found. Checked for bugs and CLAUDE.md compliance"; then
+ if echo "$CLAUDE_COMMENTS" | grep -q "No issues found. Checked for bugs and CLAUDE.md compliance"; then
+ echo "Claude review: No issues found"
 CLAUDE_APPROVED="true"
+ else
+ echo "Claude review: Issues found or not yet complete"
 fi
 echo "Claude approved: $CLAUDE_APPROVED"
diff --git a/.scorecard.yml b/.scorecard.yml
index c72229cf..a426605b 100644
--- a/.scorecard.yml
+++ b/.scorecard.yml
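Review bot: The comment scan in the new `CLAUDE_COMMENTS=...` line no longer ties the approval to `$HEAD_SHA`: any earlier claude[bot] comment on the PR that contains the phrase keeps matching after further commits are pushed, so a later, unreviewed push gets auto-approved on the strength of a stale review, whereas the removed check-run lookup was scoped to the head commit. Restrict the match to comments created after the head commit, e.g. `HEAD_DATE=$(gh api "repos/${{ github.repository }}/commits/$HEAD_SHA" --jq '.commit.committer.date')` and `CLAUDE_COMMENTS=$(gh api --paginate "repos/${{ github.repository }}/issues/$PR_NUMBER/comments" | jq -r --arg since "$HEAD_DATE" '[.[] | select(.user.login == "claude[bot]" and .created_at > $since) | .body] | join("\n")')` (both timestamps are ISO 8601 UTC, so string comparison orders them correctly), or have the review comment carry the SHA and match on that. The `--paginate` also matters on its own: the issue-comments endpoint returns 30 results per page by default, so on a long thread the passing comment can be missed and the step fails closed for no reason. Since the phrase is a fixed string, `grep -qF` is the safer match than the regex form. The enclosing run step starts before this hunk, so where `$PR_NUMBER` comes from is not visible here.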
@@ -47,3 +47,13 @@ annotations:
 - token-permissions
 reasons:
 - reason: not-applicable # Write permissions required for test reporting and release automation
+
+ # Branch protection: Using GitHub Rulesets with auto-approve bot
+ # - Rulesets require 1 approver (provided by auto-approve bot)
+ # - Code owner review is required
+ # - last_push_approval disabled to allow auto-approve bot to work
+ # - bypass_actors: [] prevents admin bypass
+ - checks:
+ - branch-protection
+ reasons:
+ - reason: not-applicable # Using Rulesets with auto-approve bot requiring last_push_approval disabled
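Review bot: The added annotation records why `last_push_approval` is disabled but not the compensating control that makes that acceptable: once the setting is off, an approval survives later pushes, so the auto-approve workflow becomes the only gate that ties a review to the PR's current head, and the rationale should state that dependency, e.g. `# - last_push_approval disabled; auto-approve.yml must re-verify the review against the PR head on every push`. The `# - bypass_actors: [] prevents admin bypass` line describes a ruleset that lives outside this repository and cannot be checked from the file; naming where it is enforced (or linking the ruleset) would keep the scorecard exception auditable.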