From 216ab0b142c78979e1ac3d76476cddf456d9d84f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?=
Date: Mon, 26 Jan 2026 20:13:19 +1100
Subject: [PATCH 1/2] test: verify auto-approve works with last_push_approval enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated scorecard annotation to reflect that last_push_approval is now enabled.

Signed-off-by: JasonXuDeveloper - 傑
---
.scorecard.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.scorecard.yml b/.scorecard.yml
index a426605b..cce01704 100644
--- a/.scorecard.yml
+++ b/.scorecard.yml
@@ -48,12 +48,13 @@ annotations:
reasons:
- reason: not-applicable # Write permissions required for test reporting and release automation
- # Branch protection: Using GitHub Rulesets with auto-approve bot
+ # Branch protection: Using GitHub Rulesets instead of classic branch protection
# - Rulesets require 1 approver (provided by auto-approve bot)
# - Code owner review is required
- # - last_push_approval disabled to allow auto-approve bot to work
- # - bypass_actors: [] prevents admin bypass
+ # - last_push_approval enabled
+ # - bypass_actors: [] prevents admin bypass (equivalent to "apply to administrators")
+ # Scorecard may not fully recognize ruleset settings vs classic branch protection
- checks:
- branch-protection
reasons:
- - reason: not-applicable # Using Rulesets with auto-approve bot requiring last_push_approval disabled
+ - reason: not-applicable # Using Rulesets; Scorecard may not recognize all settings

From d3ca4ddc5d7f7221237043b10edcbead544bf7c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JasonXuDeveloper=20-=20=E5=82=91?=
Date: Mon, 26 Jan 2026 20:37:19 +1100
Subject: [PATCH 2/2] fix(ci): add pull-requests write permission for Claude comments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Claude Code Action needs write permission to post review comments on PRs.
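Review bot: The new reason string `# Using Rulesets; Scorecard may not recognize all settings` drops the fact that the single required approval is supplied by a bot, while the retained comment `# - Rulesets require 1 approver (provided by auto-approve bot)` still says exactly that, so the `not-applicable` annotation now reads as a pure tooling gap when it is also a deliberate reduction in human review coverage. Keep the actual controls in the reason an auditor will read, e.g. `- reason: not-applicable # Using Rulesets: 1 approval (auto-approve bot) + code-owner review + last_push_approval; Scorecard may not recognize ruleset settings`. Whether `last_push_approval` actually stops the bot from approving a pusher's own latest commit is not visible here and is presumably what the commit title says is being verified; recording the outcome in the comment once confirmed would make the annotation self-explanatory.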
Signed-off-by: JasonXuDeveloper - 傑
---
.github/workflows/claude-code-review.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
index e1a58d52..4d3e3a80 100644
--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -12,7 +12,7 @@ on:
permissions:
contents: read
- pull-requests: read
+ pull-requests: write
issues: read
jobs:
@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
- pull-requests: read
+ pull-requests: write
issues: read
id-token: write
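Review bot: The workflow-level `permissions:` block in the first hunk should not be raised to `pull-requests: write`; that widens the default token for every job in this workflow, while the job-level block in the second hunk already grants write where the Claude Code Action runs. Least privilege suggests keeping the top-level entry as `pull-requests: read  # job-level permissions grant write where needed`, or dropping the top-level block and declaring permissions per job. If this is the workflow's only job the top-level grant is redundant rather than harmful, but it still hides which job actually needs the permission. The job in the second hunk now holds `pull-requests: write` together with `id-token: write` and, per the commit message, acts on pull requests, so a one-line comment on each stating why it is required would help future reviewers judge the token scope.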