feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts#281
Conversation
…icts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds an optional ChangesAgentic Auto-Rebase with Claude Conflict Resolution
Sequence DiagramssequenceDiagram
participant PR as PR update event
participant AutoRebase as auto-rebase-reusable.yml
participant GitMerge as git merge/rebase
participant GitHubAPI as GitHub issue comment API
participant IssueEvent as issue_comment event
participant ClaudeRebase as claude-rebase job
participant Validation as GH_PAT_WORKFLOWS validation
participant Checkout as actions/checkout
participant Claude as anthropics/claude-code-action
participant GitOps as git operations
participant Summary as summary comment
PR->>AutoRebase: merge/rebase triggered
AutoRebase->>GitMerge: attempt merge
GitMerge-->>AutoRebase: 422 Conflict
AutoRebase->>GitHubAPI: delete prior <!-- auto-rebase-conflict -->
GitHubAPI-->>AutoRebase: deleted
AutoRebase->>GitHubAPI: post new <!-- auto-rebase-conflict --> (body varies by HAS_PAT)
GitHubAPI-->>IssueEvent: fires issue_comment
IssueEvent->>ClaudeRebase: trigger (comment contains sentinel)
ClaudeRebase->>Validation: validate GH_PAT_WORKFLOWS
ClaudeRebase->>Checkout: checkout with full history
ClaudeRebase->>Claude: run rebase/conflict resolution prompt
Claude->>GitOps: rebase onto base, resolve conflicts (including uses: pin resolution via API)
alt Success
GitOps-->>Claude: conflicts resolved
Claude->>GitOps: force-push rebased branch
GitOps-->>Summary: push complete
Summary->>Summary: post success summary
else Failure
GitOps-->>Claude: unresolvable conflicts
Claude->>GitOps: abort rebase
GitOps-->>Summary: aborted
Summary->>Summary: post failure instructions
end
Estimated Code Review Effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly Related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
CI is passing (CodeQL still analyzing). @petry-projects/org-leads — this PR is ready for review and merge. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 62c7976405
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
Adds an agentic fallback path for merge-conflict situations encountered by the org’s auto-rebase workflow by triggering a new Claude job from an idempotent conflict sentinel comment.
Changes:
- Update auto-rebase conflict comment text to indicate Claude will attempt an automatic resolution (using the existing
<!-- auto-rebase-conflict -->sentinel). - Add a new
claude-rebasejob toclaude-code-reusable.ymlthat triggers on the sentinel comment fromgithub-actions[bot]and instructs Claude to rebase, resolve conflicts, push, and summarize.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/claude-code-reusable.yml | Adds claude-rebase automation job triggered by the conflict sentinel comment to attempt an agentic rebase + conflict resolution. |
| .github/workflows/auto-rebase-reusable.yml | Updates the posted 422/merge-conflict PR comment to announce the Claude fallback and provides updated manual steps. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/auto-rebase-reusable.yml:
- Around line 125-136: The conflict comment always promises an automatic Claude
rebase; modify the logic that builds and posts CONFLICT_BODY so it checks the
GH_PAT_WORKFLOWS environment flag before claiming automation — if
GH_PAT_WORKFLOWS is unset, either omit the sentence "Claude will attempt to
resolve this automatically" and instead state that only manual resolution is
available, or skip posting the sentinel entirely; update the branch that invokes
gh pr comment "$PR_NUMBER" --repo "$REPO" --body "$CONFLICT_BODY" to use the
adjusted CONFLICT_BODY (or not run) based on GH_PAT_WORKFLOWS.
In @.github/workflows/claude-code-reusable.yml:
- Around line 426-431: The workflow conflict resolution currently accepts the
“newer” `uses:` pin without verifying tag/branch → SHA mapping; update the
action-pin conflict branch in the YAML so that before choosing `git checkout
--ours -- <file>` or `git checkout --theirs -- <file>` the agent performs a
GitHub API lookup (using gh api repos/{owner}/{repo}/git/refs/tags/{tag} and
/branches/{branch}) to resolve tags/branches to SHAs, compare the resolved SHAs
to determine which is actually newer, and only then apply the appropriate
checkout decision for `uses:` lines; ensure SHA-vs-SHA comparisons never rely on
guessing and always use the API lookup.
- Around line 352-356: The current workflow if-condition rejects comments
authored by a PAT because it hardcodes github.event.comment.user.login ==
'github-actions[bot]'; remove that login equality check and rely solely on the
sentinel comment text (the contains(github.event.comment.body, '<!--
auto-rebase-conflict -->') check) or broaden the check to accept both
'github-actions[bot]' and the PAT owner; update the conditional that currently
references github.event.comment.user.login so PAT-authored comments (when
GH_PAT_WORKFLOWS is used) will trigger the rebase workflow.
In `@standards/ci-standards.md`:
- Around line 524-526: Lines describing the sentinel and secrets exceed
configured max line length causing markdownlint MD013 failures; wrap or reflow
those long sentences in the paragraph referencing the sentinel `<!--
auto-rebase-conflict -->`, the job `claude-rebase` in
`claude-code-reusable.yml`, the tokens `GITHUB_TOKEN` and `GH_PAT_WORKFLOWS`,
and the `dependabot-rebase.yml` exclusion so each line falls under the max
length—e.g., split the long sentence about GH_PAT_WORKFLOWS and the sentinel
behavior into two or more shorter sentences and/or break after commas to keep
each line within the markdownlint limit.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 1a785f04-1246-41aa-962a-0a6b4a5a9f16
📒 Files selected for processing (3)
.github/workflows/auto-rebase-reusable.yml.github/workflows/claude-code-reusable.ymlstandards/ci-standards.md
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 89c0c310ad
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- Remove user.login == 'github-actions[bot]' check from claude-rebase
trigger — PAT-authenticated comments are authored by the PAT owner,
not 'github-actions[bot]', so that check always blocks the job when
the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
manual-only message instead of falsely promising Claude will rebase.
Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
choosing which action pin is newer; abort if version is unresolvable.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/auto-rebase-reusable.yml:
- Around line 111-142: The current logic always deletes and reposts the SENTINEL
("<!-- auto-rebase-conflict -->") which cancels in-progress claude-rebase runs;
change it to only delete+repost when the conflict signature changes by embedding
the base-branch head SHA in the sentinel (e.g., "<!-- auto-rebase-conflict:SHA
-->") and comparing it to the current BASE_BRANCH head before deleting;
specifically, obtain the current BASE_BRANCH head SHA (via gh api or git
ls-remote), update how OLD_COMMENT_IDS and sentinel matching work to search
for/parse sentinels with a SHA, skip deleting/posting if an unresolved sentinel
with the same SHA already exists, and only delete+post when the SHA differs
(alternatively, make the concurrency setting change to cancel-in-progress: false
if you prefer queuing over skipping).
In @.github/workflows/claude-code-reusable.yml:
- Around line 442-444: Replace the permissive guidance in the "All other files:"
block (the sentence "Attempt a sensible merge of both sides if the intent is
clear.") with a strict rule to always abort on application-code conflicts and
post the failure comment; specifically: treat any conflict outside the
`.github/workflows/` directory as application-code and run `git rebase --abort`
immediately, do not attempt to merge or guess intent, and ensure the bot posts
the failure comment instructing manual human review instead of proceeding.
- Around line 350-358: The workflow's claude-rebase job currently triggers on
any issue_comment containing '<!-- auto-rebase-conflict -->', allowing untrusted
users to invoke a PAT-backed run; update the job's if condition to also require
the comment author to be trusted by checking
github.event.comment.author_association is one of OWNER, MEMBER, or COLLABORATOR
(e.g. add "&& contains('OWNER,MEMBER,COLLABORATOR',
github.event.comment.author_association)" or explicit equality checks) so that
claude-rebase only runs for trusted authors, keeping the sentinel check ('<!--
auto-rebase-conflict -->') intact.
- Around line 359-361: The workflow concurrency block uses cancel-in-progress:
true which causes newly posted sentinel issue_comment events to evict in-flight
claude-rebase jobs; update the concurrency setting so that cancel-in-progress is
false (leave the group: claude-rebase-${{ github.event.issue.number }}
unchanged) so a freshly posted sentinel queues behind an active rebase rather
than aborting it.
- Around line 426-440: Update the two gh api calls used to resolve tag/branch
SHAs: for the tag resolution call (currently using "gh api
repos/{owner}/{repo}/git/refs/tags/{tag}") add the output filter to extract the
tag object SHA ("--jq '.object.sha'"), and replace the branch call ("gh api
repos/{owner}/{repo}/git/ref/heads/{branch}") with the canonical branches
endpoint ("gh api repos/{owner}/{repo}/branches/{branch}") and add the output
filter to extract the commit SHA ("--jq '.commit.sha'"); keep the descriptive
comments but standardize the endpoints and --jq selectors to match the
documented patterns.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: ea36f09f-b4e1-4836-a31d-4604f366ed44
📒 Files selected for processing (3)
.github/workflows/auto-rebase-reusable.yml.github/workflows/claude-code-reusable.ymlstandards/ci-standards.md
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: da34df4cee
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- Add author_association trust gate to claude-rebase trigger; only
OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
preventing spurious cancellation of in-flight claude-rebase runs on
active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
freshly-posted sentinel queues behind a running rebase rather than
aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
with --jq '.object.sha' for tags and /branches/{branch} with
--jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
for tag pins and commit-date comparison (via /git/commits/{sha}) for
SHA pins.
- Tighten 'All other files' conflict rule: always abort on
application-code conflicts; never attempt to merge by intent.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: cd1016f2f632f30e7aa84fc95b99ae79fc416f8c
Review mode: triage-approved (single reviewer)
Summary
Adds an agentic fallback to the org's auto-rebase flow: when auto-rebase-reusable.yml hits a 422 merge conflict it now posts a sentinel comment (with the base HEAD SHA embedded) that fires a new claude-rebase job in claude-code-reusable.yml. The job checks out the PR branch with GH_PAT_WORKFLOWS, asks Claude to rebase onto the base branch (preferring newer action pins on YAML conflicts, aborting on application-code conflicts), and posts a summary or failure comment.
Confirming the triage tier's low-risk assessment — the security gates are correct and CI is fully green.
Linked issue analysis
Closes #279 (feat(auto-rebase): assign conflicting PRs to Claude for agentic rebase). All acceptance criteria are addressed:
- ✅ Conflicting PR gets a comment noting Claude will handle it (
auto-rebase-reusable.ymlupdated body). - ✅
claude-rebasejob fires on the sentinel and rebases resolvable branches. - ✅ Application-code conflicts →
git rebase --abort+ clear failure comment with manual steps (step 7b in the prompt). - ✅ No infinite loops — sentinel embeds
BASE_SHAso a repost only happens when the base has actually moved; thecancel-in-progress: falseconcurrency group prevents stomping in-flight runs.
Findings
Security gates (verified):
claude-rebaseif:restricts trigger toauthor_association∈ {OWNER, MEMBER, COLLABORATOR} plus sentinel-substring match — drive-byCONTRIBUTOR/NONEcommenters cannot fire it.- Both actions are SHA-pinned:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd(v6.0.2) andanthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416(v1.0.119). --allowedToolsis a narrow allowlist (gh pr checkout,gh pr view,gh pr comment,gh api,git*,Edit,Write) — noBash(*:*)orWebFetch.- Push uses
--force-with-lease. - Prompt interpolates only
${{ github.event.issue.number }}(numeric) — no attacker-controlled title/branch/body strings injected into shell context. - Pre-flight step fails fast (
exit 1) whenGH_PAT_WORKFLOWSis absent, with a clear error message.
Auto-rebase sentinel logic:
BASE_SHA=$(gh api .../git/ref/heads/$BASE_BRANCH ...)and stale-sentinel deletion both operate on values that are either SHAs or numericdatabaseIds extracted viajq— safe underbash -eand quoting.- Stale-sentinel deletion uses
|| trueto tolerate already-deleted comments without aborting the loop.
Standards doc: standards/ci-standards.md updated to document the new sentinel behavior and the GH_PAT_WORKFLOWS requirement (matches the workflow header comment).
No blocking issues. The earlier CodeRabbit change-request rounds were addressed across the 7 commits; CodeRabbit's final review is APPROVED.
CI status
All required checks green (or appropriately skipped):
- ✅ AgentShield, Agent Security Scan, Secret scan (gitleaks), CodeQL (actions), SonarCloud, ShellCheck, Lint, claude-code, Detect ecosystems, CodeRabbit
- ⏭ Skipped (no matching ecosystem/event): npm/pnpm/pip/cargo audit, govulncheck, dependabot-automerge, claude-{fix-review-comments,ci-fix,issue}
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icts (#281) * feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts When auto-rebase encounters a 422 merge conflict, it now posts a comment noting that Claude will attempt resolution automatically. The new claude-rebase job in claude-code-reusable.yml watches for that sentinel comment and runs Claude Code to check out the branch, rebase onto main, resolve conflicts (preferring newer action pins for workflow files, aborting on ambiguous application-code conflicts), push, and post a summary. Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation. Closes #279 Co-authored-by: Don Petry <don-petry@users.noreply.github.com> * fix: address review comments on PR #281 - P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml workflow_call and use it for GH_TOKEN so sentinel comments are posted with a PAT, enabling issue_comment events to trigger claude-rebase - P2: fix reversed --ours/--theirs in rebase prompt (during git rebase, --ours = base branch being rebased onto, --theirs = PR branch work) - P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step that fails fast if not set; remove || github.token fallback so pushes always use the PAT and trigger CI) - P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a new issue_comment event always fires on repeat conflicts - P5: change fetch-depth from 1 to 0 for full history needed by rebase - P6: fetch specific base ref (git fetch origin <baseRefName>) rather than a bare 'git fetch origin' before rebasing - P7: update standards/ci-standards.md §8 to reflect Claude automatic rebase behavior and clarify GH_PAT_WORKFLOWS requirement Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(lint): wrap long lines in ci-standards.md §8 MD013 line-length limit is 200 chars; wrap the new bullet 4 and Secrets paragraph to stay within it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address new review comments and yamllint failure - Remove user.login == 'github-actions[bot]' check from claude-rebase trigger — PAT-authenticated comments are authored by the PAT owner, not 'github-actions[bot]', so that check always blocks the job when the PAT is configured. Rely on the sentinel text alone. - Shorten ::error:: message in Verify step to fix yamllint line-length violation (was 260 chars, now under 200). - Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a manual-only message instead of falsely promising Claude will rebase. Add HAS_PAT env var to carry the PAT-presence flag into the script. - Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before choosing which action pin is newer; abort if version is unresolvable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: address CodeRabbit and codex review comments (round 3) - Add author_association trust gate to claude-rebase trigger; only OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job, preventing untrusted users from invoking a PAT-backed run. - Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base HEAD SHA) and skip delete+repost when the same SHA sentinel exists, preventing spurious cancellation of in-flight claude-rebase runs on active-main repos. - Switch claude-rebase concurrency to cancel-in-progress: false so a freshly-posted sentinel queues behind a running rebase rather than aborting it. - Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag} with --jq '.object.sha' for tags and /branches/{branch} with --jq '.commit.sha' for branches. - Replace invalid SHA-based version comparison with semver comparison for tag pins and commit-date comparison (via /git/commits/{sha}) for SHA pins. - Tighten 'All other files' conflict rule: always abort on application-code conflicts; never attempt to merge by intent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>



Summary
auto-rebase-reusable.yml: Updates the conflict comment to note that Claude will attempt an automatic rebase, instead of asking the author to resolve manually.claude-code-reusable.yml: Adds a newclaude-rebasejob that fires onissue_commentevents where the commenter isgithub-actions[bot]and the body contains<!-- auto-rebase-conflict -->. Claude checks out the PR branch, rebases onto the base branch, resolves conflicts (preferring newer action pins for workflow YAML, aborting on ambiguous application-code conflicts), pushes, and posts a summary.How it works
<!-- auto-rebase-conflict -->sentinel comment (updated to say Claude will handle it).claude-rebasejob inclaude-code-reusable.ymlfires on that comment.claude-rebasefires exactly once per conflict situation.Acceptance criteria addressed
claude-rebasejob fires and successfully rebases branches where conflicts are resolvableCloses #279
Generated with Claude Code
Summary by CodeRabbit
New Features
Improvements
Documentation