Skip to content

feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts#281

Merged
donpetry-bot merged 7 commits into
mainfrom
claude/issue-279-20260513-1728
May 14, 2026
Merged

feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts#281
donpetry-bot merged 7 commits into
mainfrom
claude/issue-279-20260513-1728

Conversation

@don-petry

@don-petry don-petry commented May 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • auto-rebase-reusable.yml: Updates the conflict comment to note that Claude will attempt an automatic rebase, instead of asking the author to resolve manually.
  • claude-code-reusable.yml: Adds a new claude-rebase job that fires on issue_comment events where the commenter is github-actions[bot] and the body contains <!-- auto-rebase-conflict -->. Claude checks out the PR branch, rebases onto the base branch, resolves conflicts (preferring newer action pins for workflow YAML, aborting on ambiguous application-code conflicts), pushes, and posts a summary.

How it works

  1. Auto-rebase hits a 422 merge conflict → posts the idempotent <!-- auto-rebase-conflict --> sentinel comment (updated to say Claude will handle it).
  2. The claude-rebase job in claude-code-reusable.yml fires on that comment.
  3. Claude rebases, resolves conflicts per the strategy in the prompt, and pushes or aborts with a clear explanation.
  4. Idempotency: the sentinel prevents the conflict comment from being re-posted, so claude-rebase fires exactly once per conflict situation.

Acceptance criteria addressed

  • A PR with a merge conflict gets a comment from auto-rebase noting Claude will handle it
  • The claude-rebase job fires and successfully rebases branches where conflicts are resolvable
  • For unresolvable conflicts, Claude posts a clear explanation and aborts cleanly
  • No infinite loops: the idempotency sentinel prevents retriggering after Claude's push

Closes #279

Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Comment-triggered automated PR rebase job that attempts to resolve merge conflicts and reports results on the PR.
  • Improvements

    • Optional personal access token support to enable full automated rebasing; when absent, guidance directs manual resolution.
    • Conflict handling now posts a fresh resolution comment each time and reports which files were resolved or need manual fixes.
  • Documentation

    • Updated CI documentation describing the auto-rebase conflict workflow and authentication requirements.

Review Change Stack

…icts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 13, 2026 17:33
@don-petry don-petry requested a review from a team as a code owner May 13, 2026 17:33
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented May 13, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes and 25 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9e2e5f31-655b-4fcb-9da2-70d8cf7eb5e5

📥 Commits

Reviewing files that changed from the base of the PR and between da34df4 and cd1016f.

📒 Files selected for processing (2)
  • .github/workflows/auto-rebase-reusable.yml
  • .github/workflows/claude-code-reusable.yml
📝 Walkthrough

Walkthrough

Adds an optional GH_PAT_WORKFLOWS secret and changes auto-rebase to delete-and-repost a <!-- auto-rebase-conflict --> sentinel on merge conflicts; a new claude-rebase job (requires the PAT) is added to rebase and attempt automatic conflict resolution, with updated docs describing the flow.

Changes

Agentic Auto-Rebase with Claude Conflict Resolution

Layer / File(s) Summary
Authentication secret and fallback
.github/workflows/auto-rebase-reusable.yml
Declares optional GH_PAT_WORKFLOWS on workflow_call and wires step env to set GH_TOKEN to the PAT when present, exposing HAS_PAT for conditional messaging.
Conflict detection and sentinel triggering
.github/workflows/auto-rebase-reusable.yml
On merge conflict, delete any prior <!-- auto-rebase-conflict --> comments and post a fresh sentinel comment each time; comment body differs when HAS_PAT is true versus false.
Claude-rebase job implementation
.github/workflows/claude-code-reusable.yml
Adds claude-rebase job triggered by issue_comment containing the sentinel; requires GH_PAT_WORKFLOWS, checks out with full history, runs anthropics/claude-code-action with PAT-backed github_token to rebase and resolve conflicts (including uses: pin resolution), force-pushes on success, and posts success/failure comments.
Integration documentation
standards/ci-standards.md
Updates guidance to require deleting/reposting the sentinel to trigger claude-rebase, documents that GH_PAT_WORKFLOWS is required to fire the issue_comment workflow, and explains fallback behavior.

Sequence Diagrams

sequenceDiagram
  participant PR as PR update event
  participant AutoRebase as auto-rebase-reusable.yml
  participant GitMerge as git merge/rebase
  participant GitHubAPI as GitHub issue comment API
  participant IssueEvent as issue_comment event
  participant ClaudeRebase as claude-rebase job
  participant Validation as GH_PAT_WORKFLOWS validation
  participant Checkout as actions/checkout
  participant Claude as anthropics/claude-code-action
  participant GitOps as git operations
  participant Summary as summary comment

  PR->>AutoRebase: merge/rebase triggered
  AutoRebase->>GitMerge: attempt merge
  GitMerge-->>AutoRebase: 422 Conflict
  AutoRebase->>GitHubAPI: delete prior <!-- auto-rebase-conflict -->
  GitHubAPI-->>AutoRebase: deleted
  AutoRebase->>GitHubAPI: post new <!-- auto-rebase-conflict --> (body varies by HAS_PAT)
  GitHubAPI-->>IssueEvent: fires issue_comment
  IssueEvent->>ClaudeRebase: trigger (comment contains sentinel)
  ClaudeRebase->>Validation: validate GH_PAT_WORKFLOWS
  ClaudeRebase->>Checkout: checkout with full history
  ClaudeRebase->>Claude: run rebase/conflict resolution prompt
  Claude->>GitOps: rebase onto base, resolve conflicts (including uses: pin resolution via API)
  alt Success
    GitOps-->>Claude: conflicts resolved
    Claude->>GitOps: force-push rebased branch
    GitOps-->>Summary: push complete
    Summary->>Summary: post success summary
  else Failure
    GitOps-->>Claude: unresolvable conflicts
    Claude->>GitOps: abort rebase
    GitOps-->>Summary: aborted
    Summary->>Summary: post failure instructions
  end
Loading

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly Related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding Claude as an agentic fallback for automated conflict resolution in merge-conflict scenarios.
Linked Issues check ✅ Passed All coding objectives from issue #279 are met: sentinel comment posted on conflicts, claude-rebase job triggers on issue_comment with sentinel, rebase and conflict resolution implemented with intelligent strategies, and idempotency preserved.
Out of Scope Changes check ✅ Passed All changes are scoped to implementing the agentic rebase fallback: workflow updates, new job implementation, and documentation updates directly support the stated objectives.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-279-20260513-1728

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

  • Generate code and open pull requests
  • Plan features and break down work
  • Investigate incidents and troubleshoot customer tickets together
  • Automate recurring tasks and respond to alerts with triggers
  • Summarize progress and report instantly

Built for teams:

  • Shared memory across your entire org—no repeating context
  • Per-thread sandboxes to safely plan and execute work
  • Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Contributor Author

CI is passing (CodeQL still analyzing). @petry-projects/org-leads — this PR is ready for review and merge.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 62c7976405

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/auto-rebase-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/auto-rebase-reusable.yml Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an agentic fallback path for merge-conflict situations encountered by the org’s auto-rebase workflow by triggering a new Claude job from an idempotent conflict sentinel comment.

Changes:

  • Update auto-rebase conflict comment text to indicate Claude will attempt an automatic resolution (using the existing <!-- auto-rebase-conflict --> sentinel).
  • Add a new claude-rebase job to claude-code-reusable.yml that triggers on the sentinel comment from github-actions[bot] and instructs Claude to rebase, resolve conflicts, push, and summarize.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/claude-code-reusable.yml Adds claude-rebase automation job triggered by the conflict sentinel comment to attempt an agentic rebase + conflict resolution.
.github/workflows/auto-rebase-reusable.yml Updates the posted 422/merge-conflict PR comment to announce the Claude fallback and provides updated manual steps.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/auto-rebase-reusable.yml
This was referenced May 13, 2026
github-actions Bot and others added 3 commits May 13, 2026 22:59
- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-rebase-reusable.yml:
- Around line 125-136: The conflict comment always promises an automatic Claude
rebase; modify the logic that builds and posts CONFLICT_BODY so it checks the
GH_PAT_WORKFLOWS environment flag before claiming automation — if
GH_PAT_WORKFLOWS is unset, either omit the sentence "Claude will attempt to
resolve this automatically" and instead state that only manual resolution is
available, or skip posting the sentinel entirely; update the branch that invokes
gh pr comment "$PR_NUMBER" --repo "$REPO" --body "$CONFLICT_BODY" to use the
adjusted CONFLICT_BODY (or not run) based on GH_PAT_WORKFLOWS.

In @.github/workflows/claude-code-reusable.yml:
- Around line 426-431: The workflow conflict resolution currently accepts the
“newer” `uses:` pin without verifying tag/branch → SHA mapping; update the
action-pin conflict branch in the YAML so that before choosing `git checkout
--ours -- <file>` or `git checkout --theirs -- <file>` the agent performs a
GitHub API lookup (using gh api repos/{owner}/{repo}/git/refs/tags/{tag} and
/branches/{branch}) to resolve tags/branches to SHAs, compare the resolved SHAs
to determine which is actually newer, and only then apply the appropriate
checkout decision for `uses:` lines; ensure SHA-vs-SHA comparisons never rely on
guessing and always use the API lookup.
- Around line 352-356: The current workflow if-condition rejects comments
authored by a PAT because it hardcodes github.event.comment.user.login ==
'github-actions[bot]'; remove that login equality check and rely solely on the
sentinel comment text (the contains(github.event.comment.body, '<!--
auto-rebase-conflict -->') check) or broaden the check to accept both
'github-actions[bot]' and the PAT owner; update the conditional that currently
references github.event.comment.user.login so PAT-authored comments (when
GH_PAT_WORKFLOWS is used) will trigger the rebase workflow.

In `@standards/ci-standards.md`:
- Around line 524-526: Lines describing the sentinel and secrets exceed
configured max line length causing markdownlint MD013 failures; wrap or reflow
those long sentences in the paragraph referencing the sentinel `<!--
auto-rebase-conflict -->`, the job `claude-rebase` in
`claude-code-reusable.yml`, the tokens `GITHUB_TOKEN` and `GH_PAT_WORKFLOWS`,
and the `dependabot-rebase.yml` exclusion so each line falls under the max
length—e.g., split the long sentence about GH_PAT_WORKFLOWS and the sentinel
behavior into two or more shorter sentences and/or break after commas to keep
each line within the markdownlint limit.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1a785f04-1246-41aa-962a-0a6b4a5a9f16

📥 Commits

Reviewing files that changed from the base of the PR and between 6f46503 and 624baf8.

📒 Files selected for processing (3)
  • .github/workflows/auto-rebase-reusable.yml
  • .github/workflows/claude-code-reusable.yml
  • standards/ci-standards.md

Comment thread .github/workflows/auto-rebase-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml
Comment thread standards/ci-standards.md Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 89c0c310ad

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/claude-code-reusable.yml Outdated
- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-rebase-reusable.yml:
- Around line 111-142: The current logic always deletes and reposts the SENTINEL
("<!-- auto-rebase-conflict -->") which cancels in-progress claude-rebase runs;
change it to only delete+repost when the conflict signature changes by embedding
the base-branch head SHA in the sentinel (e.g., "<!-- auto-rebase-conflict:SHA
-->") and comparing it to the current BASE_BRANCH head before deleting;
specifically, obtain the current BASE_BRANCH head SHA (via gh api or git
ls-remote), update how OLD_COMMENT_IDS and sentinel matching work to search
for/parse sentinels with a SHA, skip deleting/posting if an unresolved sentinel
with the same SHA already exists, and only delete+post when the SHA differs
(alternatively, make the concurrency setting change to cancel-in-progress: false
if you prefer queuing over skipping).

In @.github/workflows/claude-code-reusable.yml:
- Around line 442-444: Replace the permissive guidance in the "All other files:"
block (the sentence "Attempt a sensible merge of both sides if the intent is
clear.") with a strict rule to always abort on application-code conflicts and
post the failure comment; specifically: treat any conflict outside the
`.github/workflows/` directory as application-code and run `git rebase --abort`
immediately, do not attempt to merge or guess intent, and ensure the bot posts
the failure comment instructing manual human review instead of proceeding.
- Around line 350-358: The workflow's claude-rebase job currently triggers on
any issue_comment containing '<!-- auto-rebase-conflict -->', allowing untrusted
users to invoke a PAT-backed run; update the job's if condition to also require
the comment author to be trusted by checking
github.event.comment.author_association is one of OWNER, MEMBER, or COLLABORATOR
(e.g. add "&& contains('OWNER,MEMBER,COLLABORATOR',
github.event.comment.author_association)" or explicit equality checks) so that
claude-rebase only runs for trusted authors, keeping the sentinel check ('<!--
auto-rebase-conflict -->') intact.
- Around line 359-361: The workflow concurrency block uses cancel-in-progress:
true which causes newly posted sentinel issue_comment events to evict in-flight
claude-rebase jobs; update the concurrency setting so that cancel-in-progress is
false (leave the group: claude-rebase-${{ github.event.issue.number }}
unchanged) so a freshly posted sentinel queues behind an active rebase rather
than aborting it.
- Around line 426-440: Update the two gh api calls used to resolve tag/branch
SHAs: for the tag resolution call (currently using "gh api
repos/{owner}/{repo}/git/refs/tags/{tag}") add the output filter to extract the
tag object SHA ("--jq '.object.sha'"), and replace the branch call ("gh api
repos/{owner}/{repo}/git/ref/heads/{branch}") with the canonical branches
endpoint ("gh api repos/{owner}/{repo}/branches/{branch}") and add the output
filter to extract the commit SHA ("--jq '.commit.sha'"); keep the descriptive
comments but standardize the endpoints and --jq selectors to match the
documented patterns.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ea36f09f-b4e1-4836-a31d-4604f366ed44

📥 Commits

Reviewing files that changed from the base of the PR and between 624baf8 and da34df4.

📒 Files selected for processing (3)
  • .github/workflows/auto-rebase-reusable.yml
  • .github/workflows/claude-code-reusable.yml
  • standards/ci-standards.md

Comment thread .github/workflows/auto-rebase-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml
Comment thread .github/workflows/claude-code-reusable.yml Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: da34df4cee

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
Comment thread .github/workflows/claude-code-reusable.yml Outdated
- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sonarqubecloud

Copy link
Copy Markdown

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: cd1016f2f632f30e7aa84fc95b99ae79fc416f8c
Review mode: triage-approved (single reviewer)

Summary

Adds an agentic fallback to the org's auto-rebase flow: when auto-rebase-reusable.yml hits a 422 merge conflict it now posts a sentinel comment (with the base HEAD SHA embedded) that fires a new claude-rebase job in claude-code-reusable.yml. The job checks out the PR branch with GH_PAT_WORKFLOWS, asks Claude to rebase onto the base branch (preferring newer action pins on YAML conflicts, aborting on application-code conflicts), and posts a summary or failure comment.

Confirming the triage tier's low-risk assessment — the security gates are correct and CI is fully green.

Linked issue analysis

Closes #279 (feat(auto-rebase): assign conflicting PRs to Claude for agentic rebase). All acceptance criteria are addressed:

  • ✅ Conflicting PR gets a comment noting Claude will handle it (auto-rebase-reusable.yml updated body).
  • claude-rebase job fires on the sentinel and rebases resolvable branches.
  • ✅ Application-code conflicts → git rebase --abort + clear failure comment with manual steps (step 7b in the prompt).
  • ✅ No infinite loops — sentinel embeds BASE_SHA so a repost only happens when the base has actually moved; the cancel-in-progress: false concurrency group prevents stomping in-flight runs.

Findings

Security gates (verified):

  • claude-rebase if: restricts trigger to author_association ∈ {OWNER, MEMBER, COLLABORATOR} plus sentinel-substring match — drive-by CONTRIBUTOR/NONE commenters cannot fire it.
  • Both actions are SHA-pinned: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2) and anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 (v1.0.119).
  • --allowedTools is a narrow allowlist (gh pr checkout, gh pr view, gh pr comment, gh api, git*, Edit, Write) — no Bash(*:*) or WebFetch.
  • Push uses --force-with-lease.
  • Prompt interpolates only ${{ github.event.issue.number }} (numeric) — no attacker-controlled title/branch/body strings injected into shell context.
  • Pre-flight step fails fast (exit 1) when GH_PAT_WORKFLOWS is absent, with a clear error message.

Auto-rebase sentinel logic:

  • BASE_SHA=$(gh api .../git/ref/heads/$BASE_BRANCH ...) and stale-sentinel deletion both operate on values that are either SHAs or numeric databaseIds extracted via jq — safe under bash -e and quoting.
  • Stale-sentinel deletion uses || true to tolerate already-deleted comments without aborting the loop.

Standards doc: standards/ci-standards.md updated to document the new sentinel behavior and the GH_PAT_WORKFLOWS requirement (matches the workflow header comment).

No blocking issues. The earlier CodeRabbit change-request rounds were addressed across the 7 commits; CodeRabbit's final review is APPROVED.

CI status

All required checks green (or appropriately skipped):

  • ✅ AgentShield, Agent Security Scan, Secret scan (gitleaks), CodeQL (actions), SonarCloud, ShellCheck, Lint, claude-code, Detect ecosystems, CodeRabbit
  • ⏭ Skipped (no matching ecosystem/event): npm/pnpm/pip/cargo audit, govulncheck, dependabot-automerge, claude-{fix-review-comments,ci-fix,issue}

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@donpetry-bot donpetry-bot merged commit 865cf10 into main May 14, 2026
22 checks passed
@donpetry-bot donpetry-bot deleted the claude/issue-279-20260513-1728 branch May 14, 2026 15:12
don-petry added a commit that referenced this pull request Jun 8, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 8, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 8, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 8, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 8, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 8, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 10, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
…icts (#281)

* feat(auto-rebase): add claude-rebase agentic fallback for merge conflicts

When auto-rebase encounters a 422 merge conflict, it now posts a comment
noting that Claude will attempt resolution automatically. The new
claude-rebase job in claude-code-reusable.yml watches for that sentinel
comment and runs Claude Code to check out the branch, rebase onto main,
resolve conflicts (preferring newer action pins for workflow files, aborting
on ambiguous application-code conflicts), push, and post a summary.

Idempotency is preserved: the existing <!-- auto-rebase-conflict --> sentinel
prevents the conflict comment from being re-posted, so claude-rebase fires
exactly once per conflict situation.

Closes #279

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

* fix: address review comments on PR #281

- P1: add GH_PAT_WORKFLOWS optional secret to auto-rebase-reusable.yml
  workflow_call and use it for GH_TOKEN so sentinel comments are posted
  with a PAT, enabling issue_comment events to trigger claude-rebase
- P2: fix reversed --ours/--theirs in rebase prompt (during git rebase,
  --ours = base branch being rebased onto, --theirs = PR branch work)
- P3: require GH_PAT_WORKFLOWS for claude-rebase job (add pre-check step
  that fails fast if not set; remove || github.token fallback so pushes
  always use the PAT and trigger CI)
- P4: replace ALREADY_POSTED skip with delete-and-repost strategy so a
  new issue_comment event always fires on repeat conflicts
- P5: change fetch-depth from 1 to 0 for full history needed by rebase
- P6: fetch specific base ref (git fetch origin <baseRefName>) rather
  than a bare 'git fetch origin' before rebasing
- P7: update standards/ci-standards.md §8 to reflect Claude automatic
  rebase behavior and clarify GH_PAT_WORKFLOWS requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(lint): wrap long lines in ci-standards.md §8

MD013 line-length limit is 200 chars; wrap the new bullet 4 and
Secrets paragraph to stay within it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address new review comments and yamllint failure

- Remove user.login == 'github-actions[bot]' check from claude-rebase
  trigger — PAT-authenticated comments are authored by the PAT owner,
  not 'github-actions[bot]', so that check always blocks the job when
  the PAT is configured. Rely on the sentinel text alone.
- Shorten ::error:: message in Verify step to fix yamllint line-length
  violation (was 260 chars, now under 200).
- Conditional conflict message: when GH_PAT_WORKFLOWS is unset, post a
  manual-only message instead of falsely promising Claude will rebase.
  Add HAS_PAT env var to carry the PAT-presence flag into the script.
- Require GitHub API lookup (gh api .../git/refs/tags/{tag}) before
  choosing which action pin is newer; abort if version is unresolvable.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address CodeRabbit and codex review comments (round 3)

- Add author_association trust gate to claude-rebase trigger; only
  OWNER/MEMBER/COLLABORATOR comments with the sentinel can fire the job,
  preventing untrusted users from invoking a PAT-backed run.
- Change sentinel to '<!-- auto-rebase-conflict:SHA -->' (embed base
  HEAD SHA) and skip delete+repost when the same SHA sentinel exists,
  preventing spurious cancellation of in-flight claude-rebase runs on
  active-main repos.
- Switch claude-rebase concurrency to cancel-in-progress: false so a
  freshly-posted sentinel queues behind a running rebase rather than
  aborting it.
- Fix API lookup paths in prompt: use canonical GET /git/ref/tags/{tag}
  with --jq '.object.sha' for tags and /branches/{branch} with
  --jq '.commit.sha' for branches.
- Replace invalid SHA-based version comparison with semver comparison
  for tag pins and commit-date comparison (via /git/commits/{sha}) for
  SHA pins.
- Tighten 'All other files' conflict rule: always abort on
  application-code conflicts; never attempt to merge by intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(auto-rebase): assign conflicting PRs to Claude for agentic rebase

3 participants