Add PR Auto-Fix workflow: any failing PR → Claude fixes it (Layer 2)#60
Merged
Conversation
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Broadens the Renovate conflict resolver into a general 'failing PR -> Claude fixes it' workflow. Triggers on CI failure (workflow_run) and a scheduled conflict sweep. Hard trust gate (non-fork, allowlisted authors). Pushes only to the PR's own branch; folds in the auto-merge decision (stable dependency-bot PRs, gated on required checks). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fschrhunt
changed the title
…lure) The docker:// step produced startup_failure on every run since 2026-05-29, leaving the repo with no working workflow-lint gate. Switch to the documented download-actionlint.bash method, which also unblocks using this check as the required gate for PR auto-merge. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A reusable
pr-autofix.ymlthat, when a PR is failing — CI red and/or merge-conflicted — runs Claude Code to get it back to a healthy, mergeable, green state, then pushes to the PR's own branch. Generalizes the original Renovate-only conflict resolver per the broader goal: any failing (trusted) PR gets auto-fixed.Triggers (set by each repo's caller)
workflow_runon the repo's CI workflow completing withfailure→ fix that PR's checks.schedule→ sweep forCONFLICTINGPRs (conflicts have no CI event).workflow_dispatch→ manual.Security model (this auto-invokes an agent with a write token)
isCrossRepository == false) whose author is allowlisted (renovate[bot],dependabot[bot],fschrhunt— extendable viaallowed_authorsinput). Forks / unknown authors are ignored. CI-failure path also verifies the run's head repo == this repo.^[A-Za-z0-9._/-]+$first) — the agent literally cannot push tomain.run:reads viaenv:.Auto-merge (resolves the Option-3 decision / DEV-44)
A Renovate/Dependabot PR that this run makes mergeable and that's ≥
stability_days(default 3) old gets GitHub auto-merge enabled — but only if the base branch has a required status check. With none (website today), the step safely skips and logs why, because GitHub auto-merge would otherwise merge with no CI gate. Human PRs never auto-merge.Validation
ruby -ryamlparse +bash -non all three embedded scripts pass locally. actionlint runs in this repo's CI on the PR.Rollout
Pilot caller in
getnodus/website(separate PR). Merge this first — callers reference@main. To enable safe auto-merge on website, add a required status check onmain(its CI is currently advisory/none).🤖 Generated with Claude Code