25 changes: 25 additions & 0 deletions .claude/rules/ci-git-push.md
@@ -0,0 +1,25 @@
---
description: Git push rules for CI environments (GitHub Actions workflows)
globs:
alwaysApply: true
---

# Git Push in CI

When running inside GitHub Actions (the `CI` or `GITHUB_ACTIONS` environment variable is set):

1. **NEVER modify the git remote URL.** The `actions/checkout` step configures credentials via `persist-credentials: true`. Running `git remote set-url` destroys this configuration.

2. **NEVER embed tokens in URLs.** Do not use `https://x-access-token:$TOKEN@github.com/...` as a remote URL. The credential helper is already configured.

3. **Just push directly.** Use `git push origin <branch>` — authentication is handled automatically by the credential helper that `actions/checkout` configured.

4. **If a push times out, retry with a longer timeout** (e.g., `timeout 300`). Do not assume a timeout is an authentication failure.

5. **If a push genuinely fails with an auth error**, reconfigure the credential helper using `$PUSH_TOKEN` (not `$GH_TOKEN`):
```
git config --local credential.helper '!f() { echo "username=x-access-token"; echo "password=$PUSH_TOKEN"; }; f'
```
`$PUSH_TOKEN` is the correct token for the PR's fork. `$GH_TOKEN` only has access to the upstream repo.

6. **Use `$PR_BRANCH` for the branch name** when pushing — it is set by the workflow.
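Review bot: the credential helper in step 5 hands out `$PUSH_TOKEN` for every credential request, because the function never reads the `protocol=`/`host=` lines git writes to its stdin; any non-GitHub remote contacted later in the job would be sent the same token. Suggest having the helper read stdin and emit a password only when the host is github.com, and adding one sentence stating that the single quotes around the helper value are deliberate: what lands in `.git/config` refers to `$PUSH_TOKEN` by name, so the token itself is never persisted, which is what keeps this step consistent with rule 2. Minor: the fenced block in step 5 has no language tag; `bash` would match the `run:` shell it is meant for.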
10 changes: 10 additions & 0 deletions .github/workflows/reusable-claude-on-pr.yaml
@@ -80,6 +80,13 @@ jobs:
persist-credentials: true
fetch-depth: 0

- name: Verify push credentials
run: |
echo "Remote URL: $(git remote get-url origin)"
echo "Credential helper configured by checkout — testing ls-remote..."
git ls-remote --exit-code origin HEAD > /dev/null 2>&1
echo "Push credentials verified."
Comment on lines +83 to +88

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Verify push authorization, not just fetch authorization

Line 87 uses git ls-remote, which only checks read access, so this can pass while later git push still fails (the exact failure mode this PR targets). Also, redirecting stderr to /dev/null removes useful failure diagnostics.

Suggested fix
       - name: Verify push credentials
         run: |
           echo "Remote URL: $(git remote get-url origin)"
-          echo "Credential helper configured by checkout — testing ls-remote..."
-          git ls-remote --exit-code origin HEAD > /dev/null 2>&1
+          echo "Credential helper configured by checkout — testing push authorization (dry-run)..."
+          git push --dry-run origin "HEAD:${{ steps.pr.outputs.branch }}"
           echo "Push credentials verified."
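Review bot: the suggested `git push --dry-run origin "HEAD:${{ steps.pr.outputs.branch }}"` interpolates a PR-derived branch name directly into the `run:` script text, so a branch name containing shell metacharacters would be executed on the runner. The workflow already exposes the same value as `PR_BRANCH` in the env block of the later hunk; pass it through `env:` on this step and write `git push --dry-run origin "HEAD:$PR_BRANCH"` instead. The dry-run itself is the right probe, since it exercises the write path that the `ls-remote` check does not.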
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/reusable-claude-on-pr.yaml around lines 83 - 88, The
“Verify push credentials” step only validates read access via git ls-remote in
the workflow, so it can succeed even when later git push fails; update this
check in the reusable-claude-on-pr workflow to verify actual push authorization
using the same origin remote, and keep stderr visible so failures provide
diagnostics. Use the existing “Verify push credentials” step and its git
remote/origin setup to replace the read-only probe with a push-oriented
validation.


- name: Authenticate to GCP via WIF
id: gcp-auth
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
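Review bot: the probe `git ls-remote --exit-code origin HEAD` checks read access on `origin` with whatever credentials `actions/checkout` persisted, which is not the path the push will take: the rule file added in this PR says a push may need a reconfigured helper using `$PUSH_TOKEN` and targets `$PR_BRANCH` on the PR's fork, and none of that is exercised here, so the step can print "Push credentials verified." while the later push is still rejected. A write-path probe against the branch that will actually be pushed, with stderr left visible instead of `> /dev/null 2>&1`, would make the check meaningful; failing that, rename the step to "Verify fetch credentials" so the log does not overstate what was checked.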
@@ -114,6 +121,9 @@ jobs:
ANTHROPIC_VERTEX_PROJECT_ID: hosted-control-planes
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
PR_NUMBER: ${{ github.event.issue.number }}
PR_REPO: ${{ steps.pr.outputs.repo }}
PR_BRANCH: ${{ steps.pr.outputs.branch }}
PUSH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
CLAUDE_PROMPT: ${{ inputs.claude-prompt }}
MAX_TURNS: ${{ inputs.max-turns }}
ALLOWED_TOOLS: ${{ inputs.allowed-tools }}
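Review bot: `PUSH_TOKEN` and `GH_TOKEN` are set to the identical expression `${{ steps.app-token.outputs.token || github.token }}`, yet the rule file in this PR tells the agent that `$PUSH_TOKEN` is the fork's token and `$GH_TOKEN` only has upstream access; one of the two is wrong, and as written reconfiguring the helper with `$PUSH_TOKEN` changes nothing. Either wire a token minted for `PR_REPO` into `PUSH_TOKEN` or correct the rule file. Since this env block is the agent's environment (`CLAUDE_PROMPT`, `ALLOWED_TOOLS` and `MAX_TURNS` sit beside it), a token with push rights should be scoped to the PR branch only, and the `|| github.token` fallback deserves a comment, because it silently swaps the credential whenever the app-token step yields nothing.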