feat(ci): add bot-comment dispatcher #123
Merged
The a-novel-side copy of the per-org bot-comment dispatcher (counterpart to a-novel-kit/stack#73). Derives org/App-id/owner from github.repository_owner and reads this org's AGENT_BOT_PRIVATE_KEY org secret; posts a PR/issue/review comment as the bot and nothing else. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
Adds an org-scoped GitHub Actions workflow dispatcher (bot-comment) to mint a GitHub App installation token for a single repo and post PR/issue/review comments as the org’s bot, driven via workflow_dispatch.
Changes:
- Introduces `.github/workflows/bot-comment.yaml` workflow with `workflow_dispatch` inputs for target repo/number/body/reply target/nonce.
- Validates inputs before minting an App token scoped to the target repository with comment-related permissions.
- Posts a comment (or an inline review reply) with a nonce marker to provide idempotency.
kushuh added a commit to a-novel-kit/stack that referenced this pull request on Jun 18, 2026
Addresses the Copilot review on a-novel/.github#123 (same workflow file): add a concurrency group keyed by repo/number/nonce so the idempotency check can't race two same-nonce runs into a double-post; add 'set -euo pipefail' to the validate step; and reword the header + README to state the token scope precisely — issues+pull_requests write rule out push/merge/release by permission, while not authoring/editing a PR is enforced by what the job does (comment then exit) on a protected-branch workflow, not by the token. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Concurrency group keyed by repo/number/nonce (idempotency can't race a double-post); 'set -euo pipefail' in the validate step; and a precise header re: token scope (issues+pull_requests write rule out push/merge by permission, not-authoring is enforced by what the job does). Keeps this copy identical to a-novel-kit/stack. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
kushuh added a commit to a-novel-kit/stack that referenced this pull request on Jun 18, 2026
* feat(cli): replace local bot tokens with a CI comment dispatcher

Posting as the org App bot no longer mints a token on a dev machine. `a-novel core bot-comment <org> <repo> <number> --body … [--reply-to <id>]` triggers a centralized `bot-comment` workflow_dispatch in this repo with the operator's own gh token; the workflow alone holds the App keys (Actions secrets), mints a comment-only scoped token, posts, and exits. The CLI correlates the run by a nonce in the run-name and waits synchronously (`gh run watch --exit-status`), surfacing the failed-step log on error.

Comment-only is now structural, not a deny-list: the dispatcher can only post a comment, so there is no local token to misuse and no bot path to push/merge/author a PR. Removes bot-token/bot-gh, the JWT/PEM machinery, and the local .secrets/*.pem requirement.

Handles top-level comments on PRs or issues, and --reply-to for PR review-thread replies (issues share one number space with PRs, so a number is never ambiguous). Routes every comment in the resolve-pr-feedback, open-pull-request, use-a-novel-cli and write-bash-scripts skills through bot-comment, and updates the READMEs to the no-local-key model.

Requires two repo Actions secrets (BOT_ANOVEL_KEY, BOT_ANOVELKIT_KEY) and actions:write for dispatchers; the workflow is dispatchable once it lands on master.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix: align bot-comment with per-org org secrets and harden inputs

The bot App key is now an org-level secret (AGENT_BOT_PRIVATE_KEY), one per org. Org secrets don't cross org boundaries, so a single dispatcher in a-novel-kit/stack can't read a-novel's key. Switch to one dispatcher per org: the workflow derives owner/App-id from github.repository_owner and reads its own org's AGENT_BOT_PRIVATE_KEY, and the CLI routes <org> to that org's dispatcher repo (a-novel-kit/stack, a-novel/.github).

Also addresses the Copilot review on #73: validate repo/reply_to/nonce in the workflow before minting and reject number 0/leading-zeros; validate --reply-to as a positive integer in the CLI; and read gh stdout separately from stderr (runGHOut) so progress/warning chatter can't corrupt the run-list JSON parse.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: drop deleted bot-token.sh path from use-a-novel-cli

Addresses copilot-pull-request-reviewer review feedback on #73.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(ci): harden bot-comment dispatcher per review

Addresses the Copilot review on a-novel/.github#123 (same workflow file): add a concurrency group keyed by repo/number/nonce so the idempotency check can't race two same-nonce runs into a double-post; add 'set -euo pipefail' to the validate step; and reword the header + README to state the token scope precisely — issues+pull_requests write rule out push/merge/release by permission, while not authoring/editing a PR is enforced by what the job does (comment then exit) on a protected-branch workflow, not by the token.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
What

Adds the a-novel-side copy of the `bot-comment` dispatcher — the counterpart to a-novel-kit/stack#73, which adds the same workflow for the a-novel-kit org plus the `a-novel core bot-comment` CLI that drives both.

The workflow is byte-identical to the one in a-novel-kit/stack: it derives org / App-ID / owner from `github.repository_owner` (here, a-novel), reads this org's `AGENT_BOT_PRIVATE_KEY` org secret, mints a token scoped to the single target repo with comment-only permissions, posts, and exits. It can do exactly one thing — post a PR/issue/review comment as `anovelbot-agent[bot]`; it cannot push, merge, or author a PR.

Why one dispatcher per org

Org-level secrets don't cross org boundaries, so each org hosts its own dispatcher reading its own `AGENT_BOT_PRIVATE_KEY`. This repo (a-novel/.github) is the a-novel org's dispatcher home; a-novel-kit/stack is a-novel-kit's.

Requires

- `AGENT_BOT_PRIVATE_KEY` org secret in a-novel (the anovelbot-agent private key), with repository visibility including this public repo.
- `actions: write` for each operator/agent that dispatches here.

Pairs with

a-novel-kit/stack#73 (the CLI + a-novel-kit dispatcher). This can merge independently.

🤖 Generated with Claude Code
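As an added illustration, not the dispatcher's own workflow code, here is the shape of the "validate before minting" step the PR body and the referenced commits describe, written as shell functions that can be exercised offline: inputs are checked (repo name, positive number without leading zeros, optional positive reply_to, nonce, non-empty body) before any App token exists, and a nonce marker lets a re-run detect an earlier post. The input names follow the PR; the exact patterns, the marker format and the function names are assumptions.

```shell
# Added example, not the a-novel workflow's own code. In the real step this
# runs under bash with `set -euo pipefail`; `-o pipefail` is left out here so
# the functions also run under a plain POSIX sh.
set -eu

# validate_inputs REPO NUMBER BODY REPLY_TO NONCE
# Returns 0 when every input is acceptable, 1 otherwise. This runs before the
# App token is minted, so a malformed dispatch never receives credentials.
validate_inputs() {
  local repo="$1" number="$2" body="$3" reply_to="$4" nonce="$5"
  # repo: a bare repository name (the owner comes from github.repository_owner),
  # so no slash, no "..", and only characters GitHub allows in repo names.
  case "$repo" in ''|*/*|*..*) return 1 ;; esac
  printf '%s' "$repo" | grep -Eq '^[A-Za-z0-9_.-]+$' || return 1
  # number: a positive integer with no leading zeros, so "0" and "007" fail.
  printf '%s' "$number" | grep -Eq '^[1-9][0-9]*$' || return 1
  # reply_to: optional; when present it becomes a review-comment id in the
  # API path, so it must be a positive integer as well.
  if [ -n "$reply_to" ]; then
    printf '%s' "$reply_to" | grep -Eq '^[1-9][0-9]*$' || return 1
  fi
  # nonce: opaque and safe to embed in the run-name and a comment marker
  # (assumed format: 8 to 64 alphanumeric characters).
  printf '%s' "$nonce" | grep -Eq '^[A-Za-z0-9]{8,64}$' || return 1
  # body: must contain at least one non-whitespace character.
  printf '%s' "$body" | grep -q '[^[:space:]]' || return 1
  return 0
}

# nonce_marker NONCE -> the HTML comment appended to the posted body so a
# later run with the same nonce can recognise the earlier post (assumed format).
nonce_marker() { printf '<!-- bot-comment nonce=%s -->' "$1"; }

# already_posted NONCE < existing-comment-bodies
# Reads the bodies of existing comments on stdin; succeeds if one carries the
# marker for NONCE, in which case the run should exit without posting again.
already_posted() {
  grep -Fq -- "$(nonce_marker "$1")"
}
```

The concurrency group keyed by repo/number/nonce that the hardening commit adds is what keeps two same-nonce runs from both passing `already_posted` before either has posted.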