
@Corey-T1000

Summary

Improves the documentation suggestion workflow based on security review and usability feedback.

Security Improvements

  • Org membership validation: Label-based triggers now verify the label adder is an org member via GitHub API
  • Tightened tool allowlist: Replaced Bash(git:*) wildcards with explicit commands (checkout, branch, add, commit, push, diff)
  • Fixed DRY_RUN type bug: Boolean-to-string coercion was causing label check bypass
  • Concurrency control: Only one workflow run per issue at a time
  • Reduced fetch-depth: Changed from 0 to 1 to limit git history exposure
  • Restricted WebFetch: Limited to docs.authzed.com only

UX Improvements

  • Structured issue template: New doc-suggestion.yml template with required fields
  • Auto-create draft PR: Workflow now creates the PR directly (not just a link)
  • Vercel preview URL: Issue comment includes preview link for reviewers
  • Smart reviewer assignment: Labels added by org members → reviewer is label adder; otherwise issue author
  • Timeout notifications: Cancelled/timed-out jobs now notify the issue author
  • Resilient failure handling: Notification steps use continue-on-error to avoid silent failures

Trigger Logic

Trigger | Who | What Happens
--- | --- | ---
Issue opened with Docs label | Org member | Auto-runs
approved label added | Org member (verified) | Runs
workflow_dispatch (dry_run=true) | Anyone with dispatch access | Dry run only
workflow_dispatch (dry_run=false) | Anyone with dispatch access | Requires approved label

Test Plan

  • Create test issue using new template as org member → should auto-trigger
  • Run workflow_dispatch with dry_run=true on existing issue → should analyze without changes
  • Have non-org user create issue → should NOT auto-trigger
  • Add approved label as org member to external issue → should trigger
  • Verify Vercel preview URL format in generated comments
  • Test timeout scenario (optional - requires long-running task)

Files Changed

  • .github/ISSUE_TEMPLATE/doc-suggestion.yml (new)
  • .github/workflows/claude.yml (modified)

🤖 Generated with Claude Code

Security improvements:
- Add org membership validation for label-based triggers
- Tighten allowedTools to explicit git/gh commands (no wildcards)
- Fix DRY_RUN boolean-to-string type coercion bug
- Add concurrency control (one run per issue)
- Reduce fetch-depth to 1 (limit history exposure)
- Restrict WebFetch to docs.authzed.com only

UX improvements:
- Add structured issue template for doc suggestions
- Auto-create draft PR (instead of just link)
- Include Vercel preview URL in issue comment
- Request review from appropriate user (label adder or issue author)
- Add timeout notification (cancelled jobs now notify users)
- Add failure notification with workflow run link

Trigger logic:
- Org members with 'Docs' label: auto-runs on issue open
- External users: requires org member to add 'approved' label
- workflow_dispatch: dry_run=true skips label check for testing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
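The trigger table and the DRY_RUN note above describe a small decision rule, and the "boolean-to-string coercion" failure is easy to reproduce outside GitHub Actions. The following is an added example written for this page, not code from the PR or from the repository's workflow: it models the gate as a pure function, applies the trigger table literally (label names Docs and approved as in the table), and puts the coercion bug class beside the strict parse. It assumes that org membership is supplied by the caller (in a workflow it would come from GET /orgs/{org}/members/{username}, whose status codes are mapped in member_from_status), and that the dry_run input reaches the step as the text "true"/"false", which is how a workflow_dispatch boolean lands in env. The member logins are constructed sample data.

```python
"""Trigger gate for a label-driven docs workflow (added example, not project code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

AUTO_LABEL = "Docs"          # label from the trigger table
APPROVAL_LABEL = "approved"  # label from the trigger table


@dataclass(frozen=True)
class Event:
    """The subset of a webhook payload / dispatch input the gate needs (assumed shape)."""
    name: str                              # "issues" or "workflow_dispatch"
    action: str = ""                       # "opened" or "labeled" for issues events
    author: str = ""                       # issue author login
    sender: str = ""                       # who performed the action (label adder on "labeled")
    labels: FrozenSet[str] = frozenset()   # labels on the issue after the event
    label_added: str = ""                  # the label named in a "labeled" event
    dry_run: Optional[str] = None          # dispatch input as it reaches env: "true" / "false"


@dataclass(frozen=True)
class Decision:
    run: bool
    dry_run: bool
    reviewer: str = ""
    reason: str = ""


def parse_bool_input(raw: Optional[str]) -> bool:
    """Strict parse of a boolean input that arrived as text.

    bool("false") is True in Python, and [ -n "false" ] is true in shell: a
    serialized "false" must never be tested for truthiness. Anything other than
    "true"/"false" is rejected rather than guessed.
    """
    if raw is None:
        return False
    value = raw.strip().lower()
    if value == "true":
        return True
    if value == "false":
        return False
    raise ValueError(f"dry_run is not a boolean string: {raw!r}")


def member_from_status(status: int) -> bool:
    """Interpret GET /orgs/{org}/members/{username} as documented by GitHub:
    204 = member, 404 = not a member, 302 = the requester itself is not an org
    member, so the token cannot answer; fail closed instead of guessing."""
    if status == 204:
        return True
    if status == 404:
        return False
    raise PermissionError(f"membership check inconclusive (HTTP {status})")


def decide(event: Event, org_members: FrozenSet[str]) -> Decision:
    """Apply the trigger table from the PR description."""
    if event.name == "workflow_dispatch":
        if parse_bool_input(event.dry_run):
            return Decision(run=True, dry_run=True, reason="dispatch dry run: analyze only")
        if APPROVAL_LABEL in event.labels:
            return Decision(run=True, dry_run=False, reviewer=event.author,
                            reason="dispatch with 'approved' label present")
        return Decision(run=False, dry_run=False, reason="dispatch without 'approved' label")

    if event.name == "issues" and event.action == "opened":
        if AUTO_LABEL in event.labels and event.author in org_members:
            return Decision(run=True, dry_run=False, reviewer=event.author,
                            reason="org member opened a Docs issue")
        return Decision(run=False, dry_run=False, reason="author not an org member or no Docs label")

    if event.name == "issues" and event.action == "labeled":
        # The reviewer becomes the label adder, as the UX notes describe.
        if event.label_added == APPROVAL_LABEL and event.sender in org_members:
            return Decision(run=True, dry_run=False, reviewer=event.sender,
                            reason="'approved' added by a verified org member")
        return Decision(run=False, dry_run=False, reason="label not 'approved' or adder not verified")

    return Decision(run=False, dry_run=False, reason=f"unhandled event {event.name}/{event.action}")


def decide_with_coercion_bug(event: Event, org_members: FrozenSet[str]) -> Decision:
    """Illustration of the bug class named in the PR, not the project's original code:
    the raw string is tested for truthiness, so "false" skips the label check while
    the separate equality test still turns dry-run off. Result: a full run with no
    'approved' label."""
    if event.name == "workflow_dispatch":
        skip_label_check = bool(event.dry_run)   # BUG: "false" is a non-empty string
        dry = event.dry_run == "true"
        if skip_label_check:
            return Decision(run=True, dry_run=dry, reason="BUG: label check skipped")
    return decide(event, org_members)


ORG_MEMBERS = frozenset({"alice", "bob"})  # constructed sample data, not real accounts

if __name__ == "__main__":
    dispatch_false = Event(name="workflow_dispatch", author="mallory", dry_run="false")
    print(decide(dispatch_false, ORG_MEMBERS))
    print(decide_with_coercion_bug(dispatch_false, ORG_MEMBERS))
```

Run stand-alone, the two printed decisions show the difference: the strict gate refuses the dispatch because no approved label is present, while the coercion variant runs it with dry_run off. The 302 case in member_from_status is the caveat to carry back into a workflow: whichever token performs the membership lookup must itself have organization read access, or the check is inconclusive and should block rather than pass.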
@vercel
Contributor

vercel bot commented Jan 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Review | Updated (UTC)
--- | --- | --- | ---
docs | Ready | Preview, Comment | Jan 16, 2026 9:32pm


@github-actions
Contributor

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by posting a Pull Request comment in the same format as below.

I have read the CLA Document and I hereby sign the CLA
You can retrigger this bot by commenting recheck in this Pull Request

@samkim
Member

samkim commented Jan 17, 2026

Closing in favor of #489

Most of the changes in this PR are changing intentional decisions and limits placed in the workflow currently.

@samkim samkim closed this Jan 17, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Jan 17, 2026