From 897d1f1c037d04aab23b1015ef6bd2bdaeb71828 Mon Sep 17 00:00:00 2001
From: Graham Savage
Date: Tue, 19 May 2026 17:06:17 +0100
Subject: [PATCH 1/3] Attest pull request to Kosli trail in apply workflow

Adds a `kosli attest pr github` step at the end of the reset-drift-detection job so the PR that triggered the apply is recorded against the Kosli trail. The Kosli CLI auto-detects the org, repo, and commit from the GitHub Actions environment, and the flow/trail/host/api-token come from existing env vars on the job. A new `github_token` secret is added to the reusable workflow inputs to authenticate the lookup; callers should pass `secrets.GITHUB_TOKEN`.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/apply.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
index baedcf9..689747a 100644
--- a/.github/workflows/apply.yml
+++ b/.github/workflows/apply.yml
@@ -42,6 +42,9 @@ on:
 kosli_api_token:
 description: "Kosli API token. Required when kosli_template_file is set."
 required: false
+ github_token:
+ description: "GitHub token used by `kosli attest pr github` to look up pull requests. Required when kosli_template_file is set."
+ required: false

 jobs:
 apply:
@@ -129,3 +132,10 @@ jobs:
 - name: Kosli attest drift plan
 if: inputs.kosli_template_file != ''
 run: kosli attest artifact /tmp/drift.plan.json --artifact-type file --name drift-plan
+
+ - name: Kosli attest pull request
+ if: inputs.kosli_template_file != ''
+ run: |
+ kosli attest pr github \
+ --name pull-request \
+ --github-token ${{ secrets.github_token }}
From a6970711f55bdce9fd7a76f57d11789a40e87ed0 Mon Sep 17 00:00:00 2001
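Review bot: The new `github_token` secret input is, as far as I recall the reusable-workflow rules, redundant with a token the called workflow already has — `github.token` / `secrets.GITHUB_TOKEN` is available in a called workflow without being passed — so the input only earns its place when a caller wants to supply a different credential (a GitHub App or fine-grained PAT, e.g. for a lookup the repo token cannot do). The description should state which token is expected and what it must be able to do, since "look up pull requests" does not tell a caller that a read scope on pull requests is required; something like `description: "Token for the pull-request lookup in kosli attest pr github (needs pull-requests: read). Pass secrets.GITHUB_TOKEN, or an App/PAT token if the lookup needs more than the repo token has."`. If the intent really is "always the repo token", the input could be dropped and the step could use `${{ github.token }}` directly — worth confirming against GitHub's current reusable-workflow docs before relying on either reading.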
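Review bot: `--github-token ${{ secrets.github_token }}` on the last added line interpolates the secret into the script text the runner writes to disk and then passes it as a command-line argument, where it is readable in `ps`/`/proc/<pid>/cmdline` by anything else on the runner for the life of the process. The commit message says the CLI already picks up flow/trail/host/api-token from `KOSLI_*` env vars on the job, so the cleanest form is probably `env:` with `KOSLI_GITHUB_TOKEN: ${{ secrets.github_token }}` and the `--github-token` flag dropped — confirm the CLI honours that variable; failing that, at least set `GITHUB_TOKEN: ${{ secrets.github_token }}` under `env:` and reference `"$GITHUB_TOKEN"` in `run:` so the secret is not spliced into the script body. Separately, what the step does when the triggering commit has no associated PR (a direct push to the branch) is not visible here — whether that fails the apply or records an empty attestation is a policy decision, and a one-line comment above the step saying which is intended would save the next maintainer a surprise.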
From: Graham Savage
Date: Tue, 19 May 2026 17:10:23 +0100
Subject: [PATCH 2/3] Skip PR attestation when github_token is not provided

To support a gradual rollout, callers should be able to adopt the new reusable-workflow version without immediately supplying a GitHub token. The github_token secret is already declared `required: false`, but the attest-PR step previously ran unconditionally and would fail with an empty token. Gate the step on `secrets.github_token != ''` so it is skipped when no token is passed, and update the secret description to match.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/apply.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
index 689747a..0fbd845 100644
--- a/.github/workflows/apply.yml
+++ b/.github/workflows/apply.yml
@@ -43,7 +43,7 @@ on:
 description: "Kosli API token. Required when kosli_template_file is set."
 required: false
 github_token:
- description: "GitHub token used by `kosli attest pr github` to look up pull requests. Required when kosli_template_file is set."
+ description: "GitHub token used by `kosli attest pr github` to look up pull requests. Optional; when omitted the pull-request attestation step is skipped."
 required: false

 jobs:
@@ -134,7 +134,7 @@ jobs:
 run: kosli attest artifact /tmp/drift.plan.json --artifact-type file --name drift-plan

 - name: Kosli attest pull request
- if: inputs.kosli_template_file != ''
+ if: inputs.kosli_template_file != '' && secrets.github_token != ''
 run: |
 kosli attest pr github \
 --name pull-request \
From e5a6f302774bb776a99fd310f19e0b022a8088d6 Mon Sep 17 00:00:00 2001
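Review bot: The rewritten description tells the caller the step is skipped but not what that costs them: the Kosli trail for that run will carry no pull-request attestation, which is exactly the evidence a change-control audit looks for, so "optional" undersells the decision. Suggest `description: "GitHub token for kosli attest pr github (needs pull-requests: read). Optional for rollout only: when omitted the pull-request attestation is skipped and the trail records no PR evidence for this apply."`. Whether a missing attestation also makes the trail non-compliant depends on the Kosli template referenced by `kosli_template_file`, which is not visible here — if it does, say so, because that is the behaviour callers will actually notice.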
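Review bot: The new `if:` makes the skip completely silent — the job goes green, the step shows as skipped, and nothing in the log says that PR evidence was not recorded — which is a poor default for a control whose whole point is auditability. Add a companion step that surfaces the gap as a run annotation: `- name: Warn that pull-request attestation was skipped` / `if: inputs.kosli_template_file != '' && secrets.github_token == ''` / `run: echo "::warning::github_token not supplied; pull-request attestation skipped for this trail"`. Keep the gate at step level as written: the `secrets` context is available in a step-level `if:` but not in a job-level one, so this condition must not be hoisted to the job. The `run:` block this hunk ends inside continues past the hunk (the `--github-token` line is outside it).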
From: Graham Savage
Date: Tue, 19 May 2026 17:16:07 +0100
Subject: [PATCH 3/3] Grant pull-requests: read to reset-drift-detection job

The `kosli attest pr github` step queries the GitHub API to find the pull request associated with the merge commit, which requires the GITHUB_TOKEN to carry the `pull-requests: read` scope. Declare it on the job so the token used inside the reusable workflow has the permission it needs.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/apply.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
index 0fbd845..3cfbbc9 100644
--- a/.github/workflows/apply.yml
+++ b/.github/workflows/apply.yml
@@ -74,6 +74,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
+ pull-requests: read
 env:
 KOSLI_ORG: ${{ inputs.kosli_org }}
 KOSLI_HOST: ${{ inputs.kosli_host }}
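Review bot: Declaring `pull-requests: read` on the called job is necessary but, under GitHub's reusable-workflow model as I understand it, not sufficient: a called workflow can only narrow the permissions the caller grants, never widen them, so a caller whose job (or repository default, which in "restricted" mode has no pull-requests scope at all) does not also grant `pull-requests: read` will still get a 403/404 on the lookup, and the commit message does not say this. A comment on the added line would spare the next caller a confusing failure: `pull-requests: read  # for kosli attest pr github; the CALLER must grant this too — called workflows can only narrow the caller's token`. Note also that the step uses whatever the caller passed as `github_token`; if that is an App or PAT token rather than `secrets.GITHUB_TOKEN`, this `permissions:` block does not govern it at all. The hunk shows the job's `permissions:` block but not its id, so I cannot confirm from here that this is the reset-drift-detection job named in the subject rather than another job in the file.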