diff --git a/CLAUDE.md b/CLAUDE.md index af3c58a02..50b9bcccb 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -452,6 +452,36 @@ Even if the agent strongly believes a change improves the project, these three categories require explicit user approval via AskUserQuestion. No exceptions. No auto-merging. No "I'll just clean this up." +## Checking out PRs from garrytan-agents + +When the user says "check out " and the PR is from `garrytan-agents/gstack` +(or any other fork that is NOT a collaborator on `garrytan/gstack`), do NOT just +`gh pr checkout`. Fork PRs don't receive base-repo secrets (`ANTHROPIC_API_KEY`, +`OPENAI_API_KEY`, etc.), so the eval/E2E CI jobs fail with empty-env auth errors +regardless of what's set on the base repo. + +**Workflow:** push the branch to `garrytan/gstack` (the base repo) and re-target +the PR from there. + +Concretely, after `gh pr checkout `: + +1. Note the original PR number and head branch name. +2. Push the same branch to the base repo: `git push origin HEAD:` + (origin = `garrytan/gstack`, since the worktree is set up with that remote). +3. Close the fork PR (`gh pr close --comment "moving to base-repo branch for secret access"`). +4. Open a new PR from the base-repo branch: `gh pr create --base main --head `. +5. New PR's workflows will get secrets automatically. + +Why not fix it on the fork side? `garrytan-agents` isn't a collaborator on +`garrytan/gstack`. Adding it as a collaborator (option A) or flipping the +repo-wide "send secrets to fork PRs" toggle (option B) would let secrets reach +fork PRs from anyone — broader blast radius than just moving this one branch. +Option C (this section) keeps secret-distribution scope tight. + +If the user asks you to skip the move (e.g., "just leave it as a fork PR"), +respect that — eval CI will fail with empty-env auth, but check-freshness, +workflow-lint, and windows-tests will still pass on the fork PR. + ## CHANGELOG + VERSION style **Versioning invariant (workspace-aware ship).** VERSION is a monotonic ordered
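Review bot: Steps 1 to 5 of the new "Checking out PRs from garrytan-agents" section have no review gate before step 2, so whatever the fork branch contains, including edits to workflow files or to scripts the eval/E2E jobs run, executes with `ANTHROPIC_API_KEY` and `OPENAI_API_KEY` available once it is pushed to `garrytan/gstack`. The "keeps secret-distribution scope tight" rationale only holds if each moved branch has been read first. Suggest adding a step between 1 and 2 that requires reviewing the full diff against `main` and getting explicit user approval before `git push origin HEAD:`, in the same way the preceding section requires approval via AskUserQuestion. Two smaller points in the same hunk: in the "Why not fix it on the fork side?" paragraph, the "from anyone" consequence fits option B (the repo-wide toggle) but not option A, which adds only `garrytan-agents`, so the two options should be described separately; and the heading names garrytan-agents while the first paragraph extends the rule to "any other fork that is NOT a collaborator", so the heading or the scope should be adjusted to match.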