From 5a425d366b5459bbc2c274357fe05d16f23baa58 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Wed, 13 May 2026 10:59:37 -0700 Subject: [PATCH] docs(CLAUDE.md): add workflow for fork PRs from garrytan-agents Fork PRs from non-collaborators don't get base-repo secrets passed to their CI workflows, so eval/E2E jobs fail with empty-env auth. New section: when checking out a PR from garrytan-agents, push the branch to garrytan/gstack and re-target the PR from there. Co-Authored-By: Claude Opus 4.7 (1M context) --- CLAUDE.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/CLAUDE.md b/CLAUDE.md index af3c58a02..50b9bcccb 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -452,6 +452,36 @@ Even if the agent strongly believes a change improves the project, these three categories require explicit user approval via AskUserQuestion. No exceptions. No auto-merging. No "I'll just clean this up." +## Checking out PRs from garrytan-agents + +When the user says "check out " and the PR is from `garrytan-agents/gstack` +(or any other fork that is NOT a collaborator on `garrytan/gstack`), do NOT just +`gh pr checkout`. Fork PRs don't receive base-repo secrets (`ANTHROPIC_API_KEY`, +`OPENAI_API_KEY`, etc.), so the eval/E2E CI jobs fail with empty-env auth errors +regardless of what's set on the base repo. + +**Workflow:** push the branch to `garrytan/gstack` (the base repo) and re-target +the PR from there. + +Concretely, after `gh pr checkout `: + +1. Note the original PR number and head branch name. +2. Push the same branch to the base repo: `git push origin HEAD:` + (origin = `garrytan/gstack`, since the worktree is set up with that remote). +3. Close the fork PR (`gh pr close --comment "moving to base-repo branch for secret access"`). +4. Open a new PR from the base-repo branch: `gh pr create --base main --head `. +5. New PR's workflows will get secrets automatically. + +Why not fix it on the fork side? `garrytan-agents` isn't a collaborator on +`garrytan/gstack`. Adding it as a collaborator (option A) or flipping the +repo-wide "send secrets to fork PRs" toggle (option B) would let secrets reach +fork PRs from anyone — broader blast radius than just moving this one branch. +Option C (this section) keeps secret-distribution scope tight. + +If the user asks you to skip the move (e.g., "just leave it as a fork PR"), +respect that — eval CI will fail with empty-env auth, but check-freshness, +workflow-lint, and windows-tests will still pass on the fork PR. + ## CHANGELOG + VERSION style **Versioning invariant (workspace-aware ship).** VERSION is a monotonic ordered
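Review bot: Step 2 of the new workflow pushes a branch authored by a non-collaborator fork into `garrytan/gstack` with no review step before it, and step 5 states that the new PR's workflows then receive secrets. This means the fork's code runs in CI with `ANTHROPIC_API_KEY` and `OPENAI_API_KEY` available. The section should add an explicit step between 1 and 2 that requires reading the full diff before the push, with particular attention to workflow definitions and to any script or test the eval/E2E jobs execute. It should also tell the agent to stop and ask the user if the branch touches those files, in line with the AskUserQuestion rule in the context lines just above this hunk. A second point concerns the "Why not fix it on the fork side?" paragraph, which says both option A and option B would let secrets reach fork PRs "from anyone". As written, option A adds only `garrytan-agents` as a collaborator, so the sentence should state the scope of each option separately. It should also acknowledge that option C still exposes secrets to whatever code is on the moved branch, so that "keeps secret-distribution scope tight" is not read as "no exposure".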