chore(ci): use SHOPIFY_GH_ACCESS_TOKEN for agent PRs (#2192)

naqvitalha · web-flow · commit ce349cfb820d · 2026-03-23T18:04:32.000Z
* fix(ci): triage only triggers when agent-triage label is added by a qualified user

* chore(ci): improve agent workflows and skills from run feedback

- Add pod install to allowed tools in fix, bot, and android-bot workflows
- Add bundle exec to android-bot allowed tools (was missing)
- Add git fetch origin main step to fix, bot, and android-bot workflows
  to prevent "no merge base" errors when diffing against main
- Switch raise-pr skill to use --body-file instead of inline --body
  to avoid Claude Code permission checks on markdown headers
- Triage skill: search closed issues too to catch regressions
- Triage skill: allow clarification comments on vague feature requests
- Fix skill: feature requests skip the "reproduce first" constraint

* fix(ci): address copilot review comments

- raise-pr: use Write tool instead of cat for /tmp/pr-body.md (cat not in allowed tools)
- triage: fix Rules section to match Step 5 comment guidance

* chore(ci): use SHOPIFY_GH_ACCESS_TOKEN for agent-raised PRs

Agent-raised PRs must use the dedicated SHOPIFY_GH_ACCESS_TOKEN for
PR creation to be mergeable. This injects it as AGENT_PR_TOKEN env var
in all 3 agent workflows and updates the raise-pr skill and CLAUDE.md
to enforce usage.

* chore(ci): remove timeout-minutes from agent workflows

Let agent workflows run without a hard timeout so they can complete
naturally. Triage workflow keeps its 10-minute timeout.

* chore(ci): kill background processes before finishing on CI

Metro and other background processes prevent GitHub Actions jobs from
exiting after the agent finishes. Added mandatory cleanup instructions
to CLAUDE.md, fix-github-issue skill, and raise-pr skill.

* fix(ci): allow GH_TOKEN prefixed gh pr commands in agent workflows

The Bash permission pattern Bash(gh pr *) doesn't match when prefixed
with GH_TOKEN=. Add explicit Bash(GH_TOKEN=* gh pr *) to ALLOWED_TOOLS.
diff --git a/.claude/skills/fix-github-issue/SKILL.md b/.claude/skills/fix-github-issue/SKILL.md
@@ -23,7 +23,8 @@ These are hard rules. Violating any of them is a failure.
 3. Implement the fix
 4. Review your code for any obvious problems
 5. Verify the fix using `agent-device` skill
-6. **Raise a PR** using the raise-pr skill. When running interactively, confirm with dev first. On CI, raise directly.
+6. **Kill background processes** — before raising a PR, kill any Metro bundler or other background processes you started (see Cleanup section below).
+7. **Raise a PR** using the raise-pr skill. When running interactively, confirm with dev first. On CI, raise directly.
 
 ## Running Metro
 
@@ -69,6 +70,19 @@ This runs `detox build -c ios.sim.release` followed by `detox test -c ios.sim.re
 cd fixture/react-native && yarn react-native run-ios
 ```
 
+## Cleanup (MANDATORY on CI)
+
+**Before raising a PR or finishing, kill all background processes you started.** On CI, leftover processes (especially Metro) prevent the GitHub Actions job from exiting, causing it to run until the timeout.
+
+```bash
+# Kill Metro bundler
+lsof -ti:8081 | xargs kill -9 2>/dev/null || true
+# Kill any other background processes you started
+kill %1 2>/dev/null || true
+```
+
+Always do this **before** the raise-pr step.
+
 ## Common Pitfalls
 
 - **`estimatedItemSize` does not exist** in this FlashList — it is not a prop. Do not add it to repro screens.
diff --git a/.claude/skills/raise-pr/SKILL.md b/.claude/skills/raise-pr/SKILL.md
@@ -15,6 +15,16 @@ description: Create a GitHub PR for FlashList. Ensures no AI/Claude attribution
 
 ---
 
+## Step 0 — Kill Background Processes (MANDATORY on CI)
+
+Before creating the branch and PR, kill any background processes you started (Metro, emulators, etc.). On CI, leftover processes prevent the GitHub Actions job from exiting.
+
+```bash
+lsof -ti:8081 | xargs kill -9 2>/dev/null || true
+```
+
+---
+
 ## Step 1 — Create Branch and Commit
 
 ### Branch naming
@@ -110,11 +120,13 @@ Fixes #<number>
 - [ ] No regressions on related screens
 EOF
 
-gh pr create \
+GH_TOKEN="$AGENT_PR_TOKEN" gh pr create \
   --title "fix(<scope>): <description>" \
   --body-file /tmp/pr-body.md
 ```
 
+**MANDATORY:** The `GH_TOKEN="$AGENT_PR_TOKEN"` prefix is required. PRs created without it cannot be merged. On CI, `AGENT_PR_TOKEN` is set automatically from `SHOPIFY_GH_ACCESS_TOKEN`. Locally, ensure it is exported or pass your token directly.
+
 Before running `gh pr create`, double-check:
 - [ ] No mention of Claude, AI, Anthropic, or any AI tool anywhere
 - [ ] Description explains the "what" and "why" clearly
diff --git a/.github/workflows/agent-android-bot.yml b/.github/workflows/agent-android-bot.yml
@@ -26,12 +26,12 @@ env:
     Bash(git log),Bash(git log *),Bash(git diff),Bash(git diff *),Bash(git status),Bash(git show *),
     Bash(git checkout *),Bash(git add *),Bash(git commit *),Bash(git push -u *),
     Bash(git branch),Bash(git branch *),Bash(git rev-parse *),Bash(git fetch),Bash(git fetch *),
-    Bash(gh issue *),Bash(gh pr *),Bash(gh label *),
+    Bash(gh issue *),Bash(gh pr *),Bash(gh label *),Bash(GH_TOKEN=* gh pr *),
     Bash(agent-device *),
     Bash(adb devices),Bash(adb wait-for-device),Bash(adb install *),Bash(adb reverse *),
     Bash(adb shell getprop *),Bash(adb shell am *),Bash(adb shell pm *),Bash(adb shell screenrecord *),
     Bash(adb pull *),Bash(adb shell kill *),Bash(adb shell pidof *),
-    Bash(curl -s http://localhost:*),
+    Bash(curl http://localhost:*),Bash(curl -s http://localhost:*),Bash(curl -sS http://localhost:*),
     Bash(grep *),Bash(find *),Bash(ls),Bash(ls *),Bash(mkdir *),Bash(rm *),
     Bash(kill *),Bash(lsof),Bash(lsof *),Bash(nohup *),Bash(sleep *),
     Bash(head *),Bash(tail *),Bash(wc *),Bash(sort *),Bash(uniq *),
@@ -41,7 +41,6 @@ env:
 jobs:
   bot:
     runs-on: ubuntu-latest
-    timeout-minutes: 45
     if: >-
       github.event_name == 'workflow_dispatch' ||
       (
@@ -151,6 +150,7 @@ jobs:
         uses: anthropics/claude-code-action@bf4f0de6fccd1eea7044a5f903fc928aff363134 # v1
         env:
           ANTHROPIC_BASE_URL: https://proxy.shopify.ai/vendors/anthropic
+          AGENT_PR_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
         with:
           trigger_phrase: "@android-agent"
           anthropic_api_key: ${{ secrets.AI_PROXY_TOKEN }}
diff --git a/.github/workflows/agent-bot.yml b/.github/workflows/agent-bot.yml
@@ -26,9 +26,9 @@ env:
     Bash(git log),Bash(git log *),Bash(git diff),Bash(git diff *),Bash(git status),Bash(git show *),
     Bash(git checkout *),Bash(git add *),Bash(git commit *),Bash(git push -u *),
     Bash(git branch),Bash(git branch *),Bash(git rev-parse *),Bash(git fetch),Bash(git fetch *),
-    Bash(gh issue *),Bash(gh pr *),Bash(gh label *),
-    Bash(agent-device *),Bash(xcrun simctl list),Bash(xcrun simctl list *),Bash(xcrun simctl get_app_container *),Bash(xcrun simctl install *),Bash(xcrun simctl launch *),Bash(xcrun simctl boot *),Bash(sips *),
-    Bash(curl -s http://localhost:*),
+    Bash(gh issue *),Bash(gh pr *),Bash(gh label *),Bash(GH_TOKEN=* gh pr *),
+    Bash(agent-device *),Bash(xcrun simctl list),Bash(xcrun simctl list *),Bash(xcrun simctl get_app_container *),Bash(xcrun simctl install *),Bash(xcrun simctl launch *),Bash(xcrun simctl boot *),Bash(sips *),Bash(xcodebuild *),
+    Bash(curl http://localhost:*),Bash(curl -s http://localhost:*),Bash(curl -sS http://localhost:*),
     Bash(grep *),Bash(find *),Bash(ls),Bash(ls *),Bash(mkdir *),Bash(rm *),
     Bash(kill *),Bash(lsof),Bash(lsof *),Bash(nohup *),Bash(sleep *),
     Bash(head *),Bash(tail *),Bash(wc *),Bash(sort *),Bash(uniq *),
@@ -38,7 +38,6 @@ env:
 jobs:
   bot:
     runs-on: macos-latest
-    timeout-minutes: 45
     if: >-
       github.event_name == 'workflow_dispatch' ||
       (
@@ -75,6 +74,7 @@ jobs:
         uses: anthropics/claude-code-action@bf4f0de6fccd1eea7044a5f903fc928aff363134 # v1
         env:
           ANTHROPIC_BASE_URL: https://proxy.shopify.ai/vendors/anthropic
+          AGENT_PR_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
         with:
           trigger_phrase: "@agent"
           anthropic_api_key: ${{ secrets.AI_PROXY_TOKEN }}
diff --git a/.github/workflows/agent-fix.yml b/.github/workflows/agent-fix.yml
@@ -18,9 +18,9 @@ env:
     Bash(git log),Bash(git log *),Bash(git diff),Bash(git diff *),Bash(git status),Bash(git show *),
     Bash(git checkout *),Bash(git add *),Bash(git commit *),Bash(git push -u *),
     Bash(git branch),Bash(git branch *),Bash(git rev-parse *),Bash(git fetch),Bash(git fetch *),
-    Bash(gh issue *),Bash(gh pr *),Bash(gh label *),
-    Bash(agent-device *),Bash(xcrun simctl list),Bash(xcrun simctl list *),Bash(xcrun simctl get_app_container *),Bash(xcrun simctl install *),Bash(xcrun simctl launch *),Bash(xcrun simctl boot *),Bash(sips *),
-    Bash(curl -s http://localhost:*),
+    Bash(gh issue *),Bash(gh pr *),Bash(gh label *),Bash(GH_TOKEN=* gh pr *),
+    Bash(agent-device *),Bash(xcrun simctl list),Bash(xcrun simctl list *),Bash(xcrun simctl get_app_container *),Bash(xcrun simctl install *),Bash(xcrun simctl launch *),Bash(xcrun simctl boot *),Bash(sips *),Bash(xcodebuild *),
+    Bash(curl http://localhost:*),Bash(curl -s http://localhost:*),Bash(curl -sS http://localhost:*),
     Bash(grep *),Bash(find *),Bash(ls),Bash(ls *),Bash(mkdir *),Bash(rm *),
     Bash(kill *),Bash(lsof),Bash(lsof *),Bash(nohup *),Bash(sleep *),
     Bash(head *),Bash(tail *),Bash(wc *),Bash(sort *),Bash(uniq *),
@@ -45,7 +45,6 @@ jobs:
           github.event.comment.author_association == 'COLLABORATOR'
         )
       )
-    timeout-minutes: 60
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -71,6 +70,7 @@ jobs:
         uses: anthropics/claude-code-action@bf4f0de6fccd1eea7044a5f903fc928aff363134 # v1
         env:
           ANTHROPIC_BASE_URL: https://proxy.shopify.ai/vendors/anthropic
+          AGENT_PR_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
         with:
           anthropic_api_key: ${{ secrets.AI_PROXY_TOKEN }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -35,6 +35,23 @@ Node 22.18.0
 - PR titles should be under 70 characters and match the commit format
 - Link issues with `Fixes #<number>` in the commit/PR body
 
+## Agent PR Token (MANDATORY)
+
+**All agent-raised PRs MUST use `SHOPIFY_GH_ACCESS_TOKEN` for PR creation.** PRs created without this token cannot be merged.
+
+- On CI: The token is available as `$AGENT_PR_TOKEN` environment variable in agent workflows.
+- When creating a PR, **always** use: `GH_TOKEN="$AGENT_PR_TOKEN" gh pr create ...`
+- The default `GITHUB_TOKEN` is used for all other operations (issue comments, push, checkout). Only PR creation uses `AGENT_PR_TOKEN`.
+- **Never** use bare `gh pr create` without the `GH_TOKEN="$AGENT_PR_TOKEN"` prefix — the PR will be unmergeable.
+
+## CI Cleanup (MANDATORY)
+
+**Before finishing on CI, kill all background processes you started** — especially Metro (`port 8081`). Leftover processes prevent the GitHub Actions job from exiting, causing it to run until timeout and waste CI minutes.
+
+```bash
+lsof -ti:8081 | xargs kill -9 2>/dev/null || true
+```
+
 ## Available Skills
 
 Skills are reusable workflows in `.claude/skills/`. Use them when relevant:
