Add Notion integration for read-only workspace access (#182)

Co-authored-by: baudbot-agent <baudbot-agent@users.noreply.github.com>
Co-authored-by: Ben Vinegar <ben@benv.ca>

Author: 3 people

.env.schema

@@ -182,6 +182,13 @@ SLACK_BROKER_DEDUPE_TTL_MS=1200000
 # @docs(https://linear.app/settings/api)
 LINEAR_API_KEY=
 
+# ── Notion (optional) ────────────────────────────────────────────────────────
+
+# Notion integration secret (internal integration token)
+# @type=string
+# @docs(https://www.notion.so/my-integrations)
+NOTION_API_KEY=
+
 # ── Tool Guard ───────────────────────────────────────────────────────────────
 
 # Unix username of the agent

.github/workflows/integration.yml

@@ -76,12 +76,29 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Gate external fork PRs
+        id: gate
+        shell: bash
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Skip integration for external fork PRs
+        if: steps.gate.outputs.enabled != 'true'
+        run: |
+          echo "Skipping droplet integration for external fork pull requests (secrets are unavailable)."
+
       - name: Generate ephemeral SSH key
+        if: steps.gate.outputs.enabled == 'true'
         run: |
           mkdir -p ~/.ssh
           ssh-keygen -t ed25519 -f ~/.ssh/ci_key -N "" -q
 
       - name: Create droplet
+        if: steps.gate.outputs.enabled == 'true'
         id: droplet
         env:
           DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
@@ -94,6 +111,7 @@ jobs:
           echo "$output"
 
       - name: Wait for SSH
+        if: steps.gate.outputs.enabled == 'true'
         env:
           DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
         run: |
@@ -102,6 +120,7 @@ jobs:
             ~/.ssh/ci_key
 
       - name: Upload source
+        if: steps.gate.outputs.enabled == 'true'
         run: |
           tar czf /tmp/baudbot-src.tar.gz \
             --exclude=node_modules --exclude=.git .
@@ -111,6 +130,7 @@ jobs:
             "root@${{ steps.droplet.outputs.DROPLET_IP }}:/tmp/baudbot-src.tar.gz"
 
       - name: Setup and test
+        if: steps.gate.outputs.enabled == 'true'
         run: |
           bash bin/ci/droplet.sh run \
             "${{ steps.droplet.outputs.DROPLET_IP }}" \
@@ -119,7 +139,7 @@ jobs:
             "CI_ANTHROPIC_API_KEY=${{ secrets.CI_ANTHROPIC_API_KEY }}"
 
       - name: Cleanup
-        if: always()
+        if: always() && steps.gate.outputs.enabled == 'true'
         env:
           DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
         run: |

CONFIGURATION.md

@@ -84,6 +84,23 @@ The `linear` extension provides a tool for interacting with the Linear issue tra
 |----------|-------------|---------------|
 | `LINEAR_API_KEY` | Linear API key (personal or OAuth token) | Go to [Linear Settings → API](https://linear.app/settings/api), create a **Personal API key**. For workspace-wide access, create an OAuth application instead. The key needs read/write access to issues and comments. |
 
+### Notion Integration
+
+The `notion` extension provides a read-only tool for accessing your Notion workspace. The agent can search for pages and databases, retrieve full page content (including nested blocks), query database entries, and inspect database schemas.
+
+| Variable | Description | How to get it |
+|----------|-------------|---------------|
+| `NOTION_API_KEY` | Notion integration secret (internal integration token) | Go to [Notion → My integrations](https://www.notion.so/my-integrations), create a new **Internal Integration**. Copy the **Internal Integration Token** (starts with `secret_`). After creating the integration, share the pages/databases you want the agent to access by clicking **"•••"** → **Add connections** → select your integration. The integration can only read content explicitly shared with it. |
+
+**Capabilities:**
+- `search` — Find pages and databases by text query or type filter
+- `get` — Read full page content with all blocks (paragraphs, headings, lists, code, callouts, etc.)
+- `list` — Query database entries with filters and sorting
+- `database` — Inspect database schema and property types
+
+**Permissions:**  
+The integration token only provides read access to pages/databases explicitly shared with the integration. It cannot create, update, or delete content.
+
 ### Slack Channels
 
 | Variable | Description | How to get it |