Skip to content

feat(automation): Add Amber issue-to-PR automation system #369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jeremyeder merged 3 commits into from
Nov 28, 2025
Merged

feat(automation): Add Amber issue-to-PR automation system #369

jeremyeder merged 3 commits into from
Nov 28, 2025

Conversation

@jeremyeder
Copy link
Collaborator

@jeremyeder jeremyeder commented Nov 25, 2025

Summary

This PR adds the complete Amber background agent system for automated issue-to-PR workflows via GitHub Actions.

This is a rebased version of #354, now on a feature branch to avoid merge conflicts.

Features

Automation Workflows

  • 🤖 Auto-Fix (label: amber:auto-fix) - Formatting, linting, trivial fixes
  • 🔧 Refactoring (label: amber:refactor) - Break large files, extract patterns
  • 🧪 Test Coverage (label: amber:test-coverage) - Add missing tests

Components

  • GitHub Actions workflow using claude-code-action@v1
  • Structured issue templates for guided UX
  • Comprehensive documentation (quickstart + full guide)
  • Configuration file with risk-based automation policies
  • Workflow diagrams and architecture documentation

Security

  • ✅ No command injection (env var injection prevention)
  • ✅ Minimal permissions (contents:write, issues:write, pull-requests:write)
  • ✅ Token redaction in logs
  • ✅ Branch protection (never pushes to main)

Files Added/Modified

  • .github/workflows/amber-issue-handler.yml - Main workflow
  • .github/workflows/README.md - Updated workflow documentation
  • CLAUDE.md - Updated project overview with Amber section

Documentation

Changes from Original PR #354

  • Rebased onto latest upstream/main (commit 7d79c81)
  • Resolved merge conflicts in CLAUDE.md and workflow files
  • Now using feature branch instead of main branch

Testing

Created test issue #353 to verify workflow triggers correctly once this PR is merged.

Checklist

  • Documentation added
  • Security best practices followed
  • Issue templates created
  • Configuration file added
  • README updated with Amber section
  • Rebased on latest upstream/main

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

@jeremyeder @claude
feat(automation): add Amber issue-to-PR automation system
9c202d0 
Implements complete GitHub Actions workflow for automated development
tasks triggered by issue labels.

Features:
- Auto-fix workflow (amber:auto-fix) - formatting, linting, trivial fixes
- Refactoring workflow (amber:refactor) - break large files, extract patterns
- Test coverage workflow (amber:test-coverage) - add missing tests

Components:
- GitHub Actions workflow with security best practices
- Structured issue templates for guided UX
- Comprehensive documentation (quickstart + full guide)
- Configuration file with risk-based automation policies
- Workflow diagrams and architecture documentation

Security:
- No command injection (env var injection prevention)
- Minimal permissions (contents:write, issues:write, pull-requests:write)
- Token redaction in logs
- Branch protection (never pushes to main)

Documentation:
- docs/amber-quickstart.md - 5-minute setup guide
- docs/amber-automation.md - Complete 4,000+ word guide
- docs/diagrams/amber-workflow.md - Mermaid diagrams
- AMBER_SETUP.md - Setup checklist and testing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Contributor

github-actions bot commented Nov 25, 2025

Claude Code Review

Summary

This PR adds the Amber background agent system for automated issue-to-PR workflows. The implementation includes comprehensive documentation, issue templates, configuration, and a GitHub Actions workflow. Overall, this is a well-documented feature with good security awareness, but the workflow implementation has critical issues that will prevent it from functioning correctly.

Recommendation: Request Changes - The workflow cannot execute successfully in its current form and requires significant rework of the execution step.

Issues by Severity

Blocker Issues

1. Non-Functional Execution Step (amber-issue-handler.yml:153-267)

The execution step attempts to use @anthropic-ai/claude-code npm package which doesn't exist, and falls back to basic Anthropic API calls which cannot interact with git, filesystem, or execute tools. The workflow expects Amber to modify files, commit, and push - which won't happen with just text responses.

Impact: The workflow will execute but produce no actual changes, making the entire Amber system non-functional.

Recommendation: Restore claude-code-action@v1 usage or implement proper Claude Code SDK integration.

2. Hardcoded Absolute Path (amber-issue-handler.yml:153)

Path hardcoded to /Users/jeder/repos/platform/CLAUDE.md will not exist in GitHub Actions runner.

Fix: Change to relative path: CLAUDE.md

3. Missing Error Handling in PR Creation (amber-issue-handler.yml:267-327)

No error handling for PR creation failures (conflicts, duplicate PRs, etc).

Fix: Add try-catch blocks with proper error messages.

Critical Issues

4. Security: Token Not Redacted (amber-issue-handler.yml:201-203)

git clone with embedded token will leak in error output.

Fix: Use token masking first, or reuse existing checkout action.

5. Missing Dependency Installation

Fallback Python code requires anthropic package but it's not installed.

Fix: Add pip install anthropic>=0.68.0 step.

6. Working Directory Confusion (amber-issue-handler.yml:198-202)

Creates temp directory and clones repo again, despite already checking out at the beginning. Wastes time and bandwidth.

Fix: Remove temp directory creation, use existing checkout.

Major Issues

7. No Timeout Configuration

Execution has no timeout, could run until 6-hour job limit.

Fix: Add timeout-minutes: 15

8. Missing Validation of Changes

Doesn't verify linters pass or tests run before committing despite documentation promising this.

Fix: Add validation step that runs appropriate linters/tests.

9. Configuration File Not Used

Comprehensive amber-config.yml defines safety guardrails but workflow never reads or enforces them.

Fix: Add validation step against config.

10. Branch Name Sanitization Insufficient

Removes all spaces creating unreadable names like amberrefactorlargefile.

Fix: Replace invalid chars with dashes, collapse multiple dashes.

Minor Issues

  • Documentation inconsistency (references non-existent workflows)
  • Hardcoded model name with no override
  • No rate limiting
  • Missing rollback strategy documentation
  • Weak template guidance (files marked optional)

Positive Highlights

  1. Excellent comprehensive documentation
  2. Good security awareness on injection prevention
  3. Well-designed issue templates
  4. Thoughtful configuration design with risk-based policies
  5. Structured prompts following best practices
  6. Proper git hygiene (conventional commits, issue references)

Recommendations

Priority 1 (Blockers - Must Fix Before Merge)

  1. Fix the execution step (restore claude-code-action@v1 or proper SDK)
  2. Fix hardcoded path in prompt template
  3. Add error handling for PR creation

Priority 2 (Critical - Should Fix Before Merge)

  1. Fix token security in git operations
  2. Remove duplicate clone, use existing checkout
  3. Add timeout to execution step
  4. Add linter/test validation before committing

Priority 3 (Major - Address Soon After Merge)

  1. Implement config enforcement
  2. Add rate limiting
  3. Fix branch naming sanitization

Conclusion

This PR represents significant effort with excellent documentation and infrastructure design. However, the core workflow execution is fundamentally broken and will not work as implemented.

Suggested Path Forward:

  1. Restore claude-code-action@v1 approach
  2. Fix three blocker issues
  3. Merge with known limitations documented
  4. Address critical/major issues in follow-up PRs

Generated with Claude Code

@jeremyeder jeremyeder mentioned this pull request Nov 25, 2025
Open
19 tasks
@jeremyeder
Copy link
Collaborator Author

jeremyeder commented Nov 25, 2025

this is ready but i want to wait for a release to get pushed.

@jeremyeder
fix(workflows): correct claude-code-action v1 inputs and permissions
6e2a200 
- Add id-token: write permission for OIDC authentication
- Replace invalid prompt_file input with prompt input
- Read prompt file content and pass as string to action
- Fixes GitHub Actions error: 'Unexpected input(s) prompt_file'

Resolves workflow failure at:
https://github.com/ambient-code/platform/actions/runs/19751306206
@jeremyeder
Copy link
Collaborator Author

jeremyeder commented Nov 28, 2025

Workflow Fix Applied ✅

This PR now includes the fix for the GitHub Actions workflow errors.

Issues Fixed:

  1. ✅ Added id-token: write permission (required for OIDC/OAuth authentication)
  2. ✅ Replaced invalid prompt_file input with prompt (reading file content via heredoc)
  3. ✅ Removed non-existent auto_commit and commit_message inputs

Why It Was Failing:

The anthropics/claude-code-action@v1 API changed - it expects:

  • prompt (string content) not prompt_file (file path)
  • id-token: write permission for OAuth token flows

Current Status:

  • The fix is committed at 6e2a200
  • Note: The workflow will continue failing on main until this PR is merged
  • Once merged, the Amber automation will work correctly

Ready to merge - all fixes are in place! 🚀

@jeremyeder jeremyeder merged commit 12a3d20 into ambient-code:main Nov 28, 2025
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jeremyeder