Fix robustness issues in auto-fix-ci workflow [auto-fix]

claude · claude · commit 8defd7ea2ac4 · 2026-01-15T00:26:32.000Z
- Add PR open check before attempting fixes
- Check last 3 commits for [auto-fix] tag (not just last one)
- Handle case where workflow fails but no jobs failed
- Fix comment step to only run when failure_details succeeded
- Remove unnecessary id-token permission
- Add note about fork PR limitation
diff --git a/.github/workflows/auto-fix-ci.yml b/.github/workflows/auto-fix-ci.yml
@@ -1,5 +1,8 @@
 name: Auto Fix CI Failures
 
+# NOTE: This workflow only works for PRs from branches in the same repo.
+# Fork PRs cannot be auto-fixed because GITHUB_TOKEN lacks push access to forks.
+
 on:
   workflow_run:
     workflows: ["Validate"]
@@ -11,7 +14,6 @@ permissions:
   pull-requests: write
   actions: read
   issues: write
-  id-token: write
 
 jobs:
   auto-fix:
@@ -25,32 +27,51 @@ jobs:
       startsWith(github.event.workflow_run.head_branch, 'claude/')
     runs-on: ubuntu-latest
     steps:
+      - name: Check if PR is still open
+        id: pr_check
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: ${{ github.event.workflow_run.pull_requests[0].number }}
+            });
+            return { isOpen: pr.data.state === 'open' };
+
       - name: Checkout code
+        if: fromJSON(steps.pr_check.outputs.result).isOpen
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 10
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Check if last commit was auto-fix (prevent loops)
+      - name: Check for recent auto-fix commits (prevent loops)
+        if: fromJSON(steps.pr_check.outputs.result).isOpen
         id: check_loop
         run: |
-          LAST_COMMIT_MSG=$(git log -1 --pretty=%s)
-          if [[ "$LAST_COMMIT_MSG" == *"[auto-fix]"* ]]; then
+          # Check last 3 commits for auto-fix tag to be more robust
+          RECENT_COMMITS=$(git log -3 --pretty=%s)
+          if echo "$RECENT_COMMITS" | grep -q "\[auto-fix\]"; then
             echo "skip=true" >> $GITHUB_OUTPUT
-            echo "Last commit was an auto-fix, skipping to prevent loop"
+            echo "Recent commit was an auto-fix, skipping to prevent loop"
           else
             echo "skip=false" >> $GITHUB_OUTPUT
           fi
 
       - name: Setup git identity
-        if: steps.check_loop.outputs.skip != 'true'
+        if: |
+          fromJSON(steps.pr_check.outputs.result).isOpen &&
+          steps.check_loop.outputs.skip != 'true'
         run: |
           git config --global user.email "claude[bot]@users.noreply.github.com"
           git config --global user.name "claude[bot]"
 
       - name: Get CI failure details
-        if: steps.check_loop.outputs.skip != 'true'
+        if: |
+          fromJSON(steps.pr_check.outputs.result).isOpen &&
+          steps.check_loop.outputs.skip != 'true'
         id: failure_details
         uses: actions/github-script@v7
         with:
@@ -69,6 +90,15 @@ jobs:
 
             const failedJobs = jobs.data.jobs.filter(job => job.conclusion === 'failure');
 
+            if (failedJobs.length === 0) {
+              return {
+                runUrl: run.data.html_url,
+                failedJobs: [],
+                errorLogs: [],
+                hasFailedJobs: false
+              };
+            }
+
             let errorLogs = [];
             for (const job of failedJobs) {
               try {
@@ -79,7 +109,7 @@ jobs:
                 });
                 errorLogs.push({
                   jobName: job.name,
-                  logs: logs.data.substring(0, 50000) // Limit log size
+                  logs: logs.data.substring(0, 50000)
                 });
               } catch (e) {
                 errorLogs.push({
@@ -92,11 +122,15 @@ jobs:
             return {
               runUrl: run.data.html_url,
               failedJobs: failedJobs.map(j => j.name),
-              errorLogs: errorLogs
+              errorLogs: errorLogs,
+              hasFailedJobs: true
             };
 
       - name: Fix CI failures with Claude
-        if: steps.check_loop.outputs.skip != 'true'
+        if: |
+          fromJSON(steps.pr_check.outputs.result).isOpen &&
+          steps.check_loop.outputs.skip != 'true' &&
+          fromJSON(steps.failure_details.outputs.result).hasFailedJobs
         id: claude
         uses: anthropics/claude-code-action@v1
         with:
@@ -137,22 +171,37 @@ jobs:
           claude_args: "--allowedTools 'Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(git:*),Bash(uv:*),Bash(python:*),Bash(pytest:*),Bash(ruff:*)'"
 
       - name: Comment on PR with fix status
-        if: always() && steps.check_loop.outputs.skip != 'true'
+        if: |
+          always() &&
+          fromJSON(steps.pr_check.outputs.result).isOpen &&
+          steps.check_loop.outputs.skip != 'true' &&
+          steps.failure_details.outcome == 'success'
         uses: actions/github-script@v7
         with:
           script: |
             const prNumber = ${{ github.event.workflow_run.pull_requests[0].number }};
-            const conclusion = '${{ steps.claude.outcome }}';
+            const claudeOutcome = '${{ steps.claude.outcome }}';
+            const hasFailedJobs = ${{ fromJSON(steps.failure_details.outputs.result).hasFailedJobs }};
             const runUrl = '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}';
+            const failureUrl = '${{ fromJSON(steps.failure_details.outputs.result).runUrl }}';
 
             let body;
-            if (conclusion === 'success') {
+            if (!hasFailedJobs) {
+              body = `## CI Auto-Fix Skipped
+
+            The CI workflow failed but no individual jobs failed (possibly a setup/infrastructure issue).
+
+            - **Fix workflow run**: ${runUrl}
+            - **Original failure**: ${failureUrl}
+
+            Manual investigation may be required.`;
+            } else if (claudeOutcome === 'success') {
               body = `## CI Auto-Fix Attempted
 
             Claude has analyzed the CI failure and attempted to fix the issues.
 
             - **Fix workflow run**: ${runUrl}
-            - **Original failure**: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
+            - **Original failure**: ${failureUrl}
 
             Please review the changes pushed to this branch.`;
             } else {
@@ -161,7 +210,7 @@ jobs:
             Claude attempted to fix the CI failure but encountered issues.
 
             - **Fix workflow run**: ${runUrl}
-            - **Original failure**: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
+            - **Original failure**: ${failureUrl}
 
             Manual intervention may be required.`;
             }
