
[BRE-1832] refactor(bitwarden-devops-engineer): manual git ops #151

Open

fntyler wants to merge 3 commits into main from bre-1832/git-operations-skills

Conversation

@fntyler fntyler commented Jun 23, 2026

🎟️ Tracking

[BRE-1832](https://bitwarden.atlassian.net/browse/BRE-1832)

📔 Objective

Remove auto-approved git add/commit/push from the action-remediate and workflow-fix skills so these mutating operations are run manually by the user.

* Drop `git add`/`git commit`/`git push` from skill `allowed-tools`
* Present commands for manual run, then create the draft PR after push
* Retarget the diff-confirmation rule to the hand-off step
* Bump plugin to 0.1.4 with CHANGELOG and README catalog updates

@fntyler fntyler requested a review from a team as a code owner June 23, 2026 20:21
@github-actions github-actions Bot commented Jun 23, 2026

Plugin Validation Summary — bitwarden-devops-engineer

PR #151 · All checks passed ✅

This PR removes the auto-approved mutating git operations (git add, git commit, git push) from the action-remediate and workflow-fix skills so they are run manually by the user, and bumps the plugin to 0.1.4 with a matching changelog entry.

Scope validated

| File | Result |
| --- | --- |
| .claude-plugin/plugin.json | ✅ Pass |
| CHANGELOG.md | ✅ Pass |
| skills/action-remediate/SKILL.md | ✅ Pass |
| skills/workflow-fix/SKILL.md | ✅ Pass |

1. Plugin structure (plugin-validator) — ✅ Pass

  • Manifest (plugin.json): valid JSON; name kebab-case, version 0.1.4 is valid semver; all fields well-formed, no unknown fields.
  • Version/name consistency: 0.1.4 matches across plugin.json (line 3), marketplace.json (lines 61–64), and CHANGELOG.md (line 8). Name consistent everywhere.
  • CHANGELOG: Valid Keep a Changelog format; ## [0.1.4] - 2026-06-23 entry under a proper ### Security category, descending version order.
  • Auto-discovery: Compliant skills-only plugin layout (skills/<name>/SKILL.md). README.md present. No stray artifacts.
  • Credentials: None found.

Errors: 0 · Warnings: 0

2. Skill review (skill-reviewer) — ✅ Pass

  • Both changed skills have valid frontmatter (name matches directory, description present with two <example> blocks each), strong third-person/imperative descriptions, and are appropriately lean (~500–600 words; no over-engineered progressive disclosure needed).
  • All cross-skill references resolve: action-audit, workflow-audit, and bitwarden-workflow-linter-rules all exist in the same plugin with matching name fields.
  • Skill bodies correctly align with the reduced allowed-tools: git add/commit/push are presented as manual user commands (action-remediate Step 3, workflow-fix Step 7) rather than executed.

Errors: 0 · Warnings: 2 (minor, non-blocking)

Minor suggestions (not required for merge):

  • skills/workflow-fix/SKILL.md:67 — the step_pinned exception invokes gh api; ensure the procedure documented in bitwarden-workflow-linter-rules uses the gh api --method GET form so it matches the allowed-tools allow-list (line 17) and is not denied at runtime.
  • skills/workflow-fix/SKILL.md:5-6 vs :47 — the description says "Run the workflow-audit skill first," while the body offers to run the linter automatically if the user didn't. Consider aligning the wording.

3. Security review (reviewing-claude-config) — ✅ Pass

  • Secrets/credentials: None. All git/gh examples use placeholders only.
  • No committed settings.local.json.
  • Permission scoping — action-remediate line 18: Read, Edit, Glob, Grep, Bash(gh pr create:*), Bash(git checkout:*), Bash(git diff:*). Mutating git add/commit/push correctly removed. Remaining Bash perms are read-only or branch setup. ✅ Intent of PR confirmed.
  • Permission scoping — workflow-fix line 17: Read, Edit, Glob, Grep, Skill, Bash(bwwl:*), Bash(gh api --method GET *), Bash(git checkout:*), Bash(git diff:*), Bash(git status:*), Bash(gh pr create:*). Mutating git ops correctly removed; gh api constrained to read-only --method GET. ✅ Intent of PR confirmed.
  • No dangerous auto-approvals: no Bash(*) wildcard, no overly broad file access. Both skills enforce "Only modify files under .github/" in their Rules.

Critical: 0 · Major: 0 · Minor: 0


Verdict

APPROVE — All required checks pass. The version bump (0.1.4) and changelog entry are present and consistent, the allowed-tools changes correctly reflect the stated intent of removing auto-approved mutating git operations, and no security issues were found. The two skill-review warnings are minor polish items and do not block merge.
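The permission-scoping checks in the validation summary above (no `Bash(*)` wildcard, mutating `git add`/`commit`/`push` removed, `gh api` constrained to `--method GET`) are the kind of thing worth automating. The following is an added example written for this page, not the plugin's own `plugin-validator` or `reviewing-claude-config` skill: it parses an `allowed-tools` line out of SKILL.md frontmatter, lints it for rules that would auto-approve a mutating git operation, and answers whether a concrete shell command would match the allow-list. The sample frontmatter is constructed from the workflow-fix allow-list quoted in the review, the list of "mutating" git subcommands is an assumption, and the matching semantics (`Bash(prefix:*)` and `Bash(prefix *)` are prefix matches, `Bash(cmd)` is an exact match) are a simplification of Claude Code's permission rules, not a reproduction of them.

```python
import re

# Constructed sample modelled on the reduced allowed-tools the review quotes
# for workflow-fix (SKILL.md line 17). It is not the project's file.
SAMPLE_SKILL_MD = """---
name: workflow-fix
description: Fix bitwarden-workflow-linter findings in .github/ workflows.
allowed-tools: Read, Edit, Glob, Grep, Skill, Bash(bwwl:*), Bash(gh api --method GET *), Bash(git checkout:*), Bash(git diff:*), Bash(git status:*), Bash(gh pr create:*)
---
Skill body goes here.
"""

# git subcommands that change the working tree, history or the remote and
# should therefore require a human to run them (assumed list, extend as needed).
MUTATING_GIT = ("git add", "git commit", "git push", "git reset", "git rebase", "git merge")

BASH_RULE = re.compile(r"Bash\((.*)\)")


def parse_allowed_tools(skill_md: str) -> list[str]:
    """Return the allowed-tools entries from a SKILL.md YAML frontmatter block.
    Entries are comma separated; a comma inside parentheses does not split."""
    fm = re.search(r"\A---\n(.*?)\n---", skill_md, re.S)
    if not fm:
        return []
    for line in fm.group(1).splitlines():
        if line.startswith("allowed-tools:"):
            value = line.split(":", 1)[1]
            return [t.strip() for t in re.split(r",(?![^()]*\))", value) if t.strip()]
    return []


def rule_allows(rule: str, command: str) -> bool:
    """Assumed simplification of Claude Code's Bash permission rules:
    Bash(prefix:*) or Bash(prefix *) allow any command starting with prefix,
    Bash(*) allows everything, and Bash(cmd) allows only that exact command."""
    m = BASH_RULE.fullmatch(rule)
    if not m:
        return False
    pattern = m.group(1)
    if pattern == "*":
        return True
    for suffix in (":*", " *"):
        if pattern.endswith(suffix):
            prefix = pattern[: -len(suffix)]
            return command == prefix or command.startswith(prefix + " ")
    return command == pattern


def command_allowed(tools: list[str], command: str) -> bool:
    """True if any Bash rule in the allow-list auto-approves the command."""
    return any(rule_allows(t, command) for t in tools)


def audit_allowed_tools(tools: list[str]) -> list[str]:
    """Flag unrestricted shell rules and rules whose prefix covers a mutating git op."""
    findings = []
    for t in tools:
        m = BASH_RULE.fullmatch(t)
        if not m:
            continue
        pattern = m.group(1)
        if pattern == "*":
            findings.append(f"{t}: unrestricted shell access")
            continue
        prefix = re.sub(r"(:\*| \*)$", "", pattern)
        for op in MUTATING_GIT:
            # rule equals the op, is narrower than it, or is broad enough to contain it
            if prefix == op or prefix.startswith(op + " ") or op.startswith(prefix + " "):
                findings.append(f"{t}: auto-approves mutating git operation '{op}'")
                break
    return findings


if __name__ == "__main__":
    tools = parse_allowed_tools(SAMPLE_SKILL_MD)
    print("allow-list:", tools)
    print("findings:", audit_allowed_tools(tools) or "none")
    # OWNER/REPO are placeholders, not a real repository
    for cmd in ("gh api --method GET repos/OWNER/REPO/contents/.github/workflows/ci.yml",
                "gh api repos/OWNER/REPO/contents/.github/workflows/ci.yml",
                "git push -u origin fix/workflow-lint"):
        print(f"{cmd!r}: {'auto-approved' if command_allowed(tools, cmd) else 'needs user'}")
```

The second `gh api` form above is the case the skill-review warning describes: without `--method GET` it does not match `Bash(gh api --method GET *)` and would be denied at runtime, while `git push` correctly falls outside the allow-list and is handed to the user.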

@github-actions github-actions Bot commented Jun 23, 2026

🤖 Bitwarden Claude Code Review

Overall Assessment: REQUEST CHANGES

This PR removes the auto-approved git add/git commit/git push permissions from the action-remediate and workflow-fix skills so these mutating operations are run manually by the user, retargets the diff-confirmation rule to the hand-off step, and bumps the plugin to 0.1.4 with CHANGELOG and README updates. The security intent is sound and the skill bodies, branch names, and retained tools (gh pr create, read-only git diff/git status) are internally consistent. The version bump and changelog entry comply with repository requirements. One README table cell lost its column-alignment padding and will fail the prettier lint check.

Code Review Details

  • ⚠️ README.md:16: README table cell lost column-alignment padding; will fail the `prettier --check` lint CI

Comment thread README.md (Outdated)

theMickster previously approved these changes Jun 24, 2026

Comment on lines 66 to +70
```bash
git add .github/
git commit -m "Remediate <action-name> action usage"
git push -u origin fix/action-remediation-<action-name-slug>
```

Contributor

⛏️ If the user is now responsible for manually committing and pushing, is this inline bash necessary?

Author

I think this is a valid point. There is ambiguity here. I'll revisit this to be a bit more explicit with the intent. 👍

Author

Addressed in 064b2ee

Contributor

I'm good with these changes, thoughts @SaintPatrck?

Thanks for the work to improve the plugin @fntyler!
