Summary
Task 6.5 of the Phase 6 plan (docs/superpowers/plans/phase-6-promotion.md) authors runtime-check-private-freshness.yml — a workflow that computes a path-scoped commit-count denominator across glitchwerks/claude-configs (per spec §13 Q7). To do this, the workflow needs an authenticated read on claude-configs.
The intended auth path was the existing claude-action-runner App. As surfaced by verify-app-secrets.yml run 25411149108:
=== /installation/repositories (installation scope) ===
glitchwerks/github-actions
installation token works on 1 repo(s)
The App is only installed on glitchwerks/github-actions, not on glitchwerks/claude-configs. Task 6.5 will fail at the cross-repo git log <pinned-sha>..<main-head> -- <paths> step.
Three resolution paths
| | Approach | Trade-off |
|---|---|---|
| A | Install claude-action-runner on glitchwerks/claude-configs | Cleanest; reuses existing App. One admin click |
| B | Use GITHUB_TOKEN — works for public repos via cross-repo read | Only works if claude-configs is public AND read access is sufficient; doesn't scale to writing |
| C | Add a separate PAT secret (CLAUDE_CONFIGS_READ_PAT) | Adds rotation surface |
Recommendation: A if claude-configs is private, B if public and read-only suffices.
Acceptance criteria
- glitchwerks/claude-configs is public or private
- claude-action-runner on claude-configs with at minimum contents: read and metadata: read
- GITHUB_TOKEN is sufficient for the path-scoped git log Task 6.5 needs (no auth required for public-repo clones)
- verify-app-secrets.yml after install to confirm claude-configs appears in /installation/repositories
Blocks
This blocks Task 6.5 only. Tasks 6.1-6.4 (STAGE 5, rollback workflow, dry-runs) and Tasks 6.6-6.10 (prune, §13 Q5/Q4, PR opening) are independent.
Plan reference
- docs/superpowers/plans/phase-6-promotion.md Task 6.5
- Pre-execution check PE-6 (deferred — App-JWT required to verify from CLI)
🤖 Generated by Claude Code on behalf of @cbeaulieu-gt
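A preflight check of the kind the acceptance criteria call for, as an added example that is not part of the original issue or the project's workflows: it takes the parsed body of GET /installation/repositories plus the installation token's permissions map and fails closed before the cross-repo git log step runs. The function name `preflight` and both sample payloads are constructed for illustration; only the repository names and the contents/metadata read requirement come from the issue.

```python
"""Preflight for a cross-repo read with a GitHub App installation token.

Added example. The payloads are constructed samples shaped like GitHub
REST responses, not output captured from the real App.
"""

# Permission levels in increasing order of privilege.
LEVELS = {"read": 1, "write": 2, "admin": 3}

def preflight(repos_body, token_permissions, target, required):
    """Return a list of problems; an empty list means the read can proceed.

    repos_body        -- parsed JSON from GET /installation/repositories
    token_permissions -- "permissions" object returned with the token (assumed input)
    target            -- "owner/name" the workflow must read
    required          -- minimum levels, e.g. {"contents": "read"}
    """
    repos = repos_body.get("repositories")
    if not isinstance(repos, list):
        return ["malformed response: no repositories list"]  # fail closed
    problems = []
    # GitHub treats owner/name case-insensitively.
    visible = {r.get("full_name", "").lower() for r in repos}
    if target.lower() not in visible:
        total = repos_body.get("total_count", 0)
        if total > len(repos):
            # The endpoint is paginated; one page cannot prove absence.
            problems.append(f"repository list truncated ({len(repos)} of {total}); fetch remaining pages")
        else:
            problems.append(f"installation does not cover {target}")
    for name, needed in required.items():
        granted = token_permissions.get(name)
        if LEVELS.get(granted, 0) < LEVELS[needed]:
            problems.append(f"{name}: need {needed}, have {granted}")
    return problems

# Constructed sample mirroring the state the issue reports: one repo visible.
BEFORE = {"total_count": 1,
          "repositories": [{"full_name": "glitchwerks/github-actions"}]}
# Constructed sample of the state after the App is installed on the second repo.
AFTER = {"total_count": 2,
         "repositories": [{"full_name": "glitchwerks/github-actions"},
                          {"full_name": "glitchwerks/claude-configs"}]}
REQUIRED = {"contents": "read", "metadata": "read"}

if __name__ == "__main__":
    perms = {"contents": "read", "metadata": "read"}
    for label, body in (("before", BEFORE), ("after", AFTER)):
        print(label, preflight(body, perms, "glitchwerks/claude-configs", REQUIRED))
```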