The App installation token lacks contents:write, so creating the
pocketbase-sync/<slug> branch failed with 403 "Resource not accessible by
integration". Mirror the slash bot: run the CT-defaults branch/commit/PR
operations with the built-in GITHUB_TOKEN (workflow now requests
contents:write + pull-requests:write), while the App token still posts the
user-facing comments/reactions. ensureBranch/upsertCtDefaultsPr shadow
ghRequest with a GITHUB_TOKEN-authenticated ghDefault.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- Trigger and all user-facing text now use @pocketbase-bot (the bare
@pocketbase handle collides with an existing account)
- Confirm flow only trusts a pocketbase-pending marker found in a comment
authored by this bot app (performed_via_github_app.id == PB_BOT_APP_ID),
preventing a forged-marker spoof; decoded operations are re-validated
against the field/op allow-lists before applying (shared sanitizeOperations)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Adds an isolated workflow that lets maintainers manage PocketBase script
records in plain English by mentioning @pocketbase in an issue/PR comment
(e.g. "@pocketbase change RAM to 4096 on zigbee2mqtt").
- Interprets the request with GitHub Models (built-in GITHUB_TOKEN + models:read)
- Posts under a dedicated GitHub App identity (PB_BOT_APP_ID/PB_BOT_APP_PRIVATE_KEY)
- Propose-then-confirm: replies with the parsed change set and a hidden marker;
applies only after "@pocketbase confirm"
- Reuses the slash bot's field/note/method allow-lists, validation, revalidate,
and CT-defaults sync PR logic; self-author guard prevents trigger loops
- Existing /pocketbase slash bot is untouched (triggers do not overlap)
Inert until the GitHub App is created and its two secrets are added.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>