The App installation token lacks contents:write, so creating the
pocketbase-sync/<slug> branch failed with 403 "Resource not accessible by
integration". Mirror the slash bot: run the CT-defaults branch/commit/PR
operations with the built-in GITHUB_TOKEN (workflow now requests
contents:write + pull-requests:write), while the App token still posts the
user-facing comments/reactions. ensureBranch/upsertCtDefaultsPr shadow
ghRequest with a GITHUB_TOKEN-authenticated ghDefault.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- Trigger and all user-facing text now use @pocketbase-bot (the bare
@pocketbase handle collides with an existing account)
- Confirm flow only trusts a pocketbase-pending marker found in a comment
authored by this bot app (performed_via_github_app.id == PB_BOT_APP_ID),
preventing a forged-marker spoof; decoded operations are re-validated
against the field/op allow-lists before applying (shared sanitizeOperations)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
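
The confirm-flow check described in the commit message above, sketched as an added example; it is not the project's code. The marker format (an HTML comment carrying base64 JSON), the allow-list contents, the app id value, and the `findTrustedPending` and `encode` helpers are assumptions; only `performed_via_github_app.id`, `PB_BOT_APP_ID`, the `pocketbase-pending` marker name and the `sanitizeOperations` name come from the message.

```javascript
// Added example; names and formats marked (assumed) are hypothetical.
const PB_BOT_APP_ID = 123456; // constructed placeholder; real value comes from the workflow env
const MARKER_RE = /<!--\s*pocketbase-pending:([A-Za-z0-9+/=]+)\s*-->/; // (assumed) marker format
const ALLOWED_OPS = new Set(["set"]);                  // (assumed) op allow-list
const ALLOWED_FIELDS = new Set(["ram", "cpu", "hdd"]); // (assumed) field allow-list

// Re-validate decoded operations; anything outside the allow-lists is dropped.
function sanitizeOperations(ops) {
  if (!Array.isArray(ops)) return [];
  return ops.filter(o => o && typeof o === "object" &&
    ALLOWED_OPS.has(o.op) && ALLOWED_FIELDS.has(o.field) &&
    (typeof o.value === "string" || typeof o.value === "number"));
}

// Return the pending operations from the newest comment that was posted
// through the bot's GitHub App; markers in any other comment are ignored.
function findTrustedPending(comments, appId = PB_BOT_APP_ID) {
  for (const c of [...comments].reverse()) {
    const viaApp = c.performed_via_github_app;
    if (!viaApp || viaApp.id !== appId) continue; // not authored by the bot app
    const m = MARKER_RE.exec(c.body || "");
    if (!m) continue;
    try {
      const ops = JSON.parse(Buffer.from(m[1], "base64").toString("utf8"));
      return sanitizeOperations(ops);
    } catch { return []; } // undecodable payload: apply nothing
  }
  return [];
}

// (assumed) helper that builds a marker the way the bot's proposal comment would.
const encode = ops =>
  `<!-- pocketbase-pending:${Buffer.from(JSON.stringify(ops)).toString("base64")} -->`;

// Constructed sample comments (shape follows GitHub REST issue comment objects).
const sampleComments = [
  { body: "Proposed change " + encode([
      { op: "set", field: "ram", value: 4096 },
      { op: "set", field: "is_admin", value: "true" }, // not on the field allow-list
    ]),
    performed_via_github_app: { id: PB_BOT_APP_ID } },
  { body: "looks fine " + encode([{ op: "set", field: "cpu", value: 64 }]),
    performed_via_github_app: null }, // ordinary user comment carrying a forged marker
];

console.log(findTrustedPending(sampleComments));
```

The newer user-authored marker is skipped, and the bot-authored marker still loses the field that is not on the allow-list.
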
Adds an isolated workflow that lets maintainers manage PocketBase script
records in plain English by mentioning @pocketbase in an issue/PR comment
(e.g. "@pocketbase change RAM to 4096 on zigbee2mqtt").
- Interprets the request with GitHub Models (built-in GITHUB_TOKEN + models:read)
- Posts under a dedicated GitHub App identity (PB_BOT_APP_ID/PB_BOT_APP_PRIVATE_KEY)
- Propose-then-confirm: replies with the parsed change set and a hidden marker;
applies only after "@pocketbase confirm"
- Reuses the slash bot's field/note/method allow-lists, validation, revalidate,
and CT-defaults sync PR logic; self-author guard prevents trigger loops
- Existing /pocketbase slash bot is untouched (triggers do not overlap)
Inert until the GitHub App is created and its two secrets are added.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- Job gate uses contains() instead of startsWith() so comments with leading
text still trigger the bot
- Script scans all lines for the first one starting with /pocketbase, instead
of only reading line 0
- Command-line detection moved above the permission check so mid-sentence
mentions exit silently without a "not authorized" reply
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- close-new-script-prs: trigger on added script file OR label, exempt by
author_association (OWNER/MEMBER/COLLABORATOR) instead of team API
- close_issue_in_dev: match VED issues by derived slug, close all matches
- lock-issue: lock closed issues after 7 days instead of 3
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Update the node version drift check to count drift only when our script version is lower than upstream, so newer local versions no longer create false-positive drift issues.
Co-authored-by: Michel Roegl-Brunner <michel.roegl-brunner@example.com>

notes_json was sent as JSON.stringify(arr) inside JSON.stringify(),
causing PocketBase to receive a string instead of a JSON array.
patchMethods already does it correctly — align patchNotes.

Add frontend revalidation and richer command handling for the PocketBase GitHub bot. Key changes:
- Expose FRONTEND_URL and REVALIDATE_SECRET to workflow env and add a best-effort revalidate() helper to ping the frontend after edits.
- Introduce shared parsing/helpers: parseKVPairs, parseTokens, readJsonBlob, formatNotesList, formatMethodsList, and other utilities to centralize logic.
- Add an "info" subcommand to display script details, links, credentials, install methods and notes.
- Improve note handling (add/edit/remove) to use shared parsers and call revalidate after updates; tweak messages and reactions.
- Expand install method management: support add/remove/edit operations, new method fields (cpu, ram, hdd, os, version, config_path, script), validation of unknown fields, and better formatting. Persist install_methods_json as JSON (not stringified JSON) when PATCHing.
- Replace ad-hoc field parsers with the shared key=value parser for field updates and SET handling; call revalidate after SET/field patches.
- Update help text and minor message wording/formatting.
- In push-json-to-pocketbase workflow, remove writing config_path from pushed payload.
These changes aim to make the bot more robust and easier to extend, and to ensure frontend caches are refreshed after data changes.

Compute today's date once and use a consolidated patchBody for PATCH requests (including last_update_commit from PR_URL/COMMIT_URL). Add logic to promote dev scripts on merge: if record.is_dev === true, set is_dev to false and script_created to today, and log the promotion. Replace the previous duplicated date construction with the new patchBody.