Skip to content

ci: harden Mintlify docs automation (AI triage classifier + scoped generator) #2405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chelojimenez merged 1 commit into from
Jun 5, 2026
+73 −26
Merged

ci: harden Mintlify docs automation (AI triage classifier + scoped generator) #2405

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 0 additions & 19 deletions .github/workflows/auto-merge-mintlify.yml
View file
Open in desktop

This file was deleted.

63 changes: 63 additions & 0 deletions .github/workflows/mintlify-triage.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
name: Mintlify PR Triage

# Auto-triages documentation PRs opened by the Mintlify bot. A Claude classifier
# verifies each PR against the actual code, then takes exactly ONE action:
# - MERGE (enable auto-merge; it lands only after CI passes) when it can
# positively confirm the docs are accurate, user-facing, and apply cleanly.
# - CLOSE in every other case — stale / backend-internal / inaccurate /
# duplicate, or anything it cannot confidently verify (bias to close).
# Replaces the previous "auto-merge every bot PR" workflow.

on:
pull_request:
types: [opened]

concurrency:
group: mintlify-triage-${{ github.event.pull_request.number }}
cancel-in-progress: true

jobs:
triage:
# Gate on the PR author, not github.actor (which is spoofable and is the
# human, not the bot, on reopen).
if: github.event.pull_request.user.login == 'mintlify[bot]'
runs-on: ubuntu-latest
permissions:
contents: write # enable auto-merge
pull-requests: write # close / comment
id-token: write # claude-code-action auth
actions: read # read CI status
Comment on lines +25 to +29

@chatgpt-codex-connector chatgpt-codex-connector Bot Jun 4, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Grant issues:write for label operations

In the triage workflow I checked, the GITHUB_TOKEN permissions explicitly omit issues, so unspecified permissions are none; GitHub's Labels REST API documents Create a label as requiring Issues repository permission with write access. Because the very next step runs gh label create ... --force, every Mintlify PR run will fail before Claude can merge/close/review anything unless this job grants issues: write.

Useful? React with 👍 / 👎.

Comment thread
coderabbitai[bot] marked this conversation as resolved.

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1 # full file tree (code + docs) so feature greps work
Comment on lines +32 to +35

@coderabbitai coderabbitai Bot Jun 4, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/mintlify-triage.yml"

echo "== File =="
wc -l "$FILE"
echo
echo "== Uses lines =="
rg -n "^\s*uses:" "$FILE" || true

echo
echo "== Lines 1-120 =="
nl -ba "$FILE" | sed -n '1,120p'

Repository: MCPJam/inspector

Length of output: 298

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/mintlify-triage.yml"

echo "== Full file (numbered) =="
cat -n "$FILE"

echo
echo "== Permissions occurrences =="
rg -n "permissions:" "$FILE" || true

echo
echo "== Checkout step block (lines containing checkout until blank line or next - name/uses) =="
# crude but sufficient for small file
awk '
  /uses: actions\/checkout@/ {start=1}
  start {print}
  start && NR>1 && NF==0 {exit}
' "$FILE"

Repository: MCPJam/inspector

Length of output: 5171

🌐 Web query:

actions/checkout v4 persist-credentials default write token .git/config

💡 Result:

In actions/checkout (v4 and later), the persist-credentials input defaults to true [1][2][3]. While earlier iterations of the action directly wrote the authentication token into the local.git/config file, recent updates have improved credential security by storing them in a separate file within the runner's temporary directory ($RUNNER_TEMP) [3][4][5][6]. The action then references this file using git config include.path mechanisms rather than embedding the token directly into the repository's primary configuration [6]. Key points regarding this behavior: - Default behavior: The action automatically configures the token to enable authenticated git commands (like git fetch or git push) during the job [7][8][3]. - Security: Credentials are kept in a separate file under $RUNNER_TEMP, not directly inside.git/config [3][4][5][6]. - Cleanup: The token and the associated temporary configuration file are removed during post-job cleanup [7][8][3]. - Opt-out: You can disable this behavior by setting persist-credentials: false in your workflow step [7][8][3].

Citations:

Pin third-party actions to commit SHAs and disable checkout credential persistence

  • actions/checkout@v4 and anthropics/claude-code-action@v1 are on mutable tags—pin both to full commit SHAs.
  • actions/checkout defaults persist-credentials to true; since this job has contents/pull-requests: write, set with: persist-credentials: false on checkout to avoid leaving authenticated git credentials configured during the run.
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 29-32: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mintlify-triage.yml around lines 29 - 32, Update the
workflow to pin mutable action tags to immutable commit SHAs: replace uses:
actions/checkout@v4 and uses: anthropics/claude-code-action@v1 with their
respective full commit SHAs so the actions are deterministic; additionally, add
with: persist-credentials: false to the actions/checkout invocation (alongside
fetch-depth) to prevent leaving authenticated git credentials in the runner when
the job has contents/pull-requests: write.

persist-credentials: false # job has write perms; Claude uses gh, not git auth

- name: Classify and act
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
additional_permissions: |
actions: read
claude_args: >-
--model claude-sonnet-4-6
--allowed-tools "Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr merge:*),Bash(gh pr close:*),Bash(gh pr comment:*),Bash(git grep:*),Bash(git log:*),Bash(git show:*),Bash(git ls-files:*),Grep,Glob,Read"
prompt: |
You are the documentation-PR triager for ${{ github.repository }}. PR #${{ github.event.pull_request.number }} was opened by the Mintlify docs bot. Decide and execute EXACTLY ONE outcome: MERGE or CLOSE. Bias toward CLOSE — only MERGE when you can positively verify the PR is good. Everything published must be user-facing, accurate, and free of backend/internal detail. Do not ask questions; take the action yourself with the gh CLI.

Investigate first (read-only):
- Diff + metadata: `gh pr diff ${{ github.event.pull_request.number }}` and `gh pr view ${{ github.event.pull_request.number }} --json files,mergeable,mergeStateStatus,title,body`. A non-mergeable / conflicting PR usually means it targets a page that was renamed or deleted (stale).
- Confirm any feature the PR documents actually exists in the code: `git grep -i "<symbol or exact UI string>" -- mcpjam-inspector/ sdk/`. If you cannot find it, treat the feature as non-existent.

@cursor cursor Bot Jun 4, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Triage skips CLI code paths

Medium Severity

The triage prompt tells the classifier to verify features only under mcpjam-inspector/ and sdk/, but many user-facing docs describe cli/ behavior. Legitimate bot PRs can be closed as documenting non-existent features when symbols live only in cli/.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7b97cd4. Configure here.

- Check whether the content is already documented: `git grep -i "<phrase>" -- docs/`.

MERGE only if you can confirm ALL of: the PR is mergeable; every target page still exists; the feature is present in the code; the content is user-facing and accurate; and it is not a duplicate or editing anything under `docs/contributing/**`.

CLOSE in every other case — stale (deleted/renamed page or not mergeable); backend/internal content (Convex, internal HTTP endpoints/routes, environment variables, secrets/keys, server-side persistence or runtime, internal source-file paths); a feature you cannot find in the code; a duplicate; a clear factual error versus the code; OR anything you are not confident enough to merge. Closing is safe and cheap — the bot regenerates a fresh PR when the code changes again.

@cursor cursor Bot Jun 4, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Early mergeable check closes PRs

Medium Severity

Triage runs immediately on opened and requires mergeable to MERGE, while GitHub often reports mergeable as unknown right after open. With a close bias, valid docs PRs can be closed before mergeability is computed.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7b97cd4. Configure here.

@chatgpt-codex-connector chatgpt-codex-connector Bot Jun 5, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don't close PRs while mergeability is still pending

Because this workflow runs immediately on pull_request.opened, gh pr view --json mergeable,mergeStateStatus can still report an unknown/non-mergeable value for a clean PR while GitHub computes the test merge commit; GitHub's Pulls API docs state that mergeable may be null while a background job computes it and the request should be retried after giving it time. With the current CLOSE rule, a newly opened Mintlify PR can be closed as stale before GitHub has finished computing mergeability, so the triager should wait/retry or distinguish UNKNOWN/null from an actual conflict.

Useful? React with 👍 / 👎.


Execute exactly one, then stop:
- MERGE → `gh pr merge ${{ github.event.pull_request.number }} --auto --squash`
- CLOSE → `gh pr close ${{ github.event.pull_request.number }} --comment "<one concise sentence on why>"`
Comment on lines +46 to +61

@coderabbitai coderabbitai Bot Jun 4, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore the promised REVIEW fallback.

The workflow now forces every uncertain case into CLOSE, but the PR objective for this automation explicitly calls for a third outcome: label needs-human-review when the classifier cannot decide. As written, ambiguous-but-possibly-correct docs PRs will be auto-closed instead of escalated, which changes the contract and makes the triage materially harsher than intended. Please add the REVIEW path back to both the tool allowlist and the prompt’s decision rules.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mintlify-triage.yml around lines 45 - 60, The workflow
removed the REVIEW fallback: update the allowed-tools string (the
--allowed-tools entry) to permit labeling (e.g., include Bash(gh pr label:* or
Bash(gh pr edit:*)) and modify the prompt decision block (the prompt: | text
that currently forces MERGE or CLOSE) to add a third branch "REVIEW" when the
classifier is unsure; implement the exact action by adding a new EXECUTE line
that runs a gh command to apply the needs-human-review label (for example `gh pr
label ${{ github.event.pull_request.number }} --add needs-human-review` or `gh
pr edit ... --add-label needs-human-review`) and ensure the instructions state
to choose MERGE, CLOSE, or REVIEW (label then stop) so
ambiguous-but-possibly-correct PRs are escalated rather than auto-closed.


Keep the comment to a single sentence.
17 changes: 10 additions & 7 deletions .github/workflows/update-docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ on:

jobs:
update-docs:
# Only run if PR was actually merged (not just closed)
if: github.event.pull_request.merged == true
# Only run when a non-bot PR is actually merged. Skipping mintlify[bot]'s own
# merged docs PRs prevents a generate -> auto-merge -> generate loop.
if: github.event.pull_request.merged == true && github.event.pull_request.user.login != 'mintlify[bot]'
runs-on: ubuntu-latest

steps:
Expand Down Expand Up @@ -70,13 +71,15 @@ jobs:
'```',
``,
`## Instructions`,
`First, review the merged diff and the repository's \`docs/\` directory to assess whether documentation changes are actually needed. If no relevant updates are needed, make no file changes and do not open a PR.`,
`First, review the merged diff and the repository's \`docs/\` directory to decide whether USER-FACING documentation actually needs to change. If not, make no changes and do not open a PR.`,
``,
`If updates are needed, categorize the change and update only the appropriate docs under \`docs/\`. We have two main types of docs:`,
`1. **Feature docs** (how users use features)`,
`2. **Contributing docs** (engineering concepts for technical contributors) live under \`docs/contributing/\` and \`docs/evals/\``,
`Hard rules:`,
`- Only edit user-facing feature docs. NEVER create or modify anything under \`docs/contributing/**\` — that directory is internal and off-limits to this agent.`,
`- NEVER document backend or internal implementation details: Convex, internal HTTP endpoints or routes, environment variables, secrets or keys, server-side persistence/runtime mechanics, or internal source-file paths.`,
`- Ground every statement in the provided diff and the current code/docs. Do NOT invent features, flags, tools, defaults, or numbers; if you cannot confirm a detail from the diff or the repository, omit it.`,
`- Target the CURRENT docs structure. If the relevant page appears to have been renamed or removed, update the current equivalent page instead of recreating the old one; check \`docs/docs.json\` for the live page list.`,
``,
`Keep edits minimal, precise, and user-focused. When adding/moving pages, update \`docs/docs.json\` to keep navigation accurate. Use concise commit messages and open a focused PR only when changes are required. Use .mmd files for diagrams and other visual content if needed.`,
`Keep edits minimal, precise, and user-focused. When adding or moving pages, update \`docs/docs.json\` so navigation stays accurate. Use concise commit messages and open a single focused PR only when user-facing changes are required. Use .mmd files for diagrams and other visual content if needed.`,
Comment thread
coderabbitai[bot] marked this conversation as resolved.
].join('\n');

const url = `https://api.mintlify.com/v1/agent/${projectId}/job`;
Expand Down
Loading