From 1684618336db9e8812083d9bf5e5592f4cceb31c Mon Sep 17 00:00:00 2001 From: topcoder1 Date: Thu, 30 Apr 2026 10:30:23 -0700 Subject: [PATCH 1/2] docs: soften OIDC caveat, document workflow-perms autoflip --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 42b6e48..aa85210 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,7 @@ The script reads `ANTHROPIC_API_KEY` from env, falling back to 1Password (`op:// ## Caveats -- **Target repo must allow workflow writes:** Settings → Actions → General → Workflow permissions → "Read and write permissions" -- **`gh pr merge --auto` only waits if there are required status checks.** Without a ruleset, it merges immediately. Add a ruleset on each target repo before relying on auto-merge. +- **Target repo workflow permissions:** must be "Read and write" (Settings → Actions → General). `install-pr-review.sh` auto-flips this; if you wire callers manually, flip it yourself. +- **`gh pr merge --auto` only waits if there are required status checks.** Without a ruleset, it merges immediately. `install-pr-review.sh` creates a ruleset by default (`--no-ruleset` to skip). +- **Install PR's `Claude Review` check may fail** with an OIDC "workflow validation" error on PRs that modify the workflow file itself. In practice it often passes; if it fails, merge with admin bypass. Subsequent PRs work normally. - **This repo is public** — required for cross-account reusable-workflow calls (e.g. `topcoder1/ci-workflows` → `whois-api-llc/*`). The workflows contain no secrets. From d7dbb6f6732eda591ade546bb2332d7ac6f9b1d9 Mon Sep 17 00:00:00 2001 From: topcoder1 Date: Thu, 30 Apr 2026 10:55:16 -0700 Subject: [PATCH 2/2] ci: trigger Claude Review (post-install)
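Review bot: the third added bullet tells readers to "merge with admin bypass" when the `Claude Review` check fails, which routinely bypasses the very check the ruleset created by `install-pr-review.sh` is meant to enforce; the bullet should state that this applies only to the single install PR that modifies the workflow file, that the OIDC "workflow validation" failure is the expected cause, and that any other failing `Claude Review` check should not be bypassed. Two smaller points in the same hunk: the first bullet says the script auto-flips the target repo to "Read and write" workflow permissions, but that setting widens the default `GITHUB_TOKEN` for every workflow in the repo, not just the installed one, so the README should say so (and that per-job `permissions:` can narrow it back); and the second bullet documents `--no-ruleset` without noting that skipping the ruleset restores the immediate-merge behaviour described in the same sentence, e.g. "`--no-ruleset` to skip; without a ruleset, `--auto` merges immediately".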