chore: add autofix.ci workflow

[jdx]

Summary

• Adds autofix.ci GitHub Actions workflow that automatically fixes linting/formatting issues in PRs
• Runs mise run render ::: lint-fix to regenerate docs and apply hk fix --all --slow
• Uses autofix-ci/action@v1.3.3 to commit fixes back to the PR branch
• Skips bot PRs (renovate, mend)
• Matches the pattern used in pitchfork and fnox

Test plan

• actionlint passes
• prettier passes
• Verify autofix runs on a subsequent PR

🤖 Generated with Claude Code

---

Note

Low Risk
CI-only change that adds an automated fixer/committer workflow; main risk is unexpected auto-commits or longer PR CI times, with no production/runtime impact.

Overview
Adds a new .github/workflows/autofix.yml workflow that runs on pull_request to main and automatically applies repo fixes (via mise + bun i and mise run render ::: lint-fix) and commits them back to the PR using autofix-ci/action.

The job uses Rust caching, checks out submodules, enforces concurrency cancellation, and skips running for renovate[bot] and mend[bot] PRs.

^{Written by Cursor Bugbot for commit f05bdbe. This will update automatically on new commits. Configure here.}

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Autofix workflow lacks commit permissions

Medium Severity

autofix.yml sets permissions.contents to read, but autofix-ci/action needs write access to push fix commits back to the PR branch. This prevents the workflow from performing its core behavior, so it runs but cannot apply or publish autofixes.

Additional Locations (1)

• .github/workflows/autofix.yml#L32-L33

 

[greptile-apps]

Greptile Summary

Adds autofix.ci workflow to automatically fix linting and formatting issues in PRs

• Runs mise run render ::: lint-fix to regenerate docs and apply fixes
• Uses pinned action versions with commit SHAs for security
• Skips bot PRs (renovate, mend)
• Critical issue: Workflow will fail because autofix-ci/action needs contents: write and pull-requests: write permissions to commit fixes back to the PR, but currently only has contents: read

Confidence Score: 2/5

• This PR will not work as intended due to incorrect permissions configuration
• The workflow contains a critical logic error where the permissions are set to contents: read but the autofix-ci/action requires write access to push commits back to the PR. This will cause the workflow to fail when it tries to commit fixes. Once the permissions are corrected to contents: write and pull-requests: write, the workflow should function properly.
• .github/workflows/autofix.yml requires immediate attention to fix permissions

Important Files Changed

Filename	Overview
.github/workflows/autofix.yml	New autofix workflow added but has critical permission issue - requires contents: write and pull-requests: write instead of contents: read

_{Last reviewed commit: f05bdbe}

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

The autofix-ci/action requires write permissions to push fixes back to the PR. This will fail with contents: read.

Suggested change

	permissions:
	contents: read
	permissions:
	contents: write
	pull-requests: write

[greptile-apps]

Greptile Summary

Adds autofix.ci GitHub Actions workflow that automatically fixes linting/formatting issues in PRs targeting main. The workflow runs on pull requests (excluding bot PRs from renovate/mend), executes mise run render ::: lint-fix to regenerate docs and apply hk fix --all --slow, then commits fixes back to the PR branch using autofix-ci/action@v1.3.3.

Key changes:

• New .github/workflows/autofix.yml workflow with 10min timeout, Rust caching, and concurrency control
• mise.lock updated by the autofix bot itself (added communique tool), demonstrating the workflow is functional
• Workflow uses pinned action SHAs for security and matches patterns used in other repos (pitchfork, fnox)

Note on permissions: Previous review thread mentioned contents: read permission issue. However, autofix-ci/action uses GitHub App authentication with its own credentials, not the workflow's GITHUB_TOKEN, so the contents: read permission is actually correct for this use case.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it's a CI-only change with no runtime impact
• The workflow is a CI-only addition that matches established patterns from other repos. The autofix bot has already successfully run (evidenced by the mise.lock commit), validating the configuration works. The workflow uses pinned action SHAs, includes appropriate bot filtering, and has no impact on production code or runtime behavior.
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/autofix.yml	Adds autofix.ci workflow to auto-commit lint/format fixes on PRs; uses correct action patterns and bot filtering
mise.lock	Auto-generated lockfile updated by autofix.ci bot to add communique tool dependency

_{Last reviewed commit: 24f6eb1}

[greptile-apps]

Greptile Summary

Adds an autofix.ci GitHub Actions workflow that automatically applies linting and formatting fixes to pull requests. The workflow triggers on PRs to main, runs mise run render ::: lint-fix to regenerate documentation and apply hk fix --all --slow, then commits any changes back to the PR using the autofix-ci/action. It skips bot PRs (renovate, mend) and uses concurrency cancellation to avoid redundant runs.

The workflow has already run successfully (as evidenced by commits 85d2976 and 24f6eb1), proving the implementation works correctly. The mise.lock changes are auto-generated platform additions from running the workflow.

Note: The previous comment about contents: read causing failures is incorrect - autofix.ci uses a GitHub App with its own authentication token, so the workflow-level contents: read permission is appropriate and does not interfere with the action's ability to push commits.

Confidence Score: 5/5

• This PR is safe to merge - it's a CI-only workflow addition with no production impact
• The workflow adds automation for code quality without affecting runtime behavior. The implementation has already been proven to work (commits from autofix.ci bot exist in the PR). The permissions are correctly configured despite the previous comment's concern - autofix.ci uses its own GitHub App token. The workflow includes safety features like bot filtering and timeout limits.
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/autofix.yml	Adds GitHub Actions workflow to automatically fix linting/formatting issues on PRs using autofix.ci
mise.lock	Auto-generated lockfile updated with additional platform targets for existing tools

_{Last reviewed commit: 85d2976}