// Activate when user asks to commit, push changes, create a PR, open a pull request, or submit changes for review. Activate when process skill reaches commit or PR phase. Provides commit message formatting and PR structure. PRs default to dev branch, not main. Works with git-privacy skill.
Activate when a subagent completes work and needs continuation check. Activate when a task finishes to determine next steps or when detecting work patterns in user messages. Governs automatic work continuation and queue management.
Orchestrate the end-to-end development workflow with autonomous quality gates. Use when users ask to implement/run workflow phases, start or continue development, handle review/QA findings, or process actionable comments by routing through create-work-items -> plan-work-items -> run-work-items. Enforces TDD by default for implementation work and only pauses for genuine decisions.
Activate when user asks to release, bump version, cut a release, merge to main, or tag a version. Handles version bumping (semver), CHANGELOG updates, PR merging, git tagging, and GitHub release creation.
Create and classify typed work items (epic, story, feature, bug, finding, work-item) in the configured tracking backend. Use when users ask to create/capture work or when actionable findings/comments are discovered from review, PR feedback, QA, regressions, or defect reports.
Plan and prioritize existing typed work items with dependency and hierarchy validation. Use when users ask to sequence work, when new actionable findings/comments were captured, or when blockers/dependencies changed before execution.
Activate when user needs coordination, story breakdown, task delegation, or progress tracking. Activate when the pm skill is requested or work requires planning before implementation. PM coordinates specialists but does not implement.
| name | commit-pr |
| description | Activate when user asks to commit, push changes, create a PR, open a pull request, or submit changes for review. Activate when process skill reaches commit or PR phase. Provides commit message formatting and PR structure. PRs default to dev branch, not main. Works with git-privacy skill. |
| category | process |
| scope | development |
| subcategory | version-control |
| tags | ["git","pull-request","commit","review"] |
| version | 10.2.19 |
| author | Karsten Samaschke |
| contact-email | karsten@vanillacore.net |
| website | https://vanillacore.net |
This skill handles git commits and pull requests with specific formatting requirements.
Use this skill when the request requires commit, push, PR creation, or PR merge actions.
Use this skill when prompts include:
devDo not use this skill for:
release| Test ID | Type | Prompt / Condition | Expected Result |
|---|---|---|---|
| CPR-T1 | Positive trigger | "Commit these changes and push the branch" | skill triggers |
| CPR-T2 | Positive trigger | "Create a PR to dev with a summary and test plan" | skill triggers |
| CPR-T3 | Negative trigger | "Explain this PR feedback" | skill does not trigger |
| CPR-T4 | Negative trigger | "Plan work items for these findings" | skill does not trigger |
| CPR-T5 | Behavior | skill triggered for commit/PR | enforces prerequisites, branch/worktree policy, and no-AI-attribution commit/PR content |
| CPR-T6 | Behavior | missing autonomy.system_level in user ica.config.json | asks user, persists autonomy.system_level, then proceeds |
| CPR-T7 | Behavior | missing autonomy.project_level in project ica.config.json | asks user, persists autonomy.project_level, then proceeds |
| CPR-T8 | Behavior | project autonomy is follow-system | resolves effective autonomy and applies it to confirmation behavior for commit/push/PR/merge |
| CPR-T9 | Behavior | PR created to dev | automatically runs post-PR Stage 3 review loop and posts fresh review receipt for current head SHA |
| CPR-T10 | Behavior | security review enabled for scope | automatically runs security review loop, fixes findings, and posts fresh security receipt for current head SHA |
| CPR-T11 | Behavior | repo has no required checks configured | treats checks gate as pass-with-note (no required checks configured) instead of indefinite block |
| CPR-T12 | Behavior | security receipt missing verifiable dedicated-subagent execution fields | fails merge gate and requires refreshed receipt with executor verification |
Resolve autonomy settings from ica.config.json hierarchy (not tracking config):
${ICA_HOME}/ica.config.json$HOME/.codex/ica.config.json$HOME/.claude/ica.config.json./ica.config.jsonRequired keys:
autonomy.system_level: L1 | L2 | L3 (default L2)autonomy.project_level: follow-system | L1 | L2 | L3 (default follow-system)Bootstrap prompts (if missing):
autonomy.system_level missing:
L2 (recommended), L1, or L3?"ica.config.jsonautonomy.project_level missing:
follow-system (recommended), L1, L2, or L3?"ica.config.jsonCompatibility:
autonomy.level exists and autonomy.system_level is missing, treat legacy value as system level for this run and persist it as autonomy.system_level.Effective level:
project_level is L1/L2/L3, use project levelproject_level is follow-system, use system levelEffective-level behavior for this skill:
L1: require explicit confirmation before each commit/push/PR/merge actionL2: follow standard gated flow with confirmations for significant/high-impact actionsL3: proceed automatically once all gates pass (except required explicit approvals for protected actions)PRs go to dev by default, NOT main.
feature/* → PR to dev (default, normal workflow)
dev → PR to main (release only, requires explicit request)
# CORRECT - PR to dev (default)
gh pr create --base dev
# WRONG - PR to main (unless releasing)
gh pr create --base main # DO NOT DO THIS!
Before ANY commit or PR, you MUST:
Resolve effective autonomy level from ICA config
autonomy.system_level + autonomy.project_level and effective level (L1/L2/L3)ica.config.json at correct scopeResolve branch/worktree behavior from ICA config
git.worktree_branch_behavior from ica.config.jsonalways_new: ensure changes are on a dedicated worktree + prefixed branchmain or devRun tests - All tests must pass
Run reviewer skill - Must complete with no blocking findings
Run security review - Must complete with no blocking security findings
security-best-practices for supported stacksFix all findings - Auto-fix or get human decision
Run validate skill checks - Ensure completion criteria + state transition validity
Run backend-aware tracking verification for the selected backend
Confirm larger changes explicitly - Always ask before committing broad/high-impact changes
BLOCKED until prerequisites pass:
- git commit
- git push
- gh pr create
If you skip these steps, you are violating the process.
Pre-commit gate:
validate checks passPre-PR-create gate:
dev by default; main only for explicit release)always_new requires dedicated worktree + prefixed branch)Pre-merge gate:
validate checks pass for merge candidateFail-closed behavior:
Read git.worktree_branch_behavior from ica.config.json hierarchy.
Allowed values:
always_newaskcurrent_branchIf missing:
ica.config.jsonEnforcement:
always_new, create and use a dedicated worktree + prefixed branchask, ask before commit/PR scope and honor responsecurrent_branch, still enforce branch safety (dev default PR target, never feature work on main)Large-change confirmation is mandatory regardless of policy.
Branch prefix resolution (no hardcoding):
git.worktree_branch_prefix is set, use it (examples: agent/, claude/, cursor/)codex/, claude/, cursor/, gemini/, antigravity/)agent/Branch name template:
<resolved-prefix><short-scope-slug>-<YYYYMMDDHHMMSS>NEVER include any of the following in commits or PRs:
Co-Authored-By: lines for AI models or toolsYou CAN include:
Use this format for commit messages:
<type>: <short description>
<optional body with more details>
| Type | Usage |
|---|---|
feat | New feature |
fix | Bug fix |
docs | Documentation changes |
refactor | Code refactoring |
test | Adding or updating tests |
chore | Maintenance tasks |
style | Formatting, missing semicolons, etc. |
perf | Performance improvements |
# Simple commit
git commit -m "feat: Add user authentication endpoint"
# Commit with body (use HEREDOC)
git commit -m "$(cat <<'EOF'
fix: Resolve race condition in payment processing
The payment processor was not awaiting transaction confirmation
before updating order status. Added proper async handling.
EOF
)"
When creating PRs with gh pr create:
# ALWAYS specify --base dev (unless releasing to main)
gh pr create --base dev --title "<type>: <title under 70 chars>" --body "$(cat <<'EOF'
## Summary
- Brief overview (1-3 bullets)
## Changes
- What was modified
## Test Plan
- [ ] Test case 1
- [ ] Test case 2
## Breaking Changes
- (if applicable)
EOF
)"
Only when explicitly releasing:
gh pr create --base main --title "release: v10.2.0" --body "$(cat <<'EOF'
## Release Summary
- Version: v10.2.0
- Changes since last release
## Verification
- [ ] Dev branch stable
- [ ] All tests passing
- [ ] Release notes updated
EOF
)"
git status to see changesgit diff to review what changedgit add -A for sensitive files)tests + reviewer + validate + tracking verify)git log origin/dev..HEAD to see all commits for the PRvalidate + tracking verify + target-branch check)gh pr create --base dev (NOT main!)Immediately after PR creation (and after every push to PR branch), run this loop:
security-best-practicessecurity-engineer for high-risk/complex issuesICA-REVIEW-RECEIPT (Findings: 0, Result: PASS)ICA-SECURITY-REVIEW-RECEIPT (Findings: 0, Result: PASS, dedicated security subagent evidence)no required checks configured and continuegh pr create --base maingit tag v10.2.0This skill may be used to merge PRs, but ONLY after the merge gates below are satisfied.
ICA-REVIEW / ICA-REVIEW-RECEIPT comment.Reviewer-Stage: 3 (temp checkout) (dedicated reviewer/subagent context)Reviewer-Agent: ... (subagent) (must indicate subagent execution)Head-SHA: <sha> matching the PR's current headRefOidFindings: 0 and NO FINDINGSResult: PASSICA-SECURITY-REVIEW-RECEIPT comment.Security-Reviewer-Stage: post-pr (temp checkout)Security-Reviewer-Agent: ... (subagent)Security-Reviewer-Execution: dedicated-security-subagentSecurity-Reviewer-Executor: github:<login>Security-Reviewer-Run-ID: <non-empty run id>Head-SHA: <sha> matching the PR's current headRefOidFindings: 0 and NO FINDINGSResult: PASSSecurity-Reviewer-Executor login.gh pr checks <PR-number> must show all required checks passing.no required checks configured).validate checks for release/merge readiness.workflow.auto_merge=true for the current AgentTask/workflow context.
dev (never main).By default this repo uses self-review-and-merge:
If you want to also enforce GitHub-style approvals (at least 1 APPROVED review), set:
workflow.require_github_approval=trueNotes:
APPROVED review.Auto-merge is controlled by the workflow configuration that drives AgentTasks:
workflow.auto_merge./ica.workflow.json or ~/.claude/ica.workflow.json over ica.workflow.default.jsonMinimal project workflow example (ica.workflow.json):
{
"medium": { "auto_merge": true },
"large": { "auto_merge": true },
"mega": { "auto_merge": true }
}
PR=<PR-number>
HEAD_SHA=$(gh pr view "$PR" --json headRefOid --jq .headRefOid)
# Grab the most recent receipt body (if any)
RECEIPT=$(gh pr view "$PR" --json comments --jq '.comments | map(select(.body | contains("ICA-REVIEW-RECEIPT"))) | last | .body // ""')
echo "$RECEIPT" | rg -q "Reviewer-Stage: 3 \\(temp checkout\\)" || echo "Missing Stage 3 receipt"
echo "$RECEIPT" | rg -q "Reviewer-Agent:.*\\(subagent\\)" || echo "Missing Reviewer-Agent subagent marker"
echo "$RECEIPT" | rg -q "Head-SHA: $HEAD_SHA" || echo "Receipt is missing/stale for current head SHA"
echo "$RECEIPT" | rg -q "Findings: 0" || echo "Receipt does not indicate zero findings"
echo "$RECEIPT" | rg -q "NO FINDINGS" || echo "Receipt does not include NO FINDINGS marker"
echo "$RECEIPT" | rg -q "Result: PASS" || echo "Receipt does not indicate PASS"
If any verification line fails: DO NOT MERGE. Re-run reviewer Stage 3 and post a fresh receipt.
PR=<PR-number>
HEAD_SHA=$(gh pr view "$PR" --json headRefOid --jq .headRefOid)
SEC_RECEIPT=$(gh pr view "$PR" --json comments --jq '.comments | map(select(.body | contains("ICA-SECURITY-REVIEW-RECEIPT"))) | last | .body // ""')
echo "$SEC_RECEIPT" | rg -q "Security-Reviewer-Stage: post-pr \\(temp checkout\\)" || echo "Missing security stage marker"
echo "$SEC_RECEIPT" | rg -q "Security-Reviewer-Agent:.*\\(subagent\\)" || echo "Missing security subagent marker"
echo "$SEC_RECEIPT" | rg -q "Security-Reviewer-Execution: dedicated-security-subagent" || echo "Missing dedicated security execution marker"
echo "$SEC_RECEIPT" | rg -q "^Security-Reviewer-Run-ID: [A-Za-z0-9._:-][A-Za-z0-9._:-]*$" || echo "Missing/invalid security run id"
echo "$SEC_RECEIPT" | rg -q "Head-SHA: $HEAD_SHA" || echo "Security receipt is missing/stale for current head SHA"
echo "$SEC_RECEIPT" | rg -q "Findings: 0" || echo "Security receipt does not indicate zero findings"
echo "$SEC_RECEIPT" | rg -q "NO FINDINGS" || echo "Security receipt does not include NO FINDINGS marker"
echo "$SEC_RECEIPT" | rg -q "Result: PASS" || echo "Security receipt does not indicate PASS"
SEC_EXECUTOR=$(echo "$SEC_RECEIPT" | sed -n 's/^Security-Reviewer-Executor: github:\\(.*\\)$/\\1/p' | head -n1)
SEC_AUTHOR=$(gh pr view "$PR" --json comments --jq '.comments | map(select(.body | contains("ICA-SECURITY-REVIEW-RECEIPT"))) | last | .author.login // ""')
test -n "$SEC_EXECUTOR" || echo "Missing security executor login"
[ "$SEC_AUTHOR" = "$SEC_EXECUTOR" ] || echo "Security executor/login mismatch (author=$SEC_AUTHOR executor=$SEC_EXECUTOR)"
If any verification line fails: DO NOT MERGE. Re-run post-PR security review and post a fresh receipt.
PR=<PR-number>
HEAD_SHA=$(gh pr view "$PR" --json headRefOid --jq .headRefOid)
BASE_BRANCH=$(gh pr view "$PR" --json baseRefName --jq .baseRefName)
DATE_UTC=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
SEC_REVIEWER=$(gh api user --jq .login)
SEC_RUN_ID="sec-$(date -u +%Y%m%dT%H%M%SZ)-${HEAD_SHA:0:12}"
gh pr comment "$PR" --body "$(cat <<EOF
ICA-SECURITY-REVIEW
ICA-SECURITY-REVIEW-RECEIPT
Security-Reviewer-Stage: post-pr (temp checkout)
Security-Reviewer-Agent: security reviewer (subagent)
Security-Reviewer-Execution: dedicated-security-subagent
Security-Reviewer-Executor: github:$SEC_REVIEWER
Security-Reviewer-Run-ID: $SEC_RUN_ID
PR: #$PR
Base: $BASE_BRANCH
Head-SHA: $HEAD_SHA
Date-UTC: $DATE_UTC
Findings: 0
NO FINDINGS
Result: PASS
EOF
)"
PR=<PR-number>
CHECKS_OUTPUT=$(gh pr checks "$PR" 2>&1 || true)
if echo "$CHECKS_OUTPUT" | rg -q "no checks reported"; then
echo "No required checks configured; checks gate = pass-with-note."
else
echo "$CHECKS_OUTPUT"
fi
PR=<PR-number>
REQUIRE_GH_APPROVAL=${REQUIRE_GH_APPROVAL:-false} # set to true if workflow.require_github_approval=true
PR_AUTHOR=$(gh pr view "$PR" --json author --jq .author.login)
GH_USER=$(gh api user --jq .login)
APPROVALS=$(gh pr view "$PR" --json reviews --jq '[.reviews[] | select(.state=="APPROVED")] | length')
if [ "$REQUIRE_GH_APPROVAL" = "true" ]; then
if [ "$PR_AUTHOR" = "$GH_USER" ]; then
echo "Self-authored PR ($GH_USER): GitHub forbids self-approval; approvals require a bot/second identity."
else
test "$APPROVALS" -ge 1 || echo "Missing GitHub APPROVED review"
fi
fi
gh pr merge <PR-number> --squash --delete-branch
# Stage files
git add src/auth/login.ts src/auth/types.ts
# Commit without any AI attribution
git commit -m "feat: Add login validation with rate limiting"
gh pr create --title "feat: Add user authentication" --body "$(cat <<'EOF'
## Summary
- Implements JWT-based authentication
- Adds login/logout endpoints
- Includes rate limiting for security
## Changes
- Added `src/auth/` module with authentication logic
- Updated API routes to include auth endpoints
- Added middleware for protected routes
## Test Plan
- [ ] Test login with valid credentials
- [ ] Test login with invalid credentials
- [ ] Verify rate limiting after 5 failed attempts
EOF
)"
When this skill runs, produce:
system_level, project_level, effective level, and whether defaults were bootstrapped)git.worktree_branch_behavior) and enforcement resultSecurity-Reviewer-Execution, Security-Reviewer-Executor, Security-Reviewer-Run-ID) and executor/author matchno required checks configured)git diff before committing