oaustegard/opening-prs
opening-prs/SKILL.md
Open a GitHub PR via API as a flowing graph — branch + push + create_pr + mergeable poll, with structural protection against pushing to main/master/etc. Use when a Claude Code or Claude.ai container needs to land changes on GitHub via the API (no git CLI required) and the prose "create branch, push, open PR, wait for mergeable" workflow keeps drifting under context pressure.
$ install --global
skillsauthnpx skillsauth add oaustegard/claude-skills opening-prsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 11, 2026, 5:59 AM256.2s4 files scanned
SKILL.md
- name:
- opening-prs
- description:
- Open a GitHub PR via API as a flowing graph — branch + push + create_pr + mergeable poll, with structural protection against pushing to main/master/etc. Use when a Claude Code or Claude.ai container needs to land changes on GitHub via the API (no git CLI required) and the prose "create branch, push, open PR, wait for mergeable" workflow keeps drifting under context pressure.
- version:
- 0.1.0
- requires:
- flowing
Opening PRs
A flowing graph that turns the imperative "create branch, push files,
open a PR, poll mergeable_state" workflow into a structural DAG. The
"NEVER push directly to main" rule is encoded as a validate= gate that
physically can't be skipped.
from opening_prs import open_pr
result = open_pr(
repo="owner/repo",
branch_name="feat/cool-thing",
title="Add cool thing",
body="## Summary\n\n...",
files=[
("src/cool.py", "<file content>"),
("docs/cool.md", "<file content>"),
],
base="main", # default; protected names are also rejected
)
print(result["pr_url"]) # https://github.com/.../pull/N
print(result["mergeable_state"]) # clean | dirty | unstable | behind | blocked
What this fixes
The gh pr create workflow (or hand-rolled API calls) has five steps in
prose form:
- Determine the branch name
- Get the base branch's HEAD SHA
- Create the branch
- Push files to the branch
- Create the PR
- Poll
mergeable_stateuntil GitHub finishes computing it
Each step has known failure modes:
- Step 1: Accidentally pushing to
main— the diagnosed pattern that motivated github-procedures §6 in the first place. - Step 6: GitHub returns
mergeable_state: nullimmediately after creation. Need to poll. "Wait a few seconds and check" is prose, not a procedure — so it gets skipped under context pressure.
This skill encodes both as flowing primitives:
determine_branch ──▶ guard ──▶ get_base_head ──▶ create_branch
│ │
│ ▼
│ push_files
│ │
│ ▼
│ create_pr
│ / \
│ ▼ ▼
│ wait_mergeable present_pr [terminal]
│
└─ validate=must_not_be_base_branch
-
validate=must_not_be_base_branchrejectsbranch_name in {"main", "master", "trunk", "production", "prod"}— case-insensitive — and the configuredbaseitself. The body ofcreate_branchnever fires for a protected name. No GitHub API call happens for an invalid branch name. -
retry_until=lambda r: r["mergeable_state"] in SETTLED_STATESconsumes the retry budget while GitHub computes the merge result.unknownandnullkeep polling; settled states (clean,dirty,unstable,behind,blocked) stop. Exhaustion is soft: the PR is still presented with the last observed state.
Auth
Requires GH_TOKEN (or GITHUB_TOKEN) in the environment. Classic PAT
or fine-grained PAT with repo scope.
import os
os.environ["GH_TOKEN"] = "ghp_..." # or load from a .env file
The skill sends User-Agent: opening-prs on every API call. (GitHub
returns 401 "Bad credentials" without a UA, regardless of token
validity. Common trap.)
Result shape
{
"pr_url": "https://github.com/owner/repo/pull/N",
"pr_number": 42,
"pr_state": "open",
"branch": "feat/cool-thing",
"base": "main",
"head_sha": "abc123...",
"mergeable_state": "clean",
"files_pushed": ["src/cool.py", "docs/cool.md"],
"detached_failures": [],
}
Raises RuntimeError only if the main DAG fails (validate, branch
creation, file push, or PR creation). Mergeable polling exhaustion is a
soft failure — the PR exists, the field just isn't computed yet.
Tuning the mergeable poll
open_pr(
...,
mergeable_poll_retries=8, # default 8
mergeable_poll_base_ms=2000, # default 2s
mergeable_poll_max_ms=8000, # default 8s (cap on exponential backoff)
)
When NOT to use
- Pushing many large files (the GitHub Contents API is one-file-per-PUT
with base64 encoding — slow above ~10 files). Use
git pushif you have the CLI. - Needing to amend commits or rewrite history. This skill creates one commit per file via the contents API.
- Anything involving force-push, branch deletion, or PR review-state manipulation. Out of scope; use a different tool.
See also
flowing— the DAG runner this skill is built onclosing-issues— the symmetric "close + synthesize" flow- The
accessing-github-reposskill for byte-layer GitHub access patterns
Related Skills
oaustegard/verifying-claims
development
VerifiedTrustedCommunity
--- name: verifying-claims description: Check that a document's claims about code are actually true by reading the prose, the code, and the tests and reporting (or fixing) where they disagree. Use whenever the user wants to verify a README, guide, spec, or docstring still matches the code; whenever they mention documentation drift, doc-code sync, "is this still accurate", stale docs, or keeping docs/tests/code consistent; before publishing or merging a docs change; or as a periodic doc-accuracy
125SKILL.mdUpdated Jun 8, 2026
oaustegard/querying-markdown
tools
VerifiedTrustedCommunity
Query, filter, and transform Markdown structurally with mq — a jq-like CLI for Markdown. Use to extract headings/sections/code-blocks/links from .md files, build a table of contents, pull code blocks of a given language, slice or reshape LLM prompt/output Markdown, or batch-transform docs. Triggers on "extract sections from this markdown", "get all the code blocks", "jq for markdown", "mq", or any structural query over Markdown that grep/Read can't do cleanly.
125SKILL.mdUpdated Jun 8, 2026
oaustegard/composing-html
development
VerifiedTrustedCommunity
Composes single-file HTML artifacts (PR review writeups, status reports, incident postmortems, slide decks, design systems, prototypes, flowcharts, module maps, feature explainers, kanban boards, prompt tuners) from a small JSON spec instead of hand-written HTML/CSS/JS. Use when the user asks to "compare options side-by-side", requests an HTML version of a report or review or deck, asks for a flowchart, status update, postmortem, design system reference, interactive prototype, custom editor — or explicitly says "HTML artifact", "single HTML file", "self-contained HTML". Skip for ad-hoc HTML snippets (forms, emails, embedded widgets) where there's no template fit.
125SKILL.mdUpdated May 11, 2026
oaustegard/flowing
development
VerifiedTrustedCommunity
DAG workflow runner that encodes control flow in code, not prose. Use when a procedure has 3+ steps with branching, retries, or validation that must be enforced — gates as `when=`, edge contracts as `validate=`, predicate loops as `retry_until=`. The runner owns the graph; the LLM provides leaves. Also covers parallel execution, checkpoint resume, detached side-effects.
125SKILL.mdUpdated Apr 19, 2026