release(v0.2.3): harden GitHub PR receipt workflows

Author: error311

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## v0.2.3 - 05/12/2026
+
+- Added a guarded GitHub PR helper in the web UI for previewing and explicitly posting/updating a compact receipt comment from the current receipt.
+- Added web UI copy helpers for local GitHub dry runs, CI auto-comment commands, and a ready-to-use GitHub Actions workflow snippet.
+- Improved `runglass github detect` with PR URL, token readiness, and next-step diagnostics.
+- Made `runglass github comment --auto` print the detected GitHub context before posting.
+- Hardened GitHub docs around web UI behavior, token handling, and PR comment permissions.
+
 ## v0.2.2 - 05/11/2026
 
 - Added `runglass validate [latest|receipt-id|receipt.json|receipt-dir]` to check receipt JSON, CI artifact layout, and revert snapshot availability.

Cargo.lock

@@ -7,7 +7,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.2.2"
+version = "0.2.3"
 edition = "2021"
 license = "MIT"
 repository = "https://github.com/error311/runglass"

Cargo.toml

@@ -229,6 +229,8 @@ runglass github comment --receipt runglass-receipt/receipt.json --auto
 
 Authentication is read from `GITHUB_TOKEN`, `GH_TOKEN`, or `gh auth token`. RunGlass does not accept GitHub tokens as CLI arguments, so tokens do not need to appear in shell history or process listings. Tokens are not written into receipt artifacts. The GitHub token needs permission to write issue or pull request comments.
 
+The local web UI also includes a guarded GitHub PR receipt helper for saved receipts. It can preview the exact PR comment, copy local/CI commands, copy a GitHub Actions workflow snippet, and post or update the PR comment after explicit confirmation. Tokens are still resolved server-side only; the browser never asks for or stores a GitHub token.
+
 See [GitHub integration docs](docs/github-integration.md) for workflow examples, API behavior, and token permissions.
 
 ## CI Receipts

README.md

@@ -12,8 +12,8 @@ description = "Run one command and get a live receipt of what happened."
 anyhow = "1.0"
 chrono = "0.4"
 clap = { version = "4.5", features = ["derive"] }
-runglass-core = { path = "../runglass-core", version = "0.2.2" }
-runglass-web = { path = "../runglass-web", version = "0.2.2" }
+runglass-core = { path = "../runglass-core", version = "0.2.3" }
+runglass-web = { path = "../runglass-web", version = "0.2.3" }
 serde_json = "1.0"
 ureq = { version = "2.12", features = ["json"] }
 

crates/runglass-cli/Cargo.toml

@@ -33,6 +33,7 @@ struct RepoParts {
 
 pub(crate) fn detect_command(repo: Option<String>, pr: Option<u64>) -> Result<()> {
     let context = detect_context(repo, pr)?;
+    let token = token_source();
     println!("GitHub context");
     print_detected("Repository", context.repo.as_deref());
     print_detected(
@@ -41,7 +42,24 @@ pub(crate) fn detect_command(repo: Option<String>, pr: Option<u64>) -> Result<()
     );
     print_detected("Commit SHA", context.sha.as_deref());
     print_detected("Run URL", context.run_url.as_deref());
-    print_detected("Token", token_source().as_deref());
+    print_detected("Token", token.as_deref());
+    if let Some(url) = pr_url(context.repo.as_deref(), context.pr) {
+        print_detected("PR URL", Some(url.as_str()));
+    }
+    let ready = context.repo.is_some() && context.pr.is_some() && token.is_some();
+    println!(
+        "Comment readiness\t{}",
+        if ready {
+            "ready to post or update a PR comment"
+        } else {
+            "needs repository, pull request, and token"
+        }
+    );
+    if !ready {
+        println!(
+            "Next\tpass --repo owner/name and --pr <number>, and set GITHUB_TOKEN/GH_TOKEN or run gh auth login"
+        );
+    }
     Ok(())
 }
 
@@ -70,6 +88,19 @@ pub(crate) fn comment_command(report: &RunReport, options: GithubCommentOptions)
 
     let token = resolve_token()?;
     let client = GithubApiClient::new(options.api_url.as_deref().unwrap_or(DEFAULT_API_URL), token);
+    if options.auto {
+        println!(
+            "Detected GitHub context: {}/{}#{}{}",
+            repo.owner,
+            repo.repo,
+            pr,
+            context
+                .run_url
+                .as_deref()
+                .map(|url| format!(" ({url})"))
+                .unwrap_or_default()
+        );
+    }
     match client.find_marker_comment(&repo, pr)? {
         Some(comment_id) => {
             client.update_comment(&repo, comment_id, &body)?;
@@ -90,6 +121,10 @@ pub(crate) fn comment_command(report: &RunReport, options: GithubCommentOptions)
     Ok(())
 }
 
+fn pr_url(repo: Option<&str>, pr: Option<u64>) -> Option<String> {
+    Some(format!("https://github.com/{}/pull/{}", repo?, pr?))
+}
+
 fn detect_context(repo: Option<String>, pr: Option<u64>) -> Result<GithubContext> {
     let repo = repo
         .or_else(|| env::var("GITHUB_REPOSITORY").ok())

crates/runglass-cli/src/github.rs

@@ -11,7 +11,8 @@ description = "Embedded local web UI and export renderer for RunGlass receipts."
 [dependencies]
 anyhow = "1.0"
 chrono = { version = "0.4", features = ["serde"] }
-runglass-core = { path = "../runglass-core", version = "0.2.2" }
+runglass-core = { path = "../runglass-core", version = "0.2.3" }
 serde_json = "1.0"
 tiny_http = "0.12"
+ureq = { version = "2.12", features = ["json"] }
 webbrowser = "1.0"