chore: enable display_report and use deterministic git push (#2959)

## Summary - Enable `display_report: true` on trusted `claude-code-action` workflows so Claude's work summary appears in GitHub Actions step summaries - Leave `display_report` as default (false) for `closed-issue-comment` which processes untrusted input - Replace the "Push any unpushed changes" step in `pr-review-responder` with a deterministic `git push` instead of spawning a full `claude-code-action` invocation ## Test plan - Verify workflow YAML syntax is valid - Trigger a workflow run and confirm the step summary now appears - Confirm the deterministic push step works when there are/aren't unpushed commits 🤖 Generated with [Claude Code](https://claude.com/claude-code)  --- <a href="https://app.devin.ai/review/dyad-sh/dyad/pull/2959" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a>  --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

chore: enable display_report and use deterministic git push (#2959)
1b821854 · Will Chen · GitHub · aedc3dcc · 1b821854 · 1b821854
--- a/.github/workflows/claude-check-workflows.yml
+++ b/.github/workflows/claude-check-workflows.yml
@@ -44,6 +44,7 @@ jobs:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ steps.app-token.outputs.token }}
          claude_args: --model claude-sonnet-4-5-20250929
+          display_report: true
          prompt: |
            /dyad:check-workflows ${{ inputs.hours || '24' }}
      - name: Cleanup (self-hosted macOS)

--- a/.github/workflows/claude-deflake-e2e.yml
+++ b/.github/workflows/claude-deflake-e2e.yml
@@ -80,6 +80,7 @@ jobs:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ steps.app-token.outputs.token }}
          claude_args: --model claude-opus-4-6
+          display_report: true
          prompt: |
            /dyad:deflake-e2e-recent-commits ${{ inputs.commit_count || '10' }}
      - name: Cleanup (self-hosted macOS)

--- a/.github/workflows/claude-pr-review.yml
+++ b/.github/workflows/claude-pr-review.yml
@@ -64,6 +64,7 @@ jobs:
          # Disable progress tracking (try to save tokens)
          track_progress: false
+          display_report: true
          prompt: |
            /dyad:multi-pr-review ${{ github.event.pull_request.number }}

--- a/.github/workflows/claude-rebase.yml
+++ b/.github/workflows/claude-rebase.yml
@@ -108,6 +108,7 @@ jobs:
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ steps.base-app-token.outputs.token }}
+          display_report: true
          prompt: |
            You are orchestrating the /dyad:pr-rebase skill. Your job is to run it end-to-end as a sub-agent with NO shortcuts.

--- a/.github/workflows/claude-rules-review.yml
+++ b/.github/workflows/claude-rules-review.yml
@@ -42,6 +42,7 @@ jobs:
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ steps.app-token.outputs.token }}
+          display_report: true
          direct: true
          allowed_tools: "Read,Glob,Grep,Bash(git log:*),Bash(gh issue create:*),Bash(gh issue list:*),Bash(gh issue close:*),Bash(gh label:*)"
          claude_args: --model claude-opus-4-6

--- a/.github/workflows/closed-issue-comment.yml
+++ b/.github/workflows/closed-issue-comment.yml
@@ -36,6 +36,7 @@ jobs:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # See: https://github.com/anthropics/claude-code-action/blob/v1/docs/security.md
          github_token: ${{ steps.app-token.outputs.token }}
+          # display_report left as default (false) — this workflow processes untrusted issue comments
          allowed_non_write_users: "*"
          claude_args: |
            --model sonnet --allowedTools "Bash(gh issue reopen:*), Bash(gh issue comment:*)"

--- a/.github/workflows/pr-review-responder.yml
+++ b/.github/workflows/pr-review-responder.yml
@@ -43,6 +43,7 @@ jobs:
          permission-actions: write
          permission-contents: write
          permission-pull-requests: write
+          permission-workflows: write
      - name: Get PR info and check labels
        id: pr-info
@@ -224,6 +225,7 @@ jobs:
          owner: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.owner.login || github.event.workflow_run.head_repository.owner.login }}
          repositories: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.name || github.event.workflow_run.head_repository.name }}
          permission-contents: write
+          permission-workflows: write
      - name: Checkout repository
        if: steps.pr-info.outputs.should_continue == 'true'
@@ -281,6 +283,7 @@ jobs:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          github_token: ${{ steps.base-app-token.outputs.token }}
          claude_args: --model claude-opus-4-6
+          display_report: true
          prompt: |
            Run the following skill end-to-end. Execute every step sequentially. Do not skip, summarize, or stop early.
@@ -289,18 +292,13 @@ jobs:
      - name: Push any unpushed changes
        # In case the previous step accidentally forgot to push its changes
        if: steps.pr-info.outputs.should_continue == 'true' && always()
-        uses: anthropics/claude-code-action@v1
+        run: |
-        with:
+          if [ "$(git rev-list --count @{u}..HEAD 2>/dev/null || echo '0')" -gt 0 ]; then
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+            echo "Local branch is ahead of upstream, pushing..."
-          github_token: ${{ steps.base-app-token.outputs.token }}
+            git push --force-with-lease
-          claude_args: --model claude-opus-4-6
+          else
-          prompt: |
+            echo "No unpushed commits"
-            The previous step may have made local commits but
+          fi
-            accidentally forgot to push them to the origin remote. Run the following skill to
-            push any unpushed changes. If there are no unpushed commits, that's fine — just
-            exit successfully.
-            /dyad:fast-push
      - name: Check if commits were pushed
        # Use always() to ensure we detect commits even if Claude Code fails partway through.