Add autosolve actions for automated issue resolution

Go implementation of composite actions for Claude-powered automated
issue resolution:

- `autosolve/assess`: Runs Claude in read-only mode to evaluate whether
  a task is suitable for automated resolution.
- `autosolve/implement`: Runs Claude to implement a solution, validates
  changes against blocked paths, runs an AI security review of staged
  diffs, pushes to a fork, and creates a draft PR.

Key features:
- Precompiled Go binary (no Go toolchain needed at runtime)
- Per-file batched AI security review with generated-file detection
- Token usage tracking across phases with combined markdown summary
- Retry logic with Claude session resumption
- Skill file support for custom prompts

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>

Author: fantapop

.github/workflows/test.yml

@@ -8,4 +8,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - run: ./test.sh
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: autosolve/go.mod
+      - name: Run shell tests
+        run: ./test.sh
+      - name: Run Go tests
+        run: cd autosolve && go test ./... -count=1
+      - name: Check precompiled binary is up to date
+        run: |
+          binary_version="$(./autosolve/bin/autosolve-linux-amd64 version)"
+          source_hash="$(git ls-tree -r HEAD autosolve/ | grep --invert-match 'autosolve/bin/' | awk '{print $3}' | sort | git hash-object --stdin)"
+          expected_suffix="+${source_hash:0:8}"
+          if [[ "$binary_version" != *"$expected_suffix" ]]; then
+            echo "::error::Precompiled binary is stale (binary: $binary_version, source hash: ${source_hash:0:8}). Run ./autosolve/build.sh and commit the result."
+            exit 1
+          fi

CHANGELOG.md

@@ -8,6 +8,14 @@ Breaking changes are prefixed with "Breaking Change: ".
 
 ## [Unreleased]
 
+### Added
+
+- `autosolve/assess` action: evaluate tasks for automated resolution suitability
+  using Claude in read-only mode.
+- `autosolve/implement` action: autonomously implement solutions, validate
+  security, push to fork, and create PRs using Claude. Includes AI security
+  review, token usage tracking, and per-file batched diff analysis.
+
 ## [0.1.0] - 2026-03-23
 
 ### Added

autosolve/.gitignore

@@ -0,0 +1,2 @@
+# Local dev binary (built by `make build` or `go build`)
+/autosolve

autosolve/Makefile

@@ -0,0 +1,15 @@
+.PHONY: build build-linux test clean
+
+# Local dev binary
+build:
+	go build -o autosolve ./cmd/autosolve
+
+# Cross-compile for GitHub Actions (linux/amd64), same as build.sh
+build-linux:
+	./build.sh
+
+test:
+	go test ./... -count=1
+
+clean:
+	rm -f autosolve bin/autosolve-linux-amd64

autosolve/assess/action.yml

@@ -0,0 +1,65 @@
+name: Autosolve Assess
+description: Run Claude in read-only mode to assess whether a task is suitable for automated resolution.
+
+# Prerequisites:
+#   The calling workflow should install the Claude CLI BEFORE authenticating
+#   to any cloud provider.  npm post-install scripts run with the job's
+#   full environment, so installing after auth would expose credentials
+#   (e.g. the OIDC bearer token in gha-creds-*.json) to arbitrary code.
+
+inputs:
+  prompt:
+    description: The task to assess. Plain text instructions describing what needs to be done.
+    required: false
+    default: ""
+  skill:
+    description: Path to a skill/prompt file relative to the repo root.
+    required: false
+    default: ""
+  additional_instructions:
+    description: Extra context appended after the task prompt but before the assessment footer.
+    required: false
+    default: ""
+  assessment_criteria:
+    description: Custom criteria for the assessment. If not provided, uses default criteria.
+    required: false
+    default: ""
+  model:
+    description: Claude model ID.
+    required: false
+    default: "claude-opus-4-6"
+  blocked_paths:
+    description: Comma-separated path prefixes that cannot be modified (injected into security preamble).
+    required: false
+    default: ".github/workflows/"
+  working_directory:
+    description: Directory to run in (relative to workspace root). Defaults to workspace root.
+    required: false
+    default: "."
+
+outputs:
+  assessment:
+    description: PROCEED or SKIP
+    value: ${{ steps.assess.outputs.assessment }}
+  summary:
+    description: Human-readable assessment reasoning.
+    value: ${{ steps.assess.outputs.summary }}
+  result:
+    description: Full Claude result text.
+    value: ${{ steps.assess.outputs.result }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run assessment
+      id: assess
+      shell: bash
+      working-directory: ${{ inputs.working_directory }}
+      run: ${{ github.action_path }}/../bin/autosolve-linux-amd64 assess
+      env:
+        INPUT_PROMPT: ${{ inputs.prompt }}
+        INPUT_SKILL: ${{ inputs.skill }}
+        INPUT_ADDITIONAL_INSTRUCTIONS: ${{ inputs.additional_instructions }}
+        INPUT_ASSESSMENT_CRITERIA: ${{ inputs.assessment_criteria }}
+        INPUT_MODEL: ${{ inputs.model }}
+        INPUT_BLOCKED_PATHS: ${{ inputs.blocked_paths }}

autosolve/bin/autosolve-linux-amd64

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Cross-compile the autosolve binary for linux/amd64 (GitHub Actions runners).
+# The resulting binary is committed to the repo so the action doesn't need
+# Go installed at runtime.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+OUTDIR="bin"
+mkdir -p "$OUTDIR"
+
+# Compute a hash of the source tree (excluding bin/) so CI can verify the
+# committed binary matches the source without a bit-for-bit comparison.
+# Run git ls-tree from the repo root so path prefixes are consistent.
+SOURCE_HASH="$(cd "$(git rev-parse --show-toplevel)" && git ls-tree -r HEAD autosolve/ | grep --invert-match 'autosolve/bin/' | awk '{print $3}' | sort | git hash-object --stdin)"
+VERSION="$(git describe --tags --always)+${SOURCE_HASH:0:8}"
+
+echo "Building autosolve for linux/amd64 ($VERSION)..."
+GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -trimpath \
+  -ldflags="-s -w -X main.BuildSHA=$VERSION" \
+  -o "$OUTDIR/autosolve-linux-amd64" ./cmd/autosolve
+
+echo "Built $OUTDIR/autosolve-linux-amd64"
+ls -lh "$OUTDIR/autosolve-linux-amd64"

autosolve/build.sh

@@ -0,0 +1,107 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+
+	"github.com/cockroachdb/actions/autosolve/internal/action"
+	"github.com/cockroachdb/actions/autosolve/internal/assess"
+	"github.com/cockroachdb/actions/autosolve/internal/claude"
+	"github.com/cockroachdb/actions/autosolve/internal/config"
+	"github.com/cockroachdb/actions/autosolve/internal/git"
+	"github.com/cockroachdb/actions/autosolve/internal/github"
+	"github.com/cockroachdb/actions/autosolve/internal/implement"
+)
+
+// BuildSHA is set at build time via -ldflags.
+var BuildSHA = "dev"
+
+const usage = `Usage: autosolve <command>
+
+Commands:
+  assess      Run assessment phase
+  implement   Run implementation phase
+  version     Print the git SHA this binary was built from
+`
+
+func main() {
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer cancel()
+
+	if len(os.Args) < 2 {
+		fatalf(usage)
+	}
+
+	var err error
+	switch os.Args[1] {
+	case "assess":
+		err = runAssess(ctx)
+	case "implement":
+		err = runImplement(ctx)
+	case "version":
+		fmt.Println(BuildSHA)
+		return
+	default:
+		fatalf("unknown command: %s\n\n%s", os.Args[1], usage)
+	}
+
+	if err != nil {
+		action.LogError(err.Error())
+		os.Exit(1)
+	}
+}
+
+func fatalf(format string, args ...any) {
+	fmt.Fprintf(os.Stderr, format+"\n", args...)
+	os.Exit(1)
+}
+
+func runAssess(ctx context.Context) error {
+	cfg, err := config.LoadAssessConfig()
+	if err != nil {
+		return err
+	}
+	if err := config.ValidateAuth(); err != nil {
+		return err
+	}
+	tmpDir, err := ensureTmpDir()
+	if err != nil {
+		return err
+	}
+	return assess.Run(ctx, cfg, &claude.CLIRunner{}, tmpDir)
+}
+
+func runImplement(ctx context.Context) error {
+	cfg, err := config.LoadImplementConfig()
+	if err != nil {
+		return err
+	}
+	if err := config.ValidateAuth(); err != nil {
+		return err
+	}
+	tmpDir, err := ensureTmpDir()
+	if err != nil {
+		return err
+	}
+
+	gitClient := &git.CLIClient{}
+	defer implement.Cleanup(gitClient)
+
+	ghClient := &github.GithubClient{Token: cfg.PRCreateToken}
+	return implement.Run(ctx, cfg, &claude.CLIRunner{}, ghClient, gitClient, tmpDir)
+}
+
+func ensureTmpDir() (string, error) {
+	dir := os.Getenv("AUTOSOLVE_TMPDIR")
+	if dir != "" {
+		return dir, nil
+	}
+	dir, err := os.MkdirTemp("", "autosolve_*")
+	if err != nil {
+		return "", fmt.Errorf("creating temp dir: %w", err)
+	}
+	os.Setenv("AUTOSOLVE_TMPDIR", dir)
+	return dir, nil
+}

autosolve/cmd/autosolve/main.go

@@ -0,0 +1,3 @@
+module github.com/cockroachdb/actions/autosolve
+
+go 1.23.8