Claude Code

More and more developers let AI CLI tools like Claude Code run commands, look things up, and tidy up afterwards right on their own development machines. Wiring that AI workflow into Jira makes it even more powerful: the AI can look up issues, update statuses, leave comments, and map commit messages back to tickets. The star of this post, go-jira (https://github.com/appleboy/go-jira), is a Jira CLI built for exactly this scenario. But there’s a security question that keeps getting underrated — how does the CLI authenticate to Jira?

The most common answer historically is a PAT (Personal Access Token). It’s simple, but on an AI development machine it carries two very real risks:

1. The AI can read it by accident. A PAT usually lives in .env, a shell rc file, or some config file. The moment you let an AI agent “freely explore the filesystem” on that machine, this long-lived token — which carries your full account permissions — can get pulled into the context, or even written out into some piece of output.
2. A file that lives forever is an exposure surface that lives forever. A PAT doesn’t rotate. Once leaked, it stays valid until you manually revoke it. We’ve all heard the stories: synced to the cloud, swept into a backup, accidentally committed into a repo.

That’s why “switching CLI auth from a PAT to Jira OAuth” has been pulled back into the spotlight lately. This post documents how the new go-jira uses OAuth Login + refresh tokens to tuck tokens into the operating system’s Keyring, so developers can obtain a token conveniently and store it safely — and so AI CLIs like Claude Code can interact with Jira in a much safer way.

Note: go-jira’s OAuth only supports Jira Data Center, not Jira Cloud (the two use different OAuth flows).

越來越多開發者習慣在自己的開發機上，讓 Claude Code 這類 AI CLI 工具幫忙跑指令、查資料、收尾善後。把這條 AI 工作流接到 Jira 之後，威力更大：AI 可以幫你查 issue、更新狀態、補留言、把 commit 訊息對應到工單。本文的主角 go-jira（https://github.com/appleboy/go-jira）正是為了這個場景打造的 Jira CLI。但這裡有一個一直被低估的安全議題——CLI 要怎麼跟 Jira 認證？

過去最常見的做法是 PAT（Personal Access Token）。它確實簡單，但放在 AI 開發機上有兩個很實際的風險：

1. AI 可能不小心讀到它：PAT 通常被塞在 .env、shell rc、或某個設定檔裡。當你讓 AI agent 在這台機器上「自由探索檔案」時，這顆等同你帳號權限的長期 token 很可能就被讀進 context、甚至被寫進某段輸出裡。
2. 以檔案形式長期存在 = 長期暴露面：PAT 不會自動輪替，一旦外洩，在你手動撤銷之前它都是有效的。檔案被同步到雲端、被備份、被誤 commit 進 repo 的故事，大家都聽過。

所以「把 CLI 認證從 PAT 換成 Jira OAuth」這件事，最近被重新拉出來重視。這篇文章記錄 go-jira 新版本如何用 OAuth Login + Refresh Token 把 token 收進作業系統的 Keyring，讓開發者很方便地拿到、並且安全地保存 token，進而讓 Claude Code 等 AI CLI 能以更安全的方式跟 Jira 互動。

注意：go-jira 的 OAuth 只支援 Jira Data Center，不支援 Jira Cloud（兩者是不同的 OAuth 流程）。

Over the past year, the phrase “I wrote it with AI” has gone from “worth mentioning” to “weird if you didn’t” in pull request descriptions. Anthropic internally merged a single PR of 22,000 lines — largely produced by Claude, landing in their production reinforcement-learning codebase. When that story spread, most engineers didn’t react with awe; they reacted with anxiety: if they can pull that off, what’s stopping the wave of “PMs opening Claude Code and writing production code” from hitting our team?

You can’t stop it. But you can manage it. This post is the SDLC guideline I wrote for my own team after working through Erik Schluntz’s talk Vibe coding in prod | Code w/ Claude (Erik is a coding-agent researcher at Anthropic and co-author of Building Effective Agents). The whole thesis is one sentence: enjoy the AI speedup without sacrificing code quality, maintainability, system reliability, or security.

過去一年，「我用 AI 寫的」這句話在 Pull Request 描述裡出現的頻率，已經從「值得一提」變成「沒寫才奇怪」。Anthropic 內部曾合併過一個 22,000 行、由 Claude 大量產出、最後跑進正式環境強化學習程式碼庫的 PR——這件事傳出來的時候，多數工程師的第一反應不是讚嘆，而是焦慮：如果他們做得到，那我們團隊憑什麼擋得住「PM 直接開 Claude Code 寫 production code」的浪潮？

擋不住。但可以管好。這篇文章是我整理 Erik Schluntz（Anthropic 編程智能體研究員、《Building Effective Agents》共同作者）演講「Vibe coding in prod | Code w/ Claude」之後，為自己團隊寫的一份 SDLC 規範。核心命題只有一句：在享受 AI 加速的同時，不犧牲程式品質、可維護性、系統穩定性與資安。

As a developer who maintains multiple open-source projects on GitHub, my daily work goes far beyond writing code. I also deal with a constant stream of issues, PR reviews, releases, and other tasks that are tedious but critical. As projects grow, this workload quickly exceeds what one person can handle efficiently.

Over the past few months, I’ve integrated Claude Code and GitHub Copilot Review into my daily development workflow, and the results have been remarkable — tasks that used to take half a day now often get done in 1-2 hours. This post shares my complete workflow and explains why I believe the developer’s own technical ability is the key to using AI tools effectively.

身為一個在 GitHub 上長期維護多個開源專案的開發者，我每天面對的不只是寫程式，還有大量的 Issue 處理、PR Review、版本發佈等瑣碎但重要的工作。隨著專案規模成長，這些工作量已經遠超一個人能高效處理的範圍。

過去一段時間，我開始將 Claude Code 和 GitHub Copilot Review 整合進我的日常開發流程，結果讓我非常驚艷——原本需要半天的工作，現在經常在 1-2 小時內就能完成。這篇文章將分享我的完整流程，以及為什麼我認為開發者本身的技術能力，才是善用 AI 工具的關鍵。