fix: add check_run trigger to claude.yml (compliance #64)#84
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the repository’s Claude Code GitHub Actions workflow to align with the org standard and resolves the compliance finding for the missing check_run trigger (issue #64), delegating execution to the org reusable workflow.
Changes:
- Replaces the inlined
claude.ymlworkflow implementation with the org-standard thin-caller stub. - Adds
check_run: types: [completed]to enable CI-failure-driven automation. - Adds a
pull_request.paths-ignoreguard for.github/workflows/claude.ymlto avoid OIDC failures when only this file changes.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request | ||
| # prevents the workflow from triggering only when the PR's entire changeset | ||
| # is limited to claude.yml alone. PRs that modify claude.yml *plus other | ||
| # files* will still trigger the workflow and hit the 401 error at token | ||
| # exchange. Other triggers (issue_comment, pull_request_review_comment, | ||
| # issues, check_run) are unaffected by paths-ignore and run as configured. |
| paths-ignore: | ||
| - '.github/workflows/claude.yml' # OIDC invariant — see header above |
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
Pull request was closed
Superseded by automated re-review at
|
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 27af5808b4f7f4bd4016135f6e8e0e2be13e9c11
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)
Summary
This PR's branch is byte-for-byte identical to main — the diff is genuinely empty because the same changes (thin-caller stub migration) were already merged to main via a direct commit (77bb53e), making this PR superseded. Linked issue #64 was closed on 2026-05-11. Merging would only create a no-op merge commit; there are no code changes to assess, all CI checks are green, and no security concerns exist.
Findings
- info: PR branch (claude/issue-64-20260508-1419) is byte-for-byte identical to main. The described changes — replacing the inlined claude.yml with the org-standard thin-caller stub, adding check_run trigger, adding paths-ignore OIDC guard — are already live on main (see commit 77bb53e 'ci: replace inlined claude.yml with standard thin-caller stub'). Merging this PR would produce only a no-op merge commit. Consider closing the PR as superseded rather than merging.
- info: Linked compliance issue #64 (claude-missing-check-run-trigger) was closed on 2026-05-11, confirming the fix landed via main independently of this PR.
- minor: The cycle-1 review comment posted by donpetry-bot (2026-05-13) contained the literal placeholder '[Findings would be inserted here]' instead of actual review findings, causing a spurious fix-requested verdict. This was a bug in the review template rendering, not a real finding on this PR.
- info: All CI checks pass: AgentShield SUCCESS, CodeQL SUCCESS, SonarCloud SUCCESS (0 new issues, 0 security hotspots), unit-tests SUCCESS, CodeRabbit SUCCESS. mergeStateStatus is BLOCKED but no code changes exist, so this is likely a required-review gate rather than a code quality issue.
- info: The original PR commit (b01f9e0) used claude-code-reusable.yml@v1, but after repeated merges from main the branch now references @v2, matching current main. No version mismatch remains.
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 12286b52410f7dfb91176e6ec927cc128a396129
Review mode: triage-approved (single reviewer)
Summary
PR branch is byte-for-byte identical to main — the diff is empty (0 files, 0 additions, 0 deletions). The intended fix (replacing the inlined claude.yml with the org-standard thin-caller stub) already landed on main directly via commit b01f9e0, making this PR effectively superseded. The 33 commits ahead of main are all merge commits from main with no net change. Triage previously cleared this as low-risk; this confirmation review concurs.
Linked issue analysis
- Closes #64 (
Compliance: claude-missing-check-run-trigger) — issue is already CLOSED / COMPLETED as of 2026-05-11, since the same fix was applied directly tomain. Merging this PR is not required to resolve the compliance finding, but doing so is harmless (no-op merge commit).
Findings
- info: Diff against
mainis empty. There is no code, workflow, or configuration change to assess in this PR. - info: Branch is 33 commits ahead of
mainand 0 behind, all of which areMerge branch 'main' into claude/issue-64-...commits. - info: Since the prior cascade review at
27af5808, only one substantive change has appeared onmain(thepr-review.ymlGEMINI_API_KEYalias fix), which is unrelated to this PR's scope and is not part of this PR's diff.
CI status
All required checks green: agent-shield, Analyze (actions), CodeQL, SonarCloud, SonarCloud Code Analysis, unit-tests, dependency-audit / Detect ecosystems, CodeRabbit. Ecosystem-specific audit jobs (npm, pnpm, govulncheck, cargo, pip-audit) and dependabot-automerge skipped as expected. mergeStateStatus is BLOCKED only due to missing approval, which this review now satisfies.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
Superseded by automated re-review at 12286b5.
|
Pull request was closed
87f9b63 to
23fdbf1
Compare



Summary
claude.ymlwith the org-standard thin-caller stub frompetry-projects/.github/standards/workflows/claude.ymlcheck_run: types: [completed]trigger, enabling theclaude-ci-fixjob to respond to CI failures on PRs automaticallypaths-ignoreOIDC guard on thepull_requesttrigger to prevent 401 token failures on PRs that only change this filepetry-projects/.github/.github/workflows/claude-code-reusable.yml@v1Compliance
Resolves the
claude-missing-check-run-triggercompliance finding.Closes #64
Because this PR changes
claude.yml, theClaude Codeworkflow will fail with a 401 OIDC error on thepull_requesttrigger — this is the expected OIDC invariant behaviour documented in the file header. Thepaths-ignoreguard prevents this on future PRs once this file is on main. All other triggers (issue_comment, check_run, issues) are unaffected.Generated with Claude Code