Skip to content

fix: add check_run trigger to claude.yml (compliance #64)#84

Closed
don-petry wants to merge 0 commit into
mainfrom
claude/issue-64-20260508-1419
Closed

fix: add check_run trigger to claude.yml (compliance #64)#84
don-petry wants to merge 0 commit into
mainfrom
claude/issue-64-20260508-1419

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Replaces the repo-local inlined claude.yml with the org-standard thin-caller stub from petry-projects/.github/standards/workflows/claude.yml
  • Adds the missing check_run: types: [completed] trigger, enabling the claude-ci-fix job to respond to CI failures on PRs automatically
  • Adds paths-ignore OIDC guard on the pull_request trigger to prevent 401 token failures on PRs that only change this file
  • All Claude Code logic (prompt, allowedTools, job gating) now lives in the org reusable workflow petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1

Compliance

Resolves the claude-missing-check-run-trigger compliance finding.

Closes #64

⚠️ Note on CI for this PR

Because this PR changes claude.yml, the Claude Code workflow will fail with a 401 OIDC error on the pull_request trigger — this is the expected OIDC invariant behaviour documented in the file header. The paths-ignore guard prevents this on future PRs once this file is on main. All other triggers (issue_comment, check_run, issues) are unaffected.


Generated with Claude Code

Copilot AI review requested due to automatic review settings May 8, 2026 14:21
@coderabbitai

coderabbitai Bot commented May 8, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 48 minutes and 38 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 81c9b649-fa1e-4ff6-97b0-ce36f7fa9ad5

📥 Commits

Reviewing files that changed from the base of the PR and between 5042df9 and b01f9e0.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-64-20260508-1419

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repository’s Claude Code GitHub Actions workflow to align with the org standard and resolves the compliance finding for the missing check_run trigger (issue #64), delegating execution to the org reusable workflow.

Changes:

  • Replaces the inlined claude.yml workflow implementation with the org-standard thin-caller stub.
  • Adds check_run: types: [completed] to enable CI-failure-driven automation.
  • Adds a pull_request.paths-ignore guard for .github/workflows/claude.yml to avoid OIDC failures when only this file changes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +25 to +30
# NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request
# prevents the workflow from triggering only when the PR's entire changeset
# is limited to claude.yml alone. PRs that modify claude.yml *plus other
# files* will still trigger the workflow and hit the 401 error at token
# exchange. Other triggers (issue_comment, pull_request_review_comment,
# issues, check_run) are unaffected by paths-ignore and run as configured.
Comment on lines +45 to +46
paths-ignore:
- '.github/workflows/claude.yml' # OIDC invariant — see header above
@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@don-petry don-petry closed this May 11, 2026
auto-merge was automatically disabled May 11, 2026 21:38

Pull request was closed

@don-petry don-petry reopened this May 11, 2026
@don-petry don-petry closed this May 12, 2026
@don-petry don-petry reopened this May 12, 2026
@don-petry
don-petry enabled auto-merge (squash) May 12, 2026 01:43
@donpetry-bot

donpetry-bot commented May 13, 2026

Copy link
Copy Markdown
Contributor
Superseded by automated re-review at 27af5808b4f7f4bd4016135f6e8e0e2be13e9c11 — click to expand prior review.

Review — fix requested (cycle 1/3)

The automated review identified the following issues. Please address each one:

Findings to fix

[Findings would be inserted here]

Additional tasks

  1. Resolve all unresolved review thread comments from other reviewers
  2. Ensure all CI checks pass after your changes
  3. Rebase on the target branch if behind
  4. Do NOT modify files unrelated to the findings above

The review cascade will automatically re-review after new commits are pushed.

donpetry-bot
donpetry-bot previously approved these changes May 14, 2026

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 27af5808b4f7f4bd4016135f6e8e0e2be13e9c11
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7)

Summary

This PR's branch is byte-for-byte identical to main — the diff is genuinely empty because the same changes (thin-caller stub migration) were already merged to main via a direct commit (77bb53e), making this PR superseded. Linked issue #64 was closed on 2026-05-11. Merging would only create a no-op merge commit; there are no code changes to assess, all CI checks are green, and no security concerns exist.

Findings

  • info: PR branch (claude/issue-64-20260508-1419) is byte-for-byte identical to main. The described changes — replacing the inlined claude.yml with the org-standard thin-caller stub, adding check_run trigger, adding paths-ignore OIDC guard — are already live on main (see commit 77bb53e 'ci: replace inlined claude.yml with standard thin-caller stub'). Merging this PR would produce only a no-op merge commit. Consider closing the PR as superseded rather than merging.
  • info: Linked compliance issue #64 (claude-missing-check-run-trigger) was closed on 2026-05-11, confirming the fix landed via main independently of this PR.
  • minor: The cycle-1 review comment posted by donpetry-bot (2026-05-13) contained the literal placeholder '[Findings would be inserted here]' instead of actual review findings, causing a spurious fix-requested verdict. This was a bug in the review template rendering, not a real finding on this PR.
  • info: All CI checks pass: AgentShield SUCCESS, CodeQL SUCCESS, SonarCloud SUCCESS (0 new issues, 0 security hotspots), unit-tests SUCCESS, CodeRabbit SUCCESS. mergeStateStatus is BLOCKED but no code changes exist, so this is likely a required-review gate rather than a code quality issue.
  • info: The original PR commit (b01f9e0) used claude-code-reusable.yml@v1, but after repeated merges from main the branch now references @v2, matching current main. No version mismatch remains.

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: o4-mini → audit: opus 4.7). Reply if you need a human review.

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 12286b52410f7dfb91176e6ec927cc128a396129
Review mode: triage-approved (single reviewer)

Summary

PR branch is byte-for-byte identical to main — the diff is empty (0 files, 0 additions, 0 deletions). The intended fix (replacing the inlined claude.yml with the org-standard thin-caller stub) already landed on main directly via commit b01f9e0, making this PR effectively superseded. The 33 commits ahead of main are all merge commits from main with no net change. Triage previously cleared this as low-risk; this confirmation review concurs.

Linked issue analysis

  • Closes #64 (Compliance: claude-missing-check-run-trigger) — issue is already CLOSED / COMPLETED as of 2026-05-11, since the same fix was applied directly to main. Merging this PR is not required to resolve the compliance finding, but doing so is harmless (no-op merge commit).

Findings

  • info: Diff against main is empty. There is no code, workflow, or configuration change to assess in this PR.
  • info: Branch is 33 commits ahead of main and 0 behind, all of which are Merge branch 'main' into claude/issue-64-... commits.
  • info: Since the prior cascade review at 27af5808, only one substantive change has appeared on main (the pr-review.yml GEMINI_API_KEY alias fix), which is unrelated to this PR's scope and is not part of this PR's diff.

CI status

All required checks green: agent-shield, Analyze (actions), CodeQL, SonarCloud, SonarCloud Code Analysis, unit-tests, dependency-audit / Detect ecosystems, CodeRabbit. Ecosystem-specific audit jobs (npm, pnpm, govulncheck, cargo, pip-audit) and dependabot-automerge skipped as expected. mergeStateStatus is BLOCKED only due to missing approval, which this review now satisfies.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@donpetry-bot
donpetry-bot dismissed their stale review May 14, 2026 21:01

Superseded by automated re-review at 12286b5.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: claude-missing-check-run-trigger

3 participants