Skip to content

feat: switch to org-level reusable Claude Code workflow#64

Merged
don-petry merged 1 commit into
mainfrom
feat/reusable-claude-workflow
Apr 6, 2026
Merged

feat: switch to org-level reusable Claude Code workflow#64
don-petry merged 1 commit into
mainfrom
feat/reusable-claude-workflow

Conversation

@don-petry

@don-petry don-petry commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replaces inline claude.yml with a thin caller that delegates to petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
  • Prompt, config, and GH_PAT_WORKFLOWS support are now maintained centrally in the org repo
  • No behavioral change — same triggers, same permissions, same Claude behavior

Why

Centralizes maintenance so prompt/config updates only need one change instead of 7. Also adds github_token with workflows write scope so Claude can push .github/workflows/ files (previously blocked).

Test plan

  • CI passes on this PR
  • After merge, label a compliance issue with claude and verify Claude creates a PR

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Streamlined GitHub Actions workflow configuration by consolidating multiple jobs into a unified workflow process.

Copilot AI review requested due to automatic review settings April 6, 2026 18:17
@coderabbitai

coderabbitai Bot commented Apr 6, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The GitHub Actions workflow in .github/workflows/claude.yml has been refactored to consolidate two inline jobs into a single job that delegates execution to a centralized reusable workflow defined in the organization's .github repository. The consolidation eliminates inline logic while maintaining the same top-level permissions.

Changes

Cohort / File(s) Summary
Workflow Consolidation
.github/workflows/claude.yml
Replaced two standalone jobs (claude and claude-issue) with a single claude-code job that invokes a reusable workflow at petry-projects/.github/.github/workflows/claude-code-reusable.yml@main. Removed inline conditionals, checkout steps, direct action invocations, concurrency settings, and embedded configuration; retained top-level permissions and added secrets: inherit.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately describes the main change: switching from inline Claude workflow jobs to using a centralized org-level reusable workflow, which is the primary objective of the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/reusable-claude-workflow

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

sonarqubecloud Bot commented Apr 6, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates this repo’s Claude Code GitHub Actions workflow to delegate execution to an org-level reusable workflow, centralizing prompt/config maintenance while keeping the same event triggers.

Changes:

  • Replaces the inline Claude Code workflow implementation with a uses: call to petry-projects/.github/.github/workflows/claude-code-reusable.yml.
  • Switches to inheriting secrets for the reusable workflow invocation.
  • Retains explicit job token permissions in the caller workflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

runs-on: ubuntu-latest
timeout-minutes: 60
claude-code:
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reusable workflow is referenced as ...@main, which is mutable and can change behavior (or be compromised) without a change in this repo. Pin the reusable workflow to an immutable ref (tag or commit SHA) for supply-chain safety and reproducibility.

Suggested change
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@<FULL_40_CHARACTER_COMMIT_SHA>

Copilot uses AI. Check for mistakes.
timeout-minutes: 60
claude-code:
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
secrets: inherit

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

secrets: inherit passes all repository/environment secrets into the reusable workflow, which is a broader secret exposure surface than the previous inline workflow (which only needed specific secrets). Prefer explicitly mapping only the required secrets for Claude (e.g., CLAUDE_CODE_OAUTH_TOKEN / GH_PAT_WORKFLOWS) unless full inheritance is intentional and documented.

Suggested change
secrets: inherit
secrets:
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
GH_PAT_WORKFLOWS: ${{ secrets.GH_PAT_WORKFLOWS }}

Copilot uses AI. Check for mistakes.
Comment on lines +20 to 24
claude-code:
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
secrets: inherit
permissions:
contents: write

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous inline workflow had job-level guards (if:), concurrency for issue automation, and timeout-minutes: 60. This caller job has none, so it will invoke the reusable workflow on every issue_comment/review_comment creation and any issues:labeled event unless the reusable workflow re-implements those checks. To match the PR claim of “no behavioral change” (and to reduce unnecessary privileged runs), add equivalent if/concurrency/timeout here or ensure they’re enforced via inputs in the reusable workflow.

Copilot uses AI. Check for mistakes.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)

20-22: Pin to a specific commit SHA or immutable release tag instead of @main for supply-chain security.

Referencing @main means any change pushed to the org's repository main branch immediately affects this workflow. This creates supply-chain risk if the org repo is compromised or a breaking change is introduced.

Recommended alternatives:

  • Pin to a specific commit SHA (e.g., @a1b2c3d4...)
  • Use an immutable release tag (e.g., @v1.0.0)

This allows controlled updates and maintains an audit trail when the workflow version changes.

Example
-    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
+    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@<commit-sha>

Replace <commit-sha> with the desired commit or tag from the org's repository.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 20 - 22, Update the workflow job
`claude-code` to avoid using the floating `@main` ref: replace the `uses:
petry-projects/.github/.github/workflows/claude-code-reusable.yml@main`
reference with a pinned immutable ref (either a specific commit SHA like
`@<commit-sha>` or a release tag like `@vX.Y.Z`) so the `claude-code` job always
uses a fixed, auditable version of
`petry-projects/.github/.github/workflows/claude-code-reusable.yml`.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude.yml:
- Around line 23-29: The permissions block defined under the GitHub Actions job
(the permissions: mapping) is missing the workflows: write scope required to
allow changes to files under .github/workflows; update the permissions mapping
(the permissions: section) to include workflows: write alongside the existing
keys (contents, id-token, pull-requests, issues, actions, checks) so the job has
explicit write permission for workflows.

---

Nitpick comments:
In @.github/workflows/claude.yml:
- Around line 20-22: Update the workflow job `claude-code` to avoid using the
floating `@main` ref: replace the `uses:
petry-projects/.github/.github/workflows/claude-code-reusable.yml@main`
reference with a pinned immutable ref (either a specific commit SHA like
`@<commit-sha>` or a release tag like `@vX.Y.Z`) so the `claude-code` job always
uses a fixed, auditable version of
`petry-projects/.github/.github/workflows/claude-code-reusable.yml`.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bcfc0801-29e6-4525-9193-33f44e515874

📥 Commits

Reviewing files that changed from the base of the PR and between 3524b07 and d648e34.

📒 Files selected for processing (1)
  • .github/workflows/claude.yml

Comment on lines 23 to 29
permissions:
contents: write
id-token: write
pull-requests: write
issues: write
actions: read
checks: read

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the reusable workflow expects specific inputs or uses a PAT for workflows permissions
ast-grep --pattern 'workflow_call:
  $$$
'

# Also search for any workflows permission or GH_PAT reference in the codebase
rg -n 'workflows:|GH_PAT' --type yaml

Repository: petry-projects/markets

Length of output: 164


🏁 Script executed:

cat -n .github/workflows/claude.yml

Repository: petry-projects/markets

Length of output: 1051


🏁 Script executed:

# Find reusable workflows in the repository
fd --type f -name "*.yml" -o -name "*.yaml" | xargs grep -l "workflow_call" | head -20

Repository: petry-projects/markets

Length of output: 296


🏁 Script executed:

# Search for references to the reusable workflow in this repository
rg "claude-code-reusable" --type yaml

# Search for any documentation or comments about workflows permissions
rg "workflows.*write|workflow.*permission" --type yaml -i

# Check PR context or any CI standards documentation
fd -type f "*.md" | xargs grep -l "workflows.*write\|workflow.*permission" 2>/dev/null || true

Repository: petry-projects/markets

Length of output: 236


🏁 Script executed:

# Check if there's any reference to GH_PAT_WORKFLOWS or similar secrets in this repo
rg "GH_PAT|workflows.*secret" --type yaml -i

Repository: petry-projects/markets

Length of output: 48


🏁 Script executed:

# Find all workflow files and check their permissions
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -10

Repository: petry-projects/markets

Length of output: 278


🏁 Script executed:

# Check for any documentation about permissions requirements
find . -name "*.md" -type f | xargs grep -l "workflows.*write" 2>/dev/null | head -5

Repository: petry-projects/markets

Length of output: 48


🏁 Script executed:

# Check git history or any PR-related files
ls -la .github/ | head -20

Repository: petry-projects/markets

Length of output: 360


🏁 Script executed:

# Check permissions in other workflow files
for file in .github/workflows/*.yml; do
  echo "=== $(basename $file) ==="
  grep -A 10 "permissions:" "$file" | head -15
done

Repository: petry-projects/markets

Length of output: 2068


Add workflows: write permission to the job.

The PR description states the goal is to add "workflows write scope so Claude can push files under .github/workflows/", but the job permissions block (lines 23-29) does not include workflows: write.

According to GitHub's permission model, contents: write alone is insufficient to modify files in .github/workflows/. The explicit workflows: write permission is required for this operation. Without it, pushes to .github/workflows/ files will be blocked.

Add the missing permission:

Suggested fix
    permissions:
      contents: write
      id-token: write
      pull-requests: write
      issues: write
      actions: read
      checks: read
      workflows: write
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 23 - 29, The permissions block
defined under the GitHub Actions job (the permissions: mapping) is missing the
workflows: write scope required to allow changes to files under
.github/workflows; update the permissions mapping (the permissions: section) to
include workflows: write alongside the existing keys (contents, id-token,
pull-requests, issues, actions, checks) so the job has explicit write permission
for workflows.

@don-petry don-petry merged commit 849c508 into main Apr 6, 2026
18 of 20 checks passed
@don-petry don-petry deleted the feat/reusable-claude-workflow branch April 6, 2026 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants