feat: switch to org-level reusable Claude Code workflow#64
Conversation
📝 WalkthroughWalkthroughThe GitHub Actions workflow in Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
Pull request overview
Updates this repo’s Claude Code GitHub Actions workflow to delegate execution to an org-level reusable workflow, centralizing prompt/config maintenance while keeping the same event triggers.
Changes:
- Replaces the inline Claude Code workflow implementation with a
uses:call topetry-projects/.github/.github/workflows/claude-code-reusable.yml. - Switches to inheriting secrets for the reusable workflow invocation.
- Retains explicit job token permissions in the caller workflow.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| runs-on: ubuntu-latest | ||
| timeout-minutes: 60 | ||
| claude-code: | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main |
There was a problem hiding this comment.
The reusable workflow is referenced as ...@main, which is mutable and can change behavior (or be compromised) without a change in this repo. Pin the reusable workflow to an immutable ref (tag or commit SHA) for supply-chain safety and reproducibility.
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main | |
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@<FULL_40_CHARACTER_COMMIT_SHA> |
| timeout-minutes: 60 | ||
| claude-code: | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main | ||
| secrets: inherit |
There was a problem hiding this comment.
secrets: inherit passes all repository/environment secrets into the reusable workflow, which is a broader secret exposure surface than the previous inline workflow (which only needed specific secrets). Prefer explicitly mapping only the required secrets for Claude (e.g., CLAUDE_CODE_OAUTH_TOKEN / GH_PAT_WORKFLOWS) unless full inheritance is intentional and documented.
| secrets: inherit | |
| secrets: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| GH_PAT_WORKFLOWS: ${{ secrets.GH_PAT_WORKFLOWS }} |
| claude-code: | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main | ||
| secrets: inherit | ||
| permissions: | ||
| contents: write |
There was a problem hiding this comment.
The previous inline workflow had job-level guards (if:), concurrency for issue automation, and timeout-minutes: 60. This caller job has none, so it will invoke the reusable workflow on every issue_comment/review_comment creation and any issues:labeled event unless the reusable workflow re-implements those checks. To match the PR claim of “no behavioral change” (and to reduce unnecessary privileged runs), add equivalent if/concurrency/timeout here or ensure they’re enforced via inputs in the reusable workflow.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/claude.yml (1)
20-22: Pin to a specific commit SHA or immutable release tag instead of@mainfor supply-chain security.Referencing
@mainmeans any change pushed to the org's repository main branch immediately affects this workflow. This creates supply-chain risk if the org repo is compromised or a breaking change is introduced.Recommended alternatives:
- Pin to a specific commit SHA (e.g.,
@a1b2c3d4...)- Use an immutable release tag (e.g.,
@v1.0.0)This allows controlled updates and maintains an audit trail when the workflow version changes.
Example
- uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main + uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@<commit-sha>Replace
<commit-sha>with the desired commit or tag from the org's repository.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/claude.yml around lines 20 - 22, Update the workflow job `claude-code` to avoid using the floating `@main` ref: replace the `uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main` reference with a pinned immutable ref (either a specific commit SHA like `@<commit-sha>` or a release tag like `@vX.Y.Z`) so the `claude-code` job always uses a fixed, auditable version of `petry-projects/.github/.github/workflows/claude-code-reusable.yml`.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/claude.yml:
- Around line 23-29: The permissions block defined under the GitHub Actions job
(the permissions: mapping) is missing the workflows: write scope required to
allow changes to files under .github/workflows; update the permissions mapping
(the permissions: section) to include workflows: write alongside the existing
keys (contents, id-token, pull-requests, issues, actions, checks) so the job has
explicit write permission for workflows.
---
Nitpick comments:
In @.github/workflows/claude.yml:
- Around line 20-22: Update the workflow job `claude-code` to avoid using the
floating `@main` ref: replace the `uses:
petry-projects/.github/.github/workflows/claude-code-reusable.yml@main`
reference with a pinned immutable ref (either a specific commit SHA like
`@<commit-sha>` or a release tag like `@vX.Y.Z`) so the `claude-code` job always
uses a fixed, auditable version of
`petry-projects/.github/.github/workflows/claude-code-reusable.yml`.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: bcfc0801-29e6-4525-9193-33f44e515874
📒 Files selected for processing (1)
.github/workflows/claude.yml
| permissions: | ||
| contents: write | ||
| id-token: write | ||
| pull-requests: write | ||
| issues: write | ||
| actions: read | ||
| checks: read |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if the reusable workflow expects specific inputs or uses a PAT for workflows permissions
ast-grep --pattern 'workflow_call:
$$$
'
# Also search for any workflows permission or GH_PAT reference in the codebase
rg -n 'workflows:|GH_PAT' --type yamlRepository: petry-projects/markets
Length of output: 164
🏁 Script executed:
cat -n .github/workflows/claude.ymlRepository: petry-projects/markets
Length of output: 1051
🏁 Script executed:
# Find reusable workflows in the repository
fd --type f -name "*.yml" -o -name "*.yaml" | xargs grep -l "workflow_call" | head -20Repository: petry-projects/markets
Length of output: 296
🏁 Script executed:
# Search for references to the reusable workflow in this repository
rg "claude-code-reusable" --type yaml
# Search for any documentation or comments about workflows permissions
rg "workflows.*write|workflow.*permission" --type yaml -i
# Check PR context or any CI standards documentation
fd -type f "*.md" | xargs grep -l "workflows.*write\|workflow.*permission" 2>/dev/null || trueRepository: petry-projects/markets
Length of output: 236
🏁 Script executed:
# Check if there's any reference to GH_PAT_WORKFLOWS or similar secrets in this repo
rg "GH_PAT|workflows.*secret" --type yaml -iRepository: petry-projects/markets
Length of output: 48
🏁 Script executed:
# Find all workflow files and check their permissions
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -10Repository: petry-projects/markets
Length of output: 278
🏁 Script executed:
# Check for any documentation about permissions requirements
find . -name "*.md" -type f | xargs grep -l "workflows.*write" 2>/dev/null | head -5Repository: petry-projects/markets
Length of output: 48
🏁 Script executed:
# Check git history or any PR-related files
ls -la .github/ | head -20Repository: petry-projects/markets
Length of output: 360
🏁 Script executed:
# Check permissions in other workflow files
for file in .github/workflows/*.yml; do
echo "=== $(basename $file) ==="
grep -A 10 "permissions:" "$file" | head -15
doneRepository: petry-projects/markets
Length of output: 2068
Add workflows: write permission to the job.
The PR description states the goal is to add "workflows write scope so Claude can push files under .github/workflows/", but the job permissions block (lines 23-29) does not include workflows: write.
According to GitHub's permission model, contents: write alone is insufficient to modify files in .github/workflows/. The explicit workflows: write permission is required for this operation. Without it, pushes to .github/workflows/ files will be blocked.
Add the missing permission:
Suggested fix
permissions:
contents: write
id-token: write
pull-requests: write
issues: write
actions: read
checks: read
workflows: write🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/claude.yml around lines 23 - 29, The permissions block
defined under the GitHub Actions job (the permissions: mapping) is missing the
workflows: write scope required to allow changes to files under
.github/workflows; update the permissions mapping (the permissions: section) to
include workflows: write alongside the existing keys (contents, id-token,
pull-requests, issues, actions, checks) so the job has explicit write permission
for workflows.


Summary
claude.ymlwith a thin caller that delegates topetry-projects/.github/.github/workflows/claude-code-reusable.yml@mainGH_PAT_WORKFLOWSsupport are now maintained centrally in the org repoWhy
Centralizes maintenance so prompt/config updates only need one change instead of 7. Also adds
github_tokenwithworkflowswrite scope so Claude can push.github/workflows/files (previously blocked).Test plan
claudeand verify Claude creates a PR🤖 Generated with Claude Code
Summary by CodeRabbit