Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 5 additions & 73 deletions .github/workflows/claude.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# AI-assisted code review via Claude Code Action on PRs.
# Issue automation: implement, open PR, self-review, check CI, notify maintainer.
# Claude Code — thin caller that delegates to the org-level reusable workflow.
# All logic and prompts are maintained centrally in claude-code-reusable.yml.
# Standard: https://github.com/petry-projects/.github/blob/main/standards/ci-standards.md#4-claude-code-claudeyml
name: Claude Code

Expand All @@ -17,81 +17,13 @@ on:
permissions: {}

jobs:
# Interactive mode: PR reviews and @claude mentions
claude:
if: >-
(github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository) ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
(github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
runs-on: ubuntu-latest
timeout-minutes: 60
claude-code:
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reusable workflow is referenced as ...@main, which is mutable and can change behavior (or be compromised) without a change in this repo. Pin the reusable workflow to an immutable ref (tag or commit SHA) for supply-chain safety and reproducibility.

Suggested change
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@<FULL_40_CHARACTER_COMMIT_SHA>

Copilot uses AI. Check for mistakes.
secrets: inherit

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

secrets: inherit passes all repository/environment secrets into the reusable workflow, which is a broader secret exposure surface than the previous inline workflow (which only needed specific secrets). Prefer explicitly mapping only the required secrets for Claude (e.g., CLAUDE_CODE_OAUTH_TOKEN / GH_PAT_WORKFLOWS) unless full inheritance is intentional and documented.

Suggested change
secrets: inherit
secrets:
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
GH_PAT_WORKFLOWS: ${{ secrets.GH_PAT_WORKFLOWS }}

Copilot uses AI. Check for mistakes.
permissions:
contents: write
Comment on lines +20 to 24

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous inline workflow had job-level guards (if:), concurrency for issue automation, and timeout-minutes: 60. This caller job has none, so it will invoke the reusable workflow on every issue_comment/review_comment creation and any issues:labeled event unless the reusable workflow re-implements those checks. To match the PR claim of “no behavioral change” (and to reduce unnecessary privileged runs), add equivalent if/concurrency/timeout here or ensure they’re enforced via inputs in the reusable workflow.

Copilot uses AI. Check for mistakes.
id-token: write
pull-requests: write
issues: write
actions: read
checks: read
Comment on lines 23 to 29

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the reusable workflow expects specific inputs or uses a PAT for workflows permissions
ast-grep --pattern 'workflow_call:
  $$$
'

# Also search for any workflows permission or GH_PAT reference in the codebase
rg -n 'workflows:|GH_PAT' --type yaml

Repository: petry-projects/markets

Length of output: 164


🏁 Script executed:

cat -n .github/workflows/claude.yml

Repository: petry-projects/markets

Length of output: 1051


🏁 Script executed:

# Find reusable workflows in the repository
fd --type f -name "*.yml" -o -name "*.yaml" | xargs grep -l "workflow_call" | head -20

Repository: petry-projects/markets

Length of output: 296


🏁 Script executed:

# Search for references to the reusable workflow in this repository
rg "claude-code-reusable" --type yaml

# Search for any documentation or comments about workflows permissions
rg "workflows.*write|workflow.*permission" --type yaml -i

# Check PR context or any CI standards documentation
fd -type f "*.md" | xargs grep -l "workflows.*write\|workflow.*permission" 2>/dev/null || true

Repository: petry-projects/markets

Length of output: 236


🏁 Script executed:

# Check if there's any reference to GH_PAT_WORKFLOWS or similar secrets in this repo
rg "GH_PAT|workflows.*secret" --type yaml -i

Repository: petry-projects/markets

Length of output: 48


🏁 Script executed:

# Find all workflow files and check their permissions
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -10

Repository: petry-projects/markets

Length of output: 278


🏁 Script executed:

# Check for any documentation about permissions requirements
find . -name "*.md" -type f | xargs grep -l "workflows.*write" 2>/dev/null | head -5

Repository: petry-projects/markets

Length of output: 48


🏁 Script executed:

# Check git history or any PR-related files
ls -la .github/ | head -20

Repository: petry-projects/markets

Length of output: 360


🏁 Script executed:

# Check permissions in other workflow files
for file in .github/workflows/*.yml; do
  echo "=== $(basename $file) ==="
  grep -A 10 "permissions:" "$file" | head -15
done

Repository: petry-projects/markets

Length of output: 2068


Add workflows: write permission to the job.

The PR description states the goal is to add "workflows write scope so Claude can push files under .github/workflows/", but the job permissions block (lines 23-29) does not include workflows: write.

According to GitHub's permission model, contents: write alone is insufficient to modify files in .github/workflows/. The explicit workflows: write permission is required for this operation. Without it, pushes to .github/workflows/ files will be blocked.

Add the missing permission:

Suggested fix
    permissions:
      contents: write
      id-token: write
      pull-requests: write
      issues: write
      actions: read
      checks: read
      workflows: write
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 23 - 29, The permissions block
defined under the GitHub Actions job (the permissions: mapping) is missing the
workflows: write scope required to allow changes to files under
.github/workflows; update the permissions mapping (the permissions: section) to
include workflows: write alongside the existing keys (contents, id-token,
pull-requests, issues, actions, checks) so the job has explicit write permission
for workflows.

steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
- name: Run Claude Code
if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
uses: anthropics/claude-code-action@6e2bd52842c65e914eba5c8badd17560bd26b5de # v1.0.89
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
additional_permissions: |
actions: read
checks: read

# Automation mode: issue-triggered work — implement, open PR, review, and notify
claude-issue:
if: >-
github.event_name == 'issues' && github.event.action == 'labeled' &&
github.event.label.name == 'claude'
concurrency:
group: claude-issue-${{ github.event.issue.number }}
cancel-in-progress: true
runs-on: ubuntu-latest
timeout-minutes: 60
permissions:
contents: write
id-token: write
pull-requests: write
issues: write
actions: read
checks: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
- name: Run Claude Code
uses: anthropics/claude-code-action@6e2bd52842c65e914eba5c8badd17560bd26b5de # v1.0.89
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
label_trigger: "claude"
track_progress: "true"
additional_permissions: |
actions: read
checks: read
claude_args: |
--allowedTools "Bash(gh pr create:*),Bash(gh pr view:*),Bash(gh pr comment:*),Bash(gh issue comment:*),Bash(gh run view:*),Bash(gh run watch:*),Edit,Write"
prompt: |
Implement a fix for issue #${{ github.event.issue.number }}.

After implementing:
1. Create a pull request with a clear title and description. Include "Closes #${{ github.event.issue.number }}" in the PR body.
2. Self-review your own PR — look for bugs, style issues, missed edge cases, and test gaps. If you find problems, push fixes.
3. Review all comments and review threads on the PR. For each one:
- If you can address the feedback, make the fix, push, and mark the conversation as resolved.
- If the comment requires human judgment, leave a reply explaining what you need.
4. Check CI status. If CI fails, read the logs, fix the issues, and push again. Repeat until CI passes.
5. When CI is green, all actionable review comments are resolved, and the PR is ready, read the CODEOWNERS file and leave a comment tagging the relevant code owners to review and merge.
Loading