-
Notifications
You must be signed in to change notification settings - Fork 1
feat: switch to org-level reusable Claude Code workflow #64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,5 +1,5 @@ | ||||||||||
| # AI-assisted code review via Claude Code Action on PRs. | ||||||||||
| # Issue automation: implement, open PR, self-review, check CI, notify maintainer. | ||||||||||
| # Claude Code — thin caller that delegates to the org-level reusable workflow. | ||||||||||
| # All logic and prompts are maintained centrally in claude-code-reusable.yml. | ||||||||||
| # Standard: https://github.com/petry-projects/.github/blob/main/standards/ci-standards.md#4-claude-code-claudeyml | ||||||||||
| name: Claude Code | ||||||||||
|
|
||||||||||
|
|
@@ -17,81 +17,13 @@ on: | |||||||||
| permissions: {} | ||||||||||
|
|
||||||||||
| jobs: | ||||||||||
| # Interactive mode: PR reviews and @claude mentions | ||||||||||
| claude: | ||||||||||
| if: >- | ||||||||||
| (github.event_name == 'pull_request' && | ||||||||||
| github.event.pull_request.head.repo.full_name == github.repository) || | ||||||||||
| (github.event_name == 'issue_comment' && github.event.issue.pull_request && | ||||||||||
| contains(github.event.comment.body, '@claude') && | ||||||||||
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || | ||||||||||
| (github.event_name == 'pull_request_review_comment' && | ||||||||||
| contains(github.event.comment.body, '@claude') && | ||||||||||
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) | ||||||||||
| runs-on: ubuntu-latest | ||||||||||
| timeout-minutes: 60 | ||||||||||
| claude-code: | ||||||||||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main | ||||||||||
| secrets: inherit | ||||||||||
|
||||||||||
| secrets: inherit | |
| secrets: | |
| CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| GH_PAT_WORKFLOWS: ${{ secrets.GH_PAT_WORKFLOWS }} |
Copilot
AI
Apr 6, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The previous inline workflow had job-level guards (if:), concurrency for issue automation, and timeout-minutes: 60. This caller job has none, so it will invoke the reusable workflow on every issue_comment/review_comment creation and any issues:labeled event unless the reusable workflow re-implements those checks. To match the PR claim of “no behavioral change” (and to reduce unnecessary privileged runs), add equivalent if/concurrency/timeout here or ensure they’re enforced via inputs in the reusable workflow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if the reusable workflow expects specific inputs or uses a PAT for workflows permissions
ast-grep --pattern 'workflow_call:
$$$
'
# Also search for any workflows permission or GH_PAT reference in the codebase
rg -n 'workflows:|GH_PAT' --type yamlRepository: petry-projects/markets
Length of output: 164
🏁 Script executed:
cat -n .github/workflows/claude.ymlRepository: petry-projects/markets
Length of output: 1051
🏁 Script executed:
# Find reusable workflows in the repository
fd --type f -name "*.yml" -o -name "*.yaml" | xargs grep -l "workflow_call" | head -20Repository: petry-projects/markets
Length of output: 296
🏁 Script executed:
# Search for references to the reusable workflow in this repository
rg "claude-code-reusable" --type yaml
# Search for any documentation or comments about workflows permissions
rg "workflows.*write|workflow.*permission" --type yaml -i
# Check PR context or any CI standards documentation
fd -type f "*.md" | xargs grep -l "workflows.*write\|workflow.*permission" 2>/dev/null || trueRepository: petry-projects/markets
Length of output: 236
🏁 Script executed:
# Check if there's any reference to GH_PAT_WORKFLOWS or similar secrets in this repo
rg "GH_PAT|workflows.*secret" --type yaml -iRepository: petry-projects/markets
Length of output: 48
🏁 Script executed:
# Find all workflow files and check their permissions
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -10Repository: petry-projects/markets
Length of output: 278
🏁 Script executed:
# Check for any documentation about permissions requirements
find . -name "*.md" -type f | xargs grep -l "workflows.*write" 2>/dev/null | head -5Repository: petry-projects/markets
Length of output: 48
🏁 Script executed:
# Check git history or any PR-related files
ls -la .github/ | head -20Repository: petry-projects/markets
Length of output: 360
🏁 Script executed:
# Check permissions in other workflow files
for file in .github/workflows/*.yml; do
echo "=== $(basename $file) ==="
grep -A 10 "permissions:" "$file" | head -15
doneRepository: petry-projects/markets
Length of output: 2068
Add workflows: write permission to the job.
The PR description states the goal is to add "workflows write scope so Claude can push files under .github/workflows/", but the job permissions block (lines 23-29) does not include workflows: write.
According to GitHub's permission model, contents: write alone is insufficient to modify files in .github/workflows/. The explicit workflows: write permission is required for this operation. Without it, pushes to .github/workflows/ files will be blocked.
Add the missing permission:
Suggested fix
permissions:
contents: write
id-token: write
pull-requests: write
issues: write
actions: read
checks: read
workflows: write🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/claude.yml around lines 23 - 29, The permissions block
defined under the GitHub Actions job (the permissions: mapping) is missing the
workflows: write scope required to allow changes to files under
.github/workflows; update the permissions mapping (the permissions: section) to
include workflows: write alongside the existing keys (contents, id-token,
pull-requests, issues, actions, checks) so the job has explicit write permission
for workflows.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reusable workflow is referenced as
...@main, which is mutable and can change behavior (or be compromised) without a change in this repo. Pin the reusable workflow to an immutable ref (tag or commit SHA) for supply-chain safety and reproducibility.