ci: harden Claude PR review workflow, mirroring agents-forge-frontend#164
Conversation
Replace the stock code-review plugin config with a tailored setup: concurrency cancellation, draft/fork skip, scoped permissions, a 15m timeout, track_progress, and a KeepSimpleOSS-specific review prompt (Pages Router, SCSS tokens, no App Router/Tailwind, UX Core data guard). Lock --allowedTools to the inline-comment tool to resist prompt injection from untrusted PR content. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Claude finished @MaryWylde's task in 4m 3s —— View job Review: harden Claude PR review workflow
This is a CI/CD-only change ( Good improvements:
Flagged inline (1 likely bug, 1 to verify):
Worth a sanity check before relying on this in production: since |
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| issues: write | ||
| id-token: write | ||
|
|
||
| actions: read |
There was a problem hiding this comment.
Likely bug: issues: write was dropped, but the job now needs it.
This PR switches the action from the bundled Claude GitHub App to the workflow's own github_token: ${{ secrets.GITHUB_TOKEN }} (line 44) for posting comments, and also turns on track_progress: true (line 47), which creates/updates the tracking comment on the PR.
That tracking-comment write goes through GitHub's Issues Comments REST endpoint (/repos/{owner}/{repo}/issues/{issue_number}/comments) — which is used for all PR conversation comments, not just issue comments. That endpoint is gated by the issues permission, not pull-requests. With only contents: read, pull-requests: write, actions: read, the GITHUB_TOKEN likely gets a 403 when the action tries to create/update the tracking comment, since there's no App-token fallback anymore.
The pre-PR version of this file had issues: write for exactly this reason. Recommend restoring it:
permissions:
contents: read
pull-requests: write
issues: write
actions: read| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
There was a problem hiding this comment.
Please double-check that actions/checkout@v6 is an actually-published tag before merging. If it doesn't exist (or isn't out yet), this step — and therefore the whole job — fails immediately on every PR. @v4 is the long-standing stable major; if you specifically need something newer than what's currently pinned, confirm the tag exists first.
Replace the stock code-review plugin config with a tailored setup: concurrency cancellation, draft/fork skip, scoped permissions, a 15m timeout, track_progress, and a KeepSimpleOSS-specific review prompt (Pages Router, SCSS tokens, no App Router/Tailwind, UX Core data guard). Lock --allowedTools to the inline-comment tool to resist prompt injection from untrusted PR content.