diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index aeb1aa0f55..1f2dc07847 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -1,42 +1,34 @@ name: Claude Code Review on: - # Use pull_request_target so this works for fork PRs and can mint an OIDC token. - # IMPORTANT: do NOT checkout or run fork code in this workflow. pull_request_target: types: [opened, synchronize, ready_for_review, reopened] - # Optional: Only run on specific file changes - # paths: - # - "src/**/*.ts" - # - "src/**/*.tsx" - # - "src/**/*.js" - # - "src/**/*.jsx" jobs: claude-review: - # Optional: Filter by PR author / association - # if: | - # github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' || - # github.event.pull_request.author_association == 'CONTRIBUTOR' - runs-on: ubuntu-latest permissions: contents: read pull-requests: write issues: read + actions: read id-token: write steps: - # NOTE: No checkout step on purpose. - # With pull_request_target, checking out PR code from forks can expose secrets. - + # IMPORTANT: no checkout for pull_request_target (fork-safe) - name: Run Claude Code Review id: claude-review uses: anthropics/claude-code-action@v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} + + # Workaround: bypass Anthropic OIDC->GitHub App token exchange + github_token: ${{ github.token }} + plugin_marketplaces: 'https://github.com/anthropics/claude-code.git' plugins: 'code-review@claude-code-plugins' prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}' - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://code.claude.com/docs/en/cli-reference for available options + + # Optional: lets Claude read CI results + additional_permissions: | + actions: read
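Review bot: The job keeps `id-token: write` in its permissions block even though the added `github_token: ${{ github.token }}` is commented as bypassing the OIDC-to-GitHub-App token exchange; if that exchange is indeed no longer performed, the OIDC grant is presumably unused and should be dropped for least privilege, or the comment should say why it is still needed. The added `additional_permissions: | actions: read` appears to scope the token the action would mint itself, so with `github_token` supplied it is likely a no-op and the new job-level `actions: read` is what actually grants CI read access — keep one mechanism and document it rather than both. The replacement comment `# IMPORTANT: no checkout for pull_request_target (fork-safe)` lost the reasoning from the removed lines; since this workflow runs on `pull_request_target` with a `pull-requests: write` token and repository secrets against fork-supplied PR content, I would restore it as `# pull_request_target: runs with secrets and a write-scoped token against untrusted fork PRs. Never checkout or execute PR code here; treat PR title/body/diff as untrusted input.` The unchanged `uses: anthropics/claude-code-action@v1` is a mutable tag; pinning it to a commit SHA is worth considering given the token and secrets this job holds.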