chore: implement audit quick wins and architectural doc updates #9417
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Util: Claude Code" | |
| on: | |
| issue_comment: | |
| types: [created] | |
| pull_request_review_comment: | |
| types: [created] | |
| pull_request_review: | |
| types: [submitted] | |
| concurrency: | |
| group: util-claude-${{ github.event.issue.number || github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: false | |
| jobs: | |
| claude: | |
| # Restrict to trusted authors only — without this gate, any drive-by commenter | |
| # on a public issue can issue arbitrary instructions to a privileged agent | |
| # (contents:write + pull-requests:write + issues:write). | |
| if: | | |
| contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), | |
| github.event.comment.author_association || github.event.review.author_association | |
| ) && ( | |
| (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || | |
| (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) | |
| ) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # Allow commits | |
| pull-requests: write # Allow PR creation | |
| issues: write # Allow issue comments | |
| id-token: write | |
| actions: read # Required for Claude to read CI results on PRs | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 # Full history for better context | |
| - name: Run Claude Code | |
| id: claude | |
| continue-on-error: true | |
| uses: anthropics/claude-code-action@567fe954a4527e81f132d87d1bdbcc94f7737434 # v1 | |
| with: | |
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| claude_args: "--model opus" | |
| # This is an optional setting that allows Claude to read CI results on PRs | |
| additional_permissions: | | |
| actions: read | |
| - name: Retry Claude (on failure) | |
| if: steps.claude.outcome == 'failure' | |
| id: claude_retry | |
| uses: anthropics/claude-code-action@567fe954a4527e81f132d87d1bdbcc94f7737434 # v1 | |
| with: | |
| claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} | |
| claude_args: "--model opus" | |
| additional_permissions: | | |
| actions: read | |