This PR adds two workflow files to integrate Claude Code into the repository. The PR is already merged — this review is informational.
claude.yml — On-demand Claude interactions
Issues:
Missing write permissions (claude.yml:22-26): Claude needs pull-requests: write and issues: write to post comments in response to @claude mentions. Without these, the action will fail to write its responses. This explains why this very workflow run needed special handling.
```yaml
permissions:
  contents: write       # needed if Claude pushes changes
  pull-requests: write  # needed to post PR comments
  issues: write         # needed to post issue comments
  id-token: write
  actions: read
```
Redundant actions: read (claude.yml:25 and claude.yml:40-41): actions: read appears in both the permissions block and the additional_permissions input. The latter is redundant — the GitHub token already gets the permission from the permissions block.
claude-code-review.yml — Automatic PR review
Issues:
Missing write permissions (claude-code-review.yml:22-27): Same problem as above — Claude needs pull-requests: write to post review comments. Currently only has read permissions.
code-review plugin dependency (claude-code-review.yml:39-40): This workflow pulls a plugin from an external marketplace (https://github.com/anthropics/claude-code.git) via plugins: 'code-review@claude-code-plugins'. This is a supply chain risk — if that repository or branch is compromised or removed, the workflow breaks or worse, runs malicious code. Consider pinning to a specific commit SHA rather than a mutable branch reference, or verify this is an official/trusted Anthropic source.
fetch-depth: 1 (claude-code-review.yml:32-33): Shallow clone may cause issues if Claude needs to compare the PR diff against a base that isn't the immediate parent. For most PRs this is fine, but it can cause git diff failures on PRs with many commits. Consider fetch-depth: 0 for review workflows.
Summary
The primary actionable issue is missing write permissions on both workflows — the Claude action cannot post comments without pull-requests: write and issues: write. These should be patched.
Edit: looks like it only runs for those with write access, good
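Added example, not code from the PR or from the repository's workflows: a small stdlib-only lint that checks a workflow text for the two classes of problem raised in the review, `uses:` references that point at a mutable tag or branch instead of a full commit SHA, and a workflow-level `permissions:` block that does not grant the scopes a commenting job needs. The two workflow snippets are constructed for the example (the `example-org/review-action` name and the 40-hex SHAs are placeholders), the matching is regex-based rather than a real YAML parser, and only the top-level `permissions:` block is inspected, not per-job overrides.

```python
"""Lint a GitHub Actions workflow for unpinned action refs and missing
permission scopes. Added example with constructed inputs; regex-based on
purpose so it runs with the standard library only. It is not a YAML parser
and only inspects the workflow-level ``permissions:`` block."""
import re
from typing import Dict, List

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
PERM_HEAD = re.compile(r"^permissions:\s*(\S*)\s*$")          # column 0 only
PERM_ITEM = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*(?:#.*)?$")
KNOWN_SCOPES = ("actions", "contents", "id-token", "issues", "pull-requests")
LEVEL = {"none": 0, "read": 1, "write": 2}

# Scopes a job needs to post PR / issue comments with GITHUB_TOKEN.
COMMENT_SCOPES = {"pull-requests": "write", "issues": "write"}


def unpinned_uses(workflow: str) -> List[str]:
    """Return each ``uses:`` reference whose ref is not a 40-hex commit SHA.
    Local actions (./path) and docker:// images carry no git ref and are skipped."""
    findings = []
    for line in workflow.splitlines():
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA40.match(version):
            findings.append(ref)
    return findings


def top_level_permissions(workflow: str) -> Dict[str, str]:
    """Parse the workflow-level ``permissions:`` block into {scope: level}.
    ``read-all`` / ``write-all`` expand over KNOWN_SCOPES. With no block at all
    GITHUB_TOKEN uses the repository default, conservatively treated as none."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        head = PERM_HEAD.match(line)
        if not head:
            continue
        shorthand = head.group(1)
        if shorthand in ("read-all", "write-all"):
            return {scope: shorthand.split("-")[0] for scope in KNOWN_SCOPES}
        perms: Dict[str, str] = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt[0].isspace():
                break  # back at column 0: the block has ended
            item = PERM_ITEM.match(nxt)
            if item:
                perms[item.group(1)] = item.group(2)
        return perms
    return {}


def missing_permissions(workflow: str, required: Dict[str, str]) -> List[str]:
    """List required scopes granted below the needed level. A scope absent
    from an explicit permissions block is ``none``, as GitHub treats it."""
    have = top_level_permissions(workflow)
    return [
        f"{scope}: need {level}, have {have.get(scope, 'none')}"
        for scope, level in required.items()
        if LEVEL[have.get(scope, "none")] < LEVEL[level]
    ]


# Constructed sample (not the repository's real claude.yml): read-only
# issue/PR scopes and mutable refs on both actions.
WEAK_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  pull-requests: read
  issues: read
  id-token: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/review-action@main
"""

# Same job with the scopes the review asks for and placeholder SHA pins.
HARDENED_WORKFLOW = """\
name: Claude Code
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
  pull-requests: write   # post PR comments
  issues: write          # post issue comments
  id-token: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/review-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "unpinned:", unpinned_uses(wf))
        print(name, "missing:", missing_permissions(wf, COMMENT_SCOPES))
```

Pinning to a SHA is only half of the control: the SHA still has to be one you reviewed, and a tool such as Dependabot or Renovate should be configured to bump pinned SHAs so they do not rot. The lint deliberately treats a missing `permissions:` block as granting nothing, which errs on the side of flagging workflows that rely on the repository default token settings.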