From 473b1cc04d4a87899bb0eb1abf22386d2b0364c1 Mon Sep 17 00:00:00 2001 From: fynyky Date: Thu, 28 May 2026 07:13:21 +0000 Subject: [PATCH 1/2] Add Claude GitHub Actions integration with collaborator gate Only OWNER and COLLABORATOR associations can trigger Claude via @claude mentions. Removes id-token permission and adds concurrency guard. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/claude.yml | 46 ++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/claude.yml diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml new file mode 100644 index 0000000..613ee9b --- /dev/null +++ b/.github/workflows/claude.yml @@ -0,0 +1,46 @@ +name: Claude Code + +on: + issue_comment: + types: [created] + pull_request_review_comment: + types: [created] + issues: + types: [opened, assigned] + pull_request_review: + types: [submitted] + +concurrency: + group: claude-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }} + cancel-in-progress: false + +jobs: + claude: + if: | + (github.event_name == 'issue_comment' && + contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association) && + contains(github.event.comment.body, '@claude')) || + (github.event_name == 'pull_request_review_comment' && + contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association) && + contains(github.event.comment.body, '@claude')) || + (github.event_name == 'pull_request_review' && + contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.review.author_association) && + contains(github.event.review.body, '@claude')) || + (github.event_name == 'issues' && + contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.issue.author_association) && + (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run Claude Code + id: claude + uses: anthropics/claude-code-action@v1 + with: + anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} From d9998ca5dff18ad5db62506437c7fbc005391a49 Mon Sep 17 00:00:00 2001 From: fynyky Date: Thu, 28 May 2026 08:04:49 +0000 Subject: [PATCH 2/2] Restrict Claude action to owners and collaborators only Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/claude.yml | 52 +++++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 613ee9b..c18b177 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -10,37 +10,53 @@ on: pull_request_review: types: [submitted] -concurrency: - group: claude-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }} - cancel-in-progress: false - jobs: claude: if: | - (github.event_name == 'issue_comment' && - contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association) && - contains(github.event.comment.body, '@claude')) || - (github.event_name == 'pull_request_review_comment' && - contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association) && - contains(github.event.comment.body, '@claude')) || - (github.event_name == 'pull_request_review' && - contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.review.author_association) && - contains(github.event.review.body, '@claude')) || - (github.event_name == 'issues' && - contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.issue.author_association) && - (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) + (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude') && + (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'COLLABORATOR')) || + (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude') && + (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'COLLABORATOR')) || + (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude') && + (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'COLLABORATOR')) || + (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) && + (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'COLLABORATOR')) runs-on: ubuntu-latest permissions: contents: write pull-requests: write issues: write - actions: read + id-token: write + actions: read # Required for Claude to read CI results on PRs steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 + with: + fetch-depth: 1 - name: Run Claude Code id: claude uses: anthropics/claude-code-action@v1 with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} + + # Optional: Customize the trigger phrase (default: @claude) + # trigger_phrase: "/claude" + + # Optional: Trigger when specific user is assigned to an issue + # assignee_trigger: "claude-bot" + + # Optional: Configure Claude's behavior with CLI arguments + # claude_args: | + # --model claude-opus-4-1-20250805 + # --max-turns 10 + # --allowedTools "Bash(npm install),Bash(npm run build),Bash(npm run test:*),Bash(npm run lint:*)" + # --system-prompt "Follow our coding standards. Ensure all new code has tests. Use TypeScript for new files." + + # Optional: Advanced settings configuration + # settings: | + # { + # "env": { + # "NODE_ENV": "test" + # } + # } \ No newline at end of file