Merged
18 changes: 8 additions & 10 deletions .github/workflows/claude-code-review.yml
@@ -1,7 +1,9 @@
name: Claude Code Review

on:
pull_request:
# Use pull_request_target so this works for fork PRs and can mint an OIDC token.
# IMPORTANT: do NOT checkout or run fork code in this workflow.
pull_request_target:
Comment on lines +4 to +6
Copilot AI Feb 22, 2026
The PR description/testing sections are still template placeholders (no motivation, testing details, or issue link). Please update the PR description to state what problem is being fixed, why these workflow changes are needed, and how they were validated (e.g., test run links or a screenshot of a successful workflow run).
Comment on lines +4 to +6
Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

anthropics claude-code-action issue #621 pull_request_target automation mode PR comments

💡 Result:

In anthropics/claude-code-action Issue #621 (opened Oct 14, 2025, now closed), the reported problem is:

  • When a workflow runs on pull_request_target and you provide a prompt (i.e., “automation mode” / automated review), the action’s mode detector selects agent mode.
  • Agent mode does not create PR comments/reviews—it only outputs the review in the GitHub Actions step summary—so nothing appears as a comment on the PR, and use_sticky_comment: true has no effect in that mode. [1]

Why it happens (per the issue):

  • Agent mode explicitly disables comment creation via shouldCreateTrackingComment() { return false; }, and mode detection picks agent for PR events when prompt is set. [1]

Workaround noted in the issue:

  • Post-process the generated output (e.g., from claude-execution-output.json) and manually post it to the PR using something like gh pr comment .... [1]

If you tell me what outcome you want (e.g., “always comment on the PR even in automation mode” vs “only for Dependabot PRs”), I can suggest a concrete workflow YAML pattern.

Sources: [1]


🌐 Web query:

code-review claude-code-plugins pull_request_target automation mode comments 2025 2026

💡 Result:

  • pull_request_target support (for fork/Dependabot PRs with base-repo permissions): anthropics/claude-code-action added explicit support for the pull_request_target event on September 22, 2025, noting it uses the same payload shape as pull_request but runs with write permissions from the base repository (with associated security considerations). [1]

  • “Automation mode” vs “interactive mode” (what controls it):

    • Interactive mode = no prompt input → responds to @claude mentions and creates tracking/progress comments. [1]
    • Automation mode = prompt provided → runs immediately and does not create tracking comments by default. [1]
  • If you want comments/progress in automation mode: in v1, tracking comments are intentionally off “to reduce noise”; enable them with track_progress: true. [1]

  • Related (PR review comments behavior in the Code Review plugin): the official Code Review Claude plugin describes posting only high-confidence findings (default threshold 80) to reduce comment noise. [2]

Sources: custom-automations docs for anthropics/claude-code-action (incl. pull_request_target, mode detection, tracking comments) [1]; Anthropic Code Review plugin page [2].

[1] https://git.homeinfra.org/actions/claude-code-action/src/commit/f4d737af0b61a79741d8246c5207da5887746212/docs/custom-automations.md
[2] https://claude.com/plugins/code-review


pull_request_target + automation prompt may silently swallow review comments.

There is a confirmed bug in claude-code-action (Issue #621) where using a prompt input with pull_request_target triggers agent mode, which does not post reviews as PR comments—they only appear in the GitHub Actions Step Summary. Claude Code reviews should appear as PR comments visible to PR authors and reviewers, not only in the execution summary. The documented workaround is to post-process claude-execution-output.json and manually post it using gh pr comment.

This workflow uses both pull_request_target and a prompt: parameter, which is precisely the affected configuration. Issue #621 is now closed as of February 2026, but the fix status is unclear. The code-review@claude-code-plugins plugin's effect on this behavior is unconfirmed.

If reviews are not posted as PR comments, external contributors will never see automated feedback on their PRs.

Also applies to: 33-42

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude-code-review.yml around lines 4 - 6, The workflow
uses pull_request_target together with a prompt input which can trigger agent
mode in claude-code-action and cause reviews to be hidden; either switch the
event to pull_request or remove the prompt input to avoid agent mode, or add a
post-step that reads claude-execution-output.json and posts it as a PR comment
via gh pr comment (use the documented workaround). Update references to
pull_request_target, prompt, claude-code-action, claude-execution-output.json,
gh pr comment, and any usage of code-review@claude-code-plugins accordingly so
the workflow reliably posts PR comments to contributors.

types: [opened, synchronize, ready_for_review, reopened]
Comment on lines +4 to 7
Copilot AI Feb 22, 2026
Switching this workflow to pull_request_target means it will run in the base repo context for fork PRs and can access secrets.CLAUDE_CODE_OAUTH_TOKEN (and any other available secrets). That creates a real secret-exfiltration risk (e.g., via prompt injection in PR text or a compromised third-party action). Consider gating execution to trusted authors (MEMBER/OWNER/COLLABORATOR), requiring a manual trigger/approval step, or reverting to pull_request with no secrets and reduced permissions.
# Optional: Only run on specific file changes
# paths:
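Review bot: the `pull_request_target` trigger with `types: [opened, synchronize, ready_for_review, reopened]` (lines 4-7) fires, with base-repository secrets and a write-capable token, on every push to a pull request from a fork, and the `# IMPORTANT: do NOT checkout or run fork code` comment is advice rather than a control. Nothing in this hunk restricts who can start the run, so any fork author can drive a secrets-bearing job with content they choose (PR title, body, diff). Either gate the job on `github.event.pull_request.author_association` (or on a maintainer-applied label, adding `labeled` to `types`), or stay on `pull_request`, where fork runs receive no secrets and a read-only token. If the only reason for the switch is the OIDC token mentioned in the comment, name the consumer that needs it; a token minted on behalf of an unreviewed fork PR is the thing to worry about, not the checkout.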
@@ -12,11 +14,10 @@ on:

jobs:
claude-review:
# Optional: Filter by PR author
# Optional: Filter by PR author / association
# if: |
# github.event.pull_request.user.login == 'external-contributor' ||
# github.event.pull_request.user.login == 'new-developer' ||
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
# github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' ||
# github.event.pull_request.author_association == 'CONTRIBUTOR'
Comment on lines +17 to +20
Copilot AI Feb 22, 2026
The optional author-association guard is commented out, so the job will run automatically for any PR (including forks) under pull_request_target. If the intent is to limit who can trigger a secrets-bearing workflow, uncomment/enforce an if: condition for trusted associations (e.g., MEMBER/OWNER/COLLABORATOR) or similar policy.

runs-on: ubuntu-latest
permissions:
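Review bot: the author filter at lines 17-20 is still commented out, and the values it proposes (`FIRST_TIME_CONTRIBUTOR`, `CONTRIBUTOR`) are the least trusted associations, so enabling it as written would select the untrusted authors for a run that holds secrets rather than exclude them. Under `pull_request_target` the gate should be a live allowlist, for example `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)`, not an optional comment. `CONTRIBUTOR` is granted to anyone with a previously merged PR, so it is not a useful trust boundary on its own.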
@@ -26,10 +27,8 @@ jobs:
id-token: write
Copilot AI Feb 22, 2026
id-token: write is a high-privilege permission. If this workflow doesn't strictly need GitHub OIDC, drop it to reduce blast radius; if it does, ensure any cloud trust policy is tightly scoped to this repo/workflow and doesn't allow unintended access from untrusted PR runs.

Suggested change
id-token: write


steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
# NOTE: No checkout step on purpose.
# With pull_request_target, checking out PR code from forks can expose secrets.

- name: Run Claude Code Review
id: claude-review
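Review bot: dropping the `actions/checkout@v4` step is the right call under `pull_request_target`, but the `# NOTE` comment should also say what the review step then operates on (there is no working tree, so the PR can only be read through the API), or the next editor will put the checkout back. Separately, `id-token: write` remains at the job level while the trigger is now reachable by fork authors; if any cloud or token-exchange trust policy accepts this workflow's OIDC token, confirm it conditions on `repository` and `job_workflow_ref` rather than only `ref`, because a `pull_request_target` run presents the base branch ref while being initiated by the fork PR. If no consumer of the OIDC token exists, drop the permission as suggested above.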
@@ -41,4 +40,3 @@ jobs:
prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
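Review bot: the `prompt:` at line 41 interpolates only `github.repository` and `github.event.pull_request.number`, neither of which a PR author controls, so there is no expression-injection problem in this hunk; keep it that way and never extend the prompt with `github.event.pull_request.title` or `.body`, which under `pull_request_target` would be attacker-supplied text fed straight to the reviewer. The thread above reports that a `prompt` combined with `pull_request_target` can select agent mode and leave the review in the step summary only; add a follow-up step that checks a PR comment was actually posted (and fails the job when it was not) so a silently missing review is noticed rather than assumed.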

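A job-level allowlist gate for the review workflow, shown here as an added example; it is not part of this PR or of the project's files. It keeps the `pull_request_target` trigger and the no-checkout rule from the diff above and assumes the action (`anthropics/claude-code-action@v1`), the `CLAUDE_CODE_OAUTH_TOKEN` secret and the plugin prompt are the ones used elsewhere on this page; the `safe-to-review` label name and the set of trusted associations are assumptions chosen for illustration.

```yaml
name: Claude Code Review

on:
  pull_request_target:
    # 'labeled' lets a maintainer opt an external PR in by applying a label.
    types: [opened, synchronize, ready_for_review, reopened, labeled]

jobs:
  claude-review:
    # Allowlist, not denylist: run only for authors the repository already
    # trusts, or for PRs a maintainer has explicitly labelled (assumed name).
    if: |
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association) ||
      contains(github.event.pull_request.labels.*.name, 'safe-to-review')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      # id-token: write   # re-add only for a named consumer of the OIDC token
    steps:
      # No checkout on purpose: under pull_request_target the job runs
      # base-branch workflow code with base-repository secrets, so the fork's
      # commits are never checked out or executed here.
      - name: Run Claude Code Review
        id: claude-review
        uses: anthropics/claude-code-action@v1   # assumed, as in claude.yml
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          # Only values the PR author cannot control are interpolated; never
          # add pull_request.title or .body to the prompt under this trigger.
          prompt: '/code-review:code-review ${{ github.repository }}/pull/${{ github.event.pull_request.number }}'
```

One caveat with the label route: the label stays on the PR, so later pushes to the fork branch re-run the job with secrets without a fresh maintainer decision. That is tolerable only because no fork code is executed; if a checkout is ever reintroduced, the label must be removed on every push or the gate replaced by a manual `workflow_dispatch`.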
19 changes: 2 additions & 17 deletions .github/workflows/claude.yml
@@ -23,28 +23,13 @@ jobs:
pull-requests: write
issues: write
id-token: write
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
actions: read

steps:
Contributor
P2: Add a checkout step before running anthropics/claude-code-action@v1; otherwise the workflow runs Claude with an empty workspace, so it can't read or modify repository files.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/claude.yml, line 28:

<comment>Add a checkout step before running `anthropics/claude-code-action@v1`; otherwise the workflow runs Claude with an empty workspace, so it can't read or modify repository files.</comment>

<file context>
@@ -23,28 +23,13 @@ jobs:
-          fetch-depth: 1
+      actions: read
 
+    steps:
       - name: Run Claude Code
         id: claude
</file context>
Suggested change
steps:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read
Comment on lines 34 to 35
Copilot AI Feb 22, 2026
additional_permissions repeats actions: read, but this job already grants actions: read at the workflow permissions level (line 26). Consider removing the duplicate to make permission auditing clearer unless the action requires both.
Suggested change
additional_permissions: |
actions: read

Comment on lines +28 to 35
Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's locate and examine the claude.yml file
fd -t f "claude.yml" .github/

Repository: MFlowCode/MFC

Length of output: 85


🌐 Web query:

anthropic claude-code-action official documentation examples

💡 Result:

Official documentation (Claude Code GitHub Actions / claude-code-action)

  • Anthropic docs: “Claude Code GitHub Actions” (setup, inputs like prompt / claude_args, and basic workflow example). [1]
  • Official action repo: anthropics/claude-code-action (README + detailed guides + examples/). [2]

Official example workflow (from the repo)

A minimal “respond to @claude” workflow is in examples/claude.yml. Here’s the core structure (abridged): [3]

name: Claude Code
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # optional: prompt: "..."
          # optional: claude_args: "--max-turns 5"

Manual setup path (per Anthropic docs): install the Claude GitHub App, add ANTHROPIC_API_KEY as a repo secret, and copy the workflow from examples/claude.yml into .github/workflows/. [1]


🏁 Script executed:

cat -n .github/workflows/claude.yml

Repository: MFlowCode/MFC

Length of output: 1390


Missing actions/checkout step breaks interactive @claude file operations.

The official Anthropic template for claude.yml requires a repository checkout step before the action runs. The official example in the anthropics/claude-code-action repository shows - uses: actions/checkout@v6 as the first step before anthropics/claude-code-action@v1.

This workflow handles interactive mode (triggered by issue_comment, pull_request_review_comment, issues, pull_request_review) where Claude needs to read and modify repository files in response to @claude mentions. Without the checkout step, the action cannot access the repository contents, preventing any file-level operations.

🔧 Proposed fix
    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
       - name: Run Claude Code
         id: claude
         uses: anthropics/claude-code-action@v1
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
steps:
- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
# This is an optional setting that allows Claude to read CI results on PRs
additional_permissions: |
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@v1
with:
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
additional_permissions: |
actions: read
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 28 - 35, The workflow is missing a
repository checkout so the "Run Claude Code" step using
anthropics/claude-code-action@v1 cannot read or modify files; add an initial
step that runs actions/checkout@v6 (as the first step before the step with id
"claude") so the repository is available for interactive `@claude` file operations
and preserve existing with inputs like claude_code_oauth_token and
additional_permissions.


# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
# prompt: 'Update the pull request description to include a summary of changes.'

# Optional: Add claude_args to customize behavior and configuration
# See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
# or https://code.claude.com/docs/en/cli-reference for available options
# claude_args: '--allowed-tools Bash(gh pr:*)'
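Review bot: removing the `actions/checkout@v4` step in this file buys no security, because `claude.yml` is not on `pull_request_target`; the thread above notes it is driven by comment and review events, which already run in the base repository with its secrets regardless of checkout. What the removal does do is leave the action with an empty workspace, so `@claude` cannot read or edit files, and the hunk's own `claude_args` example (`--allowed-tools Bash(gh pr:*)`) presumes a working tree, since `gh pr` resolves the repository from the checkout's git remote unless `-R` is passed. Either restore the checkout (on these events it checks out the default branch, not a fork) or add a comment stating why interactive runs need no working tree. Also, `actions: read` is now granted twice, at job `permissions:` (line 26) and again via `additional_permissions:` (line 35); keep one so the token scope has a single source of truth for audit.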
