ci(claude-review): bump pin to f22bf7d + label-gated review + scoped caller permissions#85
Merged
Catches up oauth's claude-review.yml from `128656e4` to `f22bf7d`, picking up three ai-review-prompts changes:

- #37: harper/common.md gains "Meta-checks" section + reuse / CI hygiene / lockfile drift bullets.
- #38: label-gated review for bot-authored PRs (`claude-review` label as opt-in gesture). Claude-only.
- #40: the revert of #39's broken workflow-level `permissions: {}` (the reusable side is back to a verified-working state).

Caller changes:

- Pin bumped to `f22bf7d`.
- `pull_request: types:` adds `labeled` for the bot-PR gesture.
- Caller-side `permissions:` block at the calling-job level:

      permissions:
        contents: read
        pull-requests: write
        id-token: write

  Union of what the reusable's `authorize` and `review` jobs need. Placement at the calling-job level — NOT workflow-level — is the documented canonical pattern; workflow-level placement caps the reusable's per-job grants below what they need (the ai-review-prompts#39 → #40 incident showed this empirically).

  Reference: https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations

Empirical verification:

- The same caller-side pattern was tried earlier today on #84 (now superseded by this PR). CI showed `review / authorize` passing in ~10s and `review / review` starting cleanly and running for 34s before bailing on the upstream OIDC ref-validation gotcha (documented behavior for PRs that modify claude-review.yml itself — harmless). That's proof the permissions pattern gets the workflow past startup and into the reusable's jobs.

NOT in this PR (superseding #84's broader scope):

- gemini-review.yml pin bump — Gemini reviewer has ongoing reliability issues being worked separately; no value in dragging its pin along.
- gemini-review-debug.yml — diagnostic workflow from earlier Gemini iteration sessions; lives in branch history but not on main, not part of this PR.

Repo-side prerequisite (already applied via `gh label create`):

- `claude-review` label exists on this repo.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Contributor

Reviewed; no blockers found.
Supersedes #84. Clean branch from main with ONLY the Claude work — no gemini-review.yml bump, no gemini-review-debug.yml artifact, no leftover commits from the Gemini iteration sessions.
Pickups from ai-review-prompts main

Catches up oauth's claude-review.yml from 128656e4 to f22bf7d:

- #37: harper/common.md calibration update — "Meta-checks (run these before tracing internals)" section + reuse / CI hygiene / lockfile drift bullets.
- #38: label-gated review for bot-authored PRs (claude-review label as opt-in gesture). Claude-only.
- #40: revert of #39's workflow-level permissions: {}. Net: reusable side unchanged from the pre-#39 ("workflow: align prompt and config with claude-code-action docs example") verified-working state.

Changes

Single-file change to claude-review.yml:

- 128656e4 → f22bf7d.
- pull_request: types: adds labeled so the claude-review label fires the bot-PR gesture.
- permissions: block at the calling-job level:

      permissions:
        contents: read
        pull-requests: write
        id-token: write

  Union of what the reusable's two jobs (authorize: contents: read; review: contents: read + pull-requests: write + id-token: write) need. Placement at the calling-job level — not workflow-level — per GitHub's canonical pattern.

Empirical verification (from the superseded #84)

Same caller-side pattern was already run on #84's CI:

- review / authorize — passed (~10s)
- review / review — started successfully, ran for 34s
- review / review — bailed at the end with the documented upstream OIDC ref-validation gotcha (workflow-modifying PR — "this is normal and you should ignore this error")

That's proof the permissions pattern gets the workflow past startup and into the reusable's jobs. Once merged, the next non-workflow-modifying PR exercises the full review path normally.

Prerequisite (already applied via gh label create)

- claude-review label exists on this repo.

Not in this PR (queued separately)

- gemini-review.yml pin bump
- gemini-review-debug.yml
🤖 Generated with Claude Code
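The caller-side workflow described in the commit message and PR body above, written out as an added illustration rather than the oauth repo's actual claude-review.yml. Assumed: the owner of the ai-review-prompts repo (placeholder OWNER), the job id `review`, and that the pre-existing `types:` list was the pull_request default; the pin is the short SHA the PR quotes, where a full 40-character SHA is the conventional immutable reference.

```yaml
# Added example (not the oauth repo's file). OWNER is a placeholder for the
# org that hosts ai-review-prompts; the job id "review" is assumed.
name: claude-review

on:
  pull_request:
    # `labeled` is what lets the `claude-review` label act as the opt-in
    # gesture for bot-authored PRs; the gating logic itself lives in the
    # reusable workflow (#38), not in this caller.
    types: [opened, synchronize, reopened, labeled]

# Deliberately no workflow-level `permissions:` block here. Per the PR,
# a workflow-level block capped the reusable's per-job grants (#39 -> #40).

jobs:
  review:
    # Calling-job level: the union of what the reusable's `authorize`
    # (contents: read) and `review` (contents: read, pull-requests: write,
    # id-token: write) jobs need. A called workflow can only narrow the
    # GITHUB_TOKEN permissions it receives, never widen them, so the caller
    # has to grant the full union up front.
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    # Pinned to the commit the PR names (short SHA as quoted on the page).
    uses: OWNER/ai-review-prompts/.github/workflows/claude-review.yml@f22bf7d
```

If the reusable needs repository secrets, the caller would also pass them explicitly or via `secrets: inherit`; the page does not say which, so none is shown.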