09e9f3545f
Test / Code Quality (push) Has been cancelled
Test / Test (macos-latest, Python 3.10) (push) Has been cancelled
Test / Test (macos-latest, Python 3.11) (push) Has been cancelled
Test / Test (macos-latest, Python 3.12) (push) Has been cancelled
Test / Test (macos-latest, Python 3.13) (push) Has been cancelled
Test / Test (macos-latest, Python 3.14) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.10) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.11) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.12) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.13) (push) Has been cancelled
Test / Test (ubuntu-latest, Python 3.14) (push) Has been cancelled
Test / Test (windows-latest, Python 3.10) (push) Has been cancelled
Test / Test (windows-latest, Python 3.11) (push) Has been cancelled
Test / Test (windows-latest, Python 3.12) (push) Has been cancelled
Test / Test (windows-latest, Python 3.13) (push) Has been cancelled
Test / Test (windows-latest, Python 3.14) (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
dependency-audit / pip-audit (push) Has been cancelled
66 lines
2.8 KiB
YAML
66 lines
2.8 KiB
YAML
name: Claude Code
|
|
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
pull_request_review_comment:
|
|
types: [created]
|
|
issues:
|
|
types: [opened, assigned]
|
|
pull_request_review:
|
|
types: [submitted]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
claude:
|
|
# AND-gate on both the actor (``sender.login``) and the keyword. For the
|
|
# ``issues`` event we additionally require ``issue.user.login`` to match
|
|
# — otherwise an attacker could open an issue with ``@claude`` in the
|
|
# body and wait for ``teng-lin`` to assign it: ``sender`` would then be
|
|
# ``teng-lin`` while the prompt text remains attacker-authored. Keeping
|
|
# the author check pins both the trigger and the prompt to the same
|
|
# trusted account.
|
|
if: |
|
|
github.event.sender.login == 'teng-lin' && (
|
|
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
|
|
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
|
|
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
|
|
(github.event_name == 'issues' && github.event.issue.user.login == 'teng-lin' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
|
|
)
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write # Required to post inline review-thread comments (not just a sticky issue comment)
|
|
issues: read
|
|
id-token: write
|
|
actions: read # Required for Claude to read CI results on PRs
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v7
|
|
with:
|
|
fetch-depth: 1
|
|
persist-credentials: false
|
|
|
|
- name: Run Claude Code
|
|
id: claude
|
|
uses: anthropics/claude-code-action@558b1d6cab4085c7753fe402c10bef0fbb92ac7a # @ v1.0.165
|
|
with:
|
|
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
|
|
# This is an optional setting that allows Claude to read CI results on PRs
|
|
additional_permissions: |
|
|
actions: read
|
|
|
|
# Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
|
|
# prompt: 'Update the pull request description to include a summary of changes.'
|
|
|
|
# Allow the GitHub inline-comment tool so a `@claude review` lands its
|
|
# findings as inline PR review-thread comments (visible + addressable
|
|
# like gemini/coderabbit), instead of only a single sticky issue
|
|
# comment that the merge gate can miss. `--allowedTools` is additive in
|
|
# this action (base Read/Glob/Grep/LS stay included). See docs/usage.md.
|
|
claude_args: '--allowedTools "mcp__github_inline_comment__create_inline_comment"'
|
|
|