80 lines
3.7 KiB
YAML
80 lines
3.7 KiB
YAML
name: Claude Code
|
|
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
pull_request_review_comment:
|
|
types: [created]
|
|
issues:
|
|
# `edited` (not `assigned`) is the actionable event here: the `if:`
|
|
# block below checks `github.event.issue.body` / `.title` for
|
|
# `@claude`, which only changes on edit. Reassignment would fire
|
|
# the workflow without any matching body/title change.
|
|
types: [opened, edited]
|
|
pull_request_review:
|
|
types: [submitted]
|
|
|
|
jobs:
|
|
claude:
|
|
# Gate on author_association so only repo owners / members /
|
|
# collaborators (who already have write access) can trigger this
|
|
# workflow — required because the job is granted write scopes below.
|
|
if: |
|
|
(
|
|
github.event_name == 'issue_comment' &&
|
|
contains(github.event.comment.body, '@claude') &&
|
|
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
|
|
) ||
|
|
(
|
|
github.event_name == 'pull_request_review_comment' &&
|
|
contains(github.event.comment.body, '@claude') &&
|
|
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
|
|
) ||
|
|
(
|
|
github.event_name == 'pull_request_review' &&
|
|
contains(github.event.review.body, '@claude') &&
|
|
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
|
|
) ||
|
|
(
|
|
github.event_name == 'issues' &&
|
|
(contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
|
|
contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
|
|
)
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
issues: write
|
|
id-token: write
|
|
actions: read # Required for Claude to read CI results on PRs
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
fetch-depth: 1
|
|
persist-credentials: false
|
|
|
|
- name: Run Claude Code
|
|
id: claude
|
|
uses: anthropics/claude-code-action@4481e6d3c7bbb88db2a928ca3444c536f589c7c1 # v1
|
|
with:
|
|
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
|
|
# This is an optional setting that allows Claude to read CI results on PRs
|
|
additional_permissions: |
|
|
actions: read
|
|
|
|
# Tools tailored to this repo's uv-native Python toolchain.
|
|
# See AGENTS.md for the canonical command reference.
|
|
#
|
|
# Both `gh` and `git` are enumerated to safe subcommands only.
|
|
# Writes that need a commit/branch are handled by the action
|
|
# itself via the GitHub API (see action.yml `branch_prefix` /
|
|
# `branch_name_template` inputs) — local `git add/commit/push`
|
|
# is not in the allowlist, so destructive variants
|
|
# (`push --force`, `reset --hard`, `branch -D`, `tag -d`,
|
|
# `checkout -- .`, `clean -fd`) are unreachable.
|
|
claude_args: |
|
|
--model claude-opus-4-7
|
|
--allowedTools "Edit,Write,Read,Bash(uv:*),Bash(make:*),Bash(python:*),Bash(python3:*),Bash(ruff:*),Bash(ty:*),Bash(pytest:*),Bash(gh pr view:*),Bash(gh pr diff:*),Bash(gh pr list:*),Bash(gh pr comment:*),Bash(gh pr edit:*),Bash(gh pr checks:*),Bash(gh issue view:*),Bash(gh issue list:*),Bash(gh issue comment:*),Bash(gh issue edit:*),Bash(gh api repos/*/pulls/*/comments:*),Bash(gh api repos/*/issues/*/comments:*),Bash(gh api repos/*/issues/*/timeline:*),Bash(gh run view:*),Bash(gh workflow view:*),Bash(gh search:*),Bash(git status:*),Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(git rev-parse:*),Bash(git ls-files:*),mcp__github_inline_comment__create_inline_comment"
|