ci(claude): mirror harper auth-gate + marker-based edit + script extraction#68
Merged
Brings oauth's claude workflows up to parity with harper after the last calibration sweep. Three harper PRs collapse here:

- HarperFast/harper#444 (marker-based review-comment edit):
  * Top-level PR comment uses `<!-- claude-review:v1 -->` sentinel so subsequent reviews edit the right comment instead of clobbering an `@claude` mention response.
  * New `Find prior review comment` step looks up the integer database ID of the prior marker'd comment and exposes it as `PRIOR_REVIEW_COMMENT_ID` for the agent.
  * Log step also filters by marker; uses `updated_at` for the staleness guard since edit-in-place leaves `created_at` frozen.
  * Adds `Bash(gh api:*)` and `Write` to `--allowedTools`.
- HarperFast/harper#447 (script extraction):
  * All inline `run: |` blocks pulled to `.github/scripts/`: compose-review-scope, find-prior-review-comment, log-review-to-ai-review-log, parse-claude-mention.
  * Workflows invoke via `bash .github/scripts/<name>.sh`.
- HarperFast/harper#417 (two-job auth gate via App-minted org token):
  * New `authorize` job in each claude-*.yml. Mints an installation token from the HarperFast `HarperFast AI Workflows` GitHub App (Members:Read), checks team membership against the trust set derived from `.github/CODEOWNERS`. Single `if: needs.authorize.outputs.authorized == 'true'` on the work/review job.
  * Script `authorize-claude-workflow.sh` is parameterized via USERS_TO_CHECK (newline-separated) + ADMIT_CLAUDE_BOT. Per-workflow specifics:
    - claude-review: PR author + event actor (both must pass); admits claude[bot] for AI-authored PRs.
    - claude-mention: commenter only; no claude[bot].
    - claude-issue-to-pr: labeler (github.actor); no claude[bot].
  * New `auth-gate-invariants.yml` workflow + script run on PRs touching claude-*.yml; validates structural invariants (authorize job present, app-token pinned to SHA, no write perms on authorize, secrets referenced, USERS_TO_CHECK set, needs/if shape on every other job).
  * Includes the post-review fixes from #417 review:
    - Auth script fails closed when USERS_TO_CHECK is empty or whitespace-only (loop-skip + trailing echo would otherwise authorize empty input).
    - Validator structurally enforces USERS_TO_CHECK presence.

oauth-specific bits preserved as-is:

- REVIEW_LAYERS includes `repo-type/plugin`.
- `## Repo-specific checks (OAuth plugin)` section: CSRF, redirect URI, provider-of-record, session field preservation, path length bounds.
- claude-mention.yml --allowedTools keeps the bun commands oauth uses (npm + bun mixed toolchain).
- Setup Bun step preserved.
- "Do NOT run `bun test`, `npm test`" guidance preserved.
- oauth's longer claude-mention prompt (Documentation scope boundary, deploying-to-harper-fabric.md skill reference, etc.) preserved.

Required (organization-level) secrets — already configured on the HarperFast org per harper #417 setup:

- HARPERFAST_AI_CLIENT_ID
- HARPERFAST_AI_APP_PRIVATE_KEY

After merge: add `Auth gate invariants / validate` as a required status check on `main` in branch protection (same pattern as harper).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
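The marker-based comment lookup and the `updated_at` staleness guard described in the harper#444 bullets above, as an added example that is not part of the commit and is not the project's find-prior-review-comment.sh. The comment list is constructed, one comment per line as id|author|created_at|updated_at|body, standing in for what a `gh api` listing would return; the function names, the sample IDs and the cutoff timestamp are assumptions. The naive "latest bot comment" lookup is included to show which comment it would have edited.

```shell
#!/bin/sh
# Added example, not the project's script. Comment data is constructed:
# id|author|created_at|updated_at|body. ISO-8601 UTC timestamps compare
# correctly as plain strings, so no date parsing is needed.
MARKER='<!-- claude-review:v1 -->'

COMMENTS_SAMPLE='101|alice|2024-05-01T10:00:00Z|2024-05-01T10:00:00Z|@claude can you explain the redirect URI check?
103|claude[bot]|2024-05-01T10:10:00Z|2024-05-03T09:00:00Z|<!-- claude-review:v1 --> Review: two findings, see inline comments.
104|claude[bot]|2024-05-01T11:00:00Z|2024-05-01T11:00:00Z|@alice: the redirect URI is compared exactly against the registered value.'

comments() { printf '%s\n' "$COMMENTS_SAMPLE"; }

# Pre-marker approach: "most recent comment by the bot" (by created_at).
# Here it lands on the @claude mention response (104), which a review
# edit-in-place would then overwrite.
latest_bot_comment_id() {
  comments | awk -F'|' '$2 == "claude[bot]" && $3 > best { best = $3; id = $1 }
                        END { if (id) print id }'
}

# Marker-based lookup: the marked comment with the newest updated_at wins.
# Prints the integer database ID, or nothing when no prior review exists.
find_prior_review_comment() {
  comments | awk -F'|' -v m="$MARKER" 'index($5, m) && $4 > best { best = $4; id = $1 }
                                       END { if (id) print id }'
}

# Timestamp of the marked comment taken from FIELD (3 = created_at, 4 = updated_at).
marked_comment_time() {
  comments | awk -F'|' -v m="$MARKER" -v f="$1" 'index($5, m) && $f > best { best = $f }
                                                 END { print best }'
}

# freshness CUTOFF FIELD: "fresh" if the marked review was touched at or after
# CUTOFF judged by FIELD, else "stale". Edit-in-place leaves created_at frozen,
# so only updated_at reflects that the review was re-run.
freshness() {
  cutoff=$1; field=$2
  t=$(marked_comment_time "$field")
  if [ -n "$t" ] && awk -v a="$t" -v b="$cutoff" 'BEGIN { exit !(a >= b) }'; then
    echo fresh
  else
    echo stale
  fi
}

# Stand-alone run: which comment each strategy targets, and the guard outcome
# for a cutoff that falls between the original review and its re-run.
printf 'naive target:        %s\n' "$(latest_bot_comment_id)"
printf 'marker target:       %s\n' "$(find_prior_review_comment)"
printf 'guard by created_at: %s\n' "$(freshness 2024-05-02T00:00:00Z 3)"
printf 'guard by updated_at: %s\n' "$(freshness 2024-05-02T00:00:00Z 4)"
```

The two lookups disagree on the constructed data: the naive one returns the mention reply, the marker one returns the review comment. The guard comparison shows why the log step has to key on `updated_at`: the re-run review is a day old by `created_at` and minutes old by `updated_at`.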
Mirror of HarperFast/harper#452. Same fix applied to the oauth review workflow: max-turns doubled, turn-budget hint added, repo-wide search called out as the single biggest turn-burner. The triggering harper run is referenced as the concrete failure mode rather than re-running the same diagnosis on oauth (oauth hasn't seen the same failure yet, but the prompt and budget are identical, so the same exposure exists). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror of HarperFast/harper#453. Same one-line fix. The validator's USERS_TO_CHECK presence check used jq's `// empty` keyword, but ubuntu-latest's yq is mikefarah/yq (Go). yq's lexer rejects `empty`; `2>/dev/null` ate the error; the variable came back empty; the existence check tripped on every workflow. Replaces the expression with idiomatic yq: `.jobs.authorize.steps[].env.USERS_TO_CHECK | select(. != null)` piped through `head -1`. Verified locally with mikefarah/yq v4.53.2 against all three oauth claude-*.yml workflows — all pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Brings oauth's claude workflows up to parity with harper after the last calibration sweep. Three harper PRs collapse into one mirror PR here.

- harper#444: marker-based edit (`<!-- claude-review:v1 -->`); `Find prior review comment` step; log step uses marker filter + `updated_at`; `Bash(gh api:*)` + `Write` added to allowedTools
- harper#447: `run: |` blocks extracted to `.github/scripts/` (compose-review-scope, find-prior-review-comment, log-review-to-ai-review-log, parse-claude-mention)
- harper#417: `authorize` job; CODEOWNERS-derived trust set; `auth-gate-invariants.yml` validator. Includes the post-review fixes (fail closed on empty `USERS_TO_CHECK`; validator enforces it).

Adapted for oauth

- `REVIEW_LAYERS` keeps `repo-type/plugin`.
- `## Repo-specific checks (OAuth plugin)` section preserved — CSRF state tokens, redirect URI validation, provider-of-record, session field preservation, path length bounds.
- `claude-mention.yml --allowedTools` keeps bun commands (oauth uses both npm and bun).
- `@HarperFast/developers` and `@HarperFast/devops` — both are admitted by the auth gate.

Required setup

Org-level secrets are already configured on HarperFast (per harper#417 setup):

- `HARPERFAST_AI_CLIENT_ID`
- `HARPERFAST_AI_APP_PRIVATE_KEY`

The App is installed with `Organization: Members: Read` only. No additional setup needed for oauth.

Branch protection followup

After merge, add `Auth gate invariants / validate` as a required status check on `main`. Without that, a PR could weaken the auth gate (delete the authorize job, change the if to a tautology, etc.) and still merge. Same pattern as harper.

Test plan

Followup

🤖 Generated with Claude Code
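The CODEOWNERS-derived trust set and the fail-closed `USERS_TO_CHECK` check that the auth gate relies on, as an added example that is not the PR's and not the project's authorize-claude-workflow.sh. The CODEOWNERS text and the team membership table are constructed stand-ins (the real script resolves membership through the App-minted Members:Read token); the function names are assumptions. The pre-fix shape is included alongside the fixed one to show the loop-skip plus trailing echo that authorized empty input.

```shell
#!/bin/sh
# Added example, not the project's script. CODEOWNERS content and the
# membership table are constructed; the real authorize step looks members up
# with an App-minted installation token.
set -f   # no globbing: a login like claude[bot] must not be pattern-expanded

CODEOWNERS_SAMPLE='# constructed .github/CODEOWNERS
*              @HarperFast/developers
/.github/**    @HarperFast/devops
/docs/**       @HarperFast/developers @octocat'

# constructed membership: "org/team login", one pair per line
MEMBERSHIP_SAMPLE='HarperFast/developers alice
HarperFast/developers bob
HarperFast/devops carol'

# trust_set: team slugs referenced anywhere in CODEOWNERS, deduplicated.
# Individual owners (no slash after the @) are ignored; only teams are trusted.
trust_set() {
  printf '%s\n' "$CODEOWNERS_SAMPLE" \
    | sed 's/#.*//' \
    | tr ' \t' '\n\n' \
    | grep '^@[^/]*/[^/]*$' \
    | sed 's/^@//' \
    | sort -u
}

# is_member LOGIN: exit 0 if LOGIN belongs to at least one trusted team.
is_member() {
  for team in $(trust_set); do
    if printf '%s\n' "$MEMBERSHIP_SAMPLE" \
         | awk -v t="$team" -v l="$1" '$1 == t && $2 == l { f = 1 } END { exit !f }'; then
      return 0
    fi
  done
  return 1
}

# check_one LOGIN ADMIT_CLAUDE_BOT: the bot passes only when the workflow
# opted in (claude-review does; claude-mention and claude-issue-to-pr do not).
check_one() {
  if [ "$1" = 'claude[bot]' ]; then
    [ "$2" = true ]
  else
    is_member "$1"
  fi
}

# authorize_open USERS_TO_CHECK ADMIT_CLAUDE_BOT: the pre-fix shape. With empty
# or whitespace-only input the loop body never runs, the trailing echo is
# reached, and the gate opens.
authorize_open() {
  for u in $1; do
    check_one "$u" "${2:-false}" || { echo false; return 0; }
  done
  echo true
}

# authorize USERS_TO_CHECK ADMIT_CLAUDE_BOT: fail-closed version. Empty or
# whitespace-only input means the workflow wired the env wrong, so deny rather
# than admit by accident. Every listed user must pass (PR author AND actor).
authorize() {
  if [ -z "$(printf '%s' "$1" | tr -d ' \t\r\n')" ]; then
    echo false; return 0
  fi
  for u in $1; do
    check_one "$u" "${2:-false}" || { echo false; return 0; }
  done
  echo true
}

# Stand-alone run: the two shapes differ only on empty input.
printf 'trust set: %s\n' "$(trust_set | tr '\n' ' ')"
printf 'open gate,  empty input:    %s\n' "$(authorize_open '')"
printf 'fixed gate, empty input:    %s\n' "$(authorize '')"
printf 'fixed gate, alice+carol:    %s\n' "$(authorize 'alice
carol')"
printf 'fixed gate, alice+mallory:  %s\n' "$(authorize 'alice
mallory')"
printf 'fixed gate, claude[bot]:    %s\n' "$(authorize 'claude[bot]' false)"
```

The membership stub is the only part to swap for the real lookup. The empty-input check has to sit in front of the loop, not after it, because a `for` over nothing is indistinguishable from a `for` in which every user passed; that is exactly the gap the post-review fix closed, and the `auth-gate-invariants.yml` validator's "USERS_TO_CHECK set" rule exists so the workflow side cannot reintroduce it.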