fix: use --bare and --tools in health probe CLI check#489
Merged
andreatgretel merged 1 commit intomainfrom Apr 2, 2026
Merged
Conversation
The "Verify Claude CLI" step fails on the CI runner because Claude Code tries to initialize keychain, LSP, plugins, and CLAUDE.md discovery before making the API call. On a bare runner these resources don't exist, causing exit code 1. - Add --bare to skip all initialization and force ANTHROPIC_API_KEY auth - Add --tools "" to disable tool definitions (health check doesn't need them, and this avoids sending a large payload to the gateway)
johnnygreco
approved these changes
Apr 2, 2026
Contributor
Greptile SummaryThis PR fixes the "Verify Claude CLI" step in the agentic CI health probe by adding Key changes:
Issue found:
|
| Filename | Overview |
|---|---|
| .github/workflows/agentic-ci-health-probe.yml | Adds --bare and --tools "" to the Claude CLI health check invocation to fix initialization failures on bare CI runners; --bare unconditionally forces API-key auth which breaks OAuth auth mode since the step has no auth-mode guard. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Workflow Trigger\nschedule / workflow_dispatch] --> B[Check required config\nAGENTIC_CI_MODEL set?]
B -->|missing| FAIL1[exit 1]
B -->|ok| C{Detect auth mode}
C -->|AGENTIC_CI_API_BASE_URL\n+ AGENTIC_CI_API_KEY set| D[mode=custom]
C -->|otherwise| E[mode=oauth]
D --> F[Ping inference API\ncurl POST /v1/messages]
E --> G[skip Ping step]
F -->|HTTP 2xx| H[Check latency threshold]
F -->|HTTP error| FAIL2[exit 1]
H --> I[Verify Claude CLI\nruns unconditionally]
G --> I
I --> J{ANTHROPIC_API_KEY\nset?}
J -->|custom mode: yes| K[claude --bare --tools '' ...\nAPI-key auth ✅]
J -->|oauth mode: empty| L[claude --bare --tools '' ...\nAPI-key auth forced\nbut no key ❌]
K --> M{Response contains\nHEALTH_CHECK_OK?}
L --> FAIL3[CLI fails]
M -->|yes| PASS[Health check passed]
M -->|no| WARN[::warning:: unexpected output]
Prompt To Fix All With AI
This is a comment left during a code review.
Path: .github/workflows/agentic-ci-health-probe.yml
Line: 92
Comment:
**`--bare` breaks OAuth auth mode**
The `--bare` flag forces `ANTHROPIC_API_KEY`-based authentication and disables keychain/OAuth reads (as stated in the PR description). However, the "Verify Claude CLI" step runs unconditionally in **both** auth modes (`custom` and `oauth`). In `oauth` mode, `AGENTIC_CI_API_KEY` is not set, so `ANTHROPIC_API_KEY` resolves to an empty string — meaning `--bare` will force API-key auth but with no key available, causing the health check to fail for all OAuth-mode runners.
The `--bare` flag should only be applied when in `custom` auth mode, or the step should be gated with `if: steps.auth.outputs.mode == 'custom'` (matching the `Ping inference API` step's guard):
```yaml
- name: Verify Claude CLI
if: steps.auth.outputs.mode == 'custom'
env:
```
Or, if OAuth mode should remain supported without `--bare`, conditionally apply the flag:
```bash
BARE_FLAG=""
[ -n "$ANTHROPIC_API_KEY" ] && BARE_FLAG="--bare"
RESULT=$(claude \
$BARE_FLAG \
--model "$MODEL" \
...
```
How can I resolve this? If you propose a fix, please make it concise.Reviews (1): Last reviewed commit: "fix: use --bare and --tools in health pr..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| # Run a minimal prompt to verify auth + model + tool usage work end-to-end | ||
| # Run a minimal prompt to verify auth + model work end-to-end | ||
| RESULT=$(claude \ | ||
| --bare \ |
Contributor
There was a problem hiding this comment.
--bare breaks OAuth auth mode
The --bare flag forces ANTHROPIC_API_KEY-based authentication and disables keychain/OAuth reads (as stated in the PR description). However, the "Verify Claude CLI" step runs unconditionally in both auth modes (custom and oauth). In oauth mode, AGENTIC_CI_API_KEY is not set, so ANTHROPIC_API_KEY resolves to an empty string — meaning --bare will force API-key auth but with no key available, causing the health check to fail for all OAuth-mode runners.
The --bare flag should only be applied when in custom auth mode, or the step should be gated with if: steps.auth.outputs.mode == 'custom' (matching the Ping inference API step's guard):
- name: Verify Claude CLI
if: steps.auth.outputs.mode == 'custom'
env:Or, if OAuth mode should remain supported without --bare, conditionally apply the flag:
BARE_FLAG=""
[ -n "$ANTHROPIC_API_KEY" ] && BARE_FLAG="--bare"
RESULT=$(claude \
$BARE_FLAG \
--model "$MODEL" \
...Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/agentic-ci-health-probe.yml
Line: 92
Comment:
**`--bare` breaks OAuth auth mode**
The `--bare` flag forces `ANTHROPIC_API_KEY`-based authentication and disables keychain/OAuth reads (as stated in the PR description). However, the "Verify Claude CLI" step runs unconditionally in **both** auth modes (`custom` and `oauth`). In `oauth` mode, `AGENTIC_CI_API_KEY` is not set, so `ANTHROPIC_API_KEY` resolves to an empty string — meaning `--bare` will force API-key auth but with no key available, causing the health check to fail for all OAuth-mode runners.
The `--bare` flag should only be applied when in `custom` auth mode, or the step should be gated with `if: steps.auth.outputs.mode == 'custom'` (matching the `Ping inference API` step's guard):
```yaml
- name: Verify Claude CLI
if: steps.auth.outputs.mode == 'custom'
env:
```
Or, if OAuth mode should remain supported without `--bare`, conditionally apply the flag:
```bash
BARE_FLAG=""
[ -n "$ANTHROPIC_API_KEY" ] && BARE_FLAG="--bare"
RESULT=$(claude \
$BARE_FLAG \
--model "$MODEL" \
...
```
How can I resolve this? If you propose a fix, please make it concise.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📋 Summary
Fix the "Verify Claude CLI" step in the agentic CI health probe, which has failed on all 3 runs since merge. The raw API curl passes but the Claude CLI invocation fails because it tries to initialize keychain, LSP, plugins, and CLAUDE.md discovery on a bare CI runner.
🐛 Fixed
--bareto skip all CLI initialization and forceANTHROPIC_API_KEYauth (no keychain/OAuth reads)--tools ""to disable tool definitions in the API request (health check doesn't need them)🔍 Attention Areas
agentic-ci-health-probe.yml- The two new flags in theclaudeinvocation. Validated via workflow_dispatch run which passes all steps.🤖 Generated with AI