fix(ci): claude-review trigger pull_request_target → pull_request#110
Merged
Conversation
…l_request The Anthropic action's OIDC token exchange rejects pull_request_target claims (upstream issue anthropics/claude-code-action#713). The first run on PR #7 with the new trigger failed at `App token exchange failed: 401 Unauthorized - Invalid OIDC token`. Upstream docs (docs/solutions.md > "Automatic PR Code Review") use `pull_request`, not `pull_request_target`, for auto-reviews. Switching to that. Trade-off: secrets are not available on `pull_request` from fork PRs, so a drive-by fork PR can't run Claude even if an admin pushes a fixup commit onto it (HEAD-committer trust gate would pass, but the action itself can't authenticate). Internal PRs — the dominant case on this repo — work fine because secrets are accessible. The trust gate continues to skip cleanly with conclusion=success for cases where Claude can't or shouldn't run, so the orchestrator's bot-clean wait isn't disrupted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Note Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported. |
3 tasks
EricAndrechek
added a commit
that referenced
this pull request
May 12, 2026
## Two related noise sources Both produce red workflow runs on PR pushes that don't reflect actual problems and were flooding the inbox. ### 1. `claude-review.yml` failing on PRs that edit Claude's own files The Anthropic action runs a self-validation step that fails when its own workflow file (`.github/workflows/claude-review.yml`) or the prompt template (`.github/prompts/pr-review.md`) is in the PR's diff. Every PR touching Claude's wiring (#105, #108, #109, #110, #111, #113, the merge commit of #115) has logged a noisy red Claude check that resolves itself once the change merges. **Fix:** in `claude-review.yml`'s gate step, query the PR's changed files; if either path is in the diff, set `skip=true` and exit 0. The check shows success, the action never runs, the change still takes effect on the next PR's review. ### 2. `dependabot-automerge.yml push failure` ghost runs on every branch push #115 added `reviewers: ${{ replace(env.ADMINS, ',', ' ') }}` to convert the comma-separated `ADMINS` env var to the space-separated form the composite expects. Problem: `replace()` isn't a GitHub Actions expression function. The valid list is `contains`, `startsWith`, `endsWith`, `format`, `join`, `toJSON`, `fromJSON`, `hashFiles`, plus status checks. An unknown function fails workflow validation, and GitHub records a failed run with the file path (not the workflow's `name:`) as the display name and no jobs — every push to any branch since #115 merged. **Fix:** replace the bad expression with a real bash step that uses parameter expansion (`${ADMINS//,/ }`) to write `ADMINS_SPACE` to `$GITHUB_ENV`. The composite's `with:` then references `env.ADMINS_SPACE`. Both steps gated on `update-type == version-update:semver-major` so they only run when actually needed. ## Test plan - [ ] This PR's own Claude check: success (skip-gate catches the self-modification). - [ ] After merge, branch pushes no longer trigger the ghost `.github/workflows/dependabot-automerge.yml push failure` runs. - [ ] Next major-version Dependabot PR: both admins assigned correctly via `ADMINS_SPACE`. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #109. The Anthropic action's OIDC token exchange rejects
pull_request_target's OIDC claims and we hitApp token exchange failed: 401 Unauthorized - Invalid OIDC tokenon the first run. This is upstream issue anthropics/claude-code-action#713 (open). Their docs (docs/solutions.md> "Automatic PR Code Review") usepull_request, notpull_request_target. Switching to that.What changes
pull_request_target→pull_request. Same event types.if:and the in-script case dispatch usepull_requestinstead ofpull_request_target.pull_requestdefaults to the PR's merge ref; we keep explicitly pinning to PR HEAD so the action sees the commit, not a merge artefact.Trade-off (worth knowing)
pull_requestruns from a fork PR with a read-only GITHUB_TOKEN and no access to repo secrets. Practical impact:CLAUDE_CODE_OAUTH_TOKENis empty in fork-PR contexts. This case wasn't supported before either (workflow_run was the prior trigger and fork PRs don't populateworkflow_run.pull_requests), so this is a wash, not a regression.Why not solve fork support some other way
The upstream pattern for fork-PR review is a two-workflow split: a
pull_requestworkflow that posts a "pending" status, and aworkflow_run/pull_request_targetfollow-up that runs the review with elevated tokens. That's exactly the chain we just removed in #109 because it kept breaking. Not worth re-introducing for a case we don't actually have.Test plan
Claude reviewcheck appears and completes successfully.🤖 Generated with Claude Code