Skip to content

fix(ci): claude-review trigger pull_request_target → pull_request#110

Merged
EricAndrechek merged 1 commit into
mainfrom
claude-review-pr-trigger
May 12, 2026
Merged

fix(ci): claude-review trigger pull_request_target → pull_request#110
EricAndrechek merged 1 commit into
mainfrom
claude-review-pr-trigger

Conversation

@EricAndrechek

Copy link
Copy Markdown
Member

Summary

Follow-up to #109. The Anthropic action's OIDC token exchange rejects pull_request_target's OIDC claims and we hit App token exchange failed: 401 Unauthorized - Invalid OIDC token on the first run. This is upstream issue anthropics/claude-code-action#713 (open). Their docs (docs/solutions.md > "Automatic PR Code Review") use pull_request, not pull_request_target. Switching to that.

What changes

  • Trigger: pull_request_targetpull_request. Same event types.
  • if: and the in-script case dispatch use pull_request instead of pull_request_target.
  • Checkout comment updated: pull_request defaults to the PR's merge ref; we keep explicitly pinning to PR HEAD so the action sees the commit, not a merge artefact.

Trade-off (worth knowing)

pull_request runs from a fork PR with a read-only GITHUB_TOKEN and no access to repo secrets. Practical impact:

  • Internal PRs (the dominant case on this repo) — fine. Secrets accessible.
  • Fork PRs from drive-by contributors — trust gate still skips them cleanly, conclusion=success, orchestrator's bot-clean isn't disrupted.
  • Fork PRs where an admin pushes a fixup commit — HEAD-committer trust gate passes, but the action then fails to authenticate because CLAUDE_CODE_OAUTH_TOKEN is empty in fork-PR contexts. This case wasn't supported before either (workflow_run was the prior trigger and fork PRs don't populate workflow_run.pull_requests), so this is a wash, not a regression.

Why not solve fork support some other way

The upstream pattern for fork-PR review is a two-workflow split: a pull_request workflow that posts a "pending" status, and a workflow_run/pull_request_target follow-up that runs the review with elevated tokens. That's exactly the chain we just removed in #109 because it kept breaking. Not worth re-introducing for a case we don't actually have.

Test plan

🤖 Generated with Claude Code

…l_request

The Anthropic action's OIDC token exchange rejects pull_request_target
claims (upstream issue anthropics/claude-code-action#713). The first
run on PR #7 with the new trigger failed at
`App token exchange failed: 401 Unauthorized - Invalid OIDC token`.

Upstream docs (docs/solutions.md > "Automatic PR Code Review") use
`pull_request`, not `pull_request_target`, for auto-reviews. Switching
to that.

Trade-off: secrets are not available on `pull_request` from fork PRs,
so a drive-by fork PR can't run Claude even if an admin pushes a
fixup commit onto it (HEAD-committer trust gate would pass, but the
action itself can't authenticate). Internal PRs — the dominant case
on this repo — work fine because secrets are accessible. The trust
gate continues to skip cleanly with conclusion=success for cases
where Claude can't or shouldn't run, so the orchestrator's bot-clean
wait isn't disrupted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions github-actions Bot added github_actions Pull requests that update GitHub Actions code area/infra CI, build, deploy, Docker, release labels May 12, 2026
@EricAndrechek EricAndrechek merged commit 407caf5 into main May 12, 2026
5 of 8 checks passed
@EricAndrechek EricAndrechek deleted the claude-review-pr-trigger branch May 12, 2026 13:07
EricAndrechek added a commit that referenced this pull request May 12, 2026
## Two related noise sources

Both produce red workflow runs on PR pushes that don't reflect actual
problems and were flooding the inbox.

### 1. `claude-review.yml` failing on PRs that edit Claude's own files

The Anthropic action runs a self-validation step that fails when its own
workflow file (`.github/workflows/claude-review.yml`) or the prompt
template (`.github/prompts/pr-review.md`) is in the PR's diff. Every PR
touching Claude's wiring (#105, #108, #109, #110, #111, #113, the merge
commit of #115) has logged a noisy red Claude check that resolves itself
once the change merges.

**Fix:** in `claude-review.yml`'s gate step, query the PR's changed
files; if either path is in the diff, set `skip=true` and exit 0. The
check shows success, the action never runs, the change still takes
effect on the next PR's review.

### 2. `dependabot-automerge.yml push failure` ghost runs on every
branch push

#115 added `reviewers: ${{ replace(env.ADMINS, ',', ' ') }}` to convert
the comma-separated `ADMINS` env var to the space-separated form the
composite expects. Problem: `replace()` isn't a GitHub Actions
expression function. The valid list is `contains`, `startsWith`,
`endsWith`, `format`, `join`, `toJSON`, `fromJSON`, `hashFiles`, plus
status checks. An unknown function fails workflow validation, and GitHub
records a failed run with the file path (not the workflow's `name:`) as
the display name and no jobs — every push to any branch since #115
merged.

**Fix:** replace the bad expression with a real bash step that uses
parameter expansion (`${ADMINS//,/ }`) to write `ADMINS_SPACE` to
`$GITHUB_ENV`. The composite's `with:` then references
`env.ADMINS_SPACE`. Both steps gated on `update-type ==
version-update:semver-major` so they only run when actually needed.

## Test plan

- [ ] This PR's own Claude check: success (skip-gate catches the
self-modification).
- [ ] After merge, branch pushes no longer trigger the ghost
`.github/workflows/dependabot-automerge.yml push failure` runs.
- [ ] Next major-version Dependabot PR: both admins assigned correctly
via `ADMINS_SPACE`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/infra CI, build, deploy, Docker, release github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant