Skip to content

fix(ci): drop broken pull_request_target trigger + provision toolchain for Claude workflow#1091

Merged
phernandez merged 2 commits into
mainfrom
fix/claude-workflow-selfverify-and-ci
Jul 16, 2026
Merged

fix(ci): drop broken pull_request_target trigger + provision toolchain for Claude workflow#1091
phernandez merged 2 commits into
mainfrom
fix/claude-workflow-selfverify-and-ci

Conversation

@phernandez

@phernandez phernandez commented Jul 16, 2026

Copy link
Copy Markdown
Member

Hardens .github/workflows/claude.yml after #1087 unblocked the bot from opening PRs. Three fixes, most important first.

1. Stop the OIDC 401 self-trigger (primary)

Opening #1088/#1089/#1090/#1091 each failed its claude check with 401 Unauthorized – Invalid OIDC token. Root cause (confirmed via a cross-check): Anthropic's OIDC exchange is broken for the pull_request_target event (anthropics/claude-code-action#713), and the workflow invoked that path whenever a PR body contained the bot mention. Bot-authored PR descriptions carry attribution text like "Generated by the … workflow", so simply opening a bot PR self-triggered the broken path. A normal issue_comment run succeeded with the same secret in between — the OAuth token is valid and needs no rotation.

Fix: remove the pull_request_target trigger and its PR-body clause, so attribution text can never be read as a command and no event routes into the broken OIDC path. Explicit bot mentions in issues, issue comments, PR reviews, and PR review comments remain the trigger. Also removed the now-dead pull_request.author_association gate clauses (reviewer identity is covered by sender.author_association) and the pull_request_target-only checkout ref. Removing pull_request_target also drops the fork-exploit vector that write permissions otherwise carry.

2. Provision a toolchain so runs can self-verify

The Actions runner has no just/uv, so a run burns its whole time budget on pip workarounds and can time out after writing the code but before committing — that killed the first #1011 run at 25m. Adds python 3.12 + uv + just + uv pip install -e ".[dev]", mirroring test.yml's known-good setup.

3. Document the CI-on-bot-PR gap

The bot pushes its branch with GITHUB_TOKEN; GitHub does not fire push workflows for GITHUB_TOKEN pushes, and test.yml is push-only — so a claude/** branch never runs the suite and the PR reads "mergeable" while unvalidated. Documented inline; the proper fix (a PAT/App token as the action's github_token) is a repo-admin task and needs a secret that does not exist yet.

Note

The claude check on this PR will keep 401-ing until this lands on main, because pull_request_target runs use the workflow from the default branch. Merging removes the trigger for good.

🤖 Generated with Claude Code

Two follow-ups to #1087, which unblocked @claude from opening PRs:

1. Provision python/uv/just + install deps in the claude job (mirroring
   test.yml's known-good setup) so a run can execute the project quality
   gates before pushing. Without a toolchain the runner has no just/uv, so a
   run wastes its whole time budget on pip workarounds and can time out AFTER
   writing the code but BEFORE committing — exactly what killed the first
   #1011 run at 25m, losing the work with the ephemeral runner.

2. Document the known limitation that @claude-authored PRs get no CI: the job
   pushes with GITHUB_TOKEN, GitHub does not fire push-triggered workflows for
   GITHUB_TOKEN pushes, and test.yml is push-only, so a claude/** branch never
   runs the test suite. The self-verify step is a partial mitigation; the
   proper fix is pushing with a PAT/App token as the action's github_token
   (a repo-admin task — create the token + secret), noted inline.

Signed-off-by: phernandez <paul@basicmachines.co>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 444e6bf6a3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

- name: Create virtual env and install dependencies
run: |
uv venv
uv pip install -e ".[dev]"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid installing PR code under pull_request_target

When this workflow is triggered by pull_request_target for a member/collaborator PR, the checkout step has already selected github.event.pull_request.head.sha while the job has write-scoped permissions, so this command installs the PR's editable package before Claude starts. A PR can change pyproject.toml, the build backend, or dependency metadata so uv pip install -e executes PR-controlled build/install code with the workflow token still available through the checkout credentials, turning the self-verify setup into automatic privileged code execution; install only trusted base-repo tooling before the action, or move untrusted installation into a lower-permission context.

Useful? React with 👍 / 👎.

Anthropic's OIDC exchange is broken for the pull_request_target event
(401 'Invalid OIDC token'; anthropics/claude-code-action#713). The workflow
invoked that path whenever a PR body contained '@claude' — and bot-authored PR
descriptions carry attribution text ('Generated by the @claude workflow'), so
opening #1088/#1089/#1090/#1091 self-triggered the broken path and each failed
its 'claude' check with a 401. A normal issue_comment run succeeded with the
same secret in between, so the OAuth token is valid and needs no rotation.

Remove the pull_request_target trigger and its PR-body '@claude' clause, so
attribution text can never be read as a command and no event routes into the
broken OIDC path. Explicit '@claude' mentions in issues, issue comments, PR
reviews, and PR review comments remain the trigger. Also drop the now-dead
pull_request.author_association gate clauses (reviewer identity is covered by
sender.author_association) and the pull_request_target-only checkout ref.

If automatic PR-open review is wanted later, it should be a dedicated workflow
with a fixed prompt, not a PR-body mention.

Signed-off-by: phernandez <paul@basicmachines.co>
@phernandez phernandez changed the title fix(ci): let Claude Code workflow self-verify and document CI-on-bot-PR gap fix(ci): drop broken pull_request_target trigger + provision toolchain for Claude workflow Jul 16, 2026
@phernandez
phernandez merged commit 592d250 into main Jul 16, 2026
14 checks passed
@phernandez
phernandez deleted the fix/claude-workflow-selfverify-and-ci branch July 16, 2026 23:43

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3d964bb3c9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

- name: Create virtual env and install dependencies
run: |
uv venv
uv pip install -e ".[dev]"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid installing PR code on PR review triggers

Fresh evidence after the pull_request_target removal: GitHub still runs pull_request_review and pull_request_review_comment workflows on the PR merge ref, and actions/checkout keeps the job token available to later steps by default. When a maintainer mentions @claude on a same-repo PR, this editable install can execute PR-controlled pyproject.toml or build-backend code before Claude starts, with the workflow's contents/pull-requests/issues write permissions; install only trusted base-repo tooling or disable persisted credentials before running any PR-controlled code.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant