fix(ci): drop broken pull_request_target trigger + provision toolchain for Claude workflow#1091
Conversation
Two follow-ups to #1087, which unblocked @claude from opening PRs: 1. Provision python/uv/just + install deps in the claude job (mirroring test.yml's known-good setup) so a run can execute the project quality gates before pushing. Without a toolchain the runner has no just/uv, so a run wastes its whole time budget on pip workarounds and can time out AFTER writing the code but BEFORE committing — exactly what killed the first #1011 run at 25m, losing the work with the ephemeral runner. 2. Document the known limitation that @claude-authored PRs get no CI: the job pushes with GITHUB_TOKEN, GitHub does not fire push-triggered workflows for GITHUB_TOKEN pushes, and test.yml is push-only, so a claude/** branch never runs the test suite. The self-verify step is a partial mitigation; the proper fix is pushing with a PAT/App token as the action's github_token (a repo-admin task — create the token + secret), noted inline. Signed-off-by: phernandez <paul@basicmachines.co>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 444e6bf6a3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: Create virtual env and install dependencies | ||
| run: | | ||
| uv venv | ||
| uv pip install -e ".[dev]" |
There was a problem hiding this comment.
Avoid installing PR code under pull_request_target
When this workflow is triggered by pull_request_target for a member/collaborator PR, the checkout step has already selected github.event.pull_request.head.sha while the job has write-scoped permissions, so this command installs the PR's editable package before Claude starts. A PR can change pyproject.toml, the build backend, or dependency metadata so uv pip install -e executes PR-controlled build/install code with the workflow token still available through the checkout credentials, turning the self-verify setup into automatic privileged code execution; install only trusted base-repo tooling before the action, or move untrusted installation into a lower-permission context.
Useful? React with 👍 / 👎.
Anthropic's OIDC exchange is broken for the pull_request_target event (401 'Invalid OIDC token'; anthropics/claude-code-action#713). The workflow invoked that path whenever a PR body contained '@claude' — and bot-authored PR descriptions carry attribution text ('Generated by the @claude workflow'), so opening #1088/#1089/#1090/#1091 self-triggered the broken path and each failed its 'claude' check with a 401. A normal issue_comment run succeeded with the same secret in between, so the OAuth token is valid and needs no rotation. Remove the pull_request_target trigger and its PR-body '@claude' clause, so attribution text can never be read as a command and no event routes into the broken OIDC path. Explicit '@claude' mentions in issues, issue comments, PR reviews, and PR review comments remain the trigger. Also drop the now-dead pull_request.author_association gate clauses (reviewer identity is covered by sender.author_association) and the pull_request_target-only checkout ref. If automatic PR-open review is wanted later, it should be a dedicated workflow with a fixed prompt, not a PR-body mention. Signed-off-by: phernandez <paul@basicmachines.co>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3d964bb3c9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: Create virtual env and install dependencies | ||
| run: | | ||
| uv venv | ||
| uv pip install -e ".[dev]" |
There was a problem hiding this comment.
Avoid installing PR code on PR review triggers
Fresh evidence after the pull_request_target removal: GitHub still runs pull_request_review and pull_request_review_comment workflows on the PR merge ref, and actions/checkout keeps the job token available to later steps by default. When a maintainer mentions @claude on a same-repo PR, this editable install can execute PR-controlled pyproject.toml or build-backend code before Claude starts, with the workflow's contents/pull-requests/issues write permissions; install only trusted base-repo tooling or disable persisted credentials before running any PR-controlled code.
Useful? React with 👍 / 👎.
Hardens
.github/workflows/claude.ymlafter #1087 unblocked the bot from opening PRs. Three fixes, most important first.1. Stop the OIDC 401 self-trigger (primary)
Opening #1088/#1089/#1090/#1091 each failed its
claudecheck with401 Unauthorized – Invalid OIDC token. Root cause (confirmed via a cross-check): Anthropic's OIDC exchange is broken for thepull_request_targetevent (anthropics/claude-code-action#713), and the workflow invoked that path whenever a PR body contained the bot mention. Bot-authored PR descriptions carry attribution text like "Generated by the … workflow", so simply opening a bot PR self-triggered the broken path. A normalissue_commentrun succeeded with the same secret in between — the OAuth token is valid and needs no rotation.Fix: remove the
pull_request_targettrigger and its PR-body clause, so attribution text can never be read as a command and no event routes into the broken OIDC path. Explicit bot mentions in issues, issue comments, PR reviews, and PR review comments remain the trigger. Also removed the now-deadpull_request.author_associationgate clauses (reviewer identity is covered bysender.author_association) and thepull_request_target-only checkout ref. Removingpull_request_targetalso drops the fork-exploit vector that write permissions otherwise carry.2. Provision a toolchain so runs can self-verify
The Actions runner has no
just/uv, so a run burns its whole time budget onpipworkarounds and can time out after writing the code but before committing — that killed the first #1011 run at 25m. Adds python 3.12 +uv+just+uv pip install -e ".[dev]", mirroringtest.yml's known-good setup.3. Document the CI-on-bot-PR gap
The bot pushes its branch with
GITHUB_TOKEN; GitHub does not firepushworkflows forGITHUB_TOKENpushes, andtest.ymlis push-only — so aclaude/**branch never runs the suite and the PR reads "mergeable" while unvalidated. Documented inline; the proper fix (a PAT/App token as the action'sgithub_token) is a repo-admin task and needs a secret that does not exist yet.Note
The
claudecheck on this PR will keep 401-ing until this lands onmain, becausepull_request_targetruns use the workflow from the default branch. Merging removes the trigger for good.🤖 Generated with Claude Code