
fix(claude-code): wire agentic responses to trusted bot reviews and CI failures #291

@don-petry

Summary

Three gaps in the claude-code-reusable.yml workflow prevent Claude from automatically fixing PR issues raised by trusted bots and CI checks:

  1. claude-ci-fix is broken: check_run is not a supported event type in claude-code-action; every triggered run fails with Action failed with error: Unsupported event type: check_run.
  2. Bot PR reviews are silently ignored — Copilot and Gemini submit pull_request_review events; no job handles them, and pull_request_review is missing from the caller template's on: triggers entirely.
  3. Trusted-bot PR comments are blocked — External bots (e.g. sonarqubecloud[bot], coderabbitai[bot]) post issue_comment events; the claude job's author_association guard (requires OWNER/MEMBER/COLLABORATOR) silently skips them.

Observed failures (2026-05-14)

| Run | Event | Result | Root cause |
| --- | --- | --- | --- |
| 25884853943 | check_run (SonarCloud failure on PR #175) | ❌ Failed | Unsupported event type: check_run |
| 25884855716 | issue_comment by sonarqubecloud[bot] | ⏭ Skipped | author_association == "NONE" |
| PR #175 | Copilot + Gemini reviews submitted | 🔕 Never triggered | pull_request_review not in on: triggers |

Root Causes

1. check_run not supported by claude-code-action

The action's parseGitHubContext() uses a switch over supported event names. check_run hits the default branch and throws:

Unsupported event type: check_run

Supported event types are: issues, issue_comment, pull_request, pull_request_review, pull_request_review_comment, workflow_dispatch, repository_dispatch, schedule, workflow_run.

The claude-ci-fix job's PR-resolution step works correctly, but the action invocation always fails before Claude runs.

2. pull_request_review missing from trigger list and reusable

When Copilot (copilot-pull-request-reviewer[bot]) or Gemini (gemini-code-assist[bot]) submits a PR review, GitHub fires a pull_request_review event. claude-code-action does support this event natively (including automation mode via prompt: with allowed_bots:). However:

  • The caller template (standards/workflows/claude.yml) has no pull_request_review entry in on:.
  • The reusable has no job with github.event_name == 'pull_request_review' from a bot.

Result: the webhook fires, no workflow job runs.

Verified on PR #175: both Copilot and Gemini left top-level pull_request_review events (not inline pull_request_review_comment events), so the existing claude-fix-review-comments job never fired either.

3. Bot issue_comment blocked by author_association guard

The claude job requires:

contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)

GitHub App bots always have author_association: "NONE". The claude-code-action exposes an allowed_bots: input that bypasses the permission check for named bots — this is the correct mechanism, but no job uses it for issue_comment events from external bots.

Proposed Solution

Fix A — Replace check_run with workflow_run for GitHub Actions CI (+ bot comment for external CI)

workflow_run is a supported automation event in claude-code-action. It fires when any named GitHub Actions workflow completes and provides pull_requests[0].number directly.

Reusable change — replace claude-ci-fix's if: condition:

claude-ci-fix:
  if: >-
    github.event_name == 'workflow_run' &&
    github.event.workflow_run.conclusion == 'failure' &&
    github.event.workflow_run.pull_requests[0] != null &&
    github.event.workflow_run.repository.full_name == github.repository
  concurrency:
    group: claude-ci-fix-${{ github.event.workflow_run.head_sha }}
    cancel-in-progress: true
  ...
  steps:
    - uses: anthropics/claude-code-action@...
      with:
        prompt: |
          The CI workflow "${{ github.event.workflow_run.name }}" failed on PR
          #${{ github.event.workflow_run.pull_requests[0].number }}.
          Head SHA: ${{ github.event.workflow_run.head_sha }}
          Run URL: ${{ github.event.workflow_run.html_url }}
          
          Diagnose and fix the failure. Check out the PR branch, read the failed
          logs via `gh run view ${{ github.event.workflow_run.id }} --log-failed`,
          apply the minimal fix, commit, push, and comment on the PR.

Caller template change — replace check_run with workflow_run in standards/workflows/claude.yml:

on:
  # ... existing triggers ...
  workflow_run:
    # List CI workflow names for this repo that Claude should monitor:
    workflows: ["SonarCloud Analysis", "test", "CI"]
    types: [completed]

For external CI app checks (e.g. SonarCloud App, which posts a check_run directly without a GitHub Actions workflow), the bot also posts a detailed issue_comment — this is handled by Fix C below.

Fix B — Add pull_request_review handling for trusted bot reviewers

Caller template change — add trigger:

on:
  pull_request_review:
    types: [submitted]

Reusable change — add new job:

claude-fix-pr-reviews:
  if: >-
    github.event_name == 'pull_request_review' &&
    github.event.review.state != 'APPROVED' &&
    github.event.pull_request.head.repo.full_name == github.repository &&
    contains(
      fromJson('["copilot-pull-request-reviewer[bot]","gemini-code-assist[bot]","coderabbitai[bot]"]'),
      github.event.review.user.login
    )
  concurrency:
    group: claude-fix-pr-reviews-${{ github.event.pull_request.number }}
    cancel-in-progress: true
  runs-on: ubuntu-latest
  timeout-minutes: 60
  permissions:
    contents: write
    id-token: write
    pull-requests: write
    issues: write
    actions: read
    checks: read
  steps:
    - uses: actions/checkout@...
      with:
        token: ${{ secrets.GH_PAT_WORKFLOWS || github.token }}
    - uses: anthropics/claude-code-action@...
      with:
        claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
        github_token: ${{ secrets.GH_PAT_WORKFLOWS || github.token }}
        allowed_bots: "copilot-pull-request-reviewer,gemini-code-assist,coderabbitai"
        claude_args: |
          --allowedTools "Bash(gh pr checkout:*),Bash(gh pr view:*),Bash(gh pr comment:*),Bash(gh api:*),Bash(git*:*),Edit,Write"
        prompt: |
          ${{ github.event.review.user.login }} submitted a PR review on
          PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.html_url }}).

          Review state: ${{ github.event.review.state }}
          Review body:
          ${{ github.event.review.body }}

          Your job: address all open (unresolved) review threads on this PR and bring it
          to a passing, fully-reviewed state. Follow the same cycle as claude-fix-review-comments:
          fetch open threads → apply fixes → commit → resolve threads → wait for CI → repeat.

Note on APPROVED filter: Skip approved reviews — no action needed. Only act on COMMENTED and CHANGES_REQUESTED states.

Fix C — Add issue_comment handling for trusted external-tool bots

Reusable change — add new job:

claude-fix-bot-comments:
  if: >-
    github.event_name == 'issue_comment' &&
    github.event.issue.pull_request &&
    github.event.comment.user.login != 'claude[bot]' &&
    contains(
      fromJson('["sonarqubecloud[bot]","coderabbitai[bot]"]'),
      github.event.comment.user.login
    )
  concurrency:
    group: claude-fix-bot-comment-${{ github.event.issue.number }}-${{ github.event.comment.id }}
    cancel-in-progress: false
  runs-on: ubuntu-latest
  timeout-minutes: 60
  permissions:
    contents: write
    id-token: write
    pull-requests: write
    issues: write
    actions: read
    checks: read
  steps:
    - uses: actions/checkout@...
      with:
        token: ${{ secrets.GH_PAT_WORKFLOWS || github.token }}
    - uses: anthropics/claude-code-action@...
      with:
        claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
        github_token: ${{ secrets.GH_PAT_WORKFLOWS || github.token }}
        allowed_bots: "sonarqubecloud,coderabbitai"
        claude_args: |
          --allowedTools "Bash(gh pr checkout:*),Bash(gh pr view:*),Bash(gh pr comment:*),Bash(gh api:*),Bash(git*:*),Edit,Write"
        prompt: |
          ${{ github.event.comment.user.login }} posted the following comment on
          PR #${{ github.event.issue.number }}:

          ---
          ${{ github.event.comment.body }}
          ---

          Diagnose the reported issues, apply minimal fixes to the PR branch,
          commit, push, and leave a comment on the PR summarising what you changed.
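To check the gating logic of Fixes A, B and C offline before touching the workflow, the following added example (not part of this issue or of claude-code-reusable.yml) transcribes the old claude job guard and the three proposed if: expressions into plain Python and runs them over constructed webhook payloads shaped like the three rows of the "Observed failures" table, plus a fork review and an approved review. The repository name, comment ids and bodies are constructed samples, and the conditions are reproduced exactly as the issue writes them, so the functions return what the workflow jobs would decide for each event.

```python
"""Offline evaluation of the job gates proposed in this issue (added example).

Each function mirrors one `if:` expression from the issue body. Payloads below
are constructed samples shaped like GitHub webhook events, not real run data.
"""

OWN_REPO = "example-org/example-repo"  # stands in for github.repository (constructed)

# Allowlists exactly as named in the proposed jobs.
REVIEW_BOTS = {"copilot-pull-request-reviewer[bot]", "gemini-code-assist[bot]", "coderabbitai[bot]"}
COMMENT_BOTS = {"sonarqubecloud[bot]", "coderabbitai[bot]"}
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}


def old_claude_guard(event_name, payload):
    """The existing claude job guard: author_association must be OWNER/MEMBER/COLLABORATOR.
    GitHub App bots always carry "NONE", so every bot comment is skipped here."""
    if event_name != "issue_comment":
        return False
    return payload["comment"]["author_association"] in TRUSTED_ASSOCIATIONS


def ci_fix_should_run(event_name, payload, repo=OWN_REPO):
    """Fix A: claude-ci-fix keyed on workflow_run. A check_run event never qualifies,
    matching the fact that the action rejects it before Claude runs."""
    if event_name != "workflow_run":
        return False
    run = payload["workflow_run"]
    return (
        run["conclusion"] == "failure"
        and bool(run.get("pull_requests"))  # pull_requests[0] != null
        and run["repository"]["full_name"] == repo
    )


def pr_review_fix_should_run(event_name, payload, repo=OWN_REPO):
    """Fix B: claude-fix-pr-reviews on non-APPROVED reviews from allowlisted bots,
    only when the PR head lives in this repository (fork safety)."""
    if event_name != "pull_request_review":
        return False
    review, pr = payload["review"], payload["pull_request"]
    return (
        review["state"] != "APPROVED"
        and pr["head"]["repo"]["full_name"] == repo
        and review["user"]["login"] in REVIEW_BOTS
    )


def bot_comment_fix_should_run(event_name, payload):
    """Fix C: claude-fix-bot-comments on PR comments from allowlisted tool bots,
    excluding Claude's own comments to avoid self-triggering."""
    if event_name != "issue_comment":
        return False
    login = payload["comment"]["user"]["login"]
    return (
        bool(payload["issue"].get("pull_request"))
        and login != "claude[bot]"
        and login in COMMENT_BOTS
    )


def evaluate(event_name, payload):
    """Return which jobs would run for one event, old guard and new jobs side by side."""
    return {
        "claude (old guard)": old_claude_guard(event_name, payload),
        "claude-ci-fix": ci_fix_should_run(event_name, payload),
        "claude-fix-pr-reviews": pr_review_fix_should_run(event_name, payload),
        "claude-fix-bot-comments": bot_comment_fix_should_run(event_name, payload),
    }


# Constructed payloads modelled on the "Observed failures" table.
SONAR_COMMENT = {
    "issue": {"number": 175, "pull_request": {"url": "PLACEHOLDER_PR_URL"}},
    "comment": {"id": 1, "user": {"login": "sonarqubecloud[bot]"},
                "author_association": "NONE", "body": "Quality Gate failed (constructed)"},
}
CHECK_RUN = {"check_run": {"conclusion": "failure", "name": "SonarCloud"}}
FAILED_RUN = {"workflow_run": {"conclusion": "failure", "pull_requests": [{"number": 175}],
                               "repository": {"full_name": OWN_REPO}}}
COPILOT_REVIEW = {
    "review": {"state": "COMMENTED", "user": {"login": "copilot-pull-request-reviewer[bot]"},
               "body": "Consider handling the error (constructed)"},
    "pull_request": {"number": 175, "head": {"repo": {"full_name": OWN_REPO}}},
}
FORK_REVIEW = {**COPILOT_REVIEW,
               "pull_request": {"number": 176, "head": {"repo": {"full_name": "someone/fork"}}}}
APPROVED_REVIEW = {**COPILOT_REVIEW,
                   "review": {**COPILOT_REVIEW["review"], "state": "APPROVED"}}

if __name__ == "__main__":
    for name, (ev, payload) in {
        "sonar comment": ("issue_comment", SONAR_COMMENT),
        "check_run": ("check_run", CHECK_RUN),
        "workflow_run failure": ("workflow_run", FAILED_RUN),
        "copilot review": ("pull_request_review", COPILOT_REVIEW),
        "fork review": ("pull_request_review", FORK_REVIEW),
        "approved review": ("pull_request_review", APPROVED_REVIEW),
    }.items():
        print(f"{name:22s} -> {evaluate(ev, payload)}")
```

Running it shows the sonar comment skipped by the old guard but picked up by claude-fix-bot-comments, the check_run event matching nothing while the equivalent workflow_run failure reaches claude-ci-fix, and the fork and approved reviews correctly rejected by claude-fix-pr-reviews.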

Files to Change

| File | Change |
| --- | --- |
| .github/workflows/claude-code-reusable.yml | Replace claude-ci-fix's if: for workflow_run; add claude-fix-pr-reviews job; add claude-fix-bot-comments job |
| standards/workflows/claude.yml | Add pull_request_review: [submitted] and workflow_run: [completed] to on: |
| All repos consuming claude.yml | Add repo-specific workflow names under workflow_run.workflows |

Security Considerations

  • allowed_bots bypasses author_association only for named bots. Wildcard * is not used.
  • Fork safety: all three new jobs gate on head.repo.full_name == github.repository, preventing fork PRs from triggering write-access jobs.
  • Concurrency guards: cancel-in-progress: true prevents cascading runs when multiple bot events arrive in quick succession.
  • Bot allowlists: named explicitly (copilot-pull-request-reviewer[bot], gemini-code-assist[bot], sonarqubecloud[bot], coderabbitai[bot]). New bots must be added intentionally.
  • OIDC invariant: Adding triggers (pull_request_review, workflow_run) to claude.yml on main does not violate the OIDC constraint — the constraint is that the file on any PR branch must match main, which is satisfied as long as PRs don't modify claude.yml.

Acceptance Criteria

  • A SonarCloud check failure on a PR triggers Claude to diagnose and fix within 2 minutes
  • A Copilot or Gemini review (state: COMMENTED or CHANGES_REQUESTED) triggers Claude to address all open threads
  • A sonarqubecloud[bot] quality gate comment triggers Claude to fix the reported issues
  • No job triggers on fork PRs or on bot comments from unlisted bots
  • claude-ci-fix no longer produces "Unsupported event type: check_run" errors
