fix(claude-code): wire agentic responses to trusted bot reviews and CI failures#292
don-petry wants to merge 12 commits into
Conversation
…I failures

- Replace check_run trigger with workflow_run in claude-ci-fix job. check_run is not a supported event type in claude-code-action; workflow_run is supported and provides pull_requests[0].number directly. Fork-safety is enforced via pull_requests[0].head.repo.full_name == github.repository.
- Add claude-fix-pr-reviews job for pull_request_review events from trusted AI reviewer bots (Copilot, Gemini, CodeRabbit). Skips APPROVED reviews; acts on COMMENTED and CHANGES_REQUESTED. Uses allowed_bots to bypass the author_association guard that would otherwise skip bot actors.
- Add claude-fix-bot-comments job for issue_comment events from trusted external CI tools (SonarCloud, CodeRabbit) on PRs. These bots have author_association NONE which causes the claude job to silently skip them.
- Update standards/workflows/claude.yml template: replace check_run with workflow_run (with example workflow names) and add pull_request_review. Update header comment to list the new triggers.
- Update standards/ci-standards.md: update standard config example, job descriptions, and compliance audit mention to reflect the new approach.

Closes #291

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
📝 Walkthrough
The PR migrates Claude Code CI automation from unsupported
Changes: Claude Code Automation Refactor and Expansion
Sequence Diagram

```mermaid
sequenceDiagram
    participant GitHub as GitHub Events
    participant Workflow as claude-code-reusable.yml
    participant Claude as anthropics/claude-code-action
    participant Repo as Repository
    GitHub->>Workflow: workflow_run (failure)
    Workflow->>Claude: claude-ci-fix job
    Claude->>Repo: checkout & diagnose failure
    Claude->>Repo: apply CI fixes
    GitHub->>Workflow: pull_request_review (AI bot)
    Workflow->>Claude: claude-fix-pr-reviews job
    Claude->>Repo: fetch unresolved review threads
    Claude->>Repo: fix code & resolve threads
    GitHub->>Workflow: issue_comment (trusted bot)
    Workflow->>Claude: claude-fix-bot-comments job
    Claude->>Repo: apply minimal fixes per comment
    Claude->>Repo: post summary comment
```
Estimated Code Review Effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ 5 passed
The PR is ready for review. @petry-projects/org-leads — please review and merge when CI is green. What this fixes:
Required follow-up per adopting repo: Update each repo's
Pull request overview
Wires up automated Claude responses for cases that were previously silently dropped: bot-authored PR reviews, bot-authored PR comments from external CI tools (NONE author_association), and CI failures (since check_run is unsupported by claude-code-action).
Changes:
- Replaces the broken `check_run` trigger/job with a `workflow_run`-based `claude-ci-fix` flow, removing the runtime fork-check shell step in favor of an `if:` gate.
- Adds two new reusable jobs: `claude-fix-pr-reviews` (top-level `pull_request_review` from Copilot/Gemini/CodeRabbit) and `claude-fix-bot-comments` (`issue_comment` from SonarCloud/CodeRabbit) using `allowed_bots`.
- Updates standard template triggers and `ci-standards.md` to describe the five-job layout.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/claude-code-reusable.yml | Rewrites claude-ci-fix for workflow_run and adds bot review/comment jobs. |
| standards/workflows/claude.yml | Swaps check_run for workflow_run and adds pull_request_review trigger. |
| standards/ci-standards.md | Documents the new job set and updated trigger requirements. |
| - '.github/workflows/claude.yml' # OIDC invariant — see header above | ||
| issue_comment: | ||
| types: [created] | ||
| pull_request_review: | ||
| types: [submitted] | ||
| pull_request_review_comment: | ||
| types: [created] | ||
| issues: | ||
| types: [labeled] | ||
| check_run: | ||
| workflow_run: | ||
| # List the GitHub Actions workflow names in this repo that Claude should | ||
| # monitor for CI failures on PRs. Replace or extend this list with the | ||
| # actual workflow names (the `name:` field) used in your repo. | ||
| # The reusable workflow's claude-ci-fix job only acts on failures that | ||
| # are associated with an open same-repo PR — push-to-main runs are | ||
| # ignored automatically. | ||
| workflows: ["CI", "SonarCloud Analysis", "build-and-test"] | ||
| types: [completed] |
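Review bot: the header comment in this template should say where the fork protection actually lives. `workflow_run` and `issue_comment` workflows run from the default branch with the base repository's `GITHUB_TOKEN` and secrets no matter which repository the PR head is in, so nothing in this trigger block keeps a fork PR away from the write-enabled jobs; the line "only acts on failures that are associated with an open same-repo PR" is true only because of the `if:` gate inside the reusable workflow. Adopters who edit the `workflows:` list should be told explicitly not to rely on the trigger list for that.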
| > will error on every trigger. The weekly compliance audit | ||
| > (`check_claude_workflow_checkout`) detects repos missing the checkout step or | ||
| > the `check_run` trigger and creates a labeled issue to drive remediation. | ||
| > the `workflow_run` trigger and creates a labeled issue to drive remediation. |
Code Review
This pull request updates the Claude CI standards and workflow template to expand automation capabilities. It replaces the check_run trigger with workflow_run for CI failure responses and introduces two new jobs, claude-fix-pr-reviews and claude-fix-bot-comments, to handle feedback from AI reviewer bots and external CI tools. Corresponding documentation and the example workflow configuration have been updated to reflect these changes. I have no feedback to provide.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bf44722498
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| github.event.workflow_run.pull_requests[0] != null && | ||
| github.event.workflow_run.pull_requests[0].head.repo.full_name == github.repository |
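Review bot: this gate compares against a field the event does not carry. In the `workflow_run` payload, `pull_requests[].head.repo` is the minimal repository object (`id`, `name`, `url`), so `.full_name` evaluates to null and the job is skipped for every same-repo failure. The full repository object is `github.event.workflow_run.head_repository`, so the condition should be `github.event.workflow_run.head_repository.full_name == github.repository`. Keep the `pull_requests[0] != null` check in front of it: the array is empty when the head is in a fork, and the prompt later reads `pull_requests[0].number`.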
Use a real workflow_run repo field for the fork gate
For failed PR workflow runs, this fork-safety check reads pull_requests[0].head.repo.full_name, but the workflow_run webhook's PR repo ref only contains id, url, and name (the full repo object is exposed separately as workflow_run.head_repository). Because this property is absent, same-repo PR failures evaluate this condition as false and claude-ci-fix never runs, which defeats the CI-failure automation this change is adding.
| github.event_name == 'pull_request_review' && | ||
| github.event.review.state != 'APPROVED' && | ||
| github.event.pull_request.head.repo.full_name == github.repository && |
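Review bot: the case of `'APPROVED'` is not a defect here; GitHub Actions expressions ignore string case when comparing, so this condition evaluates correctly against the lowercase `approved` / `commented` / `changes_requested` the webhook delivers. What the gate does not check is whether a `commented` review carries anything actionable: a bot summary review with no threads and no requested changes passes this condition and starts a write-enabled run whose prompt then finds nothing to resolve. Consider also requiring a non-empty `github.event.review.body`, or have the thread-fetch step exit early when there is nothing to address.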
Compare PR review states using lowercase values
On pull_request_review events GitHub documents github.event.review.state as lowercase values such as approved, commented, and changes_requested. With this uppercase comparison, an approved review from Copilot/Gemini/CodeRabbit still satisfies the job condition and starts an unnecessary write-enabled Claude run even though the comment says approvals should be skipped.
| > will error on every trigger. The weekly compliance audit | ||
| > (`check_claude_workflow_checkout`) detects repos missing the checkout step or | ||
| > the `check_run` trigger and creates a labeled issue to drive remediation. | ||
| > the `workflow_run` trigger and creates a labeled issue to drive remediation. |
Update the audit before claiming workflow_run compliance
This standard now says the weekly audit detects the workflow_run trigger, but scripts/compliance-audit.sh still greps for check_run: and emits claude-missing-check-run-trigger. Any repo that copies the new workflow_run template will therefore continue to get false compliance findings and remediation issues until the audit is updated alongside the standard.
| github.event.issue.pull_request && | ||
| github.event.comment.user.login != 'claude[bot]' && | ||
| contains( | ||
| fromJson('["sonarqubecloud[bot]","coderabbitai[bot]"]'), | ||
| github.event.comment.user.login |
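Review bot: the allowlist on `comment.user.login` cannot be impersonated by a user account (GitHub usernames allow only alphanumerics and hyphens, so `[bot]` logins belong only to GitHub Apps), but it verifies who posted, not what the PR is. `github.event.issue.pull_request` proves the comment sits on a PR, not that the PR head is in this repository, and `issue_comment` runs from the default branch with the write token and secrets wherever the head lives. A `pulls.get` on `github.event.issue.number` comparing `head.repo.full_name` with `github.repository` before checkout closes that gap, and the prompt should treat the bot comment body as data to act on within the fix cycle, since these bots quote paths and snippets from the PR itself.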
Add the same-repo gate to bot issue comments
When CodeRabbit or SonarCloud comments on a PR opened from a fork, this condition still starts the write- and secret-bearing Claude job because issue_comment events only prove that the issue is a PR, not that the PR head is in this repository. The other new automation paths explicitly gate on same-repo heads before running Claude; this path should fetch the PR and skip fork heads before exposing the PAT/OIDC-backed action to untrusted PR content.
| # The reusable workflow's claude-ci-fix job only acts on failures that | ||
| # are associated with an open same-repo PR — push-to-main runs are | ||
| # ignored automatically. | ||
| workflows: ["CI", "SonarCloud Analysis", "build-and-test"] |
Do not ship fixed workflow names in the reusable stub
The caller stub is still documented as an immutable file to adopt verbatim, but this new workflow_run filter only fires for workflows whose name: is exactly one of these three strings. Repos whose CI workflow is named differently will copy the standard and silently lose claude-ci-fix coverage, because GitHub only triggers workflow_run for the names listed here; this needs a repo-specific generation path or a non-misleading placeholder instead of fixed defaults.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c826ad3be3
| group: claude-fix-pr-reviews-${{ github.event.pull_request.number }} | ||
| cancel-in-progress: true |
Serialize bot review handlers per PR
When a trusted bot submits a review that contains inline comments, this new pull_request_review job can run at the same time as the existing claude-fix-review-comments job from the pull_request_review_comment trigger for the same PR. Because the two jobs use different concurrency groups, both write-enabled Claude runs can check out the same branch, apply fixes, resolve threads, and push concurrently, causing lost commits or failed pushes; use the same per-PR group (or otherwise suppress one path) for review/comment handlers on the same PR.
| group: claude-fix-bot-comment-${{ github.event.issue.number }}-${{ github.event.comment.id }} | ||
| cancel-in-progress: false |
Serialize bot comment fixes per PR
When SonarCloud or CodeRabbit posts more than one PR comment for the same analysis cycle, this group includes github.event.comment.id, so each comment starts a separate write-enabled Claude run against the same PR branch. Since the prompt tells every run to apply fixes, commit, and push, concurrent bot-comment runs can race and either fail pushes or overwrite each other's fixes; key the concurrency group by the PR number instead if only one fixer should mutate a PR at a time.
| Review body: | ||
| ${{ github.event.review.body }} | ||
|
|
||
| Your job: address all open (unresolved) review threads on this PR and bring it to a passing, fully-reviewed state. Follow the same cycle as claude-fix-review-comments: fetch open threads → apply fixes → commit → resolve threads → wait for CI → repeat. |
Address the review body, not only threads
For a trusted bot review that puts its actionable feedback in the top-level review body without inline review threads, this job fires but the prompt only tells Claude to fetch and address open review threads. Since the top-level review body is not an unresolved thread, Claude can find no threads to resolve and leave the actual CHANGES_REQUESTED feedback untouched; explicitly instruct it to address the review body before or in addition to thread processing.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 484897a3b2
| github.event_name == 'workflow_run' && | ||
| github.event.workflow_run.conclusion == 'failure' && | ||
| github.event.workflow_run.pull_requests[0] != null && | ||
| github.event.workflow_run.pull_requests[0].head.repo.full_name == github.repository |
Update this repo’s caller before requiring workflow_run
In the current repository, .github/workflows/claude.yml still calls this reusable workflow from only pull_request, issue_comment, pull_request_review_comment, issues, and check_run events; it does not declare workflow_run. After this condition was changed from check_run to workflow_run, the dogfood caller will never pass a CI-failure event into claude-ci-fix, so CI-failure automation stops working for this repo until the caller is updated alongside the reusable.
| github.event_name == 'pull_request_review' && | ||
| github.event.review.state != 'APPROVED' && | ||
| github.event.pull_request.head.repo.full_name == github.repository && | ||
| contains( | ||
| fromJson('["copilot-pull-request-reviewer[bot]","gemini-code-assist[bot]","coderabbitai[bot]"]'), | ||
| github.event.review.user.login | ||
| ) |
Add the review trigger to the dogfood caller
This new job can only run when the caller workflow is triggered by pull_request_review, but the repository’s own .github/workflows/claude.yml still has no pull_request_review event, so top-level Copilot/Gemini/CodeRabbit reviews on this repo will never reach the reusable workflow. Update the dogfood caller at the same time as adding this handler, otherwise the automation being introduced here is inert for this repository.
| workflow_run: # enables claude-ci-fix — do not remove | ||
| workflows: [...] # list CI workflow names this repo monitors (repo-specific) |
Replace the ellipsis before agents copy it
This Standard configuration block is meant to be copied when wiring Claude, but workflows: [...] is parsed as a literal workflow-name list containing "..."; a repo that copies the block without noticing the placeholder will install a valid workflow that never receives CI-failure workflow_run events. Use an explicit placeholder that cannot be copied silently, or point readers only to the repo-specific template path.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 484897a3b2
| github.event_name == 'check_run' && | ||
| github.event.check_run.conclusion == 'failure' && | ||
| !startsWith(github.event.check_run.name, 'claude-code / ') | ||
| github.event_name == 'workflow_run' && |
Keep the live caller in sync with workflow_run
In this repo I checked the actual caller .github/workflows/claude.yml, and it still only subscribes to check_run plus the older PR/comment events; it does not trigger on workflow_run or pull_request_review. After this condition switches claude-ci-fix to require workflow_run, the central repo's existing caller will invoke the reusable workflow on check_run events where this job is always skipped, so CI-failure fixing stops working here until the live caller is updated or the reusable keeps a migration path for check_run.
| fromJson('["copilot-pull-request-reviewer[bot]","gemini-code-assist[bot]","coderabbitai[bot]"]'), | ||
| github.event.review.user.login |
Allow the Copilot actor through this bot gate
For Copilot review events where the actor/login is Copilot, this new top-level-review handler never runs because this allowlist only includes copilot-pull-request-reviewer[bot]. I checked the existing inline review-comment handler in this same workflow and it already allows both Copilot and copilot-pull-request-reviewer[bot], and the Claude action's actor validation also special-cases GITHUB_ACTOR="Copilot"; without the same entry here, the gap this job is meant to close for Copilot reviews remains for those events.
| 5. Commit and push the fix to the PR branch. | ||
| 6. Leave a concise comment on PR #${{ steps.pr.outputs.number }} explaining what you found and what you changed. | ||
| 6. Leave a concise comment on PR #${{ github.event.workflow_run.pull_requests[0].number }} explaining what you found and what you changed. |
Permit git before asking CI fixer to push
This newly reachable workflow_run path still has claude_args limited to gh commands plus Edit,Write and does not grant Bash(git*:*), unlike the mutating review/comment jobs added below, but the prompt requires Claude to commit and push the fix. When a monitored CI workflow fails, Claude can edit files but cannot run the git commit/git push operations needed to deliver them under the allowed-tools gate, so the CI-fix automation stalls before applying the requested repair.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b77911707d
| pull_request_review: # enables claude-fix-pr-reviews — do not remove | ||
| types: [submitted] |
Point standard config at a real review handler
In this Standard configuration snippet, adding pull_request_review does not actually enable claude-fix-pr-reviews: the jobs shown below are still the old inline claude/claude-issue jobs, and the claude job's if only handles pull_request, issue_comment, and pull_request_review_comment. Repos that copy this block instead of the separate reusable stub will subscribe to top-level bot reviews but run no fixer for them, so the new Copilot/Gemini/CodeRabbit review automation remains inert in those repos.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8cf94b2b0b
| github.event.issue.pull_request && | ||
| github.event.comment.user.login != 'claude[bot]' && | ||
| contains( | ||
| fromJson('["sonarqubecloud[bot]","coderabbitai[bot]"]'), |
Include the legacy SonarCloud bot login
For repositories whose SonarCloud PR decorations still arrive from the legacy sonarcloud[bot] account, this allowlist skips the new fixer entirely even though the job is documented as handling SonarCloud comments. I checked this repo's existing bot filtering and it already allows both sonarcloud[bot] and sonarqubecloud[bot], so add the legacy login here as well (and to allowed_bots) to avoid leaving those quality-gate comments unhandled.
Superseded by automated re-review at
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/claude-code-reusable.yml:
- Around line 249-256: The prompt currently references "Follow the same cycle as
claude-fix-review-comments" which is not self-contained; replace that reference
in the prompt block with an explicit, minimal actionable cycle (e.g., checkout
PR, rebase to base branch, fetch unresolved review threads, apply fixes or reply
when human input is needed, commit & push changes as claude[bot], resolve
threads via GraphQL, wait for CI and repeat until green, then post a summary) so
Claude has all steps; update the prompt text that includes the variable
interpolations (the multi-line prompt under prompt: |) and ensure it names the
referenced job (claude-fix-review-comments) and then lists the concrete steps in
order so the workflow can run without external context.
- Around line 263-270: Add the same fork-safety PR ownership check to the
claude-fix-bot-comments job that exists in claude-ci-fix and
claude-fix-pr-reviews: insert an initial step (using actions/github-script@v7)
that calls the GitHub REST pulls.get for context.issue.number, then compare
pr.data.head.repo.full_name to context.repo.full_name and call
core.setFailed('Cannot run on fork') if they differ so the job aborts for PRs
coming from forks (this must run before any bot-allowlist logic that assumes
full repo access).
In `@standards/ci-standards.md`:
- Around line 383-385: The YAML example uses an invalid placeholder `workflows:
[...]`; update the `workflow_run` block to show a concrete, copy-pasteable
example by replacing `workflows: [...]` with a real list (e.g., `workflows:
['CI']` or a multi-line list with `- CI` and `- Build`) and keep a short inline
comment explaining to replace with the repo's workflow names; edit the
`workflow_run` section (reference symbol: workflow_run and key: workflows) so
the template is valid YAML and clearly actionable.
- Line 347: The inline CLI command gh run view --log-failed is not formatted as
code like other inline references; update the document text to wrap gh run view
--log-failed in inline code formatting (backticks) wherever it appears to match
the surrounding style and maintain consistency with other inline code examples.
📒 Files selected for processing (3)
- .github/workflows/claude-code-reusable.yml
- standards/ci-standards.md
- standards/workflows/claude.yml
| prompt: | | ||
| ${{ github.event.review.user.login }} submitted a PR review on PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.html_url }}). | ||
|
|
||
| Review state: ${{ github.event.review.state }} | ||
| Review body: | ||
| ${{ github.event.review.body }} | ||
|
|
||
| Your job: address all open (unresolved) review threads on this PR and bring it to a passing, fully-reviewed state. Follow the same cycle as claude-fix-review-comments: fetch open threads → apply fixes → commit → resolve threads → wait for CI → repeat. |
Incomplete prompt: "the same cycle" reference is not self-contained.
The prompt instructs Claude to "Follow the same cycle as claude-fix-review-comments" but doesn't include the actual cycle steps. In a fresh workflow run, Claude has no context about what this cycle entails. The referenced job (claude-fix-review-comments) has detailed 8-step instructions (fetch threads → apply fixes → commit → resolve threads → wait for CI → repeat), none of which are present here.
Either embed the full cycle instructions or provide a minimal actionable prompt. Without this, Claude may fail to perform the expected behavior.
Proposed fix: Embed the cycle instructions
prompt: |
${{ github.event.review.user.login }} submitted a PR review on PR #${{ github.event.pull_request.number }} (${{ github.event.pull_request.html_url }}).
Review state: ${{ github.event.review.state }}
Review body:
${{ github.event.review.body }}
- Your job: address all open (unresolved) review threads on this PR and bring it to a passing, fully-reviewed state. Follow the same cycle as claude-fix-review-comments: fetch open threads → apply fixes → commit → resolve threads → wait for CI → repeat.
+ Your job: work through ALL open (unresolved) review threads on this PR and bring it to a passing, fully-reviewed state. Repeat the cycle below until CI is green and every addressable thread is resolved.
+
+ ## Cycle
+
+ ### 1. Check out the PR branch and rebase onto latest main
+ ```
+ gh pr checkout ${{ github.event.pull_request.number }}
+ git fetch origin ${{ github.event.pull_request.base.ref }}
+ git rebase origin/${{ github.event.pull_request.base.ref }}
+ git push --force-with-lease
+ ```
+ If the rebase has conflicts, resolve them, then `git rebase --continue` before pushing.
+
+ ### 2. Fetch all open review threads (collect node IDs)
+ ```
+ gh api graphql -f query='query { repository(owner:"${{ github.repository_owner }}", name:"${{ github.event.repository.name }}") { pullRequest(number:${{ github.event.pull_request.number }}) { reviewThreads(first:250) { nodes { id isResolved comments(first:10) { nodes { path line body author { login } } } } } } } }'
+ ```
+
+ ### 3. Address each unresolved thread
+ For each thread where `isResolved` is false:
+ - Read the comment body and understand the concern.
+ - Apply the appropriate fix. If a `suggestion` block is included, apply it unless you have a clear reason not to.
+ - If a comment needs a human decision, reply explaining what is needed and leave it unresolved.
+
+ ### 4. Commit and push all fixes
+ ```
+ git config user.name "claude[bot]"
+ git config user.email "claude[bot]`@users.noreply.github.com`"
+ git add -A
+ git diff --cached --quiet || git commit -m "fix: address review comments"
+ git push
+ ```
+
+ ### 5. Resolve each addressed thread via GraphQL
+ ```
+ gh api graphql -f query='mutation { resolveReviewThread(input: {threadId: "THREAD_NODE_ID"}) { thread { isResolved } } }'
+ ```
+
+ ### 6. Wait for CI and fix any failures
+ ```
+ gh pr checks ${{ github.event.pull_request.number }} --watch --interval 30
+ ```
+ If any check fails, read logs with `gh run view <run-id> --log-failed`, fix, commit, push, and repeat.
+
+ ### 7. Check for newly opened threads and address if present.
+
+ ### 8. Post a summary comment when CI is green and all addressable threads are resolved.
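Review bot: two things in the proposed prompt need fixing before it is copied into the workflow. In step 4, `git config user.email "claude[bot]`@users.noreply.github.com`"` has stray backticks inside the quoted value, so commits would carry a malformed author address; it should read `"claude[bot]@users.noreply.github.com"`. In step 1, `git push --force-with-lease` after a rebase rewrites the contributor's commits on every cycle from an automated identity; merging the base branch instead, or rebasing only when the branch is behind and pushing once at the end, keeps the PR history intact and avoids repeated force pushes. The review body is also interpolated into the prompt verbatim; since it is bot text that quotes the PR's own files, the prompt should name it as input to reason about, not as instructions to follow.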
| if: >- | ||
| github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request && | ||
| github.event.comment.user.login != 'claude[bot]' && | ||
| contains( | ||
| fromJson('["sonarqubecloud[bot]","coderabbitai[bot]"]'), | ||
| github.event.comment.user.login | ||
| ) |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify what data is available in issue_comment.issue.pull_request
# by checking GitHub's webhook payload documentation examples
# Check if any existing workflows handle fork safety for issue_comment events
rg -n "issue_comment" -A 10 .github/workflows/ | grep -i "fork\|head.repo\|full_name" || echo "No fork safety patterns found for issue_comment"Repository: petry-projects/.github
Length of output: 114
🏁 Script executed:
# Check the actual workflow file structure at the mentioned lines
cat -n .github/workflows/claude-code-reusable.yml | sed -n '160,170p; 214,225p; 259,275p'Repository: petry-projects/.github
Length of output: 2039
🌐 Web query:
GitHub issue_comment webhook payload structure head.repo
💡 Result:
The GitHub issue_comment webhook payload does not contain a head.repo field [1][2]. The issue_comment event payload structure includes the following top-level objects: - action: The action that occurred (e.g., created, edited, deleted) [1][2]. - issue: An object containing details about the issue where the comment was made [1][2]. - comment: An object containing the details of the comment itself [1][2]. - repository: An object containing details about the repository [1][2]. - sender: An object containing details about the user who triggered the event [1][2]. If you are looking for repository information, it is located within the repository object, which includes fields such as full_name, name, owner, and html_url [1][2]. The head.repo structure is typically associated with pull_request events, not issue_comment events [3].
Citations:
- 1: https://docs.github.com/developers/webhooks-and-events/webhook-events-and-payloads
- 2: https://docs.github.com/en/webhooks/webhook-events-and-payloads
- 3: https://github.com/octokit/webhooks/blob/main/payload-types/schema.d.ts
🌐 Web query:
GitHub Actions issue_comment event available data fields
💡 Result:
The issue_comment event in GitHub Actions triggers workflows when a comment on an issue or pull request is created, edited, or deleted [1]. When this event occurs, the workflow receives a JSON payload containing detailed information about the activity [2][3][4]. Key fields available in the issue_comment event payload include: action: The activity type that triggered the event, which can be created, edited, or deleted [1][4]. comment: An object containing details about the comment itself, such as the body text, ID, node_id, HTML URL, and the user who created it [2][4]. issue: An object containing details about the issue or pull request where the comment was made, including the issue number, title, state, and labels [2][1][4]. repository: An object containing information about the repository where the event occurred, such as the full name, owner, and default branch [4]. sender: An object representing the user who performed the action [5]. organization: (If applicable) An object containing details about the organization associated with the repository [4]. You can access these fields in your workflow using the github.event context (e.g., ${{ github.event.comment.body }} or ${{ github.event.issue.number }}) [6][1]. Because the issue_comment event applies to both issues and pull requests, you can distinguish between them by checking the github.event.issue.pull_request property; if it exists, the comment was made on a pull request [1]. Note that GitHub periodically updates its API and webhook payloads [7][8]. For example, the author_association field was removed from several event types in late 2025 [7]. Always refer to the official GitHub Webhook events and payloads documentation for the most current schema [2][3].
Citations:
- 1: https://docs.github.com/actions/using-workflows/events-that-trigger-workflows
- 2: https://docs.github.com/developers/webhooks-and-events/webhooks/webhook-events-and-payloads
- 3: https://docs.github.com/en/webhooks/webhook-events-and-payloads
- 4: https://www.magicbell.com/workflows/github/issue-comment-created
- 5: https://dev.to/itsmarydan/ingest-webhooks-from-any-provider-github-as-the-example-hj2
- 6: Get the id from the issue_comment trigger event actions/github-script#419
- 7: https://dev.to/flarecanary/github-silently-removed-payloadcommits-from-pushevent-heres-what-broke-and-how-to-catch-the-2i33
- 8: https://dev.to/flarecanary/github-just-removed-mergecommitsha-from-pull-request-responses-your-release-bot-is-probably-156d
🏁 Script executed:
```shell
# Search for any documentation about PR objectives or comments explaining the fork check requirement
git log --oneline --all -20 | head -20
```
Repository: petry-projects/.github
🏁 Script executed:
```shell
# Check if there are any comments in the workflow about why fork check is skipped for issue_comment
grep -n "claude-fix-bot-comments" -B 5 -A 30 .github/workflows/claude-code-reusable.yml | head -60
```
Repository: petry-projects/.github
Add fork safety check to claude-fix-bot-comments job.
The PR requires gating on repo ownership (head.repo.full_name == github.repository) for all new jobs. This check is present in claude-ci-fix (line 161) and claude-fix-pr-reviews (line 215), but missing from claude-fix-bot-comments (lines 263-270).
For issue_comment events, the webhook payload does not include the PR's head.repo object — only repository (the base repo). To implement the fork check, fetch the PR details via the GitHub API before proceeding:
```yaml
- name: Check fork safety
  uses: actions/github-script@v7
  with:
    script: |
      // Only pull request comments carry a PR number; a comment on a plain issue has nothing to check.
      if (!context.payload.issue.pull_request) {
        core.setFailed('Not a pull request comment');
        return;
      }
      const { data: pr } = await github.rest.pulls.get({
        owner: context.repo.owner,
        repo: context.repo.repo,
        pull_number: context.issue.number,
      });
      // context.repo exposes only owner and repo, so build the base repository's full name by hand.
      const baseRepo = `${context.repo.owner}/${context.repo.repo}`;
      // head.repo is null when the fork has since been deleted; treat that as untrusted as well.
      const headRepo = pr.head.repo ? pr.head.repo.full_name : null;
      if (headRepo !== baseRepo) {
        core.setFailed(`Cannot run on fork (head: ${headRepo ?? 'deleted'}, base: ${baseRepo})`);
      }
```
While the bot allowlist (SonarCloud, CodeRabbit) provides some protection, this creates an inconsistent security posture across jobs.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/claude-code-reusable.yml around lines 263 - 270, Add the
same fork-safety PR ownership check to the claude-fix-bot-comments job that
exists in claude-ci-fix and claude-fix-pr-reviews: insert an initial step (using
actions/github-script@v7) that calls the GitHub REST pulls.get for
context.issue.number, then compare pr.data.head.repo.full_name to
context.repo.full_name and call core.setFailed('Cannot run on fork') if they
differ so the job aborts for PRs coming from forks (this must run before any
bot-allowlist logic that assumes full repo access).
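The three gates this review and the PR's Security section describe (same-repo head for `workflow_run` and `pull_request_review`, an API lookup for `issue_comment`, plus the bot allowlists and the APPROVED skip) as one pure decision function, added here as an example; it is not code from the PR or from `claude-code-action`. The bot login names are the ones the PR description lists; the function names, the `prFromApi` parameter, the reason strings and the sample payloads are constructed for illustration and follow the GitHub webhook payload shapes only as far as the fields used here:

```javascript
// Added example: event-gating logic mirroring the PR's fork-safety and allowlist
// checks. Payloads are constructed, not captured from GitHub.

const TRUSTED_REVIEW_BOTS = new Set([
  'copilot-pull-request-reviewer[bot]',
  'gemini-code-assist[bot]',
  'coderabbitai[bot]',
]);
const TRUSTED_COMMENT_BOTS = new Set(['sonarqubecloud[bot]', 'coderabbitai[bot]']);

// True only when the PR head lives in the base repository. A null head.repo
// (fork deleted after the PR was opened) fails closed.
function isSameRepo(pr, baseFullName) {
  const head = pr && pr.head && pr.head.repo ? pr.head.repo.full_name : null;
  return head !== null && head === baseFullName;
}

// Decide whether an agentic job may run for an event. `prFromApi` is the
// result of pulls.get and is needed only for issue_comment, whose payload
// carries no head.repo object.
function shouldRun(eventName, payload, prFromApi = null) {
  const base = payload.repository.full_name;
  switch (eventName) {
    case 'workflow_run': {
      const run = payload.workflow_run;
      if (run.conclusion !== 'failure') return { run: false, reason: 'not a failure' };
      // pull_requests is empty when the run is not tied to an open PR in this repo.
      const pr = run.pull_requests && run.pull_requests[0];
      if (!pr) return { run: false, reason: 'no associated PR' };
      if (!isSameRepo(pr, base)) return { run: false, reason: 'fork PR' };
      return { run: true, reason: `ci-fix for PR #${pr.number}` };
    }
    case 'pull_request_review': {
      const { review, pull_request: pr } = payload;
      // Webhook payloads carry the state in lowercase; normalise before comparing.
      if (review.state.toUpperCase() === 'APPROVED') return { run: false, reason: 'approved, nothing to fix' };
      if (!TRUSTED_REVIEW_BOTS.has(review.user.login)) return { run: false, reason: 'untrusted reviewer' };
      if (!isSameRepo(pr, base)) return { run: false, reason: 'fork PR' };
      return { run: true, reason: `fix-pr-reviews for PR #${pr.number}` };
    }
    case 'issue_comment': {
      const { issue, comment } = payload;
      if (!issue.pull_request) return { run: false, reason: 'comment on an issue, not a PR' };
      if (!TRUSTED_COMMENT_BOTS.has(comment.user.login)) return { run: false, reason: 'untrusted commenter' };
      // The gap the review flagged: without the API lookup there is nothing to compare.
      if (!prFromApi) return { run: false, reason: 'head repo unknown; fetch the PR first' };
      if (!isSameRepo(prFromApi, base)) return { run: false, reason: 'fork PR' };
      return { run: true, reason: `fix-bot-comments for PR #${issue.number}` };
    }
    default:
      return { run: false, reason: `unsupported event ${eventName}` };
  }
}

// Constructed sample payloads, trimmed to the fields the gate reads.
const BASE = { full_name: 'petry-projects/.github' };
const SAMPLES = {
  ciFailureSameRepo: ['workflow_run', { repository: BASE, workflow_run: { conclusion: 'failure',
    pull_requests: [{ number: 292, head: { repo: { full_name: 'petry-projects/.github' } } }] } }],
  ciFailureFork: ['workflow_run', { repository: BASE, workflow_run: { conclusion: 'failure',
    pull_requests: [{ number: 7, head: { repo: { full_name: 'someone/.github' } } }] } }],
  approvedReview: ['pull_request_review', { repository: BASE,
    review: { state: 'approved', user: { login: 'coderabbitai[bot]' } },
    pull_request: { number: 292, head: { repo: BASE } } }],
  botCommentNoLookup: ['issue_comment', { repository: BASE, issue: { number: 292, pull_request: {} },
    comment: { user: { login: 'sonarqubecloud[bot]' } } }],
};

for (const [name, [event, payload]] of Object.entries(SAMPLES)) {
  console.log(name, shouldRun(event, payload));
}
```

The `issue_comment` branch is the one that differs from the other two: the payload alone can never prove same-repo origin, so the function refuses to run until the caller supplies the PR fetched via the API, and a deleted fork (`head.repo` null) is refused too.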
```markdown
- **`claude-ci-fix`** (CI failure response) — triggered by `workflow_run:
  completed` (failure) for named GitHub Actions workflows on open same-repo
  PRs. Checks out the branch, reads the failure logs via `gh run view
  --log-failed`, applies the minimal fix, pushes, and comments with a
```
🧹 Nitpick | 🔵 Trivial | 💤 Low value
Consider code formatting for the CLI command.
The command gh run view --log-failed could be wrapped in backticks for consistency with other inline code references in this document.
✨ Suggested formatting improvement
```diff
- PRs. Checks out the branch, reads the failure logs via `gh run view
- --log-failed`, applies the minimal fix, pushes, and comments with a
+ PRs. Checks out the branch, reads the failure logs via `gh run view --log-failed`, applies the minimal fix, pushes, and comments with a
```
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@standards/ci-standards.md` at line 347, The inline CLI command gh run view
--log-failed is not formatted as code like other inline references; update the
document text to wrap gh run view --log-failed in inline code formatting
(backticks) wherever it appears to match the surrounding style and maintain
consistency with other inline code examples.
```yaml
workflow_run: # enables claude-ci-fix — do not remove
  workflows: [...] # list CI workflow names this repo monitors (repo-specific)
  types: [completed]
```
Provide a concrete example for the workflows: placeholder.
The PR objectives state that the template "now uses workflow_run with a commented example list of workflow names," but line 384 shows only a placeholder workflows: [...] with an explanation comment. The [...] syntax is invalid YAML and will fail if copied verbatim.
Consider adding a concrete example to guide adopters, such as:
```yaml
workflows: ['CI'] # example — replace with your repo's CI workflow names
```
or
```yaml
workflows:
  - CI # replace with your repo's workflow names
  - Build
```
This would make the template more actionable and align with the stated PR objective of providing an example.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@standards/ci-standards.md` around lines 383 - 385, The YAML example uses an
invalid placeholder `workflows: [...]`; update the `workflow_run` block to show
a concrete, copy-pasteable example by replacing `workflows: [...]` with a real
list (e.g., `workflows: ['CI']` or a multi-line list with `- CI` and `- Build`)
and keep a short inline comment explaining to replace with the repo's workflow
names; edit the `workflow_run` section (reference symbol: workflow_run and key:
workflows) so the template is valid YAML and clearly actionable.
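A complete trigger block with a concrete `workflows:` list, added here as an example and not the project's `claude.yml` template. The workflow names `CI` and `Build`, the `@main` ref, `secrets: inherit`, and the single-file layout (trigger and job gate together, where the PR splits them between the template and `claude-code-reusable.yml`) are assumptions for illustration:

```yaml
# Added example of a repo-level caller workflow; not the project's template.
# Workflow names are placeholders and must match the `name:` of this repo's CI workflows.
on:
  workflow_run:                 # enables claude-ci-fix, do not remove
    workflows: ['CI', 'Build']  # replace with this repo's CI workflow names
    types: [completed]
  pull_request_review:          # enables claude-fix-pr-reviews
    types: [submitted]
  issue_comment:                # enables claude-fix-bot-comments
    types: [created]

jobs:
  claude-ci-fix:
    # Assumed caller-side gate: only failed runs tied to an open same-repo PR reach
    # the agent. An empty pull_requests array or a fork head makes the comparison
    # false, so the job is skipped rather than run with the wrong PR.
    if: >-
      github.event_name == 'workflow_run' &&
      github.event.workflow_run.conclusion == 'failure' &&
      github.event.workflow_run.pull_requests[0].head.repo.full_name == github.repository
    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main  # ref is an assumption
    secrets: inherit
```

The list form (`['CI', 'Build']`) and the block form with `- CI` lines are equivalent; what matters is that every entry is the exact `name:` string of a workflow file in the same repository, since `workflow_run` matches on that name and silently never fires for a name that does not exist.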
Superseded by automated re-review at
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead:
Review — fix requested (cycle 3/3)
The automated review identified the following issues. Please address each one:
Findings to fix
Automated review — NEEDS HUMAN REVIEW
Risk: MEDIUM
Summary
PR #292 replaces the broken check_run trigger with workflow_run and adds two new bot-driven automation jobs. CI is fully green and the workflow_run migration is sound, but three valid CodeRabbit findings remain unaddressed (missing fork-safety gate on claude-fix-bot-comments, vague cycle description in claude-fix-pr-reviews prompt, and an invalid YAML placeholder in ci-standards.md), and the branch has a merge conflict. No HIGH-severity security issues found — all secrets access patterns, pinned action SHAs, and fork-safety gates on the other two jobs are correct.
Findings
Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.7). Reply if you need a human review.
Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
@dev-lead - please fix this PR |
Automated review — human attention needed
This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the
Posted by the donpetry-bot PR-review cascade.
Summary
Fixes three gaps that prevented Claude from automatically addressing issues raised by trusted bots and CI failures.
Fix A — Replace `check_run` with `workflow_run` for CI failures

`check_run` is not a supported event type in `claude-code-action` (throws `Unsupported event type: check_run` on every run). Replaced with `workflow_run`, which is natively supported and provides `pull_requests[0].number` directly. Fork-safety is enforced via `pull_requests[0].head.repo.full_name == github.repository` in the job `if:` condition, replacing the previous runtime shell check.

The `standards/workflows/claude.yml` template is updated to use `workflow_run` with a commented example list of workflow names. Each adopting repo must customize the `workflows:` list to match their actual CI workflow names.

Fix B — Add `claude-fix-pr-reviews` for trusted bot PR reviews

When Copilot (`copilot-pull-request-reviewer[bot]`) or Gemini (`gemini-code-assist[bot]`) submits a top-level `pull_request_review` event, no job was handling it. The new `claude-fix-pr-reviews` job triggers on `pull_request_review: submitted` from the trusted bot allowlist, skips `APPROVED` reviews (no action needed), and follows the same fix-threads cycle as the existing `claude-fix-review-comments` job. Uses `allowed_bots` to bypass the `author_association` guard.

Fix C — Add `claude-fix-bot-comments` for trusted external tool comments

External bots like `sonarqubecloud[bot]` and `coderabbitai[bot]` have `author_association: NONE`, causing the `claude` job's guard to silently skip their `issue_comment` events. The new `claude-fix-bot-comments` job handles these with an explicit bot allowlist and `allowed_bots` input.

Files changed

- `.github/workflows/claude-code-reusable.yml`: `claude-ci-fix` for `workflow_run`; added `claude-fix-pr-reviews` and `claude-fix-bot-comments` jobs
- `standards/workflows/claude.yml`: `pull_request_review: [submitted]` and `workflow_run: [completed]`; replaced `check_run`; updated header comment
- `standards/ci-standards.md`

Security

- `allowed_bots` is used with explicit named lists, not wildcards
- `claude-ci-fix` gates on `pull_requests[0].head.repo.full_name == github.repository`; `claude-fix-pr-reviews` gates on `pull_request.head.repo.full_name == github.repository`

Required follow-up (per-repo)

Each repo consuming `claude.yml` must update its `.github/workflows/claude.yml` to replace the `check_run` trigger with:

Closes #291
Generated with Claude Code
Summary by CodeRabbit