From fb5c8aad29ee2e4c7965e990d466f67df2d71574 Mon Sep 17 00:00:00 2001 From: Enrico Ros Date: Mon, 9 Feb 2026 01:36:35 -0800 Subject: [PATCH] workflows: CC: update dm --- .github/workflows/claude-dm.yml | 13 +++-- .github/workflows/claude-pr-review.yml | 77 -------------------------- 2 files changed, 7 insertions(+), 83 deletions(-) delete mode 100644 .github/workflows/claude-pr-review.yml diff --git a/.github/workflows/claude-dm.yml b/.github/workflows/claude-dm.yml index 5d4e073c5..e1987d1fc 100644 --- a/.github/workflows/claude-dm.yml +++ b/.github/workflows/claude-dm.yml @@ -12,17 +12,20 @@ on: jobs: claude-dm: + # Only allow repository owner to trigger DMs with @claude (blocks other users and bots) if: | - (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) || + github.actor == github.repository_owner && + github.triggering_actor == github.repository_owner && + ((github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) || (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || - (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) + (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))) runs-on: ubuntu-latest timeout-minutes: 30 permissions: - contents: read + contents: write # Required for code creation and commits pull-requests: write issues: write id-token: write 
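Review bot: The new gate compares `github.actor` and `github.triggering_actor` (user logins) with `github.repository_owner`, which for an organization-owned repository is the org name and never equals a login, so there the job would silently never run; if this repository is user-owned that is intended, but the comment above `if:` should state the assumption, e.g. `# Only the repository owner may trigger DMs with @claude (compares user login to repository_owner; never matches on org-owned repos)`. The check also verifies only who triggered the event, not who authored the text containing `@claude`: depending on which `issues` types the `on:` block (above the hunk) subscribes to, an owner action such as labeling or editing an issue opened by someone else would satisfy the condition on a body the owner did not write, which matters more now that `contents: write` is granted; consider also requiring `github.event.issue.user.login == github.repository_owner` in the `issues` branch. Minor style: the inline comment on `contents: write` has a single space before `#`, where yamllint expects two. The `claude-dm` job continues past the hunk.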
@@ -41,6 +44,7 @@ jobs: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} # Security: Only users with write access can trigger (DMs allow code execution) + # Note: contents:write permission enables code creation and commits # This is an optional setting that allows Claude to read CI results on PRs additional_permissions: | @@ -49,9 +53,6 @@ jobs: # Optional: Add claude_args to customize behavior and configuration # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options - # claude_args: '--allowed-tools Bash(gh pr:*)' - # disabling opus for now claude-opus-4-1-20250805 - # former: claude-sonnet-4-5-20250929 claude_args: | --model claude-opus-4-5-20251101 --max-turns 100 diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml deleted file mode 100644 index 42f0620d0..000000000 --- a/.github/workflows/claude-pr-review.yml +++ /dev/null 
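Review bot: The comment directly above the added line still reads `# Security: Only users with write access can trigger (DMs allow code execution)`, which understates the new job-level `if:` that restricts triggering to the repository owner; the added note should update that sentence rather than sit beneath it, e.g. `# Security: only the repository owner can trigger (see the job-level if:); DMs allow code execution and, with contents: write, commits`. The added `# Note: contents:write ...` line also duplicates the inline comment placed on `contents: write` in the permissions block and sits between the security comment and the one describing `additional_permissions:`, so it reads as if it applied to that setting; keep the remark in one place, next to the permission it documents. The step enclosing these lines starts before the hunk.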
@@ -1,77 +0,0 @@ -name: Claude Code PR Review - -on: - pull_request: - types: [ opened, synchronize, ready_for_review ] - - # Limit branches - branches: [ main, dev, v1 ] - - # Optional: Only run on specific file changes - # paths: - # - "src/**/*.ts" - # - "src/**/*.tsx" - -jobs: - claude-pr-review: - # Skip draft PRs - # Optional: filter authors: github.event.pull_request.user.login != 'enricoros' - if: | - github.event.pull_request.draft == false - - runs-on: ubuntu-latest - timeout-minutes: 30 - - permissions: - contents: read - pull-requests: write - issues: read - id-token: write - actions: read # Required for Claude to read CI results on PRs - - steps: - - name: Checkout repository - uses: actions/checkout@v6 - with: - fetch-depth: 1 - - - name: Run PR Review - uses: anthropics/claude-code-action@v1 - with: - claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - # Security: Allow any user to trigger reviews (read-only PR analysis is safe) - github_token: ${{ secrets.GITHUB_TOKEN }} - allowed_non_write_users: '*' - # track_progress: true # Enables tracking comments - - # This setting allows Claude to read CI results on PRs - additional_permissions: | - actions: read - - prompt: | - REPO: ${{ github.repository }} - PR NUMBER: ${{ github.event.pull_request.number }} - - Please review this pull request and provide feedback on: - - Potential bugs or issues - - Adherence to Big-AGI architecture and design patterns - - Code quality and best practices, including TypeScript types, error handling, and edge cases - - Performance considerations: bundle size, React patterns, streaming efficiency - - Security concerns if applicable - - Use the repository's CLAUDE.md for guidance on style and conventions. - - Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR. - Use `gh pr review comment` for inline suggestions on specific lines. 
- - IMPORTANT: After completing your review, always add the 'claude-review' label to the PR to indicate it was reviewed by Claude: - gh pr edit ${{ github.event.pull_request.number }} --add-label "claude-review" - - Be constructive, helpful, no-BS, and specific with file:line references. - - # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md - # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options - claude_args: | - --model claude-opus-4-5-20251101 - --max-turns 100 - --allowedTools "Edit,Read,Write,WebFetch,WebSearch,Bash(cat:*),Bash(cp:*),Bash(find:*),Bash(git branch:*),Bash(grep:*),Bash(ls:*),Bash(mkdir:*),Bash(gh issue:*),Bash(gh search:*),Bash(gh label:*),Bash(gh pr:*),mcp__chrome-devtools"