workflows: CC: update dm

.github/workflows/claude-dm.yml

@@ -12,17 +12,20 @@ on:
 
 jobs:
   claude-dm:
+    # Only allow repository owner to trigger DMs with @claude (blocks other users and bots)
     if: |
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) ||
+      github.actor == github.repository_owner &&
+      github.triggering_actor == github.repository_owner &&
+      ((github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) ||
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')))
 
     runs-on: ubuntu-latest
     timeout-minutes: 30
 
     permissions:
-      contents: read
+      contents: write  # Required for code creation and commits
       pull-requests: write
       issues: write
       id-token: write
@@ -41,6 +44,7 @@ jobs:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
           # Security: Only users with write access can trigger (DMs allow code execution)
+          # Note: contents:write permission enables code creation and commits
 
           # This is an optional setting that allows Claude to read CI results on PRs
           additional_permissions: |
@@ -49,9 +53,6 @@ jobs:
           # Optional: Add claude_args to customize behavior and configuration
           # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
           # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
-          # claude_args: '--allowed-tools Bash(gh pr:*)'
-          # disabling opus for now claude-opus-4-1-20250805
-          # former: claude-sonnet-4-5-20250929
           claude_args: |
             --model claude-opus-4-5-20251101
             --max-turns 100

.github/workflows/claude-pr-review.yml

@@ -1,77 +0,0 @@
-name: Claude Code PR Review
-
-on:
-  pull_request:
-    types: [ opened, synchronize, ready_for_review ]
-
-    # Limit branches
-    branches: [ main, dev, v1 ]
-
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-
-jobs:
-  claude-pr-review:
-    # Skip draft PRs
-    # Optional: filter authors: github.event.pull_request.user.login != 'enricoros'
-    if: |
-      github.event.pull_request.draft == false
-
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: read
-      id-token: write
-      actions: read # Required for Claude to read CI results on PRs
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 1
-
-      - name: Run PR Review
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          # Security: Allow any user to trigger reviews (read-only PR analysis is safe)
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          allowed_non_write_users: '*'
-          # track_progress: true # Enables tracking comments
-
-          # This setting allows Claude to read CI results on PRs
-          additional_permissions: |
-            actions: read
-
-          prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number }}
-
-            Please review this pull request and provide feedback on:
-            - Potential bugs or issues
-            - Adherence to Big-AGI architecture and design patterns
-            - Code quality and best practices, including TypeScript types, error handling, and edge cases
-            - Performance considerations: bundle size, React patterns, streaming efficiency
-            - Security concerns if applicable
-
-            Use the repository's CLAUDE.md for guidance on style and conventions.
-
-            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
-            Use `gh pr review comment` for inline suggestions on specific lines.
-
-            IMPORTANT: After completing your review, always add the 'claude-review' label to the PR to indicate it was reviewed by Claude:
-            gh pr edit ${{ github.event.pull_request.number }} --add-label "claude-review"
-
-            Be constructive, helpful, no-BS, and specific with file:line references.
-
-          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
-          # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
-          claude_args: |
-            --model claude-opus-4-5-20251101
-            --max-turns 100
-            --allowedTools "Edit,Read,Write,WebFetch,WebSearch,Bash(cat:*),Bash(cp:*),Bash(find:*),Bash(git branch:*),Bash(grep:*),Bash(ls:*),Bash(mkdir:*),Bash(gh issue:*),Bash(gh search:*),Bash(gh label:*),Bash(gh pr:*),mcp__chrome-devtools"