From 62ac5f2f6b5ba4e8f3e15ae70dc9e45f431fb941 Mon Sep 17 00:00:00 2001 From: James Robb <47126579+jamesrweb@users.noreply.github.com> Date: Fri, 3 Apr 2026 00:53:15 +0200 Subject: [PATCH 1/5] =?UTF-8?q?=F0=9F=94=A7=20chore(ci):=20Add=20workflows?= =?UTF-8?q?=20permission=20to=20Claude=20Code=20Action?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Grant workflows:write so Claude can push branches whose history includes commits that modified workflow files. Without this, GitHub rejects the push even if Claude's own commit doesn't touch any workflow files. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/claude.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 5c62c63f..b42c6390 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -27,6 +27,7 @@ jobs: issues: write id-token: write actions: read # Required for Claude to read CI results on PRs + workflows: write # Required for Claude to push branches that include workflow file changes in history steps: - name: Checkout repository uses: actions/checkout@v6 From ea9d903a5414206a1aa44aa3f1a9cc40ffc9fb24 Mon Sep 17 00:00:00 2001 From: James Robb <47126579+jamesrweb@users.noreply.github.com> Date: Fri, 3 Apr 2026 00:56:10 +0200 Subject: [PATCH 2/5] Revert claude[bot] from CODEOWNERS GitHub CODEOWNERS does not support bot accounts as valid owners. Claude already auto-reviews PRs via the pull_request_target trigger in the Claude Code Action workflow. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a611844b..fdc23349 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @jamesrweb @yevdyko @claude[bot] \ No newline at end of file +* @jamesrweb @yevdyko \ No newline at end of file 
From ea7c2830ad0c02f3fa954841099622af90462272 Mon Sep 17 00:00:00 2001 From: James Robb <47126579+jamesrweb@users.noreply.github.com> Date: Fri, 3 Apr 2026 01:04:39 +0200 Subject: [PATCH 3/5] Auto-review PRs on opened and ready_for_review events Adds opened and ready_for_review to the pull_request_target triggers so Claude automatically reviews every new PR without needing to be assigned or mentioned. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/claude.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index b42c6390..27fe5d4d 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -8,7 +8,7 @@ on: issues: types: [opened, assigned] pull_request_target: - types: [assigned] + types: [opened, assigned, ready_for_review] pull_request_review: types: [submitted] From cf9a6c25eb6bc2cd45cefcf7a1823e0696a1842d Mon Sep 17 00:00:00 2001 From: James Robb <47126579+jamesrweb@users.noreply.github.com> Date: Fri, 3 Apr 2026 01:08:48 +0200 Subject: [PATCH 4/5] Restrict auto-review to non-fork PRs for security Adds a guard so pull_request_target only triggers when the PR originates from the same repo, not from forks. This prevents external contributors from triggering the action with write permissions and secrets via prompt injection in PR bodies. Fork PRs can still be reviewed by explicitly assigning claude[bot]. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/claude.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 27fe5d4d..a674814d 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml 
@@ -19,7 +19,7 @@ jobs: (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) || (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) || (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude'))) || - (github.event_name == 'pull_request_target') + (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: contents: write From dd30e0a1e94465b1f71bf25fb5958ea117b294c8 Mon Sep 17 00:00:00 2001 From: James Robb <47126579+jamesrweb@users.noreply.github.com> Date: Fri, 3 Apr 2026 01:09:41 +0200 Subject: [PATCH 5/5] Add synchronize trigger for Claude auto-review Re-reviews PRs when new commits are pushed, keeping feedback up to date with the latest changes. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/claude.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index a674814d..7f70b267 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -8,7 +8,7 @@ on: issues: types: [opened, assigned] pull_request_target: - types: [opened, assigned, ready_for_review] + types: [opened, assigned, synchronize, ready_for_review] pull_request_review: types: [submitted]
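Review bot: in the patch 1 hunk of `.github/workflows/claude.yml`, `workflows: write` is added to a job that already holds `contents: write` and `id-token: write` and is reachable through the `pull_request_target` and `issues` triggers, so the agent's token can now push branches that carry workflow-file edits, which is the same capability needed to change what CI runs. Keep the inline comment explaining the narrow reason (history containing workflow changes), and confirm that branch protection on the default branch still requires a human review for anything under `.github/workflows/` so that a pushed workflow change cannot merge on the agent's token alone.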
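Review bot: the CODEOWNERS hunk in patch 2 leaves the file without a trailing newline on both sides (`\ No newline at end of file`); since the only line is being rewritten anyway, add the newline so the next edit does not show a spurious whole-line change. The removal of `@claude[bot]` itself is consistent with the commit message, as the bot is reviewing through the `pull_request_target` trigger rather than through code ownership.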
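Review bot: the patch 3 hunk adds `opened` and `ready_for_review` to `pull_request_target` while the job's `if` at that point in the series is still the unguarded `(github.event_name == 'pull_request_target')` (the `-` line of the patch 4 hunk), so between commits 3 and 4 any fork PR being opened would run the job with `contents: write`, `workflows: write`, `id-token: write` and the repository's secrets. Squash the same-repo guard from patch 4 into this commit, or reorder the series so the guard lands first, so that no commit in history has that open window.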
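Review bot: the same-repo check `github.event.pull_request.head.repo.full_name == github.repository` in the patch 4 hunk only constrains the `pull_request_target` branch of the condition; the `issues`, `pull_request_review` and `pull_request_review_comment` branches still fire on any body or title containing `@claude` with no check on who wrote it, so the prompt-injection exposure the commit message describes remains for anyone able to open an issue or leave a review comment. Consider gating those branches on `github.event.issue.author_association`, `github.event.review.author_association` and `github.event.comment.author_association` (for example `OWNER`, `MEMBER`, `COLLABORATOR`) in the same way. Separately, the message says fork PRs can still be reviewed by assigning claude[bot], but an `assigned` action on a fork PR also arrives as `pull_request_target` and is now rejected by this check; either allow `github.event.action == 'assigned'` explicitly (assignment requires triage rights, so that path stays maintainer-gated) or correct the commit message.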
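Review bot: with `synchronize` added in the patch 5 hunk, the job runs on every push to a same-repo PR, so a burst of pushes queues several overlapping reviews of heads that are already superseded. Add a `concurrency` group keyed on the PR number with `cancel-in-progress: true` for the `pull_request_target` case so only the latest head is reviewed. The same-repo guard from patch 4 already covers this event type, so no new trigger exposure is introduced.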