From bc19560f4141fdb894b39df190f0e9d3d06f1bfe Mon Sep 17 00:00:00 2001
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com>
Date: Fri, 8 May 2026 17:33:50 +0000
Subject: [PATCH] fix(ci): pin claude-code-reusable.yml to @v1 per action pinning policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Copies claude.yml verbatim from the org standards template (standards/workflows/claude.yml).

Key changes:
- @main → @v1 (internal reusable refs use tag, not branch, per ci-standards.md)
- Add paths-ignore OIDC guard on pull_request trigger
- Add canonical header comment block from template

Closes #105

Co-authored-by: Don Petry
---
 .github/workflows/claude.yml | 43 +++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 8f7c686d..5e1f48f2 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -1,12 +1,49 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# SOURCE OF TRUTH: petry-projects/.github/standards/workflows/claude.yml
+# Standard: petry-projects/.github/standards/ci-standards.md#4-claude-code-claudeyml
+# Reusable: petry-projects/.github/.github/workflows/claude-code-reusable.yml
+#
+# AGENTS — READ BEFORE EDITING:
+# • This file is a THIN CALLER STUB. All Claude Code logic, the prompt,
+# allowedTools, and trigger gating live in the reusable workflow above.
+# • You MAY change: nothing in this file in normal use. Adopt verbatim.
+# • You MUST NOT change: trigger events, job permissions, the `uses:` line,
+# or `secrets: inherit`. These are required for the reusable to work.
+# • If you need different behaviour, open a PR against the reusable in the
+# central repo. The change will propagate everywhere on next run.
+#
+# WHY THIS FILE IS IMMUTABLE (agents: read before opening any PR here):
+# Anthropic's OIDC token endpoint validates that this file on a PR branch
+# is byte-for-byte identical to the file on the default branch. Any diff —
+# even a whitespace or comment change — causes the token exchange to fail:
+# "401 Unauthorized — Workflow validation failed"
+# Claude Code will not run on that PR. Do not open compliance PRs against
+# this file. Do not SHA-pin the `uses:` line — internal reusable workflow
+# refs are exempt from the Action Pinning Policy (ci-standards.md
+# §Action Pinning Policy). The @v1 tag is the correct, stable reference.
+#
+# NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request
+# prevents the workflow from triggering only when the PR's entire changeset
+# is limited to claude.yml alone. PRs that modify claude.yml *plus other
+# files* will still trigger the workflow and hit the 401 error at token
+# exchange. Other triggers (issue_comment, pull_request_review_comment,
+# issues, check_run) are unaffected by paths-ignore and run as configured.
+# ─────────────────────────────────────────────────────────────────────────────
+#
 # Claude Code — thin caller that delegates to the org-level reusable workflow.
-# All logic and prompts are maintained centrally in claude-code-reusable.yml.
-# Standard: https://github.com/petry-projects/.github/blob/main/standards/ci-standards.md#4-claude-code-claudeyml
+# To adopt: copy this file to .github/workflows/claude.yml in your repo.
+# Required org/repo secret: CLAUDE_CODE_OAUTH_TOKEN
+# Optional org/repo secret: GH_PAT_WORKFLOWS (PAT with `workflow` scope —
+# required if Claude needs to push changes to .github/workflows/*.yml)
+
 name: Claude Code
 
 on:
   pull_request:
     branches: [main]
     types: [opened, reopened, synchronize]
+    paths-ignore:
+      - '.github/workflows/claude.yml' # OIDC invariant — see header above
   issue_comment:
     types: [created]
   pull_request_review_comment:
@@ -20,7 +57,7 @@
 permissions: {}
 jobs:
   claude-code:
-    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
+    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1
     secrets: inherit
     permissions:
       contents: write
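Review bot: The "NARROW GUARD" paragraph in the new header cites `(lines 38-39)` for the paths-ignore setting, but by this hunk's own `+1,49` numbering `paths-ignore:` and its entry land at lines 45-46 of the new file, so the reference is already stale on the day it is added. Because the header itself says the file must stay byte-identical to the template, the fix belongs in `standards/workflows/claude.yml` and then re-syncs here; I would drop the hard-coded numbers, e.g. `# NARROW GUARD: The paths-ignore setting under pull_request (see the trigger block below)`, so the comment cannot drift again. The paragraph claiming that the OIDC token endpoint compares the PR-branch file byte-for-byte with the default branch and fails with "401 Unauthorized — Workflow validation failed" is not something a reader can check from this repo; a pointer to the upstream document or issue that establishes that behaviour would let future maintainers re-verify it when the endpoint changes.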
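Review bot: `@v1` on the `uses:` line is a mutable tag, so the "pin" in the commit title only holds as long as nobody can move `v1` in `petry-projects/.github`; with `secrets: inherit` and the job-level `contents: write` below it, whoever can re-point that tag gets to run arbitrary code with every inherited secret in every repo that adopted this stub. The header forbids SHA-pinning here, so the control has to live in the central repo: unless a ruleset already does this, protect `v1*` tags there (restrict who may create, move or delete them, and require the tag to be advanced only through a reviewed release), and record that requirement in ci-standards.md next to the exemption so the exemption is visibly conditional on it. It is also worth stating in the description that `@v1` is a floating major tag rather than an immutable reference, since "pin per action pinning policy" reads as the opposite of what the header says this ref is exempt from.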