petry-projects · don-petry · May 8, 2026 · May 13, 2026 · May 13, 2026 · May 14, 2026
@@ -1,12 +1,49 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# SOURCE OF TRUTH: petry-projects/.github/standards/workflows/claude.yml
+# Standard:        petry-projects/.github/standards/ci-standards.md#4-claude-code-claudeyml
+# Reusable:        petry-projects/.github/.github/workflows/claude-code-reusable.yml
+#
+# AGENTS — READ BEFORE EDITING:
+#   • This file is a THIN CALLER STUB. All Claude Code logic, the prompt,
+#     allowedTools, and trigger gating live in the reusable workflow above.
+#   • You MAY change: nothing in this file in normal use. Adopt verbatim.
+#   • You MUST NOT change: trigger events, job permissions, the `uses:` line,
+#     or `secrets: inherit`. These are required for the reusable to work.
+#   • If you need different behaviour, open a PR against the reusable in the
+#     central repo. The change will propagate everywhere on next run.
+#
+# WHY THIS FILE IS IMMUTABLE (agents: read before opening any PR here):
+#   Anthropic's OIDC token endpoint validates that this file on a PR branch
+#   is byte-for-byte identical to the file on the default branch. Any diff —
+#   even a whitespace or comment change — causes the token exchange to fail:
+#     "401 Unauthorized — Workflow validation failed"
+#   Claude Code will not run on that PR. Do not open compliance PRs against
+#   this file. Do not SHA-pin the `uses:` line — internal reusable workflow
+#   refs are exempt from the Action Pinning Policy (ci-standards.md
+#   §Action Pinning Policy). The @v1 tag is the correct, stable reference.
+#
+#   NARROW GUARD: The paths-ignore setting (lines 38-39) under pull_request
+#   prevents the workflow from triggering only when the PR's entire changeset
+#   is limited to claude.yml alone. PRs that modify claude.yml *plus other
+#   files* will still trigger the workflow and hit the 401 error at token
+#   exchange. Other triggers (issue_comment, pull_request_review_comment,
+#   issues, check_run) are unaffected by paths-ignore and run as configured.
+# ─────────────────────────────────────────────────────────────────────────────
+#
 # Claude Code — thin caller that delegates to the org-level reusable workflow.
-# All logic and prompts are maintained centrally in claude-code-reusable.yml.
-# Standard: https://github.com/petry-projects/.github/blob/main/standards/ci-standards.md#4-claude-code-claudeyml
+# To adopt: copy this file to .github/workflows/claude.yml in your repo.
+# Required org/repo secret: CLAUDE_CODE_OAUTH_TOKEN
+# Optional org/repo secret: GH_PAT_WORKFLOWS (PAT with `workflow` scope —
+#   required if Claude needs to push changes to .github/workflows/*.yml)
+
 name: Claude Code
 
 on:
   pull_request:
     branches: [main]
     types: [opened, reopened, synchronize]
+    paths-ignore:
+      - '.github/workflows/claude.yml'  # OIDC invariant — see header above
   issue_comment:
     types: [created]
   pull_request_review_comment:
@@ -20,7 +57,7 @@ permissions: {}
 
 jobs:
   claude-code:
-    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@main
+    uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1
     secrets: inherit
     permissions:
       contents: write