feat(claude-code-reusable): enable rebases in interactive job

[don-petry]

Summary

Allow the interactive claude job in claude-code-reusable.yml to recover when the remote branch advances mid-run (e.g. auto-rebase pushes merge commits).

• fetch-depth: 1 → 0 so rebase/merge against main is possible.
• Add explicit --allowedTools covering git fetch/pull/rebase/merge plus the standard git, gh CLI, and Edit/Write/Read surface.

Motivation

PR #166's @claude run failed at push time because auto-rebase had advanced the remote branch during the run. With --allowedTools unset, the action defaults didn't include git pull/git fetch, so Claude couldn't integrate the new remote commits before pushing.

Caveat

Setting claude_args.--allowedTools replaces the action defaults rather than extending them. The list here is written out comprehensively. If something is missing and users start hitting "tool not allowed" prompts, extend the list — don't remove the flag.

Test plan

• Trigger @claude on a PR that has remote commits the local branch doesn't (e.g. fix(standards): pin auto-rebase stub to SHA to satisfy SonarCloud security gate #166 after merge).
• Confirm Claude can git fetch + git pull --rebase (or git rebase origin/main) and push successfully.
• Verify no regression in other interactive @claude flows (review-comment responses, simple edits).

https://claude.ai/code/session_01Udspx48vYhjiEG3fnraMKV

---

Generated by Claude Code

Summary by CodeRabbit

• Chores
  • CI workflow now fetches full repository history during automated runs to enable richer job operations.
  • Expanded allowed tools and permissions for the interactive CI job to enable broader automation and tool access.
• Documentation
  • CI standards doc updated to reflect the workflow changes and the new interactive job configuration.

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 51 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ceba0313-eae8-49a4-91d9-4d1d8212bd2c

📥 Commits

Reviewing files that changed from the base of the PR and between eff494b and cdcaeb7.

📒 Files selected for processing (2)

• .github/workflows/claude-code-reusable.yml
• standards/ci-standards.md

📝 Walkthrough

Walkthrough

The reusable Claude Code workflow now checks out full git history (fetch-depth: 0) and expands the Claude action's claude_args allowed-tools list (wrapped with yamllint line-length directives) to permit broader git/gh/bash and Edit/Write/Read operations; docs updated.

Changes

Workflow Tool Configuration

Layer / File(s)	Summary
Git History Checkout .github/workflows/claude-code-reusable.yml, standards/ci-standards.md	Repository checkout step changes fetch-depth from 1 to 0 to fetch full git history instead of a shallow clone; documentation updated to match.
Claude Args / Allowed Tools .github/workflows/claude-code-reusable.yml, standards/ci-standards.md	claude_args block is wrapped with yamllint line-length disable/enable comments and expands --allowedTools to include broader Bash(git:, gh:) permissions and additional tools such as Edit, Write, and Read; documentation updated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• petry-projects/.github#86: Broadens the Claude workflow's allowed-tools list (git/gh/Bash-related changes) similar to this PR.
• petry-projects/.github#77: Modifies the same reusable claude-code-reusable.yml workflow file; related checkout/claude_args changes.
• petry-projects/.github#11: Prior PR that touched the Claude job/configuration; related to checkout depth and allowed-tools settings.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'enable rebases in interactive job' accurately describes the main change—setting fetch-depth to 0 and broadening allowedTools to enable git operations like rebase/merge.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/review-compliance-prs-XV3ju

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Enables the interactive claude job in the central reusable workflow to better handle cases where the remote PR branch advances mid-run (e.g., due to auto-rebase activity), by ensuring the workspace has sufficient git history and by explicitly allowing git/gh operations.

Changes:

• Switch actions/checkout from fetch-depth: 1 to fetch-depth: 0 for the interactive claude job.
• Add an explicit claude_args --allowedTools allowlist to permit selected git and gh operations (plus Edit/Write/Read) during interactive runs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 1272435b13fdb4acb2de927d76806ee7e2280ff9
Review mode: triage-approved (single reviewer)

Summary

Prompt-only changes to the org status report template that reduce output size by ~29K bytes. Three changes: (1) Open Issues grouped by repo subsection instead of flat table, dropping the repeated Repo column; (2) duplicate [#N](url) | [title](url) cells merged into single [#N — title](url) cells across Needs Human Review, Open Issues, and Open Discussions tables; (3) MAX_BYTES bumped from 60000 to 64000 (still 1536 bytes below GitHub's 65536 char limit). No data-shape changes.

Linked issue analysis

No closing issue linked, but the PR body clearly describes the problem: daily report #233 exceeded the 60000-byte truncation threshold, causing head -c to drop the start of the report (the @org-leads opener and first three sections). The changes directly address this by shrinking the rendered output.

Findings

No issues found.

• MAX_BYTES 64000: Safe — leaves 1536 bytes of headroom below GitHub's 65536-char issue body limit. Combined with the ~29K reduction in report size, truncation should rarely trigger.
• Prompt template changes: Clean restructuring. The per-repo subsection format for Open Issues and the single-link cell pattern are consistent across all three tables.
• No security concerns: No secrets, auth, eval, injection vectors, or CI security changes.
• Copilot's suppressed comment about UTF-8 truncation in head -c is a pre-existing concern in the truncation step, not introduced by this PR.

CI status

All checks passed:

• Lint: ✓
• ShellCheck: ✓
• Agent Security Scan: ✓
• AgentShield: ✓
• CodeQL (actions): ✓
• SonarCloud: ✓ (0 new issues, 0 security hotspots)
• Dependency audit: ✓

---

Reviewed automatically by the PR-review agent (single-reviewer). Reply if you need a human review.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/claude-code-reusable.yml:
- Line 47: Update the documentation examples in standards/ci-standards.md that
currently reference anthropics/claude-code-action@v1.0.89 (and its old SHA) to
match the workflow: replace those references with
anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 #
v1.0.119 so the examples match the actual workflow usage; search for any
occurrences of "anthropics/claude-code-action@v1.0.89" or the old SHA in
standards/ci-standards.md and update them to the new SHA and version string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c01ff119-899a-4513-a52b-4ef3f258c2a9

📥 Commits

Reviewing files that changed from the base of the PR and between 17be222 and 9eea0d9.

📒 Files selected for processing (2)

• .github/workflows/claude-code-reusable.yml
• standards/ci-standards.md

[don-petry]

@donpetry-bot - please review again

[donpetry-bot]

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 9af3e4ec697e8bf7acb8b4770e207793187972fb
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6)

Summary

PR enables Claude to handle mid-run rebase scenarios by switching to full git history checkout and adding a broad --allowedTools allowlist. All CI checks pass (Lint, ShellCheck, AgentShield, Agent Security Scan, CodeQL, SonarCloud); the CodeRabbit CHANGES_REQUESTED was for outdated action SHA in docs, which the final commit (9af3e4e) fully addresses. Merge is blocked only by stale review state — CodeRabbit was rate-limited and could not re-review.

Findings

• INFO: MergeStateStatus BLOCKED due to CodeRabbit CHANGES_REQUESTED on commit 9eea0d9. The requested change (sync claude-code-action SHA to v1.0.119 in standards/ci-standards.md) is fully addressed in head commit 9af3e4e. CodeRabbit is rate-limited and cannot re-review. Safe to dismiss the stale review and merge.
• MINOR: Bash(gh:*) wildcard allows Claude to invoke any gh CLI subcommand (merge PRs, create releases, delete branches, etc.) during interactive runs. Actual capability is bounded by the token scope (GH_PAT_WORKFLOWS or github.token), and both AgentShield and Agent Security Scan passed — but this warrants awareness. The PR body explicitly calls this out and documents the rationale for a comprehensive allowlist. (.github/workflows/claude-code-reusable.yml:53)
• INFO: fetch-depth: 0 fetches full git history on every interactive Claude run, which increases checkout time on repos with deep history. Acceptable trade-off for enabling rebases; no security concern. (.github/workflows/claude-code-reusable.yml:42)
• INFO: standards/ci-standards.md now correctly documents fetch-depth: 0, the broad --allowedTools list, and the bumped claude-code-action@v1.0.119 SHA across both the claude and claude-issue job examples. Docs match the actual workflow. (standards/ci-standards.md)

---

Reviewed by the PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply if you need a human review.

[don-petry]

@coderabbitai review

---

Generated by Claude Code

[coderabbitai]

@don-petry Sure, I'll review the changes now!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@standards/ci-standards.md`:
- Around line 386-387: The Version policy table is inconsistent with the new
pin: update the "Version Inconsistencies" table entry that currently lists
anthropics/claude-code-action as v1.0.89 to reflect the pinned value v1.0.119 to
match the uses line (uses:
anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416) and
ensure the table header "Version Inconsistencies" and any references to
anthropics/claude-code-action are synchronized.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 609f2e60-5f41-4b83-87d5-c05e9ee830b8

📥 Commits

Reviewing files that changed from the base of the PR and between 9eea0d9 and 9af3e4e.

📒 Files selected for processing (1)

• standards/ci-standards.md

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

standards/ci-standards.md (1)

430-430: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Note: claude-issue job retains narrower allowedTools list.

The claude job (interactive mode) received a broad --allowedTools list including Bash(git:*) for rebase capabilities (line 396), but the claude-issue job (automation mode) retains its original narrower list focused on gh pr, gh issue, and gh run commands.

This appears intentional based on the PR objectives ("enable rebases in interactive job"), since automation-mode PRs are created from fresh branches rather than needing to rebase existing PRs. However, if the automation job can also encounter scenarios where it needs to fetch/pull/rebase (e.g., when updating an existing PR it created), it may need similar git tool permissions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@standards/ci-standards.md` at line 430, The claude-issue job's --allowedTools
list is narrower than the interactive claude job and may lack git permissions
needed when automation updates existing PRs; update the claude-issue job's
--allowedTools string (the value passed to --allowedTools in the claude-issue
job) to include the same Bash(git:*) permission (or otherwise add the necessary
Bash(git:fetch|pull|rebase) entries) so its allowedTools matches the interactive
claude job's rebase-capable set, ensuring the claude-issue job can perform
fetch/pull/rebase operations when required.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@standards/ci-standards.md`:
- Line 386: The pinned action reference "uses:
anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416" is
mismatched with the v1.0.119 tag; update the line so the comment and pinned SHA
agree by either replacing the SHA with the canonical v1.0.119 commit SHA
(2703d6e89559c31037b8083eff3cc5ba56502f1e) or changing the version comment to
reflect the actual tag for 476e359e6203e73dad705c8b322e333fabbd7416, ensuring
the uses reference and the trailing version comment are consistent.

---

Outside diff comments:
In `@standards/ci-standards.md`:
- Line 430: The claude-issue job's --allowedTools list is narrower than the
interactive claude job and may lack git permissions needed when automation
updates existing PRs; update the claude-issue job's --allowedTools string (the
value passed to --allowedTools in the claude-issue job) to include the same
Bash(git:*) permission (or otherwise add the necessary
Bash(git:fetch|pull|rebase) entries) so its allowedTools matches the interactive
claude job's rebase-capable set, ensuring the claude-issue job can perform
fetch/pull/rebase operations when required.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f38927f8-77be-4a63-8dee-21d564510c40

📥 Commits

Reviewing files that changed from the base of the PR and between 9af3e4e and eff494b.

📒 Files selected for processing (1)

• standards/ci-standards.md

[github-actions]

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

@dev-lead - please fix this PR

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

[don-petry]

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push