ci: add caller-level @claude filter + clarify pinact comment#18
Merged
Conversation
Two improvements to both the in-repo caller and the workflow template, addressing Copilot review comments on the rollout PRs (pituitary#410 and stroma-rs#23 specifically, plus implicit benefit to the 5 already- merged repos that adopted the prior template). 1. Add job-level `if:` filter on the caller. The reusable already has the same filter — but it only no-ops *after* GitHub allocates a runner and fetches/parses the reusable workflow (~5-10s per event). With the caller-level if, no runner is allocated for non-@claude events on active repos. The reusable keeps the filter as defense- in-depth. 2. Update the inline pinact comment from "matching exception lives in .pinact.yaml" to "pinact exception declared org-wide in nantobv/.github/.pinact.yaml" Caller-side `.pinact.yaml` doesn't need the exception (and most nantobv repos don't have one); the exception lives in the org's shared config repo, which is where pinact runs from when the org-wide reusable workflow is invoked. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Refines the org-wide Claude Code workflow by adding a caller-level if: filter that mirrors the reusable workflow's existing filter, avoiding the cost of spinning up a runner just to no-op on non-@claude events. Also clarifies the inline zizmor: ignore[unpinned-uses] comment to point at the org-wide .pinact.yaml rather than the (often non-existent) caller-repo file.
Changes:
- Add a job-level
if:to theclaudejob in both the active workflow and the workflow template, gating on@claudemention +OWNER/MEMBER/COLLABORATORauthor_association across all four trigger events. - Update the inline comment on the
uses:line to explicitly identify the pinact exception's location asnantobv/.github/.pinact.yaml.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| workflow-templates/claude.yml | Adds caller-level @claude/author filter and clarifies pinact exception comment in the org template. |
| .github/workflows/claude.yml | Same caller-level filter + comment clarification applied to this repo's own workflow, keeping it byte-aligned with the template. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Refines the org-wide Claude Code workflow based on Copilot review feedback on the rollout PRs (pituitary#410, stroma-rs#23). Two changes to both
.github/workflows/claude.ymlandworkflow-templates/claude.yml:1. Add caller-level
@claude+ author filterPreviously, every
issue_comment/pull_request_review_comment/issues:opened/pull_request_reviewevent would spin up a runner and call the reusable workflow, which then no-op'd via its ownif:filter. With job-levelif:on the caller, no runner is allocated for non-@claudeevents — meaningful savings on active repos likepituitary(#410 PRs deep) where most events are not@claudementions.The reusable keeps its identical filter as defense-in-depth.
2. Clarify the pinact inline comment
Before:
matching exception lives in .pinact.yamlAfter:
pinact exception declared org-wide in nantobv/.github/.pinact.yamlThe exception isn't in the caller repo's
.pinact.yaml(most repos don't have one); it's in this repo's.pinact.yaml, which is what pinact reads when the org-wide reusable workflow is invoked.Propagation plan (after this merges)
pituitary#410,stroma-rs#23,stroma#195) to the new templateccd,hippocampus,thalamus,lifeloop,stroma-benchmarks) to converge on the same callerEvery nantobv repo's claude.yml ends up byte-identical to
workflow-templates/claude.yml.🤖 Generated with Claude Code