Skip to content

ci: migrate Claude workflow to org reusable (author gate + SHA-pinned bun)#410

Merged
autholykos merged 2 commits into
mainfrom
claude/migrate-to-reusable-workflow
May 17, 2026
Merged

ci: migrate Claude workflow to org reusable (author gate + SHA-pinned bun)#410
autholykos merged 2 commits into
mainfrom
claude/migrate-to-reusable-workflow

Conversation

@autholykos

@autholykos autholykos commented May 17, 2026

Copy link
Copy Markdown
Contributor

Summary

Migrates this repo's .github/workflows/claude.yml from the standalone "direct" workflow shipped by the /install-github-app skill to the hardened thin-caller pattern backed by the org-wide reusable workflow at nantobv/.github/.github/workflows/claude-reusable.yml@main.

Why

The previous file (verbatim from the install-github-app template) was missing several hardenings the org has since adopted on nantobv/.github:

Concern Before (this repo, today) After (this PR)
Author gate None — anyone who can comment fires @claude OWNER/MEMBER/COLLABORATOR only. Critical for any public repo.
Bun install curl https://bun.sh/install | bash (no SHA pin) SHA-pinned oven-sh/setup-bun@0c5077e5… # v2.2.0
issues: retrigger [opened, assigned] — every reassignment re-fires Claude on issues whose body already says @claude [opened] only
Updates Per-repo file copies, drift accumulates Single source of truth in nantobv/.github; future tightening lands without per-repo PRs

What changes

.github/workflows/claude.yml goes from ~50 lines of direct workflow to a ~30-line thin caller. All behavior — security gate, action SHAs, bun bootstrap, permissions — lives in the reusable workflow. The contract on the @claude UX is unchanged.

Prereqs (already in place at the org level)

  • Anthropic Claude GitHub App installed on nantobv with "All repositories" scope
  • CLAUDE_CODE_OAUTH_TOKEN org secret reachable by this repo
  • End-to-end validated on nantobv/.github (smoke test issue [P1] Add dry-run mode for index rebuild #17 → "pong" in 9s)

Test plan

  • CI green on this PR
  • After merge, open an issue here and comment @claude reply with "pong" to confirm the responder still fires. Run logs at this repo's Actions tab → "Claude Code" workflow.
  • Try the same @claude comment from a non-member account (if applicable) to confirm the author gate now blocks it.

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings May 17, 2026 16:57
Copilot AI reviewed May 17, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR migrates the repository’s Claude Code GitHub Actions workflow from a “direct” per-repo implementation to a thin caller that delegates behavior (including hardening) to the org-wide reusable workflow nantobv/.github/.github/workflows/claude-reusable.yml@main.

Changes:

  • Replace the standalone Claude responder job/steps with a reusable-workflow call.
  • Tighten the issues trigger to types: [opened] only.
  • Add workflow-level permissions and documentation comments describing the new contract and prerequisites.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/claude.yml
@autholykos autholykos mentioned this pull request May 17, 2026
Merged
@autholykos autholykos merged commit 11d3551 into main May 17, 2026
8 checks passed
@autholykos autholykos deleted the claude/migrate-to-reusable-workflow branch May 17, 2026 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@autholykos