mirror of
https://github.com/openwrt/openwrt.git
synced 2026-06-17 14:50:15 +04:00
Hauke Mehrtens
05e111aa42
The workflow already uses contents: read which prevents GitHub from accepting any push. The --disallowedTools setting adds a second layer by stopping Claude from even attempting git write operations. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Link: https://github.com/openwrt/openwrt/pull/22897 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
37 lines
1.1 KiB
YAML
37 lines
1.1 KiB
YAML
name: Claude Code Review
|
|
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
actions: read
|
|
|
|
jobs:
|
|
code-review:
|
|
name: Claude Code Review
|
|
# Only run on PR comments containing "/claude" from users with write access
|
|
if: >-
|
|
github.event.issue.pull_request &&
|
|
contains(github.event.comment.body, '/claude') &&
|
|
contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'),
|
|
github.event.comment.author_association)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
with:
|
|
fetch-depth: 1
|
|
|
|
- name: PR Review
|
|
uses: hauke/claude-code-action@95d07da986168a9998e8e4713ec29b7c162b4dd9 # v1.0.77-fixed
|
|
with:
|
|
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
|
|
github_token: ${{ secrets.GITHUB_TOKEN }}
|
|
trigger_phrase: "/claude"
|
|
claude_args: >-
|
|
--allowedTools "mcp__github_inline_comment__create_inline_comment"
|
|
--disallowedTools "Bash(git add:*),Bash(git commit:*),Bash(git rm:*),Bash(git push:*)"
|