Skip to content

Ensure CI Can Post To PR#10

Merged
github-actions[bot] merged 1 commit intomainfrom
pr-review-comments
Jan 28, 2026
Merged

Ensure CI Can Post To PR#10
github-actions[bot] merged 1 commit intomainfrom
pr-review-comments

Conversation

@stack72
Copy link
Copy Markdown
Contributor

@stack72 stack72 commented Jan 28, 2026

No description provided.

@stack72 stack72 force-pushed the pr-review-comments branch from afb3e35 to 35381e2 Compare January 28, 2026 22:01
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 28, 2026

PR Review: Ensure CI Can Post To PR

Summary

This PR modifies the Claude Code Review GitHub Action configuration to enable posting comments directly to PRs via the gh CLI tool.

Changes Reviewed

File: .github/workflows/ci.yml

✅ What's Good

  1. Explicit tool permissions: The addition of --allowedTools Bash(gh pr comment:*),Bash(gh pr view:*) follows the principle of least privilege by restricting Claude to only the specific gh commands needed for PR interaction.

  2. Clear instructions: The prompt now explicitly instructs Claude how to post feedback, making the workflow more deterministic.

  3. Removal of use_sticky_comment: Moving to manual gh pr comment gives more control over comment behavior.

  4. Passing PR context: Including REPO and PR NUMBER in the prompt ensures Claude has the necessary context to operate.

⚠️ Observations

  1. Parameter reordering: The parameters (github_token, anthropic_api_key, etc.) have been reordered. This is purely cosmetic and has no functional impact, but if there's a team convention for parameter ordering, it might be worth noting.

  2. Removal of ddd skill reference: The prompt changed from:

    3. Domain-driven design principles (use the ddd skill if needed)

    to:

    3. Domain-driven design principles

    This removes the hint about the ddd skill. Given that CLAUDE.md emphasizes DDD principles, you may want to keep that hint, though Claude should still reference CLAUDE.md automatically.

  3. Removed text: The phrase "Please provide constructive feedback and suggest improvements where needed." was removed. This is minor since the review instructions are already clear.

🔒 Security Review

  • ✅ No secrets are exposed in logs
  • ✅ Uses secrets.GITHUB_TOKEN and secrets.ANTHROPIC_API_KEY appropriately
  • ✅ Tool permissions are scoped appropriately (gh pr comment and gh pr view only)
  • ✅ No command injection vulnerabilities - PR number comes from GitHub context, not user input

📋 Compliance with CLAUDE.md

This PR only modifies CI configuration (YAML), not TypeScript code, so the following guidelines don't directly apply:

  • TypeScript strict mode ✅ (N/A)
  • Named exports ✅ (N/A)
  • No any types ✅ (N/A)
  • Test coverage ✅ (N/A - CI config changes don't require unit tests)

Verdict

Approved

This is a straightforward CI configuration change that improves the Claude Code Review workflow by enabling direct PR commenting. The changes are well-scoped and follow security best practices.

@github-actions github-actions Bot merged commit 9640818 into main Jan 28, 2026
3 checks passed
@adamhjk adamhjk deleted the pr-review-comments branch January 29, 2026 06:36
@stack72 stack72 mentioned this pull request Feb 11, 2026
Closed
@github-actions github-actions Bot mentioned this pull request Apr 8, 2026
Merged
6 tasks
stack72 added a commit that referenced this pull request Apr 8, 2026
@stack72 @claude
fix: remove module-level SwampClubClient cache
12a482a 
The _swampClub module-level singleton was keyed on nothing — once created
for issue #N, every subsequent getSwampClub() call returned the same
client regardless of the new issueNumber in globalArgs. Since user models
are loaded via dynamic import() in the same process, the module stays
cached across method calls, so running start for issue #10 and then
issue #20 in the same session silently sent #20's lifecycle entries,
type updates, and status transitions to #10.

Drop the cache entirely and call createSwampClubClient directly at each
use. The reachability check is a single 5s-timeout HTTP GET and runs
once per method invocation — negligible next to the lifecycle POST
already happening on the same code path.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
stack72 added a commit that referenced this pull request Apr 11, 2026
@stack72 @claude
fix(evals/promptfoo): upgrade promptfoo to 0.121.4 and drop overrides
53a5071 
Bump promptfoo from 0.121.3 → 0.121.4 and regenerate the lockfile. The
new release naturally pulls patched versions of every transitive dep
that was previously pinned via an override, so the entire `overrides`
block can go.

Clears 4 open Dependabot alerts against
`evals/promptfoo/package-lock.json`:

| # | Package | GHSA | Severity |
|---|---|---|---|
| 11 | mathjs | GHSA-jvff-x2qm-6286 | high |
| 10 | basic-ftp | GHSA-6v7q-wjvx-w8wg | high |
| 9 | axios | GHSA-3p68-rc4w-qgx5 | critical |
| 8 | basic-ftp | GHSA-chqc-8p9q-pq6q | high |

Root cause: #1158 added `axios` and `basic-ftp` overrides but the
lockfile was never regenerated, so the committed lockfile still had
`[email protected]` and `[email protected]`. The `basic-ftp: >=5.2.1` range
also still allowed the vulnerable 5.2.1 per alert #10, and there was
no override at all for mathjs.

Resolved versions in the regenerated lockfile:

| Package | Was | Now |
|---|---|---|
| @anthropic-ai/sdk | 0.81.0 | 0.82.0 |
| axios | 1.14.0 | 1.15.0 |
| basic-ftp | 5.2.0 | 5.2.2 |
| mathjs | 15.1.1 | 15.2.0 |
| hono | 4.12.12 | 4.12.12 |
| @hono/node-server | 1.19.13 | 1.19.13 |

No nested/duplicate copies of axios, basic-ftp, or mathjs remain in
the lockfile.

Verification:
- `npm audit` → 0 vulnerabilities
- `deno run scripts/audit_deps.ts` → "No known vulnerabilities found"
  (scanned 1064 packages across deno.lock + promptfoo lockfile)
- `deno fmt --check`, `deno lint`, `deno check` — clean

No code changes required. The eval entry script calls `npx promptfoo
eval` — a stable CLI surface — and a patch bump (0.121.3 → 0.121.4)
is not expected to change it. Engine requirement unchanged
(`^20.20.0 || >=22.22.0`); CI uses Node 24.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@stack72 stack72 mentioned this pull request Apr 11, 2026
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@stack72