name: claude-mention

# @claude mention handler on PR conversation comments, inline review
# comments, and review bodies. See the header comment in
# claude-review.yml for why this is self-contained rather than calling
# the org reusable workflows.
#
# Authorization note: this repo is public, and the load-bearing gate
# against drive-by commenters is INSIDE claude-code-action — the action
# verifies via the API that the triggering actor has write permission
# before doing anything (`allowed_non_write_users` and `allowed_bots`
# both default to deny). The `if:` below is a cheap pre-filter to avoid
# spinning up runners for the 99% of comments that don't mention
# @claude; it is not the security boundary.
#
# NOTE(review): because that gate lives in a third-party action, it is
# only as stable as the pinned commit in the `Claude` step. Re-verify the
# two defaults named above whenever that pin is bumped.

# Only `created` / `submitted` activity types are listed, so editing an
# existing comment to add a mention does not start a run.
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  pull_request_review:
    types: [submitted]

# GITHUB_TOKEN scopes, declared at workflow level; `mention` is the only
# job, so these are the scopes it runs with.
# `id-token: write` lets the job request an OIDC token, which the
# "Configure AWS credentials (OIDC)" step uses to assume the role.
# NOTE(review): who may assume that role is decided by the IAM trust
# policy, which is not visible here — confirm it is restricted to this
# repository.
# NOTE(review): `pull-requests: write` and `issues: write` are presumably
# there for posting comments — confirm both are still needed.
permissions:
  contents: read
  pull-requests: write
  issues: write
  actions: read
  id-token: write

jobs:
  mention:
    # Skip comments/reviews that don't mention @claude, non-PR issue
    # comments, and events from claude[bot] itself (its review prose
    # often quotes "@claude" and must not retrigger the workflow).
    if: >
      (
        (github.event_name == 'issue_comment' &&
          github.event.issue.pull_request != null &&
          contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment' &&
          contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review' &&
          contains(github.event.review.body, '@claude'))
      ) &&
      github.actor != 'claude[bot]'
    runs-on: ubuntu-latest
    # Upper bound on how long one mention can hold a runner.
    timeout-minutes: 20
    # One group per repository and PR number. `issue.number` is set for
    # issue_comment events; the `||` falls back to `pull_request.number`
    # for the two review events. With `cancel-in-progress: false` a
    # running job is left to finish rather than being cancelled by a
    # newer mention on the same PR.
    concurrency:
      group: claude-mention-${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number }}
      cancel-in-progress: false
    steps:
      # All three actions below are pinned to a full commit SHA, with the
      # tag recorded in the trailing comment, so a moved tag cannot change
      # what runs.
      #
      # No `ref:` is passed, so checkout uses the triggering event's
      # default ref.
      # NOTE(review): for issue_comment that is presumably the default
      # branch, while the two review events presumably resolve to the PR
      # merge ref, i.e. contributor-controlled files in the workspace.
      # Confirm that no step executes anything from the checkout.
      # NOTE(review): `persist-credentials` is left at its default;
      # consider setting it to false if nothing later needs git to
      # authenticate with the checkout token — verify against what
      # claude-code-action expects.
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 1
      # The role ARN is read from a secret and no static access-key inputs
      # are passed to this step.
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
        with:
          role-to-assume: ${{ secrets.AWS_BEDROCK_REVIEW_ROLE_ARN }}
          aws-region: us-east-2
      # `use_bedrock` presumably routes model calls through Bedrock using
      # the credentials configured by the previous step.
      # `additional_permissions: actions: read` presumably backs the two
      # `mcp__github_ci__*` tools in the allowlist — TODO confirm.
      #
      # `--allowedTools` lists inline review comments, CI status and job
      # log reads, and three `gh pr` subcommands (comment, diff, view).
      # PR content and comment bodies are untrusted input to the model, so
      # this list is what limits the effect of a manipulated prompt;
      # review any addition to it as a permission change.
      # NOTE(review): confirm whether the action adds default tools of its
      # own on top of this list.
      - name: Claude
        uses: anthropics/claude-code-action@9dd8b95a392eb34b6f5fb56cf5a64cb735912d4b # v1.0.150
        with:
          use_bedrock: 'true'
          additional_permissions: |
            actions: read
          track_progress: true
          claude_args: |
            --model global.anthropic.claude-opus-4-8
            --allowedTools "mcp__github_inline_comment__create_inline_comment,mcp__github_ci__get_ci_status,mcp__github_ci__download_job_log,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"