fix: address Copilot review on PR #376 (round 7)

kotakanbe · claude · kotakanbe · commit 5fdb1c38574c · 2026-05-05T09:21:21.000Z
- claude.yml workflow-file pre-flight: switch from
  `gh pr diff --name-only` to `gh pr view --json files`. The diff
  form reports only the rename destination, so a rename OUT of
  `.github/workflows/**` (e.g. `.github/workflows/ci.yml -&gt; docs/ci.yml`)
  would leave `touches_workflows=0` even though Phase B push would
  still 403 on the source path. The view form returns both `path`
  (added/modified/deleted/destination) and `previousPath` (source
  side of renames); we now check either side. Also defensive case
  on the count: non-numeric / blank ⇒ fail-CLOSED to 1.

- claude.yml "Resolve PR head ref name": stderr no longer merged
  into `head_ref`. The previous `2&gt;&amp;1` (added in R3 to get error
  context on failure) also captured non-fatal `gh` warnings on
  success, which would write a polluted value like `warning ...
  branch-name` to `GITHUB_OUTPUT`. Phase B then used that as the
  push target via `git push origin HEAD:$BRANCH` and the run would
  fail. New form: capture stderr to a temp file, only emit
  `GITHUB_OUTPUT` from stdout on success, surface stderr only in
  the warning path.

Verification: GOWORK=off go build/vet ./... — green.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -75,16 +75,34 @@ jobs:
           # active marker in place. Refuse upfront with a clear comment
           # so the maintainer knows to fix workflow PRs locally via
           # `/review-until-clean` (which uses their own gh auth).
-          # Fail-CLOSED on `gh pr diff` failure: a transient API / auth
-          # error must NOT silently bypass the workflow-file guard
-          # (would let Phase B push hit 403 mid-loop and spin until
-          # timeout). Treat fetch failure as "could be a workflow-file
-          # PR" and decline cleanly with a guidance comment.
-          if ! diff_files=$(gh pr diff "$PR_NUMBER" --repo "$GH_REPO" --name-only 2>&1); then
-            echo "::warning::PR #$PR_NUMBER: gh pr diff failed ($diff_files) — cannot verify workflow-file status. Failing closed."
+          # Fail-CLOSED on `gh pr view --json files` failure: a transient
+          # API / auth error must NOT silently bypass the workflow-file
+          # guard (would let Phase B push hit 403 mid-loop and spin
+          # until timeout). Treat fetch failure as "could be a
+          # workflow-file PR" and decline cleanly with a guidance
+          # comment.
+          #
+          # Use `gh pr view --json files` (returns both `path` and
+          # `previousPath`) instead of `gh pr diff --name-only` (which
+          # only reports the rename destination). Renames OUT of
+          # `.github/workflows/**` would otherwise miss this guard
+          # even though `git push` would still 403 on the source path.
+          err_file=$(mktemp)
+          if ! files_json=$(gh pr view "$PR_NUMBER" --repo "$GH_REPO" --json files 2>"$err_file"); then
+            err=$(cat "$err_file")
+            echo "::warning::PR #$PR_NUMBER: gh pr view --json files failed: $err — cannot verify workflow-file status. Failing closed."
+            rm -f "$err_file"
             touches_workflows=1
           else
-            touches_workflows=$(printf '%s\n' "$diff_files" | grep -c '^\.github/workflows/' || true)
+            rm -f "$err_file"
+            # `.path` covers added/modified/deleted; `.previousPath`
+            # covers source side of renames. Match on either.
+            touches_workflows=$(printf '%s' "$files_json" | jq '[.files[]
+                | (.path // "") , (.previousPath // "")
+                | select(startswith(".github/workflows/"))] | length')
+            case "$touches_workflows" in
+              ''|*[!0-9]*) touches_workflows=1 ;;
+            esac
           fi
           if [[ "$touches_workflows" -gt 0 ]]; then
             echo "::warning::PR #$PR_NUMBER touches .github/workflows/** — CI claude task cannot push under GH_ACTIONS_TOKEN scope. Posting a guidance comment and exiting cleanly so cron does not retry indefinitely."
@@ -153,12 +171,19 @@ jobs:
           # of failure for every @claude run. On failure, leave
           # `head_ref` unset; the skill will fall back to its in-skill
           # PR detection.
+          # IMPORTANT: capture stderr separately so non-fatal `gh`
+          # warnings don't pollute the `head_ref` value (a polluted
+          # value would propagate into the skill's `git push origin
+          # HEAD:$BRANCH` and turn a healthy run into an invalid push).
           if [[ -n "$PR_NUMBER" ]]; then
-            if head_ref=$(gh pr view "$PR_NUMBER" --repo "$GH_REPO" --json headRefName --jq .headRefName 2>&1); then
+            err_file=$(mktemp)
+            if head_ref=$(gh pr view "$PR_NUMBER" --repo "$GH_REPO" --json headRefName --jq .headRefName 2>"$err_file"); then
               echo "head_ref=$head_ref" >> "$GITHUB_OUTPUT"
             else
-              echo "::warning::Resolve PR head ref name: gh pr view failed (PR_NUMBER=$PR_NUMBER): $head_ref — skill will derive from PR_NUMBER directly"
+              err_msg=$(cat "$err_file")
+              echo "::warning::Resolve PR head ref name: gh pr view failed (PR_NUMBER=$PR_NUMBER): $err_msg — skill will derive from PR_NUMBER directly"
             fi
+            rm -f "$err_file"
           fi
 
       - uses: anthropics/claude-code-action@1c8b699d43e9bfed42b48ef15da85d89bab70960 # v1.0.94
