ci: fix /claude-review workflow — pre-approve tools to resolve 22 permission denials#1987
/claude-review
Code Review
This pull request introduces a dummy comment in the CMakeLists.txt file for the Advection problem to test the /claude-review workflow. There are no review comments, and I have no feedback to provide.
…iew workflow The claude-code-review.yml workflow was hitting 22 permission denials per run because Claude Code had no pre-approved tools in headless CI. Pre-approve read-only tools (Read, git, gh, find, grep, ls) to allow the review to proceed. Also enable show_full_output to make future failures easier to diagnose, and update .gitignore to track .claude/settings.json while continuing to ignore all other files in .claude/.
…s.txt change show_full_output: true makes Claude's tool calls visible in CI logs, which is needed to identify the remaining 3 permission denials. Removes the throwaway comment that was only used to trigger the test PR.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d48e0aee5e
Description

Fixes the `/claude-review` workflow that was failing with 22 permission denials on every trigger.

When a PR comment contains `/claude-review`, the `claude-code-review.yml` workflow runs Claude Code in headless CI mode. Without pre-approved tools in `.claude/settings.json`, Claude's every tool call hits a permission denial. With the default `--max-turns 30`, all 30 turns are consumed by denials before Claude can do any work, resulting in `error_max_turns`.

**Root cause:** `.claude/` is listed in `.gitignore`, so no `settings.json` was ever committed. Claude Code in CI had no pre-approved tools.

**Fix:**
- `.gitignore`: exclude only the files within `.claude/` (keeping `settings.json` trackable via the `!/.claude/settings.json` exception).
- `.claude/settings.json`: read-only tool permissions pre-approved: `Read`, `git diff/log/show/blame/ls-files`, `gh pr view/diff`, `gh issue view`, `find`, `grep`, `ls`, `wc`.
- `show_full_output: true` in the workflow so future failures are visible in CI logs rather than hidden.

**Validation:** After this fix, a `workflow_dispatch` test on PR #1987 completed in 10 turns with 3 remaining denials (vs. 22 denials + max-turns failure before). The 3 remaining denials will be identifiable via `show_full_output: true` after merging and retesting with an `issue_comment` trigger.
**Note on testing:** The `workflow_dispatch` path cannot post a sticky comment on a specific PR (the action doesn't expose the `pr_number` input to its comment-posting logic for `workflow_dispatch` events). The primary trigger, an `issue_comment` containing `/claude-review`, will work correctly after this is merged to `development`, since the action restores `.claude` from the base branch.

Related issues

N/A
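A `.claude/settings.json` that pre-approves exactly the read-only tools the description lists, as an added example rather than the file committed in this PR: the `permissions.allow` rule syntax, with `Bash(<prefix>:*)` matching any command that starts with that prefix, is assumed from Claude Code's settings documentation.

```json
{
  "permissions": {
    "allow": [
      "Read",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(git show:*)",
      "Bash(git blame:*)",
      "Bash(git ls-files:*)",
      "Bash(gh pr view:*)",
      "Bash(gh pr diff:*)",
      "Bash(gh issue view:*)",
      "Bash(find:*)",
      "Bash(grep:*)",
      "Bash(ls:*)",
      "Bash(wc:*)"
    ]
  }
}
```

Nothing in this list can modify the working tree, push, or post to GitHub, so the reviewer runs with least privilege even if a PR's content tries to steer it. The companion `.gitignore` change has to ignore `.claude/*` rather than `.claude/`, because git will not re-include `!/.claude/settings.json` when its parent directory itself is excluded.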
Checklist

Before this pull request can be reviewed, all of these tasks should be completed. Denote completed tasks with an `x` inside the square brackets `[ ]` in the Markdown source below:

/azp run.