
chore(ci): harden similar-issues workflow with least-privilege split#1600

Merged: yamadashy merged 1 commit into main from chore/harden-issue-similar-workflow on May 25, 2026

Conversation

@yamadashy (Owner)

Summary

Apply the same least-privilege split used for the issue triage workflow (#1598) to the Claude similar-issues workflow.

  • Split the single job into two:
    • find (read-only, no write token, no shell/network tools): reads the issue and a candidate pool fetched with plain gh, and returns up to 3 related issue numbers via --json-schema structured output.
    • comment (no AI): validates the chosen numbers against real repository issues and posts a fixed-template "Related Issues" comment that links only the issue references (#n).
  • The step that reads issue content no longer holds a write-capable token or shell access, and the posted comment contains no model-authored text.
  • Behavior is unchanged: opened issues still get a related-issues comment when relevant.

Checklist

  • Run npm run test
  • Run npm run lint

decision(architecture): split into a read-only find job and a separate no-AI comment job, mirroring the triage workflow, so the step that reads issue content holds no write token and no shell access.
decision(find-tools): disable Bash/Edit/Write/MultiEdit/NotebookEdit/WebFetch/WebSearch/Task and return related issue numbers via --json-schema structured output. Pass the untrusted issue title to gh search after "--" so it cannot be parsed as an option.
decision(comment): build the comment from a fixed template, validate the model-chosen numbers against real repository issues, and render only the issue reference (#n) so no attacker-controlled text reaches the posted comment.
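The validation chain the description lays out for the comment job (numeric-only, de-duplicated, capped at 3, confirmed against real issues, rendered as bare `#n` references) and the `--` guard for the search call, written out as an added shell example. This is not the repomix workflow's own code: it assumes the model's structured output has already been flattened to one number per line (as `jq -r '.[]'` would do), `issue_exists` is an offline stand-in for a `gh issue view` lookup against a constructed issue list, and the `gh search issues` flag set is an assumption about how the candidate pool is fetched.

```shell
#!/bin/sh
# Added example, not the repomix workflow's own code: the checks a "comment"
# job applies to model-chosen issue numbers before anything is posted.
# Assumptions: the structured output has already been flattened to one
# number per line (e.g. via `jq -r '.[]'`), and `issue_exists` is an offline
# stand-in for a `gh issue view` lookup.

# Constructed sample of what a model might return, including values that must
# be rejected: a duplicate, a non-numeric token, shell metacharacters, the
# current issue itself, and a fourth valid number beyond the cap of 3.
RAW_CANDIDATES='42
7
42
abc
7; rm -rf /
13
99
5'
CURRENT_ISSUE=13

# Constructed stand-in for the repository's real issues (hypothetical numbers).
KNOWN_ISSUES="5 7 13 42 120"

# Keep only purely numeric tokens, drop the current issue, de-duplicate in
# first-seen order, and cap the list at 3. Anything else the model emitted is
# discarded rather than interpreted.
sanitize_issue_numbers() {
  # $1: newline-separated raw candidates, $2: current issue number
  printf '%s\n' "$1" | awk -v cur="$2" '
    /^[0-9]+$/ && $0 != cur && !seen[$0]++ { print; if (++n == 3) exit }'
}

# Offline substitute for `gh issue view "$1"`: succeeds only for a known issue.
issue_exists() {
  for n in $KNOWN_ISSUES; do
    [ "$n" = "$1" ] && return 0
  done
  return 1
}

# Sanitized numbers that also resolve to a real issue, one per line.
verified_issue_numbers() {
  sanitize_issue_numbers "$1" "$2" | while IFS= read -r n; do
    issue_exists "$n" && printf '%s\n' "$n"
  done
  return 0
}

# Fixed template: the only model-influenced content is the "#n" reference.
# Returns 1 (nothing to post) when no verified numbers remain.
build_comment() {
  [ $# -eq 0 ] && return 1
  printf 'Related Issues\n\n'
  for n in "$@"; do
    printf '%s\n' "- #$n"
  done
}

# Argument vector for fetching the candidate pool. The untrusted issue title
# goes after "--" so a title such as "--help" is a search term, not an option.
# The flag set is an assumption about how the pool is fetched.
candidate_search_args() {
  # $1: owner/repo, $2: untrusted issue title; prints one argument per line
  printf '%s\n' gh search issues --repo "$1" --limit 30 --json number,title -- "$2"
}

# Demonstration on the constructed sample.
numbers=$(verified_issue_numbers "$RAW_CANDIDATES" "$CURRENT_ISSUE")
if [ -n "$numbers" ]; then
  # word-splitting $numbers is intended: every token is validated digits
  build_comment $numbers
else
  echo "no verified related issues; skipping comment"
fi
```

On the sample input the sanitizer yields 42, 7 and 99 (the duplicate 42, the two non-numeric tokens, the current issue 13 and the excess 5 are dropped), the existence check then removes 99, and the comment is built from 42 and 7 alone; with an empty verified list `build_comment` returns non-zero so the caller skips posting.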
@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai (Contributor) commented May 25, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e63b3d90-4d5b-40fa-9933-2b89c9242b52

📥 Commits

Reviewing files that changed from the base of the PR and between 132f1b8 and 5307a43.

📒 Files selected for processing (1)
  • .github/workflows/claude-issue-similar.yml

📝 Walkthrough

Walkthrough

The workflow governing "find similar issues" is refactored to enforce a least-privilege, two-phase approach. The find job fetches issue and candidate data and runs Claude with schema constraints to select related issue numbers. The comment job then validates those numbers and posts a comment with verified issue links, skipping posting if no valid issues are found.

Changes

Workflow refactor to two-phase architecture

Layer / File(s): Summary
  • Two-phase job structure and permissions (.github/workflows/claude-issue-similar.yml): Job definition is split from a single find-similar job into separate find and comment jobs, with tightened default permissions (permissions: {}) and explicit per-job grants (issues: read, contents: read for find; issues: write for comment).
  • Find and comment job implementation (.github/workflows/claude-issue-similar.yml): The find job fetches the opened issue and candidate pool as JSON, runs Claude with a strict schema to select up to 3 related issue numbers from candidates (excluding the current issue), and outputs the structured list. The comment job validates, filters (numeric-only, de-duplicates, limits to 3), verifies each issue exists via gh issue view, and posts a fixed comment template with issue references; posting is skipped if no valid issues remain.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • yamadashy/repomix#979: Both PRs modify .github/workflows/claude-issue-similar.yml permissions blocks.
  • yamadashy/repomix#1203: Both PRs modify the Claude tool targets and gh issue command arguments in the same workflow file.
  • yamadashy/repomix#977: Both PRs refactor the "find similar issues" Claude workflow logic; PR #977 initially adds the workflow, and this PR refactors it into separate phases with stricter validation.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name / Status: Explanation
  • Title check ✅ Passed: The title 'chore(ci): harden similar-issues workflow with least-privilege split' directly and clearly describes the main change: applying security hardening with a least-privilege architectural split to the similar-issues workflow.
  • Description check ✅ Passed: The description includes a comprehensive summary of changes, details about the two-job split and their responsibilities, security improvements, and the behavior preservation. It follows the template structure with both the summary section and checklist present.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.


@github-actions (Contributor) commented May 25, 2026

⚡ Performance Benchmark

Latest commit: 5307a43 chore(ci): harden similar-issues workflow with least-privilege split
Status: ✅ Benchmark complete!
Ubuntu: 0.68s (±0.02s) → 0.67s (±0.01s) · -0.01s (-0.7%)
macOS: 0.46s (±0.05s) → 0.47s (±0.07s) · +0.01s (+2.4%)
Windows: 0.86s (±0.02s) → 0.87s (±0.02s) · +0.01s (+0.9%)
Details
  • Packing the repomix repository with node bin/repomix.cjs
  • Warmup: 2 runs (discarded), interleaved execution
  • Measurement: 20 runs / 30 on macOS (median ± IQR)
  • Workflow run

@codecov commented May 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.86%. Comparing base (132f1b8) to head (5307a43).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1600   +/-   ##
=======================================
  Coverage   90.86%   90.86%           
=======================================
  Files         121      121           
  Lines        4683     4683           
  Branches     1088     1088           
=======================================
  Hits         4255     4255           
  Misses        428      428           


@cloudflare-workers-and-pages

Deploying repomix with Cloudflare Pages

Latest commit: 5307a43
Status: ✅  Deploy successful!
Preview URL: https://a499f38d.repomix.pages.dev
Branch Preview URL: https://chore-harden-issue-similar-w.repomix.pages.dev


@yamadashy yamadashy merged commit 18b1d61 into main May 25, 2026
74 of 80 checks passed
@yamadashy yamadashy deleted the chore/harden-issue-similar-workflow branch May 25, 2026 15:00