feat: split Claude workflow into interactive + issue automation jobs

[don-petry]

Summary

• Splits the single claude job into two dedicated jobs: claude (interactive PR reviews / @claude mentions) and claude-issue (issue-triggered automation)
• The claude-issue job runs in automation mode with scoped tools to create PRs, self-review, check CI, and tag code owners when ready
• Adds actions: read and checks: read permissions to both jobs

Aligns with the org standard: https://github.com/petry-projects/.github/blob/main/standards/ci-standards.md#4-claude-code-claudeyml

Test plan

• Label an issue with claude and verify the claude-issue job triggers
• Open a PR and verify the claude job triggers for review
• Comment @claude on a PR and verify it responds

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated internal GitHub Actions workflow configuration to optimize automation processes.

Note: This release contains no user-facing changes. The modifications are limited to development infrastructure updates.

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 51 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 7 minutes and 51 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c9c3daa6-abac-4965-ac84-3d29da0f5fe0

📥 Commits

Reviewing files that changed from the base of the PR and between 1505060 and c85978b.

📒 Files selected for processing (1)

• .github/workflows/claude.yml

📝 Walkthrough

Walkthrough

The GitHub Actions workflow for Claude code execution is refactored into two separate jobs with distinct triggers: a claude job handling pull requests and @claude mentions with basic permissions, and a new claude-issue job for issues labeled with claude, including comprehensive automation instructions for implementation, PR creation, self-review, and CI resolution.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Refactoring .github/workflows/claude.yml	Split monolithic Claude job into two: claude job for PR/mention triggers with read-only permissions, and claude-issue job for labeled issues with tool allowlist, progress tracking, and multi-step automation prompt covering implementation, PR creation, review resolution, and CI fixing loops.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• petry-projects/TalkTerm#15: Modifies the same .github/workflows/claude.yml workflow, refactoring Claude Code action execution into separate jobs with adjusted triggers and permission scopes.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly summarizes the main change: splitting Claude workflow into two separate jobs for interactive and issue automation purposes, matching the changeset exactly.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/claude-auto-pr

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Splits the existing Claude Code GitHub Actions workflow into two jobs to separate interactive PR review triggers from issue-labeled automation, aligning the workflow structure with the referenced org CI standard.

Changes:

• Split claude into claude (interactive PR reviews / @claude mentions) and claude-issue (issue label automation).
• Added actions: read and checks: read permissions to both jobs (and passed them via additional_permissions).
• Added automation-mode configuration for claude-issue (progress tracking, tool allowlist, and an implementation/self-review/CI prompt).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

claude_args restricts Bash to a small gh subset and cat, but the prompt requires pushing fixes and interacting with PR threads (replying/resolving) and tagging CODEOWNERS. With the current allowlist, Claude Code won't be able to run needed git commands (commit/push) or post PR comments/reviews (e.g., gh pr comment, gh pr review, or gh api). Either expand the allowed tools to cover the required operations, or adjust the prompt to only actions that are actually permitted.

Suggested change

	--allowedTools "Bash(gh pr create:*),Bash(gh pr view:*),Bash(gh run view:*),Bash(gh run watch:*),Bash(cat:*),Edit,Write"
	--allowedTools "Bash(git status:*),Bash(git diff:*),Bash(git checkout:*),Bash(git switch:*),Bash(git branch:*),Bash(git add:*),Bash(git commit:*),Bash(git push:*),Bash(gh pr create:*),Bash(gh pr view:*),Bash(gh pr comment:*),Bash(gh pr review:*),Bash(gh api:*),Bash(gh run view:*),Bash(gh run watch:*),Bash(cat:*),Edit,Write"

[don-petry]

Addressed: added gh pr comment and gh issue comment to --allowedTools, and removed Bash(cat:*). Note that git commit/push and comment management are already in the action's base tool set — --allowedTools only adds additional tools on top of those defaults.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/claude.yml (1)

22-39: ⚠️ Potential issue | 🔴 Critical

Add fork guard to comment-triggered job conditions.

Lines 25–30 allow any trusted author to trigger the write-scoped claude job by commenting @claude on a fork-backed PR, bypassing the repo-trust check you added for direct PRs (line 24). Attackers can exploit this by submitting benign fork PRs, waiting for a maintainer's automated or manual comment trigger, then updating the PR with malicious code before the workflow executes.

Add github.event.pull_request.head.repo.full_name == github.repository to both the issue_comment (line 25) and pull_request_review_comment (line 28) conditions, or alternatively restrict triggers to labels instead of comments.

Additionally, the claude-issue job's prompt (lines 85–93) asks Claude to "review all comments and review threads on the PR" and "mark the conversation as resolved," but the claude_args tool allowlist doesn't include PR review capabilities (gh pr review). Either extend the tool permissions or adjust the prompt to match available capabilities.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/claude.yml around lines 22 - 39, The workflow's
comment-trigger conditions permit trusted users to activate the write-scoped
"claude" job on fork PRs—add the fork guard by requiring
github.event.pull_request.head.repo.full_name == github.repository in the
issue_comment and pull_request_review_comment boolean expressions (the same
check already used for the pull_request branch) to prevent fork-backed triggers;
additionally, for the "claude-issue" job update either the claude_args tool
allowlist to include PR review capability (gh pr review) or modify the prompt so
it no longer asks Claude to perform or resolve PR reviews, ensuring the prompt
matches the actual allowed tools.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/claude.yml:
- Around line 55-58: The claude-issue job is underpowered for the prompt
actions; update the workflow so the claude-issue job can post and resolve
comments and re-run on new feedback: add the comment-related GitHub CLI tools
(e.g., include gh pr comment and gh issue comment in the allowed tools list used
by claude-issue) and add event triggers for new feedback (e.g., include
issue_comment and pull_request_review_comment events alongside the existing
issues label trigger) so the job can post PR/issue comments and react to new
review threads; ensure the prompt/tool mapping references these added tools so
actions like posting replies, resolving threads, and tagging code owners are
possible.

---

Outside diff comments:
In @.github/workflows/claude.yml:
- Around line 22-39: The workflow's comment-trigger conditions permit trusted
users to activate the write-scoped "claude" job on fork PRs—add the fork guard
by requiring github.event.pull_request.head.repo.full_name == github.repository
in the issue_comment and pull_request_review_comment boolean expressions (the
same check already used for the pull_request branch) to prevent fork-backed
triggers; additionally, for the "claude-issue" job update either the claude_args
tool allowlist to include PR review capability (gh pr review) or modify the
prompt so it no longer asks Claude to perform or resolve PR reviews, ensuring
the prompt matches the actual allowed tools.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6c8edd8-e4dd-4b7b-b721-9b041772dc2f

📥 Commits

Reviewing files that changed from the base of the PR and between 6bbf51c and 1505060.

📒 Files selected for processing (1)

• .github/workflows/claude.yml

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud