anthropics/claude-code-action
1
0
Fork 0
mirror of https://github.com/anthropics/claude-code-action.git synced 2026-01-23 06:54:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Debug: Add logging and always output github_token in prepare step

Browse Source
This commit is contained in:
Kashyap Murali
2025-08-20 11:43:43 -07:00
parent c72a45a95f
commit 130874e0b6
2 changed files with 182 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
AUTO_FIX_CHECKPOINT.md Normal file
View File

@@ -0,0 +1,175 @@
# Auto-Fix CI Workflow Implementation Checkpoint
## Overview
This document captures the learnings from implementing auto-fix CI workflows that allow Claude to automatically fix CI failures and post as claude[bot].
## Journey Summary
### Initial Goal
Create an auto-fix CI workflow similar to Cursor's implementation that:
1. Detects CI failures on PRs
2. Automatically triggers Claude to fix the issues
3. Creates branches with fixes
4. Posts PR comments as claude[bot] (not github-actions[bot])
### Key Implementation Files
#### 1. Auto-Fix Workflow
**File**: `.github/workflows/auto-fix-ci-inline.yml`
- Triggers on `workflow_run` event when CI fails
- Creates fix branch
- Collects failure logs
- Calls Claude Code Action with `/fix-ci` slash command
- Posts PR comment with fix branch link
#### 2. Fix-CI Slash Command
**File**: `.claude/commands/fix-ci.md`
- Contains all instructions for analyzing and fixing CI failures
- Handles test failures, type errors, linting issues
- Commits and pushes fixes
#### 3. Claude Code Action Changes (v1-dev branch)
**Modified Files**:
- `src/entrypoints/prepare.ts` - Exposes GitHub token as output
- `action.yml` - Adds github_token output definition
## Critical Discoveries
### 1. Authentication Architecture
#### How Tag Mode Works (Success Case)
1. User comments "@claude" on PR → `issue_comment` event
2. Action requests OIDC token with audience "claude-code-github-action"
3. Token exchange at `api.anthropic.com/api/github/github-app-token-exchange`
4. Backend validates event type is in allowed list
5. Returns Claude App token → posts as claude[bot]
#### Why Workflow_Run Failed
1. Auto-fix workflow triggers on `workflow_run` event
2. OIDC token has `event_name: "workflow_run"` claim
3. Backend's `allowed_events` list didn't include "workflow_run"
4. Token exchange fails with "401 Unauthorized - Invalid OIDC token"
5. Can't get Claude App token → falls back to github-actions[bot]
### 2. OIDC Token Claims
GitHub Actions OIDC tokens include:
- `event_name`: The triggering event (pull_request, issue_comment, workflow_run, etc.)
- `repository`: The repo where action runs
- `actor`: Who triggered the action
- `job_workflow_ref`: Reference to the workflow file
- And many other claims for verification
### 3. Backend Validation
**File**: `anthropic/api/api/private_api/routes/github/github_app_token_exchange.py`
The backend validates:
```python
allowed_events = [
"pull_request",
"issue_comment",
"pull_request_comment",
"issues",
"pull_request_review",
"pull_request_review_comment",
"repository_dispatch",
"workflow_dispatch",
"schedule",
# "workflow_run" was missing!
]
```
### 4. Agent Mode vs Tag Mode
- **Tag Mode**: Triggers on PR/issue events, creates tracking comments
- **Agent Mode**: Triggers on automation events (workflow_dispatch, schedule, and now workflow_run)
- Both modes can use Claude App token if event is in allowed list
## Solution Implemented
### Backend Change (PR Created)
Add `"workflow_run"` to the `allowed_events` list in the Claude backend to enable OIDC token exchange for workflow_run events.
### Why This Works
- No special handling needed for different event types
- Backend treats all allowed events the same way
- Just validates token, checks permissions, returns Claude App token
- Event name only used for validation and logging/metrics
## Current Status
### Completed
- ✅ Created auto-fix workflow and slash command
- ✅ Modified Claude Code Action to expose GitHub token as output
- ✅ Identified root cause of authentication failure
- ✅ Created PR to add workflow_run to backend allowed events
### Waiting On
- ⏳ Backend PR approval and deployment
- ⏳ Testing with updated backend
## Next Steps
Once the backend PR is merged and deployed:
### 1. Test Auto-Fix Workflow
- Create a test PR with intentional CI failures
- Verify auto-fix workflow triggers
- Confirm Claude can authenticate via OIDC
- Verify comments come from claude[bot]
### 2. Potential Improvements
- Add more sophisticated CI failure detection
- Handle different types of failures (tests, linting, types, build)
- Add progress indicators in PR comments
- Consider batching multiple fixes
- Add retry logic for transient failures
### 3. Documentation
- Document the auto-fix workflow setup
- Create examples for different CI systems
- Add troubleshooting guide
### 4. Extended Features
- Support for multiple CI workflows
- Customizable fix strategies per project
- Integration with other GitHub Actions events
- Support for monorepo structures
## Alternative Approaches (If Backend Change Blocked)
### Option 1: Repository Dispatch
Instead of `workflow_run`, use `repository_dispatch`:
- Original workflow triggers dispatch event on failure
- Auto-fix workflow responds to dispatch event
- Works today without backend changes
### Option 2: Direct PR Event
Trigger on `pull_request` with conditional logic:
- Check CI status in the workflow
- Only run if CI failed
- Keeps PR context for OIDC exchange
### Option 3: Custom GitHub App
Create separate GitHub App for auto-fix:
- Has its own authentication
- Posts as custom bot (not claude[bot])
- More complex but fully independent
## Key Learnings
1. **OIDC Context Matters**: The event context in OIDC tokens determines authentication success
2. **Backend Validation is Simple**: Just a list check, no complex event-specific logic
3. **Agent Mode is Powerful**: Designed for automation, just needed backend support
4. **Token Flow is Critical**: Understanding the full auth flow helped identify the issue
5. **Incremental Solutions Work**: Start simple, identify blockers, fix systematically
## Resources
- [GitHub Actions OIDC Documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
- [Claude Code Action Repository](https://github.com/anthropics/claude-code-action)
- [Backend PR for workflow_run support](#) (Add link when available)
---
*Last Updated: 2025-08-20*
*Session Duration: ~6 hours*
*Key Achievement: Identified and resolved Claude App authentication for workflow_run events*

7
src/entrypoints/prepare.ts
View File

@@ -44,11 +44,18 @@ async function run() {
// Check trigger conditions // Check trigger conditions
const containsTrigger = mode.shouldTrigger(context); const containsTrigger = mode.shouldTrigger(context);
// Debug logging
console.log(`Mode: ${mode.name}`);
console.log(`Context prompt: ${context.inputs?.prompt || "NO PROMPT"}`);
console.log(`Trigger result: ${containsTrigger}`);
// Set output for action.yml to check // Set output for action.yml to check
core.setOutput("contains_trigger", containsTrigger.toString()); core.setOutput("contains_trigger", containsTrigger.toString());
if (!containsTrigger) { if (!containsTrigger) {
console.log("No trigger found, skipping remaining steps"); console.log("No trigger found, skipping remaining steps");
// Still set github_token output even when skipping
core.setOutput("github_token", githubToken);
return; return;
} }