This change removes the custom timeout_minutes parameter from the action in favor of using GitHub Actions' native timeout-minutes feature.
Changes:
- Removed timeout_minutes input from action.yml and base-action/action.yml
- Removed all timeout handling logic from base-action/src/run-claude.ts
- Updated base-action/src/index.ts to remove timeoutMinutes parameter
- Removed timeout-related tests from base-action/test/run-claude.test.ts
- Removed timeout_minutes from all example workflow files (19 files)
Rationale:
- Simplifies the codebase by removing custom timeout logic
- Users can use GitHub Actions' native timeout-minutes at the job/step level
- Reduces complexity and maintenance burden
- Follows GitHub Actions best practices
BREAKING CHANGE: The timeout_minutes parameter is no longer supported. Users should use GitHub Actions' native timeout-minutes instead.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-authored-by: Claude <noreply@anthropic.com>
* feat: add path_to_bun_executable input for custom Bun installations
Adds optional input to specify a custom Bun executable path, bypassing automatic installation. This enables:
- Using pre-installed Bun binaries for faster workflow runs
- Testing with specific Bun versions for debugging
- Custom installation paths in unique environments
Follows the same pattern as path_to_claude_code_executable input.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor: consolidate custom executable tests into single workflow
- Remove separate test-custom-executable.yml workflow
- Rename test-custom-bun.yml to test-custom-executables.yml
- Add comprehensive tests for custom Claude, custom Bun, and both together
- Improve verification steps with better error handling
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* simplify: test workflow to single job testing both custom executables
- Remove individual test jobs for Claude and Bun
- Keep only the combined test that validates both custom executables work together
- Simplifies CI workflow and reduces redundant testing
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* feat: add path_to_claude_code_executable input for custom Claude Code installations
Adds optional input to specify a custom Claude Code executable path, bypassing automatic installation. This enables:
- Using pre-installed Claude Code binaries
- Testing with specific versions for debugging
- Custom installation paths in unique environments
Includes warning that older versions may cause compatibility issues with new features.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* test: add workflow to test custom Claude Code executable path
Adds test workflow that:
- Manually installs Claude Code via install script
- Uses the new path_to_claude_code_executable input
- Verifies the custom executable path works correctly
- Validates output and execution success
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
This allows workflows to use the Claude App token obtained by the action
for posting comments as claude[bot] instead of github-actions[bot].
Changes:
- Add github_token output to action.yml
- Export token from prepare.ts after authentication
- Allows workflows to use the same token Claude uses internally
* feat: skip action gracefully for workflow validation errors
Handle workflow_not_found_on_default_branch and workflow_content_mismatch
errors by skipping the action with a warning instead of failing. This
improves user experience when adding Claude Code workflows to new
repositories or making workflow changes in PRs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Update src/github/token.ts
---------
Co-authored-by: Claude <noreply@anthropic.com>
Replace bun install with official install script for more reliable
installation across different environments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-authored-by: Claude <noreply@anthropic.com>
Pass MCP config and allowed tools through claude_args to ensure tools like
mcp__github_comment__update_claude_comment are properly available to Claude CLI.
Key changes:
- Tag mode outputs claude_args with MCP config (as JSON string) and allowed tools
- Fixed shell escaping vulnerability when JSON contains single quotes
- Agent mode passes through user-provided claude_args unchanged
- Re-added mcp_config input for users to provide custom MCP servers
- Cleaned up misleading comments and unused file operations
- Clarified test workflow is for fork testing
Security fix: Properly escape single quotes in MCP config JSON to prevent
shell injection vulnerabilities.
Co-Authored-By: Claude <noreply@anthropic.com>
The MCP servers (including github_comment server) were configured but not passed to Claude. This caused the "update_claude_comment" tool to be unavailable.
Changes:
- Write MCP config to a file at $RUNNER_TEMP/claude-mcp-config.json
- Add mcp_config_file output from prepare.ts
- Pass MCP config file via --mcp-config flag in claude_args
- Use fs/promises writeFile to match codebase conventions
- Agent mode now only triggers when explicit prompt is provided
- Removed automatic triggering for workflow_dispatch/schedule without prompt
- Re-added additional_permissions input for requesting GitHub permissions
- Fixed TypeScript types for mock context helpers to properly handle partial inputs
- Updated documentation to reflect simplified mode behavior
- Remove all backward compatibility for v1.0 simplification
- Remove 10 legacy inputs from base-action/action.yml
- Remove 9 legacy inputs from main action.yml
- Simplify ClaudeOptions type to just timeoutMinutes and claudeArgs
- Remove all legacy option handling from prepareRunConfig
- Update tests to remove references to deleted fields
- Remove obsolete test file github/context.test.ts
- Clean up types to remove customInstructions, allowedTools, disallowedTools
Users now use claudeArgs exclusively for CLI control.
* feat: skip permission check for GitHub App bot users
GitHub Apps (users ending with [bot]) now bypass permission checks
as they have their own authorization mechanism.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* feat: add allow_bot_users option to control bot user access
- Add allow_bot_users input parameter (default: false)
- Modify checkHumanActor to optionally allow bot users
- Add comprehensive tests for bot user handling
- Improve security by blocking bot users by default
This change prevents potential prompt injection attacks from bot users
while providing flexibility for trusted bot integrations.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* docs: mark bot user support feature as completed in roadmap
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* refactor: move allowedBots parameter to context object
Move allowedBots from function parameter to context.inputs to maintain
consistency with other input handling throughout the codebase.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* docs: update README for bot user support feature
Add documentation for the new allowed_bots parameter that enables
bot users to trigger Claude actions with granular control.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: add missing allowedBots property in permissions test
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: update bot name format to include [bot] suffix in tests and docs
- Update test cases to use correct bot actor names with [bot] suffix
- Update documentation example to show correct bot name format
- Align with GitHub's actual bot naming convention
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* feat: normalize bot names for allowed_bots validation
- Strip [bot] suffix from both actor names and allowed bot list for comparison
- Allow both "dependabot" and "dependabot[bot]" formats in allowed_bots input
- Display normalized bot names in error messages for consistency
- Add comprehensive test coverage for both naming formats
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
- Add claude_args input to both action.yml files
- Implement shell-style argument parsing with quote handling
- Pass arguments directly to Claude CLI for maximum flexibility
- Add comprehensive tests for argument parsing
- Log custom arguments for debugging
Users can now pass any Claude CLI arguments directly:
claude_args: '--max-turns 3 --mcp-config /path/to/config.json'
This provides power users full control over Claude's behavior without
waiting for specific inputs to be added to the action.
BREAKING CHANGES:
- Remove review mode entirely - now handled via slash commands in agent mode
- Remove all deprecated backward compatibility fields (mode, anthropic_model, override_prompt, direct_prompt)
- Simplify mode detection: prompt overrides everything, then @claude mentions trigger tag mode, default is agent mode
- Remove slash command resolution from GitHub Action - Claude Code handles natively
- Remove variable substitution - prompts passed through as-is
Architecture changes:
- Only two modes now: tag (for @claude mentions) and agent (everything else)
- Agent mode is the default for all events including PRs
- Users configure behavior via prompts/slash commands (e.g. /review)
- GitHub Action is now a thin wrapper that passes prompts to Claude Code
- Mode names changed: 'experimental-review' → removed entirely
This aligns with the philosophy that the GitHub Action should do minimal work and delegate to Claude Code for all intelligent behavior.
Major features:
- Mode auto-detection based on GitHub event type
- Unified prompt field replacing override_prompt and direct_prompt
- Slash command system with pre-built commands
- Full backward compatibility with v0.x
Key changes:
- Add mode detector for automatic mode selection
- Implement slash command loader with YAML frontmatter support
- Update action.yml with new prompt input
- Create pre-built slash commands for common tasks
- Update all tests for v1.0 compatibility
Breaking changes (with compatibility):
- Mode input now optional (auto-detected)
- override_prompt deprecated (use prompt)
- direct_prompt deprecated (use prompt)
Allows modes to provide custom system prompts that are appended to Claude's base system prompt. This enables mode-specific instructions without modifying the core action logic.
- Add optional getSystemPrompt method to Mode interface
- Implement method in all existing modes (tag, agent, review)
- Update prepare.ts to call getSystemPrompt and export as env var
- Wire up APPEND_SYSTEM_PROMPT in action.yml to pass to base-action
All modes currently return undefined (no additional prompts), but the infrastructure is now in place for future modes to provide custom instructions.
* feat: add slash command shipping infrastructure
- Created /slash-commands/ directory to store bundled slash commands
- Added code-review.md slash command for automated PR reviews
- Modified setup-claude-code-settings.ts to copy slash commands to ~/.claude/
- Added test coverage for slash command installation
- Commands are automatically installed when the GitHub Action runs
* fix: simplify slash command implementation to match codebase patterns
- Reverted to using Bun's $ shell syntax consistently with the rest of the codebase
- Simplified slash command copying to basic shell commands
- Removed unnecessary fs/promises complexity
- Maintained all functionality and test coverage
- More appropriate for GitHub Action context where inputs are trusted
* remove test slash command
* fix: rename slash_commands_dir to experimental_slash_commands_dir
- Added 'experimental' prefix as suggested by Ashwin
- Updated all references in action.yml and base-action
- Restored accidentally removed code-review.md file
---------
Co-authored-by: km-anthropic <km-anthropic@users.noreply.github.com>
* feat: add review mode for PR code reviews
- Add 'review' as a new execution mode in action.yml
- Use default GitHub Action token (ACTIONS_TOKEN) for review mode
- Create review mode implementation with GitHub MCP tools included by default
- Move review-specific prompt to review mode's generatePrompt method
- Add comprehensive review workflow instructions for inline comments
- Fix type safety with proper mode validation
- Keep agent mode's simple inline prompt handling
* docs: add review mode example workflow
* update sample workflow
* fix: update review mode example to use @beta tag
* fix: enable automatic triggering for review mode on PR events
* fix: export allowed tools environment variables in review mode
The GitHub MCP tools were not being properly allowed because review mode
wasn't exporting the ALLOWED_TOOLS environment variable like agent mode does.
This caused all GitHub MCP tool calls to be blocked with permission errors.
* feat: add review mode workflow for testing
* fix: use INPUT_ prefix for allowed/disallowed tools environment variables
The base action expects INPUT_ALLOWED_TOOLS and INPUT_DISALLOWED_TOOLS
(following GitHub Actions input naming convention) but we were exporting
them without the INPUT_ prefix. This was causing the tools to not be
properly allowed in the base action.
* fix: add explicit review tool names and additional workflow permissions
- Add explicit tool names in case wildcards aren't working properly
- Add statuses and checks write permissions to workflow
- Include both github and github_comment MCP server tools
* refactor: consolidate review workflows and use review mode
- Update claude-review.yml to use review mode instead of direct_prompt
- Use km-anthropic fork action
- Remove duplicate claude-review-mode.yml workflow
- Add synchronize event to review PR updates
- Update permissions for review mode (remove id-token, add pull-requests/issues write)
* feat: enhance review mode to provide detailed tracking comment summary
- Update review mode prompt to explicitly request detailed summaries
- Include issue counts, key findings, and recommendations in tracking comment
- Ensure users can see complete review overview without checking each inline comment
* Revert "refactor: consolidate review workflows and use review mode"
This reverts commit 54ca948599.
* fix: address PR review feedback for review mode
- Make generatePrompt required in Mode interface
- Implement generatePrompt in all modes (tag, agent, review)
- Remove unnecessary git/branch operations from review mode
- Restrict review mode triggers to specific PR actions
- Fix type safety issues by removing any types
- Update tests to support new Mode interface
* test: update mode registry tests to include review mode
* chore: run prettier formatting
* fix: make mode parameter required in generatePrompt function
Remove optional mode parameter since the function throws an error when mode is not provided. This makes the type signature consistent with the actual behavior.
* fix: remove last any type and update README with review mode
- Remove any type cast in review mode by using isPullRequestEvent type guard
- Add review mode documentation to README execution modes section
- Update mode parameter description in README configuration table
* mandatory bun format
* fix: improve review mode GitHub suggestion format instructions
- Add clear guidance on GitHub's suggestion block format
- Emphasize that suggestions must only replace the specific commented lines
- Add examples of correct vs incorrect suggestion formatting
- Clarify when to use multi-line comments with startLine and line parameters
- Guide on handling complex changes that require multiple modifications
This should resolve issues where suggestions aren't directly committable.
* Add missing MCP tools for experimental-review mode based on test requirements
* chore: format code
* docs: add experimental-review mode documentation with clear warnings
* docs: remove emojis from experimental-review mode documentation
* docs: clarify experimental-review mode triggers - depends on workflow configuration
* minor format update
* test: fix registry tests for experimental-review mode name change
* refactor: clean up review mode implementation based on feedback
- Remove unused parameters from generatePrompt in agent and review modes
- Keep Claude comment requirement for review mode (tracking comment)
- Add overridePrompt support to review mode
- Remove non-existent MCP tools from review mode allowed list
- Fix unused import in agent mode
These changes address all review feedback while maintaining clean code
and proper functionality.
* fix: remove redundant update_claude_comment from review mode allowed tools
The github_comment server is always included automatically, so we don't
need to explicitly list mcp__github_comment__update_claude_comment in
the allowed tools.
* feat: review mode now uses review body instead of tracking comment
- Remove tracking comment creation from review mode
- Update prompt to instruct Claude to write comprehensive review in body
- Remove comment ID requirement for review mode
- The review submission body now serves as the main review content
This makes review mode cleaner with one less comment on the PR. The
review body contains all the information that would have been in the
tracking comment.
* add back id-token: write for example
* Add PR number for context + make it mandatory to have a PR associated
* add `mcp__github__add_issue_comment` tool
* rename token
* bun format
---------
Co-authored-by: km-anthropic <km-anthropic@users.noreply.github.com>
