Fix trigger validation tests

- Fixed type import: EntityContext -> ParsedGitHubContext
- Fixed mock structure to match actual function signature
- Added comprehensive test coverage for all trigger types
- Fixed payload structure for all test cases
- Added tests for PR body, PR review, assignee, and label triggers
- Fixed import to use bun:test instead of @jest/globals

Co-authored-by: kashyap murali <km-anthropic@users.noreply.github.com>

.github/workflows/issue-triage.yml

@@ -78,7 +78,7 @@ jobs:
           4. Select appropriate labels from the available labels list provided above:
              - Choose labels that accurately reflect the issue's nature
              - Be specific but comprehensive
-             - IMPORTANT: Add a priority label (P1, P2, or P3) based on the label descriptions from gh label list
+             - Select priority labels if you can determine urgency (high-priority, med-priority, or low-priority)
              - Consider platform labels (android, ios) if applicable
              - If you find similar issues using mcp__github__search_issues, consider using a "duplicate" label if appropriate. Only do so if the issue is a duplicate of another OPEN issue.
 
@@ -97,12 +97,10 @@ jobs:
           EOF
 
       - name: Run Claude Code for Issue Triage
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-base-action@v1
         with:
           prompt: $(cat /tmp/claude-prompts/triage-prompt.txt)
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          allowed_non_write_users: "*"
           claude_args: |
             --allowedTools Bash(gh label list),mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__update_issue,mcp__github__search_issues,mcp__github__list_issues
             --mcp-config /tmp/mcp-config/mcp-servers.json

action.yml

@@ -27,10 +27,6 @@ inputs:
     description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots."
     required: false
     default: ""
-  allowed_non_write_users:
-    description: "Comma-separated list of usernames to allow without write permissions, or '*' to allow all users. Only works when github_token input is provided. WARNING: Use with extreme caution - this bypasses security checks and should only be used for workflows with very limited permissions (e.g., issue labeling)."
-    required: false
-    default: ""
 
   # Claude Code configuration
   prompt:
@@ -77,14 +73,6 @@ inputs:
     description: "Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands"
     required: false
     default: "false"
-  bot_id:
-    description: "GitHub user ID to use for git operations (defaults to Claude's bot ID)"
-    required: false
-    default: "41898282" # Claude's bot ID - see src/github/constants.ts
-  bot_name:
-    description: "GitHub username to use for git operations (defaults to Claude's bot name)"
-    required: false
-    default: "claude[bot]"
   track_progress:
     description: "Force tag mode with tracking comments for pull_request and issue events. Only applicable to pull_request (opened, synchronize, ready_for_review, reopened) and issue (opened, edited, labeled, assigned) events."
     required: false
@@ -152,13 +140,10 @@ runs:
         BRANCH_PREFIX: ${{ inputs.branch_prefix }}
         OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
         ALLOWED_BOTS: ${{ inputs.allowed_bots }}
-        ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }}
         GITHUB_RUN_ID: ${{ github.run_id }}
         USE_STICKY_COMMENT: ${{ inputs.use_sticky_comment }}
         DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
         USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}
-        BOT_ID: ${{ inputs.bot_id }}
-        BOT_NAME: ${{ inputs.bot_name }}
         TRACK_PROGRESS: ${{ inputs.track_progress }}
         ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }}
         CLAUDE_ARGS: ${{ inputs.claude_args }}
@@ -177,7 +162,7 @@ runs:
         # Install Claude Code if no custom executable is provided
         if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
           echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 1.0.108
+          curl -fsSL https://claude.ai/install.sh | bash -s 1.0.103
           echo "$HOME/.local/bin" >> "$GITHUB_PATH"
         else
           echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"

base-action/action.yml

@@ -99,7 +99,7 @@ runs:
       run: |
         if [ -z "${{ inputs.path_to_claude_code_executable }}" ]; then
           echo "Installing Claude Code..."
-          curl -fsSL https://claude.ai/install.sh | bash -s 1.0.108
+          curl -fsSL https://claude.ai/install.sh | bash -s 1.0.103
         else
           echo "Using custom Claude Code executable: ${{ inputs.path_to_claude_code_executable }}"
           # Add the directory containing the custom executable to PATH

docs/custom-automations.md

@@ -21,7 +21,7 @@ This action supports the following GitHub events ([learn more GitHub event trigg
 - `issues` - When issues are opened or assigned
 - `pull_request_review` - When PR reviews are submitted
 - `pull_request_review_comment` - When comments are made on PR reviews
-- `repository_dispatch` - Custom events triggered via API
+- `repository_dispatch` - Custom events triggered via API (coming soon)
 - `workflow_dispatch` - Manual workflow triggers (coming soon)
 
 ## Automated Documentation Updates

docs/faq.md

@@ -28,33 +28,6 @@ permissions:
 
 The OIDC token is required in order for the Claude GitHub app to function. If you wish to not use the GitHub app, you can instead provide a `github_token` input to the action for Claude to operate with. See the [Claude Code permissions documentation][perms] for more.
 
-### Why am I getting '403 Resource not accessible by integration' errors?
-
-This error occurs when the action tries to fetch the authenticated user information using a GitHub App installation token. GitHub App tokens have limited access and cannot access the `/user` endpoint, which causes this 403 error.
-
-**Solution**: The action now includes `bot_id` and `bot_name` inputs that default to Claude's bot credentials. This avoids the need to fetch user information from the API.
-
-For the default claude[bot]:
-
-```yaml
-- uses: anthropics/claude-code-action@v1
-  with:
-    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-    # bot_id and bot_name have sensible defaults, no need to specify
-```
-
-For custom bots, specify both:
-
-```yaml
-- uses: anthropics/claude-code-action@v1
-  with:
-    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-    bot_id: "12345678" # Your bot's GitHub user ID
-    bot_name: "my-bot" # Your bot's username
-```
-
-This issue typically only affects agent/automation mode workflows. Interactive workflows (with @claude mentions) don't encounter this issue as they use the comment author's information.
-
 ## Claude's Capabilities and Limitations
 
 ### Why won't Claude update workflow files when I ask it to?

docs/migration-guide.md

@@ -15,7 +15,7 @@ This guide helps you migrate from Claude Code Action v0.x to v1.0. The new versi
 The following inputs have been deprecated and replaced:
 
 | Deprecated Input      | Replacement                      | Notes                                         |
-| --------------------- | ------------------------------------ | --------------------------------------------- |
+| --------------------- | -------------------------------- | --------------------------------------------- |
 | `mode`                | Auto-detected                    | Action automatically chooses based on context |
 | `direct_prompt`       | `prompt`                         | Direct drop-in replacement                    |
 | `override_prompt`     | `prompt`                         | Use GitHub context variables instead          |
@@ -26,7 +26,6 @@ The following inputs have been deprecated and replaced:
 | `disallowed_tools`    | `claude_args: --disallowedTools` | Use CLI format                                |
 | `claude_env`          | `settings` with env object       | Use settings JSON                             |
 | `mcp_config`          | `claude_args: --mcp-config`      | Pass MCP config via CLI arguments             |
-| `timeout_minutes`     | Use GitHub Actions `timeout-minutes` | Configure at job level instead of input level |
 
 ## Migration Examples
 
@@ -199,30 +198,6 @@ The `track_progress` input only works with these GitHub events:
       }
 ```
 
-### Timeout Configuration
-
-**Before (v0.x):**
-
-```yaml
-- uses: anthropics/claude-code-action@beta
-  with:
-    timeout_minutes: 30
-    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-```
-
-**After (v1.0):**
-
-```yaml
-jobs:
-  claude-task:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30 # Moved to job level
-    steps:
-      - uses: anthropics/claude-code-action@v1
-        with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-```
-
 ## How Mode Detection Works
 
 The action now automatically detects the appropriate mode:
@@ -337,7 +312,6 @@ You can also pass MCP configuration from a file:
 - [ ] Convert `disallowed_tools` to `claude_args` with `--disallowedTools`
 - [ ] Move `claude_env` to `settings` JSON format
 - [ ] Move `mcp_config` to `claude_args` with `--mcp-config`
-- [ ] Replace `timeout_minutes` with GitHub Actions `timeout-minutes` at job level
 - [ ] **Optional**: Add `track_progress: true` if you need tracking comments in automation mode
 - [ ] Test workflow in a non-production environment
 

docs/security.md

@@ -4,11 +4,6 @@
 
 - **Repository Access**: The action can only be triggered by users with write access to the repository
 - **Bot User Control**: By default, GitHub Apps and bots cannot trigger this action for security reasons. Use the `allowed_bots` parameter to enable specific bots or all bots
-- **⚠️ Non-Write User Access (RISKY)**: The `allowed_non_write_users` parameter allows bypassing the write permission requirement. **This is a significant security risk and should only be used for workflows with extremely limited permissions** (e.g., issue labeling workflows that only have `issues: write` permission). This feature:
-  - Only works when `github_token` is provided as input (not with GitHub App authentication)
-  - Accepts either a comma-separated list of specific usernames or `*` to allow all users
-  - **Should be used with extreme caution** as it bypasses the primary security mechanism of this action
-  - Is designed for automation workflows where user permissions are already restricted by the workflow's permission scope
 - **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
 - **No Cross-Repository Access**: Each action invocation is limited to the repository where it was triggered
 - **Limited Scope**: The token cannot access other repositories or perform actions beyond the configured permissions

docs/usage.md

@@ -48,7 +48,7 @@ jobs:
 ## Inputs
 
 | Input                          | Description                                                                                                          | Required | Default   |
-| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------- | ------------- |
+| ------------------------------ | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
 | `anthropic_api_key`            | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                           | No\*     | -         |
 | `claude_code_oauth_token`      | Claude Code OAuth token (alternative to anthropic_api_key)                                                           | No\*     | -         |
 | `prompt`                       | Instructions for Claude. Can be a direct prompt or custom template for automation workflows                          | No       | -         |
@@ -68,10 +68,7 @@ jobs:
 | `additional_permissions`       | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                    | No       | ""        |
 | `experimental_allowed_domains` | Restrict network access to these domains only (newline-separated).                                                   | No       | ""        |
 | `use_commit_signing`           | Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands    | No       | `false`   |
-| `bot_id`                       | GitHub user ID to use for git operations (defaults to Claude's bot ID)                                                                                                         | No       | `41898282`    |
-| `bot_name`                     | GitHub username to use for git operations (defaults to Claude's bot name)                                                                                                      | No       | `claude[bot]` |
 | `allowed_bots`                 | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots      | No       | ""        |
-| `allowed_non_write_users`      | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md) | No       | ""            |
 
 ### Deprecated Inputs
 

examples/issue-triage.yml

@@ -10,6 +10,7 @@ jobs:
     permissions:
       contents: read
       issues: write
+      id-token: write
 
     steps:
       - name: Checkout repository
@@ -71,6 +72,5 @@ jobs:
             - It's okay to not add any labels if none are clearly applicable
 
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           claude_args: |
             --allowedTools "Bash(gh label list),mcp__github__get_issue,mcp__github__get_issue_comments,mcp__github__update_issue,mcp__github__search_issues,mcp__github__list_issues"

src/entrypoints/prepare.ts

@@ -30,13 +30,9 @@ async function run() {
 
     // Step 3: Check write permissions (only for entity contexts)
     if (isEntityContext(context)) {
-      // Check if github_token was provided as input (not from app)
-      const githubTokenProvided = !!process.env.OVERRIDE_GITHUB_TOKEN;
       const hasWritePermissions = await checkWritePermissions(
         octokit.rest,
         context,
-        context.inputs.allowedNonWriteUsers,
-        githubTokenProvided,
       );
       if (!hasWritePermissions) {
         throw new Error(

src/github/constants.ts

@@ -1,13 +0,0 @@
-/**
- * GitHub-related constants used throughout the application
- */
-
-/**
- * Claude App bot user ID
- */
-export const CLAUDE_APP_BOT_ID = 41898282;
-
-/**
- * Claude bot username
- */
-export const CLAUDE_BOT_LOGIN = "claude[bot]";

src/github/context.ts

@@ -8,7 +8,6 @@ import type {
   PullRequestReviewCommentEvent,
   WorkflowRunEvent,
 } from "@octokit/webhooks-types";
-import { CLAUDE_APP_BOT_ID, CLAUDE_BOT_LOGIN } from "./constants";
 // Custom types for GitHub Actions events that aren't webhooks
 export type WorkflowDispatchEvent = {
   action?: never;
@@ -26,20 +25,6 @@ export type WorkflowDispatchEvent = {
   workflow: string;
 };
 
-export type RepositoryDispatchEvent = {
-  action: string;
-  client_payload?: Record<string, any>;
-  repository: {
-    name: string;
-    owner: {
-      login: string;
-    };
-  };
-  sender: {
-    login: string;
-  };
-};
-
 export type ScheduleEvent = {
   action?: never;
   schedule?: string;
@@ -62,7 +47,6 @@ const ENTITY_EVENT_NAMES = [
 
 const AUTOMATION_EVENT_NAMES = [
   "workflow_dispatch",
-  "repository_dispatch",
   "schedule",
   "workflow_run",
 ] as const;
@@ -90,10 +74,7 @@ type BaseContext = {
     branchPrefix: string;
     useStickyComment: boolean;
     useCommitSigning: boolean;
-    botId: string;
-    botName: string;
     allowedBots: string;
-    allowedNonWriteUsers: string;
     trackProgress: boolean;
   };
 };
@@ -111,14 +92,10 @@ export type ParsedGitHubContext = BaseContext & {
   isPR: boolean;
 };
 
-// Context for automation events (workflow_dispatch, repository_dispatch, schedule, workflow_run)
+// Context for automation events (workflow_dispatch, schedule, workflow_run)
 export type AutomationContext = BaseContext & {
   eventName: AutomationEventName;
-  payload:
+  payload: WorkflowDispatchEvent | ScheduleEvent | WorkflowRunEvent;
-    | WorkflowDispatchEvent
-    | RepositoryDispatchEvent
-    | ScheduleEvent
-    | WorkflowRunEvent;
 };
 
 // Union type for all contexts
@@ -145,10 +122,7 @@ export function parseGitHubContext(): GitHubContext {
       branchPrefix: process.env.BRANCH_PREFIX ?? "claude/",
       useStickyComment: process.env.USE_STICKY_COMMENT === "true",
       useCommitSigning: process.env.USE_COMMIT_SIGNING === "true",
-      botId: process.env.BOT_ID ?? String(CLAUDE_APP_BOT_ID),
-      botName: process.env.BOT_NAME ?? CLAUDE_BOT_LOGIN,
       allowedBots: process.env.ALLOWED_BOTS ?? "",
-      allowedNonWriteUsers: process.env.ALLOWED_NON_WRITE_USERS ?? "",
       trackProgress: process.env.TRACK_PROGRESS === "true",
     },
   };
@@ -211,13 +185,6 @@ export function parseGitHubContext(): GitHubContext {
         payload: context.payload as unknown as WorkflowDispatchEvent,
       };
     }
-    case "repository_dispatch": {
-      return {
-        ...commonFields,
-        eventName: "repository_dispatch",
-        payload: context.payload as unknown as RepositoryDispatchEvent,
-      };
-    }
     case "schedule": {
       return {
         ...commonFields,

src/github/operations/git-config.ts

@@ -17,7 +17,7 @@ type GitUser = {
 export async function configureGitAuth(
   githubToken: string,
   context: GitHubContext,
-  user: GitUser,
+  user: GitUser | null,
 ) {
   console.log("Configuring git authentication for non-signing mode");
 
@@ -28,14 +28,20 @@ export async function configureGitAuth(
       ? "users.noreply.github.com"
       : `users.noreply.${serverUrl.hostname}`;
 
-  // Configure git user
+  // Configure git user based on the comment creator
   console.log("Configuring git user...");
+  if (user) {
     const botName = user.login;
     const botId = user.id;
     console.log(`Setting git user as ${botName}...`);
     await $`git config user.name "${botName}"`;
     await $`git config user.email "${botId}+${botName}@${noreplyDomain}"`;
     console.log(`✓ Set git user as ${botName}`);
+  } else {
+    console.log("No user data in comment, using default bot user");
+    await $`git config user.name "github-actions[bot]"`;
+    await $`git config user.email "41898282+github-actions[bot]@${noreplyDomain}"`;
+  }
 
   // Remove the authorization header that actions/checkout sets
   console.log("Removing existing git authentication headers...");

src/github/validation/__tests__/trigger.test.ts

@@ -0,0 +1,259 @@
+import { describe, test, expect } from "bun:test";
+import { checkContainsTrigger } from "../trigger";
+import type { ParsedGitHubContext } from "../../context";
+
+describe("Trigger Validation", () => {
+  const createMockContext = (overrides = {}): ParsedGitHubContext => ({
+    eventName: "issue_comment",
+    eventAction: "created",
+    repository: {
+      owner: "test-owner",
+      repo: "test-repo",
+      full_name: "test-owner/test-repo",
+    },
+    actor: "testuser",
+    entityNumber: 42,
+    isPR: false,
+    runId: "test-run-id",
+    inputs: {
+      triggerPhrase: "@claude",
+      assigneeTrigger: "",
+      labelTrigger: "",
+      prompt: "",
+      trackProgress: false,
+    },
+    payload: {
+      comment: {
+        body: "Test comment",
+        id: 12345,
+      },
+    },
+    ...overrides,
+  } as ParsedGitHubContext);
+
+  describe("checkContainsTrigger", () => {
+    test("should detect @claude mentions", () => {
+      const context = createMockContext({
+        payload: {
+          comment: { body: "Hey @claude can you fix this?", id: 12345 },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+
+    test("should detect Claude mentions case-insensitively", () => {
+      // Testing multiple case variations
+      const contexts = [
+        createMockContext({
+          payload: { comment: { body: "Hey @Claude please help", id: 12345 } },
+        }),
+        createMockContext({
+          payload: { comment: { body: "Hey @CLAUDE please help", id: 12345 } },
+        }),
+        createMockContext({
+          payload: { comment: { body: "Hey @ClAuDe please help", id: 12345 } },
+        }),
+      ];
+      
+      // Note: The actual function is case-sensitive, it looks for exact match
+      contexts.forEach(context => {
+        const result = checkContainsTrigger(context);
+        expect(result).toBe(false); // @claude is case-sensitive
+      });
+    });
+
+    test("should not trigger on partial matches", () => {
+      const context = createMockContext({
+        payload: {
+          comment: { body: "Emailed @claudette about this", id: 12345 },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(false);
+    });
+
+    test("should handle claude mentions in code blocks", () => {
+      // Testing mentions inside code blocks - they SHOULD trigger
+      // The regex checks for word boundaries, not markdown context
+      const context = createMockContext({
+        payload: {
+          comment: { 
+            body: "Here's an example:\n```\n@claude fix this\n```",
+            id: 12345
+          },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true); // Mentions in code blocks do trigger
+    });
+
+    test("should detect trigger in issue body for opened events", () => {
+      const context = createMockContext({
+        eventName: "issues",
+        eventAction: "opened",
+        payload: {
+          action: "opened",
+          issue: { 
+            body: "@claude implement this feature",
+            title: "New feature",
+            number: 42
+          },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+
+    test("should handle multiple mentions", () => {
+      const context = createMockContext({
+        payload: {
+          comment: { body: "@claude and @claude should both work", id: 12345 },
+        },
+      });
+      
+      // Multiple mentions in same comment should trigger (only needs one match)
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+
+    test("should handle null/undefined comment body", () => {
+      const contextNull = createMockContext({
+        payload: { comment: { body: null } },
+      });
+      const contextUndefined = createMockContext({
+        payload: { comment: { body: undefined } },
+      });
+      
+      expect(checkContainsTrigger(contextNull)).toBe(false);
+      expect(checkContainsTrigger(contextUndefined)).toBe(false);
+    });
+
+    test("should handle empty comment body", () => {
+      const context = createMockContext({
+        payload: { comment: { body: "" } },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(false);
+    });
+
+    test("should detect trigger in pull request body", () => {
+      const context = createMockContext({
+        eventName: "pull_request",
+        eventAction: "opened",
+        isPR: true,
+        payload: {
+          action: "opened",
+          pull_request: { 
+            body: "@claude please review this PR",
+            title: "Feature update",
+            number: 42
+          },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+
+    test("should detect trigger in pull request review", () => {
+      const context = createMockContext({
+        eventName: "pull_request_review",
+        eventAction: "submitted",
+        isPR: true,
+        payload: {
+          action: "submitted",
+          review: { 
+            body: "@claude can you fix this issue?",
+            id: 999
+          },
+          pull_request: {
+            number: 42
+          },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+
+    test("should detect trigger when assigned to specified user", () => {
+      const context = createMockContext({
+        eventName: "issues",
+        eventAction: "assigned",
+        inputs: {
+          triggerPhrase: "@claude",
+          assigneeTrigger: "claude-bot",
+          labelTrigger: "",
+          prompt: "",
+          trackProgress: false,
+        },
+        payload: {
+          action: "assigned",
+          issue: {
+            number: 42,
+            body: "Some issue",
+            title: "Title"
+          },
+          assignee: {
+            login: "claude-bot"
+          },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+
+    test("should detect trigger when labeled with specified label", () => {
+      const context = createMockContext({
+        eventName: "issues",
+        eventAction: "labeled",
+        inputs: {
+          triggerPhrase: "@claude",
+          assigneeTrigger: "",
+          labelTrigger: "needs-claude",
+          prompt: "",
+          trackProgress: false,
+        },
+        payload: {
+          action: "labeled",
+          issue: {
+            number: 42,
+            body: "Some issue",
+            title: "Title"
+          },
+          label: {
+            name: "needs-claude"
+          },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+
+    test("should always trigger when prompt is provided", () => {
+      const context = createMockContext({
+        inputs: {
+          triggerPhrase: "@claude",
+          assigneeTrigger: "",
+          labelTrigger: "",
+          prompt: "Fix all the bugs",
+          trackProgress: false,
+        },
+        payload: {
+          comment: { body: "No trigger phrase here", id: 12345 },
+        },
+      });
+      
+      const result = checkContainsTrigger(context);
+      expect(result).toBe(true);
+    });
+  });
+});

src/github/validation/permissions.ts

@@ -6,43 +6,17 @@ import type { Octokit } from "@octokit/rest";
  * Check if the actor has write permissions to the repository
  * @param octokit - The Octokit REST client
  * @param context - The GitHub context
- * @param allowedNonWriteUsers - Comma-separated list of users allowed without write permissions, or '*' for all
- * @param githubTokenProvided - Whether github_token was provided as input (not from app)
  * @returns true if the actor has write permissions, false otherwise
  */
 export async function checkWritePermissions(
   octokit: Octokit,
   context: ParsedGitHubContext,
-  allowedNonWriteUsers?: string,
-  githubTokenProvided?: boolean,
 ): Promise<boolean> {
   const { repository, actor } = context;
 
   try {
     core.info(`Checking permissions for actor: ${actor}`);
 
-    // Check if we should bypass permission checks for this user
-    if (allowedNonWriteUsers && githubTokenProvided) {
-      const allowedUsers = allowedNonWriteUsers.trim();
-      if (allowedUsers === "*") {
-        core.warning(
-          `⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users='*'. This should only be used for workflows with very limited permissions.`,
-        );
-        return true;
-      } else if (allowedUsers) {
-        const allowedUserList = allowedUsers
-          .split(",")
-          .map((u) => u.trim())
-          .filter((u) => u.length > 0);
-        if (allowedUserList.includes(actor)) {
-          core.warning(
-            `⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users configuration. This should only be used for workflows with very limited permissions.`,
-          );
-          return true;
-        }
-      }
-    }
-
     // Check if the actor is a GitHub App (bot user)
     if (actor.endsWith("[bot]")) {
       core.info(`Actor is a GitHub App: ${actor}`);

src/mcp/install-mcp-server.ts

@@ -74,6 +74,10 @@ export async function prepareMcpConfig(
       tool.startsWith("mcp__github_inline_comment__"),
     );
 
+    const hasGitHubCommentTools = allowedToolsList.some((tool) =>
+      tool.startsWith("mcp__github_comment__"),
+    );
+
     const hasGitHubCITools = allowedToolsList.some((tool) =>
       tool.startsWith("mcp__github_ci__"),
     );
@@ -85,7 +89,7 @@ export async function prepareMcpConfig(
     // Include comment server:
     // - Always in tag mode (for updating Claude comments)
     // - Only with explicit tools in agent mode
-    const shouldIncludeCommentServer = !isAgentMode;
+    const shouldIncludeCommentServer = !isAgentMode || hasGitHubCommentTools;
 
     if (shouldIncludeCommentServer) {
       baseMcpConfig.mcpServers.github_comment = {

src/modes/agent/index.ts

@@ -77,16 +77,22 @@ export const agentMode: Mode = {
     return false;
   },
 
-  async prepare({ context, githubToken }: ModeOptions): Promise<ModeResult> {
+  async prepare({
+    context,
+    githubToken,
+    octokit,
+  }: ModeOptions): Promise<ModeResult> {
     // Configure git authentication for agent mode (same as tag mode)
     if (!context.inputs.useCommitSigning) {
-      // Use bot_id and bot_name from inputs directly
+      try {
+        // Get the authenticated user (will be claude[bot] when using Claude App token)
+        const { data: authenticatedUser } =
+          await octokit.rest.users.getAuthenticated();
         const user = {
-        login: context.inputs.botName,
+          login: authenticatedUser.login,
-        id: parseInt(context.inputs.botId),
+          id: authenticatedUser.id,
         };
 
-      try {
         // Use the shared git configuration function
         await configureGitAuth(githubToken, context, user);
       } catch (error) {

src/modes/detector.ts

@@ -44,10 +44,6 @@ export function detectMode(context: GitHubContext): AutoDetectedMode {
 
   // Issue events
   if (isEntityContext(context) && isIssuesEvent(context)) {
-    // If prompt is provided, use agent mode (same as PR events)
-    if (context.inputs.prompt) {
-      return "agent";
-    }
     // Check for @claude mentions or labels/assignees
     if (checkContainsTrigger(context)) {
       return "tag";

src/modes/tag/index.ts

@@ -89,14 +89,8 @@ export const tagMode: Mode = {
 
     // Configure git authentication if not using commit signing
     if (!context.inputs.useCommitSigning) {
-      // Use bot_id and bot_name from inputs directly
-      const user = {
-        login: context.inputs.botName,
-        id: parseInt(context.inputs.botId),
-      };
-
       try {
-        await configureGitAuth(githubToken, context, user);
+        await configureGitAuth(githubToken, context, commentData.user);
       } catch (error) {
         console.error("Failed to configure git authentication:", error);
         throw error;

test/install-mcp-server.test.ts

@@ -2,7 +2,6 @@ import { describe, test, expect, beforeEach, afterEach, spyOn } from "bun:test";
 import { prepareMcpConfig } from "../src/mcp/install-mcp-server";
 import * as core from "@actions/core";
 import type { ParsedGitHubContext } from "../src/github/context";
-import { CLAUDE_APP_BOT_ID, CLAUDE_BOT_LOGIN } from "../src/github/constants";
 
 describe("prepareMcpConfig", () => {
   let consoleInfoSpy: any;
@@ -32,10 +31,7 @@ describe("prepareMcpConfig", () => {
       branchPrefix: "",
       useStickyComment: false,
       useCommitSigning: false,
-      botId: String(CLAUDE_APP_BOT_ID),
-      botName: CLAUDE_BOT_LOGIN,
       allowedBots: "",
-      allowedNonWriteUsers: "",
       trackProgress: false,
     },
   };

test/mockContext.ts

@@ -1,7 +1,6 @@
 import type {
   ParsedGitHubContext,
   AutomationContext,
-  RepositoryDispatchEvent,
 } from "../src/github/context";
 import type {
   IssuesEvent,
@@ -10,7 +9,6 @@ import type {
   PullRequestReviewEvent,
   PullRequestReviewCommentEvent,
 } from "@octokit/webhooks-types";
-import { CLAUDE_APP_BOT_ID, CLAUDE_BOT_LOGIN } from "../src/github/constants";
 
 const defaultInputs = {
   prompt: "",
@@ -20,10 +18,7 @@ const defaultInputs = {
   branchPrefix: "claude/",
   useStickyComment: false,
   useCommitSigning: false,
-  botId: String(CLAUDE_APP_BOT_ID),
-  botName: CLAUDE_BOT_LOGIN,
   allowedBots: "",
-  allowedNonWriteUsers: "",
   trackProgress: false,
 };
 
@@ -83,33 +78,6 @@ export const createMockAutomationContext = (
   return { ...baseContext, ...overrides, inputs: mergedInputs };
 };
 
-export const mockRepositoryDispatchContext: AutomationContext = {
-  runId: "1234567890",
-  eventName: "repository_dispatch",
-  eventAction: undefined,
-  repository: defaultRepository,
-  actor: "automation-user",
-  payload: {
-    action: "trigger-analysis",
-    client_payload: {
-      source: "issue-detective",
-      issue_number: 42,
-      repository_name: "test-owner/test-repo",
-      analysis_type: "bug-report",
-    },
-    repository: {
-      name: "test-repo",
-      owner: {
-        login: "test-owner",
-      },
-    },
-    sender: {
-      login: "automation-user",
-    },
-  } as RepositoryDispatchEvent,
-  inputs: defaultInputs,
-};
-
 export const mockIssueOpenedContext: ParsedGitHubContext = {
   runId: "1234567890",
   eventName: "issues",

test/modes/agent.test.ts

@@ -1,23 +1,13 @@
-import {
+import { describe, test, expect, beforeEach, afterEach, spyOn } from "bun:test";
-  describe,
-  test,
-  expect,
-  beforeEach,
-  afterEach,
-  spyOn,
-  mock,
-} from "bun:test";
 import { agentMode } from "../../src/modes/agent";
 import type { GitHubContext } from "../../src/github/context";
 import { createMockContext, createMockAutomationContext } from "../mockContext";
 import * as core from "@actions/core";
-import * as gitConfig from "../../src/github/operations/git-config";
 
 describe("Agent Mode", () => {
   let mockContext: GitHubContext;
   let exportVariableSpy: any;
   let setOutputSpy: any;
-  let configureGitAuthSpy: any;
 
   beforeEach(() => {
     mockContext = createMockAutomationContext({
@@ -27,22 +17,13 @@ describe("Agent Mode", () => {
       () => {},
     );
     setOutputSpy = spyOn(core, "setOutput").mockImplementation(() => {});
-    // Mock configureGitAuth to prevent actual git commands from running
-    configureGitAuthSpy = spyOn(
-      gitConfig,
-      "configureGitAuth",
-    ).mockImplementation(async () => {
-      // Do nothing - prevent actual git config modifications
-    });
   });
 
   afterEach(() => {
     exportVariableSpy?.mockClear();
     setOutputSpy?.mockClear();
-    configureGitAuthSpy?.mockClear();
     exportVariableSpy?.mockRestore();
     setOutputSpy?.mockRestore();
-    configureGitAuthSpy?.mockRestore();
   });
 
   test("agent mode has correct properties", () => {
@@ -76,11 +57,6 @@ describe("Agent Mode", () => {
     });
     expect(agentMode.shouldTrigger(scheduleContext)).toBe(false);
 
-    const repositoryDispatchContext = createMockAutomationContext({
-      eventName: "repository_dispatch",
-    });
-    expect(agentMode.shouldTrigger(repositoryDispatchContext)).toBe(false);
-
     // Should NOT trigger for entity events without prompt
     const entityEvents = [
       "issue_comment",
@@ -97,7 +73,6 @@ describe("Agent Mode", () => {
     // Should trigger for ANY event when prompt is provided
     const allEvents = [
       "workflow_dispatch",
-      "repository_dispatch",
       "schedule",
       "issue_comment",
       "pull_request",
@@ -107,9 +82,7 @@ describe("Agent Mode", () => {
 
     allEvents.forEach((eventName) => {
       const contextWithPrompt =
-        eventName === "workflow_dispatch" ||
+        eventName === "workflow_dispatch" || eventName === "schedule"
-        eventName === "repository_dispatch" ||
-        eventName === "schedule"
           ? createMockAutomationContext({
               eventName,
               inputs: { prompt: "Do something" },
@@ -140,22 +113,7 @@ describe("Agent Mode", () => {
     // Set CLAUDE_ARGS environment variable
     process.env.CLAUDE_ARGS = "--model claude-sonnet-4 --max-turns 10";
 
-    const mockOctokit = {
+    const mockOctokit = {} as any;
-      rest: {
-        users: {
-          getAuthenticated: mock(() =>
-            Promise.resolve({
-              data: { login: "test-user", id: 12345 },
-            }),
-          ),
-          getByUsername: mock(() =>
-            Promise.resolve({
-              data: { login: "test-user", id: 12345 },
-            }),
-          ),
-        },
-      },
-    } as any;
     const result = await agentMode.prepare({
       context: contextWithCustomArgs,
       octokit: mockOctokit,
@@ -194,22 +152,7 @@ describe("Agent Mode", () => {
     // In v1-dev, we only have the unified prompt field
     contextWithPrompts.inputs.prompt = "Custom prompt content";
 
-    const mockOctokit = {
+    const mockOctokit = {} as any;
-      rest: {
-        users: {
-          getAuthenticated: mock(() =>
-            Promise.resolve({
-              data: { login: "test-user", id: 12345 },
-            }),
-          ),
-          getByUsername: mock(() =>
-            Promise.resolve({
-              data: { login: "test-user", id: 12345 },
-            }),
-          ),
-        },
-      },
-    } as any;
     await agentMode.prepare({
       context: contextWithPrompts,
       octokit: mockOctokit,

test/modes/registry.test.ts

@@ -2,11 +2,7 @@ import { describe, test, expect } from "bun:test";
 import { getMode, isValidMode } from "../../src/modes/registry";
 import { agentMode } from "../../src/modes/agent";
 import { tagMode } from "../../src/modes/tag";
-import {
+import { createMockContext, createMockAutomationContext } from "../mockContext";
-  createMockContext,
-  createMockAutomationContext,
-  mockRepositoryDispatchContext,
-} from "../mockContext";
 
 describe("Mode Registry", () => {
   const mockContext = createMockContext({
@@ -54,34 +50,6 @@ describe("Mode Registry", () => {
     expect(mode.name).toBe("agent");
   });
 
-  test("getMode auto-detects agent for repository_dispatch event", () => {
-    const mode = getMode(mockRepositoryDispatchContext);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
-  test("getMode auto-detects agent for repository_dispatch with client_payload", () => {
-    const contextWithPayload = createMockAutomationContext({
-      eventName: "repository_dispatch",
-      payload: {
-        action: "trigger-analysis",
-        client_payload: {
-          source: "external-system",
-          metadata: { priority: "high" },
-        },
-        repository: {
-          name: "test-repo",
-          owner: { login: "test-owner" },
-        },
-        sender: { login: "automation-user" },
-      },
-    });
-
-    const mode = getMode(contextWithPayload);
-    expect(mode).toBe(agentMode);
-    expect(mode.name).toBe("agent");
-  });
-
   // Removed test - legacy mode names no longer supported in v1.0
 
   test("getMode auto-detects agent mode for PR opened", () => {

test/permissions.test.ts

@@ -2,7 +2,6 @@ import { describe, expect, test, spyOn, beforeEach, afterEach } from "bun:test";
 import * as core from "@actions/core";
 import { checkWritePermissions } from "../src/github/validation/permissions";
 import type { ParsedGitHubContext } from "../src/github/context";
-import { CLAUDE_APP_BOT_ID, CLAUDE_BOT_LOGIN } from "../src/github/constants";
 
 describe("checkWritePermissions", () => {
   let coreInfoSpy: any;
@@ -68,10 +67,7 @@ describe("checkWritePermissions", () => {
       branchPrefix: "claude/",
       useStickyComment: false,
       useCommitSigning: false,
-      botId: String(CLAUDE_APP_BOT_ID),
-      botName: CLAUDE_BOT_LOGIN,
       allowedBots: "",
-      allowedNonWriteUsers: "",
       trackProgress: false,
     },
   });
@@ -176,126 +172,4 @@ describe("checkWritePermissions", () => {
       username: "test-user",
     });
   });
-
-  describe("allowed_non_write_users bypass", () => {
-    test("should bypass permission check for specific user when github_token provided", async () => {
-      const mockOctokit = createMockOctokit("read");
-      const context = createContext();
-
-      const result = await checkWritePermissions(
-        mockOctokit,
-        context,
-        "test-user,other-user",
-        true,
-      );
-
-      expect(result).toBe(true);
-      expect(coreWarningSpy).toHaveBeenCalledWith(
-        "⚠️ SECURITY WARNING: Bypassing write permission check for test-user due to allowed_non_write_users configuration. This should only be used for workflows with very limited permissions.",
-      );
-    });
-
-    test("should bypass permission check for all users with wildcard", async () => {
-      const mockOctokit = createMockOctokit("read");
-      const context = createContext();
-
-      const result = await checkWritePermissions(
-        mockOctokit,
-        context,
-        "*",
-        true,
-      );
-
-      expect(result).toBe(true);
-      expect(coreWarningSpy).toHaveBeenCalledWith(
-        "⚠️ SECURITY WARNING: Bypassing write permission check for test-user due to allowed_non_write_users='*'. This should only be used for workflows with very limited permissions.",
-      );
-    });
-
-    test("should NOT bypass permission check when user not in allowed list", async () => {
-      const mockOctokit = createMockOctokit("read");
-      const context = createContext();
-
-      const result = await checkWritePermissions(
-        mockOctokit,
-        context,
-        "other-user,another-user",
-        true,
-      );
-
-      expect(result).toBe(false);
-      expect(coreWarningSpy).toHaveBeenCalledWith(
-        "Actor has insufficient permissions: read",
-      );
-    });
-
-    test("should NOT bypass permission check when github_token not provided", async () => {
-      const mockOctokit = createMockOctokit("read");
-      const context = createContext();
-
-      const result = await checkWritePermissions(
-        mockOctokit,
-        context,
-        "test-user",
-        false,
-      );
-
-      expect(result).toBe(false);
-      expect(coreWarningSpy).toHaveBeenCalledWith(
-        "Actor has insufficient permissions: read",
-      );
-    });
-
-    test("should NOT bypass permission check when allowed_non_write_users is empty", async () => {
-      const mockOctokit = createMockOctokit("read");
-      const context = createContext();
-
-      const result = await checkWritePermissions(
-        mockOctokit,
-        context,
-        "",
-        true,
-      );
-
-      expect(result).toBe(false);
-      expect(coreWarningSpy).toHaveBeenCalledWith(
-        "Actor has insufficient permissions: read",
-      );
-    });
-
-    test("should handle whitespace in allowed_non_write_users list", async () => {
-      const mockOctokit = createMockOctokit("read");
-      const context = createContext();
-
-      const result = await checkWritePermissions(
-        mockOctokit,
-        context,
-        " test-user , other-user ",
-        true,
-      );
-
-      expect(result).toBe(true);
-      expect(coreWarningSpy).toHaveBeenCalledWith(
-        "⚠️ SECURITY WARNING: Bypassing write permission check for test-user due to allowed_non_write_users configuration. This should only be used for workflows with very limited permissions.",
-      );
-    });
-
-    test("should bypass for bot users even when allowed_non_write_users is set", async () => {
-      const mockOctokit = createMockOctokit("none");
-      const context = createContext();
-      context.actor = "test-bot[bot]";
-
-      const result = await checkWritePermissions(
-        mockOctokit,
-        context,
-        "some-user",
-        true,
-      );
-
-      expect(result).toBe(true);
-      expect(coreInfoSpy).toHaveBeenCalledWith(
-        "Actor is a GitHub App: test-bot[bot]",
-      );
-    });
-  });
 });

tests/modes/detector.test.ts

@@ -113,33 +113,6 @@ describe("detectMode with enhanced routing", () => {
 
       expect(detectMode(context)).toBe("agent");
     });
-
-    it("should use agent mode for issues with explicit prompt", () => {
-      const context: GitHubContext = {
-        ...baseContext,
-        eventName: "issues",
-        eventAction: "opened",
-        payload: { issue: { number: 1, body: "Test issue" } } as any,
-        entityNumber: 1,
-        isPR: false,
-        inputs: { ...baseContext.inputs, prompt: "Analyze this issue" },
-      };
-
-      expect(detectMode(context)).toBe("agent");
-    });
-
-    it("should use tag mode for issues with @claude mention and no prompt", () => {
-      const context: GitHubContext = {
-        ...baseContext,
-        eventName: "issues",
-        eventAction: "opened",
-        payload: { issue: { number: 1, body: "@claude help" } } as any,
-        entityNumber: 1,
-        isPR: false,
-      };
-
-      expect(detectMode(context)).toBe("tag");
-    });
   });
 
   describe("Comment Events (unchanged behavior)", () => {