tmp

2026-01-24 07:24:12 +08:00 · 2025-07-15 15:51:39 -07:00
9 changed files with 47 additions and 194 deletions
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -26,7 +26,6 @@ jobs:
            - Potential bugs or issues
            - Suggestions for improvements
            - Overall architecture and design decisions
            - Documentation consistency: Verify that README.md and other documentation files are updated to reflect any code changes (especially new inputs, features, or configuration options)
            Be constructive and specific in your feedback. Give inline comments where applicable.
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -31,14 +31,9 @@ jobs:
      - name: Run Claude Code
        id: claude
-        uses: ./
+        uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          allowed_tools: "Bash(bun install),Bash(bun test:*),Bash(bun run format),Bash(bun typecheck)"
          custom_instructions: "You have also been granted tools for editing files and running bun commands (install, run, test, typecheck) for testing your changes: bun install, bun test, bun run format, bun typecheck."
          model: "claude-opus-4-20250514"
          # Test network restrictions
          allowed_domains: |
            .anthropic.com
            .github.com
            .githubusercontent.com
--- a/README.md
+++ b/README.md
@@ -165,34 +165,32 @@ jobs:
 ## Inputs
-| Input                          | Description                                                                                                          | Required | Default   |
+| Input                     | Description                                                                                                          | Required | Default   |
-| ------------------------------ | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------- | -------- | --------- |
-| `anthropic_api_key`            | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                           | No\*     | -         |
+| `anthropic_api_key`       | Anthropic API key (required for direct API, not needed for Bedrock/Vertex)                                           | No\*     | -         |
-| `claude_code_oauth_token`      | Claude Code OAuth token (alternative to anthropic_api_key)                                                           | No\*     | -         |
+| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                           | No\*     | -         |
-| `direct_prompt`                | Direct prompt for Claude to execute automatically without needing a trigger (for automated workflows)                | No       | -         |
+| `direct_prompt`           | Direct prompt for Claude to execute automatically without needing a trigger (for automated workflows)                | No       | -         |
-| `base_branch`                  | The base branch to use for creating new branches (e.g., 'main', 'develop')                                           | No       | -         |
+| `base_branch`             | The base branch to use for creating new branches (e.g., 'main', 'develop')                                           | No       | -         |
-| `max_turns`                    | Maximum number of conversation turns Claude can take (limits back-and-forth exchanges)                               | No       | -         |
+| `max_turns`               | Maximum number of conversation turns Claude can take (limits back-and-forth exchanges)                               | No       | -         |
-| `timeout_minutes`              | Timeout in minutes for execution                                                                                     | No       | `30`      |
+| `timeout_minutes`         | Timeout in minutes for execution                                                                                     | No       | `30`      |
-| `use_sticky_comment`           | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                          | No       | `false`   |
+| `use_sticky_comment`      | Use just one comment to deliver PR comments (only applies for pull_request event workflows)                          | No       | `false`   |
-| `github_token`                 | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!** | No       | -         |
+| `github_token`            | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!** | No       | -         |
-| `model`                        | Model to use (provider-specific format required for Bedrock/Vertex)                                                  | No       | -         |
+| `model`                   | Model to use (provider-specific format required for Bedrock/Vertex)                                                  | No       | -         |
-| `fallback_model`               | Enable automatic fallback to specified model when primary model is unavailable                                       | No       | -         |
+| `fallback_model`          | Enable automatic fallback to specified model when primary model is unavailable                                       | No       | -         |
-| `anthropic_model`              | **DEPRECATED**: Use `model` instead. Kept for backward compatibility.                                                | No       | -         |
+| `anthropic_model`         | **DEPRECATED**: Use `model` instead. Kept for backward compatibility.                                                | No       | -         |
-| `use_bedrock`                  | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                          | No       | `false`   |
+| `use_bedrock`             | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                          | No       | `false`   |
-| `use_vertex`                   | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                        | No       | `false`   |
+| `use_vertex`              | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                        | No       | `false`   |
-| `allowed_tools`                | Additional tools for Claude to use (the base GitHub tools will always be included)                                   | No       | ""        |
+| `allowed_tools`           | Additional tools for Claude to use (the base GitHub tools will always be included)                                   | No       | ""        |
-| `disallowed_tools`             | Tools that Claude should never use                                                                                   | No       | ""        |
+| `disallowed_tools`        | Tools that Claude should never use                                                                                   | No       | ""        |
-| `custom_instructions`          | Additional custom instructions to include in the prompt for Claude                                                   | No       | ""        |
+| `custom_instructions`     | Additional custom instructions to include in the prompt for Claude                                                   | No       | ""        |
-| `mcp_config`                   | Additional MCP configuration (JSON string) that merges with the built-in GitHub MCP servers                          | No       | ""        |
+| `mcp_config`              | Additional MCP configuration (JSON string) that merges with the built-in GitHub MCP servers                          | No       | ""        |
-| `assignee_trigger`             | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                        | No       | -         |
+| `assignee_trigger`        | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment                        | No       | -         |
-| `label_trigger`                | The label name that triggers the action when applied to an issue (e.g. "claude")                                     | No       | -         |
+| `label_trigger`           | The label name that triggers the action when applied to an issue (e.g. "claude")                                     | No       | -         |
-| `trigger_phrase`               | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                        | No       | `@claude` |
+| `trigger_phrase`          | The trigger phrase to look for in comments, issue/PR bodies, and issue titles                                        | No       | `@claude` |
-| `branch_prefix`                | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                         | No       | `claude/` |
+| `branch_prefix`           | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)                         | No       | `claude/` |
-| `claude_env`                   | Custom environment variables to pass to Claude Code execution (YAML format)                                          | No       | ""        |
+| `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML format)                                          | No       | ""        |
-| `settings`                     | Claude Code settings as JSON string or path to settings JSON file                                                    | No       | ""        |
+| `settings`                | Claude Code settings as JSON string or path to settings JSON file                                                    | No       | ""        |
-| `additional_permissions`       | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                    | No       | ""        |
+| `additional_permissions`  | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results                    | No       | ""        |
 | `experimental_allowed_domains` | Restrict network access to these domains only (newline-separated).                                                   | No       | ""        |
 | `use_commit_signing`           | Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands    | No       | `false`   |
 \*Required when using direct Anthropic API (default and when not using Bedrock or Vertex)
@@ -574,71 +572,6 @@ Use a specific Claude model:
    # ... other inputs
 ```
 ### Network Restrictions
 For enhanced security, you can restrict Claude's network access to specific domains only. This feature is particularly useful for:
 - Enterprise environments with strict security policies
 - Preventing access to external services
 - Limiting Claude to only your internal APIs and services
 When `experimental_allowed_domains` is set, Claude can only access the domains you explicitly list. You'll need to include the appropriate provider domains based on your authentication method.
 #### Provider-Specific Examples
 ##### If using Anthropic API or subscription
 ```yaml
 - uses: anthropics/claude-code-action@beta
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
    # Or: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
    experimental_allowed_domains: |
      .anthropic.com
 ```
 ##### If using AWS Bedrock
 ```yaml
 - uses: anthropics/claude-code-action@beta
  with:
    use_bedrock: "true"
    experimental_allowed_domains: |
      bedrock.*.amazonaws.com
      bedrock-runtime.*.amazonaws.com
 ```
 ##### If using Google Vertex AI
 ```yaml
 - uses: anthropics/claude-code-action@beta
  with:
    use_vertex: "true"
    experimental_allowed_domains: |
      *.googleapis.com
      vertexai.googleapis.com
 ```
 #### Common GitHub Domains
 In addition to your provider domains, you may need to include GitHub-related domains. For GitHub.com users, common domains include:
 ```yaml
 - uses: anthropics/claude-code-action@beta
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
    experimental_allowed_domains: |
      .anthropic.com  # For Anthropic API
      .github.com
      .githubusercontent.com
      ghcr.io
      .blob.core.windows.net
 ```
 For GitHub Enterprise users, replace the GitHub.com domains above with your enterprise domains (e.g., `.github.company.com`, `packages.company.com`, etc.).
 To determine which domains your workflow needs, you can temporarily run without restrictions and monitor the network requests, or check your GitHub Enterprise configuration for the specific services you use.
 ### Claude Code Settings
 You can provide Claude Code settings to customize behavior such as model selection, environment variables, permissions, and hooks. Settings can be provided either as a JSON string or a path to a settings file.
--- a/action.yml
+++ b/action.yml
@@ -100,10 +100,6 @@ inputs:
    description: "Enable commit signing using GitHub's commit signature verification. When false, Claude uses standard git commands"
    required: false
    default: "false"
  experimental_allowed_domains:
    description: "Restrict network access to these domains only (newline-separated). If not set, no restrictions are applied. Provider domains are auto-detected."
    required: false
    default: ""
 outputs:
  execution_file:
@@ -150,38 +146,6 @@ runs:
        ADDITIONAL_PERMISSIONS: ${{ inputs.additional_permissions }}
        USE_COMMIT_SIGNING: ${{ inputs.use_commit_signing }}
    - name: Setup Network Restrictions
      if: steps.prepare.outputs.contains_trigger == 'true' && inputs.experimental_allowed_domains != ''
      shell: bash
      run: |
        # Install and configure Squid proxy
        sudo apt-get update && sudo apt-get install -y squid
        echo "${{ inputs.experimental_allowed_domains }}" > $RUNNER_TEMP/whitelist.txt
        # Configure Squid
        sudo tee /etc/squid/squid.conf << EOF
        http_port 127.0.0.1:3128
        acl whitelist dstdomain "$RUNNER_TEMP/whitelist.txt"
        acl localhost src 127.0.0.1/32
        http_access allow localhost whitelist
        http_access deny all
        cache deny all
        EOF
        # Stop any existing squid instance and start with our config
        sudo squid -k shutdown || true
        sleep 2
        sudo rm -f /run/squid.pid
        sudo squid -N -d 1 &
        sleep 5
        # Set proxy environment variables
        echo "http_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
        echo "https_proxy=http://127.0.0.1:3128" >> $GITHUB_ENV
        echo "HTTP_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
        echo "HTTPS_PROXY=http://127.0.0.1:3128" >> $GITHUB_ENV
    - name: Run Claude Code
      id: claude-code
      if: steps.prepare.outputs.contains_trigger == 'true'
--- a/examples/claude.yml
+++ b/examples/claude.yml
@@ -36,12 +36,3 @@ jobs:
          # Or use OAuth token instead:
          # claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          timeout_minutes: "60"
          # Optional: Restrict network access to specific domains only
          # experimental_allowed_domains: |
          #   .anthropic.com
          #   .github.com
          #   api.github.com
          #   .githubusercontent.com
          #   bun.sh
          #   registry.npmjs.org
          #   .blob.core.windows.net
--- a/src/entrypoints/prepare.ts
+++ b/src/entrypoints/prepare.ts
@@ -91,8 +91,7 @@ async function run() {
      githubToken,
      owner: context.repository.owner,
      repo: context.repository.repo,
-      branch: branchInfo.claudeBranch || branchInfo.currentBranch,
+      branch: branchInfo.currentBranch,
      baseBranch: branchInfo.baseBranch,
      additionalMcpConfig,
      claudeCommentId: commentId.toString(),
      allowedTools: context.inputs.allowedTools,
--- a/src/mcp/github-file-ops-server.ts
+++ b/src/mcp/github-file-ops-server.ts
@@ -8,6 +8,7 @@ import { join } from "path";
 import fetch from "node-fetch";
 import { GITHUB_API_URL } from "../github/api/config";
 import { retryWithBackoff } from "../utils/retry";
 import { Octokit } from "@octokit/rest";
 type GitHubRef = {
  object: {
@@ -59,6 +60,12 @@ async function getOrCreateBranchRef(
  branch: string,
  githubToken: string,
 ): Promise<string> {
  // Create Octokit instance
  const octokit = new Octokit({
    auth: githubToken,
    baseUrl: GITHUB_API_URL,
  });
  // Try to get the branch reference
  const refUrl = `${GITHUB_API_URL}/repos/${owner}/${repo}/git/refs/heads/${branch}`;
  const refResponse = await fetch(refUrl, {
@@ -78,7 +85,8 @@ async function getOrCreateBranchRef(
    throw new Error(`Failed to get branch reference: ${refResponse.status}`);
  }
-  const baseBranch = process.env.BASE_BRANCH!;
+  // Get base branch from environment or determine it
  const baseBranch = process.env.BASE_BRANCH || "main";
  // Get the SHA of the base branch
  const baseRefUrl = `${GITHUB_API_URL}/repos/${owner}/${repo}/git/refs/heads/${baseBranch}`;
@@ -135,30 +143,19 @@ async function getOrCreateBranchRef(
    baseSha = baseRefData.object.sha;
  }
-  // Create the new branch using the same pattern as octokit
+  // Create the new branch using Octokit
-  const createRefUrl = `${GITHUB_API_URL}/repos/${owner}/${repo}/git/refs`;
+  try {
-  const createRefResponse = await fetch(createRefUrl, {
+    await octokit.rest.git.createRef({
-    method: "POST",
+      owner,
-    headers: {
+      repo,
      Accept: "application/vnd.github+json",
      Authorization: `Bearer ${githubToken}`,
      "X-GitHub-Api-Version": "2022-11-28",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      ref: `refs/heads/${branch}`,
      sha: baseSha,
-    }),
+    });
-  });
+  } catch (error) {
-
+    const errorMessage = error instanceof Error ? error.message : String(error);
-  if (!createRefResponse.ok) {
+    throw new Error(`Failed to create branch: ${errorMessage}`);
    const errorText = await createRefResponse.text();
    throw new Error(
      `Failed to create branch: ${createRefResponse.status} - ${errorText}`,
    );
  }
  console.log(`Successfully created branch ${branch}`);
  return baseSha;
 }
@@ -565,7 +562,6 @@ server.tool(
            // Only retry on 403 errors - these are the intermittent failures we're targeting
            if (updateRefResponse.status === 403) {
              console.log("Received 403 error, will retry...");
              throw error;
            }
--- a/src/mcp/install-mcp-server.ts
+++ b/src/mcp/install-mcp-server.ts
@@ -8,7 +8,6 @@ type PrepareConfigParams = {
  owner: string;
  repo: string;
  branch: string;
  baseBranch: string;
  additionalMcpConfig?: string;
  claudeCommentId?: string;
  allowedTools: string[];
@@ -55,7 +54,6 @@ export async function prepareMcpConfig(
    owner,
    repo,
    branch,
    baseBranch,
    additionalMcpConfig,
    claudeCommentId,
    allowedTools,
@@ -102,7 +100,7 @@ export async function prepareMcpConfig(
          REPO_OWNER: owner,
          REPO_NAME: repo,
          BRANCH_NAME: branch,
-          BASE_BRANCH: baseBranch,
+          BASE_BRANCH: process.env.BASE_BRANCH || "",
          REPO_DIR: process.env.GITHUB_WORKSPACE || process.cwd(),
          GITHUB_EVENT_NAME: process.env.GITHUB_EVENT_NAME || "",
          IS_PR: process.env.IS_PR || "false",
--- a/test/install-mcp-server.test.ts
+++ b/test/install-mcp-server.test.ts
@@ -88,7 +88,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: mockContext,
    });
@@ -119,7 +118,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: contextWithSigning,
    });
@@ -145,7 +143,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [
        "mcp__github__create_issue",
        "mcp__github_file_ops__commit_files",
@@ -177,7 +174,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [
        "mcp__github_file_ops__commit_files",
        "mcp__github_file_ops__update_claude_comment",
@@ -197,7 +193,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: ["Edit", "Read", "Write"],
      context: mockContext,
    });
@@ -215,7 +210,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: "",
      allowedTools: [],
      context: mockContext,
@@ -234,7 +228,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: "   \n\t  ",
      allowedTools: [],
      context: mockContext,
@@ -265,7 +258,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [
        "mcp__github__create_issue",
@@ -304,7 +296,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [
        "mcp__github__create_issue",
@@ -346,7 +337,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -367,7 +357,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: invalidJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -389,7 +378,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: nonObjectJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -414,7 +402,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: nullJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -439,7 +426,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: arrayJson,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -487,7 +473,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      additionalMcpConfig: additionalConfig,
      allowedTools: [],
      context: mockContextWithSigning,
@@ -511,7 +496,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: mockContextWithSigning,
    });
@@ -533,7 +517,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: mockContextWithSigning,
    });
@@ -562,7 +545,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: contextWithPermissions,
    });
@@ -582,7 +564,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: mockContextWithSigning,
    });
@@ -601,7 +582,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: mockPRContextWithSigning,
    });
@@ -633,7 +613,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: contextWithPermissions,
    });
@@ -662,7 +641,6 @@ describe("prepareMcpConfig", () => {
      owner: "test-owner",
      repo: "test-repo",
      branch: "test-branch",
      baseBranch: "main",
      allowedTools: [],
      context: contextWithPermissions,
    });