mirror of
https://github.com/anthropics/claude-code-action.git
synced 2026-01-26 00:34:13 +08:00
Compare commits
10 Commits
claude/sla
...
claude/aut
| Author | SHA1 | Date | |
|---|---|---|---|
|
0085208689 | ||
|
|
4778aeae4c | ||
|
|
b6e5a9f27a | ||
|
|
5d91d7d217 | ||
|
|
90006bcae7 | ||
|
|
005436f51d | ||
|
|
1b8ee3b941 | ||
|
|
c247cb152d | ||
|
|
cefa60067a | ||
|
|
7a708f68fa |
1
.github/workflows/issue-triage.yml
vendored
1
.github/workflows/issue-triage.yml
vendored
@@ -24,4 +24,5 @@ jobs:
|
||||
prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER${{ github.event.issue.number }}"
|
||||
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
|
||||
bypass_write_permission_check_acknowledgment: true # Required when using wildcard
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
12
action.yml
12
action.yml
@@ -23,6 +23,10 @@ inputs:
|
||||
description: "The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format)"
|
||||
required: false
|
||||
default: "claude/"
|
||||
branch_name_template:
|
||||
description: "Template for branch naming. Available variables: {{prefix}}, {{entityType}}, {{entityNumber}}, {{timestamp}}, {{sha}}, {{label}}, {{description}}. {{label}} will be first label from the issue/PR, or {{entityType}} as a fallback. {{description}} will be the first 5 words of the issue/PR title in kebab-case. Default: '{{prefix}}{{entityType}}-{{entityNumber}}-{{timestamp}}'"
|
||||
required: false
|
||||
default: ""
|
||||
allowed_bots:
|
||||
description: "Comma-separated list of allowed bot usernames, or '*' to allow all bots. Empty string (default) allows no bots."
|
||||
required: false
|
||||
@@ -31,6 +35,10 @@ inputs:
|
||||
description: "Comma-separated list of usernames to allow without write permissions, or '*' to allow all users. Only works when github_token input is provided. WARNING: Use with extreme caution - this bypasses security checks and should only be used for workflows with very limited permissions (e.g., issue labeling)."
|
||||
required: false
|
||||
default: ""
|
||||
bypass_write_permission_check_acknowledgment:
|
||||
description: "REQUIRED when using allowed_non_write_users='*'. Set to 'true' to explicitly acknowledge the security implications of bypassing write permission checks for all users. This flag serves as a safeguard against accidental security misconfigurations."
|
||||
required: false
|
||||
default: "false"
|
||||
|
||||
# Claude Code configuration
|
||||
prompt:
|
||||
@@ -178,9 +186,11 @@ runs:
|
||||
LABEL_TRIGGER: ${{ inputs.label_trigger }}
|
||||
BASE_BRANCH: ${{ inputs.base_branch }}
|
||||
BRANCH_PREFIX: ${{ inputs.branch_prefix }}
|
||||
BRANCH_NAME_TEMPLATE: ${{ inputs.branch_name_template }}
|
||||
OVERRIDE_GITHUB_TOKEN: ${{ inputs.github_token }}
|
||||
ALLOWED_BOTS: ${{ inputs.allowed_bots }}
|
||||
ALLOWED_NON_WRITE_USERS: ${{ inputs.allowed_non_write_users }}
|
||||
BYPASS_WRITE_PERMISSION_CHECK_ACKNOWLEDGMENT: ${{ inputs.bypass_write_permission_check_acknowledgment }}
|
||||
GITHUB_RUN_ID: ${{ github.run_id }}
|
||||
USE_STICKY_COMMENT: ${{ inputs.use_sticky_comment }}
|
||||
DEFAULT_WORKFLOW_TOKEN: ${{ github.token }}
|
||||
@@ -208,7 +218,7 @@ runs:
|
||||
|
||||
# Install Claude Code if no custom executable is provided
|
||||
if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
|
||||
CLAUDE_CODE_VERSION="2.0.76"
|
||||
CLAUDE_CODE_VERSION="2.1.6"
|
||||
echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
|
||||
for attempt in 1 2 3; do
|
||||
echo "Installation attempt $attempt..."
|
||||
|
||||
@@ -124,7 +124,7 @@ runs:
|
||||
PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
|
||||
run: |
|
||||
if [ -z "$PATH_TO_CLAUDE_CODE_EXECUTABLE" ]; then
|
||||
CLAUDE_CODE_VERSION="2.0.76"
|
||||
CLAUDE_CODE_VERSION="2.1.6"
|
||||
echo "Installing Claude Code v${CLAUDE_CODE_VERSION}..."
|
||||
for attempt in 1 2 3; do
|
||||
echo "Installation attempt $attempt..."
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
"name": "@anthropic-ai/claude-code-base-action",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.1.76",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.2.6",
|
||||
"shell-quote": "^1.8.3",
|
||||
},
|
||||
"devDependencies": {
|
||||
@@ -27,7 +27,7 @@
|
||||
|
||||
"@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
|
||||
|
||||
"@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.76", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1 || ^4.0.0" } }, "sha512-s7RvpXoFaLXLG7A1cJBAPD8ilwOhhc/12fb5mJXRuD561o4FmPtQ+WRfuy9akMmrFRfLsKv8Ornw3ClGAPL2fw=="],
|
||||
"@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.6", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-lwswHo6z/Kh9djafk2ajPju62+VqHwJ23gueG1alfaLNK4GRYHgCROfiX6/wlxAd8sRvgTo6ry1hNzkyz7bOpw=="],
|
||||
|
||||
"@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.1.76",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.2.6",
|
||||
"shell-quote": "^1.8.3"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
4
bun.lock
4
bun.lock
@@ -7,7 +7,7 @@
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/github": "^6.0.1",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.1.76",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.2.6",
|
||||
"@modelcontextprotocol/sdk": "^1.11.0",
|
||||
"@octokit/graphql": "^8.2.2",
|
||||
"@octokit/rest": "^21.1.1",
|
||||
@@ -37,7 +37,7 @@
|
||||
|
||||
"@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
|
||||
|
||||
"@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.1.76", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^3.24.1 || ^4.0.0" } }, "sha512-s7RvpXoFaLXLG7A1cJBAPD8ilwOhhc/12fb5mJXRuD561o4FmPtQ+WRfuy9akMmrFRfLsKv8Ornw3ClGAPL2fw=="],
|
||||
"@anthropic-ai/claude-agent-sdk": ["@anthropic-ai/claude-agent-sdk@0.2.6", "", { "optionalDependencies": { "@img/sharp-darwin-arm64": "^0.33.5", "@img/sharp-darwin-x64": "^0.33.5", "@img/sharp-linux-arm": "^0.33.5", "@img/sharp-linux-arm64": "^0.33.5", "@img/sharp-linux-x64": "^0.33.5", "@img/sharp-linuxmusl-arm64": "^0.33.5", "@img/sharp-linuxmusl-x64": "^0.33.5", "@img/sharp-win32-x64": "^0.33.5" }, "peerDependencies": { "zod": "^4.0.0" } }, "sha512-lwswHo6z/Kh9djafk2ajPju62+VqHwJ23gueG1alfaLNK4GRYHgCROfiX6/wlxAd8sRvgTo6ry1hNzkyz7bOpw=="],
|
||||
|
||||
"@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
- **⚠️ Non-Write User Access (RISKY)**: The `allowed_non_write_users` parameter allows bypassing the write permission requirement. **This is a significant security risk and should only be used for workflows with extremely limited permissions** (e.g., issue labeling workflows that only have `issues: write` permission). This feature:
|
||||
- Only works when `github_token` is provided as input (not with GitHub App authentication)
|
||||
- Accepts either a comma-separated list of specific usernames or `*` to allow all users
|
||||
- **When using the wildcard (`*`)**, you MUST also set `bypass_write_permission_check_acknowledgment: true` to explicitly acknowledge the security implications. Without this flag, the action will fail as a safeguard against accidental security misconfigurations
|
||||
- **Should be used with extreme caution** as it bypasses the primary security mechanism of this action
|
||||
- Is designed for automation workflows where user permissions are already restricted by the workflow's permission scope
|
||||
- **Token Permissions**: The GitHub app receives only a short-lived token scoped specifically to the repository it's operating in
|
||||
|
||||
@@ -52,35 +52,36 @@ jobs:
|
||||
|
||||
## Inputs
|
||||
|
||||
| Input | Description | Required | Default |
|
||||
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
|
||||
| `anthropic_api_key` | Anthropic API key (required for direct API, not needed for Bedrock/Vertex) | No\* | - |
|
||||
| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key) | No\* | - |
|
||||
| `prompt` | Instructions for Claude. Can be a direct prompt or custom template for automation workflows | No | - |
|
||||
| `track_progress` | Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context | No | `false` |
|
||||
| `include_fix_links` | Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue | No | `true` |
|
||||
| `claude_args` | Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`) | No | "" |
|
||||
| `base_branch` | The base branch to use for creating new branches (e.g., 'main', 'develop') | No | - |
|
||||
| `use_sticky_comment` | Use just one comment to deliver PR comments (only applies for pull_request event workflows) | No | `false` |
|
||||
| `github_token` | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!** | No | - |
|
||||
| `use_bedrock` | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API | No | `false` |
|
||||
| `use_vertex` | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API | No | `false` |
|
||||
| `assignee_trigger` | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment | No | - |
|
||||
| `label_trigger` | The label name that triggers the action when applied to an issue (e.g. "claude") | No | - |
|
||||
| `trigger_phrase` | The trigger phrase to look for in comments, issue/PR bodies, and issue titles | No | `@claude` |
|
||||
| `branch_prefix` | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format) | No | `claude/` |
|
||||
| `settings` | Claude Code settings as JSON string or path to settings JSON file | No | "" |
|
||||
| `additional_permissions` | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results | No | "" |
|
||||
| `use_commit_signing` | Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing) | No | `false` |
|
||||
| `ssh_signing_key` | SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing) | No | "" |
|
||||
| `bot_id` | GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits | No | `41898282` |
|
||||
| `bot_name` | GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits | No | `claude[bot]` |
|
||||
| `allowed_bots` | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots | No | "" |
|
||||
| `allowed_non_write_users` | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md) | No | "" |
|
||||
| `path_to_claude_code_executable` | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments | No | "" |
|
||||
| `path_to_bun_executable` | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments | No | "" |
|
||||
| `plugin_marketplaces` | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation | No | "" |
|
||||
| `plugins` | Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution | No | "" |
|
||||
| Input | Description | Required | Default |
|
||||
| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------- |
|
||||
| `anthropic_api_key` | Anthropic API key (required for direct API, not needed for Bedrock/Vertex) | No\* | - |
|
||||
| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key) | No\* | - |
|
||||
| `prompt` | Instructions for Claude. Can be a direct prompt or custom template for automation workflows | No | - |
|
||||
| `track_progress` | Force tag mode with tracking comments. Only works with specific PR/issue events. Preserves GitHub context | No | `false` |
|
||||
| `include_fix_links` | Include 'Fix this' links in PR code review feedback that open Claude Code with context to fix the identified issue | No | `true` |
|
||||
| `claude_args` | Additional [arguments to pass directly to Claude CLI](https://docs.claude.com/en/docs/claude-code/cli-reference#cli-flags) (e.g., `--max-turns 10 --model claude-4-0-sonnet-20250805`) | No | "" |
|
||||
| `base_branch` | The base branch to use for creating new branches (e.g., 'main', 'develop') | No | - |
|
||||
| `use_sticky_comment` | Use just one comment to deliver PR comments (only applies for pull_request event workflows) | No | `false` |
|
||||
| `github_token` | GitHub token for Claude to operate with. **Only include this if you're connecting a custom GitHub app of your own!** | No | - |
|
||||
| `use_bedrock` | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API | No | `false` |
|
||||
| `use_vertex` | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API | No | `false` |
|
||||
| `assignee_trigger` | The assignee username that triggers the action (e.g. @claude). Only used for issue assignment | No | - |
|
||||
| `label_trigger` | The label name that triggers the action when applied to an issue (e.g. "claude") | No | - |
|
||||
| `trigger_phrase` | The trigger phrase to look for in comments, issue/PR bodies, and issue titles | No | `@claude` |
|
||||
| `branch_prefix` | The prefix to use for Claude branches (defaults to 'claude/', use 'claude-' for dash format) | No | `claude/` |
|
||||
| `settings` | Claude Code settings as JSON string or path to settings JSON file | No | "" |
|
||||
| `additional_permissions` | Additional permissions to enable. Currently supports 'actions: read' for viewing workflow results | No | "" |
|
||||
| `use_commit_signing` | Enable commit signing using GitHub's API. Simple but cannot perform complex git operations like rebasing. See [Security](./security.md#commit-signing) | No | `false` |
|
||||
| `ssh_signing_key` | SSH private key for signing commits. Enables signed commits with full git CLI support (rebasing, etc.). See [Security](./security.md#commit-signing) | No | "" |
|
||||
| `bot_id` | GitHub user ID to use for git operations (defaults to Claude's bot ID). Required with `ssh_signing_key` for verified commits | No | `41898282` |
|
||||
| `bot_name` | GitHub username to use for git operations (defaults to Claude's bot name). Required with `ssh_signing_key` for verified commits | No | `claude[bot]` |
|
||||
| `allowed_bots` | Comma-separated list of allowed bot usernames, or '\*' to allow all bots. Empty string (default) allows no bots | No | "" |
|
||||
| `allowed_non_write_users` | **⚠️ RISKY**: Comma-separated list of usernames to allow without write permissions, or '\*' for all users. Only works with `github_token` input. See [Security](./security.md) | No | "" |
|
||||
| `bypass_write_permission_check_acknowledgment` | **REQUIRED** when using `allowed_non_write_users='*'`. Set to `true` to explicitly acknowledge security implications. Prevents accidental security misconfigurations | No | `false` |
|
||||
| `path_to_claude_code_executable` | Optional path to a custom Claude Code executable. Skips automatic installation. Useful for Nix, custom containers, or specialized environments | No | "" |
|
||||
| `path_to_bun_executable` | Optional path to a custom Bun executable. Skips automatic Bun installation. Useful for Nix, custom containers, or specialized environments | No | "" |
|
||||
| `plugin_marketplaces` | Newline-separated list of Claude Code plugin marketplace Git URLs to install from (e.g., see example in workflow above). Marketplaces are added before plugin installation | No | "" |
|
||||
| `plugins` | Newline-separated list of Claude Code plugin names to install (e.g., see example in workflow above). Plugins are installed before Claude Code execution | No | "" |
|
||||
|
||||
### Deprecated Inputs
|
||||
|
||||
|
||||
@@ -21,26 +21,7 @@ jobs:
|
||||
!startsWith(github.event.workflow_run.head_branch, 'claude-auto-fix-ci-')
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check for clawd-stop label
|
||||
id: check_label
|
||||
uses: actions/github-script@v7
|
||||
with:
|
||||
script: |
|
||||
const prNumber = ${{ github.event.workflow_run.pull_requests[0].number }};
|
||||
const { data: pr } = await github.rest.pulls.get({
|
||||
owner: context.repo.owner,
|
||||
repo: context.repo.repo,
|
||||
pull_number: prNumber
|
||||
});
|
||||
const hasClawdStop = pr.labels.some(label => label.name === 'clawd-stop');
|
||||
if (hasClawdStop) {
|
||||
console.log('PR has clawd-stop label, skipping auto-fix');
|
||||
}
|
||||
return hasClawdStop;
|
||||
result-encoding: string
|
||||
|
||||
- name: Checkout code
|
||||
if: steps.check_label.outputs.result != 'true'
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.event.workflow_run.head_branch }}
|
||||
@@ -48,13 +29,11 @@ jobs:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Setup git identity
|
||||
if: steps.check_label.outputs.result != 'true'
|
||||
run: |
|
||||
git config --global user.email "claude[bot]@users.noreply.github.com"
|
||||
git config --global user.name "claude[bot]"
|
||||
|
||||
- name: Create fix branch
|
||||
if: steps.check_label.outputs.result != 'true'
|
||||
id: branch
|
||||
run: |
|
||||
BRANCH_NAME="claude-auto-fix-ci-${{ github.event.workflow_run.head_branch }}-${{ github.run_id }}"
|
||||
@@ -62,7 +41,6 @@ jobs:
|
||||
echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Get CI failure details
|
||||
if: steps.check_label.outputs.result != 'true'
|
||||
id: failure_details
|
||||
uses: actions/github-script@v7
|
||||
with:
|
||||
@@ -101,7 +79,6 @@ jobs:
|
||||
};
|
||||
|
||||
- name: Fix CI failures with Claude
|
||||
if: steps.check_label.outputs.result != 'true'
|
||||
id: claude
|
||||
uses: anthropics/claude-code-action@v1
|
||||
with:
|
||||
|
||||
@@ -26,4 +26,5 @@ jobs:
|
||||
|
||||
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
|
||||
allowed_non_write_users: "*" # Required for issue triage workflow, if users without repo write access create issues
|
||||
bypass_write_permission_check_acknowledgment: true # Required when using wildcard
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/github": "^6.0.1",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.1.76",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.2.6",
|
||||
"@modelcontextprotocol/sdk": "^1.11.0",
|
||||
"@octokit/graphql": "^8.2.2",
|
||||
"@octokit/rest": "^21.1.1",
|
||||
|
||||
@@ -37,6 +37,7 @@ async function run() {
|
||||
context,
|
||||
context.inputs.allowedNonWriteUsers,
|
||||
githubTokenProvided,
|
||||
context.inputs.bypassWritePermissionCheckAcknowledgment,
|
||||
);
|
||||
if (!hasWritePermissions) {
|
||||
throw new Error(
|
||||
|
||||
@@ -18,6 +18,11 @@ export const PR_QUERY = `
|
||||
additions
|
||||
deletions
|
||||
state
|
||||
labels(first: 1) {
|
||||
nodes {
|
||||
name
|
||||
}
|
||||
}
|
||||
commits(first: 100) {
|
||||
totalCount
|
||||
nodes {
|
||||
@@ -101,6 +106,11 @@ export const ISSUE_QUERY = `
|
||||
updatedAt
|
||||
lastEditedAt
|
||||
state
|
||||
labels(first: 1) {
|
||||
nodes {
|
||||
name
|
||||
}
|
||||
}
|
||||
comments(first: 100) {
|
||||
nodes {
|
||||
id
|
||||
|
||||
@@ -88,6 +88,7 @@ type BaseContext = {
|
||||
labelTrigger: string;
|
||||
baseBranch?: string;
|
||||
branchPrefix: string;
|
||||
branchNameTemplate?: string;
|
||||
useStickyComment: boolean;
|
||||
useCommitSigning: boolean;
|
||||
sshSigningKey: string;
|
||||
@@ -95,6 +96,7 @@ type BaseContext = {
|
||||
botName: string;
|
||||
allowedBots: string;
|
||||
allowedNonWriteUsers: string;
|
||||
bypassWritePermissionCheckAcknowledgment: boolean;
|
||||
trackProgress: boolean;
|
||||
includeFixLinks: boolean;
|
||||
};
|
||||
@@ -145,6 +147,7 @@ export function parseGitHubContext(): GitHubContext {
|
||||
labelTrigger: process.env.LABEL_TRIGGER ?? "",
|
||||
baseBranch: process.env.BASE_BRANCH,
|
||||
branchPrefix: process.env.BRANCH_PREFIX ?? "claude/",
|
||||
branchNameTemplate: process.env.BRANCH_NAME_TEMPLATE,
|
||||
useStickyComment: process.env.USE_STICKY_COMMENT === "true",
|
||||
useCommitSigning: process.env.USE_COMMIT_SIGNING === "true",
|
||||
sshSigningKey: process.env.SSH_SIGNING_KEY || "",
|
||||
@@ -152,6 +155,8 @@ export function parseGitHubContext(): GitHubContext {
|
||||
botName: process.env.BOT_NAME ?? CLAUDE_BOT_LOGIN,
|
||||
allowedBots: process.env.ALLOWED_BOTS ?? "",
|
||||
allowedNonWriteUsers: process.env.ALLOWED_NON_WRITE_USERS ?? "",
|
||||
bypassWritePermissionCheckAcknowledgment:
|
||||
process.env.BYPASS_WRITE_PERMISSION_CHECK_ACKNOWLEDGMENT === "true",
|
||||
trackProgress: process.env.TRACK_PROGRESS === "true",
|
||||
includeFixLinks: process.env.INCLUDE_FIX_LINKS === "true",
|
||||
},
|
||||
|
||||
@@ -6,12 +6,22 @@
|
||||
* - For Issues: Create a new branch
|
||||
*/
|
||||
|
||||
import { $ } from "bun";
|
||||
import { execFileSync } from "child_process";
|
||||
import * as core from "@actions/core";
|
||||
import type { ParsedGitHubContext } from "../context";
|
||||
import type { GitHubPullRequest } from "../types";
|
||||
import type { Octokits } from "../api/client";
|
||||
import type { FetchDataResult } from "../data/fetcher";
|
||||
import { generateBranchName } from "../../utils/branch-template";
|
||||
|
||||
/**
|
||||
* Extracts the first label from GitHub data, or returns undefined if no labels exist
|
||||
*/
|
||||
function extractFirstLabel(githubData: FetchDataResult): string | undefined {
|
||||
const labels = githubData.contextData.labels?.nodes;
|
||||
return labels && labels.length > 0 ? labels[0]?.name : undefined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates a git branch name against a strict whitelist pattern.
|
||||
@@ -125,7 +135,7 @@ export async function setupBranch(
|
||||
): Promise<BranchInfo> {
|
||||
const { owner, repo } = context.repository;
|
||||
const entityNumber = context.entityNumber;
|
||||
const { baseBranch, branchPrefix } = context.inputs;
|
||||
const { baseBranch, branchPrefix, branchNameTemplate } = context.inputs;
|
||||
const isPR = context.isPR;
|
||||
|
||||
if (isPR) {
|
||||
@@ -191,17 +201,8 @@ export async function setupBranch(
|
||||
// Generate branch name for either an issue or closed/merged PR
|
||||
const entityType = isPR ? "pr" : "issue";
|
||||
|
||||
// Create Kubernetes-compatible timestamp: lowercase, hyphens only, shorter format
|
||||
const now = new Date();
|
||||
const timestamp = `${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, "0")}${String(now.getDate()).padStart(2, "0")}-${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}`;
|
||||
|
||||
// Ensure branch name is Kubernetes-compatible:
|
||||
// - Lowercase only
|
||||
// - Alphanumeric with hyphens
|
||||
// - No underscores
|
||||
// - Max 50 chars (to allow for prefixes)
|
||||
const branchName = `${branchPrefix}${entityType}-${entityNumber}-${timestamp}`;
|
||||
const newBranch = branchName.toLowerCase().substring(0, 50);
|
||||
// Get the SHA of the source branch to use in template
|
||||
let sourceSHA: string | undefined;
|
||||
|
||||
try {
|
||||
// Get the SHA of the source branch to verify it exists
|
||||
@@ -211,8 +212,46 @@ export async function setupBranch(
|
||||
ref: `heads/${sourceBranch}`,
|
||||
});
|
||||
|
||||
const currentSHA = sourceBranchRef.data.object.sha;
|
||||
console.log(`Source branch SHA: ${currentSHA}`);
|
||||
sourceSHA = sourceBranchRef.data.object.sha;
|
||||
console.log(`Source branch SHA: ${sourceSHA}`);
|
||||
|
||||
// Extract first label from GitHub data
|
||||
const firstLabel = extractFirstLabel(githubData);
|
||||
|
||||
// Extract title from GitHub data
|
||||
const title = githubData.contextData.title;
|
||||
|
||||
// Generate branch name using template or default format
|
||||
let newBranch = generateBranchName(
|
||||
branchNameTemplate,
|
||||
branchPrefix,
|
||||
entityType,
|
||||
entityNumber,
|
||||
sourceSHA,
|
||||
firstLabel,
|
||||
title,
|
||||
);
|
||||
|
||||
// Check if generated branch already exists on remote
|
||||
try {
|
||||
await $`git ls-remote --exit-code origin refs/heads/${newBranch}`.quiet();
|
||||
|
||||
// If we get here, branch exists (exit code 0)
|
||||
console.log(
|
||||
`Branch '${newBranch}' already exists, falling back to default format`,
|
||||
);
|
||||
newBranch = generateBranchName(
|
||||
undefined, // Force default template
|
||||
branchPrefix,
|
||||
entityType,
|
||||
entityNumber,
|
||||
sourceSHA,
|
||||
firstLabel,
|
||||
title,
|
||||
);
|
||||
} catch {
|
||||
// Branch doesn't exist (non-zero exit code), continue with generated name
|
||||
}
|
||||
|
||||
// For commit signing, defer branch creation to the file ops server
|
||||
if (context.inputs.useCommitSigning) {
|
||||
|
||||
@@ -63,6 +63,11 @@ export type GitHubPullRequest = {
|
||||
additions: number;
|
||||
deletions: number;
|
||||
state: string;
|
||||
labels: {
|
||||
nodes: Array<{
|
||||
name: string;
|
||||
}>;
|
||||
};
|
||||
commits: {
|
||||
totalCount: number;
|
||||
nodes: Array<{
|
||||
@@ -88,6 +93,11 @@ export type GitHubIssue = {
|
||||
updatedAt?: string;
|
||||
lastEditedAt?: string;
|
||||
state: string;
|
||||
labels: {
|
||||
nodes: Array<{
|
||||
name: string;
|
||||
}>;
|
||||
};
|
||||
comments: {
|
||||
nodes: GitHubComment[];
|
||||
};
|
||||
|
||||
@@ -8,6 +8,7 @@ import type { Octokit } from "@octokit/rest";
|
||||
* @param context - The GitHub context
|
||||
* @param allowedNonWriteUsers - Comma-separated list of users allowed without write permissions, or '*' for all
|
||||
* @param githubTokenProvided - Whether github_token was provided as input (not from app)
|
||||
* @param bypassAcknowledgment - Explicit acknowledgment required when using wildcard (*)
|
||||
* @returns true if the actor has write permissions, false otherwise
|
||||
*/
|
||||
export async function checkWritePermissions(
|
||||
@@ -15,6 +16,7 @@ export async function checkWritePermissions(
|
||||
context: ParsedGitHubContext,
|
||||
allowedNonWriteUsers?: string,
|
||||
githubTokenProvided?: boolean,
|
||||
bypassAcknowledgment?: boolean,
|
||||
): Promise<boolean> {
|
||||
const { repository, actor } = context;
|
||||
|
||||
@@ -25,6 +27,17 @@ export async function checkWritePermissions(
|
||||
if (allowedNonWriteUsers && githubTokenProvided) {
|
||||
const allowedUsers = allowedNonWriteUsers.trim();
|
||||
if (allowedUsers === "*") {
|
||||
if (!bypassAcknowledgment) {
|
||||
core.error(
|
||||
`❌ SECURITY ERROR: Attempting to bypass write permission checks for all users with allowed_non_write_users='*' without explicit acknowledgment. ` +
|
||||
`This is a critical security misconfiguration. To proceed, you must set bypass_write_permission_check_acknowledgment='true' ` +
|
||||
`to explicitly acknowledge the security implications.`,
|
||||
);
|
||||
throw new Error(
|
||||
"Cannot bypass write permission checks with wildcard (*) without explicit acknowledgment. " +
|
||||
"Set bypass_write_permission_check_acknowledgment='true' to acknowledge security implications.",
|
||||
);
|
||||
}
|
||||
core.warning(
|
||||
`⚠️ SECURITY WARNING: Bypassing write permission check for ${actor} due to allowed_non_write_users='*'. This should only be used for workflows with very limited permissions.`,
|
||||
);
|
||||
|
||||
@@ -1,22 +1,33 @@
|
||||
export function parseAllowedTools(claudeArgs: string): string[] {
|
||||
// Match --allowedTools or --allowed-tools followed by the value
|
||||
// Handle both quoted and unquoted values
|
||||
// Use /g flag to find ALL occurrences, not just the first one
|
||||
const patterns = [
|
||||
/--(?:allowedTools|allowed-tools)\s+"([^"]+)"/, // Double quoted
|
||||
/--(?:allowedTools|allowed-tools)\s+'([^']+)'/, // Single quoted
|
||||
/--(?:allowedTools|allowed-tools)\s+([^\s]+)/, // Unquoted
|
||||
/--(?:allowedTools|allowed-tools)\s+"([^"]+)"/g, // Double quoted
|
||||
/--(?:allowedTools|allowed-tools)\s+'([^']+)'/g, // Single quoted
|
||||
/--(?:allowedTools|allowed-tools)\s+([^'"\s][^\s]*)/g, // Unquoted (must not start with quote)
|
||||
];
|
||||
|
||||
const tools: string[] = [];
|
||||
const seen = new Set<string>();
|
||||
|
||||
for (const pattern of patterns) {
|
||||
const match = claudeArgs.match(pattern);
|
||||
if (match && match[1]) {
|
||||
// Don't return if the value starts with -- (another flag)
|
||||
if (match[1].startsWith("--")) {
|
||||
return [];
|
||||
for (const match of claudeArgs.matchAll(pattern)) {
|
||||
if (match[1]) {
|
||||
// Don't add if the value starts with -- (another flag)
|
||||
if (match[1].startsWith("--")) {
|
||||
continue;
|
||||
}
|
||||
for (const tool of match[1].split(",")) {
|
||||
const trimmed = tool.trim();
|
||||
if (trimmed && !seen.has(trimmed)) {
|
||||
seen.add(trimmed);
|
||||
tools.push(trimmed);
|
||||
}
|
||||
}
|
||||
}
|
||||
return match[1].split(",").map((t) => t.trim());
|
||||
}
|
||||
}
|
||||
|
||||
return [];
|
||||
return tools;
|
||||
}
|
||||
|
||||
99
src/utils/branch-template.ts
Normal file
99
src/utils/branch-template.ts
Normal file
@@ -0,0 +1,99 @@
|
||||
#!/usr/bin/env bun
|
||||
|
||||
/**
|
||||
* Branch name template parsing and variable substitution utilities
|
||||
*/
|
||||
|
||||
const NUM_DESCRIPTION_WORDS = 5;
|
||||
|
||||
/**
|
||||
* Extracts the first 5 words from a title and converts them to kebab-case
|
||||
*/
|
||||
function extractDescription(
|
||||
title: string,
|
||||
numWords: number = NUM_DESCRIPTION_WORDS,
|
||||
): string {
|
||||
if (!title || title.trim() === "") {
|
||||
return "";
|
||||
}
|
||||
|
||||
return title
|
||||
.trim()
|
||||
.split(/\s+/)
|
||||
.slice(0, numWords) // Only first `numWords` words
|
||||
.join("-")
|
||||
.toLowerCase()
|
||||
.replace(/[^a-z0-9-]/g, "") // Remove non-alphanumeric except hyphens
|
||||
.replace(/-+/g, "-") // Replace multiple hyphens with single
|
||||
.replace(/^-|-$/g, ""); // Remove leading/trailing hyphens
|
||||
}
|
||||
|
||||
export interface BranchTemplateVariables {
|
||||
prefix: string;
|
||||
entityType: string;
|
||||
entityNumber: number;
|
||||
timestamp: string;
|
||||
sha?: string;
|
||||
label?: string;
|
||||
description?: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Replaces template variables in a branch name template
|
||||
* Template format: {{variableName}}
|
||||
*/
|
||||
export function applyBranchTemplate(
|
||||
template: string,
|
||||
variables: BranchTemplateVariables,
|
||||
): string {
|
||||
let result = template;
|
||||
|
||||
// Replace each variable
|
||||
Object.entries(variables).forEach(([key, value]) => {
|
||||
const placeholder = `{{${key}}}`;
|
||||
const replacement = value ? String(value) : "";
|
||||
result = result.replaceAll(placeholder, replacement);
|
||||
});
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates a branch name from the provided `template` and set of `variables`. Uses a default format if the template is empty or produces an empty result.
|
||||
*/
|
||||
export function generateBranchName(
|
||||
template: string | undefined,
|
||||
branchPrefix: string,
|
||||
entityType: string,
|
||||
entityNumber: number,
|
||||
sha?: string,
|
||||
label?: string,
|
||||
title?: string,
|
||||
): string {
|
||||
const now = new Date();
|
||||
|
||||
const variables: BranchTemplateVariables = {
|
||||
prefix: branchPrefix,
|
||||
entityType,
|
||||
entityNumber,
|
||||
timestamp: `${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, "0")}${String(now.getDate()).padStart(2, "0")}-${String(now.getHours()).padStart(2, "0")}${String(now.getMinutes()).padStart(2, "0")}`,
|
||||
sha: sha?.substring(0, 8), // First 8 characters of SHA
|
||||
label: label || entityType, // Fall back to entityType if no label
|
||||
description: title ? extractDescription(title) : undefined,
|
||||
};
|
||||
|
||||
if (template?.trim()) {
|
||||
const branchName = applyBranchTemplate(template, variables);
|
||||
|
||||
// Some templates could produce empty results- validate
|
||||
if (branchName.trim().length > 0) return branchName;
|
||||
|
||||
console.log(
|
||||
`Branch template '${template}' generated empty result, falling back to default format`,
|
||||
);
|
||||
}
|
||||
|
||||
const branchName = `${branchPrefix}${entityType}-${entityNumber}-${variables.timestamp}`;
|
||||
// Kubernetes compatible: lowercase, max 50 chars, alphanumeric and hyphens only
|
||||
return branchName.toLowerCase().substring(0, 50);
|
||||
}
|
||||
247
test/branch-template.test.ts
Normal file
247
test/branch-template.test.ts
Normal file
@@ -0,0 +1,247 @@
|
||||
#!/usr/bin/env bun
|
||||
|
||||
import { describe, it, expect } from "bun:test";
|
||||
import {
|
||||
applyBranchTemplate,
|
||||
generateBranchName,
|
||||
} from "../src/utils/branch-template";
|
||||
|
||||
describe("branch template utilities", () => {
|
||||
describe("applyBranchTemplate", () => {
|
||||
it("should replace all template variables", () => {
|
||||
const template =
|
||||
"{{prefix}}{{entityType}}-{{entityNumber}}-{{timestamp}}";
|
||||
const variables = {
|
||||
prefix: "feat/",
|
||||
entityType: "issue",
|
||||
entityNumber: 123,
|
||||
timestamp: "20240301-1430",
|
||||
sha: "abcd1234",
|
||||
};
|
||||
|
||||
const result = applyBranchTemplate(template, variables);
|
||||
expect(result).toBe("feat/issue-123-20240301-1430");
|
||||
});
|
||||
|
||||
it("should handle custom templates with multiple variables", () => {
|
||||
const template =
|
||||
"{{prefix}}fix/{{entityType}}_{{entityNumber}}_{{timestamp}}_{{sha}}";
|
||||
const variables = {
|
||||
prefix: "claude-",
|
||||
entityType: "pr",
|
||||
entityNumber: 456,
|
||||
timestamp: "20240301-1430",
|
||||
sha: "abcd1234",
|
||||
};
|
||||
|
||||
const result = applyBranchTemplate(template, variables);
|
||||
expect(result).toBe("claude-fix/pr_456_20240301-1430_abcd1234");
|
||||
});
|
||||
|
||||
it("should handle templates with missing variables gracefully", () => {
|
||||
const template = "{{prefix}}{{entityType}}-{{missing}}-{{entityNumber}}";
|
||||
const variables = {
|
||||
prefix: "feat/",
|
||||
entityType: "issue",
|
||||
entityNumber: 123,
|
||||
timestamp: "20240301-1430",
|
||||
};
|
||||
|
||||
const result = applyBranchTemplate(template, variables);
|
||||
expect(result).toBe("feat/issue-{{missing}}-123");
|
||||
});
|
||||
});
|
||||
|
||||
describe("generateBranchName", () => {
|
||||
it("should use custom template when provided", () => {
|
||||
const template = "{{prefix}}custom-{{entityType}}_{{entityNumber}}";
|
||||
const result = generateBranchName(template, "feature/", "issue", 123);
|
||||
|
||||
expect(result).toBe("feature/custom-issue_123");
|
||||
});
|
||||
|
||||
it("should use default format when template is empty", () => {
|
||||
const result = generateBranchName("", "claude/", "issue", 123);
|
||||
|
||||
expect(result).toMatch(/^claude\/issue-123-\d{8}-\d{4}$/);
|
||||
});
|
||||
|
||||
it("should use default format when template is undefined", () => {
|
||||
const result = generateBranchName(undefined, "claude/", "pr", 456);
|
||||
|
||||
expect(result).toMatch(/^claude\/pr-456-\d{8}-\d{4}$/);
|
||||
});
|
||||
|
||||
it("should preserve custom template formatting (no automatic lowercase/truncation)", () => {
|
||||
const template = "{{prefix}}UPPERCASE_Branch-Name_{{entityNumber}}";
|
||||
const result = generateBranchName(template, "Feature/", "issue", 123);
|
||||
|
||||
expect(result).toBe("Feature/UPPERCASE_Branch-Name_123");
|
||||
});
|
||||
|
||||
it("should not truncate custom template results", () => {
|
||||
const template =
|
||||
"{{prefix}}very-long-branch-name-that-exceeds-the-maximum-allowed-length-{{entityNumber}}";
|
||||
const result = generateBranchName(template, "feature/", "issue", 123);
|
||||
|
||||
expect(result).toBe(
|
||||
"feature/very-long-branch-name-that-exceeds-the-maximum-allowed-length-123",
|
||||
);
|
||||
});
|
||||
|
||||
it("should apply Kubernetes-compatible transformations to default template only", () => {
|
||||
const result = generateBranchName(undefined, "Feature/", "issue", 123);
|
||||
|
||||
expect(result).toMatch(/^feature\/issue-123-\d{8}-\d{4}$/);
|
||||
expect(result.length).toBeLessThanOrEqual(50);
|
||||
});
|
||||
|
||||
it("should handle SHA in template", () => {
|
||||
const template = "{{prefix}}{{entityType}}-{{entityNumber}}-{{sha}}";
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"fix/",
|
||||
"pr",
|
||||
789,
|
||||
"abcdef123456",
|
||||
);
|
||||
|
||||
expect(result).toBe("fix/pr-789-abcdef12");
|
||||
});
|
||||
|
||||
it("should use label in template when provided", () => {
|
||||
const template = "{{prefix}}{{label}}/{{entityNumber}}";
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"feature/",
|
||||
"issue",
|
||||
123,
|
||||
undefined,
|
||||
"bug",
|
||||
);
|
||||
|
||||
expect(result).toBe("feature/bug/123");
|
||||
});
|
||||
|
||||
it("should fallback to entityType when label template is used but no label provided", () => {
|
||||
const template = "{{prefix}}{{label}}-{{entityNumber}}";
|
||||
const result = generateBranchName(template, "fix/", "pr", 456);
|
||||
|
||||
expect(result).toBe("fix/pr-456");
|
||||
});
|
||||
|
||||
it("should handle template with both label and entityType", () => {
|
||||
const template = "{{prefix}}{{label}}-{{entityType}}_{{entityNumber}}";
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"dev/",
|
||||
"issue",
|
||||
789,
|
||||
undefined,
|
||||
"enhancement",
|
||||
);
|
||||
|
||||
expect(result).toBe("dev/enhancement-issue_789");
|
||||
});
|
||||
|
||||
it("should use description in template when provided", () => {
|
||||
const template = "{{prefix}}{{description}}/{{entityNumber}}";
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"feature/",
|
||||
"issue",
|
||||
123,
|
||||
undefined,
|
||||
undefined,
|
||||
"Fix login bug with OAuth",
|
||||
);
|
||||
|
||||
expect(result).toBe("feature/fix-login-bug-with-oauth/123");
|
||||
});
|
||||
|
||||
it("should handle template with multiple variables including description", () => {
|
||||
const template =
|
||||
"{{prefix}}{{label}}/{{description}}-{{entityType}}_{{entityNumber}}";
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"dev/",
|
||||
"issue",
|
||||
456,
|
||||
undefined,
|
||||
"bug",
|
||||
"User authentication fails completely",
|
||||
);
|
||||
|
||||
expect(result).toBe(
|
||||
"dev/bug/user-authentication-fails-completely-issue_456",
|
||||
);
|
||||
});
|
||||
|
||||
it("should handle description with special characters in template", () => {
|
||||
const template = "{{prefix}}{{description}}-{{entityNumber}}";
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"fix/",
|
||||
"pr",
|
||||
789,
|
||||
undefined,
|
||||
undefined,
|
||||
"Add: User Registration & Email Validation",
|
||||
);
|
||||
|
||||
expect(result).toBe("fix/add-user-registration-email-789");
|
||||
});
|
||||
|
||||
it("should truncate descriptions to exactly 5 words", () => {
|
||||
const result = generateBranchName(
|
||||
"{{prefix}}{{description}}/{{entityNumber}}",
|
||||
"feature/",
|
||||
"issue",
|
||||
999,
|
||||
undefined,
|
||||
undefined,
|
||||
"This is a very long title with many more than five words in it",
|
||||
);
|
||||
expect(result).toBe("feature/this-is-a-very-long/999");
|
||||
});
|
||||
|
||||
it("should handle empty description in template", () => {
|
||||
const template = "{{prefix}}{{description}}-{{entityNumber}}";
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"test/",
|
||||
"issue",
|
||||
101,
|
||||
undefined,
|
||||
undefined,
|
||||
"",
|
||||
);
|
||||
|
||||
expect(result).toBe("test/-101");
|
||||
});
|
||||
|
||||
it("should fallback to default format when template produces empty result", () => {
|
||||
const template = "{{description}}"; // Will be empty if no title provided
|
||||
const result = generateBranchName(template, "claude/", "issue", 123);
|
||||
|
||||
expect(result).toMatch(/^claude\/issue-123-\d{8}-\d{4}$/);
|
||||
expect(result.length).toBeLessThanOrEqual(50);
|
||||
});
|
||||
|
||||
it("should fallback to default format when template produces only whitespace", () => {
|
||||
const template = " {{description}} "; // Will be " " if description is empty
|
||||
const result = generateBranchName(
|
||||
template,
|
||||
"fix/",
|
||||
"pr",
|
||||
456,
|
||||
undefined,
|
||||
undefined,
|
||||
"",
|
||||
);
|
||||
|
||||
expect(result).toMatch(/^fix\/pr-456-\d{8}-\d{4}$/);
|
||||
expect(result.length).toBeLessThanOrEqual(50);
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -61,6 +61,7 @@ describe("generatePrompt", () => {
|
||||
body: "This is a test PR",
|
||||
author: { login: "testuser" },
|
||||
state: "OPEN",
|
||||
labels: { nodes: [] },
|
||||
createdAt: "2023-01-01T00:00:00Z",
|
||||
additions: 15,
|
||||
deletions: 5,
|
||||
@@ -475,6 +476,7 @@ describe("generatePrompt", () => {
|
||||
body: "The login form is not working",
|
||||
author: { login: "testuser" },
|
||||
state: "OPEN",
|
||||
labels: { nodes: [] },
|
||||
createdAt: "2023-01-01T00:00:00Z",
|
||||
comments: {
|
||||
nodes: [],
|
||||
|
||||
@@ -28,6 +28,9 @@ describe("formatContext", () => {
|
||||
additions: 50,
|
||||
deletions: 30,
|
||||
state: "OPEN",
|
||||
labels: {
|
||||
nodes: [],
|
||||
},
|
||||
commits: {
|
||||
totalCount: 3,
|
||||
nodes: [],
|
||||
@@ -63,6 +66,9 @@ Changed Files: 2 files`,
|
||||
author: { login: "test-user" },
|
||||
createdAt: "2023-01-01T00:00:00Z",
|
||||
state: "OPEN",
|
||||
labels: {
|
||||
nodes: [],
|
||||
},
|
||||
comments: {
|
||||
nodes: [],
|
||||
},
|
||||
|
||||
@@ -35,12 +35,44 @@ describe("parseAllowedTools", () => {
|
||||
expect(parseAllowedTools("")).toEqual([]);
|
||||
});
|
||||
|
||||
test("handles duplicate --allowedTools flags", () => {
|
||||
test("handles --allowedTools followed by another --allowedTools flag", () => {
|
||||
const args = "--allowedTools --allowedTools mcp__github__*";
|
||||
// Should not match the first one since the value is another flag
|
||||
// The second --allowedTools is consumed as a value of the first, then skipped.
|
||||
// This is an edge case with malformed input - returns empty.
|
||||
expect(parseAllowedTools(args)).toEqual([]);
|
||||
});
|
||||
|
||||
test("parses multiple separate --allowed-tools flags", () => {
|
||||
const args =
|
||||
"--allowed-tools 'mcp__context7__*' --allowed-tools 'Read,Glob' --allowed-tools 'mcp__github_inline_comment__*'";
|
||||
expect(parseAllowedTools(args)).toEqual([
|
||||
"mcp__context7__*",
|
||||
"Read",
|
||||
"Glob",
|
||||
"mcp__github_inline_comment__*",
|
||||
]);
|
||||
});
|
||||
|
||||
test("parses multiple --allowed-tools flags on separate lines", () => {
|
||||
const args = `--model 'claude-haiku'
|
||||
--allowed-tools 'mcp__context7__*'
|
||||
--allowed-tools 'Read,Glob,Grep'
|
||||
--allowed-tools 'mcp__github_inline_comment__create_inline_comment'`;
|
||||
expect(parseAllowedTools(args)).toEqual([
|
||||
"mcp__context7__*",
|
||||
"Read",
|
||||
"Glob",
|
||||
"Grep",
|
||||
"mcp__github_inline_comment__create_inline_comment",
|
||||
]);
|
||||
});
|
||||
|
||||
test("deduplicates tools from multiple flags", () => {
|
||||
const args =
|
||||
"--allowed-tools 'Read,Glob' --allowed-tools 'Glob,Grep' --allowed-tools 'Read'";
|
||||
expect(parseAllowedTools(args)).toEqual(["Read", "Glob", "Grep"]);
|
||||
});
|
||||
|
||||
test("handles typo --alloedTools", () => {
|
||||
const args = "--alloedTools mcp__github__*";
|
||||
expect(parseAllowedTools(args)).toEqual([]);
|
||||
|
||||
@@ -73,6 +73,7 @@ describe("checkWritePermissions", () => {
|
||||
botName: CLAUDE_BOT_LOGIN,
|
||||
allowedBots: "",
|
||||
allowedNonWriteUsers: "",
|
||||
bypassWritePermissionCheckAcknowledgment: false,
|
||||
trackProgress: false,
|
||||
includeFixLinks: true,
|
||||
},
|
||||
@@ -197,7 +198,7 @@ describe("checkWritePermissions", () => {
|
||||
);
|
||||
});
|
||||
|
||||
test("should bypass permission check for all users with wildcard", async () => {
|
||||
test("should bypass permission check for all users with wildcard when acknowledgment provided", async () => {
|
||||
const mockOctokit = createMockOctokit("read");
|
||||
const context = createContext();
|
||||
|
||||
@@ -206,6 +207,7 @@ describe("checkWritePermissions", () => {
|
||||
context,
|
||||
"*",
|
||||
true,
|
||||
true, // acknowledgment provided
|
||||
);
|
||||
|
||||
expect(result).toBe(true);
|
||||
@@ -214,6 +216,17 @@ describe("checkWritePermissions", () => {
|
||||
);
|
||||
});
|
||||
|
||||
test("should FAIL to bypass permission check with wildcard when acknowledgment NOT provided", async () => {
|
||||
const mockOctokit = createMockOctokit("read");
|
||||
const context = createContext();
|
||||
|
||||
await expect(
|
||||
checkWritePermissions(mockOctokit, context, "*", true, false),
|
||||
).rejects.toThrow(
|
||||
"Cannot bypass write permission checks with wildcard (*) without explicit acknowledgment",
|
||||
);
|
||||
});
|
||||
|
||||
test("should NOT bypass permission check when user not in allowed list", async () => {
|
||||
const mockOctokit = createMockOctokit("read");
|
||||
const context = createContext();
|
||||
|
||||
@@ -87,6 +87,7 @@ describe("pull_request_target event support", () => {
|
||||
},
|
||||
comments: { nodes: [] },
|
||||
reviews: { nodes: [] },
|
||||
labels: { nodes: [] },
|
||||
},
|
||||
comments: [],
|
||||
changedFiles: [],
|
||||
|
||||
Reference in New Issue
Block a user