
Commit 66b34c7

authored
fixup claude permissions (#2652)
2 parents c997379 + 010e4e1 commit 66b34c7

1 file changed

+29
-41
lines changed


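--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -5,74 +5,62 @@ on:
     types: [created]
   pull_request_review_comment:
     types: [created]
-  issues:
-    types: [opened, assigned]
   pull_request_review:
     types: [submitted]
+  issues:
+    types: [opened, assigned]
 
 jobs:
-  check-team-membership:
+  claude:
+    # Only run if @claude is mentioned in the triggering content
+    # For issues (opened/assigned), checks the issue body or title
+    # For comments/reviews, checks the comment/review body
+    if: contains(github.event.comment.body || github.event.review.body || github.event.issue.body || github.event.issue.title || '', '@claude')
     runs-on: ubuntu-latest
-    outputs:
-      is-team-member: ${{ steps.check-membership.outputs.is-member }}
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
     steps:
       - name: Check team membership
         id: check-membership
         uses: actions/github-script@v8
         with:
           script: |
             try {
-              // Get username - prioritize sender (the person who triggered the event)
-              const username = github.event?.sender?.login ||
-                               github.event?.comment?.user?.login;
-
+              // Get the user who triggered the event
+              const username = context.payload.sender?.login;
+
               if (!username) {
-                console.log('Could not determine username from event payload');
-                console.log(`Event type: ${github.event_name}`);
-                console.log(`Event payload keys: ${Object.keys(github.event).join(', ')}`);
-                return false;
+                core.setFailed('Could not determine username from event');
+                return;
               }
-
-              console.log(`Checking team membership for user: ${username} (triggered by ${github.event_name} event)`);
-
+
+              console.log(`Checking if ${username} is a member of diffplug/spotless`);
+
               const { data } = await github.rest.teams.getMembershipForUserInOrg({
                 org: 'diffplug',
                 team_slug: 'spotless',
                 username: username
               });
-              console.log(`User ${username} membership status: ${data.state}`);
-              return data.state === 'active';
+
+              if (data.state !== 'active') {
+                core.setFailed(`User ${username} is not an active team member`);
+              } else {
+                console.log(`✓ ${username} is an active team member`);
+              }
             } catch (error) {
-              const username = github.event.sender?.login || github.event.comment?.user?.login || 'unknown user';
-              console.log(`User ${username} is not a member of the Spotless team or error occurred: ${error.message}`);
-              return false;
+              // User is not a team member or API error
+              core.setFailed(`Access denied: ${error.message}`);
             }
 
-  claude:
-    needs: check-team-membership
-    if: |
-      needs.check-team-membership.outputs.is-team-member == 'true' &&
-      (
-        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
-      )
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
-    steps:
       - name: Checkout repository
         uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
       - name: Run Claude Code
-        id: claude
         uses: anthropics/claude-code-action@beta
         with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}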
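Review bot: The `Check team membership` step is now the only gate between anyone who can write `@claude` into an issue, comment or review (the job-level `if` inspects nothing but that untrusted text) and a run of `claude-code-action` holding `id-token: write` and `secrets.ANTHROPIC_API_KEY`, and the gate holds only because `core.setFailed` makes every later step skip; that invariant is not recorded anywhere in the job. I would add above the step: `# Authorization gate: a failure here must skip every later step — never add if: always() or continue-on-error to this job`. Separately, `github.rest.teams.getMembershipForUserInOrg` is an org-level endpoint; if the job's default `GITHUB_TOKEN` cannot read team membership, the catch turns every run into `Access denied` — fail-closed, which is the right direction, but the feature is then dead — so one member-triggered run should be checked after merge. The `on:` mapping starts before the hunk.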
