When external users (without write access) create issues, the OIDC
token exchange fails with a "User does not have write access" error.
Adding an explicit github_token bypasses this authentication flow.

The npm publish command was failing with ENEEDAUTH because the
setup-node action requires registry-url to be set for OIDC trusted
publishing to work properly.

- Migrate PR review prompt to slash command format (.agents/commands/git/pr-review.md)
- Fix CLI argument from --allowed-tools to --allowedTools (correct camelCase format)
- Change pull-requests permission from read to write for PR comments
- Update documentation URL to code.claude.com

The claude-code-action uses OIDC authentication to obtain GitHub tokens,
which requires the id-token: write permission. Without this permission,
the workflows fail with an "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env
variable" error.

Add automated issue labeling workflow that triggers when new issues
are opened. Claude analyzes the issue content and applies appropriate
labels without posting comments.

Add GitHub Actions workflow for npm publishing using OIDC-based trusted
publishing instead of long-lived npm tokens. This improves security by
using short-lived, cryptographically signed tokens.
The workflow includes:
- Manual trigger with dry-run option for testing
- Full CI checks (lint, test, build) before publishing
- npm audit signatures verification
- Provenance attestation for supply chain security
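
A minimal publish workflow that wires together the pieces these commits describe (the id-token: write permission the OIDC exchange needs, registry-url on setup-node so npm publish does not fail with ENEEDAUTH, the signature check and the provenance flag). This is a constructed illustration written for this page, not the project's own workflow file; the workflow, job and input names and the use of version tags instead of the project's pinned commit SHAs are assumptions.

```yaml
name: Publish to npm (trusted publishing)

on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Run npm publish with --dry-run instead of releasing"
        type: boolean
        default: true

permissions:
  contents: read
  # Required: without id-token: write the runner never exposes
  # ACTIONS_ID_TOKEN_REQUEST_URL and the OIDC exchange cannot start.
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # The project pins these to commit SHAs with pinact; tags are used here only for brevity.
      - uses: actions/checkout@v5

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # registry-url tells npm which registry the OIDC token is for.
          # Leaving it out is what produced the ENEEDAUTH failure.
          registry-url: https://registry.npmjs.org

      # Full CI gate before anything is published
      - run: npm ci
      - run: npm run lint
      - run: npm test
      - run: npm run build

      # Verify registry signatures of the installed dependency tree
      - run: npm audit signatures

      # --provenance emits the supply-chain attestation alongside the package;
      # the dry_run input exercises the whole flow without creating a release.
      - run: npm publish --provenance --access public ${{ inputs.dry_run && '--dry-run' || '' }}
```

No long-lived NPM_TOKEN secret appears anywhere in the workflow; the only credential is the short-lived one minted during the OIDC exchange, which is the point of the migration described above.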

Added Node.js 25.x to the CI test matrix to ensure compatibility with the latest Node.js version.
This change updates both the `test` and `build-and-run` jobs to include Node.js 25.x alongside the existing versions (20.x, 22.x, 24.x).
Each job will now run across 12 combinations (3 OS × 4 Node.js versions).

- Added --comments flag to gh pr view command for more reliable comment retrieval
- Clarified suggestion format instruction to "actionable fix suggestions with code examples"
This makes the instructions clearer and ensures Claude can consistently access all PR comments.

Added structured "How to Comment" section that instructs Claude to:
- Check existing PR comments before reviewing to avoid duplicates
- Only provide new feedback or updates to previous feedback
- Use inline comments for specific code issues with suggestions
- Organize commenting approach in clear numbered steps
This prevents repetitive feedback when the workflow runs on PR updates.

Added instruction to perform a premortem analysis during PR reviews
to identify potential failure scenarios and suggest mitigations.
Includes specific examples of failure types to consider (edge cases,
integration issues, deployment risks).

This workflow was experimental and is no longer needed for the project's
CI/CD pipeline. The decision was made to streamline our GitHub Actions
and focus on the essential automation workflows.

Add formatting instructions to the Claude Code Review workflow to improve
readability of PR comments. The review will now show a brief summary upfront
with detailed feedback collapsed in a <details> section.

Update actions/checkout to v5.0.0 in Claude Code Review workflow
for consistency and latest features.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Pin actions/checkout and anthropics/claude-code-action to specific
commit SHAs for improved security and reproducibility:
- actions/checkout pinned to v4.3.0
- anthropics/claude-code-action pinned to v1.0.9

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

This replaces the ratchet tool with pinact for managing GitHub Actions SHA pinning across all workflow files. The changes include:
- Remove ratchet-update.yml and ratchet-verify.yml workflows
- Add new pinact.yml workflow for automated SHA pinning
- Update all workflow files to use pinact-style comments (# v1.2.3 instead of # ratchet:action@v1)
- Add .pinact.yaml configuration file with ignore rules for Homebrew actions and local actions
- Update package.json scripts to use pinact commands instead of ratchet
Pinact provides more reliable SHA pinning with better GitHub Actions integration.