From 178364d4c7a8e6efe92ca60b52030e651015fe5c Mon Sep 17 00:00:00 2001
From: Stephen Freudenthaler
Date: Thu, 11 Jun 2026 14:13:43 -0400
Subject: [PATCH] feat(claude): allow the claude bot to trigger AI reviews
claude-code-action blocks workflow runs initiated by bot actors unless they are in allowed_bots, which was unset. Bot-initiated PRs/pushes from the Claude Code GitHub App (actor "claude", type Bot) therefore failed auto-review with "Workflow initiated by non-human actor". Expose an allowed_bots input on the orchestrator and executor and pass it to both claude-code-action steps (Anthropic API + Bedrock). Default it to "claude" org-wide so the Claude Code GitHub App can trigger reviews; consumers can pass "" to block all bots or "*" to allow any.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/claude-executor.yml | 7 +++++++
 .github/workflows/claude-orchestrator.yml | 6 ++++++
 CLAUDE.md | 1 +
 3 files changed, 14 insertions(+)
diff --git a/.github/workflows/claude-executor.yml b/.github/workflows/claude-executor.yml
index c2e1ac3..cf1e593 100644
--- a/.github/workflows/claude-executor.yml
+++ b/.github/workflows/claude-executor.yml
@@ -67,6 +67,11 @@ on:
 required: false
 type: string
 default: 'us-east-1'
+ allowed_bots:
+ description: 'Comma-separated bot usernames allowed to trigger the action, or "*" for all bots. Defaults to "claude" so the Claude Code GitHub App can trigger reviews; pass "" to block all bots.'
+ required: false
+ type: string
+ default: 'claude'
 secrets:
 ANTHROPIC_API_KEY:
 description: 'Anthropic API key — required when provider=anthropic-api, ignored otherwise'
@@ -185,6 +190,7 @@ jobs:
 anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 prompt: ${{ inputs.prompt }}
 claude_args: ${{ steps.args.outputs.composed }}
+ allowed_bots: ${{ inputs.allowed_bots }}
 use_sticky_comment: "true"
 track_progress: "true"
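Review bot: `default: 'claude'` on the new `allowed_bots` input in the `@@ -67,6 +67,11 @@` hunk relaxes claude-code-action's bot-actor guard for every consumer of this reusable workflow without any of them opting in, and the orchestrator input repeats the same default. Runs started this way reach the steps that hold `ANTHROPIC_API_KEY` or the Bedrock role, presumably with bot-authored PR content as review input. A fail-closed `default: ''`, with repositories setting `allowed_bots: claude` where they need it, would keep that trust decision with each consumer. If the org-wide default stays, the description should at least say that `"*"` admits any bot actor and is unsuitable where bots open PRs built from untrusted input. The input block continues outside the hunk.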
@@ -197,6 +203,7 @@ jobs:
 use_bedrock: "true"
 prompt: ${{ inputs.prompt }}
 claude_args: ${{ steps.args.outputs.composed }}
+ allowed_bots: ${{ inputs.allowed_bots }}
 use_sticky_comment: "true"
 track_progress: "true"
 env:
diff --git a/.github/workflows/claude-orchestrator.yml b/.github/workflows/claude-orchestrator.yml
index b2f98e7..3487706 100644
--- a/.github/workflows/claude-orchestrator.yml
+++ b/.github/workflows/claude-orchestrator.yml
@@ -82,6 +82,11 @@ on:
 required: false
 type: string
 default: ''
+ allowed_bots:
+ description: 'Comma-separated bot usernames allowed to trigger the action, or "*" for all bots. Defaults to "claude" so the Claude Code GitHub App can trigger reviews; pass "" to block all bots. Applies to the Anthropic path only.'
+ required: false
+ type: string
+ default: 'claude'
 secrets:
 ANTHROPIC_API_KEY:
 description: 'Anthropic API key — required only when using the direct Anthropic API path (model_id empty)'
@@ -186,6 +191,7 @@ jobs:
 model_id: ${{ inputs.model_id }}
 bedrock_role_arn: ${{ inputs.bedrock_role_arn }}
 aws_region: ${{ inputs.aws_region }}
+ allowed_bots: ${{ inputs.allowed_bots }}
 secrets:
 ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
diff --git a/CLAUDE.md b/CLAUDE.md
index 7e8d0c9..49cf579 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
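Review bot: The description added in the `@@ -82,6 +82,11 @@` hunk ends with "Applies to the Anthropic path only.", but the executor forwards `allowed_bots` to the `use_bedrock: "true"` step as well (`@@ -197,6 +203,7 @@`), and the commit message says both steps receive it. An operator on the Bedrock path who reads this would conclude that bot-initiated runs are still blocked there, when the default `claude` applies on that path too. Drop that sentence or replace it with `Applies to both the Anthropic API and Bedrock paths.`; the same sentence appears in the CLAUDE.md bullet added by this patch.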
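Review bot: The documented opt-out `allowed_bots: ""` depends on an empty string surviving the `allowed_bots: ${{ inputs.allowed_bots }}` hop added in the `@@ -186,6 +191,7 @@` hunk, and nothing in the patch shows that it does. If an empty value were treated as unset at either level, the executor's `default: 'claude'` would apply and a consumer would believe bots are blocked when they are not. A one-off run with `allowed_bots: ""` and a bot actor, confirming the "Workflow initiated by non-human actor" refusal, would settle it. A comment on this line such as `# "" must reach claude-code-action unchanged: it is the block-all-bots setting` would record the intent.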
@@ -248,6 +248,7 @@ Sophisticated version comparison supporting dotCMS format: `YY.MM.DD[-REBUILD][_
 - **Default Tools**: `git status` and `git diff`
 - **Mention Detection**: Case-insensitive @claude in comments, reviews, issues, and PRs
 - **Concurrency**: Consumer repositories should implement concurrency control to prevent duplicate runs
+- **Allowed Bots**: `allowed_bots` defaults to `claude`, so the Claude Code GitHub App can trigger reviews on PRs/pushes it initiates. `claude-code-action` otherwise blocks bot-initiated runs. Pass `allowed_bots: ""` to block all bots, or `"*"` to allow any (e.g. dependabot, renovate). Applies to the Anthropic path only.
 ### Deployment Guard
 - **Organization bypass**: Disabled by default (must configure `trusted_organization`)