
Fix Claude review steps in ClauDependabot workflow#22

Open

danielorbach wants to merge 2 commits into main from fix-claudependabot-tools

Conversation

@danielorbach (Collaborator)

The ClauDependabot workflow's Claude review steps were silently failing: Claude ran 13 turns with 11 permission denials and never posted its review comment (run #23004309970).

Two issues, both caused by differences between this workflow and the working one in go-digitaltwin/go-digitaltwin:

Missing file-reading tools. This workflow added actions/checkout so Claude could read local files, but in agent mode claude-code-action does not inject default tools (unlike tag mode which includes Read, Glob, Grep, etc.). The allowedTools whitelist only had Bash(gh ...) patterns, so every attempt to read the checkout was denied.

No workflow summary report. claude-code-action v1.0.65 changed display_report default to false, and v1.0.66 stripped detailed permission_denials from sanitized output (both in PR #992 and PR #993). These changes protect against prompt injection from untrusted input rendered in the Step Summary. Since this workflow only triggers on Dependabot PRs (trusted actor, controlled input), the threat model does not apply; display_report is re-enabled explicitly.

In agent mode, claude-code-action does not include default file-reading
tools; only the tools listed in claude_args are available. Without Read,
Glob, and Grep, Claude spent all turns hitting permission denials and
never posted its review comment.

v1.0.65 of claude-code-action changed the display_report default from
true to false (PR #992), and v1.0.66 stripped detailed permission_denials
from the sanitized output (PR #993). Both changes protect against prompt
injection when Claude is triggered by untrusted input (e.g. public issue
comments) that could produce malicious markdown in the Step Summary.

This workflow only triggers on Dependabot PRs (a trusted actor with
controlled input), so the prompt injection threat model does not apply.
Re-enabling display_report restores the workflow summary report for
reviewing Claude's analysis.
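The two settings the PR description discusses, shown side by side in a minimal workflow fragment. This is an added example, not the workflow file from this PR: the `uses:` path anthropics/claude-code-action@v1, the `prompt` and `anthropic_api_key` inputs, the secret name ANTHROPIC_API_KEY and the specific `Bash(gh ...)` patterns are assumptions, while `display_report`, `claude_args` and `--allowedTools "Read,Glob,Grep"` are the inputs named on the page. The job-level actor gate is the part a reviewer should check before accepting `display_report: true`, since the Dependabot-only trigger is the stated reason the Step Summary prompt-injection concern does not apply here.

```yaml
# Added example (not this repository's workflow). Assumed, not taken from
# the page: the action path, the prompt/anthropic_api_key inputs, the
# secret name and the exact Bash(gh ...) allowlist patterns.
name: ClauDependabot (example)

on:
  pull_request:

jobs:
  review:
    # Trust gate: only Dependabot-authored PRs reach the Claude step. This
    # restriction is what makes re-enabling display_report acceptable; for a
    # workflow triggered by arbitrary issue comments or forks, leave the
    # v1.0.65 default (display_report off) in place.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4

      # BEFORE (the failing configuration): in agent mode no default tools
      # are injected, so this allowlist permits only gh invocations. Every
      # Read/Glob/Grep attempt against the checkout is denied, and the
      # summary report is hidden by the new default.
      #
      # - uses: anthropics/claude-code-action@v1
      #   with:
      #     anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
      #     prompt: "Review this Dependabot PR and post a review comment."
      #     claude_args: |
      #       --allowedTools "Bash(gh pr view:*),Bash(gh pr comment:*)"

      # AFTER (the fix this PR applies): file-reading tools are listed
      # explicitly alongside the gh patterns, and the report is opted back in.
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Review this Dependabot PR and post a review comment."
          display_report: true
          claude_args: |
            --allowedTools "Read,Glob,Grep,Bash(gh pr view:*),Bash(gh pr comment:*)"
```

When auditing a similar change, confirm that every job setting `display_report: true` carries an actor or event restriction equivalent to the `if:` above; the allowlist additions on their own are safe in either trust setting, the report output is not.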
@coderabbitai (bot) commented Mar 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8e1476ea-06b0-4220-9884-900a51c3dac0

📥 Commits

Reviewing files that changed from the base of the PR and between 7e98998 and 7001f34.

📒 Files selected for processing (1)
  • .github/workflows/claudependabot.yml

📝 Walkthrough

This PR modifies the GitHub Actions workflow configuration to augment Claude's review capabilities by enabling report output and adding tool allowances. Specifically, display_report: true is added to review steps, and --allowedTools "Read,Glob,Grep" is introduced in Claude arguments for both minor and major review processes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow Configuration: `.github/workflows/claudependabot.yml` | Added `display_report: true` flag to enable Claude report output in minor and major review steps. Expanded `claude_args` with `--allowedTools "Read,Glob,Grep"` entries in both minor and major review blocks to grant Claude additional file inspection capabilities. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 A rabbit hops through workflow files,
With Read and Glob and Grep in style,
Display those reports for all to see,
Claude's toolbox grows with glee!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Fix Claude review steps in ClauDependabot workflow' directly reflects the main changes: fixing Claude review steps by adding missing file-reading tools and enabling the workflow summary report. |
| Description check | ✅ Passed | The description is highly relevant, explaining the specific problems encountered in the workflow (missing tools and disabled report), the root causes, and the fixes applied to resolve them. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@danielorbach danielorbach self-assigned this Mar 12, 2026