Update GitHub Actions workflows. (#751)
This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 62def83b594d72ccf4eab97cdf5b566ebb910e83. Co-authored-by: Pulumi Bot <bot@pulumi.com>
committed by
GitHub
parent
d5e5c8a482
commit
f5d459e624
47
.github/workflows/claude.yml
vendored
47
.github/workflows/claude.yml
vendored
@@ -31,10 +31,11 @@ jobs:
|
|||||||
contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
|
contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: write
|
||||||
pull-requests: write
|
pull-requests: write
|
||||||
issues: write
|
issues: write
|
||||||
id-token: write
|
id-token: write
|
||||||
|
actions: read
|
||||||
steps:
|
steps:
|
||||||
- env:
|
- env:
|
||||||
ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
|
ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
|
||||||
@@ -47,7 +48,13 @@ jobs:
|
|||||||
uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
|
uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 1
|
fetch-depth: 0
|
||||||
|
- name: Checkout PR head (if applicable)
|
||||||
|
if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
|
||||||
|
env:
|
||||||
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
|
||||||
|
run: gh pr checkout "$PR_NUMBER"
|
||||||
- name: Setup mise
|
- name: Setup mise
|
||||||
uses: blampe/mise-action@blampe/plugins
|
uses: blampe/mise-action@blampe/plugins
|
||||||
env:
|
env:
|
||||||
@@ -83,7 +90,7 @@ jobs:
|
|||||||
Only post GitHub comments - don't submit review text as messages.
|
Only post GitHub comments - don't submit review text as messages.
|
||||||
# Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
|
# Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
|
||||||
claude_args: |
|
claude_args: |
|
||||||
--allowedTools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*),mcp__github_inline_comment__create_inline_comment"
|
--allowedTools "Skill,Bash(gh issue view *),Bash(gh search *),Bash(gh issue list *),Bash(gh pr comment *),Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr list *),mcp__github_inline_comment__create_inline_comment"
|
||||||
- name: Run Claude Code
|
- name: Run Claude Code
|
||||||
# Comment must contain '@claude', but not '@claude review'
|
# Comment must contain '@claude', but not '@claude review'
|
||||||
if: |
|
if: |
|
||||||
@@ -93,6 +100,36 @@ jobs:
|
|||||||
uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
|
uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
|
||||||
with:
|
with:
|
||||||
anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
|
anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
|
||||||
|
# This allows claude to read github action logs
|
||||||
|
additional_permissions: |
|
||||||
|
actions: read
|
||||||
|
# Sandbox settings: --allowedTools controls which tools Claude can invoke,
|
||||||
|
# but the sandbox also enforces OS-level filesystem restrictions. Edit()
|
||||||
|
# rules in permissions.allow control all bash filesystem writes (mkdir,
|
||||||
|
# output redirection, etc.), not just the Edit tool. Without these, commands
|
||||||
|
# like `mkdir .pulumi` or `cmd > file.txt` would be blocked by the sandbox.
|
||||||
|
settings: |
|
||||||
|
{
|
||||||
|
"permissions": {
|
||||||
|
"allow": ["Edit(./**)", "Edit(/tmp/**)"]
|
||||||
|
}
|
||||||
|
}
|
||||||
claude_args: |
|
claude_args: |
|
||||||
# --max-turns 10 # this is the default
|
--max-turns 50
|
||||||
--allowedTools "Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider:*),Bash(./scripts/upstream.sh:*),Bash(git:*),Bash(GIT_EDITOR=*),Bash(make:*),Bash(gh:*),Bash(mkdir:*),Bash(cd:*),Bash(go install:*)"
|
--allowedTools "Skill,Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider *),Bash(./scripts/upstream.sh *),Bash(git *),Bash(GIT_EDITOR=* git *),Bash(make *),Bash(gh *),Bash(mkdir *),Bash(go install *),Bash(ls *),Bash(test *),Bash(cat *),Bash(pwd),Bash(head *),Bash(tail *),Bash(tee *),Bash(rg *),Bash(grep *),Bash(sed *),Bash(awk *),Bash(find *)"
|
||||||
|
# If the claude action fails you don't get any logs on what claude was doing
|
||||||
|
# Uploading the artifact allows you to download the artifact from the UI
|
||||||
|
- name: Upload Claude review output on failure
|
||||||
|
if: failure() && steps.claude-review.outputs.execution_file
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: claude-review-execution-log
|
||||||
|
path: ${{ steps.claude-review.outputs.execution_file }}
|
||||||
|
retention-days: 7
|
||||||
|
- name: Upload Claude output on failure
|
||||||
|
if: failure() && steps.claude-action.outputs.execution_file
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: claude-execution-log
|
||||||
|
path: ${{ steps.claude-action.outputs.execution_file }}
|
||||||
|
retention-days: 7
|
||||||
|
|||||||
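Review bot: The new `Checkout PR head (if applicable)` step (`gh pr checkout "$PR_NUMBER"`) runs before `Setup mise` and before Claude is allowed `Bash(make *)`, `Bash(./scripts/upstream.sh *)`, `Bash(upgrade-provider *)` and `Bash(go install *)`, so on a comment-triggered run against a fork PR the fork's Makefile, scripts and mise config execute inside a job that this change also upgrades to `contents: write` (plus the existing `id-token: write` and the ESC-provided `ANTHROPIC_API_KEY`); the `author_association` gate visible at the top of the job constrains who triggers the run, not who authored the head commit (that condition begins above the first hunk, so I see only its tail). I would refuse cross-repository heads in that step and keep `contents: read` unless pushing is actually needed, because `Bash(git *)` together with `Bash(gh *)` and a write token lets the agent push to or modify anything in the repository. The widened allowlist is also porous — `find -exec`, `awk`'s `system()`, GNU `sed`'s `e` command and `tee` into any path the `Edit(./**)` rule permits all give command execution beyond the listed binaries — so a comment such as `# NOTE: find/awk/sed/tee can spawn subprocesses; the OS sandbox, not this list, is the real boundary.` would keep the next maintainer from treating the list as a security control. Finally, `actions/upload-artifact@v4` is the only action in the file not pinned to a commit SHA (cf. `actions/checkout@11bd7190... # v4`), and since artifacts of a public repository are downloadable by any logged-in GitHub user, confirm the execution log cannot contain secret values or ESC outputs before shipping it as an artifact.

```yaml
- name: Checkout PR head (if applicable)
  if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
  run: |
    # Fork heads are untrusted code; this job holds write tokens and ESC secrets,
    # and later steps run make/mise/scripts from the checked-out tree.
    if [ "$(gh pr view "$PR_NUMBER" --json isCrossRepository --jq .isCrossRepository)" = "true" ]; then
      echo "::error::PR #$PR_NUMBER comes from a fork; refusing to check out its head in a privileged job" >&2
      exit 1
    fi
    gh pr checkout "$PR_NUMBER"
# … unchanged: Setup mise, Claude review/run steps …
- name: Upload Claude review output on failure
  if: failure() && steps.claude-review.outputs.execution_file
  uses: actions/upload-artifact@<commit-sha> # v4 — pin like the other actions in this file
```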